The server serves only incoming VPN requests; it is for mobile road-warriors. And the error does not occur right after starting strongSwan or bringing tunnels up. So it makes no sense to run it with auto=add or not.
strongSwan is serving clients OK. It works for a long time until a first DENIAL. It looks like it is somehow related to reauthentication of the XAuth iOS client, but I can't reproduce it. Sometimes the client can reauth OK, as I can see in the logs, but sometimes right after a successful reauth I see this error. There are about 5 active clients right now with 20-30 connections per day, and the server gives me an error once or twice per day. I would not even have noticed it if it did not break accounting at RADIUS. If ipsec runs in debug mode on the console (--nofork) I don't get this error.

$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
: RSA vpn.server.name.pem
vpn.server.name : PSK "simpletestpsk"

$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    strictcrlpolicy=yes
    # uniqueids = no

# default options
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    inactivity = 60s
    dpdaction = clear
    dpdtimeout = 5s
    dpddelay = 5s

# Add connections here.
conn ikev1-psk-xauth
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid=@vpn.server.name
    leftauth=psk
    right=%any
    rightsourceip=10.0.0.0/9
    rightauth=psk
    rightauth2=xauth-eap
    auto=add

conn ikev2-with-eap
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid="C=US, O=Server.name.co, OU=VPN Dept, CN=vpn.server.name, E=ad...@server.name"
    leftauth=pubkey
    leftcert=vpn.server.name.pem
    right=%any
    rightsourceip=10.0.0.0/16
    rightsendcert=never
    rightauth=eap-radius
    eap_identity=%identity
    auto=add

$ sudo cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
}
include strongswan.d/*.conf

$ sudo cat /etc/strongswan.d/charon.conf | grep -v '^[[:space:]]*#'| grep .
charon {
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}

$ sudo cat /etc/strongswan.d/charon/xauth-eap.conf | grep -v '^[[:space:]]*#'| grep .
xauth-eap {
    backend = radius
    load = yes
}

$ sudo cat /etc/strongswan.d/charon/eap-radius.conf | grep -v '^[[:space:]]*#'| grep .
eap-radius {
    accounting = yes
    load = yes
    port = 1812
    secret = secret
    server = 127.0.0.1
    sockets = 1000
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
        secret = dae_secret
    }
    forward {
    }
    servers {
    }
    xauth {
    }
}

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1549436

Title:
  AppArmor kills StrongSwan daemon 'charon'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1549436/+subscriptions
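Added example, not part of the bug report or the strongSwan project: a small Python audit that parses the strongswan.conf section syntax shown in the pasted files and flags the eap-radius settings a reviewer would question, such as the placeholder RADIUS shared secret and the DAE listener bound to 0.0.0.0. The sample input is a constructed, abridged copy of the eap-radius.conf above, and the 16-character minimum is an assumed local policy, not a strongSwan requirement.

```python
from typing import Any, Dict, List
# Constructed sample: key values from the eap-radius.conf pasted above (abridged).
SAMPLE_EAP_RADIUS_CONF = """
eap-radius {
    port = 1812
    secret = secret
    server = 127.0.0.1
    dae {
        enable = yes
        listen = 0.0.0.0
        secret = dae_secret
    }
}
"""
def parse_conf(text: str) -> Dict[str, Any]:
    """Parse strongswan.conf syntax ('name {', '}', 'key = value', '#' comments) into nested dicts."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # open a nested section
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                 # close the current section
            stack.pop()
        elif "=" in line:                 # key = value leaf (surrounding quotes stripped)
            key, value = (p.strip() for p in line.split("=", 1))
            stack[-1][key] = value.strip('"')
    return root

# Minimum secret length is an assumed local policy, not a strongSwan requirement.
MIN_SECRET_LEN = 16
PLACEHOLDER_SECRETS = {"secret", "password", "changeme", "radius", ""}
def audit_eap_radius(conf: Dict[str, Any]) -> List[str]:
    """Return findings a reviewer would raise on the eap-radius section."""
    findings: List[str] = []
    sec = conf.get("eap-radius", {})
    secret = sec.get("secret", "")
    if secret.lower() in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
        findings.append("eap-radius.secret: placeholder or shorter than policy")
    dae = sec.get("dae", {})
    if dae.get("enable") == "yes":
        if dae.get("listen") in ("0.0.0.0", "::"):
            findings.append("dae.listen: bound on all interfaces; restrict to the RADIUS server")
        if len(dae.get("secret", "")) < MIN_SECRET_LEN:
            findings.append("dae.secret: shorter than policy")
    return findings
```

Running `audit_eap_radius(parse_conf(SAMPLE_EAP_RADIUS_CONF))` on the pasted values yields three findings; a config with 32-character secrets and `listen = 127.0.0.1` yields none.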