[strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

James Lay jlay at slave-tothe-box.net
Thu Mar 19 15:01:05 CET 2015


On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
> Hello,
>
> I've configured a VPN on Ubuntu Trusty with strongSwan 5.1.2 and the
> connections are OK.
> But when I execute the "ipsec statusall" command, it replies:
> "reading from socket failed: Permission denied"
>
> When I remove the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.
>
> This is the default AppArmor profile :
>
> #include <tunables/global>
>
> /usr/lib/ipsec/stroke flags=(audit) {
>   #include <abstractions/base>
>
>   /etc/strongswan.conf          r,
>   /etc/strongswan.d/            r,
>   /etc/strongswan.d/**          r,
>
>   /run/charon.ctl               rw,
> }
>
> I can't find what to add to make the command reply correctly.
>
> Any idea?
>
>
> Thanks,
> Fabrice Barconnière


I am running the same version and I do not see this issue...sanitized 
messages below:

[07:56:06 :~/careful$] dpkg -l | grep strong
ii  libstrongswan                        5.1.2-0ubuntu2.2   i386   strongSwan utility and crypto library
ii  strongswan                           5.1.2-0ubuntu2.2   all    IPsec VPN solution metapackage
ii  strongswan-ike                       5.1.2-0ubuntu2.2   i386   strongSwan Internet Key Exchange (v2) daemon
ii  strongswan-plugin-openssl            5.1.2-0ubuntu2.2   i386   strongSwan plugin for OpenSSL
ii  strongswan-plugin-xauth-generic      5.1.2-0ubuntu2.2   i386   strongSwan plugin for the generic XAuth backend
ii  strongswan-starter                   5.1.2-0ubuntu2.2   i386   strongSwan daemon starter and configuration file parser

[07:57:04 :~/careful$] sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
   uptime: 7 days, since Mar 12 05:50:38 2015
   malloc: sbrk 675840, mmap 0, used 184720, free 491120
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock
Virtual IP pools (size/online/offline):
   x.x.x.x: 1/0/0
Listening IP addresses:
   x.x.x.x
   x.x.x.x
Connections:
           rw:  %any...%any  IKEv1/2
           rw:   local:  [C=CH, O=strongSwan, CN=]
           rw:    cert:  "C=CH, O=strongSwan, CN=]
           rw:   remote: uses public key authentication
           rw:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
   none


Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)

  * Documentation:  https://help.ubuntu.com/

   System information as of Thu Mar 19 05:03:50 MDT 2015

   System load:  1.66               Processes:           206
   Usage of /:   22.5% of 73.21GB   Users logged in:     1
   Memory usage: 87%                IP address for eth0: x.x.x.x
   Swap usage:   9%                 IP address for ppp0: x.x.x.x


   Graph this data and manage this system at:
     https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

James
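Whatever rule the stroke profile turns out to be missing, the place it shows up is the AppArmor audit log (kernel log or auditd): `flags=(audit)` on the profile quoted above makes AppArmor log permitted accesses as `AUDIT` lines too, so the `DENIED` lines have to be picked out and reduced to the operation, target and mask a new rule would have to cover. The script below is an added example and not part of this thread; the sample log lines, paths, pids and timestamps in it are constructed (the thread quotes no audit log), and the socket operation name is illustrative of the unix-socket mediation that Trusty's kernel performs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format AppArmor writes to the kernel log; NOT
# from the thread. Line 1: an access the profile permits, logged only because of
# flags=(audit). Line 2: a denied unix-socket receive, the kind of event behind
# "reading from socket failed: Permission denied". Line 3: a denied file write
# with a made-up path, to show the file-rule case. Line 4: an unrelated line.
SAMPLE_LOG = """\
Mar 19 14:55:01 vpn kernel: [123.4] audit: type=1400 audit(1426773301.1:45): apparmor="AUDIT" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.conf" pid=4321 comm="stroke" requested_mask="r" fsuid=0 ouid=0
Mar 19 14:55:01 vpn kernel: [123.5] audit: type=1400 audit(1426773301.2:46): apparmor="DENIED" operation="recvmsg" profile="/usr/lib/ipsec/stroke" pid=4321 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive" addr=none peer_addr=none
Mar 19 14:55:02 vpn kernel: [123.6] audit: type=1400 audit(1426773301.3:47): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/tmp/stroke-debug.log" pid=4321 comm="stroke" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Mar 19 14:55:02 vpn charon: 05[CFG] received stroke: status
"""

# key="quoted value" or key=bare_value pairs as emitted by the AppArmor audit code
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def describe_denial(fields):
    """Reduce one DENIED event to (profile, operation, target, denied mask)."""
    if fields.get("apparmor") != "DENIED":
        return None  # flags=(audit) also logs permitted accesses; skip those
    if "name" in fields:
        target = fields["name"]  # a file rule is what is missing
    elif fields.get("family") == "unix":
        target = "unix %s socket" % fields.get("sock_type", "?")  # a unix rule
    else:
        target = fields.get("operation", "?")
    return (fields.get("profile", "?"), fields.get("operation", "?"), target,
            fields.get("denied_mask", fields.get("requested_mask", "?")))


def summarize_denials(log_text):
    """Group distinct denials per profile so the missing rules are visible at a glance."""
    per_profile = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields:
            event = describe_denial(fields)
            if event:
                per_profile[event[0]].add(event[1:])
    return {profile: sorted(events) for profile, events in per_profile.items()}
```

Run it over `/var/log/kern.log` (or `ausearch -m AVC` output) instead of `SAMPLE_LOG` while reproducing the failing `ipsec statusall`; each tuple it prints is one access the profile must grant.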