[strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor
James Lay
jlay at slave-tothe-box.net
Thu Mar 19 15:01:05 CET 2015
On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
> Hello,
>
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and
> connections are OK.
> But when I execute "ipsec statusall" command, it replies:
> "reading from socket failed: Permission denied"
>
> When I suppress "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.
>
> This is the default AppArmor profile:
>
> #include <tunables/global>
>
> /usr/lib/ipsec/stroke flags=(audit) {
> #include <abstractions/base>
>
> /etc/strongswan.conf r,
> /etc/strongswan.d/ r,
> /etc/strongswan.d/** r,
>
> /run/charon.ctl rw,
> }
>
> I don't find what to add to make the command reply correctly.
>
> Any idea?
>
>
> Thanks,
> Fabrice Barconnière
I am running the same version and I do not see this issue...sanitized
messages below:
[07:56:06 :~/careful$] dpkg -l | grep strong
ii libstrongswan 5.1.2-0ubuntu2.2 i386 strongSwan utility and crypto library
ii strongswan 5.1.2-0ubuntu2.2 all IPsec VPN solution metapackage
ii strongswan-ike 5.1.2-0ubuntu2.2 i386 strongSwan Internet Key Exchange (v2) daemon
ii strongswan-plugin-openssl 5.1.2-0ubuntu2.2 i386 strongSwan plugin for OpenSSL
ii strongswan-plugin-xauth-generic 5.1.2-0ubuntu2.2 i386 strongSwan plugin for the generic XAuth backend
ii strongswan-starter 5.1.2-0ubuntu2.2 i386 strongSwan daemon starter and configuration file parser
[07:57:04 :~/careful$] sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
uptime: 7 days, since Mar 12 05:50:38 2015
malloc: sbrk 675840, mmap 0, used 184720, free 491120
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock
Virtual IP pools (size/online/offline):
x.x.x.x: 1/0/0
Listening IP addresses:
x.x.x.x
x.x.x.x
Connections:
rw: %any...%any IKEv1/2
rw: local: [C=CH, O=strongSwan, CN=]
rw: cert: "C=CH, O=strongSwan, CN=]
rw: remote: uses public key authentication
rw: child: 192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Thu Mar 19 05:03:50 MDT 2015
System load: 1.66 Processes: 206
Usage of /: 22.5% of 73.21GB Users logged in: 1
Memory usage: 87% IP address for eth0: x.x.x.x
Swap usage: 9% IP address for ppp0: x.x.x.x
Graph this data and manage this system at:
https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
James
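
An added example, not part of either message and not strongSwan or Ubuntu code: one way to see which accesses the quoted profile does not grant is to compare the kernel's AppArmor DENIED records for /usr/lib/ipsec/stroke with the profile's file rules. Because the profile carries flags=(audit), permitted accesses are logged as apparmor="AUDIT" too, so the script keeps only DENIED records. The log lines, denied paths and capability name are constructed placeholders and do not identify the cause of the reported error.

```python
import re

PROFILE = "/usr/lib/ipsec/stroke"
# File rules copied from the profile quoted in the message above.
RULES = [("/etc/strongswan.conf", "r"), ("/etc/strongswan.d/", "r"),
         ("/etc/strongswan.d/**", "r"), ("/run/charon.ctl", "rw")]

# Constructed kernel log lines, not taken from the thread. The denied paths
# and the capability name are placeholders, not the cause of the reported error.
SAMPLE_LOG = '''\
audit: type=1400 audit(1426773665.101:40): apparmor="AUDIT" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.conf" pid=4242 comm="stroke" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1426773665.102:41): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/example/placeholder.conf" pid=4242 comm="stroke" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1426773665.103:42): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.d/charon.conf" pid=4242 comm="stroke" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1426773665.104:43): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/stroke" pid=4242 comm="stroke" capability=0 capname="placeholder_cap"
audit: type=1400 audit(1426773665.105:44): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/shadow" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def glob_to_regex(pattern):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile(body + r"\Z")

def uncovered_denials(log, profile=PROFILE, rules=RULES):
    """List (operation, target, missing_perms) for the profile's DENIED events."""
    findings = []
    for line in log.splitlines():
        ev = parse(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue  # skips AUDIT records and other profiles
        name = ev.get("name")
        if name is None:  # non-file mediation such as a capability check
            findings.append((ev.get("operation", "?"), ev.get("capname", "?"), ""))
            continue
        granted = {c for pat, perms in rules
                   if glob_to_regex(pat).match(name) for c in perms}
        missing = "".join(c for c in ev.get("denied_mask", "") if c not in granted)
        if missing:
            findings.append((ev.get("operation", "?"), name, missing))
    return findings

if __name__ == "__main__":
    for finding in uncovered_denials(SAMPLE_LOG):
        print(finding)
```

On a live system, pass the kernel log text (for example the output of `dmesg` or the contents of /var/log/kern.log) in place of SAMPLE_LOG.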