[strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Mar 23 10:26:43 CET 2015


On 19/03/2015 15:01, James Lay wrote:
> On 2015-03-19 07:22 AM, Fabrice Barconnière wrote:
> 
> Hello,
> 
> I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and 
> connections are OK. But when I execute the "ipsec statusall" command, 
> it replies: "reading from socket failed: Permission denied"
> 
> When I suppress the "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor 
> profile, the command replies correctly.
> 
> This is the default AppArmor profile:
> 
> #include <tunables/global>
> 
> /usr/lib/ipsec/stroke flags=(audit) {
>   #include <abstractions/base>
> 
>   /etc/strongswan.conf          r,
>   /etc/strongswan.d/            r,
>   /etc/strongswan.d/**          r,
> 
>   /run/charon.ctl               rw,
> }
> 
> I don't find what to add to make the command reply correctly.
> 
> Any idea?
> 
> 
> Thanks, Fabrice Barconnière
> 
> 
> I am running the same version and I do not see this 
> issue...sanitized messages below:
> 
> [07:56:06 :~/careful$] dpkg -l | grep strong
> ii  libstrongswan                    5.1.2-0ubuntu2.2  i386  strongSwan utility and crypto library
> ii  strongswan                       5.1.2-0ubuntu2.2  all   IPsec VPN solution metapackage
> ii  strongswan-ike                   5.1.2-0ubuntu2.2  i386  strongSwan Internet Key Exchange (v2) daemon
> ii  strongswan-plugin-openssl        5.1.2-0ubuntu2.2  i386  strongSwan plugin for OpenSSL
> ii  strongswan-plugin-xauth-generic  5.1.2-0ubuntu2.2  i386  strongSwan plugin for the generic XAuth backend
> ii  strongswan-starter               5.1.2-0ubuntu2.2  i386  strongSwan daemon starter and configuration file parser
> 
> [07:57:04 :~/careful$] sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-46-generic, i686):
>   uptime: 7 days, since Mar 12 05:50:38 2015
>   malloc: sbrk 675840, mmap 0, used 184720, free 491120
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity xauth-generic addrblock
> Virtual IP pools (size/online/offline):
>   x.x.x.x: 1/0/0
> Listening IP addresses:
>   x.x.x.x
>   x.x.x.x
> Connections:
>           rw:  %any...%any  IKEv1/2
>           rw:   local: [C=CH, O=strongSwan, CN=]
>           rw:    cert:  "C=CH, O=strongSwan, CN=]
>           rw:   remote: uses public key authentication
>           rw:   child: 192.168.1.0/24 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
> 
> 
> Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
> 
> * Documentation:  https://help.ubuntu.com/
> 
> System information as of Thu Mar 19 05:03:50 MDT 2015
> 
> System load:  1.66               Processes:           206
> Usage of /:   22.5% of 73.21GB   Users logged in:     1
> Memory usage: 87%                IP address for eth0: x.x.x.x
> Swap usage:   9%                 IP address for ppp0: x.x.x.x
> 
> 
> Graph this data and manage this system at: 
> https://landscape.canonical.com/
> 
> 0 packages can be updated. 0 updates are security updates.
> 
> James

The EOLE project[1] is an Ubuntu-based distribution. We are certainly doing
something wrong. When I try strongSwan on a fresh Trusty installation,
there is no problem.
We are looking for help on the askubuntu site.

Thanks for the replies.


Footnotes:
[1] http://eole.orion.education.fr/diff/
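
An added example, not part of the original message or of strongSwan: one way to see what AppArmor actually refused for the stroke profile quoted in the thread. Because that profile carries flags=(audit), permitted accesses are logged too (as apparmor="AUDIT"), so the filter keeps only DENIED records. The log lines are constructed samples in the kernel's AppArmor audit format, the denied path is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list what AppArmor denied for a profile.
PROFILE='/usr/lib/ipsec/stroke'

# Constructed sample records in the kernel's AppArmor audit format.
# The denied path is a placeholder, not the cause of the poster's error.
sample_log() {
cat <<'EOF'
Mar 23 10:00:01 host kernel: [100.000001] type=1400 audit(1427101201.000:10): apparmor="AUDIT" operation="open" profile="/usr/lib/ipsec/stroke" name="/etc/strongswan.conf" pid=4242 comm="stroke" requested_mask="r" fsuid=0 ouid=0
Mar 23 10:00:01 host kernel: [100.000002] type=1400 audit(1427101201.000:11): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/placeholder/denied/path" pid=4242 comm="stroke" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 23 10:00:01 host kernel: [100.000003] type=1400 audit(1427101201.000:12): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/stroke" name="/placeholder/denied/path" pid=4243 comm="stroke" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 23 10:00:02 host kernel: [100.000004] type=1400 audit(1427101202.000:13): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/placeholder/other" pid=4300 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF
}

# apparmor_denials PROFILE < log
# Prints each distinct "operation name denied_mask" that was DENIED for
# PROFILE; a field missing from a record is shown as "-".
apparmor_denials() {
    awk -v prof="$1" '
    function field(key,    s) {
        # Extract the value of key="value", anchored on a leading space so
        # that "name" does not match inside another key.
        if (match($0, "(^| )" key "=\"[^\"]*\"")) {
            s = substr($0, RSTART, RLENGTH)
            sub("^ ?" key "=\"", "", s)
            sub("\"$", "", s)
            return s
        }
        return "-"
    }
    field("apparmor") == "DENIED" && field("profile") == prof {
        rec = field("operation") " " field("name") " " field("denied_mask")
        if (!(rec in seen)) { seen[rec] = 1; print rec }
    }'
}

# Demo on the sample; on a live host pipe in dmesg or the kernel log instead.
sample_log | apparmor_denials "$PROFILE"
```

Each distinct denial is printed once, so repeated runs of the failing command do not flood the output.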

