[strongSwan] Running strongswan (charon) with non-root privileges fails to communicate with kernel

Sandesh Sawant sandesh.sawant at gmail.com
Thu Jun 29 14:36:30 CEST 2017


Hi,

I am trying to run strongSwan 5.5.2 with non-root privileges as per
https://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
(i.e. configured it with --with-user=vpn --with-group=vpn).
My linux kernel version is: 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I see that charon is running as root in the ps command output:

vpn  13988  0.0  0.2 762140  6056 ?        Ssl  12:37   0:00 /usr/local/libexec/ipsec/charon --use-syslog

However, it fails the IKE negotiation with the log messages below:

Jun 29 11:32:38 UB-SS-1604 charon: 12[IKE] establishing CHILD_SA rbvti2
Jun 29 11:32:38 UB-SS-1604 charon: 12[KNL] allocating SPI failed: Operation not permitted (1)
Jun 29 11:32:38 UB-SS-1604 charon: 12[KNL] unable to get SPI
Jun 29 11:32:38 UB-SS-1604 charon: 12[IKE] unable to allocate SPIs from kernel

I read https://wiki.strongswan.org/issues/996 and added the CAP_NET_ADMIN
capability to the charon binary, but no luck after that:

root at UB-SS-1604:~# setcap cap_net_admin,cap_net_raw=ep /usr/local/libexec/ipsec/charon
root at UB-SS-1604:~# getcap /usr/local/libexec/ipsec/charon
/usr/local/libexec/ipsec/charon = cap_net_admin,cap_net_raw+ep
root at UB-SS-1604:~# ls -l /usr/local/libexec/ipsec/charon
-rwxr-xr-x 1 root root 113136 Jun 28 13:12 /usr/local/libexec/ipsec/charon
root at UB-SS-1604:~#

Any idea what else is missing and how I can debug it further to root-cause
the issue?

Thanks,
Sandesh
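Added example (not from the original post and not strongSwan project code): a POSIX sh script that decodes the CapEff line of a /proc/<pid>/status file and reports whether the running process actually holds CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13). getcap only shows the capability set stored on the binary file; CapEff shows what the process retained after it switched to the vpn user, and that is the set the kernel consults when charon asks for an SPI. The two sample status files, the function names and the capability bit numbers (taken from linux/capability.h) are constructed for the example.

```shell
#!/bin/sh
# Added example: check the effective capability set of a running process
# from a /proc/<pid>/status-style file, instead of the file capabilities
# that getcap reports on the binary.

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in the hex mask
cap_in_mask() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# capeff_of FILE -> print the hex CapEff mask found in a status file
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# check_charon_caps FILE -> one line per capability; exit 0 only if both present
check_charon_caps() {
    f="$1"
    mask=$(capeff_of "$f") || return 2
    [ -n "$mask" ] || { echo "no CapEff line in $f" >&2; return 2; }
    rc=0
    for pair in "cap_net_admin:$CAP_NET_ADMIN" "cap_net_raw:$CAP_NET_RAW"; do
        name=${pair%%:*}; bit=${pair##*:}
        if cap_in_mask "$mask" "$bit"; then
            echo "$name: present"
        else
            echo "$name: MISSING"; rc=1
        fi
    done
    return $rc
}

# Constructed sample status files (not captured from a real system).
# 0x3000 = bits 12 and 13 set; 0x0 = all capabilities dropped.
SAMPLE_OK=$(mktemp); SAMPLE_BAD=$(mktemp)
printf 'Name:\tcharon\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000003000\n' > "$SAMPLE_OK"
printf 'Name:\tcharon\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n' > "$SAMPLE_BAD"

echo "== constructed status: caps retained after dropping to user vpn =="
check_charon_caps "$SAMPLE_OK"
echo "== constructed status: caps lost =="
check_charon_caps "$SAMPLE_BAD" || echo "(process lacks the capability the kernel checks for SPI allocation)"
```

On a live system, point check_charon_caps at /proc/$(pidof charon)/status (pid lookup assumed); a binary that shows cap_net_admin+ep under getcap but whose process shows it MISSING in CapEff indicates the capability was dropped during the user switch rather than never granted.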