Comment 2 for bug 1514794

Steven Bishop (sib-ubuntu-replies) wrote : Fwd: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change

Hi there,

Sending again as message didn't show up in the thread.

-------- Forwarded Message --------

Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Date: Thu, 28 Jan 2016 20:26:48 +0000
From: Steven Bishop <xxxxxxxxx@xxxxxx>
To: Bug 1514794 <email address hidden>

Hi Simon,

Thanks for your email.

Had a quick look back at the details.

I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
that I've got installed and running (post-the-patch).

The excerpt I took from "/var/log/syslog" at the time of the bug-report
showed that apparmor was blocking the dgram packets that the strongswan farp plugin
was trying to generate when I had a Road-Warrior client connected to the VPN
and pinging a LAN-side client.

Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :

    network packet dgram,

the ping wasn't getting any reply as apparmor was preventing the farp plugin
from generating the correct traffic for the ping to travel back from the LAN-side client
and across the VPN boundary.

Doing a quick :

$ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon

returns :

strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon

Looking in /var/log/auth.log, I can see that I installed :

     $ sudo apt-get install strongswan-ikev2

On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)

Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
so that working copy is actually newer than my bug-report.

I've pulled down a copy of that particular .deb and looked at
its copy of /etc/apparmor.d/usr.lib.ipsec.charon.

Looking at the version I've got installed I can see some notable style differences
in the layout of the file.
The '#include' statements are all grouped together.

I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
has been updated on the Trusty repo since that time.

By the way, the version currently available in the current Trusty repo has the 2 lines:

line-24:
     network,
line-25:
     network raw,

If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
making line-25 unnecessary?

[ ref : http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules ]

As long as the current version of the Strongswan package with farp-plugin installed
will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
then I would be 100% happy.

Kind Regards,

Steven

On 24/01/2016 23:12, Simon Déziel wrote:
> @Steven, is this still an issue? The diff you showed includes "# network
> all," but this is not in the released version of charon's profile. Maybe
> you had a locally modified profile when you ran into the issue?
>
> Since the charon's profile in Trusty allows all networking, I don't
> think that adding "network packet dgram," makes sense. Would you mind
> confirming if the problem happened with the stock profile or not?
>
> ** Changed in: strongswan (Ubuntu)
> Status: New => Incomplete
>
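An added helper, not from the bug thread or from strongSwan, for checking the question raised above about `network,` versus `network raw,`: it parses the allow-form network rules of an AppArmor profile, reports whether a given socket domain/type such as packet dgram is permitted, and lists rules subsumed by a broader one. The two profile texts are constructed sketches modelled on the lines quoted in the message, not the real Trusty or patched files.

```python
import re
from typing import List, Optional, Tuple

# Domains and socket types AppArmor accepts in "network [domain] [type]," rules
# (a subset of the policy reference list; "packet" is both a domain and a type).
DOMAINS = {"inet", "inet6", "packet", "unix", "netlink", "bluetooth", "key"}
TYPES = {"stream", "dgram", "seqpacket", "raw", "rdm", "packet"}
Rule = Tuple[Optional[str], Optional[str]]  # (domain, type); None means "any"

# Allow-form rules only: "deny network ..." lines and "#" comments are skipped.
_RULE = re.compile(r"^\s*(?:audit\s+)?network\b([^,#]*),")

def parse_network_rules(profile: str) -> List[Rule]:
    """Extract (domain, type) pairs from the network rules of a profile text."""
    rules: List[Rule] = []
    for line in profile.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        toks = m.group(1).split()
        domain = sock_type = None
        if toks and toks[0] in DOMAINS:  # first token names a domain, if any
            domain, toks = toks[0], toks[1:]
        if toks and toks[0] in TYPES:
            sock_type = toks[0]
        rules.append((domain, sock_type))
    return rules

def _subsumes(broad: Rule, narrow: Rule) -> bool:
    (bd, bt), (d, t) = broad, narrow
    return (bd is None or bd == d) and (bt is None or bt == t)

def permits(rules: List[Rule], domain: str, sock_type: str) -> bool:
    """True if some rule covers the given socket domain and type."""
    return any(_subsumes(r, (domain, sock_type)) for r in rules)

def redundant_rules(rules: List[Rule]) -> List[Rule]:
    """Rules already covered by a different, broader rule in the same profile."""
    return [r for r in rules if any(b != r and _subsumes(b, r) for b in rules)]

# Constructed sketches (assumed layout, not the real files) of the two variants.
TRUSTY_STYLE = """/usr/lib/ipsec/charon {
  #include <abstractions/base>
  network,
  network raw,
}
"""
PATCHED_RAW_ONLY = """/usr/lib/ipsec/charon {
  network raw,
  network packet dgram,
}
"""
```

With the blanket `network,` present, `network raw,` is reported as redundant and packet/dgram is already permitted; without it, only the added `network packet dgram,` rule covers the farp plugin's sockets.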