Comment 4 for bug 1549436

ruslan_ka (r-kalakutsky) wrote : Re: AppArmor kills StronSwan daemon 'charon'

The server serves only incoming VPN requests; it is for mobile road-warriors. The error does not occur right after starting strongSwan or bringing tunnels up, so whether the connections run with auto=add or not makes no difference.

strongSwan serves clients fine. It works for a long time until the first DENIAL. It looks like it is somehow related to reauthentication of an XAuth iOS client, but I can't reproduce it on demand. Sometimes the client reauthenticates OK, as I can see in the logs, but sometimes right after a successful reauth I see this error. There are about 5 active clients right now with 20-30 connections per day, and the server gives me the error once or twice per day. I would not even have noticed it if it did not break accounting at RADIUS.

If ipsec runs in debug mode on the console (--nofork) I don't get this error.

$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

: RSA vpn.server.name.pem
vpn.server.name : PSK "simpletestpsk"

$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
 strictcrlpolicy=yes
 # uniqueids = no

# default options

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        inactivity = 60s
        dpdaction = clear
        dpdtimeout = 5s
        dpddelay = 5s

# Add connections here.

conn ikev1-psk-xauth
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        <email address hidden>
        leftauth=psk
        right=%any
        rightsourceip=10.0.0.0/9
        rightauth=psk
        rightauth2=xauth-eap
        auto=add

conn ikev2-with-eap
        keyexchange=ikev2
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftid="C=US, O=Server.name.co, OU=VPN Dept, CN=vpn.server.name, <email address hidden>"
        leftauth=pubkey
        leftcert=vpn.server.name.pem
        right=%any
        rightsourceip=10.0.0.0/16
        rightsendcert=never
        rightauth=eap-radius
        eap_identity=%identity
        auto=add

$ sudo cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
 load_modular = yes
 plugins {
  include strongswan.d/charon/*.conf
 }
 dns1 = 8.8.8.8
}

include strongswan.d/*.conf

$ sudo cat /etc/strongswan.d/charon.conf | grep -v '^[[:space:]]*#'| grep .
charon {
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}

$ sudo cat /etc/strongswan.d/charon/xauth-eap.conf | grep -v '^[[:space:]]*#'| grep .
xauth-eap {
    backend = radius
    load = yes
}

$ sudo cat /etc/strongswan.d/charon/eap-radius.conf | grep -v '^[[:space:]]*#'| grep .
eap-radius {
    accounting = yes
    load = yes
    port = 1812
    secret = secret
    server = 127.0.0.1
    sockets = 1000
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
        secret = dae_secret
    }
    forward {
    }
    servers {
    }
    xauth {
    }
}