apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

I suspect you using kernel-libipsec which would explain why you are running into this, right? Could you please try the following:

cat << EOF | sudo tee -a /etc/apparmor.d/local/usr.sbin.swanctl
  # libcharon-extra-plugins: kernel-libipsec
  /dev/net/tun rw,
EOF
sudo apparmor_parser -rTW /etc/apparmor.d/usr.sbin.swanctl

Then restart strongswan?

If that fixes the problem, I'll submit a pull request. Setting as incomplete until then.

No, I'm not running kernel-libipsec.

My configured ipsec connections work despite the apparmor deny action.

If the libipsec plugin is not loaded then I cannot explain why it would try to use /dev/net/tun so it's hard to make a case of extending the profile.

There are only three components in strongSwan that open TUN devices, charon-xpc (on macOS), the kernel-pfroute plugin (also not on Linux but macOS and *BSD) and kernel-libipsec, as pointed out by Simon. However, swanctl has no business loading kernel plugins (it doesn't by default), as it is no IKE daemon. It just loads configs/credentials and passes them to the daemon via VICI. So no idea where this comes from, unless strongswan.conf or any includes are somehow messed up and swanctl loads that plugin inadvertently.

# grep -R kernel-libipsec /etc/strongswan.* /etc/swanctl/
/etc/strongswan.d/charon/kernel-libipsec.conf:kernel-libipsec {

The whole file /etc/strongswan.d/charon/kernel-libipsec.conf:
kernel-libipsec {
    load = no
}

Anything else that I could check?

That file is not relevant for swanctl (unless it was manually included, check the main strongswan.conf file). Check the output of `swanctl --help` (lists the plugins), use strace to see when exactly that access happens.

Hi Philipp,

Thank you for taking the time to file a bug report.

I was not able to reproduce the issue reported by you using the default configuration provided by the packages. Could you please provide your configuration files? They should live in:

- /etc/strongswan.d/
- /etc/swanctl/
- /etc/strongswan.conf
- /etc/ipsec.conf

You can also use dpkg to help you identify the modified files:

$ sudo dpkg --verify charon-systemd libcharon-extauth-plugins libcharon-extra-plugins libstrongswan strongswan-charon strongswan-libcharon strongswan-pki strongswan-starter strongswan-swanctl

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]