[Bug 1549436] Re: AppArmor kills StronSwan daemon 'charon'
ruslan_ka
1549436 at bugs.launchpad.net
Thu Feb 25 15:50:45 UTC 2016
The server serves only incoming VPN requests; it is for mobile road-warriors. And the error does not occur right after starting strongSwan or bringing tunnels up, so it makes no sense whether it runs with auto=add or not.
strongSwan is serving clients OK. It works for a long time until the first DENIAL. It looks like it is somehow related to reauthentication of an xauth iOS client, but I can't reproduce it. Sometimes the client can reauth OK, as I can see in the logs, but sometimes right after a successful reauth I see this error. There are about 5 active clients right now with 20-30 connections per day, and the server gives me the error once or twice per day. I would not even have noticed it if it did not break accounting at RADIUS.
If ipsec runs in debug mode on the console (--nofork) I don't get this error.
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
: RSA vpn.server.name.pem
vpn.server.name : PSK "simpletestpsk"
$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    strictcrlpolicy=yes
    # uniqueids = no

# default options
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    inactivity = 60s
    dpdaction = clear
    dpdtimeout = 5s
    dpddelay = 5s

# Add connections here.
conn ikev1-psk-xauth
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid=@vpn.server.name
    leftauth=psk
    right=%any
    rightsourceip=10.0.0.0/9
    rightauth=psk
    rightauth2=xauth-eap
    auto=add

conn ikev2-with-eap
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid="C=US, O=Server.name.co, OU=VPN Dept, CN=vpn.server.name, E=admin at server.name"
    leftauth=pubkey
    leftcert=vpn.server.name.pem
    right=%any
    rightsourceip=10.0.0.0/16
    rightsendcert=never
    rightauth=eap-radius
    eap_identity=%identity
    auto=add
$ sudo cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
}
include strongswan.d/*.conf
$ sudo cat /etc/strongswan.d/charon.conf | grep -v '^[[:space:]]*#'| grep .
charon {
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}
$ sudo cat /etc/strongswan.d/charon/xauth-eap.conf | grep -v '^[[:space:]]*#'| grep .
xauth-eap {
    backend = radius
    load = yes
}
$ sudo cat /etc/strongswan.d/charon/eap-radius.conf | grep -v '^[[:space:]]*#'| grep .
eap-radius {
    accounting = yes
    load = yes
    port = 1812
    secret = secret
    server = 127.0.0.1
    sockets = 1000
    dae {
        enable = yes
        listen = 0.0.0.0
        port = 3799
        secret = dae_secret
    }
    forward {
    }
    servers {
    }
    xauth {
    }
}
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1549436
Title:
AppArmor kills StronSwan daemon 'charon'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1549436/+subscriptions
More information about the Ubuntu-server-bugs mailing list
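One way to narrow down an intermittent denial like the one reported above is to pull the AppArmor audit records for the charon profile out of the kernel log and count them by operation and target, so that a hit that only happens once or twice a day still stands out. The script below is an added example, not code from the bug report, from Ubuntu or from strongSwan. The log lines in it are constructed for illustration: /usr/lib/ipsec/charon is the name of Ubuntu's strongSwan AppArmor profile, but the file names, ports, pids and timestamps are assumed. suggested_rule is a hypothetical helper that turns a record into a candidate line for a local profile override (the Ubuntu convention is /etc/apparmor.d/local/usr.lib.ipsec.charon); it is a starting point for review, not a rule to apply blindly.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines in AppArmor's audit format. The profile
# path is Ubuntu's strongSwan profile; every other value is assumed.
SAMPLE_LOG = """\
Feb 25 15:50:45 vpn kernel: [12345.678] audit: type=1400 audit(1456415445.123:101): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 15:50:46 vpn kernel: [12346.001] audit: type=1400 audit(1456415446.456:102): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/strongswan.conf" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 15:51:02 vpn kernel: [12362.555] audit: type=1400 audit(1456415462.789:103): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/ipsec/charon" pid=1234 comm="charon" lport=1812 family="inet" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send"
Feb 25 15:51:03 vpn kernel: [12363.000] audit: type=1400 audit(1456415463.000:104): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=1234 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 15:51:10 vpn sshd[999]: Accepted publickey for admin from 192.0.2.10 port 50000
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of an AppArmor audit record, or None
    for lines that are not AppArmor records at all."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials(log_text, profile=None):
    """Yield parsed DENIED records, optionally restricted to one profile.
    ALLOWED records (what a profile in complain mode logs) are skipped."""
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if profile is not None and rec.get("profile") != profile:
            continue
        yield rec


def target_of(rec):
    """Describe what the denied operation touched: a path for file operations,
    address family/socket type/local port for network operations."""
    if "name" in rec:
        return rec["name"]
    return f'{rec.get("family")} {rec.get("sock_type")} lport={rec.get("lport")}'


def summarize_denials(log_text, profile=None):
    """Count denials by (operation, target) so repeated hits stand out."""
    counts = Counter()
    for rec in denials(log_text, profile):
        counts[(rec.get("operation"), target_of(rec))] += 1
    return counts


def suggested_rule(rec):
    """Hypothetical helper: turn one denial record into a candidate AppArmor rule
    for a local override file. File rules use the denied mask; network rules use
    the family and socket type. Returns None for record types it does not cover."""
    if "name" in rec:
        return f'{rec["name"]} {rec.get("denied_mask", "r")},'
    if rec.get("family") and rec.get("sock_type"):
        return f'network {rec["family"]} {rec["sock_type"]},'
    return None


if __name__ == "__main__":
    charon = "/usr/lib/ipsec/charon"
    for (operation, target), n in summarize_denials(SAMPLE_LOG, charon).most_common():
        print(f"{n:3d}  {operation:<10} {target}")
    print("candidate rules:")
    seen = set()
    for rec in denials(SAMPLE_LOG, charon):
        rule = suggested_rule(rec)
        if rule and rule not in seen:
            seen.add(rule)
            print("   ", rule)
```

Feed it the output of `journalctl -k` or /var/log/kern.log instead of SAMPLE_LOG. If the profile has been switched to complain mode the records read ALLOWED rather than DENIED, which is why the filter keys on the apparmor field and not merely on the profile name.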