[Bug 1549436] Re: AppArmor kills StronSwan daemon 'charon'
ruslan_ka
1549436 at bugs.launchpad.net
Fri Feb 26 18:11:36 UTC 2016
> I have no idea what can cause this access to /dev/tty. I never ran into
> this problem on my own server which is similar minus the EAP/RADIUS
> part, I use xauth-generic only.
xauth-eap works in a different way. It takes the clear-text password from the client and makes an EAP request to a RADIUS server (in my case EAP-MSCHAPv2). It allows user passwords to be stored encrypted.
A quick look through the code shows many uses of stdout (as an example), but
I'm not expert enough to analyze them
(https://git.strongswan.org/?p=strongswan.git&a=search&h=ddf1fc7692889298e04a4c799bf0c2f67b61ebe9&st=grep&s=stdout).
> As such, I'd recommend something like this:
> dpdtimeout=15s
> dpddelay=5s
Thanks for noticing this.
> Again, not related but aren't the 2 rightsourceip= overlapping?
It is a StrongSwan feature. It manages the IP pool as shared in such a case. You can either use
rightsourceip=%poolname
or just use an identical definition in rightsourceip, and StrongSwan will share the same pool implicitly.
> I honestly don't know why charon tries to access /dev/tty. Are you able
> to see that message on the console or the upstart log when the Apparmor
> profile is disabled?
With the AppArmor profile disabled everything works pretty well.
Right now I've just managed to catch this error predictably, and it is
not related to the xauth-eap module!
Server 1 (where the error occurs) with almost the same config. Added a
load-testing section:
$ sudo cat /etc/ipsec.conf | grep -v '^\s*#' | grep .
config setup
    strictcrlpolicy=yes
    uniqueids = no
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    inactivity = 60s
    dpdaction = clear
    dpdtimeout = 6s
    dpddelay = 5s
conn ikev1-psk-xauth
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid=@test-vpn.server.name
    leftauth=psk
    right=%any
    rightsourceip=10.0.0.0/9
    rightauth=psk
    rightauth2=xauth-eap
    auto=add
conn ikev2-with-eap
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid="C=US, O=server, OU=VPN Dept, CN=test-vpn.server.name, E=admin at server.name"
    leftauth=pubkey
    leftcert=test-vpn.server.name.pem
    right=%any
    rightsourceip=10.0.0.0/16
    rightsendcert=never
    rightauth=eap-radius
    eap_identity=%identity
    auto=add
conn ikev2-with-eap-loadtest
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid="CN=srv, OU=load-test, O=strongSwan"
    leftauth=pubkey
    leftcert=resp.pem
    right=%any
    rightsourceip=10.0.0.0/16
    rightsendcert=never
    rightauth=eap-radius
    eap_identity=%identity
    auto=add
$ sudo cat /etc/ipsec.secrets | grep -v '^\s*#' | grep .
: RSA test-vpn.server.name.pem
: RSA resp.pem
test-vpn.server.name : PSK "testtest"
All the rest is the same.
Server 2 - load-tester:
$ sudo cat /etc/ipsec.conf | grep -v '^\s*#' | grep .
config setup
$ sudo cat /etc/strongswan.d/charon/load-tester.conf | grep -v '^\s*#' | grep .
load-tester {
    child_rekey = 60
    delay = 500
    delete_after_established = no
    dpd_delay = 20
    eap_password = SECRET
    enable = yes
    ike_rekey = 0
    init_limit = 100000
    initiator_auth = eap-mschap
    initiator_id = loadtest-%d
    issuer_cert = /etc/ipsec.d/cacerts/cacert.pem
    ca_dir = /etc/ipsec.d/cacerts/
    load = yes
    mode = tunnel
    preshared_key = test123
    proposal = aes128-sha1-modp2048
    request_virtual_ip = yes
    responder = x.x.x.x
    responder_auth = pubkey
    shutdown_when_complete = yes
    version = 0
    addrs {
    }
}
As you can see, ikev2-with-eap is used for load testing. Under some load (about 150 users connecting at a 10 ms interval) I can see the same errors in the log:
$ sudo cat /var/log/syslog | grep -B 3 -A 2 DENIED
Feb 26 17:22:12 test-vpn-01 charon: 16[NET] received packet: from 172.31.62.150[500] to 172.31.59.95[500] (76 bytes)
Feb 26 17:22:12 test-vpn-01 charon: 16[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Feb 26 17:22:12 test-vpn-01 charon: 16[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Feb 26 17:22:12 test-vpn-01 kernel: [ 779.054434] type=1400 audit(1456507332.177:18): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=4396 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:22:17 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:22:17 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:26:48 test-vpn-01 charon: 06[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 charon: 04[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 charon: 03[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.002410] type=1400 audit(1456507608.125:19): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5666 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.003152] type=1400 audit(1456507608.125:20): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5665 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:53 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:26:53 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:56:16 test-vpn-01 charon: 05[NET] ignoring IKE_SA setup from 172.31.62.150, peer too aggressive
Feb 26 17:56:16 test-vpn-01 vpn: + loadtest-141 10.0.0.127/32 == 172.31.62.150 -- 172.31.59.95
Feb 26 17:56:16 test-vpn-01 charon: 16[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:56:16 test-vpn-01 kernel: [ 2823.186497] type=1400 audit(1456509376.309:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=7829 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:56:21 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:56:21 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
--
Feb 26 17:56:43 test-vpn-01 charon: 06[CFG] received RADIUS Accounting-Response from server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 charon: 11[CFG] sending RADIUS Accounting-Request to server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 charon: 13[CFG] received RADIUS Accounting-Response from server '127.0.0.1'
Feb 26 17:56:43 test-vpn-01 kernel: [ 2850.013558] type=1400 audit(1456509403.137:22): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=16398 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:56:48 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:56:48 test-vpn-01 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
I can provide any additional information about this system or do
some tests.
BR
Ruslan.
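The syslog excerpt above has a regular shape worth pulling out mechanically: every `apparmor="DENIED"` record against `/usr/lib/ipsec/charon` is followed five seconds later by a `Starting IKE charon daemon` line, i.e. the daemon went away and was started again. The script below is an added example, not code from the bug report or from the strongSwan or AppArmor projects. It parses the kernel audit records (key="value" fields), correlates each denial with the next charon start-up line, and emits the candidate AppArmor file rule (path plus denied mask) an administrator would review before adding it to the profile. The log lines embedded in it are constructed from the ones quoted above; the `MASK_TO_PERM` translation and the `summarize` helper are this example's own assumptions.

```python
"""Extract AppArmor DENIED events from a syslog excerpt, correlate them with charon
restarts, and print candidate profile rules for review."""
import re
import sys
from datetime import datetime

# Constructed sample, modelled on the syslog lines quoted in the bug report.
SAMPLE_LOG = """\
Feb 26 17:22:12 test-vpn-01 charon: 16[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Feb 26 17:22:12 test-vpn-01 kernel: [ 779.054434] type=1400 audit(1456507332.177:18): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=4396 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:22:17 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.002410] type=1400 audit(1456507608.125:19): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5666 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:48 test-vpn-01 kernel: [ 1055.003152] type=1400 audit(1456507608.125:20): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=5665 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 26 17:26:53 test-vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-74-generic, x86_64)
"""

# "Feb 26 17:22:12 test-vpn-01 " -> syslog timestamp and host
SYSLOG_HEAD = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
# key="quoted value" or key=bare_value inside the audit record
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
RESTART_MARK = "Starting IKE charon daemon"
# Assumption: audit mask letters for create/delete correspond to write access in a
# file rule. Execute ('x') needs an ix/px/ux qualifier and is deliberately not emitted.
MASK_TO_PERM = {"c": "w", "d": "w"}


def syslog_time(stamp):
    """syslog carries no year; the value only has to be ordered within one excerpt."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def parse_denials(text):
    """Return one dict per apparmor="DENIED" record, in log order."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        head = SYSLOG_HEAD.match(line)
        if not head:
            continue
        fields = {k: (q if q else u) for k, q, u in AUDIT_KV.findall(line)}
        ident = AUDIT_ID.search(line)
        events.append({
            "time": syslog_time(head.group(1)),
            "host": head.group(2),
            "epoch": float(ident.group(1)) if ident else None,
            "profile": fields.get("profile"),
            "operation": fields.get("operation"),
            "name": fields.get("name"),
            "pid": fields.get("pid"),
            "comm": fields.get("comm"),
            "denied_mask": fields.get("denied_mask", ""),
        })
    return events


def parse_restarts(text):
    """Timestamps of every charon start-up line."""
    times = []
    for line in text.splitlines():
        head = SYSLOG_HEAD.match(line)
        if head and RESTART_MARK in line:
            times.append(syslog_time(head.group(1)))
    return times


def restart_lag(denials, restarts):
    """Seconds from each denial to the next charon start-up, or None if none followed."""
    lags = []
    for d in denials:
        following = [r for r in restarts if r >= d["time"]]
        lags.append((min(following) - d["time"]).total_seconds() if following else None)
    return lags


def suggest_rules(denials):
    """Candidate AppArmor file rules, one per (path, permission set), for human review."""
    rules = set()
    for d in denials:
        if not d["name"] or not d["name"].startswith("/"):
            continue
        letters = {MASK_TO_PERM.get(ch, ch) for ch in d["denied_mask"]}
        perms = "".join(p for p in "rwlkm" if p in letters)  # canonical order
        if perms:
            rules.add(f"{d['name']} {perms},")
    return sorted(rules)


def summarize(text):
    denials = parse_denials(text)
    by_profile = {}
    for d in denials:
        by_profile[d["profile"]] = by_profile.get(d["profile"], 0) + 1
    return {
        "denials": by_profile,
        "rules": suggest_rules(denials),
        "restart_lag_s": restart_lag(denials, parse_restarts(text)),
    }


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(text)
    for profile, count in report["denials"].items():
        print(f"{count} denials under profile {profile}")
    for d, lag in zip(parse_denials(text), report["restart_lag_s"]):
        print(f"  pid {d['pid']} {d['operation']} {d['name']} ({d['denied_mask']}), "
              f"next charon start-up after {lag}s")
    print("candidate rules for review:")
    for rule in report["rules"]:
        print("  " + rule)
```

Run it as `grep -B 3 -A 2 DENIED /var/log/syslog | python3 apparmor_denials.py` to process a real excerpt. The emitted rule is only a candidate: whether charon should be allowed `/dev/tty` at all is the profile author's call, and on a host with apparmor-utils installed `aa-logprof` offers the same decision interactively.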
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1549436
Title:
AppArmor kills StronSwan daemon 'charon'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1549436/+subscriptions
More information about the Ubuntu-server-bugs
mailing list