Hello Anaëlle, as is mentioned in our documentation, capability dropping does not work with the updown script because the iptables command requires the process to be root. As a workaround you can configure static IPsec policy firewall rules using iptables as in the following example:
http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-suite-b-128/

which uses the static rules

  iptables -A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  iptables -A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

on the VPN gateway and

  iptables -A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  iptables -A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

on the VPN client.

Hope this helps.

Andreas

On 08/07/2013 05:29 PM, Anaelle POGNOT wrote:
> Hello,
>
> I was wondering if you could help me with a problem I have.
> I'm working on StrongSwan 5.0.4 and I was trying to run the test suite
> with a different configuration. In fact, I wanted to test the solution
> with charon running as another user/group than root. So, I added three
> options to the CONFIG_OPTS variable in
> testing/scripts/recipes/xxx_strongswan.mk
> (--with-user=charon --with-group=charon --with-capabilities=libcap) and
> one line at the end of the script testing/scripts/build-baseimage
> (execute_chroot "useradd charon", to be sure that the user charon exists).
>
> However, when I run the test suite, most of the tests fail when trying
> to run the ping command. It says:
> "ping: sendmsg: Operation not permitted"
>
> In the xx.daemon.log, I always have the same message:
> updown: iptables v1.4.14: can't initialize iptables table `filter':
> Permission denied (you must be root)
> updown: Perhaps iptables or your kernel needs to be upgraded.
>
> When I checked on the hosts, I realized that the file
> /etc/iptables.rules has the following default policy:
> # default policy is DROP
> -P INPUT DROP
> -P OUTPUT DROP
> -P FORWARD DROP
> If I change from DROP to ACCEPT on both sides, ping works.
>
> Am I doing something wrong / forgetting an option or something? Or
> doesn't the test suite work with these three options?
>
> Best regards,
>
> Anaëlle

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
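As an added example (not part of the thread or of the strongSwan test suite), the following shell function assembles the static policy-match rules from Andreas's reply into a complete iptables-restore ruleset for either role. It keeps the DROP default policies that the test hosts' /etc/iptables.rules installs, admits IKE (UDP 500/4500) and ESP between the peers so the tunnel can come up at all, and then accepts only inner traffic that the kernel has verified as IPsec-protected, so nothing has to be inserted by the updown script at runtime. The interface names (eth0 external, eth1 internal on the gateway), the loopback rules and the IKE/ESP rules are assumptions of this example, not taken from the test case.

```shell
#!/bin/sh
# Added example, not strongSwan project code.
# Emit an iptables-restore ruleset that keeps INPUT/OUTPUT/FORWARD at DROP
# but statically admits IPsec traffic via the policy match, so charon can
# run unprivileged with capabilities dropped and no updown iptables calls.
#
# Assumed: $2 is the interface facing the IPsec peer (e.g. eth0); for the
# gateway role, $3 is the interface towards the protected subnet (e.g. eth1).

ipsec_policy_rules() {
    role=$1     # "gateway" or "client"
    ext=$2      # interface facing the peer
    int=${3:-}  # inner interface, gateway only

    case $role in
    gateway|client) ;;
    *)
        echo "usage: ipsec_policy_rules gateway|client EXT_IF [INT_IF]" >&2
        return 1
        ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback (assumed baseline, not from the test case)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IKE (UDP 500, NAT-T on 4500) and ESP itself must pass in the clear
-A INPUT -i $ext -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -o $ext -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -i $ext -p esp -j ACCEPT
-A OUTPUT -o $ext -p esp -j ACCEPT
EOF

    if [ "$role" = gateway ]; then
        # decrypted traffic between the tunnel and the inner network
        cat <<EOF
-A FORWARD -i $ext -o $int -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -i $int -o $ext -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
    else
        # the host's own traffic, accepted only when protected by IPsec
        cat <<EOF
-A INPUT -i $ext -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o $ext -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
    fi
    echo COMMIT
}

# Usage (as root, once, before charon starts):
#   ipsec_policy_rules gateway eth0 eth1 | iptables-restore
#   ipsec_policy_rules client  eth0      | iptables-restore
```

Because the policy match is evaluated by the kernel on the already-decrypted packet, a plaintext packet arriving on eth0 that merely claims a tunnel source address still hits the DROP policy; only packets that actually came out of an ESP SA match `--pol ipsec`.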
_______________________________________________ Dev mailing list Dev@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/dev