Hi,
I'm sorry to bother you again on this topic, but I really would like to get it
to work as non-privileged user.
Charon on the other hand, works like a charm, sadly pluto doesn't.
This is my setup now:
strongswan runs as user vpn
In ipsec.conf, I added: leftupdown=sudo ipsec _updown
In /etc/sudoers, I added: vpn ALL = NOPASSWD: /usr/local/sbin/ipsec
Still I get the error below on the interface version.
Can you please help me with this? Any idea is appreciated.
thank you very much
kind regards,
Claude
On Friday 09 July 2010 11:32:19 Claude Tompers wrote:
Hi,
I still get that unknown interface version error if I'm trying to start
pluto as non-privileged user, followed by the deletion of the SA.
Is there some fix to my issue or do I have to run strongswan as root as long
as I use pluto ?
thanks a lot for your help
kind regards,
Claude
On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
Hi,
I've had it already compiled with --with-capabilities=libcap .
I've tried sudo'ing and it has changed something, but I think some bits are
still missing.
Here's the new log error:
Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'
Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client command exited with status 2
Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 3: No such process
Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe expired)
Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe expired)
kind regards
Claude
On Friday 02 July 2010 12:13:21 Martin Willi wrote:
Hi,
I've compiled strongswan with user vpn and group vpn.
If you use non-root users, you'll need support for capability handling
too. Add --with-capabilities=libcap to ./configure.
route-client output: Not sufficient rights to flush
It is not possible to propagate the capabilities to the updown script.
Pluto uses the updown script not only for firewalling, but also for
route installation.
You'll have to run the updown script with root privileges. Never tried
it, but file system based capability settings might work. Another
alternative is to define
leftupdown=sudo ipsec _updown
and configure sudo accordingly.
Regards
Martin
--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
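
Added example, not part of the original thread and not strongSwan code: the empty version in the "unknown interface version `'" error is what a script sees when its caller's environment is scrubbed on the way in, as sudo's default env_reset does. The variable name PLUTO_VERSION, the stub check and all values are assumptions made for illustration; env -i stands in for sudo.

```shell
#!/bin/sh
# Added example, not strongSwan code. Assumption: the daemon passes the
# interface version to the updown script in an environment variable,
# called PLUTO_VERSION here. Values below are constructed.

# Write a stand-in for the script's version check to a temp file.
make_stub() {
    stub_path=$(mktemp) || return 1
    cat > "$stub_path" <<'EOF'
case "$PLUTO_VERSION" in
    1.*) exit 0 ;;
    *)   echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
         exit 2 ;;
esac
EOF
    echo "$stub_path"
}

# Direct call: the exported variables reach the script.
run_direct() (
    export PLUTO_VERSION=1.1 PLUTO_VERB=up-client
    /bin/sh "$1"
)

# env -i stands in for sudo's env_reset default, which drops variables
# that are not on its keep list.
run_scrubbed() (
    export PLUTO_VERSION=1.1 PLUTO_VERB=up-client
    env -i /bin/sh "$1"
)

# Same scrubbed call with an explicit allow-list, the analogue of an
# env_keep entry in sudoers.
run_kept() (
    export PLUTO_VERSION=1.1 PLUTO_VERB=up-client
    env -i PLUTO_VERSION="$PLUTO_VERSION" PLUTO_VERB="$PLUTO_VERB" /bin/sh "$1"
)

stub=$(make_stub) || exit 1
for mode in direct scrubbed kept; do
    if "run_$mode" "$stub" 2>/dev/null; then result=ok; else result="exit $?"; fi
    echo "$mode: $result"
done
rm -f "$stub"
```

If the real script reads its parameters this way, the sudoers entry needs an env_keep list naming exactly those variables. The rule quoted in the thread also lets the vpn user run every ipsec subcommand as root, not only _updown.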