** Changed in: hundredpapercuts
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1587886
Title:
strongswan ipsec status issue with apparmor
To manage
This bug was fixed in the package strongswan - 5.3.5-1ubuntu4.1
---
strongswan (5.3.5-1ubuntu4.1) yakkety; urgency=medium
* fix strongswan ipsec status issue with apparmor (LP: #1587886)
-- Christian Ehrhardt Fri, 17 Feb 2017 07:43:22 +0100
**
This bug was fixed in the package strongswan - 5.3.5-1ubuntu3.1
---
strongswan (5.3.5-1ubuntu3.1) xenial; urgency=medium
* fix strongswan ipsec status issue with apparmor (LP: #1587886)
-- Christian Ehrhardt Tue, 07 Feb 2017 15:25:47 +0100
**
Ok,
I also tested the yakkety case as described in comment #36 - that is really a
good way to reproduce with a less complex setup.
Also thank you all for your participation in testing with the more complex
cases.
So for Xenial:
- VPN can be established with the fix
- ipsec status fixed
-
I can confirm NetworkManager-l2tp is working fine with the following
yakkety-proposed packages:
strongswan_5.3.5-1ubuntu4.1_all
strongswan-charon_5.3.5-1ubuntu4.1_amd64
strongswan-libcharon_5.3.5-1ubuntu4.1_amd64
strongswan-starter_5.3.5-1ubuntu4.1_amd64
Nevermind. Somehow, /var/run was not symlinked to /run on my system. I
fixed that and now there's no problem.
--
I think I'm running into the same issue, although I'm not using
NetworkManager.
I just installed strongswan and configured a VPN manually in
/etc/ipsec.conf
I'm getting the following errors when trying to start strongswan
5.3.5-1ubuntu3.1 using systemctl:
Feb 17 14:11:13 skipton systemd[1]:
Hello Douglas, or anyone else affected,
Accepted strongswan into yakkety-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu4.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package.
As far as NetworkManager-l2tp is concerned, I can confirm the strongswan
5.3.5-1ubuntu3.1 xenial-proposed package worked fine for me.
--
Brian, you are right - so far on my polling outside of this bug nobody seemed
to care.
But the change is rather small, low impact and more or less applies there as
well.
Sorry I punted that too easily, fixed and uploaded to the queue for yakkety as
strongswan_5.3.5-1ubuntu4.1.
--
Thanks, setting verification done.
** Tags removed: verification-needed
** Tags added: verification-done
** Also affects: strongswan (Ubuntu Yakkety)
Importance: Undecided
Status: New
--
I didn't try to reproduce the steps mentioned in comments 5-6 and 28-29
but I'm pretty confident that the above steps are equivalent. On another
note, I saw no regression with the -proposed version, thanks!
--
The simplest way I could think of to reproduce the issue:
1) systemctl edit strongswan
2) Enter the following to use the mount namespace:
[Service]
ProtectSystem=full
3) systemctl restart strongswan
4) Check dmesg for Apparmor denials, there should be none
5) "ipsec status" should list something
It looks like this also should be fixed in Yakkety, is that correct?
** Changed in: strongswan (Ubuntu Xenial)
Status: Triaged => Fix Committed
** Tags added: verification-needed
--
On Wed, Feb 8, 2017 at 10:30 AM, Dr. Jens Rosenboom
wrote:
> The unwrapped command is indeed doing fine in comparison:
Thanks for an extending look on that.
I'd assume that this also is the reason it shows up to begin with.
However the interaction of either
Hmm, strange, I retried with a new instance too, now after adding the
commands that you missed:
# add-apt-repository cloud-archive:newton
# apt update;apt install strongswan neutron-vpn-agent
# mkdir /tmp/test
# ip netns add testns
I can reproduce with the modified command
# ip netns exec
It is in the unapproved queue now, for this case especially please help
testing and verifying once it (hopefully) hits proposed.
--
** Description changed:
+ [Impact]
+
+ * Certain strongswan based vpn setups fail, especially those based on
+network-manager-l2tp or neutron-vpn-netns-wrapper
+
+ * The fix is opening up the apparmor profile slightly for charon and
+stroke where paths are disconnected
+
+ [Test
Thanks rosenboom,
but it seems one needs more than just that.
As just with the following it won't trigger:
1. new Xenial KVM Guest
2. $ apt install strongswan neutron-vpn-netns-wrapper
3. $ ip netns add testns
4. $ ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test"
Despite waiting for even better reproduction steps it passed
verifications and other regression tests - so it is ok to be at least
considered for SRU. Adding the SRU template now.
--
The packages from the ppa fix the issue for me. In order to reproduce,
install neutron-vpn-agent from Newton UCA and run:
# mkdir /tmp/test
# ip netns add testns
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"
2017-02-07 18:17:06.729 17492
I have all prepared but since I didn't have the case locally recreated I wanted
to ask one of you if you could try to pre-verify the fix via the ppa at:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2443/
--
Hi,
not sure what Neutron picked up - I'll ping one from the Cloud Archive Team.
Does it even have an own strongswan or just that from the Xenial Archive I'd
guess?
For Xenial in general an SRU makes sense.
The change itself is as simple as:
Checked - UCA has no "extra" strongswan backport, so Xenial SRU would
help you all.
** Changed in: strongswan (Ubuntu)
Assignee: ChristianEhrhardt (paelzer) => (unassigned)
** Changed in: strongswan (Ubuntu Xenial)
Assignee: (unassigned) => ChristianEhrhardt (paelzer)
--
This issue still appears when running neutron-vpnaas from Newton UCA on
Xenial, is there a chance to fix it for Xenial, too?
--
This bug was fixed in the package strongswan - 5.5.1-1ubuntu2
---
strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
* Update Maintainers which was missed while merging 5.5.1-1.
-- Christian Ehrhardt Mon, 19 Dec 2016 16:02:40 +0100
** Changed
AppArmor is a Linux kernel security module that allows administrators to
restrict programs' capabilities with per-program profiles.
Disabling the charon and stroke Apparmor profiles is just a workaround
that removes the restrictions including the issue you are having.
The other option is to edit the
Will disabling the charon and Apparmor profiles still let the VPN work? I
don't fully understand the technicality of this.
Thanks.
On Sun, Nov 20, 2016 at 12:22 AM, Douglas Kosovic
wrote:
> Sorry I gave bad advice, Apparmor complain mode won't help, it was the
>
Sorry I gave bad advice, Apparmor complain mode won't help, it was the
attach_disconnected in the patch which fixes the issue.
Simplest solution without patching is to disable the charon and stroke Apparmor
profiles as mentioned on:
https://github.com/nm-l2tp/network-manager-l2tp/wiki
--
If you are using network-manager-l2tp, the Apparmor strongswan issue is listed
in the known issues on the Wiki:
https://github.com/nm-l2tp/network-manager-l2tp/wiki
The patch just puts the AppArmor profiles for charon and stroke into
complain mode. The same can be achieved with the following
And this is the error I'm getting when trying to connect to my VPN:
Nov 19 17:49:48 aqm-Satellite-L750 kernel: [34630.268103] audit:
type=1400 audit(1479595788.404:535): apparmor="DENIED"
operation="sendmsg" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/lib/ipsec/charon"
Hello guys, I am new to Ubuntu and have landed here after doing some
search for the problems I'm having with my VPN.
I gather that there is a patch attached to this thread, how am I
supposed to install/apply it?
I am running 16.10 on a Toshiba L750D. Let me know if any other info is
required.
FYI - A merge of latest Debian plus this fix on top is currently in the
review queue for Zesty.
** Changed in: strongswan (Ubuntu)
Status: Triaged => In Progress
--
Douglas, Simon thanks for your great work on this already.
I'll try to look at integrating this on the coming (might take a bit still)
merge of strongswan.
** Changed in: strongswan (Ubuntu)
Assignee: (unassigned) => ChristianEhrhardt (paelzer)
--
This also affects Neutron VPNaaS (neutron-vpn-agent) - preventing VPNaaS
from working with strongswan on Xenial. flags=(attach_disconnected) on
/usr/lib/ipsec/stroke appears to resolve the issue.
--
** Changed in: strongswan (Ubuntu)
Importance: Undecided => High
** Also affects: hundredpapercuts
Importance: Undecided
Status: New
** Changed in: hundredpapercuts
Status: New => Triaged
** Changed in: hundredpapercuts
Importance: Undecided => High
--
Thanks Simon. Sorry I misunderstood.
** Changed in: strongswan (Ubuntu)
Status: Invalid => Triaged
--
Based on Douglas' last comment, I believe that the 2 Strongswan profiles
are missing the "flags=(attach_disconnected)" to make NetworkManager-l2tp
happy. The first patch needs a little cleanup but the bug is valid
IMHO.
--
Thanks to Simon and Douglas for figuring this out. Based on your
comments I think this bug should be marked Invalid then?
** Changed in: strongswan (Ubuntu)
Status: Incomplete => Invalid
--
Sorry, you are correct, I had forgotten I had changed to "complain" a
while back for the two profiles to help with debugging.
On a clean Ubuntu 16.04 install, I can confirm with just
flags=(attach_disconnected) for the two profiles, things work as
expected.
--
Hi Douglas, thanks for digging this down and providing a patch. The 2
profiles don't ship with any flags so you probably added "complain"
before generating your diff.
--
The attachment "/etc/apparmor.d/usr.lib.ipsec.* patch" seems to be a
patch. If it isn't, please remove the "patch" flag from the attachment,
remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.
[This is an automated message performed by a Launchpad
Somehow forgot the attachment, find attached.
** Patch added: "/etc/apparmor.d/usr.lib.ipsec.* patch"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886/+attachment/4690136/+files/usr.lib.ipsec.patch
--
I wasn't able to reproduce issue from the command-line with
NetworkManager-l2tp, it only happens after NetworkManager-l2tp restarts
strongSwan under NetworkManager.
Turns out it is the same NetworkManager issue as the following :
Doesn't appear to matter if bare metal PC or VM.
So far haven't been able to reproduce 'ipsec status' issue other than
using network-manager-l2tp, but need to do more comprehensive command-line
tests that mimic better what network-manager-l2tp is doing.
--
On 2016-06-01 10:24 AM, Douglas Kosovic wrote:
> UEFI Lenovo desktop PC is what I'm running Xenial on.
OK.
> I'm the new maintainer for network-manager-l2tp VPN plugin for NetworkManager :
> https://github.com/nm-l2tp/network-manager-l2tp
Oh nice!
> I started an IPSec/L2TP connection using
Hi Simon,
UEFI Lenovo desktop PC is what I'm running Xenial on.
I'm the new maintainer for network-manager-l2tp VPN plugin for NetworkManager :
https://github.com/nm-l2tp/network-manager-l2tp
I started an IPSec/L2TP connection using network-manager-l2tp before
issuing the 'sudo ipsec status'.
Hi Douglas,
I'm unable to reproduce this on a Xenial host. Are you running in a
container or something similar? Also, have you altered the strongswan
systemd unit?
** Changed in: strongswan (Ubuntu)
Status: New => Incomplete
--