[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-04-09 Thread Amr Ibrahim
** Changed in: hundredpapercuts Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1587886 Title: strongswan ipsec status issue with apparmor To manage

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-27 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.3.5-1ubuntu4.1 --- strongswan (5.3.5-1ubuntu4.1) yakkety; urgency=medium * fix strongswan ipsec status issue with apparmor (LP: #1587886) -- Christian Ehrhardt Fri, 17 Feb 2017 07:43:22 +0100 **

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-23 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.3.5-1ubuntu3.1 --- strongswan (5.3.5-1ubuntu3.1) xenial; urgency=medium * fix strongswan ipsec status issue with apparmor (LP: #1587886) -- Christian Ehrhardt Tue, 07 Feb 2017 15:25:47 +0100 **

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-19 Thread ChristianEhrhardt
Ok, I also tested the yakkety case as described in comment #36 - that is really a good way to reproduce with a less complex setup. Also thank you all for your participation in testing with the more complex cases. So for Xenial: - VPN can be established with the fix - ipsec status fixed -

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-17 Thread Douglas Kosovic
I can confirm NetworkManager-l2tp is working fine with the following yakkety-proposed packages: strongswan_5.3.5-1ubuntu4.1_all strongswan-charon_5.3.5-1ubuntu4.1_amd64 strongswan-libcharon_5.3.5-1ubuntu4.1_amd64 strongswan-starter_5.3.5-1ubuntu4.1_amd64

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-17 Thread Jethro Beekman
Never mind. Somehow, /var/run was not symlinked to /run on my system. I fixed that and now there's no problem.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-17 Thread Jethro Beekman
I think I'm running into the same issue, although I'm not using NetworkManager. I just installed strongswan and configured a VPN manually in /etc/ipsec.conf I'm getting the following errors when trying to start strongswan 5.3.5-1ubuntu3.1 using systemctl: Feb 17 14:11:13 skipton systemd[1]:

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-17 Thread Brian Murray
Hello Douglas, or anyone else affected, Accepted strongswan into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu4.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-17 Thread Douglas Kosovic
As far as NetworkManager-l2tp is concerned, I can confirm the strongswan 5.3.5-1ubuntu3.1 xenial-proposed package worked fine for me.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-16 Thread ChristianEhrhardt
Brian, you are right - so far on my polling outside of this bug nobody seemed to care. But the change is rather small, low impact and more or less applies there as well. Sorry I punted that too easily, fixed and uploaded to the queue for yakkety as strongswan_5.3.5-1ubuntu4.1.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-16 Thread ChristianEhrhardt
Thanks, setting verification done. ** Tags removed: verification-needed ** Tags added: verification-done ** Also affects: strongswan (Ubuntu Yakkety) Importance: Undecided Status: New

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-16 Thread Simon Déziel
I didn't try to reproduce the steps mentioned in comments 5-6 and 28-29 but I'm pretty confident that the above steps are equivalent. On another note, I saw no regression with the -proposed version, thanks!

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-16 Thread Simon Déziel
The simplest way I could think of to reproduce the issue:
1) systemctl edit strongswan
2) Enter the following to use the mount namespace:
   [Service]
   ProtectSystem=full
3) systemctl restart strongswan
4) Check dmesg for Apparmor denials, there should be none
5) "ipsec status" should list something

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-16 Thread Brian Murray
It looks like this also should be fixed in Yakkety, is that correct? ** Changed in: strongswan (Ubuntu Xenial) Status: Triaged => Fix Committed ** Tags added: verification-needed

Re: [Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread ChristianEhrhardt
On Wed, Feb 8, 2017 at 10:30 AM, Dr. Jens Rosenboom wrote:
> The unwrapped command is indeed doing fine in comparison:
Thanks for an extending look on that. I'd assume that this also is the reason it shows up to begin with. However the interaction of either

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread Dr. Jens Rosenboom
Hmm, strange, I retried with a new instance too, now after adding the commands that you missed:
# add-apt-repository cloud-archive:newton
# apt update;apt install strongswan neutron-vpn-agent
# mkdir /tmp/test
# ip netns add testns
I can reproduce with the modified command
# ip netns exec

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread ChristianEhrhardt
It is in the unapproved queue now, for this case especially please help testing and verifying once it (hopefully) hits proposed.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread ChristianEhrhardt
** Description changed: + [Impact] + + * Certain strongswan based vpn setups fail, especially those based on +network-manager-l2tp or neutron-vpn-netns-wrapper + + * The fix is opening up the apparmor profile slightly for charon and +stroke where paths are disconnected + + [Test

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread ChristianEhrhardt
Thanks rosenboom, but it seems one needs more than just that. As just with the following it won't trigger:
1. new Xenial KVM Guest
2. $ apt install strongswan neutron-vpn-netns-wrapper
3. $ ip netns add testns
4. $ ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test"

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-08 Thread ChristianEhrhardt
Despite waiting for even better reproduction steps it passed verifications and other regression tests - so it is ok to be at least considered for SRU. Adding the SRU template now.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-07 Thread Dr. Jens Rosenboom
The packages from the ppa fix the issue for me. In order to reproduce, install neutron-vpn-agent from Newton UCA and run:
# mkdir /tmp/test
# ip netns add testns
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"
2017-02-07 18:17:06.729 17492

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-07 Thread ChristianEhrhardt
I have all prepared but since I didn't have the case locally recreated I wanted to ask one of you if you could try to pre-verify the fix via the ppa at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2443/

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-07 Thread ChristianEhrhardt
Hi, not sure what Neutron picked up - I'll ping one from the Cloud Archive Team. Does it even have an own strongswan or just that from the Xenial Archive I'd guess? For Xenial in general an SRU makes sense. The change itself is as simple as:

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-07 Thread ChristianEhrhardt
Checked - UCA has no "extra" strongswan backport, so Xenial SRU would help you all. ** Changed in: strongswan (Ubuntu) Assignee: ChristianEhrhardt (paelzer) => (unassigned) ** Changed in: strongswan (Ubuntu Xenial) Assignee: (unassigned) => ChristianEhrhardt (paelzer)

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2017-02-07 Thread Dr. Jens Rosenboom
This issue still appears when running neutron-vpnaas from Newton UCA on Xenial, is there a chance to fix it for Xenial, too?

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-12-25 Thread Launchpad Bug Tracker
This bug was fixed in the package strongswan - 5.5.1-1ubuntu2 --- strongswan (5.5.1-1ubuntu2) zesty; urgency=medium * Update Maintainers which was missed while merging 5.5.1-1. -- Christian Ehrhardt Mon, 19 Dec 2016 16:02:40 +0100 ** Changed

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-20 Thread Douglas Kosovic
AppArmor is a Linux kernel security module that allows administrators to restrict programs' capabilities with per-program profiles. Disabling the charon and stroke Apparmor profiles is just a workaround that removes the restrictions including the issue you are having. The other option is to edit the

Re: [Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-20 Thread Aquib Mir
Will disabling the charon and Apparmor profiles still let the VPN work? I don't fully understand the technicality of this. Thanks.
On Sun, Nov 20, 2016 at 12:22 AM, Douglas Kosovic wrote:
> Sorry I gave bad advice, Apparmor complain mode won't help, it was the
>

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-19 Thread Douglas Kosovic
Sorry I gave bad advice, Apparmor complain mode won't help, it was the attach_disconnected in the patch which fixes the issue. Simplest solution without patching is to disable the charon and stroke Apparmor profiles as mentioned on: https://github.com/nm-l2tp/network-manager-l2tp/wiki

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-19 Thread Douglas Kosovic
If you are using network-manager-l2tp, the Apparmor strongswan issue is listed in the known issues on the Wiki: https://github.com/nm-l2tp/network-manager-l2tp/wiki The patch just puts the AppArmor profiles for charon and stroke into complain mode. The same can be achieved with the following

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-19 Thread Aquib Mir
And this is the error I'm getting when trying to connect to my VPN: Nov 19 17:49:48 aqm-Satellite-L750 kernel: [34630.268103] audit: type=1400 audit(1479595788.404:535): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon"

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-19 Thread Aquib Mir
Hello guys, I am new to Ubuntu and have landed here after doing some search for the problems I'm having with my VPN. I gather that there is a patch attached to this thread, how am I supposed to install/apply it? I am running 16.10 on a Toshiba L750D. Let me know if any other info is required.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-09 Thread ChristianEhrhardt
FYI - A merge of latest Debian plus this fix on top is currently in the review queue for Zesty. ** Changed in: strongswan (Ubuntu) Status: Triaged => In Progress

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-11-04 Thread ChristianEhrhardt
Douglas, Simon thanks for your great work on this already. I'll try to look at integrating this on the coming (might take a bit still) merge of strongswan. ** Changed in: strongswan (Ubuntu) Assignee: (unassigned) => ChristianEhrhardt (paelzer)

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-10-15 Thread Trent Lloyd
This also affects Neutron VPNaaS (neutron-vpn-agent) - preventing VPNaaS from working with strongswan on Xenial. flags=(attach_disconnected) on /usr/lib/ipsec/stroke appears to resolve the issue.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-07-01 Thread Alberto Salvia Novella
** Changed in: strongswan (Ubuntu) Importance: Undecided => High ** Also affects: hundredpapercuts Importance: Undecided Status: New ** Changed in: hundredpapercuts Status: New => Triaged ** Changed in: hundredpapercuts Importance: Undecided => High

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-29 Thread Robie Basak
Thanks Simon. Sorry I misunderstood. ** Changed in: strongswan (Ubuntu) Status: Invalid => Triaged

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-29 Thread Simon Déziel
Based on Douglas' last comment, I believe that the 2 Strongswan profiles are missing the "flags=(attach_disconnected)" to make NetworkManager-l2tp happy. The first patch needs a little cleanup but the bug is valid IMHO.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-29 Thread Robie Basak
Thanks to Simon and Douglas for figuring this out. Based on your comments I think this bug should be marked Invalid then? ** Changed in: strongswan (Ubuntu) Status: Incomplete => Invalid

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-28 Thread Douglas Kosovic
Sorry, you are correct, I had forgotten I had changed to "complain" a while back for the two profiles to help with debugging. On a clean Ubuntu 16.04 install, I can confirm with just flags=(attach_disconnected) for the two profiles, things work as expected.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-27 Thread Simon Déziel
Hi Douglas, thanks for digging this down and providing a patch. The 2 profiles don't ship with any flags so you probably added "complain" before generating your diff.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-25 Thread Ubuntu Foundations Team Bug Bot
The attachment "/etc/apparmor.d/usr.lib.ipsec.* patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-25 Thread Douglas Kosovic
Somehow forgot the attachment, find attached. ** Patch added: "/etc/apparmor.d/usr.lib.ipsec.* patch" https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886/+attachment/4690136/+files/usr.lib.ipsec.patch

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-25 Thread Douglas Kosovic
I wasn't able to reproduce issue from the command-line with NetworkManager-l2tp, it only happens after NetworkManager-l2tp restarts strongSwan under NetworkManager. Turns out it is the same NetworkManager issue as the following :

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-02 Thread Douglas Kosovic
Doesn't appear to matter if bare metal PC or VM. So far haven't been able to reproduce 'ipsec status' issue other than using network-manager-l2tp, but need to do more comprehensive command-line tests that mimic better what network-manager-l2tp is doing.

Re: [Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-01 Thread Simon Déziel
On 2016-06-01 10:24 AM, Douglas Kosovic wrote:
> UEFI Lenovo desktop PC is what I'm running Xenial on.
OK.
> I'm the new maintainer for network-manager-l2tp VPN plugin for NetworkManager :
> https://github.com/nm-l2tp/network-manager-l2tp
Oh nice!
> I started an IPSec/L2TP connection using

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-01 Thread Douglas Kosovic
Hi Simon, UEFI Lenovo desktop PC is what I'm running Xenial on. I'm the new maintainer for network-manager-l2tp VPN plugin for NetworkManager : https://github.com/nm-l2tp/network-manager-l2tp I started an IPSec/L2TP connection using network-manager-l2tp before issuing the 'sudo ipsec status'.

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

2016-06-01 Thread Simon Déziel
Hi Douglas, I'm unable to reproduce this on a Xenial host. Are you running in a container or something similar? Also, have you altered the strongswan systemd unit? ** Changed in: strongswan (Ubuntu) Status: New => Incomplete