Hi,

I'm sorry to bother you again on this topic, but I really would like to get it to work as a non-privileged user. Charon, on the other hand, works like a charm; sadly, pluto doesn't.

This is my setup now:
strongswan runs as user vpn

In ipsec.conf, I added:
leftupdown="sudo ipsec _updown"

In /etc/sudoers, I added:
vpn ALL = NOPASSWD: /usr/local/sbin/ipsec

Still I get the error below on the interface version.
Can you please help me on this? Any idea is appreciated.

Thank you very much.

kind regards,
Claude

On Friday 09 July 2010 11:32:19 Claude Tompers wrote:
> Hi,
>
> I still get that "unknown interface version" error if I'm trying to start
> pluto as non-privileged user, followed by the deletion of the SA.
> Is there some fix to my issue or do I have to run strongswan as root as long
> as I use pluto ?
>
> thanks a lot for your help
>
> kind regards,
> Claude
>
>
> On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
> > Hi,
> >
> > I've had it already compiled with --with-capabilities=libcap .
> > I've tried sudo'ing and it has changed something, but I think there are
> > still missing some bits.
> >
> > Here's the new log error :
> >
> > Jul 2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180
> > #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface
> > version `'
> > Jul 2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180
> > #6: up-client command exited with status 2
> > Jul 2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180
> > #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included
> > errno 3: No such process
> > Jul 2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180
> > #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found
> > (maybe expired)
> > Jul 2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180
> > #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found
> > (maybe expired)
> >
> > kind regards
> > Claude
> >
> >
> > On Friday 02 July 2010 12:13:21 Martin Willi wrote:
> > > Hi,
> > >
> > > > I've compiled strongswan with user vpn and group vpn.
> > >
> > > If you use non-root users, you'll need support for capability handling
> > > too. Add --with-capabilities=libcap to ./configure.
> > >
> > > > route-client output: Not sufficient rights to flush
> > >
> > > It is not possible to propagate the capabilities to the updown script.
> > > Pluto uses the updown script not only for firewalling, but also for
> > > route installation.
> > > You'll have to run the updown script with root privileges. Never tried
> > > it, but file system based capability settings might work. Another
> > > alternative is to define
> > > leftupdown="sudo ipsec _updown"
> > > and configure sudo accordingly.
> > >
> > > Regards
> > > Martin
> > >
> >
>

--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
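
The log line "unknown interface version `'" shows the updown hook seeing an empty version value. The following is an added example, not part of the thread and not strongSwan's code: it assumes the cause is sudo's default env_reset dropping the PLUTO_* variables that pluto exports to the hook, and compares a scrubbed environment with a preserved one. The hook body, the sample values and the sudoers line in the comment are assumptions.

```shell
#!/bin/sh
# Added example. The hook below is a constructed stand-in for an updown-style
# version check; it is not the real /usr/local/libexec/ipsec/_updown.

# Write the stand-in hook to a temp file and print its path.
make_hook() {
    hook_file=$(mktemp) || return 1
    cat >"$hook_file" <<'EOF'
case "$PLUTO_VERSION" in
    1.*) echo "ok: verb=$PLUTO_VERB" ;;
    *)   echo "unknown interface version \`$PLUTO_VERSION'" >&2; exit 2 ;;
esac
EOF
    echo "$hook_file"
}

# run_hook MODE: call the hook as a daemon would, with PLUTO_* exported.
#   scrubbed  - child starts from an empty environment, as under sudo's
#               default env_reset when PLUTO_* is not listed in env_keep
#   preserved - PLUTO_* is passed through, as an env_keep entry such as
#               Defaults!/usr/local/sbin/ipsec env_keep += "PLUTO_*"
#               would allow (sudoers line is an assumption, not from the thread)
run_hook() {
    mode=$1
    hook=$(make_hook) || return 1
    # Sample values, constructed for this example.
    PLUTO_VERSION=1.1 PLUTO_VERB=up-client
    export PLUTO_VERSION PLUTO_VERB
    rc=0
    case "$mode" in
        scrubbed)
            env -i PATH="$PATH" sh "$hook" || rc=$? ;;
        preserved)
            env -i PATH="$PATH" PLUTO_VERSION="$PLUTO_VERSION" \
                PLUTO_VERB="$PLUTO_VERB" sh "$hook" || rc=$? ;;
        *)  rc=64 ;;
    esac
    rm -f "$hook"
    return "$rc"
}

# Demo: the scrubbed run reproduces the empty-version failure, the other passes.
run_hook scrubbed  || echo "scrubbed: hook exited with status $?"
run_hook preserved || echo "preserved: hook exited with status $?"
```

On the real system, running "sudo -l" as the vpn user lists the Defaults entries that apply, including env_reset and any env_keep values.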