Hi,

I'm sorry to bother you again on this topic, but I really would like to get it 
to work as a non-privileged user.
Charon, on the other hand, works like a charm; sadly, pluto doesn't.

This is my setup now:
        strongswan runs as user vpn
        In ipsec.conf, I added:  leftupdown="sudo ipsec _updown"
        In /etc/sudoers, I added: vpn     ALL = NOPASSWD: /usr/local/sbin/ipsec

Still I get the error below on the interface version.

Can you please help me with this? Any idea is appreciated.

thank you very much

kind regards,
Claude



On Friday 09 July 2010 11:32:19 Claude Tompers wrote:
> Hi,
> 
> I still get that "unknown interface version" error if I try to start 
> pluto as a non-privileged user, followed by the deletion of the SA.
> Is there some fix for my issue or do I have to run strongswan as root as long 
> as I use pluto?
> 
> thanks a lot for your help
> 
> kind regards,
> Claude
> 
> 
> On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
> > Hi,
> > 
> > I had already compiled it with --with-capabilities=libcap.
> > I've tried sudo'ing and it has changed something, but I think there are 
> > still some bits missing.
> > 
> > Here's the new log error :
> > 
> > Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'
> > Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: up-client command exited with status 2
> > Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 3: No such process
> > Jul  2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe expired)
> > Jul  2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe expired)
> > 
> > kind regards
> > Claude
> > 
> > 
> > On Friday 02 July 2010 12:13:21 Martin Willi wrote:
> > > Hi,
> > > 
> > > > I've compiled strongswan with user vpn and group vpn.
> > > 
> > > If you use non-root users, you'll need support for capability handling
> > > too. Add --with-capabilities=libcap to ./configure.
> > > 
> > > > route-client output: Not sufficient rights to flush
> > > 
> > > It is not possible to propagate the capabilities to the updown script.
> > > Pluto uses the updown script not only for firewalling, but also for
> > > route installation. 
> > > You'll have to run the updown script with root privileges. Never tried
> > > it, but file system based capability settings might work. Another
> > > alternative is to define
> > >   leftupdown="sudo ipsec _updown"
> > > and configure sudo accordingly.
> > > 
> > > Regards
> > > Martin
> > > 
> > > 
> > 
> > 
> 
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
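
One possible reading of the empty version string in the log above, shown as an added example that is not part of the thread or of strongSwan's code: if sudo runs with `env_reset`, the variables the daemon exports for the updown script do not survive the `sudo` hop, so the version check sees an empty value. The sketch assumes the version arrives in `PLUTO_VERSION`, uses a constructed stand-in for the script's version check, and simulates sudo's environment handling with `env -i`.

```shell
#!/bin/sh
# Constructed stand-in for the version check of an updown script.
# Assumption: the interface version arrives in PLUTO_VERSION.
STUB=$(mktemp)
trap 'rm -f "$STUB"' EXIT
cat > "$STUB" <<'EOF'
case "$PLUTO_VERSION" in
1.*) echo "interface version $PLUTO_VERSION accepted" ;;
*)   echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2; exit 2 ;;
esac
EOF

# Environment the daemon is assumed to export (constructed sample values).
pluto_env() { env PLUTO_VERSION=1.1 PLUTO_VERB=up-client "$@"; }

# 1. Script started directly by the daemon: the variables arrive intact.
run_direct() { pluto_env sh "$STUB" 2>&1; }

# 2. Script started through a wrapper that resets the environment.
#    `env -i` stands in for sudo with env_reset enabled.
run_scrubbed() { pluto_env env -i PATH="$PATH" sh "$STUB" 2>&1; }

# 3. Wrapper that resets the environment but passes the PLUTO_ variables on,
#    standing in for sudo with env_keep += "PLUTO_*".
run_kept() {
    pluto_env sh -c 'exec env -i PATH="$PATH" PLUTO_VERSION="$PLUTO_VERSION" \
        PLUTO_VERB="$PLUTO_VERB" sh "$1"' _ "$STUB" 2>&1
}

# sudoers counterpart of case 3 (standard sudoers syntax, edit with visudo;
# not tested against the setup in the thread):
#   Defaults:vpn env_keep += "PLUTO_*"
#   vpn ALL = NOPASSWD: /usr/local/sbin/ipsec _updown
# The second line limits the rule to the _updown subcommand instead of every
# ipsec subcommand. Everything kept by env_keep is input that the unprivileged
# user controls and that a script running as root will read.

echo "direct:   $(run_direct)"
echo "scrubbed: $(run_scrubbed || true)"
echo "kept:     $(run_kept)"
```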
