<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>
<div>Package: strongswan-charon</div>
<div>Version: 5.9.1-1+deb11u3</div>
<div>Severity: normal</div>
<div>X-Debbugs-Cc: none</div>
<div><br></div>
<div>Dear maintainer,</div>
<div><br></div>
<div>I ran into a problem using strongSwan which looks like a bug to me. I'm not sure if it's in strongswan-charon or in AppArmor, but I fixed it by editing /etc/apparmor.d/usr.lib.ipsec.charon, which is strongswan-charon code, so I'm raising it here first.</div>
<div><br></div>
<div>The problem was that when I ran the command 'ipsec rereadsecrets' these messages appeared in syslog:</div>
<pre>
Feb 28 14:50:41 myhostname charon: 01[CFG] expanding file expression '/etc/ipsec.secrets.d/*' failed
Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 28 14:50:41 myhostname kernel: [2262128.239405] audit: type=1400 audit(1677556241.557:16): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/99-netier_datacenter.secrets" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
</pre>
<div>Incoming connections were then rejected:</div>
<pre>
Feb 28 14:46:57 myhostname charon: 14[CFG] selected peer config 'my_sa_name'
Feb 28 14:46:57 myhostname charon: 14[IKE] no shared key found for '192.168.XXX.0' - '192.168.XXX.0'
Feb 28 14:46:57 fw-cwp-dubbo charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 28 14:46:57 fw-cwp-dubbo charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
</pre>
<div>I disabled this profile using aa-complain and verified that ipsec could read the secrets file and that the connection could be opened.</div>
<div><br></div>
<div>I then modified /etc/apparmor.d/usr.lib.ipsec.charon as follows, after which IPSec was able to load the secrets file and authenticate incoming connections:</div>
<pre>
+ # Site-specific additions and overrides. See local/README for details.
+ #include &lt;local/usr.lib.ipsec.charon&gt;
+ /etc/ipsec.secrets.d/ r,
+ /etc/ipsec.secrets.d/** r,

 /etc/ipsec.conf r,
 /etc/ipsec.secrets r,
 /etc/ipsec.*.secrets r,
 /etc/ipsec.d/ r,
 /etc/ipsec.d/** r,
 /etc/ipsec.d/crls/* rw,
 /etc/opensc/opensc.conf r,
 /etc/strongswan.conf r,
 /etc/strongswan.d/ r,
 /etc/strongswan.d/** r,
 /etc/tnc_config r,

 /proc/sys/net/core/xfrm_acq_expires w,

 /run/charon.* rw,
 /run/pcscd/pcscd.comm rw,

 /usr/lib/ipsec/charon rmix,
 /usr/lib/ipsec/imcvs/ r,
 /usr/lib/ipsec/imcvs/** rm,

 /usr/lib/*/opensc-pkcs11.so rm,

 /var/lib/strongswan/* r,

 /{,var/}run/systemd/notify w,

 # allow self to read file descriptors (LP #1786250)
 # restrict to our own process-ID as per apparmor vars
 @{PROC}/@{pid}/fd/ r,

 # for using the ha plugin (LP: #1773956)
 @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
 @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,

- # Site-specific additions and overrides. See local/README for details.
- #include &lt;local/usr.lib.ipsec.charon&gt;
- /etc/ipsec.secrets.d/ r,
- /etc/ipsec.secrets.d/** r,
}
</pre>
<pre>
-- System Information:
Debian Release: 11.6
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-charon depends on:
ii debconf [debconf-2.0] 1.5.77
ii iproute2 5.10.0-4
ii libc6 2.31-13+deb11u5
ii libstrongswan 5.9.1-1+deb11u3
ii strongswan-libcharon 5.9.1-1+deb11u3
ii strongswan-starter 5.9.1-1+deb11u3

strongswan-charon recommends no packages.

strongswan-charon suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.lib.ipsec.charon changed:
/usr/lib/ipsec/charon flags=(attach_disconnected) {
 #include &lt;abstractions/base&gt;
 #include &lt;abstractions/nameservice&gt;
 #include &lt;abstractions/authentication&gt;
 #include &lt;abstractions/openssl&gt;
 #include &lt;abstractions/p11-kit&gt;
 capability ipc_lock,
 capability net_admin,
 capability net_raw,
 # allow priv dropping (LP: #1333655)
 capability chown,
 capability setgid,
 capability setuid,
 capability setpcap,
 # libcharon-extra-plugins: xauth-pam
 capability audit_write,
 # libstrongswan-standard-plugins: agent
 capability dac_override,
 network,
 network raw,
 /{,usr/}bin/dash rmPUx,
 # libcharon-extra-plugins: kernel-libipsec
 /dev/net/tun rw,
 # Site-specific additions and overrides. See local/README for details.
 #include &lt;local/usr.lib.ipsec.charon&gt;
 /etc/ipsec.secrets.d/ r,
 /etc/ipsec.secrets.d/** r,
 /etc/ipsec.conf r,
 /etc/ipsec.secrets r,
 /etc/ipsec.*.secrets r,
 /etc/ipsec.d/ r,
 /etc/ipsec.d/** r,
 /etc/ipsec.d/crls/* rw,
 /etc/opensc/opensc.conf r,
 /etc/strongswan.conf r,
 /etc/strongswan.d/ r,
 /etc/strongswan.d/** r,
 /etc/tnc_config r,
 /proc/sys/net/core/xfrm_acq_expires w,
 /run/charon.* rw,
 /run/pcscd/pcscd.comm rw,
 /usr/lib/ipsec/charon rmix,
 /usr/lib/ipsec/imcvs/ r,
 /usr/lib/ipsec/imcvs/** rm,
 /usr/lib/*/opensc-pkcs11.so rm,
 /var/lib/strongswan/* r,
 /{,var/}run/systemd/notify w,
 # allow self to read file descriptors (LP #1786250)
 # restrict to our own process-ID as per apparmor vars
 @{PROC}/@{pid}/fd/ r,
 # for using the ha plugin (LP: #1773956)
 @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
 @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
}
</pre>
</div>
<div>-------------------</div>
<div><br></div>
<div data-marker="__SIG_PRE__"><div>
<div>James Lownie</div>
<div>Support Engineer</div>
<div>Sol1</div>
<div><br></div>
<div>https://sol1.com.au/</div>
<div>1300 765 122</div>
</div></div>
</div></body></html>