Discussion:
[Bug 1535951] [NEW] Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)
Ryan Harper
2016-01-20 00:19:36 UTC
Public bug reported:

Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

** Affects: strongswan (Ubuntu)
Importance: Undecided
Assignee: Ryan Harper (raharper)
Status: New

** Changed in: strongswan (Ubuntu)
Assignee: (unassigned) => Ryan Harper (raharper)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1535951

Title:
Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-***@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Launchpad Bug Tracker
2016-01-20 11:26:03 UTC
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: strongswan (Ubuntu)
Status: New => Confirmed
Simon Déziel
2016-01-28 02:28:46 UTC
The attached logcheck rules should cover all the normal logs generated
by Strongswan using the stock default config. If Debian integrates this
ruleset, bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787156
could be closed.

** Bug watch added: Debian Bug tracker #787156
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787156

** Attachment added: "Refreshed logcheck rules"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4558011/+files/strongswan.logcheck
Simon Déziel
2016-01-28 14:38:18 UTC
** Attachment removed: "Refreshed logcheck rules"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4558011/+files/strongswan.logcheck

** Attachment added: "Refreshed logcheck rules"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4558391/+files/strongswan.logcheck
Simon Déziel
2016-02-02 17:31:37 UTC
** Attachment removed: "Refreshed logcheck rules"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4558391/+files/strongswan.logcheck

** Attachment added: "Refreshed logcheck rules"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4562410/+files/strongswan.logcheck
mrq1
2016-02-13 06:53:35 UTC
is there any progress on this issue?

FeatureFreeze & DebianImportFreeze are getting close :-/
LocutusOfBorg
2016-02-13 08:21:43 UTC
There is a thread on Ubuntu-devel
Ryan Harper
2016-02-13 16:08:11 UTC
Yes, quite close. I'll handle the FFE if needed but I feel on-track.
I'm preparing the merge debdiff for review.

Threads:
https://lists.ubuntu.com/archives/ubuntu-devel/2016-January/039144.html
https://lists.ubuntu.com/archives/ubuntu-devel/2016-February/039201.html

Please give the test-package a go if you're a strongswan user.
mrq1
2016-02-13 16:24:55 UTC
hi

i used your ppa .. looks great with the default plugin package

but with the extra plugins:

Feb 13 17:22:28 kvm-xenial charon: 00[CFG] mediation client database URI not defined, skipped
Feb 13 17:22:28 kvm-xenial charon: 00[CFG] no threshold configured for systime-fix, disabled
Feb 13 17:22:28 kvm-xenial charon: 00[CFG] coupling file path unspecified
Feb 13 17:22:28 kvm-xenial charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Feb 13 17:22:28 kvm-xenial charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 13 17:22:28 kvm-xenial charon: 00[JOB] spawning 16 worker threads
Feb 13 17:22:28 kvm-xenial charon: 04[DMN] thread 4 received 11
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 09[DMN] thread 9 received 11
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 10[DMN] thread 10 received 11
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] dumping 7 stack frame addresses:
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e194cd0]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d478fdc]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d479b5b]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7fec8d476000 [0x7fec8d479f4b]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8610c2]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8619fb]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8619fb]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e8619fb]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e87272c]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e87272c]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fec9e834000 [0x7fec9e87272c]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e18b66a]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e18b66a]
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fec9e184000 [0x7fec9e18b66a]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fec9ddba000 (clone+0x6d) [0x7fec9dec0e4d]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fec9ddba000 (clone+0x6d) [0x7fec9dec0e4d]
Feb 13 17:22:28 kvm-xenial charon: 09[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fec9ddba000 (clone+0x6d) [0x7fec9dec0e4d]
Feb 13 17:22:28 kvm-xenial charon: 04[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 10[LIB] ->
Feb 13 17:22:28 kvm-xenial charon: 09[DMN] killing ourself, received critical signal

this is a completely fresh&clean virtual machine with no strongswan
config at all
mrq1
2016-02-13 16:39:15 UTC
the startup segfault disappears if I purge the extra-plugin package but
NOT if i only remove it :-O

maybe the bug comes with one of the dependency packages?

Feb 13 17:31:24 kvm-xenial charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Feb 13 17:31:24 kvm-xenial charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 13 17:31:24 kvm-xenial charon: 00[JOB] spawning 16 worker threads
Feb 13 17:31:24 kvm-xenial charon: 02[DMN] thread 2 received 11
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 08[DMN] thread 8 received 11
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 07[DMN] thread 7 received 11
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] dumping 7 stack frame addresses:
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d9cd0]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f7701770f4b]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f770176ffdc]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libipsec.so.0 @ 0x7f770176d000 [0x7f7701770b5b]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a60c2]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070a69fb]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070b772c]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070b772c]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7707079000 [0x7f77070b772c]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d066a]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d066a]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f77069c9000 [0x7f77069d066a]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f77065ff000 (clone+0x6d) [0x7f7706705e4d]
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f77065ff000 (clone+0x6d) [0x7f7706705e4d]
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f77065ff000 (clone+0x6d) [0x7f7706705e4d]
Feb 13 17:31:24 kvm-xenial charon: 02[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 08[LIB] ->
Feb 13 17:31:24 kvm-xenial charon: 07[LIB] ->
Feb 13 17:31:25 kvm-xenial charon: 02[DMN] killing ourself, received critical signal
Ryan Harper
2016-02-13 17:39:48 UTC
Ah, yes. I've a fix for that; I hadn't pushed my latest update in to the
ppa. The extra-plugins package needs some more privs for the charon binary
in the apparmor profile.

Look for 1ubuntu5 in the ppa in just a bit and see if that fixes up the
issue with the extras plugins.
Post by mrq1
the startup segfault disappears if I purge the extra-plugin package but
NOT if i only remove it :-O
maybe the bug comes with one of the dependency packages?
Simon Déziel
2016-02-14 01:00:28 UTC
Post by Ryan Harper
The extra-plugins package needs some more privs for the charon binary
in the apparmor profile.
Ryan, please take a look at [1] for refreshed AA profiles that could
address many more LP bugs (all mentioned in debian/changelog). Thanks.

Regards,
Simon

1:
https://github.com/simondeziel/ubuntu-strongswan/commit/9f414ee4e04d6d88810c85029cc0dcbaed58fba8
Ryan Harper
2016-02-14 01:13:56 UTC
Excellent! I had forgotten about that. I'll update.
Post by Simon Déziel
Post by Ryan Harper
The extra-plugins package needs some more privs for the charon binary
in the apparmor profile.
Ryan, please take a look at [1] for refreshed AA profiles that could
address many more LP bugs (all mentioned in debian/changelog). Thanks.
Regards,
Simon
https://github.com/simondeziel/ubuntu-strongswan/commit/9f414ee4e04d6d88810c85029cc0dcbaed58fba8
mrq1
2016-02-13 18:27:44 UTC
great! starts now :-)

what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!

btw: the output of service looks strange to me

# service strongswan status
● strongswan.service - strongSwan IPsec services
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2016-02-13 19:22:46 CET; 42s ago
Process: 25807 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
Process: 25789 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
Main PID: 25643 (code=exited, status=0/SUCCESS)

looks like the service is not running anymore but via
# ipsec statusall
everything looks ok

is there some systemd-integration-magic missing?

thanks!
Ryan Harper
2016-02-13 22:09:33 UTC
Post by mrq1
great! starts now :-)
what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!
I can look at enabling it. It's new in 5.3.5. If enabled, can you test
and confirm it works?
Looks like something quite interesting.
https://en.wikipedia.org/wiki/Poly1305

Comments here in the Debian bug indicate that this requires at least 4.2
kernel.
For Xenial, this will be sufficient I suppose.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
Post by mrq1
btw: the output of service looks strange to me
# service strongswan status
● strongswan.service - strongSwan IPsec services
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2016-02-13 19:22:46 CET; 42s ago
Process: 25807 ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid (code=exited, status=0/SUCCESS)
Process: 25789 ExecStop=/usr/sbin/ipsec stop (code=exited, status=0/SUCCESS)
Main PID: 25643 (code=exited, status=0/SUCCESS)
That looks like from the initial install; You may need to reload the new
apparmor policy

apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon

And then you can restart it with:

systemctl restart strongswan

and check status

systemctl status strongswan
Post by mrq1
looks like the service is not running anymore but via
# ipsec statusall
everything looks ok
is there some systemd-integration-magic missing?
I'm not sure what ipsec statusall invokes to check status.

In an up-to-date Xenial VM, installing the current packages in the PPA, I
get the following:

# systemctl status strongswan
● strongswan.service - strongSwan IPsec services
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2016-02-13 21:50:59 UTC; 18s ago
Main PID: 2798 (starter)
CGroup: /system.slice/strongswan.service
├─2798 /usr/lib/ipsec/starter --daemon charon
└─2799 /usr/lib/ipsec/charon --use-syslog

Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading ocsp signer certificates from '/...ts'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading attribute certificates from '/et...ts'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 13 21:50:59 sw1 charon[2799]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 13 21:50:59 sw1 charon[2799]: 00[LIB] loaded plugins: charon test-vectors aes ...own
Feb 13 21:50:59 sw1 charon[2799]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 13 21:50:59 sw1 charon[2799]: 00[JOB] spawning 16 worker threads
Feb 13 21:50:59 sw1 ipsec_starter[2798]: charon (2799) started after 20 ms
Feb 13 21:50:59 sw1 systemd[1]: Started strongSwan IPsec services.
Feb 13 21:51:00 sw1 systemd[1]: Started strongSwan IPsec services.
Hint: Some lines were ellipsized, use -l to show in full.
***@sw1:~#
***@sw1:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic, x86_64):
uptime: 30 seconds, since Feb 13 21:51:00 2016
malloc: sbrk 946176, mmap 0, used 229008, free 717168
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
192.168.122.147
10.0.3.1
Connections:
Security Associations (0 up, 0 connecting):
none
Post by mrq1
thanks!
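
Before reloading a changed profile as described in the message above, the denials that the current profile produces can be read from the kernel log and turned into candidate rules for review. This is an added example, not part of the original thread or of the strongswan packaging; the profile name /usr/lib/ipsec/charon (taken to equal the binary path) and every sample log line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials for one profile as candidate rules.

# Constructed sample kernel log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Feb 13 17:22:28 kvm-xenial kernel: [  812.101234] audit: type=1400 audit(1455380548.101:71): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/net/tun" pid=2799 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 13 17:22:28 kvm-xenial kernel: [  812.101999] audit: type=1400 audit(1455380548.102:72): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/net/tun" pid=2799 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Feb 13 17:22:28 kvm-xenial kernel: [  812.104410] audit: type=1400 audit(1455380548.104:73): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=2799 comm="charon" capability=12 capname="net_admin"
Feb 13 17:22:29 kvm-xenial kernel: [  813.000100] audit: type=1400 audit(1455380549.000:74): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/dev/net/tun" pid=3100 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 13 17:25:02 kvm-xenial kernel: [  966.500000] audit: type=1400 audit(1455380702.500:75): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/ipsec/charon" pid=3201 comm="apparmor_parser"
EOF
}

# charon_denials [profile]
# Reads log lines on stdin and prints "count<TAB>candidate rule" for every
# DENIED event of the given profile (default: /usr/lib/ipsec/charon).
# File denials become "<path> <denied_mask>,"; capability denials become
# "capability <capname>,". Events without a quoted name are skipped.
charon_denials() {
    profile="${1:-/usr/lib/ipsec/charon}"
    awk -v profile="$profile" '
    # Return the value of key="value" on the current line, or "".
    # The leading space keeps "name" from matching inside "capname".
    function field(key,    s, i) {
        s = " " $0
        i = index(s, " " key "=\"")
        if (!i) return ""
        s = substr(s, i + length(key) + 3)
        return substr(s, 1, index(s, "\"") - 1)
    }
    index($0, "apparmor=\"DENIED\"") && field("profile") == profile {
        if (field("operation") == "capable")
            rule = "capability " field("capname") ","
        else if (field("name") != "")
            rule = field("name") " " field("denied_mask") ","
        else
            next
        seen[rule]++
    }
    END { for (r in seen) printf "%d\t%s\n", seen[r], r }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2
}

# On a live host the same function can read the kernel log directly:
#   journalctl -k | charon_denials
```

Each output line is only a candidate: decide whether the access is really needed before adding it to the profile and reloading with apparmor_parser -r.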
Simon Déziel
2016-02-14 01:51:29 UTC
Post by Ryan Harper
Post by mrq1
great! starts now :-)
what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!
I can look at enabling it. It's new in 5.3.5.
+1

ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
any problem on the mailing list.
Post by Ryan Harper
If enabled, can you test and confirm it works?
I too would be glad to give it a spin and report about it.
Post by Ryan Harper
Looks like something quite interesting.
https://en.wikipedia.org/wiki/Poly1305
Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
these days [2].
Post by Ryan Harper
Comments here in the Debian bug indicate that this requires at least 4.2
kernel.
For the IKE part, the kernel version shouldn't matter. For the ESP part,
you indeed need a recent kernel or you can always use the userspace
implementation (libipsec).

libipsec support is very cool (thanks for enabling it!) as it should
allow running IPsec in containers.
Post by Ryan Harper
For Xenial, this will be sufficient I suppose.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
The reporter was looking for NTRU (enabled in your PPA build IIRC) and
BLISS. That said, I'm sure the reporter would welcome having another
AEAD cipher available because they are well regarded [3] in terms of
security.

Thanks,
Simon

1: https://wiki.strongswan.org/versions/58
2:
https://en.wikipedia.org/w/index.php?title=Salsa20&redirect=no#ChaCha20_adoption
3: https://www.imperialviolet.org/2015/05/16/aeads.html
Ryan Harper
2016-02-14 03:03:50 UTC
Post by Simon Déziel
Post by Ryan Harper
Post by mrq1
great! starts now :-)
what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!
I can look at enabling it. It's new in 5.3.5.
+1
ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
any problem on the mailing list.
Post by Ryan Harper
If enabled, can you test and confirm it works?
I too would be glad to give it a spin and report about it.
Post by Ryan Harper
Looks like something quite interesting.
https://en.wikipedia.org/wiki/Poly1305
Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
these days [2].
Excellent! I've just uploaded a new version to the PPA; should be ready in
a bit with the new plugin and updated apparmor profiles from your repo.

One question, the profile included /dev/tun, and in my Xenial setups, I
need /dev/net/tun so I've both allowed in the profile. Not clear to me if
it's useful/needed to have both, or if only one is sufficient.
Post by Simon Déziel
Post by Ryan Harper
Comments here in the Debian bug indicate that this requires at least 4.2
kernel.
For the IKE part, the kernel version shouldn't matter. For the ESP part,
you indeed need a recent kernel or you can always use the userspace
implementation (libipsec).
OK
Post by Simon Déziel
libipsec support is very cool (thanks for enabling it!) as it should
allow running IPsec in containers.
Please do confirm if that's working. I suspect they'll need to be
privileged containers or will need some additional permissions/configs for
unprivileged since it'll want access to /dev/net/tun which won't be present
by default.

I'd like to capture how to run strongswan in containers like LXD so if
you've any experience with getting that working it'd be very helpful for us
to document.
Post by Simon Déziel
Post by Ryan Harper
For Xenial, this will be sufficient I suppose.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
The reporter was looking for NTRU (enabled in your PPA build IIRC) and
Yes
Post by Simon Déziel
BLISS. That said, I'm sure the reporter would welcome having another
AEAD cipher available because they are well regarded [3] in terms of
security.
Thanks,
Simon
1: https://wiki.strongswan.org/versions/58
2: https://en.wikipedia.org/w/index.php?title=Salsa20&redirect=no#ChaCha20_adoption
3: https://www.imperialviolet.org/2015/05/16/aeads.html
Simon Déziel
2016-02-14 14:00:13 UTC
Permalink
Post by Ryan Harper
Post by Simon Déziel
Post by Ryan Harper
Post by mrq1
great! starts now :-)
what about the chapoly plugin? can you enable it in the extra package?
it would be very important for me!
I can look at enabling it. It's new in 5.3.5.
+1
ChaCha20/Poly1305 actually made it in 5.3.3 [1] and I haven't heard of
any problem on the mailing list.
Post by Ryan Harper
If enabled, can you test and confirm it works?
I too would be glad to give it a spin and report about it.
Post by Ryan Harper
Looks like something quite interesting.
https://en.wikipedia.org/wiki/Poly1305
Indeed! Chacha20 and Poly1305 are cool and getting quite some traction
these days [2].
Excellent! I've just uploaded a new version to the PPA; should be ready in
a bit with the new plugin and updated apparmor profiles from your repo.
Thanks, will try it out.
Post by Ryan Harper
One question, the profile included /dev/tun, and in my Xenial setups, I
need /dev/net/tun so I've allowed both in the profile. Not clear to me if
it's useful/needed to have both, or if only one is sufficient.
Good catch. The path has always been /dev/net/tun even in previous
releases so please drop the erroneous /dev/tun rule I added.
Post by Ryan Harper
Post by Simon Déziel
Post by Ryan Harper
Comments here in the Debian bug indicate that this requires at least 4.2
kernel.
For the IKE part, the kernel version shouldn't matter. For the ESP part,
you indeed need a recent kernel or you can always use the userspace
implementation (libipsec).
OK
Post by Simon Déziel
libipsec support is very cool (thanks for enabling it!) as it should
allow running IPsec in containers.
Please do confirm if that's working. I suspect they'll need to be
privileged containers or will need some additional permissions/configs for
unprivileged since it'll want access to /dev/net/tun which won't be present
by default.
I'd like to capture how to run strongswan in containers like LXD so if
you've any experience
I'd expect it to be pretty close to running OpenVPN in a container. I'll
check that out on LXD and let you know.
Simon Déziel
2016-02-15 18:34:28 UTC
Permalink
Post by Ryan Harper
Post by Simon Déziel
libipsec support is very cool (thanks for enabling it!) as it should
allow running IPsec in containers.
Please do confirm if that's working. I suspect they'll need to be
privileged containers or will need some additional permissions/configs for
unprivileged since it'll want access to /dev/net/tun which won't be present
by default.
Correct, for unprivileged containers, one has to make the tun device
available using:

lxc config device add $CTNAME tun unix-char path=/dev/net/tun

Then it works.

Thanks,
Simon
Ryan Harper
2016-02-13 22:12:31 UTC
Permalink
** Bug watch added: Debian Bug tracker #803787
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787
mrq1
2016-02-14 08:12:27 UTC
Permalink
thanks for the fast pace!
should be ready in a bit with the new plugin
NOPE. still no chapoly & ntru plugin included

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic, x86_64):
uptime: 10 minutes, since Feb 14 08:59:01 2016
malloc: sbrk 1650688, mmap 0, used 547408, free 1103280
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity

i installed a new virtual machine and installed the ppa-strongswan

looks like it is not enough to
# apt install libcharon-extra-plugins
this package does not depend on
# apt install strongswan
which it should!

now starts the testing ;-)
Ryan Harper
2016-02-14 14:43:50 UTC
Permalink
Post by mrq1
thanks for the fast pace!
should be ready in a bit with the new plugin
NOPE. still no chapoly & ntru plugin included
chapoly and ntru are part of libstrongswan-extra-plugins
Post by mrq1
# ipsec statusall
uptime: 10 minutes, since Feb 14 08:59:01 2016
malloc: sbrk 1650688, mmap 0, used 547408, free 1103280
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke
updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
dhcp lookip error-notify certexpire led addrblock unity
You might need to restart after upgrade: systemctl restart strongswan

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic,
x86_64):
uptime: 99 seconds, since Feb 14 14:40:22 2016
malloc: sbrk 2834432, mmap 532480, used 1004336, free 1830096
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2
md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg
fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru curl soup mysql
sqlite attr kernel-libipsec kernel-netlink resolve socket-default connmark
farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
192.168.122.147
10.0.3.1
Connections:
Security Associations (0 up, 0 connecting):
none
Post by mrq1
i installed a new virtual machine and installed the ppa-strongswan
looks like it is not enough to
# apt install libcharon-extra-plugins
this package does not depend on
# apt install strongswan
which it should!
if you apt-get install libstrongswan-extra-plugins, this will pull in the
strongswan package.
Post by mrq1
now starts the testing ;-)
Excellent!
mrq1
2016-02-14 09:36:18 UTC
Permalink
looks good so far :-)

i think the kernel-libipsec plugin should not be loaded by default

the plugin works only with UDP encapsulated packets

(look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)

and this will break most of the "normal"/LAN setups

i would build and include the plugin but disable the loading with

/etc/strongswan.d/charon/kernel-libipsec.conf
load = no
Ryan Harper
2016-02-15 21:03:34 UTC
Permalink
Post by mrq1
looks good so far :-)
i think the kernel-libipsec plugin should not be loaded by default
the plugin works only with UDP encapsulated packets
(look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)
and this will break most of the "normal"/LAN setups
The kernel-libipsec plugin is optional; a user must apt-get install
libstrongswan-extra-plugins.
I've installed the extra plugins in a VM which uses NAT configuration and
none of the networking was broken if the kernel-libipsec module was loaded
(but unconfigured).

However, I'm interested if you can expand on what setup would break? We
certainly don't want to break or surprise users so I'd like to understand
what "breaks" if the module is loaded by default.
Post by mrq1
i would build and include the plugin but disable the loading with
/etc/strongswan.d/charon/kernel-libipsec.conf
load = no
This would be a change compared to all other plugins so I'd like to
understand why this plugin in the default configuration breaks any
normal/LAN setups.
Tobias Brunner
2016-02-16 09:10:10 UTC
Permalink
Post by Ryan Harper
Post by mrq1
i think the kernel-libipsec plugin should not be loaded by default
the plugin works only with UDP encapsulated packets
(look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)
and this will break most of the "normal"/LAN setups
The kernel-libipsec plugin is optional; a user must apt-get install
libstrongswan-extra-plugins.
I've installed the extra plugins in a VM which uses NAT configuration and
none of the networking was broken if the kernel-libipsec module was loaded
(but unconfigured).
There is nothing to configure, as long as it gets loaded before any of
the other kernel-ipsec implementations (that's the default) it gets used
as IPsec backend (i.e. IPsec is then handled in userland, not the
kernel). As described on the wiki page, it is not generally recommended
to be used.
Post by Ryan Harper
However, I'm interested if you can expand on what setup would break? We
certainly don't want to break or surprise users so I'd like to understand
what "breaks" if the module is loaded by default.
Refer to the wiki page above. One example is host-to-host tunnels,
which require additional configuration, then there are the performance
limitations.
Post by Ryan Harper
Post by mrq1
i would build and include the plugin but disable the loading with
/etc/strongswan.d/charon/kernel-libipsec.conf
load = no
That would be an option, another is to put the plugin and config snippet
into a separate package.

Regards,
Tobias
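Tobias's point above, that whichever kernel IPsec plugin is loaded first becomes the ESP backend, can be checked against `ipsec statusall` output. The following is an added example, not code from this thread or from strongSwan; it assumes the `loaded plugins:` list is printed in load order, treats `kernel-pfkey` as the only other kernel backend, and uses constructed sample text abbreviated from the plugin lists posted earlier.

```python
# Kernel IPsec backends: the two named in this thread plus kernel-pfkey
# (assumption: no other kernel-ipsec plugin is in play on this host).
KERNEL_IPSEC = ("kernel-libipsec", "kernel-netlink", "kernel-pfkey")


def loaded_plugins(statusall_text):
    """Return plugin names from `ipsec statusall` text, in listed order.

    Mail clients wrap the long 'loaded plugins:' line, so continuation
    lines are joined until a blank line or the next line containing ':'
    (plugin names never contain a colon).
    """
    plugins, collecting = [], False
    for raw in statusall_text.splitlines():
        line = raw.strip()
        if line.startswith("loaded plugins:"):
            collecting = True
            line = line[len("loaded plugins:"):]
        elif collecting and (not line or ":" in line):
            break
        if collecting:
            plugins.extend(line.split())
    return plugins


def esp_backend(plugins):
    """First kernel IPsec plugin in load order, or None if none is loaded."""
    for name in plugins:
        if name in KERNEL_IPSEC:
            return name
    return None


def check_plugins(statusall_text, required=("chapoly", "ntru")):
    """Report missing crypto plugins and which backend will handle ESP."""
    plugins = loaded_plugins(statusall_text)
    backend = esp_backend(plugins)
    return {
        "missing": [p for p in required if p not in plugins],
        "esp_backend": backend,
        # True means ESP is processed in userland and needs UDP encapsulation.
        "userland_esp": backend == "kernel-libipsec",
    }


# Constructed samples (abbreviated plugin lists, wrapped as in the mails).
SAMPLE_ONLY_CHARON_EXTRA = """\
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic, x86_64):
  uptime: 10 minutes, since Feb 14 08:59:01 2016
  loaded plugins: charon aes sha1 sha2 openssl gmp hmac gcm attr kernel-libipsec
kernel-netlink resolve socket-default stroke updown
"""

SAMPLE_BOTH_EXTRA_PACKAGES = """\
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-4-generic, x86_64):
  uptime: 99 seconds, since Feb 14 14:40:22 2016
  loaded plugins: charon aes sha1 sha2 openssl gmp chapoly hmac gcm ntru attr
kernel-libipsec kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  192.0.2.10
"""

SAMPLE_LIBIPSEC_NOT_LOADED = """\
  loaded plugins: charon aes sha2 chapoly gcm ntru attr kernel-netlink resolve
socket-default stroke updown
"""

if __name__ == "__main__":
    for name, text in [("charon-extra only", SAMPLE_ONLY_CHARON_EXTRA),
                       ("both extra packages", SAMPLE_BOTH_EXTRA_PACKAGES),
                       ("libipsec not loaded", SAMPLE_LIBIPSEC_NOT_LOADED)]:
        print(name, check_plugins(text))
```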
mrq1
2016-02-14 15:24:38 UTC
Permalink
Post by Ryan Harper
chapoly and ntru are part of libstrongswan-extra-plugins
you are right!

i mixed up libcharon-extra-plugins & libstrongswan-extra-plugins
(had only the first one)

my tests are looking good so far.

chapoly & ntru are working as expected, great work!

the MOBIKE handling has much improved since 5.1.2 :-)
mrq1
2016-02-16 14:46:19 UTC
Permalink
it looks like strongswan is faking a nat situation if the kernel-libipsec
is used, so there are only problems with transport & beet mode ..

btw: did you get these audit entries too?

# grep audit /var/log/syslog
Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Ryan Harper
2016-02-16 15:07:17 UTC
Permalink
Post by mrq1
it looks like strongswan is faking a nat situation if the kernel-libipsec
is used, so there are only problems with transport & beet mode ..
It sounds like it could be confusing. I'd prefer not to have a one-off for
just this package but if it's disruptive then it's likely warranted.
Post by mrq1
btw: did you get these audit entries too?
No. Are you running 1ubuntu6 and have you reloaded the apparmor profile
and restarted strongswan?

sudo apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
sudo systemctl restart strongswan
Simon Déziel
2016-02-16 15:23:48 UTC
Permalink
Post by mrq1
it looks like strongswan is faking a nat situation if the kernel-libipsec
is used
This is by design as kernel-libipsec requires ESPinUDP.

As Tobias (Strongswan upstream) said, it's best to not have this on by
default.
Post by mrq1
btw: did you get these audit entries too?
# grep audit /var/log/syslog
Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I don't get those but I only tested libipsec in a container where there
is no Apparmor. Maybe it's libipsec specific?

Can you add this to the profile and see if it helps:

owner @{PROC}/@{pid}/fd/ r,
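The audit entries quoted above differ only in PID, which is why the suggested rule uses `@{PROC}/@{pid}` instead of a literal path. The following is an added example, not code from this thread or from AppArmor; it groups `apparmor="DENIED"` syslog records into candidate profile rules, and its sample lines are constructed in the format of the ones posted here (the `/etc/example.conf` path is hypothetical).

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs as they appear in kernel audit records
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the fields of one AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # Drop the syslog prefix so timestamps are not mistaken for fields.
    record = line.partition("audit: ")[2] or line
    return {key: value.strip('"') for key, value in KV.findall(record)}


def generalise(path, pid):
    """Replace a literal /proc/<pid>/ prefix with AppArmor's variables."""
    prefix = "/proc/%s/" % pid
    if pid and path.startswith(prefix):
        return "@{PROC}/@{pid}/" + path[len(prefix):]
    return path


def candidate_rules(lines):
    """Group denials into (profile, rule, count), most frequent first."""
    seen = Counter()
    for line in lines:
        fields = parse_denial(line)
        if not fields or "name" not in fields or "profile" not in fields:
            continue
        path = generalise(fields["name"], fields.get("pid", ""))
        # 'owner' limits the rule to files owned by the process's fsuid;
        # only propose it when the log shows the two ids actually matched.
        owner = ""
        if "fsuid" in fields and fields["fsuid"] == fields.get("ouid"):
            owner = "owner "
        rule = "%s%s %s," % (owner, path, fields.get("denied_mask", ""))
        seen[(fields["profile"], rule)] += 1
    return [(profile, rule, n) for (profile, rule), n in seen.most_common()]


# Constructed sample lines in the format of the entries posted in this thread.
SAMPLE = [
    'Feb 16 07:56:31 host kernel: [240771.376037] audit: type=1400 '
    'audit(1455605791.501:866): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 '
    'comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Feb 16 08:20:30 host kernel: [242210.398331] audit: type=1400 '
    'audit(1455607230.525:867): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 '
    'comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Feb 16 08:21:02 host kernel: [242242.000001] audit: type=1400 '
    'audit(1455607262.100:868): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/etc/example.conf" pid=31165 '
    'comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000',
    'Feb 16 08:21:05 host kernel: [242245.000002] audit: type=1400 '
    'audit(1455607265.200:869): apparmor="STATUS" '
    'operation="profile_replace" name="/usr/lib/ipsec/charon" pid=400 '
    'comm="apparmor_parser"',
]

if __name__ == "__main__":
    for profile, rule, count in candidate_rules(SAMPLE):
        print("%-24s %3dx  %s" % (profile, count, rule))
```

Each candidate still needs a review before it goes into the profile, since a denial can also be the profile working as intended.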
Ryan Harper
2016-02-17 23:16:30 UTC
Permalink
I've pushed the latest revisions into the PPA:

strongswan (5.3.5-1ubuntu7) xenial; urgency=medium

* debian/{rules,control,libstrongswan-extra-plugins.install}
Enable bliss plugin
* debian/patches/increase-bliss-test-timeout.patch
Under QEMU/KVM for autopkgtest bliss test takes a bit longer
* debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
Upstream suggests to not load this plugin by default as it has
some limitations.
https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
Ryan Harper
2016-02-17 23:22:01 UTC
Permalink
** Patch added: "Ubuntu debdiff between 5.1.2-0ubuntu8 and 5.3.5-1ubuntu1"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4573962/+files/ubuntu-5.1.2-0ubuntu8-to-5.3.5-1ubuntu1.debdiff
Ryan Harper
2016-02-17 23:22:39 UTC
Permalink
** Patch added: "debdiff netween debian 5.3.5-1 and ubuntu 5.3.5-1ubuntu1"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+attachment/4573963/+files/debian-5.3.5-1-to-5.3.5-1ubuntu1.debdiff
Ubuntu Foundations Team Bug Bot
2016-02-18 00:24:42 UTC
Permalink
The attachment "Ubuntu debdiff between 5.1.2-0ubuntu8 and
5.3.5-1ubuntu1" seems to be a debdiff. The ubuntu-sponsors team has
been subscribed to the bug report so that they can review and hopefully
sponsor the debdiff. If the attachment isn't a patch, please remove the
"patch" flag from the attachment, remove the "patch" tag, and if you are
a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch
Serge Hallyn
2016-02-18 01:44:46 UTC
Permalink
** Changed in: strongswan (Ubuntu)
Importance: Undecided => High
Serge Hallyn
2016-02-18 04:34:12 UTC
Permalink
** Changed in: strongswan (Ubuntu)
Status: Confirmed => Fix Released