[prev in list] [next in list] [prev in thread] [next in thread]
List: strongswan-announce
Subject: Re: [strongSwan-dev] Problems on test suite when running it with options --with-user and --with-grou
From: Andreas Steffen <andreas.steffen () strongswan ! org>
Date: 2013-08-07 17:03:13
Message-ID: 52027DD1.6070802 () strongswan ! org
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Hello Anaëlle,
as is mentioned in our documentation, capability dropping does not
work with the updown script because the iptables command requires
the process to be root. As a workaround you can configure static
IPsec policy firewall rules using iptables as in the following
example:
http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-suite-b-128/
which uses the static rules
iptables -A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec
--proto esp -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec
--proto esp -j ACCEPT
on the VPN gateway and
iptables -A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp
-j ACCEPT
iptables -A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp
-j ACCEPT
on the VPN client.
Hope this helps.
Andreas
On 08/07/2013 05:29 PM, Anaelle POGNOT wrote:
> Hello,
>
> I was wondering if you could help me about a problem I have.
> I'm working on StrongSwan 5.0.4 and I was trying to run the test suite
> with a different configuration. In fact, I wanted to test the solution
> with charon running as another user/group than root. So, I added three
> options to the CONFIG_OPTS variable in
> testing/scripts/recipes/xxx_strongswan.mk <http://xxx_strongswan.mk>
> (--with-user=charon --with-group=charon --with-capabilities=libcap) and
> one line at the end of the script testing/scripts/build-baseimage
> (execute_chroot "useradd charon", to be sure that the user charon exists).
>
> However, when I run the test suite, most of the tests fail when trying
> to run the ping command. It says:
> "ping: sendmsg: Operation not permitted"
>
> In the xx.daemon.log, I always have the same message:
> updown: iptables v1.4.14: can't initialize iptables table `filter':
> Permission denied (you must be root)
> updown: Perhaps iptables or your kernel needs to be upgraded.
>
> When I checked on the hosts, I realized that the file
> /etc/iptables.rules has the following default policy:
> # default policy is DROP
> -P INPUT DROP
> -P OUTPUT DROP
> -P FORWARD DROP
> If I change from DROP to ACCEPT on both sides, ping works.
>
> Am I doing something wrong / forgetting an option or something? Or
> doesn't the test suite work with these three options?
>
> Best regards,
>
> Anaëlle
>
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
["smime.p7s" (application/pkcs7-signature)]
_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic