
List:       strongswan-announce
Subject:    Re: [strongSwan-dev] Problems on test suite when running it with options --with-user and --with-grou
From:       Andreas Steffen <andreas.steffen@strongswan.org>
Date:       2013-08-07 17:03:13
Message-ID: 52027DD1.6070802@strongswan.org


Hello Anaëlle,

as is mentioned in our documentation, capability dropping does not
work with the updown script because the iptables command requires
the process to be root. As a workaround you can configure static
IPsec policy firewall rules using iptables as in the following
example:

http://www.strongswan.org/uml/testresults/openssl-ikev2/rw-suite-b-128/

which uses the static rules

iptables -A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

on the VPN gateway and

iptables -A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

on the VPN client.

Hope this helps.

Andreas

On 08/07/2013 05:29 PM, Anaelle POGNOT wrote:
> Hello,
> 
> I was wondering if you could help me about a problem I have.
> I'm working on StrongSwan 5.0.4 and I was trying to run the test suite
> with a different configuration. In fact, I wanted to test the solution
> with charon running as another user/group than root. So, I added three
> options to the CONFIG_OPTS variable in
> testing/scripts/recipes/xxx_strongswan.mk
> (--with-user=charon --with-group=charon --with-capabilities=libcap) and
> one line at the end of the script testing/scripts/build-baseimage
> (execute_chroot "useradd charon", to be sure that the user charon exists).
> 
> However, when I run the test suite, most of the tests fail when trying
> to run the ping command. It says:
> "ping: sendmsg: Operation not permitted"
> 
> In the xx.daemon.log, I always have the same message:
> updown: iptables v1.4.14: can't initialize iptables table `filter':
> Permission denied (you must be root)
> updown: Perhaps iptables or your kernel needs to be upgraded.
> 
> When I checked on the hosts, I realized that the file
> /etc/iptables.rules has the following default policy:
> # default policy is DROP
> -P INPUT DROP
> -P OUTPUT DROP
> -P FORWARD DROP
> If I change from DROP to ACCEPT on both sides, ping works.
> 
> Am I doing something wrong / forgetting an option or something? Or
> doesn't the test suite work with these three options?
> 
> Best regards,
> 
> Anaëlle
> 
======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
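
As an added example, not code from this thread or from the strongSwan project: a small Python checker that parses an iptables-save / iptables -S style ruleset and reports which of the static policy-match ACCEPT rules from the reply above are missing on a chain whose default policy is DROP. That is the state Anaëlle's test hosts were in once the updown script could no longer insert rules itself. The function names and the two rulesets embedded below are the example's own (constructed, not taken from the test suite). Note that the policy-match rules only cover the plaintext side of the tunnel; the ESP packets themselves and IKE on UDP 500/4500 still need their own ACCEPT rules, which are not part of this message.

```python
"""Check an iptables ruleset for the static IPsec policy-match rules that stand
in for charon's updown script when the daemon runs unprivileged.
Added example (not strongSwan code); the rulesets below are constructed."""
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    opts: dict          # "-i" -> "eth0", "--pol" -> "ipsec", "-j" -> "ACCEPT", ...


def parse_ruleset(text):
    """Parse 'iptables-save' / 'iptables -S' style text.

    Returns (policies, rules): chain -> default policy, and a list of -A rules.
    Only positive matches are modelled ('!' negations are not handled).
    """
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):              # iptables-save header ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tok = line.split()
        if tok[0] == "-P":                    # "-P INPUT DROP"
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":                  # "-A INPUT -i eth0 ... -j ACCEPT"
            opts, i = {}, 2
            while i < len(tok):
                if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                    opts[tok[i]] = tok[i + 1]
                    i += 2
                else:
                    opts[tok[i]] = True       # bare flag without a value
                    i += 1
            rules.append(Rule(tok[1], opts))
    return policies, rules


def _has_policy_accept(rules, chain, want):
    """True if some rule in `chain` is an ipsec policy-match ACCEPT with `want`."""
    return any(
        r.chain == chain
        and r.opts.get("-m") == "policy"
        and r.opts.get("--pol") == "ipsec"
        and r.opts.get("-j") == "ACCEPT"
        and all(r.opts.get(k) == v for k, v in want.items())
        for r in rules
    )


def policy_rule_gaps(text, role, ext_if, int_if=None):
    """List the policy-match ACCEPT rules a DROP-by-default host is missing.

    role is "gateway" (FORWARD between int_if and ext_if) or "client"
    (INPUT/OUTPUT on ext_if), matching the two rule sets in the reply above.
    """
    policies, rules = parse_ruleset(text)
    if role == "gateway":
        required = [
            ("FORWARD", {"-i": ext_if, "-o": int_if, "--dir": "in"}),
            ("FORWARD", {"-i": int_if, "-o": ext_if, "--dir": "out"}),
        ]
    elif role == "client":
        required = [
            ("INPUT", {"-i": ext_if, "--dir": "in"}),
            ("OUTPUT", {"-o": ext_if, "--dir": "out"}),
        ]
    else:
        raise ValueError(f"unknown role {role!r}")
    gaps = []
    for chain, want in required:
        if policies.get(chain, "ACCEPT") != "DROP":
            continue                          # open by default: nothing to add
        if not _has_policy_accept(rules, chain, want):
            gaps.append(f"{chain} drops by default but has no ipsec policy-match "
                        f"ACCEPT for {want}")
    return gaps


# Constructed rulesets (hypothetical, not the strongSwan test-suite files).
DROP_ONLY = """\
# default policy is DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
"""

GATEWAY_STATIC = DROP_ONLY + """\
-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
"""

if __name__ == "__main__":
    for name, rs in (("drop-only", DROP_ONLY), ("gateway-static", GATEWAY_STATIC)):
        print(name, policy_rule_gaps(rs, "gateway", "eth0", "eth1") or "ok")
```

Run it against the output of `iptables -S` (or the saved /etc/iptables.rules) on each test host; a DROP-by-default chain with no matching policy rule is exactly the case where ping fails with "Operation not permitted" once charon is no longer allowed to run iptables.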


["smime.p7s" (application/pkcs7-signature)]

_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev

[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic