
Task #30185

Scenario #30148: Express MEN processing (22-24)

VPN on Amon: why the /etc/ipsec.d/ipsec_updown script does not run

Added by Fabrice Barconnière about 1 month ago. Updated 18 days ago.

Status:
Closed
Priority:
Normal
Start date:
05/25/2020
Due date:
06/12/2020
% Done:

100%

Remaining (hours):
0.0

Description

The tunnels come up correctly with active_rvp, but the routes and the ipsec-related iptables rules (set up in the /etc/ipsec.d/ipsec_updown script) are not created.

Related issues

Related to strongswan - Task #13330: Test that there is no VPN connection problem between strongSwan 5.3.3 and strongSwan 5.0.4 of EOLE 2.4.2 before packaging this version. Closed 09/21/2015

Associated revisions

Revision 29ae7dc6 (diff)
Added by Fabrice Barconnière about 1 month ago

/bin -> /usr/bin : modify charon apparmor profile to run ipsec_updown script

ref #30185

History

#1 Updated by Fabrice Barconnière about 1 month ago

  • Description updated (diff)

#2 Updated by Fabrice Barconnière about 1 month ago

Question on the strongSwan chat:

<barco> Hi, do you know if there is a problem with the updown plugin with strongSwan 5.8.2? My own leftupdown script seems not to be called. I have the same configuration with strongSwan 5.6.2 and it is called correctly.
<Thermi> barco: Does it work if you downgrade?
<barco> Thermi: yes, with strongSwan 5.6.2 it works
<Thermi> barco: So you downgraded and it works again?
<barco> I didn't downgrade. I have 2 servers. The 1st on Ubuntu bionic with strongSwan 5.6.2 and the 2nd on Ubuntu focal with strongSwan 5.8.2
<barco> If I use my ipsec.conf on the 1st, it works, but not on the 2nd
<barco> Tunnels are OK, but the leftupdown script is not called. When I add "echo "TEST"" in the script, it is logged on the first, but not on the 2nd
<barco> updown plugin is successfully loaded: 2020-05-27T15:21:27.640041+02:00 amon.etb1.lan charon: 00[LIB] plugin 'updown': loaded successfully
<ecdsa> barco: Probably an apparmor issue, read the system log and add override rules as necessary
<barco> Thanks ecdsa, I didn't look at the right log for apparmor. It needs to exec /usr/bin/bash. On the older server, /bin/bash only was OK.

I added it and it works:

root@amon:~# cat /etc/apparmor.d/local/usr.lib.ipsec.charon 
  /bin/bash                 rmPUx,
  /usr/bin/bash             rmPUx,

Why /usr/bin/bash?
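Added example, not code from this ticket or from the EOLE or strongSwan projects: a POSIX shell helper that extracts AppArmor exec denials from a log stream and checks whether the interpreter named on an updown script's #! line, and its usr-merge twin, both have an exec rule in the local override. The profile path /usr/lib/ipsec/charon, the audit lines and the sample files are constructed; the rule syntax follows the override shown above.

```shell
#!/bin/sh
# Constructed sample of the audit lines AppArmor emits when the charon profile is
# denied exec of the updown script's interpreter (values made up for this example).
SAMPLE_LOG='audit: type=1400 apparmor="DENIED" operation="exec" profile="/usr/lib/ipsec/charon" name="/usr/bin/bash" pid=1234 comm="charon" requested_mask="x" denied_mask="x"
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=1234 comm="charon" requested_mask="r" denied_mask="r"'

# Print "profile path" for every DENIED exec in a log stream read on stdin.
# A charon line naming /usr/bin/bash is the signature of the missing rule.
denied_execs() {
  grep 'apparmor="DENIED"' | grep 'operation="exec"' \
    | sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# Interpreter named on the #! line of a script (argument: script path).
shebang_of() {
  head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print a path and its usr-merge twin (/bin/X <-> /usr/bin/X). On a merged-/usr
# system /bin is a symlink to /usr/bin, so the kernel resolves /bin/bash to
# /usr/bin/bash and AppArmor matches that resolved path, not the one in #!.
usrmerge_twins() {
  case "$1" in
    /bin/*)     printf '%s\n%s\n' "$1" "/usr$1" ;;
    /usr/bin/*) printf '%s\n%s\n' "$1" "${1#/usr}" ;;
    *)          printf '%s\n' "$1" ;;
  esac
}

# Paths the script's interpreter may resolve to that have no exec rule
# (a rule is "<path> <perms ending in x>,") in the given profile override file.
# Args: override file, script path. Prints each missing path on its own line.
missing_exec_rules() {
  override=$1
  script=$2
  usrmerge_twins "$(shebang_of "$script")" | while read -r p; do
    awk -v p="$p" '$1 == p && $2 ~ /x,$/ { ok = 1 } END { exit !ok }' "$override" \
      || printf '%s\n' "$p"
  done
}
```

Run `missing_exec_rules /etc/apparmor.d/local/usr.lib.ipsec.charon /etc/ipsec.d/ipsec_updown` on a host to list the rule(s) still to add before reloading the profile.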

#3 Updated by Fabrice Barconnière about 1 month ago

  • Related to Task #13330: Test that there is no VPN connection problem between strongSwan 5.3.3 and strongSwan 5.0.4 of EOLE 2.4.2 before packaging this version. added

#4 Updated by Fabrice Barconnière about 1 month ago

Well, this is not new: #13330#note-2

#5 Updated by Fabrice Barconnière about 1 month ago

  • Due date set to 06/12/2020
  • Target version set to sprint 2020 22-24 Equipe MENSR
  • Start date set to 05/25/2020

#6 Updated by Fabrice Barconnière about 1 month ago

  • Parent task set to #30148

#7 Updated by Fabrice Barconnière about 1 month ago

  • Status changed from New to In progress

#8 Updated by Fabrice Barconnière about 1 month ago

  • Assigned To set to Fabrice Barconnière

#9 Updated by Fabrice Barconnière about 1 month ago

  • Status changed from In progress to Resolved

#10 Updated by Fabrice Barconnière about 1 month ago

  • % Done changed from 0 to 100

#11 Updated by Fabrice Barconnière 18 days ago

I am closing this request; there will be a qualification run and we will see for ourselves that it works ;)

#12 Updated by Fabrice Barconnière 18 days ago

  • Status changed from Resolved to Closed
  • Remaining (hours) set to 0.0
