Jul 15 02:34:29 aegir NetworkManager[323]: <info> [1594798469.6496] audit: op="connection-activate" uuid="97b7a32d-1bee-4036-892d-ad17aaa5b06b" name="VPN connection 1" pid=492 uid=1101106 result="success"
Jul 15 02:34:29 aegir NetworkManager[323]: <info> [1594798469.6519] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: Started the VPN service, PID 64624
Jul 15 02:34:29 aegir NetworkManager[64640]: Stopping strongSwan IPsec failed: starter is not running
Jul 15 02:34:29 aegir NetworkManager[323]: <info> [1594798469.6593] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: Saw the service appear; activating connection
Jul 15 02:34:29 aegir NetworkManager[323]: <info> [1594798469.6964] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN connection: (ConnectInteractive) reply received
Jul 15 02:34:29 aegir nm-l2tp-service[64624]: Check port 1701
Jul 15 02:34:31 aegir NetworkManager[64637]: Starting strongSwan 5.8.4 IPsec [starter]...
Jul 15 02:34:31 aegir NetworkManager[64637]: Loading config setup
Jul 15 02:34:31 aegir NetworkManager[64637]: Loading conn '97b7a32d-1bee-4036-892d-ad17aaa5b06b'
Jul 15 02:34:31 aegir ipsec_starter[64637]: Starting strongSwan 5.8.4 IPsec [starter]...
Jul 15 02:34:31 aegir ipsec_starter[64637]: Loading config setup
Jul 15 02:34:31 aegir ipsec_starter[64637]: Loading conn '97b7a32d-1bee-4036-892d-ad17aaa5b06b'
Jul 15 02:34:31 aegir ipsec_starter[64646]: Attempting to start charon...
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.4.38-gentoo, x86_64)
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.lkp' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.lkp' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] unable to create IPv4 routing table rule
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] unable to create IPv6 routing table rule
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loaded IKE secret for %any
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.ctl' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.ctl' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.vici' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.vici' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] no threshold configured for systime-fix, disabled
Jul 15 02:34:31 aegir charon[64647]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown xauth-generic xauth-pam lookip led unity counters
Jul 15 02:34:31 aegir charon[64647]: 00[LIB] dropping capabilities failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] capability dropping failed - aborting charon
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Operation not permitted (1)
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Operation not permitted (1)
Jul 15 02:34:31 aegir ipsec_starter[64646]: child 64647 (charon) has quit (exit code 66)
Jul 15 02:34:31 aegir ipsec_starter[64646]:
Jul 15 02:34:31 aegir ipsec_starter[64646]: charon has quit: initialization failed
Jul 15 02:34:31 aegir ipsec_starter[64646]: charon refused to be started
Jul 15 02:34:31 aegir ipsec_starter[64646]: ipsec starter stopped
Jul 15 02:34:37 aegir NetworkManager[64669]: Stopping strongSwan IPsec failed: starter is not running
Jul 15 02:34:37 aegir nm-l2tp-service[64624]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jul 15 02:34:37 aegir NetworkManager[323]: <info> [1594798477.0600] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN plugin: state changed: stopped (6)
Jul 15 02:34:37 aegir NetworkManager[323]: <info> [1594798477.0610] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN service disappeared
Jul 15 02:34:37 aegir NetworkManager[323]: <warn> [1594798477.0616] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Reproducible: Always
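Added triage helper, not part of the bug report or of strongSwan/NetworkManager: given a journald or syslog excerpt like the one above, it pulls the charon PID, the exit code ipsec_starter reports, and whether charon aborted because it could not drop capabilities, and counts the sockets it could not chown. The embedded log is a constructed excerpt of the lines quoted in the report; the classification labels are this script's own.

```shell
#!/bin/sh
# Classify a strongSwan start attempt from journal/syslog lines on stdin.
# Output is one line: charon-capdrop-failure, charon-exited or no-charon-failure.

# Constructed sample: trimmed excerpt of the log lines in the bug report.
SAMPLE_LOG=$(cat <<'EOF'
Jul 15 02:34:31 aegir ipsec_starter[64646]: Attempting to start charon...
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.4.38-gentoo, x86_64)
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.lkp' without CAP_CHOWN capability.
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.ctl' without CAP_CHOWN capability.
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.vici' without CAP_CHOWN capability.
Jul 15 02:34:31 aegir charon[64647]: 00[LIB] dropping capabilities failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] capability dropping failed - aborting charon
Jul 15 02:34:31 aegir ipsec_starter[64646]: child 64647 (charon) has quit (exit code 66)
Jul 15 02:34:31 aegir ipsec_starter[64646]: charon refused to be started
EOF
)

# classify_charon_log < LOG -> one summary line on stdout
classify_charon_log() {
    awk -v q="'" '
    # remember the PID from any charon[NNNN] line
    /charon\[[0-9]+\]: / {
        match($0, /charon\[[0-9]+\]/)
        pid = substr($0, RSTART + 7, RLENGTH - 8)
    }
    # sockets whose ownership charon could not change (path is between quotes)
    /cannot change ownership of socket/ { split($0, a, q); unowned[a[2]] = 1 }
    # the fatal condition in this bug
    /dropping capabilities failed/ { capfail = 1 }
    # exit code as reported by ipsec_starter: "... (exit code 66)"
    /\(charon\) has quit \(exit code [0-9]+\)/ {
        n = split($0, w, " "); code = w[n]; sub(/\)/, "", code)
    }
    END {
        nsock = 0; for (s in unowned) nsock++
        if (capfail)
            printf "charon-capdrop-failure pid=%s exit=%s unowned_sockets=%d\n", pid, code, nsock
        else if (code != "")
            printf "charon-exited pid=%s exit=%s\n", pid, code
        else
            print "no-charon-failure"
    }'
}

# classify_sample -> verdict for the constructed excerpt above
classify_sample() {
    printf '%s\n' "$SAMPLE_LOG" | classify_charon_log
}

# Stand-alone: with a file argument classify that file, otherwise the sample.
if [ $# -gt 0 ]; then classify_charon_log < "$1"; else classify_sample; fi
```

For a live system, `journalctl -u NetworkManager -b > nm.log; sh classify.sh nm.log` is the intended use; the socket-ownership warnings are kept separate from the verdict because charon also prints them in runs that go on to succeed, so only the "dropping capabilities failed" line is treated as fatal.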
It is sad to read that you have problems with the software. The situation seems to be a bit more complicated and requires some analysis. At first I suggest to recompile the package and its dependencies. We cannot help you efficiently via the bug tracker. The bug tracker aims rather at specific problems in .ebuilds and less at individual systems. I have had very good experience on the Gentoo IRC [1] with questions like this. Of course there are also forums and mailing lists [2,3]. I hope you understand that I will therefore close the bug here and wish you good luck on one of the mentioned channels [4]. Please reopen the ticket in order to provide an indication of a specific error in an ebuild or any Gentoo related product.

[1] https://www.gentoo.org/get-involved/irc-channels/
[2] https://forums.gentoo.org/
[3] https://www.gentoo.org/get-involved/mailing-lists/all-lists.html
[4] https://www.gentoo.org/support/
I don't see how there could be any misunderstanding that this is a bug in the strongswan package. It says right here what the problem is:

Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.lkp' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.lkp' failed: Operation not permitted

Has the "caps" use flag actually been tested? It's clearly not working correctly.

Recompiling the net-vpn/strongswan package with USE: -caps -non-root fixes the problem.

aegir ~ # emerge --info strongswan
Portage 2.3.99 (python 3.7.8-final-0, default/linux/amd64/17.1, gcc-9.3.0, glibc-2.30-r8, 5.4.48-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.4.48-gentoo-x86_64-Intel-R-_Core-TM-_i7-4810MQ_CPU_@_2.80GHz-with-gentoo-2.6
KiB Mem:    16353332 total,   2280304 free
KiB Swap:    4196348 total,   4163068 free
Timestamp of repository gentoo: Thu, 16 Jul 2020 21:05:21 +0000
Head commit of repository gentoo: a0d48759a01ab416257407b80693d3676d3ef496
Head commit of repository jonesmz-public-overlay: f2a4eeea473f94bf0045e49ca098cd36b44b2bf3
Head commit of repository lto-overlay: fba07541149bd9209e47ccf6a6492201be39661d
Head commit of repository mv: 24e3dc27561563e3335e8a0911608e6e1c8950a4
Head commit of repository steam-overlay: b8fc2697aadc252bcd8c229ef24db59fd67728f4
sh bash 5.0_p17
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
distcc 3.3.3 x86_64-pc-linux-gnu [disabled]
ccache version 3.7.9 [disabled]
app-shells/bash:            5.0_p17::gentoo
dev-java/java-config:       2.3.1::gentoo
dev-lang/perl:              5.30.3::gentoo
dev-lang/python:            2.7.18::gentoo, 3.6.11-r2::lto-overlay, 3.7.8-r2::lto-overlay, 3.8.3-r1::gentoo
dev-util/ccache:            3.7.9::gentoo
dev-util/cmake:             3.16.5::gentoo
dev-util/pkgconfig:         0.29.2::gentoo
sys-apps/baselayout:        2.6-r1::gentoo
sys-apps/sandbox:           2.18::gentoo
sys-devel/autoconf:         2.13-r1::gentoo, 2.69-r4::gentoo
sys-devel/automake:         1.16.1-r1::gentoo
sys-devel/binutils:         2.33.1-r1::gentoo
sys-devel/gcc:              9.3.0-r1::gentoo
sys-devel/gcc-config:       2.3::gentoo
sys-devel/libtool:          2.4.6-r6::gentoo
sys-devel/make:             4.2.1-r4::gentoo
sys-kernel/linux-headers:   5.4-r1::gentoo (virtual/os-headers)
sys-libs/glibc:             2.30-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git
    priority: -1000

jonesmz-public-overlay
    location: /usr/portage-overlays/jonesmz-public-overlay
    sync-type: git
    sync-uri: https://github.com/jonesmz/gentoo-overlay.git
    masters: gentoo

lto-overlay
    location: /usr/portage-overlays/lto-overlay
    sync-type: git
    sync-uri: https://github.com/InBetweenNames/gentooLTO.git
    masters: gentoo

mv
    location: /usr/portage-overlays/mv
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/user/mv.git
    masters: gentoo

steam-overlay
    location: /usr/portage-overlays/steam-overlay
    sync-type: git
    sync-uri: https://github.com/anyc/steam-overlay.git
    masters: gentoo
    priority: 50

Installed sets: @archive, @desktop-applications, @esteam, @lxqt, @pc-base-system, @portage, @vcs, @virt-client
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS=" --jobs --keep-going --newuse --changed-deps --deep --tree --backtrack=3000 --complete-graph --with-bdeps=y --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg clean-logs compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage-packages"
PORTAGE_COMPRESS="xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 branding bzip2 cairo cdda cdr clang crypt dbus dri dts dvd dvdr egl emboss encode exif flac gif glamor gles2 gnome-keyring gpm gstreamer gtk gtk3 hardened iconv icu ipv6 jpeg lcms libnotify libtirpc mad mp3 mp4 mpeg multilib ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf pie png policykit ppds pulseaudio qt5 readline samba sdl seccomp sound spell split-usr ssl ssp startup-notification svg systemd theora threads tiff truetype udev udisks unicode upower usb vaapi vorbis wayland widevine wifi x264 xattr xcb xinerama xml xtpax xv xvid zeroconf zlib"
ABI_X86="64"
ADA_TARGET="gnat_2018"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="karbon sheets words"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="mmx sse sse2 mmxext"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="coreboot efi-64 emu qemu pc"
INPUT_DEVICES="libinput"
KERNEL="linux"
L10N="en en-US"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php7-2"
POSTGRES_TARGETS="postgres10 postgres11"
PYTHON_SINGLE_TARGET="python3_7"
PYTHON_TARGETS="python2_7 python3_7"
QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64"
QEMU_USER_TARGETS="arm aarch64 x86_64"
RUBY_TARGETS="ruby25"
USERLAND="GNU"
VIDEO_CARDS="vesa modesetting intel i965 radeon radeonsi amdgpu"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-vpn/strongswan-5.8.4::gentoo was built with the following:
USE="constraints gmp networkmanager openssl pam strongswan_plugins_led strongswan_plugins_lookip strongswan_plugins_systime-fix strongswan_plugins_unity strongswan_plugins_vici systemd -caps -curl -debug -dhcp -eap -farp -gcrypt -ldap -mysql -non-root -pkcs11 (-selinux) -sqlite -strongswan_plugins_aesni -strongswan_plugins_blowfish -strongswan_plugins_ccm -strongswan_plugins_chapoly -strongswan_plugins_ctr -strongswan_plugins_forecast -strongswan_plugins_gcm -strongswan_plugins_ha -strongswan_plugins_ipseckey -strongswan_plugins_newhope -strongswan_plugins_ntru (-strongswan_plugins_padlock) -strongswan_plugins_rdrand -strongswan_plugins_save-keys -strongswan_plugins_unbound -strongswan_plugins_whitelist" ABI_X86="(64)"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects -Wl,-O1 -Wl,--as-needed"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects -Wl,-O1 -Wl,--as-needed"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
You are probably mixing USE=caps expectation with USE=filecaps expectation known from other packages (note: strongswan has no USE=filecaps). Anyway, I am unable to reproduce. Please provide strongswan config to trigger this.
Created attachment 654354 [details] Network Manager Working A log from systemd-journald where network manager successfully connects with L2TP VPN from Ubiquiti 4 port unifi security gateway
Created attachment 654356 [details] ppp-options working ppp-options file from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Created attachment 654358 [details] ipsec.conf working ipsec.conf from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Created attachment 654360 [details] xl2tpd.conf working xl2tpd.conf from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Created attachment 654368 [details] network manager log - not working systemd-journald log when net-vpn/strongswan is compiled with USE="caps non-root" Doesn't work.
Created attachment 654370 [details] ppp-options not-working
Created attachment 654372 [details] xl2tpd.conf not working
Created attachment 654374 [details] ipsec.conf not working
In the non-working case, this is the contents of /run/

aegir /run # ls -lah
total 24K
drwxr-xr-x 24 root  root   660 Aug 12 13:33 .
drwxr-xr-x  1 root  root   226 Mar 17 04:50 ..
drwxr-xr-x  2 avahi avahi   80 Aug 10 21:17 avahi-daemon
drwxr-xr-x  2 root  root    60 Aug 10 21:17 blkid
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.ctl
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.lkp
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.vici
drwx------  2 root  root    40 Aug 10 21:17 cryptsetup
drwxr-xr-x  2 root  root    40 Aug 10 21:17 ctdb
drwxr-xr-x  2 root  root    60 Aug 10 21:17 dbus
-rw-r--r--  1 root  root     6 Aug 12 13:20 dhclient6-wlp3s0.pid
-rw-r--r--  1 root  root     6 Aug 12 04:47 dhclient-wlp3s0.pid
-rw-r--r--  1 root  root     4 Aug 10 21:17 gpm.pid
prw-------  1 root  root     0 Aug 10 21:17 initctl
drwxr-xr-x  3 root  root    60 Aug 10 21:17 libvirt
drwxrwxr-x  5 root  uucp   100 Aug 10 21:17 lock
drwxr-xr-x  3 root  root    60 Aug 10 21:17 log
drwx------  2 root  root    40 Aug 10 21:17 lvm
drwxr-xr-x  2 root  root    40 Aug 10 21:17 media
drwxr-xr-x  2 root  root    40 Aug 10 21:17 mount
drwxr-xr-x  3 root  root   120 Aug 12 13:24 NetworkManager
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-client
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-server
-rw-r--r--  1 root  root  8.0K Aug 12 12:59 pppd2.tdb
drwxr-xr-x  3 root  root    80 Aug 10 21:17 samba
drwxr-xr-x  2 root  root    60 Aug 10 21:17 sddm
drwx--x--x  3 root  root    60 Aug 10 21:17 sudo
drwxr-xr-x 20 root  root   480 Aug 10 21:17 systemd
drwxr-xr-x  7 root  root   160 Aug 12 13:24 udev
drwx------  2 root  root    40 Aug 10 21:17 udisks2
drwxr-xr-x  3 root  root    60 Aug 10 21:18 user
-rw-rw-r--  1 root  utmp  1.2K Aug 10 21:17 utmp
drwxr-xr-x  2 root  root    40 Aug 10 21:17 xl2tpd
I don't see much of a difference when I have USE="-caps -non-root"

total 36K
drwxr-xr-x 25 root  root   740 Aug 12 13:46 .
drwxr-xr-x  1 root  root   226 Mar 17 04:50 ..
drwxr-xr-x  2 avahi avahi   80 Aug 10 21:17 avahi-daemon
drwxr-xr-x  2 root  root    60 Aug 10 21:17 blkid
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.ctl
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.lkp
-rw-r--r--  1 root  root     7 Aug 12 13:46 charon.pid
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.vici
drwx------  2 root  root    40 Aug 10 21:17 cryptsetup
drwxr-xr-x  2 root  root    40 Aug 10 21:17 ctdb
drwxr-xr-x  2 root  root    60 Aug 10 21:17 dbus
-rw-r--r--  1 root  root     6 Aug 12 13:20 dhclient6-wlp3s0.pid
-rw-r--r--  1 root  root     6 Aug 12 04:47 dhclient-wlp3s0.pid
-rw-r--r--  1 root  root     4 Aug 10 21:17 gpm.pid
prw-------  1 root  root     0 Aug 10 21:17 initctl
drwxr-xr-x  3 root  root    60 Aug 10 21:17 libvirt
drwxrwxr-x  5 root  uucp   100 Aug 10 21:17 lock
drwxr-xr-x  3 root  root    60 Aug 10 21:17 log
drwx------  2 root  root    40 Aug 10 21:17 lvm
drwxr-xr-x  2 root  root    40 Aug 10 21:17 media
drwxr-xr-x  2 root  root    40 Aug 10 21:17 mount
drwxr-xr-x  3 root  root   120 Aug 12 13:46 NetworkManager
drwx------  2 root  root   140 Aug 12 13:46 nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-client
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-server
-rw-r--r--  1 root  root     7 Aug 12 13:46 ppp0.pid
-rw-r--r--  1 root  root  8.0K Aug 12 12:59 pppd2.tdb
drwxr-xr-x  3 root  root    80 Aug 10 21:17 samba
drwxr-xr-x  2 root  root    60 Aug 10 21:17 sddm
-rw-r--r--  1 root  root     7 Aug 12 13:46 starter.charon.pid
drwx--x--x  3 root  root    60 Aug 10 21:17 sudo
drwxr-xr-x 20 root  root   480 Aug 10 21:17 systemd
drwxr-xr-x  7 root  root   160 Aug 12 13:46 udev
drwx------  2 root  root    40 Aug 10 21:17 udisks2
drwxr-xr-x  3 root  root    60 Aug 10 21:18 user
-rw-rw-r--  1 root  utmp  1.2K Aug 10 21:17 utmp
drwxr-xr-x  2 root  root    40 Aug 10 21:17 xl2tpd
What other information do you need? I'm not trying to understand what "caps" or "non-root" do. So I'm not confusing "caps" with "filecaps". I'm simply pointing out that at least on my system, if I compile with USE="caps non-root", it doesn't let me connect to the VPN, claiming it doesn't have the CAP_CHOWN capability. If I compile with USE="-caps -non-root", it works without problem.
@Michael Jones - did you ever resolve this? I ran into exactly the same issue you had regarding caps/non-root USE. Now, after passing that hurdle, I'm trying to understand why, when compiling strongswan with USE="-non-root -caps" the syslog shows me this: charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
If it helps, I just started having (I believe) the same issue about two days ago. At least a couple times every hour, my V.P.N. stops routing traffic until I restart the whole service. No idea why this just started a couple days ago. I hadn't updated or changed anything for at least a week prior to that. I was working on a script that managed some basic initialisation but I don't think there's any way that could be the cause. In the interest of not posting a huge log, here are the highlights of one instance:

1: V.P.N. connection is established.
2: Peer supports MOBIKE.
3: Sends a "keep alive" about once every 20-40 seconds for about 18 minutes.
4:
  4.1: Sends DPD request.
  4.2: Generates INFORMATIONAL request.
  4.3: Sends packet.
  4.4: Receives packet.
  4.5: Parses INFORMATIONAL response.

Those 4.* events seem to repeat indefinitely, but `ipsec status` shows the connection is established and I can ping the server's non-V.P.N. address normally (but nothing through the V.P.N.). I'm on version U5.9.1/K5.4.80-gentoo-r1.
I've also hit this issue, basically a clean new install of KDE plasma desktop. It appears that the starter and charon processes are inheriting the capabilities of the NetworkManager process (0x00000000200534e2=cap_dac_override,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write), which either is abandoning required capabilities long before reaching strongswan. I don't know if this is a strongswan issue or a NM issue (I don't know what is expected from the parent process in terms of kernel capabilities; I'm guessing that without non-root there is a sticky gid being set somewhere). Please let me know what information is helpful on debugging/directing this.
Also having this issue. It can be solved by adding CAP_SETPCAP to CapabilityBoundingSet in the NetworkManager.service systemd unit.
Submitted fix upstream: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1053
Upstream doesn't want to add the extra capability. Opinions on the suggested alternative of having the plugin install a systemd override file?
Created attachment 760703 [details] Temporary fix Save this file as /etc/systemd/system/NetworkManager.service.d/override.conf and run "systemctl daemon-reload; systemctl restart NetworkManager.service" for a temporary fix while we decide how to move forward.
This is not really a Gentoo bug, but something both upstreams, i.e., strongswan and NetworkManager, have to figure out. For now, there appear to be two solutions:

1. Emerge strongswan with USE="-caps -non-root"
2. Override NetworkManager.service with CapabilityBoundingSet=CAP_SETPCAP (see https://bugs.gentoo.org/732708#c21)
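Added helper, not part of this thread, of strongSwan or of NetworkManager: it decodes a capability bounding-set mask as printed on the CapBnd: line of /proc/<pid>/status, reports whether CAP_SETPCAP (the capability the comments above add to NetworkManager.service) is in it, and prints the drop-in that the second workaround needs. The sample mask is the one quoted in the comment about inherited capabilities; the `--live` mode assumes `pidof` and a running NetworkManager, and the drop-in path matches the "Temporary fix" attachment.

```shell
#!/bin/sh
# Decode a CapBnd mask and check for CAP_SETPCAP; print the systemd drop-in
# that adds it to NetworkManager's bounding set.

# Constructed sample: the mask quoted above (no cap_setpcap in it).
SAMPLE_CAPBND="0x00000000200534e2"

# Capability names in bit order 0..40, from <linux/capability.h>.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"
CAP_SETPCAP=8

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set (arithmetic expansion takes 0x...)
cap_in_mask() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# cap_names HEXMASK -> comma-separated cap_* names, in the order the kernel numbers them
cap_names() {
    i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( ($1 >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+,}cap_${name}"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# nm_capbnd -> CapBnd mask of the running NetworkManager (exit 1 if none found)
nm_capbnd() {
    pid=$(pidof NetworkManager 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || return 1
    awk '/^CapBnd:/ { print "0x" $2 }' "/proc/$pid/status"
}

# nm_setpcap_dropin -> drop-in text. Repeated CapabilityBoundingSet= lines are
# OR-merged (systemd.exec(5)), so this adds CAP_SETPCAP to the packaged unit's
# set instead of replacing it.
nm_setpcap_dropin() {
    printf '[Service]\nCapabilityBoundingSet=CAP_SETPCAP\n'
}

# report HEXMASK -> exit 0 if CAP_SETPCAP is present, 1 otherwise (with advice)
report() {
    if cap_in_mask "$1" "$CAP_SETPCAP"; then
        echo "CapBnd $1: CAP_SETPCAP present, charon can drop capabilities"
        return 0
    fi
    echo "CapBnd $1: CAP_SETPCAP missing; set is $(cap_names "$1")"
    echo "fix: write /etc/systemd/system/NetworkManager.service.d/override.conf containing:"
    nm_setpcap_dropin
    echo "then: systemctl daemon-reload; systemctl restart NetworkManager.service"
    return 1
}

# Stand-alone: no argument checks the sample mask, --live the running daemon,
# anything else is taken as a CapBnd mask.
case "${1:-}" in
    "")     report "$SAMPLE_CAPBND" || : ;;
    --live) m=$(nm_capbnd) && [ -n "$m" ] || { echo "NetworkManager not running" >&2; exit 2; }
            report "$m" ;;
    *)      report "$1" ;;
esac
```

After installing the drop-in, `sh capbnd.sh --live` should report CAP_SETPCAP present; the first workaround (USE="-caps -non-root") sidesteps the check entirely because charon then never tries to drop capabilities.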
maybe you can do this? REQUIRED_USE="networkmanager? ( !caps !non-root )"