Bug 732708 - net-vpn/strongswan charon program complains about missing caps (net-misc/networkmanager needs CAP_SETPCAP?)
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Dennis Eisele
URL: https://gitlab.freedesktop.org/Networ...
Keywords: PATCH, PullRequest
Reported: 2020-07-15 07:39 UTC by Michael Jones
Modified: 2023-10-11 08:16 UTC (History)
Runtime testing required: ---


Attachments
Network Manager Working (networkmanager-working.log, 20.78 KB, text/x-log), 2020-08-12 18:10 UTC, Michael Jones
ppp-options working (ppp-options, 306 bytes, text/plain), 2020-08-12 18:12 UTC, Michael Jones
ipsec.conf working (ipsec.conf, 538 bytes, text/plain), 2020-08-12 18:12 UTC, Michael Jones
xl2tpd.conf working (xl2tpd.conf, 222 bytes, text/plain), 2020-08-12 18:13 UTC, Michael Jones
network manager log - not working (networkmanager-notworking.log, 5.68 KB, text/x-log), 2020-08-12 18:29 UTC, Michael Jones
ppp-options not-working (ppp-options, 306 bytes, text/plain), 2020-08-12 18:31 UTC, Michael Jones
xl2tpd.conf not working (xl2tpd.conf, 222 bytes, text/plain), 2020-08-12 18:33 UTC, Michael Jones
ipsec.conf not working (ipsec.conf, 538 bytes, text/plain), 2020-08-12 18:33 UTC, Michael Jones
Temporary fix (override.conf, 43 bytes, text/plain), 2021-12-29 08:30 UTC, Stijn Tintel

Description Michael Jones 2020-07-15 07:39:14 UTC
Jul 15 02:34:29 aegir NetworkManager[323]: <info>  [1594798469.6496] audit: op="connection-activate" uuid="97b7a32d-1bee-4036-892d-ad17aaa5b06b" name="VPN connection 1" pid=492 uid=1101106 result="success"
Jul 15 02:34:29 aegir NetworkManager[323]: <info>  [1594798469.6519] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: Started the VPN service, PID 64624
Jul 15 02:34:29 aegir NetworkManager[64640]: Stopping strongSwan IPsec failed: starter is not running
Jul 15 02:34:29 aegir NetworkManager[323]: <info>  [1594798469.6593] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: Saw the service appear; activating connection
Jul 15 02:34:29 aegir NetworkManager[323]: <info>  [1594798469.6964] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN connection: (ConnectInteractive) reply received
Jul 15 02:34:29 aegir nm-l2tp-service[64624]: Check port 1701
Jul 15 02:34:31 aegir NetworkManager[64637]: Starting strongSwan 5.8.4 IPsec [starter]...
Jul 15 02:34:31 aegir NetworkManager[64637]: Loading config setup
Jul 15 02:34:31 aegir NetworkManager[64637]: Loading conn '97b7a32d-1bee-4036-892d-ad17aaa5b06b'
Jul 15 02:34:31 aegir ipsec_starter[64637]: Starting strongSwan 5.8.4 IPsec [starter]...
Jul 15 02:34:31 aegir ipsec_starter[64637]: Loading config setup
Jul 15 02:34:31 aegir ipsec_starter[64637]: Loading conn '97b7a32d-1bee-4036-892d-ad17aaa5b06b'
Jul 15 02:34:31 aegir ipsec_starter[64646]: Attempting to start charon...
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.4.38-gentoo, x86_64)
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.lkp' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.lkp' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] unable to create IPv4 routing table rule
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] unable to create IPv6 routing table rule
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jul 15 02:34:31 aegir charon[64647]: 00[CFG]   loaded IKE secret for %any
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.ctl' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.ctl' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.vici' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.vici' failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[CFG] no threshold configured for systime-fix, disabled
Jul 15 02:34:31 aegir charon[64647]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown xauth-generic xauth-pam lookip led unity counters
Jul 15 02:34:31 aegir charon[64647]: 00[LIB] dropping capabilities failed: Operation not permitted
Jul 15 02:34:31 aegir charon[64647]: 00[DMN] capability dropping failed - aborting charon
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Operation not permitted (1)
Jul 15 02:34:31 aegir charon[64647]: 00[KNL] received netlink error: Operation not permitted (1)
Jul 15 02:34:31 aegir ipsec_starter[64646]: child 64647 (charon) has quit (exit code 66)
Jul 15 02:34:31 aegir ipsec_starter[64646]:
Jul 15 02:34:31 aegir ipsec_starter[64646]: charon has quit: initialization failed
Jul 15 02:34:31 aegir ipsec_starter[64646]: charon refused to be started
Jul 15 02:34:31 aegir ipsec_starter[64646]: ipsec starter stopped
Jul 15 02:34:37 aegir NetworkManager[64669]: Stopping strongSwan IPsec failed: starter is not running
Jul 15 02:34:37 aegir nm-l2tp-service[64624]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jul 15 02:34:37 aegir NetworkManager[323]: <info>  [1594798477.0600] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN plugin: state changed: stopped (6)
Jul 15 02:34:37 aegir NetworkManager[323]: <info>  [1594798477.0610] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN service disappeared
Jul 15 02:34:37 aegir NetworkManager[323]: <warn>  [1594798477.0616] vpn-connection[0x55b1338e2590,97b7a32d-1bee-4036-892d-ad17aaa5b06b,"VPN connection 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'


Reproducible: Always
Comment 1 Jonas Stein gentoo-dev 2020-07-19 18:45:30 UTC
It is sad to read that you have problems with the software. The situation seems to be a bit more complicated and requires some analysis.
First, I suggest recompiling the package and its dependencies.
We cannot help you efficiently via the bug tracker. The bug tracker aims rather at specific problems in ebuilds and less at individual systems.

I have had very good experience on the Gentoo IRC [1] with questions like this. Of course there are also forums and mailing lists [2,3].
I hope you understand that I will therefore close the bug here, and wish you good luck on one of the mentioned channels [4].
Please reopen the ticket in order to provide an indication of a specific error in an ebuild or any Gentoo-related product.

[1] https://www.gentoo.org/get-involved/irc-channels/
[2] https://forums.gentoo.org/
[3] https://www.gentoo.org/get-involved/mailing-lists/all-lists.html
[4] https://www.gentoo.org/support/
Comment 2 Michael Jones 2020-07-19 19:24:52 UTC
I don't see how there could be any misunderstanding that this is a bug in the strongswan package.


It says right here what the problem is:

Jul 15 02:34:31 aegir charon[64647]: 00[NET] cannot change ownership of socket 'unix:///run/charon.lkp' without CAP_CHOWN capability. socket directory should be accessible to UID/GID under which the daemon will run
Jul 15 02:34:31 aegir charon[64647]: 00[NET] changing socket group for 'unix:///run/charon.lkp' failed: Operation not permitted

Has the "caps" USE flag actually been tested? It's clearly not working correctly.

Recompiling the net-vpn/strongswan package with

USE: -caps -non-root

fixes the problem.

aegir ~ # emerge --info strongswan
Portage 2.3.99 (python 3.7.8-final-0, default/linux/amd64/17.1, gcc-9.3.0, glibc-2.30-r8, 5.4.48-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.4.48-gentoo-x86_64-Intel-R-_Core-TM-_i7-4810MQ_CPU_@_2.80GHz-with-gentoo-2.6
KiB Mem:    16353332 total,   2280304 free
KiB Swap:    4196348 total,   4163068 free
Timestamp of repository gentoo: Thu, 16 Jul 2020 21:05:21 +0000
Head commit of repository gentoo: a0d48759a01ab416257407b80693d3676d3ef496

Head commit of repository jonesmz-public-overlay: f2a4eeea473f94bf0045e49ca098cd36b44b2bf3

Head commit of repository lto-overlay: fba07541149bd9209e47ccf6a6492201be39661d

Head commit of repository mv: 24e3dc27561563e3335e8a0911608e6e1c8950a4

Head commit of repository steam-overlay: b8fc2697aadc252bcd8c229ef24db59fd67728f4

sh bash 5.0_p17
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
distcc 3.3.3 x86_64-pc-linux-gnu [disabled]
ccache version 3.7.9 [disabled]
app-shells/bash:          5.0_p17::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          2.7.18::gentoo, 3.6.11-r2::lto-overlay, 3.7.8-r2::lto-overlay, 3.8.3-r1::gentoo
dev-util/ccache:          3.7.9::gentoo
dev-util/cmake:           3.16.5::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.33.1-r1::gentoo
sys-devel/gcc:            9.3.0-r1::gentoo
sys-devel/gcc-config:     2.3::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 5.4-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.30-r8::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: git://anongit.gentoo.org/repo/sync/gentoo.git
    priority: -1000

jonesmz-public-overlay
    location: /usr/portage-overlays/jonesmz-public-overlay
    sync-type: git
    sync-uri: https://github.com/jonesmz/gentoo-overlay.git
    masters: gentoo

lto-overlay
    location: /usr/portage-overlays/lto-overlay
    sync-type: git
    sync-uri: https://github.com/InBetweenNames/gentooLTO.git
    masters: gentoo mv

mv
    location: /usr/portage-overlays/mv
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/user/mv.git
    masters: gentoo

steam-overlay
    location: /usr/portage-overlays/steam-overlay
    sync-type: git
    sync-uri: https://github.com/anyc/steam-overlay.git
    masters: gentoo
    priority: 50

Installed sets: @archive, @desktop-applications, @esteam, @lxqt, @pc-base-system, @portage, @vcs, @virt-client
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS=" --jobs --keep-going --newuse --changed-deps --deep --tree --backtrack=3000 --complete-graph --with-bdeps=y --binpkg-respect-use=y --binpkg-changed-deps=y --changed-slot=y --usepkg=y"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg clean-logs compress-build-logs compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage-packages"
PORTAGE_COMPRESS="xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 branding bzip2 cairo cdda cdr clang crypt dbus dri dts dvd dvdr egl emboss encode exif flac gif glamor gles2 gnome-keyring gpm gstreamer gtk gtk3 hardened iconv icu ipv6 jpeg lcms libnotify libtirpc mad mp3 mp4 mpeg multilib ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf pie png policykit ppds pulseaudio qt5 readline samba sdl seccomp sound spell split-usr ssl ssp startup-notification svg systemd theora threads tiff truetype udev udisks unicode upower usb vaapi vorbis wayland widevine wifi x264 xattr xcb xinerama xml xtpax xv xvid zeroconf zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="coreboot efi-64 emu qemu pc" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" 
PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python2_7 python3_7" QEMU_SOFTMMU_TARGETS="arm aarch64 x86_64" QEMU_USER_TARGETS="arm aarch64 x86_64" RUBY_TARGETS="ruby25" USERLAND="GNU" VIDEO_CARDS="vesa modesetting intel i965 radeon radeonsi amdgpu" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-vpn/strongswan-5.8.4::gentoo was built with the following:
USE="constraints gmp networkmanager openssl pam strongswan_plugins_led strongswan_plugins_lookip strongswan_plugins_systime-fix strongswan_plugins_unity strongswan_plugins_vici systemd -caps -curl -debug -dhcp -eap -farp -gcrypt -ldap -mysql -non-root -pkcs11 (-selinux) -sqlite -strongswan_plugins_aesni -strongswan_plugins_blowfish -strongswan_plugins_ccm -strongswan_plugins_chapoly -strongswan_plugins_ctr -strongswan_plugins_forecast -strongswan_plugins_gcm -strongswan_plugins_ha -strongswan_plugins_ipseckey -strongswan_plugins_newhope -strongswan_plugins_ntru (-strongswan_plugins_padlock) -strongswan_plugins_rdrand -strongswan_plugins_save-keys -strongswan_plugins_unbound -strongswan_plugins_whitelist" ABI_X86="(64)"
CFLAGS="-O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects -Wl,-O1 -Wl,--as-needed"
CXXFLAGS="-O2 -pipe -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects -Wl,-O1 -Wl,--as-needed"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O3 -fgraphite-identity -floop-nest-optimize -fdevirtualize-at-ltrans -fipa-pta -fno-semantic-interposition -flto=1 -fuse-linker-plugin -march=x86-64 -mtune=generic -O2 -pipe -ffat-lto-objects"
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-11 17:23:53 UTC
You are probably mixing USE=caps expectation with USE=filecaps expectation known from other packages (note: strongswan has no USE=filecaps).

Anyway, I am unable to reproduce. Please provide strongswan config to trigger this.
Comment 4 Michael Jones 2020-08-12 18:10:40 UTC
Created attachment 654354 [details]
Network Manager Working

A log from systemd-journald where NetworkManager successfully connects to the L2TP VPN of a Ubiquiti 4-port UniFi Security Gateway
Comment 5 Michael Jones 2020-08-12 18:12:11 UTC
Created attachment 654356 [details]
ppp-options working

ppp-options file from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Comment 6 Michael Jones 2020-08-12 18:12:45 UTC
Created attachment 654358 [details]
ipsec.conf working

ipsec.conf from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Comment 7 Michael Jones 2020-08-12 18:13:25 UTC
Created attachment 654360 [details]
xl2tpd.conf working

xl2tpd.conf from /var/run/nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d when successfully connected
Comment 8 Michael Jones 2020-08-12 18:29:34 UTC
Created attachment 654368 [details]
network manager log - not working

systemd-journald log when net-vpn/strongswan is compiled with USE="caps non-root"

Doesn't work.
Comment 9 Michael Jones 2020-08-12 18:31:11 UTC
Created attachment 654370 [details]
ppp-options not-working
Comment 10 Michael Jones 2020-08-12 18:33:04 UTC
Created attachment 654372 [details]
xl2tpd.conf not working
Comment 11 Michael Jones 2020-08-12 18:33:23 UTC
Created attachment 654374 [details]
ipsec.conf not working
Comment 12 Michael Jones 2020-08-12 18:34:39 UTC
In the non-working case, this is the contents of /run/

aegir /run # ls -lah
total 24K
drwxr-xr-x 24 root  root   660 Aug 12 13:33 .
drwxr-xr-x  1 root  root   226 Mar 17 04:50 ..
drwxr-xr-x  2 avahi avahi   80 Aug 10 21:17 avahi-daemon
drwxr-xr-x  2 root  root    60 Aug 10 21:17 blkid
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.ctl
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.lkp
srwxrwx---  1 root  root     0 Aug 12 13:25 charon.vici
drwx------  2 root  root    40 Aug 10 21:17 cryptsetup
drwxr-xr-x  2 root  root    40 Aug 10 21:17 ctdb
drwxr-xr-x  2 root  root    60 Aug 10 21:17 dbus
-rw-r--r--  1 root  root     6 Aug 12 13:20 dhclient6-wlp3s0.pid
-rw-r--r--  1 root  root     6 Aug 12 04:47 dhclient-wlp3s0.pid
-rw-r--r--  1 root  root     4 Aug 10 21:17 gpm.pid
prw-------  1 root  root     0 Aug 10 21:17 initctl
drwxr-xr-x  3 root  root    60 Aug 10 21:17 libvirt
drwxrwxr-x  5 root  uucp   100 Aug 10 21:17 lock
drwxr-xr-x  3 root  root    60 Aug 10 21:17 log
drwx------  2 root  root    40 Aug 10 21:17 lvm
drwxr-xr-x  2 root  root    40 Aug 10 21:17 media
drwxr-xr-x  2 root  root    40 Aug 10 21:17 mount
drwxr-xr-x  3 root  root   120 Aug 12 13:24 NetworkManager
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-client
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-server
-rw-r--r--  1 root  root  8.0K Aug 12 12:59 pppd2.tdb
drwxr-xr-x  3 root  root    80 Aug 10 21:17 samba
drwxr-xr-x  2 root  root    60 Aug 10 21:17 sddm
drwx--x--x  3 root  root    60 Aug 10 21:17 sudo
drwxr-xr-x 20 root  root   480 Aug 10 21:17 systemd
drwxr-xr-x  7 root  root   160 Aug 12 13:24 udev
drwx------  2 root  root    40 Aug 10 21:17 udisks2
drwxr-xr-x  3 root  root    60 Aug 10 21:18 user
-rw-rw-r--  1 root  utmp  1.2K Aug 10 21:17 utmp
drwxr-xr-x  2 root  root    40 Aug 10 21:17 xl2tpd
Comment 13 Michael Jones 2020-08-12 18:47:27 UTC
I don't see much of a difference when I have USE="-caps -non-root"

total 36K
drwxr-xr-x 25 root  root   740 Aug 12 13:46 .
drwxr-xr-x  1 root  root   226 Mar 17 04:50 ..
drwxr-xr-x  2 avahi avahi   80 Aug 10 21:17 avahi-daemon
drwxr-xr-x  2 root  root    60 Aug 10 21:17 blkid
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.ctl
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.lkp
-rw-r--r--  1 root  root     7 Aug 12 13:46 charon.pid
srwxrwx---  1 root  root     0 Aug 12 13:46 charon.vici
drwx------  2 root  root    40 Aug 10 21:17 cryptsetup
drwxr-xr-x  2 root  root    40 Aug 10 21:17 ctdb
drwxr-xr-x  2 root  root    60 Aug 10 21:17 dbus
-rw-r--r--  1 root  root     6 Aug 12 13:20 dhclient6-wlp3s0.pid
-rw-r--r--  1 root  root     6 Aug 12 04:47 dhclient-wlp3s0.pid
-rw-r--r--  1 root  root     4 Aug 10 21:17 gpm.pid
prw-------  1 root  root     0 Aug 10 21:17 initctl
drwxr-xr-x  3 root  root    60 Aug 10 21:17 libvirt
drwxrwxr-x  5 root  uucp   100 Aug 10 21:17 lock
drwxr-xr-x  3 root  root    60 Aug 10 21:17 log
drwx------  2 root  root    40 Aug 10 21:17 lvm
drwxr-xr-x  2 root  root    40 Aug 10 21:17 media
drwxr-xr-x  2 root  root    40 Aug 10 21:17 mount
drwxr-xr-x  3 root  root   120 Aug 12 13:46 NetworkManager
drwx------  2 root  root   140 Aug 12 13:46 nm-l2tp-0636cd9c-e1a6-441d-b336-6943f8b2ab0d
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-client
drwx--x---  2 root  root    40 Aug 10 21:17 openvpn-server
-rw-r--r--  1 root  root     7 Aug 12 13:46 ppp0.pid
-rw-r--r--  1 root  root  8.0K Aug 12 12:59 pppd2.tdb
drwxr-xr-x  3 root  root    80 Aug 10 21:17 samba
drwxr-xr-x  2 root  root    60 Aug 10 21:17 sddm
-rw-r--r--  1 root  root     7 Aug 12 13:46 starter.charon.pid
drwx--x--x  3 root  root    60 Aug 10 21:17 sudo
drwxr-xr-x 20 root  root   480 Aug 10 21:17 systemd
drwxr-xr-x  7 root  root   160 Aug 12 13:46 udev
drwx------  2 root  root    40 Aug 10 21:17 udisks2
drwxr-xr-x  3 root  root    60 Aug 10 21:18 user
-rw-rw-r--  1 root  utmp  1.2K Aug 10 21:17 utmp
drwxr-xr-x  2 root  root    40 Aug 10 21:17 xl2tpd
Comment 14 Michael Jones 2020-08-12 18:49:06 UTC
What other information do you need?

I'm not trying to understand what "caps" or "non-root" do. So I'm not confusing "caps" with "filecaps". I'm simply pointing out that at least on my system, if I compile with USE="caps non-root", it doesn't let me connect to the VPN, claiming it doesn't have the CAP_CHOWN capability. If I compile with USE="-caps -non-root", it works without problem.
Comment 15 goeland86 2020-12-04 22:05:07 UTC
@Michael Jones - did you ever resolve this?

I ran into exactly the same issue you had regarding caps/non-root USE.

Now, after passing that hurdle, I'm trying to understand why, when compiling strongswan with USE="-non-root -caps" the syslog shows me this:

charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Comment 16 Penguin-Guru 2021-02-28 01:07:14 UTC
If it helps, I just started having (I believe) the same issue about two days ago. At least a couple of times every hour, my V.P.N. stops routing traffic until I restart the whole service. No idea why this just started a couple of days ago. I hadn't updated or changed anything for at least a week prior to that. I was working on a script that managed some basic initialisation, but I don't think there's any way that could be the cause.

In the interest of not posting a huge log, here are the highlights of one instance:

1: V.P.N. connection is established.

2: Peer supports MOBIKE.

3: Sends a "keep alive" about once every 20-40 seconds for about 18 minutes.

4:
     4.1: Sends DPD request.
     4.2: Generates INFORMATIONAL request.
     4.3: Sends packet.
     4.4: Receives packet.
     4.5: Parses INFORMATIONAL response.

Those 4.* events seem to repeat indefinitely, but `ipsec status` shows the connection is established and I can ping the server's non-V.P.N. address normally (but nothing through the V.P.N.).

I'm on version U5.9.1/K5.4.80-gentoo-r1.
Comment 17 ddeflyer 2021-12-04 01:52:10 UTC
I've also hit this issue, basically a clean new install of the KDE Plasma desktop. It appears that the starter and charon processes are inheriting the capabilities of the NetworkManager process (0x00000000200534e2=cap_dac_override,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write), which is abandoning required capabilities long before reaching strongswan.


I don't know if this is a strongswan issue or a NM issue (I don't know what is expected from the parent process in terms of kernel capabilities; I'm guessing that without non-root there is a sticky gid being set somewhere). Please let me know what information is helpful for debugging/directing this.
Comment 18 Stijn Tintel 2021-12-28 23:49:36 UTC
Also having this issue. It can be solved by adding CAP_SETPCAP to CapabilityBoundingSet in the NetworkManager.service systemd unit.
Comment 19 Stijn Tintel 2021-12-29 00:18:19 UTC
Submitted fix upstream: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1053
Comment 20 Stijn Tintel 2021-12-29 08:07:21 UTC
Upstream doesn't want to add the extra capability.

Opinions on the suggested alternative of having the plugin install a systemd override file?
Comment 21 Stijn Tintel 2021-12-29 08:30:31 UTC
Created attachment 760703 [details]
Temporary fix

Save this file as /etc/systemd/system/NetworkManager.service.d/override.conf and run "systemctl daemon-reload; systemctl restart NetworkManager.service" for a temporary fix while we decide how to move forward.
Comment 22 Florian Schmaus gentoo-dev 2022-07-12 10:15:21 UTC
This is not really a Gentoo bug, but something both upstreams, i.e., strongswan and NetworkManager, have to figure out. For now, there appear to be two solutions:

1. Emerge strongswan with USE="-caps -non-root"
2. Override NetworkManager.service with CapabilityBoundingSet=CAP_SETPCAP (see https://bugs.gentoo.org/732708#c21)
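The capability mask ddeflyer quotes in comment 17 and the CAP_SETPCAP override from comments 18 and 21 can be checked rather than guessed at: the decoder below is an added example, not code from this bug, from strongswan or from NetworkManager. It assumes the bit numbering of linux/capability.h, uses the mask from comment 17 as its sample input, and only reads /proc for the live comparison at the end; the function names are ours.

```sh
#!/bin/sh
# Added example (not code from the bug, strongswan or NetworkManager):
# decode the hex capability masks that /proc/<pid>/status reports (CapBnd,
# CapEff, ...) and check individual capabilities by name.
# Bit numbers follow linux/capability.h; CAP_NAMES is listed in bit order.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_norm MASK: ensure a 0x prefix (procfs prints the mask without one).
cap_norm() {
    case "$1" in
        0x*|0X*) printf '%s\n' "$1" ;;
        *)       printf '0x%s\n' "$1" ;;
    esac
}

# cap_bit NAME: print the bit number of capability NAME (without cap_),
# exit status 1 if the name is unknown.
cap_bit() {
    b_i=0
    for b_n in $CAP_NAMES; do
        if [ "$b_n" = "$1" ]; then
            printf '%s\n' "$b_i"
            return 0
        fi
        b_i=$((b_i + 1))
    done
    return 1
}

# cap_decode MASK: print the cap_* names set in MASK, comma separated,
# lowest bit first (the order capsh --decode and comment 17 use).
cap_decode() {
    d_m=$(( $(cap_norm "$1") ))
    d_i=0
    d_out=""
    for d_n in $CAP_NAMES; do
        if [ $(( (d_m >> d_i) & 1 )) -eq 1 ]; then
            d_out="${d_out:+$d_out,}cap_$d_n"
        fi
        d_i=$((d_i + 1))
    done
    printf '%s\n' "$d_out"
}

# cap_has MASK NAME: succeed if NAME is set in MASK (status 2: unknown name).
cap_has() {
    h_b=$(cap_bit "$2") || return 2
    h_m=$(( $(cap_norm "$1") ))
    [ $(( (h_m >> h_b) & 1 )) -eq 1 ]
}

# cap_missing MASK NAME...: print the listed names that MASK does not contain.
cap_missing() {
    mm_m=$1
    shift
    mm_out=""
    for mm_n in "$@"; do
        cap_has "$mm_m" "$mm_n" || mm_out="${mm_out:+$mm_out }$mm_n"
    done
    printf '%s\n' "$mm_out"
}

# proc_capbnd PID: print the CapBnd mask of a running process (Linux procfs).
proc_capbnd() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# Bounding set of the NetworkManager process as quoted in comment 17.
NM_CAPBND=00000000200534e2
echo "NetworkManager CapBnd: $(cap_decode "$NM_CAPBND")"
# charon cannot chown its sockets and cannot drop capabilities: neither
# CAP_CHOWN nor CAP_SETPCAP is in the set a child of NetworkManager inherits.
echo "absent from the inherited bounding set: $(cap_missing "$NM_CAPBND" chown setpcap net_admin)"
# On a live Linux system, compare with the bounding set of this shell.
if [ -r /proc/self/status ] && [ -n "$(proc_capbnd self)" ]; then
    echo "this shell's CapBnd: $(cap_decode "$(proc_capbnd self)")"
fi
```

Running it against the PID of a live NetworkManager (`proc_capbnd <pid>`) before and after installing the override drop-in shows whether CAP_SETPCAP actually reached the bounding set that charon inherits.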
Comment 23 wkg 2023-10-11 08:16:02 UTC
Maybe you can do this?

REQUIRED_USE="networkmanager? ( !caps !non-root )"