Requesting Help and Reporting Bugs » History » Version 28

Noel Kuntze, 17.03.2021 02:58
%% -> %

{{title(Requesting Help and Reporting Bugs)}}

{{>toc}}

h1. Requesting Help and Reporting Bugs

Before you request help or report a bug, please consider the following points. They save your time and ours and shorten the time it takes to find a solution.

If you are **new to strongSwan**, please read [[IntroductionTostrongSwan|the introduction]].

If you look for **help regarding configuration**, base your configuration on [[UsableExamples|the usable examples]] first to avoid generic problems.

If you have problems with **traffic not reaching hosts via the VPN**, read the documentation on [[ForwardingAndSplitTunneling|forwarding traffic, split tunneling and MTU/MSS issues]].

If you are **reporting a security issue**, follow [[FlawReporting|the dedicated security flaw reporting instructions]] rather than the public channels described below.

If you need help with **configuring special features of strongSwan**, look at [[UserDocumentation#HOWTOs|the how-tos for those features]] first.

h2. Finding solutions for your problems effectively and efficiently

For other problems please follow these steps:

# Read the [[FAQ|Frequently Asked Questions (FAQ)]].
# Read the manuals, i.e. the man pages that come with *your* version of strongSwan.
  Make sure the man page belongs to strongSwan and not to FreeS/WAN, Openswan or Libreswan. The name of the software a man page belongs to is usually printed in the center of the top line when the man page is opened.
# Make sure you put the files into the right directories. On distributions that stem from RHEL, the strongSwan configuration files are under @/etc/strongswan@ rather than directly under @/etc@.
# If charon crashes, [[FAQ#strongSwan-crashes|try these things first]].
# Make sure your version is up to date. Many actual bugs (as opposed to user errors) are fixed in newer versions of strongSwan.
# Search the bug tracker using the "search function":https://wiki.strongswan.org/projects/strongswan/search for keywords from the logs or keywords that describe your issue. Make sure the search includes issues.
# Search the "mailing list archives":https://www.strongswan.org/support.html. You may also use your favorite search engine and restrict the results to lists.strongswan.org (usually the syntax is @site:lists.strongswan.org@).
# Now you may ask for help. Please write issues and emails to the mailing lists in English only; do not write your messages in any other language.
  Attach your complete configuration files (ipsec.conf, strongswan.conf, swanctl.conf etc.) and a complete log file showing the problem.
  Supply text files; pictures are not useful. If the files are large (over 1 MB), use a pastebin of your choice or host them somewhere yourself. If you are told to provide the data in the strongSwan IRC channel, use a pastebin and post links to your pastes. Use separate pastes for different data.

  We generally require *all* of the following from you:

* The *complete log* from daemon start to the point where the problem occurs
* The *complete configuration* (ipsec.conf or swanctl.conf, depending on which configuration backend you are using, plus strongswan.conf)
* The *complete current status* of the daemon (@ipsec statusall@, or @swanctl -L@ and @swanctl -l@)
* The *complete firewall rules* (output of *@iptables-save@ and @ip6tables-save@* on Linux; analogously on other operating systems using the corresponding command(s))
* The *complete contents of all routing tables* (output of @ip route show table all@ on Linux; analogously on other operating systems)
* The *complete overview of all IP addresses* (output of @ip address@ on Linux; analogously on other operating systems)

  Redact secrets before you post any of this: the *secrets* section of swanctl.conf and the whole of ipsec.secrets contain pre-shared keys, EAP passwords and private key passphrases that nobody needs to diagnose your problem.

When you create a log file, *use the [[LoggerConfiguration|log settings]] from [[HelpRequests#Configuration-snippets|the bottom of the page]], unless we tell you otherwise.*

If you (or your distribution) use a Linux Security Module (LSM) like AppArmor, SELinux, YAMA or TOMOYO, you need to allow the IKE daemon (charon, charon-systemd etc.) to create and write to that log file first, or disable the LSM for the duration of the debugging. Allowing the daemon to create and write the file is clearly preferred.
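The following script collects exactly the list above into one directory and redacts secrets on the way. It is an added example, not part of the strongSwan project: it assumes Linux with iproute2 and iptables (nftables is queried as well in case the firewall lives there), and it looks in both the Debian-style (@/etc@, @/etc/swanctl@) and RHEL-style (@/etc/strongswan@) locations. The log file path is the one from the filelog snippets at the bottom of this page.

```shell
#!/bin/sh
# collect-diag.sh: gather the items strongSwan support asks for into one
# directory and blank out secrets before the bundle leaves the machine.
# Added example, not part of strongSwan. Assumes Linux with iproute2 and
# iptables/nftables; the config paths cover /etc and /etc/strongswan layouts.
set -eu

# Blank out secret values in configuration text read from stdin:
#  - `secret = ...` lines in swanctl.conf secrets sections
#  - `... : PSK|EAP|XAUTH|NTLM "..."` lines in ipsec.secrets
# File names on `: RSA file.pem` lines are kept; a file name is not a secret.
redact_secrets() {
    sed -E \
        -e 's/^([[:space:]]*secret[[:space:]]*=[[:space:]]*).*$/\1<REDACTED>/' \
        -e 's/^([^#]*:[[:space:]]*(PSK|EAP|XAUTH|NTLM)[[:space:]]+).*$/\1<REDACTED>/'
}

# Copy one config file through redact_secrets if it exists; the copy is
# named after the source path so the bundle shows where it came from.
save_config() {
    f=$1; out=$2
    if [ -r "$f" ]; then
        redact_secrets <"$f" >"$out/$(printf '%s' "$f" | tr / _)"
    fi
}

# Run a command and store its output. A missing tool or a non-zero exit is
# recorded in the output file instead of aborting the whole collection.
save_cmd() {
    out=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out/$name" 2>&1 || echo "exit status $? for: $*" >>"$out/$name"
    else
        echo "$1: not installed" >"$out/$name"
    fi
}

collect_all() {
    out=${1:-strongswan-diag-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$out"
    for f in /etc/ipsec.conf /etc/strongswan.conf /etc/swanctl/swanctl.conf \
             /etc/swanctl/conf.d/*.conf /etc/strongswan/ipsec.conf \
             /etc/strongswan/strongswan.conf /etc/strongswan/swanctl/swanctl.conf \
             /etc/strongswan/swanctl/conf.d/*.conf; do
        save_config "$f" "$out"
    done
    save_cmd "$out" ipsec-statusall.txt ipsec statusall
    save_cmd "$out" swanctl-L.txt swanctl -L
    save_cmd "$out" swanctl-l.txt swanctl -l
    save_cmd "$out" iptables-save.txt iptables-save
    save_cmd "$out" ip6tables-save.txt ip6tables-save
    save_cmd "$out" nft-ruleset.txt nft list ruleset   # if the firewall is nftables
    save_cmd "$out" ip-route-all.txt ip route show table all
    save_cmd "$out" ip-address.txt ip address
    if [ -r /var/log/charon_debug.log ]; then          # path from the filelog snippet
        cp /var/log/charon_debug.log "$out/"
    fi
    echo "$out"
}

case "${1:-}" in
    collect) collect_all "${2:-}" ;;   # ./collect-diag.sh collect [directory]
    redact)  redact_secrets ;;         # ./collect-diag.sh redact < swanctl.conf
esac
```

Run @collect-diag.sh collect@ as root right after reproducing the problem, then pack the directory it prints. The redaction only covers the configuration files; the log written with the snippets below does not contain keying material as long as you keep the log levels given there.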

h2. Dealing with Linux Security Modules (LSM)

In order for strongSwan to write the log file, the OS has to allow it. If the OS uses an LSM, like CentOS with SELinux or Ubuntu with AppArmor, it is likely that the LSM prevents strongSwan from writing the log file. If that is the case, there is a record of the denial in the audit log (usually @/var/log/audit/audit.log@ or @/var/log/audit.log@; if auditd is not running, the denial is printed to the kernel log instead, see @dmesg@ or @journalctl -k@). Setting the LSM into permissive mode for strongSwan while the log is needed is one of the acceptable ways of allowing it. The following subsections show the commands to do that.

Revert whatever you change here as soon as the log has been collected. The commands differ in how long they last: @aa-teardown@ and writes to @/sys/fs/selinux/enforce@ only apply until the next reboot (or until the policy is loaded again), after which the previously configured mode, for example AppArmor in enforce mode, is active again. @aa-complain@ and @semanage permissive -a@, on the other hand, change the profile or policy on disk and therefore persist across reboots until you undo them with @aa-enforce@ or @semanage permissive -d@.

h3. AppArmor

The information about AppArmor was taken from "the article about AppArmor":https://help.ubuntu.com/community/AppArmor on https://help.ubuntu.com.

h4. Check if AppArmor is active

Run at least one of the following commands with root privileges to determine if AppArmor is active:

@aa-status@ or @aa-enabled@

h4. Set complain mode for strongSwan temporarily

@aa-complain <path to charon/charon-systemd binary>@

Example: @aa-complain /usr/lib/ipsec/charon@

The command has to be executed with root privileges. You can find out what the path is by either checking @ps aux@ or, if strongSwan isn't running, by examining the contents of the packages that provide strongSwan on the system. Complain mode logs what would have been denied but no longer blocks it. Switch the profile back with @aa-enforce <same path>@ when you are done: @aa-complain@ writes the flag into the profile file, so the relaxed mode would otherwise survive a reboot.

h4. Disable AppArmor globally temporarily

@aa-teardown@

The command has to be executed with root privileges. It unloads all profiles until the AppArmor service loads them again (at the latest on the next boot). Whether it is available on distributions other than Arch Linux has not been verified here.

h3. SELinux

The information about SELinux was taken from "the article about SELinux":https://wiki.archlinux.org/index.php/SELinux on the "ArchWiki":https://wiki.archlinux.org/.

h4. Check if SELinux is active

@sestatus@

It prints whether SELinux is enabled and whether the current mode is enforcing or permissive.

h4. Set permissive mode for strongSwan temporarily

@semanage permissive -a <domain of the strongSwan process>@

Example: @semanage permissive -a strongswan_t@

The command has to be executed with root privileges. You can find out what the domain is by either checking @ps auxZ@ (the domain is the third colon-separated field of the context; on Fedora/RHEL policies charon typically runs as @ipsec_t@) or, if strongSwan isn't running, by examining the contents of the packages that provide strongSwan on the system. The permissive domain is stored as a policy module and persists across reboots; remove it with @semanage permissive -d <domain>@ once you have the log.

h4. Set permissive mode globally temporarily

@echo 0 > /sys/fs/selinux/enforce@ (equivalent to @setenforce 0@)

h4. Set enforce mode globally temporarily

@echo 1 > /sys/fs/selinux/enforce@ (equivalent to @setenforce 1@)

Both only last until the next reboot; the persistent mode is the @SELINUX=@ line in @/etc/selinux/config@.

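The script below automates the check described in this section: it reads audit records (from @/var/log/audit/audit.log@, @dmesg@ or @journalctl -k@), keeps only denials for the IKE daemon, and prints the matching temporary remediation from the subsections above. It is an added example and not part of strongSwan or of the referenced articles. The embedded sample lines are constructed; in particular the SELinux domain @ipsec_t@ in the sample is an assumption about your distribution's policy, so take the real domain from @ps auxZ@ on your system.

```shell
#!/bin/sh
# lsm-denials.sh: find LSM denials that stop the IKE daemon from writing its
# log file and print the temporary fix from the page above.
# Added example, not part of strongSwan. Assumes the audit record formats
# of AppArmor (apparmor="DENIED") and SELinux (avc: denied).
set -eu

# Classify one audit record. Prints one of
#   apparmor <profile> <file>   AppArmor denied the profile access to <file>
#   selinux <domain> <file>     SELinux denied the source domain access to <file>
# and nothing for records that are not denials for charon/charon-systemd etc.
classify_denial() {
    line=$1
    case "$line" in
        *'comm="charon'*) ;;        # charon, charon-systemd, charon-nm, ...
        *) return 0 ;;
    esac
    case "$line" in
        *'apparmor="DENIED"'*)
            profile=$(printf '%s\n' "$line" | sed -n 's/.*profile="\([^"]*\)".*/\1/p')
            file=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
            printf 'apparmor %s %s\n' "$profile" "$file" ;;
        *'avc:  denied'*|*'avc: denied'*)
            # scontext=user:role:TYPE:level -> TYPE is the process domain
            domain=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
            file=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
            printf 'selinux %s %s\n' "$domain" "$file" ;;
    esac
}

# Print the temporary remediation for a classified denial, with the undo
# command, because both changes persist across reboots.
suggest_fix() {
    kind=$1; subject=$2; file=$3
    case "$kind" in
        apparmor) printf 'aa-complain %s   # %s was denied on %s; undo: aa-enforce %s\n' \
                      "$subject" "$subject" "$file" "$subject" ;;
        selinux)  printf 'semanage permissive -a %s   # %s was denied on %s; undo: semanage permissive -d %s\n' \
                      "$subject" "$subject" "$file" "$subject" ;;
    esac
}

# Scan audit records from stdin and emit one fix per distinct denial.
# (File names with spaces are not expected in audit records here.)
scan_audit() {
    while IFS= read -r line; do
        result=$(classify_denial "$line")
        [ -n "$result" ] || continue
        set -- $result
        suggest_fix "$1" "$2" "$3"
    done | sort -u
}

# Constructed sample records: one AppArmor denial, one SELinux denial for
# charon, and one unrelated SELinux denial that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1616000000.123:456): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon_debug.log" pid=1234 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1616000000.456:789): avc:  denied  { write } for  pid=1234 comm="charon" name="charon_debug.log" dev="dm-0" ino=12345 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1616000001.000:790): avc:  denied  { read } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | scan_audit
elif [ -n "${1:-}" ]; then
    scan_audit <"$1"                 # e.g. ./lsm-denials.sh /var/log/audit/audit.log
fi
```

Without auditd the same records appear in the kernel log, so @dmesg | ./lsm-denials.sh /dev/stdin@ (or @journalctl -k@) works as input too. The script only reports denials whose @comm@ starts with @charon@; if your daemon binary has another name, adjust the first @case@.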
h2. Configuration snippets

IMPORTANT: On Windows, do not use a path under /var/log/... or /tmp/. Use, for example, just @charon.log@, which creates the file in the working directory of the process (if it is allowed to do so).

Keep the log levels as given below. Level 2 is verbose enough for nearly all problems; level 3 dumps raw packets and level 4 additionally includes sensitive material such as private keys, which must not be posted anywhere.

Use the following snippet for *strongswan < 5.7.0*
<pre>
    filelog {
            /var/log/charon_debug.log {
                    time_format = %a, %Y-%m-%d, %H:%M:%S
                    default = 2
                    mgr = 0
                    net = 1
                    enc = 1
                    asn = 1
                    job = 1
                    ike_name = yes
                    append = no
                    flush_line = yes
            }
    }
</pre>

---

Use the following snippet for *strongswan >= 5.7.0*
<pre>
    filelog {
            # since 5.7.0 the path to the log file has to be specified in a separate setting if it contains dots,
            # use an arbitrary name without dots for the section instead of the one given here
            charon-debug-log {
                    # this setting is required with 5.7.0 and newer if the path contains dots
                    path = /var/log/charon_debug.log
                    time_format = %a, %Y-%m-%d, %H:%M:%S
                    default = 2
                    mgr = 0
                    net = 1
                    enc = 1
                    asn = 1
                    job = 1
                    ike_name = yes
                    append = no
                    flush_line = yes
            }
    }
</pre>