Ipsec
Permission problem with charon-cmd on Ubuntu
I am using charon-cmd to connect to a strongSwan VPN from an Ubuntu host. When I run the command, it gives me some kind of permission error.
```
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12 --identity client@example.com
00[KNL] kernel-libipsec plugin requires CAP_NET_ADMIN capability
00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[KNL] unable to bind XFRM event socket
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 50817 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 50817 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-cmd' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[LIB] failed to load 1 critical plugin feature
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
root@8add2362b05f:~#
```
I am running this inside a Docker container.
I tried setcap, but that made things worse.
```
root@8add2362b05f:~# setcap cap_net_admin,cap_net_raw=eip /usr/sbin/charon-cmd
root@8add2362b05f:~# getcap /usr/sbin/charon-cmd
/usr/sbin/charon-cmd = cap_net_admin,cap_net_raw+eip
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12 --identity client@example.com
sudo: unable to execute /usr/sbin/charon-cmd: Operation not permitted
root@8add2362b05f:~#
```
Any clues on how to solve this?
I think you should run the Docker container with the `--privileged` option. Alternatively, you can use a VM instead of a Docker container.
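Added example, not from the question or answer above: a script that reads the `CapBnd` line of `/proc/self/status` and reports which of the capabilities the charon-cmd log asks for (CAP_NET_ADMIN, bit 12, and CAP_NET_RAW, bit 13, per `<linux/capability.h>`) are absent from the process's bounding set. This is the check that explains both failures in the question: a capability outside the bounding set cannot be obtained by `sudo` inside the container, and file capabilities with the effective bit set (`=eip`) cannot grant it either; in that case the kernel refuses the `execve()` with EPERM, which is the `unable to execute ... Operation not permitted` message. The mask `00000000a80425fb` used in the comments is a constructed sample input corresponding to a stock `docker run` without `--cap-add`; `--cap-add=NET_ADMIN` is the narrower alternative to `--privileged` if the container only needs the IPsec plugins to load.

```shell
#!/bin/bash
# Added example (not the poster's or strongSwan's code): decode the CapBnd
# mask from /proc/self/status and list the capabilities charon-cmd's
# kernel-netlink / kernel-libipsec plugins need that are missing from the
# bounding set. Bit numbers are from <linux/capability.h>:
#   CAP_NET_ADMIN = 12, CAP_NET_RAW = 13
# A capability missing from the bounding set cannot be added from inside
# the container (neither sudo nor setcap helps); it must be granted by the
# runtime, e.g.  docker run --cap-add=NET_ADMIN ...

# cap_in_mask HEXMASK BIT -> succeeds if BIT is set in HEXMASK
# (HEXMASK in the form printed on the Cap* lines of /proc/*/status)
cap_in_mask() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK -> prints required capabilities absent from HEXMASK, one per line
missing_caps() {
    local mask=$1 pair name bit
    for pair in cap_net_admin:12 cap_net_raw:13; do
        name=${pair%%:*}
        bit=${pair##*:}
        cap_in_mask "$mask" "$bit" || echo "$name"
    done
}

# bounding_set_mask -> prints the CapBnd hex mask of the current process
bounding_set_mask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Constructed sample: the default Docker bounding set has cap_net_raw but
# not cap_net_admin, so
#   missing_caps 00000000a80425fb   # prints: cap_net_admin

# Stand-alone run: inspect the process we are running as.
if [ -r /proc/self/status ]; then
    mask=$(bounding_set_mask)
    missing=$(missing_caps "$mask")
    if [ -n "$missing" ]; then
        echo "CapBnd=$mask is missing: $(echo $missing)"
        echo "re-create the container with: docker run --cap-add=NET_ADMIN ..."
    else
        echo "CapBnd=$mask contains everything charon-cmd asks for"
    fi
fi
```

Run it inside the container as the same user that invokes charon-cmd; the `CapBnd` line is per-process and inherited from the runtime, so `sudo` does not change the answer. `--privileged` also works, as the answer says, but it hands the container every capability plus device access, whereas `--cap-add=NET_ADMIN` grants exactly what the plugin load errors name.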