Ipsec

ubuntu 上 charon-cmd 的權限問題

  • February 6, 2020

我正在使用 charon-cmd 連接到 ubuntu 主機上的 strongswan vpn。當我使用該命令時,它給了我某種權限錯誤。

root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12  --identity client@example.com 
00[KNL] kernel-libipsec plugin requires CAP_NET_ADMIN capability
00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[KNL] unable to bind XFRM event socket
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 50817 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 50817 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-cmd' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[LIB] failed to load 1 critical plugin feature
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
root@8add2362b05f:~#

我在 docker 容器上執行此操作。

我嘗試了 setcap 但這使情況變得更糟。

root@8add2362b05f:~# setcap cap_net_admin,cap_net_raw=eip /usr/sbin/charon-cmd 
root@8add2362b05f:~# getcap /usr/sbin/charon-cmd /usr/sbin/charon-cmd = cap_net_admin,cap_net_raw+eip
root@8add2362b05f:~# 
root@8add2362b05f:~# 
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12  --identity client@example.com 
sudo: unable to execute /usr/sbin/charon-cmd: Operation not permitted
root@8add2362b05f:~#

關於如何解決這個問題的任何線索?

我認為您應該使用 –privileged 選項執行 Docker 容器。或者,您可以使用 VM 而不是 Docker 容器。

引用自:https://serverfault.com/questions/839945