I am using charon-cmd to connect to strongswan vpn on a ubuntu host. When I use the command, it gives me some kind of permission error.
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12 --identity [email protected]
00[KNL] kernel-libipsec plugin requires CAP_NET_ADMIN capability
00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[KNL] unable to bind XFRM event socket
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 50817 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 50817 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-cmd' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[LIB] failed to load 1 critical plugin feature
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
root@8add2362b05f:~#
I am doing this on a docker container.
I tried setcap but that made the situation even worse.
root@8add2362b05f:~# setcap cap_net_admin,cap_net_raw=eip /usr/sbin/charon-cmd
root@8add2362b05f:~# getcap /usr/sbin/charon-cmd /usr/sbin/charon-cmd = cap_net_admin,cap_net_raw+eip
root@8add2362b05f:~#
root@8add2362b05f:~#
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12 --identity [email protected]
sudo: unable to execute /usr/sbin/charon-cmd: Operation not permitted
root@8add2362b05f:~#
Any clues on how to solve this?
I think you should run the Docker container with --privileged option. Or you can use a VM instead of a Docker container.