Red Hat Bugzilla – Bug 1301319
VPN (strongswan) only connects when NetworkManager is started in debug mode
Last modified: 2016-03-05 01:22:45 EST
Description of problem:
VPN only connects when NetworkManager is started in debug mode
Version-Release number of selected component (if applicable):
Add a Strongswan VPN (EAP in my case, not sure if it makes a difference) using nm-connection-manager (the 'settings' applet is broken). Starting VPN doesn't work.
systemctl stop NetworkManager
NetworkManager -b (starts nm in debug mode, and not as a daemon)
Now the VPN does connect.
Not sure how I can get more info to provide to more knowledgeable users/developers, but I would be happy to try.
Would you include NetworkManager logs for both the successful and the failing case? You should be able to get the logs using journalctl.
# journalctl -b 0 -u NetworkManager
Created attachment 1118337
Output of journalctl for failed connection
Created attachment 1118338
log for successful connection
Created attachment 1118339
SELinux audit.log, grepped for 'charon-nm'
I looked at the logs and uploaded them here.
For some reason (not sure why; might be connected to my attempts at installing custom policies into SELinux), I couldn't get it working in the debug mode of NetworkManager anymore either.
But it is quite evident from the logs that SELinux is to blame. So, on top of the journalctl logs for NetworkManager, I also included audit.log, grepped for the suspect process 'charon-nm'.
For clarity, the successful connection and the audit.log are acquired after setting SELinux to 'permissive'.
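Added example (not part of the bug report or its attachments): a shell function that condenses the audit.log AVC denials for one process name, such as charon-nm, into one line per source type, target type and permission set, and marks whether each record was logged in enforcing or permissive mode. The sample records are constructed, and the types ipsec_t and home_cert_t are assumptions chosen to match the commit summary in this bug.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one process name.

# Constructed audit records (not from the bug's attachments). The types
# ipsec_t and home_cert_t are assumptions based on the commit summary.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1456000001.101:501): avc:  denied  { read } for  pid=4242 comm="charon-nm" name="client.pem" dev="dm-2" ino=1001 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1456000001.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="charon-nm"
type=AVC msg=audit(1456000100.200:610): avc:  denied  { search } for  pid=4300 comm="charon-nm" name=".cert" dev="dm-2" ino=1000 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1456000100.201:611): avc:  denied  { read open } for  pid=4300 comm="charon-nm" path="/home/user/.cert/client.pem" dev="dm-2" ino=1001 scontext=system_u:system_r:ipsec_t:s0 tcontext=unconfined_u:object_r:home_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1456000200.300:700): avc:  denied  { getattr } for  pid=5000 comm="other-proc" path="/tmp/x" dev="tmpfs" ino=7 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
EOF
}

# avc_summary COMM: read audit records on stdin and print one line per
# distinct denial: "count source_type target_type:class {perms} mode".
# Non-AVC records that merely mention COMM (e.g. SYSCALL) are skipped.
avc_summary() {
    awk -v want="comm=\"$1\"" '
    /avc:[ ]+denied/ && index($0, want) {
        perms = $0
        sub(/^.*[{] /, "", perms); sub(/ [}].*$/, "", perms)
        gsub(/ /, ",", perms)
        mode = "enforcing"   # records without permissive=1 were blocked
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i == "permissive=1") mode = "permissive"
        }
        n[src " " tgt ":" cls " {" perms "} " mode]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort
}

sample_audit_log | avc_summary charon-nm
```

On a live system, run it as root against the real log: `avc_summary charon-nm < /var/log/audit/audit.log`. Lines marked permissive were logged but not enforced, which is why a connection can succeed in permissive mode while audit.log still lists the denials.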
Author: Lukas Vrabec <email@example.com>
Date: Thu Feb 25 17:33:09 2016 +0100
Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.