Gentoo Forums
[solved] strongSwan certificate permissions
relkai
Tux's lil' helper
Joined: 22 Jun 2004
Posts: 96
Location: Hamburg, Germany
Posted: Wed Mar 27, 2013 7:34 am    Post subject: [solved] strongSwan certificate permissions

Hi Guys and Gals,

Yesterday I tried to install strongSwan on my server to connect to my home network using the iPad's builtin IPSec VPN client.
For the configuration of strongSwan I followed this guide:
"http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)"

Unfortunately during startup I'm getting some "permission denied" errors while accessing the server and client certificates:
Code:
Mar 27 08:17:52 cheffe charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.7.10-gentoo, i686)
Mar 27 08:17:52 cheffe charon: 00[CFG] attr-sql plugin: database URI not set
Mar 27 08:17:52 cheffe charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Mar 27 08:17:52 cheffe charon: 00[CFG] sql plugin: database URI not set
Mar 27 08:17:52 cheffe charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Mar 27 08:17:52 cheffe charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded ca certificate "C=DE, O=bodsch.com, CN=bodsch.com CA" from '/etc/ipsec.d/cacerts/caCert.pem'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverKey.pem'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded EAP secret for matze
Mar 27 08:17:52 cheffe charon: 00[DMN] loaded plugins: charon curl mysql sqlite aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic dhcp
Mar 27 08:17:52 cheffe charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 27 08:17:52 cheffe charon: 00[JOB] spawning 16 worker threads
Mar 27 08:17:52 cheffe ipsec_starter[14448]: charon (14449) started after 360 ms
Mar 27 08:17:52 cheffe charon: 05[CFG] received stroke: add connection 'ios'
Mar 27 08:17:52 cheffe charon: 05[CFG] left nor right host is our side, assuming left=local
Mar 27 08:17:52 cheffe charon: 05[CFG] adding virtual IP address pool 192.168.1.0/24
Mar 27 08:17:52 cheffe charon: 05[LIB]   opening '/etc/ipsec.d/certs/serverCert.pem' failed: Permission denied
Mar 27 08:17:52 cheffe charon: 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mar 27 08:17:52 cheffe charon: 05[CFG]   loading certificate from 'serverCert.pem' failed
Mar 27 08:17:52 cheffe charon: 05[LIB]   opening '/etc/ipsec.d/certs/clientCert.pem' failed: Permission denied
Mar 27 08:17:52 cheffe charon: 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mar 27 08:17:52 cheffe charon: 05[CFG]   loading certificate from 'clientCert.pem' failed
Mar 27 08:17:52 cheffe charon: 05[CFG] added configuration 'ios'


I googled a lot for this issue, and because I didn't find anyone else having this problem, I assume that the root of the problem lies in my brain and not in the guide.
This is my /etc/ipsec.conf:
Code:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=10.0.1.0/24
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.0/24
        rightcert=clientCert.pem
        auto=add

The left subnet is my local one and the right subnet the virtual network for the VPN clients.

These are the file permissions of the certificates in /etc/ipsec.d/:
Code:
aacerts:
total 0

acerts:
total 0

cacerts:
total 4
-rw-r----- 1 ipsec ipsec 1224 26 Mar 17:12 caCert.pem

certs:
total 8
-rw-r----- 1 ipsec ipsec 1147 26 Mar 17:12 clientCert.pem
-rw-r----- 1 ipsec ipsec 1216 26 Mar 17:12 serverCert.pem

crls:
total 0

ocspcerts:
total 0

private:
total 8
-rw-r----- 1 ipsec ipsec 1675 26 Mar 17:12 clientKey.pem
-rw-r----- 1 ipsec ipsec 1675 26 Mar 17:12 serverKey.pem

reqs:
total 0


Regarding the log, the caCert.pem could be loaded by strongSwan but not the serverCert.pem or the clientCert.pem.
Because all certificates have exactly the same permissions, I'm a bit lost at the moment.
I even tried to "chmod 777" the whole /etc/ipsec.d/ directory (I know: VERY BAD!!) without success.

What am I missing here?

Thanks,
relkai
_________________
Server: Pentium D-3,2GHz / 2 GB DDR-RAM / TerraTec Cynergy 1400 DVB-T
Notebook: IBM Thinkpad T60 / Core 2 Duo 2,2GHz / 2GB DDR-RAM / Intel 945GM
MythTV Box: Zotac ZBOX HD-ID33 1,8GHz / 2 GB DDR2-RAM / 32GB SSD-HDD
relkai
Tux's lil' helper
Joined: 22 Jun 2004
Posts: 96
Location: Hamburg, Germany
Posted: Wed Mar 27, 2013 8:51 am

Excuse me, it was indeed a "pebkac".

I installed strongSwan without the USE flag "non-root" because I wanted as little trouble as possible during the initial configuration.
After recompiling strongSwan with this USE flag set (fewer privileges for the process running ipsec), the certificates load fine now.

I don't know why it isn't working as root, but as long as it's up and running and even more secure, I'm very happy with it.

Cheers,
relkai
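An added example, not code from the post or from strongSwan, that follows up the open question of why the root-running daemon could not read its own certificates. Two things in the posted log are worth lining up: the CA certificate from cacerts and the key from private are loaded before the line "dropped capabilities, running as uid 0, gid 0", while serverCert.pem and clientCert.pem are opened only afterwards, when the stroke "add connection 'ios'" arrives. The log does not list which capabilities were dropped, but if CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are among them, the kernel applies the ordinary owner/group/other read bits to that uid 0 process like to any other user, and a 0640 file owned by ipsec:ipsec is then unreadable to root:root, whereas the ipsec user that USE=non-root switches to owns it. The functions below model exactly that check from the ls -l fields alone (rather than with test -r, which run as fully privileged root always answers yes) and audit a constructed listing mirroring the posted one under both identities. The listing, the user and group names and the verdict wording are this example's own assumptions, and only the primary group is considered.

```shell
#!/bin/sh
# Added example (not from the forum post or strongSwan): decide from mode
# bits and ownership whether a credential file is readable by a given
# user:group, then audit an ls -l style listing under that identity.
# Mode bits are used instead of `test -r` on purpose: a uid 0 daemon that
# has dropped CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH gets the same answer as
# an unprivileged user, which `test -r` run as real root would hide.

# can_read MODESTR OWNER GROUP USER USERGROUP
#   MODESTR is the 10-character ls -l field, e.g. -rw-r-----
#   Exit 0 if USER (primary group USERGROUP) may read the file, 1 otherwise.
#   Assumption: only the primary group counts, no supplementary groups.
#   As the kernel does, the owner class is used exclusively when USER owns
#   the file, even if the group or other bits would be more permissive.
can_read() {
    m=$1 o=$2 g=$3 u=$4 ug=$5
    if [ "$u" = "$o" ]; then
        case $m in ?r*) return 0 ;; *) return 1 ;; esac
    elif [ "$ug" = "$g" ]; then
        case $m in ????r*) return 0 ;; *) return 1 ;; esac
    else
        case $m in ???????r*) return 0 ;; *) return 1 ;; esac
    fi
}

# world_readable MODESTR: exit 0 if the "other" read bit is set.
world_readable() {
    case $1 in ???????r*) return 0 ;; *) return 1 ;; esac
}

# audit_listing USER USERGROUP < listing
#   Reads `ls -l /etc/ipsec.d/*` output in the C/English locale ("dir:"
#   headers, "total N" lines, blank lines, one file per line; file names
#   without spaces assumed). Prints one verdict per file. Exit 1 if any file
#   is unreadable by USER or any file under private/ is world-readable.
audit_listing() {
    who=$1 whogrp=$2 rc=0 dir=''
    while IFS= read -r line; do
        case $line in
            '') continue ;;
            "total "*) continue ;;
            *:) dir=${line%:}; continue ;;
        esac
        # fields: mode links owner group size date... name; name is last
        set -- $line
        mode=$1 owner=$3 group=$4
        for name in "$@"; do :; done
        verdict=OK
        if ! can_read "$mode" "$owner" "$group" "$who" "$whogrp"; then
            verdict="DENY: $who:$whogrp cannot read $owner:$group $mode"
            rc=1
        else
            case $dir in
                private|*/private)
                    if world_readable "$mode"; then
                        verdict="WEAK: private key is world-readable"
                        rc=1
                    fi ;;
            esac
        fi
        printf '%-55s %s\n' "$verdict" "${dir:+$dir/}$name"
    done
    return $rc
}

# Constructed listing mirroring the ownership and modes posted above
# (English ls -l layout; only the directories that contain files).
SAMPLE_LISTING='cacerts:
total 4
-rw-r----- 1 ipsec ipsec 1224 Mar 26 17:12 caCert.pem

certs:
total 8
-rw-r----- 1 ipsec ipsec 1147 Mar 26 17:12 clientCert.pem
-rw-r----- 1 ipsec ipsec 1216 Mar 26 17:12 serverCert.pem

private:
total 8
-rw-r----- 1 ipsec ipsec 1675 Mar 26 17:12 clientKey.pem
-rw-r----- 1 ipsec ipsec 1675 Mar 26 17:12 serverKey.pem'

echo "== charon as ipsec:ipsec (USE=non-root) =="
printf '%s\n' "$SAMPLE_LISTING" | audit_listing ipsec ipsec || echo "audit failed"
echo "== charon as uid 0 with CAP_DAC_OVERRIDE dropped =="
printf '%s\n' "$SAMPLE_LISTING" | audit_listing root root || echo "audit failed: fix ownership or modes"
```

On a real box, feed it `LC_ALL=C ls -l /etc/ipsec.d/* | audit_listing ipsec ipsec` (or `root root` for a charon built without non-root). The usual fix for the DENY case is to make the daemon's identity own the files, which is what the non-root build does; the alternative of chmod 777 on /etc/ipsec.d/ without -R changes only the directory entry, so the files keep the 0640 bits shown in the listing.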