# [solved] strongSwan certificate permissions

## relkai

Hi Guys and Gals,

Yesterday I tried to install strongSwan on my server to connect to my home network using the iPad's built-in IPSec VPN client.

For the configuration of strongSwan I followed this guide:

"http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)"

Unfortunately during startup I'm getting some "permission denied" errors while accessing the server and client certificates:

```
Mar 27 08:17:52 cheffe charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.7.10-gentoo, i686)
Mar 27 08:17:52 cheffe charon: 00[CFG] attr-sql plugin: database URI not set
Mar 27 08:17:52 cheffe charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Mar 27 08:17:52 cheffe charon: 00[CFG] sql plugin: database URI not set
Mar 27 08:17:52 cheffe charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Mar 27 08:17:52 cheffe charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded ca certificate "C=DE, O=bodsch.com, CN=bodsch.com CA" from '/etc/ipsec.d/cacerts/caCert.pem'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 27 08:17:52 cheffe charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverKey.pem'
Mar 27 08:17:52 cheffe charon: 00[CFG]   loaded EAP secret for matze
Mar 27 08:17:52 cheffe charon: 00[DMN] loaded plugins: charon curl mysql sqlite aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic dhcp
Mar 27 08:17:52 cheffe charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 27 08:17:52 cheffe charon: 00[JOB] spawning 16 worker threads
Mar 27 08:17:52 cheffe ipsec_starter[14448]: charon (14449) started after 360 ms
Mar 27 08:17:52 cheffe charon: 05[CFG] received stroke: add connection 'ios'
Mar 27 08:17:52 cheffe charon: 05[CFG] left nor right host is our side, assuming left=local
Mar 27 08:17:52 cheffe charon: 05[CFG] adding virtual IP address pool 192.168.1.0/24
Mar 27 08:17:52 cheffe charon: 05[LIB]   opening '/etc/ipsec.d/certs/serverCert.pem' failed: Permission denied
Mar 27 08:17:52 cheffe charon: 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mar 27 08:17:52 cheffe charon: 05[CFG]   loading certificate from 'serverCert.pem' failed
Mar 27 08:17:52 cheffe charon: 05[LIB]   opening '/etc/ipsec.d/certs/clientCert.pem' failed: Permission denied
Mar 27 08:17:52 cheffe charon: 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mar 27 08:17:52 cheffe charon: 05[CFG]   loading certificate from 'clientCert.pem' failed
Mar 27 08:17:52 cheffe charon: 05[CFG] added configuration 'ios'
```

I googled a lot for this issue, and because I didn't find anyone else having this problem, I assume that the root of the problem lies in my brain and not in the guide.

This is my /etc/ipsec.conf:

```
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=10.0.1.0/24
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.0/24
        rightcert=clientCert.pem
        auto=add
```

The left subnet is my local one and the right subnet the virtual network for the VPN clients.

These are the file permissions of the certificates in /etc/ipsec.d/:

```
aacerts:
insgesamt 0

acerts:
insgesamt 0

cacerts:
insgesamt 4
-rw-r----- 1 ipsec ipsec 1224 26. Mär 17:12 caCert.pem

certs:
insgesamt 8
-rw-r----- 1 ipsec ipsec 1147 26. Mär 17:12 clientCert.pem
-rw-r----- 1 ipsec ipsec 1216 26. Mär 17:12 serverCert.pem

crls:
insgesamt 0

ocspcerts:
insgesamt 0

private:
insgesamt 8
-rw-r----- 1 ipsec ipsec 1675 26. Mär 17:12 clientKey.pem
-rw-r----- 1 ipsec ipsec 1675 26. Mär 17:12 serverKey.pem

reqs:
insgesamt 0
```

According to the log, the caCert.pem could be loaded by strongSwan, but not the serverCert.pem or the clientCert.pem.

Because all certificates have exactly the same permissions, I'm a bit lost at the moment.

I even tried to "chmod 777" the whole /etc/ipsec.d/ directory (I know: VERY BAD!!) without success.

What am I missing here?

Thanks,

relkai

----------

## relkai

Excuse me, it was indeed a "pebkac".

I installed strongSwan without the USE flag "non-root" because I wanted as little trouble as possible during the initial configuration.

After recompiling strongSwan with this USE flag set (fewer privileges for the process running ipsec), the certificates are loading fine now.

I don't know why it isn't working as root, but as long as it's up and running and even more secure, I'm very happy with it.

Cheers,

relkai
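An added check, not code from this thread or from strongSwan: it parses an `ls -l` listing like the one posted above and reports which files a given daemon identity can open under ordinary POSIX mode bits, so a permissions question like this one can be answered from the listing and the log alone. It assumes the process holds neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH, the situation a daemon that logs "dropped capabilities, running as uid 0, gid 0" is modelled as here, in which case uid 0 no longer bypasses a 0640 file owned by ipsec:ipsec; the `Entry`, `Principal` and `LISTING` names are the example's own.

```python
import re
from collections import namedtuple

# Constructed sample: entries copied from the cacerts/, certs/ and private/
# listing in the thread above.
LISTING = """\
-rw-r----- 1 ipsec ipsec 1224 26. Mär 17:12 caCert.pem
-rw-r----- 1 ipsec ipsec 1147 26. Mär 17:12 clientCert.pem
-rw-r----- 1 ipsec ipsec 1216 26. Mär 17:12 serverCert.pem
-rw-r----- 1 ipsec ipsec 1675 26. Mär 17:12 serverKey.pem
"""

# One `ls -l` entry; the date/time field is skipped lazily so the German
# "26. Mär 17:12" format on this page parses as well as the C locale does.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+.+?\s+(?P<name>\S+)$"
)

Entry = namedtuple("Entry", "name user group owner_r group_r other_r")
# The identity a daemon has after dropping privileges: user name, the set of
# group names it belongs to, and whether it still holds CAP_DAC_OVERRIDE or
# CAP_DAC_READ_SEARCH (uid 0 without them is subject to ordinary mode bits).
Principal = namedtuple("Principal", "user groups dac_bypass", defaults=[False])

def parse_listing(text):
    """Parse `ls -l` output, ignoring 'insgesamt N' totals and dir headers."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mode = m["mode"]
            entries.append(Entry(m["name"], m["user"], m["group"],
                                 mode[1] == "r", mode[4] == "r", mode[7] == "r"))
    return entries

def can_read(e, p):
    """POSIX DAC: owner bits if owner, else group bits if member, else other."""
    if p.dac_bypass:
        return True
    if e.user == p.user:
        return e.owner_r
    if e.group in p.groups:
        return e.group_r
    return e.other_r

def unreadable(text, p):
    """Names of files in the listing that principal p cannot open for reading."""
    return [e.name for e in parse_listing(text) if not can_read(e, p)]
```

Running `unreadable(LISTING, Principal("root", {"root"}))` lists all four files, while `Principal("ipsec", {"ipsec"})` gets an empty list, which is the difference between the two builds described in this thread.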
