[strongSwan] Users Digest, Vol 85, Issue 8
alirmusio at icloud.com
Fri Feb 10 00:24:49 CET 2017
Sent from my iPhone
> On Feb 10, 2017, at 2:52 AM, users-request at lists.strongswan.org wrote:
>
> Send Users mailing list submissions to
> users at lists.strongswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at lists.strongswan.org
>
> You can reach the person managing the list at
> users-owner at lists.strongswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
>
> Today's Topics:
>
> 1. Can't load certificates and keys via symlink (Jose Novacho)
> 2. Re: Can't load certificates and keys via symlink (Noel Kuntze)
> 3. No traffic with compress=yes (Alexander Hill)
> 4. Re: No traffic with compress=yes (Noel Kuntze)
> 5. Re: Can't load certificates and keys via symlink (Jose Novacho)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Feb 2017 16:55:23 +0100
> From: Jose Novacho <jnovacho at yahoo.com>
> To: users at lists.strongswan.org
> Subject: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <5aff96ac-2fe1-ec2d-808a-9278da41fba2 at yahoo.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hi,
> I have set up a strongSwan VPN on my Ubuntu 16.04 server. I'm using
> Let's Encrypt certificates, and the ipsec daemon does not want to load the
> certificates from a symbolic link.
>
> The setup is as follows:
>
> Contents of relevant directories:
>
> root@Trinity:/etc/ipsec.d/certs# ls -la
> celkem 8
> drwxr-xr-x 2 root root 4096 úno 9 16:08 .
> drwxr-xr-x 12 root root 4096 úno 8 20:36 ..
> lrwxrwxrwx 1 root root 54 úno 9 16:08 fullchain.pem ->
> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>
> root@Trinity:/etc/letsencrypt/live/trinity.ingames.cz# ls -la
> celkem 8
> drwxr-xr-x 2 root root 4096 úno 6 20:51 .
> drwx------ 3 root root 4096 úno 6 20:51 ..
> lrwxrwxrwx 1 root root 42 úno 6 20:51 cert.pem ->
> ../../archive/trinity.ingames.cz/cert1.pem
> lrwxrwxrwx 1 root root 47 úno 6 20:51 fullchain.pem ->
> ../../archive/trinity.ingames.cz/fullchain1.pem
> lrwxrwxrwx 1 root root 43 úno 6 20:51 chain.pem ->
> ../../archive/trinity.ingames.cz/chain1.pem
> lrwxrwxrwx 1 root root 45 úno 6 20:51 privkey.pem ->
> ../../archive/trinity.ingames.cz/privkey1.pem
>
> root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
> celkem 24
> drwxr-xr-x 2 root root 4096 úno 6 20:51 .
> drwx------ 3 root root 4096 úno 6 20:51 ..
> -rw-r--r-- 1 root root 1805 úno 6 20:51 cert1.pem
> -rw-r--r-- 1 root root 3452 úno 6 20:51 fullchain1.pem
> -rw-r--r-- 1 root root 1647 úno 6 20:51 chain1.pem
> -rw-r--r-- 1 root root 1704 úno 6 20:51 privkey1.pem
>
> -------------------------------------
> ipsec.conf configuration file
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
>     keyexchange=ikev2
>     ike=<plugins>
>     esp=<plugins>
>     dpdaction=restart
>     dpddelay=10s
>     dpdtimeout=30s
>     authby=pubkey
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftcert=fullchain.pem        <------- my symbolic link
>     leftsendcert=always
>     right=%any
>     rightsourceip=192.168.0.110-192.168.0.115
>     rightdns=192.168.0.253
>     leftupdown=/home/services/.vpnkeepalive/pluto.sh
>
> conn IPSec-eap
>     keyexchange=ikev2
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     auto=start
>
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=start
>
> If I launch the ipsec service I get the following in the logs:
>
> 05[CFG] adding virtual IP address pool 192.168.0.110-192.168.0.115
> 05[LIB] opening '/etc/ipsec.d/certs/fullchain.pem' failed:
> Permission denied        <------ Permission denied opening the symbolic link
> 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> 05[CFG] loading certificate from 'fullchain.pem' failed
>
> My strongSwan version info:
>
> root@Trinity:/$ ipsec --version
> Linux strongSwan U5.3.5/K4.8.0-32-generic
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> If I replace the link with the actual file, everything works fine. All
> actions presented were done as root.
>
> Is there a way to use symlinks instead of actual files?
>
> Thanks,
> JN
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.strongswan.org/pipermail/users/attachments/20170209/96508ce9/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 9 Feb 2017 18:29:10 +0100
> From: Noel Kuntze <noel at familie-kuntze.de>
> To: Jose Novacho <jnovacho at yahoo.com>, users at lists.strongswan.org
> Subject: Re: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <6faa8ee5-6092-83b5-ce54-7cc962be5525 at familie-kuntze.de>
> Content-Type: text/plain; charset="utf-8"
>
>
> Hello Jose,
>
>> On 09.02.2017 at 16:55, Jose Novacho wrote:
>>
>> lrwxrwxrwx 1 root root 54 úno 9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>>
> Loading several certificates from a file is not supported.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 866 bytes
> Desc: OpenPGP digital signature
> URL: <http://lists.strongswan.org/pipermail/users/attachments/20170209/da991fdc/attachment-0001.sig>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 09 Feb 2017 17:39:11 +0000
> From: Alexander Hill <alex at hill.net.au>
> To: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: [strongSwan] No traffic with compress=yes
> Message-ID:
> <CA+KBOKwtipc79XU+gFY-QPYFO-97S6rmvOCDJv+J+4XrpJm0cQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> Running strongSwan 5.3.5 on Ubuntu 16.04 on clients and server.
>
> My connections with compress=yes don't appear to pass any traffic. What I'm
> seeing seems similar to the issue described in this post from 2013:
> https://lists.strongswan.org/pipermail/users/2013-May/004689.html
>
> I get connections apparently up, I see them in the output of ipsec status
> and ipsec leases, but no traffic across the link. Set compress=no on the
> server and issue ipsec reload, and the clients connect and communicate fine.
>
> Are there any known problems with this setup?
>
> Thanks,
> Alex
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.strongswan.org/pipermail/users/attachments/20170209/e17a5050/attachment-0001.html>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 9 Feb 2017 18:41:38 +0100
> From: Noel Kuntze <noel at familie-kuntze.de>
> To: Alexander Hill <alex at hill.net.au>, "users at lists.strongswan.org"
> <users at lists.strongswan.org>
> Subject: Re: [strongSwan] No traffic with compress=yes
> Message-ID: <3b435253-506f-58eb-4d90-081b4b7611ef at familie-kuntze.de>
> Content-Type: text/plain; charset="utf-8"
>
>> On 09.02.2017 at 18:39, Alexander Hill wrote:
>>
>> I get connections apparently up, I see them in the output of ipsec status and ipsec leases, but no traffic across the link. Set compress=no on the server and issue ipsec reload, and the clients connect and communicate fine.
>
> Read the part in the FAQ about IPsec and iptables/nftables[1].
> Quote: "Packets that are compressed using the ipcomp option pass through some chains three times.
> Once as encapsulated packet, then as IP-in-IP packet and then as the actual packet.
> The protocol number depends on the encapsulated protocol. You need to allow the protocols in iptables and
> ip6tables depending on your tunnel configuration."
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 866 bytes
> Desc: OpenPGP digital signature
> URL: <http://lists.strongswan.org/pipermail/users/attachments/20170209/9f007af8/attachment-0001.sig>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 10 Feb 2017 00:22:36 +0100
> From: Jose Novacho <jnovacho at yahoo.com>
> To: Noel Kuntze <noel at familie-kuntze.de>, users at lists.strongswan.org
> Subject: Re: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <00974667-383a-15fe-de41-212b087f9717 at yahoo.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hello Noel,
> if I replace the symbolic link with the actual file fullchain1.pem
> everything works as expected.
>
> I have also replaced the link, so it points at the
> /etc/letsencrypt/archive/trinity.ingames.cz/cert1.pem file. But that
> didn't help either. I'm still getting permission denied on the cert file.
>
> Do you know which of the following Let's Encrypt files is the correct one?
>
> root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
> celkem 24
> drwxr-xr-x 2 root root 4096 úno 6 20:51 .
> drwx------ 3 root root 4096 úno 6 20:51 ..
> -rw-r--r-- 1 root root 1805 úno 6 20:51 cert1.pem
> -rw-r--r-- 1 root root 3452 úno 6 20:51 fullchain1.pem
> -rw-r--r-- 1 root root 1647 úno 6 20:51 chain1.pem
> -rw-r--r-- 1 root root 1704 úno 6 20:51 privkey1.pem
>
> I'm not really sure how to use them for VPN otherwise.
>
> Best,
> JN
>
>
>> On 09.02.2017 18:29, Noel Kuntze wrote:
>> Hello Jose,
>>
>>> On 09.02.2017 at 16:55, Jose Novacho wrote:
>>>
>>> lrwxrwxrwx 1 root root 54 úno 9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>>>
>> Loading several certificates from a file is not supported.
>>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.strongswan.org/pipermail/users/attachments/20170210/9a55c78c/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
> ------------------------------
>
> End of Users Digest, Vol 85, Issue 8
> ************************************
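For messages 1, 2 and 5 above (the symlinked Let's Encrypt certificate that charon refuses to load), the following is an added example and not code from the thread or from the strongSwan project. It builds a constructed copy of the directory layout Jose posted (archive/, live/ and an ipsec.d/certs symlink, under a temporary directory with the placeholder name example.test and dummy PEM blocks instead of real certificates), resolves each symlink to its final target, checks whether that target is readable, counts the certificate blocks in it, and walks the resolved path printing the mode of every component. Let's Encrypt's cert.pem holds only the server certificate while fullchain.pem holds the server certificate plus the chain, so Noel's remark that a multi-certificate file is not supported is exactly what the count makes visible; the mode walk is the first thing to compare against the daemon's user when a read is denied (the drwx------ on /etc/letsencrypt/live and archive in the post would stop any non-root reader).

```shell
#!/bin/sh
# Added example (not from the thread): inspect Let's Encrypt-style certificate
# files laid out as in the original post, following symlinks and counting how
# many certificates each file contains. The layout is a constructed fixture
# with dummy PEM blocks, not real certificates.

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_certs() {
    if [ ! -r "$1" ]; then
        echo 0
        return
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Follow every level of symlink and print the final path (empty on failure).
resolve_target() {
    readlink -f -- "$1" 2>/dev/null || true
}

# Classify a candidate for leftcert=: "unreadable", "single" or "multi:N".
classify_cert_file() {
    target=$(resolve_target "$1")
    if [ -z "$target" ] || [ ! -r "$target" ]; then
        echo unreadable
        return
    fi
    n=$(count_certs "$target")
    if [ "$n" -eq 1 ]; then
        echo single
    else
        echo "multi:$n"
    fi
}

# Walk each component of the resolved path and show its mode and owner,
# to spot a directory that would stop a reader (e.g. drwx------ root root).
show_path_modes() {
    p=$(resolve_target "$1")
    acc=""
    old_ifs=$IFS; IFS=/; set -- $p; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        ls -ld -- "$acc" | awk '{print $1, $3, $4, $NF}'
    done
}

# Build a constructed fixture mimicking /etc/letsencrypt/{archive,live} and an
# /etc/ipsec.d/certs symlink under a temporary directory; prints that directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/letsencrypt/archive/example.test" \
             "$root/letsencrypt/live/example.test" \
             "$root/ipsec.d/certs"
    leaf='-----BEGIN CERTIFICATE-----
ZHVtbXkgbGVhZiBjZXJ0
-----END CERTIFICATE-----'
    chain='-----BEGIN CERTIFICATE-----
ZHVtbXkgaW50ZXJtZWRpYXRl
-----END CERTIFICATE-----'
    printf '%s\n' "$leaf" > "$root/letsencrypt/archive/example.test/cert1.pem"
    printf '%s\n' "$chain" > "$root/letsencrypt/archive/example.test/chain1.pem"
    printf '%s\n%s\n' "$leaf" "$chain" > "$root/letsencrypt/archive/example.test/fullchain1.pem"
    # live/ links into archive/ with relative targets, as certbot does
    ln -s ../../archive/example.test/cert1.pem "$root/letsencrypt/live/example.test/cert.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$root/letsencrypt/live/example.test/fullchain.pem"
    # ipsec.d/certs links into live/, like the post; plus one dangling link
    ln -s "$root/letsencrypt/live/example.test/fullchain.pem" "$root/ipsec.d/certs/fullchain.pem"
    ln -s "$root/letsencrypt/live/example.test/cert.pem" "$root/ipsec.d/certs/cert.pem"
    ln -s "$root/letsencrypt/live/example.test/missing.pem" "$root/ipsec.d/certs/dangling.pem"
    echo "$root"
}

main() {
    d=$(make_fixture)
    for f in "$d"/ipsec.d/certs/*.pem; do
        printf '%s\n  -> %s (%s)\n' "$f" "$(resolve_target "$f")" "$(classify_cert_file "$f")"
    done
    echo "Path components of the symlinked fullchain.pem:"
    show_path_modes "$d/ipsec.d/certs/fullchain.pem"
    rm -rf "$d"
}

main
```

Run it as any user; the report shows the two-level symlink chain resolving into archive/, fullchain.pem classified as multi:2 and cert.pem as single, and the dangling link as unreadable.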
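For messages 3 and 4 above (no traffic with compress=yes, answered with the FAQ note that IPComp packets traverse the filter chains as an IPComp packet, then as an IP-in-IP packet, then as the inner packet), the following is an added example and not code from the thread or from the strongSwan project. It audits a constructed iptables-save excerpt of a gateway that only accepts ESP and IKE, lists the IP protocols the tunnel requires for a given compress= setting, reports which are missing, and prints (not applies) the rules that would close the gap. The protocol numbers are the IANA assignments (ESP 50, IPComp 108, IPv4-in-IPv4 4, IPv6-in-IPv6 41); picking 4 or 41 by the tunnel's address family is my reading of the FAQ's "depends on the encapsulated protocol", and only the INPUT chain is audited here, so the same check should be run against FORWARD on a gateway.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): audit an
# iptables ruleset for the protocols an IPsec gateway must accept, and show how
# compress=yes (IPComp) widens that set. Protocol numbers are IANA assignments.

# Print the IP protocol numbers required for a tunnel, one per line.
#   $1: "yes" or "no" for compress=     $2: "4" or "6" address family
required_protocols() {
    printf '50\n'                     # ESP, always
    if [ "$1" = yes ]; then
        printf '108\n'                # IPComp, the first pass through the chain
        if [ "$2" = 6 ]; then         # IP-in-IP, the second pass (family dependent)
            printf '41\n'
        else
            printf '4\n'
        fi
    fi
}

# Normalize a protocol token from a rule ("-p esp", "-p 50") to its number.
proto_number() {
    case "$1" in
        esp|50)     echo 50 ;;
        ipcomp|108) echo 108 ;;
        ipencap|4)  echo 4 ;;
        ipv6|41)    echo 41 ;;
        *)          echo "$1" ;;
    esac
}

# List the protocols accepted in one chain of an iptables-save dump.
#   $1: dump file   $2: chain name (e.g. INPUT)
accepted_in_chain() {
    awk -v chain="$2" '$1 == "-A" && $2 == chain && / -j ACCEPT( |$)/ {
             for (i = 3; i < NF; i++) if ($i == "-p") print $(i + 1)
         }' "$1" | while read -r p; do proto_number "$p"; done
}

# Print the required protocols that the INPUT chain does not accept (empty = OK).
#   $1: dump file   $2: compress yes/no   $3: family 4/6
missing_protocols() {
    accepted=$(accepted_in_chain "$1" INPUT)
    required_protocols "$2" "$3" | while read -r need; do
        echo "$accepted" | grep -qx "$need" || echo "$need"
    done
}

# Emit the rules that would close the gap; printed, never executed here.
suggest_rules() {
    if [ "$3" = 6 ]; then cmd=ip6tables; else cmd=iptables; fi
    missing_protocols "$@" | while read -r p; do
        echo "$cmd -A INPUT -p $p -j ACCEPT"
    done
}

# Constructed iptables-save excerpt: a gateway that only knows about IKE and ESP.
make_sample_ruleset() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
EOF
    echo "$f"
}

main() {
    f=$(make_sample_ruleset)
    echo "compress=no  missing: [$(missing_protocols "$f" no 4 | tr '\n' ' ')]"
    echo "compress=yes missing: [$(missing_protocols "$f" yes 4 | tr '\n' ' ')]"
    echo "rules to add for compress=yes:"
    suggest_rules "$f" yes 4
    rm -f "$f"
}

main
```

With the sample ruleset the compress=no case reports nothing missing, which matches the thread: the tunnel comes up and passes traffic only until IPComp adds the two extra passes (108 and 4) that the firewall never allowed.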