Sent from my iPhone
> On Feb 10, 2017, at 2:52 AM, [email protected] wrote:
>
> Send Users mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
>
> Today's Topics:
>
> 1. Can't load certificates and keys via symlink (Jose Novacho)
> 2. Re: Can't load certificates and keys via symlink (Noel Kuntze)
> 3. No traffic with compress=yes (Alexander Hill)
> 4. Re: No traffic with compress=yes (Noel Kuntze)
> 5. Re: Can't load certificates and keys via symlink (Jose Novacho)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Feb 2017 16:55:23 +0100
> From: Jose Novacho <[email protected]>
> To: [email protected]
> Subject: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hi,
> I have set up a strongSwan VPN on my Ubuntu 16.04 server. I'm using
> Let's Encrypt certificates, and the ipsec daemon does not want to load the
> certificates from a symbolic link.
>
> The setup is the following:
>
> Contents of relevant directories:
>
> root@Trinity:/etc/ipsec.d/certs# ls -la
> total 8
> drwxr-xr-x  2 root root 4096 Feb  9 16:08 .
> drwxr-xr-x 12 root root 4096 Feb  8 20:36 ..
> lrwxrwxrwx  1 root root   54 Feb  9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>
> root@Trinity:/etc/letsencrypt/live/trinity.ingames.cz# ls -la
> total 8
> drwxr-xr-x 2 root root 4096 Feb 6 20:51 .
> drwx------ 3 root root 4096 Feb 6 20:51 ..
> lrwxrwxrwx 1 root root   42 Feb 6 20:51 cert.pem -> ../../archive/trinity.ingames.cz/cert1.pem
> lrwxrwxrwx 1 root root   47 Feb 6 20:51 fullchain.pem -> ../../archive/trinity.ingames.cz/fullchain1.pem
> lrwxrwxrwx 1 root root   43 Feb 6 20:51 chain.pem -> ../../archive/trinity.ingames.cz/chain1.pem
> lrwxrwxrwx 1 root root   45 Feb 6 20:51 privkey.pem -> ../../archive/trinity.ingames.cz/privkey1.pem
>
> root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
> total 24
> drwxr-xr-x 2 root root 4096 Feb 6 20:51 .
> drwx------ 3 root root 4096 Feb 6 20:51 ..
> -rw-r--r-- 1 root root 1805 Feb 6 20:51 cert1.pem
> -rw-r--r-- 1 root root 3452 Feb 6 20:51 fullchain1.pem
> -rw-r--r-- 1 root root 1647 Feb 6 20:51 chain1.pem
> -rw-r--r-- 1 root root 1704 Feb 6 20:51 privkey1.pem
>
> -------------------------------------
> ipsec.conf configuration file
>
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>     charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
>     keyexchange=ikev2
>     ike=<plugins>
>     esp=<plugins>
>     dpdaction=restart
>     dpddelay=10s
>     dpdtimeout=30s
>     authby=pubkey
>     left=%any
>     leftsubnet=0.0.0.0/0
>     leftcert=fullchain.pem        <------- my symbolic link
>     leftsendcert=always
>     right=%any
>     rightsourceip=192.168.0.110-192.168.0.115
>     rightdns=192.168.0.253
>     leftupdown=/home/services/.vpnkeepalive/pluto.sh
>
> conn IPSec-eap
>     keyexchange=ikev2
>     rightauth=eap-mschapv2
>     eap_identity=%any
>     auto=start
>
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=start
>
> If I launch the ipsec service I get the following in the logs:
>
> 05[CFG] adding virtual IP address pool 192.168.0.110-192.168.0.115
> 05[LIB] opening '/etc/ipsec.d/certs/fullchain.pem' failed: Permission denied   <------ Permission denied opening the symbolic link
> 05[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
> 05[CFG] loading certificate from 'fullchain.pem' failed
>
> My strongSwan version info:
>
> root@Trinity:/$ ipsec --version
> Linux strongSwan U5.3.5/K4.8.0-32-generic
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> If I replace the link with the actual file, everything works fine. All
> actions presented were done as root.
>
> Is there a way to use symlinks instead of actual files?
>
> Thanks,
> JN
>
> ------------------------------
>
> Message: 2
> Date: Thu, 9 Feb 2017 18:29:10 +0100
> From: Noel Kuntze <[email protected]>
> To: Jose Novacho <[email protected]>, [email protected]
> Subject: Re: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
>
> Hello Jose,
>
>> On 09.02.2017 at 16:55, Jose Novacho wrote:
>>
>> lrwxrwxrwx 1 root root 54 Feb 9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>>
> Loading several certificates from a file is not supported.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> ------------------------------
>
> Message: 3
> Date: Thu, 09 Feb 2017 17:39:11 +0000
> From: Alexander Hill <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [strongSwan] No traffic with compress=yes
> Message-ID: <ca+kbokwtipc79xu+gfy-qpyfo-97s6rmvocdjv+j+4xrpjm...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> Running strongSwan 5.3.5 on Ubuntu 16.04 on clients and server.
>
> My connections with compress=yes don't appear to pass any traffic. What I'm
> seeing seems similar to the issue described in this post from 2013:
> https://lists.strongswan.org/pipermail/users/2013-May/004689.html
>
> I get connections apparently up, I see them in the output of ipsec status
> and ipsec leases, but no traffic across the link. Set compress=no on the
> server and issue ipsec reload, and the clients connect and communicate fine.
>
> Are there any known problems with this setup?
>
> Thanks,
> Alex
>
> ------------------------------
>
> Message: 4
> Date: Thu, 9 Feb 2017 18:41:38 +0100
> From: Noel Kuntze <[email protected]>
> To: Alexander Hill <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [strongSwan] No traffic with compress=yes
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
>> On 09.02.2017 at 18:39, Alexander Hill wrote:
>>
>> I get connections apparently up, I see them in the output of ipsec status
>> and ipsec leases, but no traffic across the link. Set compress=no on the
>> server and issue ipsec reload, and the clients connect and communicate fine.
>
> Read the part in the FAQ about IPsec and iptables/nftables[1].
> Quote: "Packets that are compressed using the ipcomp option pass through some
> chains three times. Once as encapsulated packet, then as IP-in-IP packet and
> then as the actual packet. The protocol number depends on the encapsulated
> protocol. You need to allow the protocols in iptables and ip6tables depending
> on your tunnel configuration."
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> ------------------------------
>
> Message: 5
> Date: Fri, 10 Feb 2017 00:22:36 +0100
> From: Jose Novacho <[email protected]>
> To: Noel Kuntze <[email protected]>, [email protected]
> Subject: Re: [strongSwan] Can't load certificates and keys via symlink
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hello Noel,
> if I replace the symbolic link with the actual file fullchain1.pem
> everything works as expected.
>
> I have also replaced the link so that it points at the
> /etc/letsencrypt/archive/trinity.ingames.cz/cert1.pem file. But that
> didn't help either. I'm still getting permission denied on the cert file.
>
> Do you know which of the following Let's Encrypt files is the correct one?
>
> root@Trinity:/etc/letsencrypt/archive/trinity.ingames.cz# ls -la
> total 24
> drwxr-xr-x 2 root root 4096 Feb 6 20:51 .
> drwx------ 3 root root 4096 Feb 6 20:51 ..
> -rw-r--r-- 1 root root 1805 Feb 6 20:51 cert1.pem
> -rw-r--r-- 1 root root 3452 Feb 6 20:51 fullchain1.pem
> -rw-r--r-- 1 root root 1647 Feb 6 20:51 chain1.pem
> -rw-r--r-- 1 root root 1704 Feb 6 20:51 privkey1.pem
>
> I'm not really sure how to use them for VPN otherwise.
>
> Best,
> JN
>
>
>> On 09.02.2017 18:29, Noel Kuntze wrote:
>> Hello Jose,
>>
>>> On 09.02.2017 at 16:55, Jose Novacho wrote:
>>>
>>> lrwxrwxrwx 1 root root 54 Feb 9 16:08 fullchain.pem -> /etc/letsencrypt/live/trinity.ingames.cz/fullchain.pem
>>>
>> Loading several certificates from a file is not supported.
>>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
> ------------------------------
>
> End of Users Digest, Vol 85, Issue 8
> ************************************
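An added example for the symlink and certificate-file question in messages 1, 2 and 5 of the quoted digest; it is not code from the thread or from strongSwan. The listing Jose posted already answers part of his last question: fullchain1.pem (3452 bytes) is exactly cert1.pem (1805) plus chain1.pem (1647), i.e. the end-entity certificate followed by the issuing CA, which is the "several certificates in one file" Noel's reply points at. strongSwan resolves a relative leftcert under /etc/ipsec.d/certs and expects one end-entity certificate there; the issuing CA belongs in /etc/ipsec.d/cacerts and the key in /etc/ipsec.d/private (referenced from ipsec.secrets). The script below builds a throwaway copy of the directory layout from the thread under a temp dir (dummy PEM bodies, not real certificates), follows the link chain the way charon's open() would, counts the certificates in the target, and splits a fullchain into the leaf and the rest. All function names and the demo tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: inspect what a
# leftcert= entry really points at and what the file contains.  A demo tree
# under a temp dir stands in for /etc; the PEM bodies are dummy text, not real
# certificates.  Function names are this example's own.

DEMO=$(readlink -f "$(mktemp -d)")
trap 'rm -rf "$DEMO"' EXIT
ARCHIVE=$DEMO/etc/letsencrypt/archive/trinity.ingames.cz
LIVE=$DEMO/etc/letsencrypt/live/trinity.ingames.cz
CERTS=$DEMO/etc/ipsec.d/certs      # strongSwan resolves a relative leftcert here
mkdir -p "$ARCHIVE" "$LIVE" "$CERTS"

# One fake PEM block; $1 is a placeholder body so the files are obviously dummies.
pem_block() {
cat <<EOF
-----BEGIN CERTIFICATE-----
$1
-----END CERTIFICATE-----
EOF
}

# Same layout as the listings in the thread: archive/ holds the files, live/
# holds relative symlinks to them, and ipsec.d/certs links into live/.
pem_block 'DUMMY LEAF (trinity.ingames.cz)' > "$ARCHIVE/cert1.pem"
pem_block 'DUMMY ISSUING CA'                > "$ARCHIVE/chain1.pem"
cat "$ARCHIVE/cert1.pem" "$ARCHIVE/chain1.pem" > "$ARCHIVE/fullchain1.pem"
ln -s ../../archive/trinity.ingames.cz/cert1.pem      "$LIVE/cert.pem"
ln -s ../../archive/trinity.ingames.cz/chain1.pem     "$LIVE/chain.pem"
ln -s ../../archive/trinity.ingames.cz/fullchain1.pem "$LIVE/fullchain.pem"
ln -s "$LIVE/fullchain.pem" "$CERTS/fullchain.pem"

# Path charon opens for a leftcert value: absolute as given, otherwise under certs/.
cert_path() { case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$CERTS/$1" ;; esac; }

# Follow every link in the chain to the regular file at the end.
resolve_target() { readlink -f "$1"; }

# Number of certificates in a PEM file (0 if none).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# First certificate only: what belongs in leftcert / ipsec.d/certs.
leaf_cert() { awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1"; }

# Everything after the first certificate: the issuers, which go to ipsec.d/cacerts.
chain_certs() { awk 'n>=1{print} /-----END CERTIFICATE-----/{n++}' "$1"; }

# Report for one leftcert value.  If the target is readable here (test -r as
# root) but charon still logs "Permission denied", the block is not the file
# mode: on Ubuntu the strongswan package confines charon with the AppArmor
# profile /etc/apparmor.d/usr.lib.ipsec.charon, and its denials appear as
# apparmor="DENIED" lines in the kernel log (dmesg).  That check is not run here.
report() {
    link=$(cert_path "$1")
    target=$(resolve_target "$link")
    n=$(count_certs "$target")
    printf 'leftcert=%s\n  opens:    %s\n  resolves: %s\n  readable: %s\n  certs:    %s\n' \
        "$1" "$link" "$target" "$([ -r "$target" ] && echo yes || echo no)" "$n"
    if [ "$n" -gt 1 ]; then
        echo "  -> $(basename "$target") is a chain; point leftcert at the first certificate" \
             "and install the remaining $((n - 1)) in ipsec.d/cacerts"
    fi
}

report fullchain.pem
```

Run as-is and it reports the demo fullchain.pem as a two-certificate chain; swap the demo root for a real /etc to inspect a live box, where `leaf_cert` and `chain_certs` give you the two files to place in certs/ and cacerts/ respectively.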
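An added example for the FAQ passage Noel quotes in message 4 (not code from the FAQ or the thread): with IPComp a tunnel's packets hit the netfilter chains as ESP, again as IP-in-IP (protocol 4, "ipencap" in /etc/protocols) after decompression, and finally as the inner packet, so a firewall that only admits ESP and the IKE ports drops the second pass. The script audits an iptables-save dump for explicit INPUT ACCEPT rules for ESP, UDP/500, UDP/4500 and protocol 4, and prints the rule that closes each gap. Assumptions that are this example's own: the dump is constructed for the demo, the checker only recognises explicit per-protocol rules (a catch-all `-m policy` rule without `-p` is not counted), the FORWARD chain is out of scope, and the suggested protocol-4 rule uses `-m policy --dir in --pol ipsec` so that IP-in-IP is accepted only when it arrived inside an IPsec SA rather than from anywhere.

```shell
#!/bin/sh
# Added example, not from the strongSwan FAQ or the thread: find the INPUT
# rules an IPComp-compressed IPsec tunnel needs but a ruleset lacks.  The
# dump below is constructed for the demo; it is a typical "ESP + IKE only"
# gateway ruleset that works until compress=yes is turned on.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT'

# True if some "-A INPUT ... -j ACCEPT" line in $1 contains the ERE $2.
input_accepts() {
    printf '%s\n' "$1" | grep -Eq "^-A INPUT .*$2.*-j ACCEPT$"
}

# Print the names of the required rules that are absent, space separated.
missing_ipcomp_input_rules() {
    rules=$1
    missing=""
    input_accepts "$rules" '-p esp '                 || missing="$missing esp"
    input_accepts "$rules" '-p udp .*--dport 500 '   || missing="$missing ike-500"
    input_accepts "$rules" '-p udp .*--dport 4500 '  || missing="$missing natt-4500"
    input_accepts "$rules" '-p (4|ipencap) '         || missing="$missing ipip"
    printf '%s\n' "${missing# }"
}

# The iptables command that closes each gap.  The ipip rule is restricted
# with the policy match so that protocol 4 is only accepted after IPsec
# decapsulation, not from arbitrary peers.
rule_for() {
    case $1 in
        esp)       echo 'iptables -A INPUT -p esp -j ACCEPT' ;;
        ike-500)   echo 'iptables -A INPUT -p udp --dport 500 -j ACCEPT' ;;
        natt-4500) echo 'iptables -A INPUT -p udp --dport 4500 -j ACCEPT' ;;
        ipip)      echo 'iptables -A INPUT -p 4 -m policy --dir in --pol ipsec -j ACCEPT' ;;
    esac
}

# The same dump after the missing rule has been added, for comparison.
FIXED_RULES="${SAMPLE_RULES%COMMIT}-A INPUT -p 4 -m policy --dir in --pol ipsec -j ACCEPT
COMMIT"

# Demo run: report each gap in the constructed dump with its fix.
for gap in $(missing_ipcomp_input_rules "$SAMPLE_RULES"); do
    echo "missing: $gap  ->  $(rule_for "$gap")"
done
echo "after fix, still missing: '$(missing_ipcomp_input_rules "$FIXED_RULES")'"
```

On a real gateway feed it `iptables-save` output (`missing_ipcomp_input_rules "$(iptables-save)"`), and repeat with ip6tables-save for IPv6 tunnels, since the quoted FAQ text calls for both.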
