(Background: I've set up net-vpn/networkmanager-l2tp with net-vpn/strongswan and my VPN didn't work. I've re-emerged strongswan without `non-root` and it started to work.) In the ebuild, I see: `non-root` does some additional actions which are not default for other net-vpn/networkmanager-* packages. The `non-root` flag shouldn't be turned on by default, maybe?
And one more thing: I don't know the details, but creating users and groups is handled that way in packages now. For instance, net-p2p/deluge depends on special packages acct-user/deluge and acct-group/deluge. They create the user and group using the acct-user and acct-group eclasses. Would you like to migrate to this system?
Indeed, it doesn't work in non-root mode because the charon daemon can't open the secret file after dropping privileges (from my logs):

```
[charon] 00[LIB] dropped capabilities, running as uid 987, gid 986
...
[charon] 07[CFG] rereading secrets
[charon] 07[CFG] loading secrets from '/etc/ipsec.secrets'
[charon] 07[CFG] opening secrets file '/etc/ipsec.secrets' failed: Permission denied
```

Workaround is to change group/permissions for some files:

```
# grep ipsec /etc/passwd
ipsec:x:987:986:added by portage for strongswan:/dev/null:/sbin/nologin
# grep ipsec /etc/group
ipsec:x:986:
```

Tweaks (note that `/etc/ipsec.secrets` includes `/etc/ipsec.d/ipsec.nm-l2tp.secrets`, thus):

```
# chown ipsec:ipsec /etc/ipsec.secrets
# chown ipsec:ipsec /etc/ipsec.d/ipsec.nm-l2tp.secrets
```

It smells like two bugs: one in `net-vpn/strongswan`, because

```
# equery b /etc/ipsec.secrets
 * Searching for /etc/ipsec.secrets ...
net-vpn/strongswan-5.9.0 (/etc/ipsec.secrets)
```

and another one in `networkmanager[-l2tp]` which generates dynamically (?) `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.
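The failure in the comment above comes down to who owns `/etc/ipsec.secrets` and the files it includes once charon runs as the `ipsec` account. The following Python check is an added example, not part of the thread or of strongSwan: it follows `include` lines and reports, for a given uid/gid, which secrets files are unreadable to that account or readable by everyone. The function names are hypothetical, relative includes are assumed to resolve against the including file's directory, and only owner/group/other mode bits are considered (no ACLs, no parent-directory permissions).

```python
import glob
import os
import stat


def secrets_files(path, seen=None):
    """Return `path` plus every file reachable through its `include` lines."""
    seen = [] if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:  # guard against include loops
        return seen
    seen.append(path)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return seen  # cannot follow includes; audit() still reports the file
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "include":
            pattern = os.path.join(os.path.dirname(path), parts[1].strip())
            for match in sorted(glob.glob(pattern)):
                secrets_files(match, seen)
    return seen


def audit(path, uid, gids):
    """Map each secrets file to ok / unreadable / world-readable / missing."""
    report = {}
    for f in secrets_files(path):
        try:
            st = os.stat(f)
        except OSError:
            report[f] = "missing"
            continue
        if st.st_mode & stat.S_IROTH:  # key material exposed to every local user
            report[f] = "world-readable"
        elif st.st_uid == uid:
            report[f] = "ok" if st.st_mode & stat.S_IRUSR else "unreadable"
        elif st.st_gid in gids:
            report[f] = "ok" if st.st_mode & stat.S_IRGRP else "unreadable"
        else:
            report[f] = "unreadable"  # the "Permission denied" case in the log
    return report


if __name__ == "__main__":
    # 987/986 are the ipsec uid/gid quoted in the comment; adjust for your host.
    for name, state in audit("/etc/ipsec.secrets", 987, {986}).items():
        print(f"{state:15} {name}")
```

Run it as root so the include lines can be read; a root-owned file with mode 0600 shows up as `unreadable` for the `ipsec` account.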
Is this still a problem? Which version is this related to? I can't recreate this behaviour.
I think this is fixed since f38ee93fe7a4a82f21d8292c3555e852928c9a57 (acct-user/ipsec), a9fedde1ebf5d74e865b14ced8daccce5b1a65b0 (acct-group/ipsec) and 5b75bbc28e33006510b81602231652b00b9d00b5 (=net-vpn/strongswan-5.9.1).