(Background: I've set up net-vpn/networkmanager-l2tp with net-vpn/strongswan and my VPN didn't work. I've re-emerged strongswan without `non-root` and it started to work.)
In ebuild, I see: `non-root` does some additional actions which are not default for other net-vpn/networkmanager-* packages.
`non-root` flag shouldn't be turned on by default, maybe?
And one more thing: I don't know the details, but creating users and groups is handled that way in packages now.
For instance, net-p2p/deluge depends on special packages acct-user/deluge and acct-group/deluge. They create user and group using acct-user and acct-group eclasses.
Would you like to migrate to this system?
Indeed, it doesn't work in non-root mode because the charon daemon can't open the secret file after dropping privileges (from my logs):
[charon] 00[LIB] dropped capabilities, running as uid 987, gid 986
[charon] 07[CFG] rereading secrets
[charon] 07[CFG] loading secrets from '/etc/ipsec.secrets'
[charon] 07[CFG] opening secrets file '/etc/ipsec.secrets' failed: Permission denied
Workaround is to change group/permissions for some files:
# grep ipsec /etc/passwd
ipsec:x:987:986:added by portage for strongswan:/dev/null:/sbin/nologin
# grep ipsec /etc/group
Tweaks (note that `/etc/ipsec.secrets` includes `/etc/ipsec.d/ipsec.nm-l2tp.secrets`, thus):
# chown ipsec:ipsec /etc/ipsec.secrets
# chown ipsec:ipsec /etc/ipsec.d/ipsec.nm-l2tp.secrets
It smells like two bugs: one in `net-vpn/strongswan`, because
# equery b /etc/ipsec.secrets
* Searching for /etc/ipsec.secrets ...
and another one in `networkmanager[-l2tp]`, which generates dynamically (?) `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.
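To check for the condition in the log above (charon running as uid 987 / gid 986 and failing on `/etc/ipsec.secrets` plus the file it includes) before restarting the daemon, here is an added shell script that is not part of this bug report: it walks a secrets file's include chain and flags every file the unprivileged daemon could not open. It assumes GNU coreutils stat(1) and takes a numeric uid/gid, so it also runs on constructed files.

```shell
#!/bin/sh
# Added example (not from the bug report): report every file in a strongSwan
# secrets include tree that the given uid/gid could not read after charon
# drops privileges. Assumes GNU stat(1); uid and gid are passed in numerically.

# readable_by UID GID OWNER OWNGROUP MODE -> 0 if UID:GID may read such a file
readable_by() {
    mode=$(printf '%s' "$5" | sed 's/.*\(...\)$/\1/')   # last three octal digits
    if [ "$1" = "$3" ]; then bits=$(printf '%s' "$mode" | cut -c1)
    elif [ "$2" = "$4" ]; then bits=$(printf '%s' "$mode" | cut -c2)
    else bits=$(printf '%s' "$mode" | cut -c3); fi
    [ $((bits & 4)) -eq 4 ]    # the read bit of the applicable class
}

# walk_secrets FILE: report FILE if unreadable, then follow its "include" lines
walk_secrets() {
    if [ ! -e "$1" ]; then
        echo "missing: $1"; unreadable=$((unreadable + 1)); return
    fi
    set -- "$1" $(stat -c '%u %g %a' "$1")   # $2 owner uid, $3 gid, $4 mode
    if ! readable_by "$ipsec_uid" "$ipsec_gid" "$2" "$3" "$4"; then
        echo "unreadable by $ipsec_uid:$ipsec_gid: $1 (owner $2:$3, mode $4)"
        unreadable=$((unreadable + 1))
    fi
    [ -r "$1" ] || return   # cannot follow includes of a file we cannot open
    while read -r key pat; do
        [ "$key" = include ] || continue
        # relative include paths are resolved against the including file's directory
        case $pat in /*) ;; *) pat=$(dirname "$1")/$pat ;; esac
        for path in $pat; do walk_secrets "$path"; done   # globs expand here
    done < "$1"
}

# check_secrets UID GID FILE -> 0 only if FILE and all included files are readable
check_secrets() {
    ipsec_uid=$1 ipsec_gid=$2 unreadable=0
    walk_secrets "$3"
    [ "$unreadable" -eq 0 ]
}

# On a real host, with the uid/gid from the log above:
#   check_secrets 987 986 /etc/ipsec.secrets
```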