New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
strongswan: swanctl init script doesn't load connections #15446
Comments
A while ago when I was trying to implement swanctl support myself, I also had this issue. The solution I came up with back then was stintel@b489d87, but it's quite hackish. |
Did you have a preexisting |
It is part of the strongswan package:
|
Hmm...
I don't see anything in |
The issue here is that /var/swanctl/strongswan.conf isn't included by default for some reason. |
Why should /var/swanctl/strongswan.conf be included? My configs are in /etc/swanctl/conf.d/*.conf... |
Because the generated config files are ephemeral and storing them in /var guarantees that they do not conflict with user defined files, packaged files, or are included in a tarball of the configuration (which would be redundant because they are a product of a script and the UCI config that is in in /etc). The swanctl.init script generates a strongswan.conf file to set the options necessary for the correct functioning of the generated configs. It also generates a swanctl.conf file that contains the generated tunnel configurations. On the test machine the inclusion worked fine. We now have to figure out why it doesn't work for you. I propose just packaging a very short config file in swanctl/conf.d and strongswan.d that include the corresponding file in /var. |
|
@stintel Please check for opkg-new files. |
There aren't any related to strongSwan
|
Weird. With -5, the includes were just appended to the config files. See 643df01. |
What does the tail of your
|
Either way, not relevant as |
It is relevant because that file will contain the config generated by the swanctl init script. |
But it doesn't contain anything right now, so it's not relevant to this problem? |
It is relevant as far as we can see that at the very least this file was installed correctly. |
Any ideas? As you're deprecating the old ipsec script you're actively suggesting people to migrate from something that works to something that is broken... |
The package contains the correct strongswan config files to include the ones generated by the script, so your setup is the odd one. On our test machine the issue does not occur. Please try to reproduce it.
Also, the reason the old script is getting deprecated is because upstream is removing the ipsec/stroke config backend in version 6.0.0, which is relatively close. With version 6.0.0, the old script won't work as intended anymore because the generated ipsec.conf file won't be read anymore.
Son it's not our decision. And I have no leverage on the issue.
Am May 4, 2021 9:54:53 AM UTC schrieb Stijn Tintel ***@***.***>:
…Any ideas? As you're deprecating the old ipsec script you're actively
suggesting people to migrate from something that works to something
that is broken...
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#15446 (comment)
--
Sent from mobile
|
Forcing people to migrate to UCI is not acceptable. If the swanctl script does not load connections configured in /etc/swanctl/swanctl.conf (or files included from there), that is a bug. This combined with the fact that the ipsec init script now actively tells people it is deprecated will result in people losing access to devices in the field. This is never acceptable, and especially not in the current times with travel restrictions. I've stressed this multiple times when I was still maintaining the package. The fact that strongSwan 6.0.0 will deprecate ipsec entirely doesn't change anything to this. While I agree that something needs to be done before strongSwan 6.0.0 arrives, the risk of people losing access to devices should be avoided at all cost. |
It does load these configs. That is why there is an include there.
Am 05.05.21 um 16:51 schrieb Stijn Tintel:
… Forcing people to migrate to UCI is not acceptable. If the swanctl script does not load connections configured in /etc/swanctl/swanctl.conf (or files included from there), that is a bug. This combined with the fact that the ipsec init script now actively tells people it is deprecated /will/ result in people losing access to devices in the field. This is never acceptable, and especially not in the current times with travel restrictions. I've stressed this multiple times when I was still maintaining the package.
The fact that strongSwan 6.0.0 will deprecate ipsec entirely doesn't change anything to this. While I agree that something needs to be done before strongSwan 6.0.0 arrives, the risk of people losing access to devices should be avoided at all cost.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#15446 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA3QSQNE4RHFFX2YAVLNR4TTMFLPXANCNFSM43EGXW2Q>.
--
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
|
No, it does not.
None of the connections in the files matched by the first include are loaded by the init script. I have to manually run |
That is because for some reason, despite the packaged file contains the include for the generated strongswan.conf in /var, the file that you have on your system does not have the include. It appears to be the old version. And you stated you have no opkg-new file for it either.
That is why I asked you to reproduce the issue.
By default strongswan does not load any swanctl configs. It has to made to so either by using the init daemon (charon-systemd and system work fine
like that because charon-systemd tells systemd when it's ready and then it can execute the command to tell it to do so.
That does not work reliably with any other init daemon because none of them implements anything that could be used to notify it of system daemon readiness (e.g. charon/charon-systemd of strongswan). In these cases charon.start-scripts needs to be used to tell it to load the configs. The file
generated by the new swanctl init script does that. It contains the relevant lines. So if it is set up, all configs are loaded.
Please try to reproduce the issue.
|
Just remove /etc/config/ipsec. |
What do you mean with that? |
I'm assuming loading the connections is handled by https://github.com/openwrt/packages/blob/master/net/strongswan/files/swanctl.init#L555-L557 This is part of the config_ipsec() function which is called here. When /etc/config/ipsec does not exist, the init script will not run config_ipsec at all so it will not append that start-script snippet to the included config file and |
Additionally I was lacking Imo it would be better to just ship a file /etc/strongswan.d/start-scripts.conf or so in strongswan-swanctl that contains:
This would avoid appending in the Makefile, and reduce the appending in the init script, for a much cleaner solution imo. |
I gave up maintainership of this package because I no longer have the energy to devote much time on this. I'm glad you took over that role, but please, do a better job. The swanctl init script was rushed, imo, and it shows. |
No, that'd change the behaviour of the daemon even if the service was not used and it would cause unnecessary opkg-new files to be created when the package is updated and the user edited them. |
Fixes issue openwrt#15446 Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Fixes issue openwrt#15446 Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Please try out PR #15575. |
Fixes issue openwrt#15446 Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If you ship the file with the package it wouldn't be runtime generated. And you could either exclude the file from conffiles, or add a header that says the file is not to be edited. That would solve the -opkg file creation. As for the changing behaviour of the daemon, I think an unconditional load-all is exactly what happens on systemd-based systems. I don't see why this would be a problem. If a user doesn't want the service he can disable it or not install it at all. |
Resolved with PR #15575. |
Maintainer: @pprindeville @Thermi
Environment: OpenWrt master r16565-37958f0d115 on octeon (Ubiquiti EdgeRouter Lite)
Description:
The swanctl init script doesn't load connections defined in /etc/swanctl/conf.d/. The file /etc/swanctl/conf.d/ contains
include conf.d/*.conf
, and runningswanctl --load-all
manually works fine. The deprecated ipsec script is disabled.The text was updated successfully, but these errors were encountered: