Implemented IPsec Mobile client expert tunnel configuration #3298

Closed
Contributor

stumbaumr commented Mar 8, 2019

Hi,

We have the requirement to assign separate virtual IP pools to different IPsec mobile user groups. I understand that adjusting the WebUI to cater for our specific need is rather complex. I went through comparable requests from other people and realised their requirements are still well different from ours.

So my conclusion was that there are two possible setups:

  • The existing options are good enough for most people
  • The desired options are so complex that a WebUI will never be sufficient

I therefore opened a feature request (#3295) to allow for an expert tunnel configuration.

This PR is the result of the above feature request.

We had to rearrange some of the code for generating strongswan.conf, which is in our opinion backwards compatible.

The only new fixed addition is class_group = yes - but that should have no influence as well.

So we are awaiting possible feedback and hope to get that expert tunnel config included.

Best regards
Mark & Rainer

Member

AdSchellevis commented Mar 8, 2019

Maybe we could think of some sort of hooking, but plain text GUI input for configuration files is something we don't want to support (impossible to validate, prone to all sorts of errors).

Contributor Author

stumbaumr commented Mar 8, 2019

So are you going to remove the „Advanced configuration“ from OpenVPN?
There seems to be no validation as well...

Member

AdSchellevis commented Mar 8, 2019

Unfortunately not, no, it's one of the very few leftovers from our legacy base. Although we're not planning on implementing new future issues.

For new components we often try to support template hooks, which allow bootstrapping custom configs, which isn't available for regular users. Maybe we can think of something flexible here as well; if time permits we would like to clean up some parts in IPsec anyway.

Contributor Author

stumbaumr commented Mar 8, 2019

So we are just going to go live with our patch then and maintain it until there is a proper solution...

stumbaumr closed this Mar 8, 2019
stumbaumr reopened this Mar 9, 2019

Contributor Author

stumbaumr commented Mar 9, 2019

So then: How about just always having an include ipsec.*.conf in ipsec.conf and an include ipsec.*.secrets at the bottom of the generated files?

Would a PR for that be acceptable? It requires knowledge of the command line anyhow, and only the knowledgeable are creating files manually.

Member

AdSchellevis commented Mar 9, 2019

@stumbaumr I think it will, strongswan indeed has an excellent include option there.

Contributor Author

stumbaumr commented Mar 10, 2019

So is a PR acceptable that only adds the includes all the time, or do you want a checkbox to activate that functionality specifically?

I can imagine users complaining about magically appearing conn's that are configured on the filesystem and then forgotten about...

I would put that checkbox under "Advanced settings"...
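
Added example, not part of the thread or of the project's code: a small audit that follows the `include ipsec.*.conf` lines discussed above and reports which `conn`/`ca` sections come from hand-written include files rather than from the generated `ipsec.conf`. The file names, the sample contents and the rule that relative patterns resolve against the including file's directory are assumptions of this sketch.

```python
import glob, os, re, tempfile

SECTION = re.compile(r"^(conn|ca)\s+(\S+)")   # sections start in the first column
INCLUDE = re.compile(r"^include\s+(\S+)")

def conns_by_file(path, seen=None):
    """Map every config file reachable from `path` to the sections it defines."""
    seen = {} if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:                           # guard against include loops
        return seen
    seen[path] = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()   # drop comments
            m = INCLUDE.match(line)
            if m:
                # Assumption: relative patterns are relative to the including file.
                pattern = os.path.join(os.path.dirname(path), m.group(1))
                for inc in sorted(glob.glob(pattern)):
                    conns_by_file(inc, seen)
                continue
            m = SECTION.match(line)
            if m:
                seen[path].append(f"{m.group(1)} {m.group(2)}")
    return seen

def unmanaged(main_path):
    """Sections defined in included files, i.e. outside the generated main file."""
    main = os.path.abspath(main_path)
    return {os.path.basename(f): names
            for f, names in conns_by_file(main).items() if f != main and names}

def demo():
    # Constructed sample files, not taken from a real system.
    files = {
        "ipsec.conf": "config setup\n\nconn con1\n  auto=add\n\ninclude ipsec.*.conf\n",
        "ipsec.groupA.conf": "conn groupA  # hand-written\n  rightsourceip=10.10.1.0/24\n",
        "ipsec.old.conf": "conn forgotten\n  auto=start\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return unmanaged(os.path.join(d, "ipsec.conf"))

if __name__ == "__main__":
    print(demo())
```

Run against the real configuration directory, `unmanaged()` gives a list to review for connections that were created on the filesystem and then forgotten.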
