Re: [Bug 1535951] Re: Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)
>> i think the kernel-libipsec plugin should not be loaded by default
>>
>> the plugin works only with UDP encapsulated packets
>>
>> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)
>>
>> and this will break most of the "normal"/LAN setups
>>
>
> The kernel-libipsec plugin is optional; a user must apt-get install
> libstrongswan-extra-plugins.
> I've installed the extra plugins in a VM which uses NAT configuration and
> none of the networking was broken if the kernel-libipsec module was loaded
> (but unconfigured).

There is nothing to configure, as long as it gets loaded before any of the other kernel-ipsec implementations (that's the default) it gets used as IPsec backend (i.e. IPsec is then handled in userland, not the kernel). As described on the wiki page, it is not generally recommended to be used.

> However, I'm interested if you can expand on what setup would break? We
> certainly don't want to break or surprise users so I'd like to understand
> what "breaks" if the module is loaded by default.

Refer to the wiki page above. One example is host-to-host tunnels, which require additional configuration, then there are the performance limitations.

>> i would build and include the plugin but disable the loading with
>>
>> /etc/strongswan.d/charon/kernel-libipsec.conf
>>> load = no

That would be an option, another is to put the plugin and config snippet into a separate package.

Regards,
Tobias

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1535951

Title:
  Please merge strongswan 5.3.5-1 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
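The point made in the reply above is that kernel-libipsec needs no configuration to take over: whichever IPsec backend plugin charon loads first becomes the active one. The following is an added example, not strongSwan's or the Ubuntu package's code, that answers the practical question of whether a host is running IPsec in userland by reading the plugin order from `ipsec statusall` output. It assumes that the "loaded plugins:" line reflects load order and that the first plugin from the listed set of IPsec backends is the one that registered; the statusall text is a constructed, shortened sample.

```python
# Added example (not strongSwan's or the Ubuntu package's own code).
# Assumption: charon prints "loaded plugins:" in load order, and the first
# plugin from IPSEC_BACKENDS in that order is the registered IPsec backend.
import re
from typing import List, Optional

# Constructed sample of `ipsec statusall` output; the plugin list is shortened.
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0, x86_64):
  uptime: 2 minutes, since Jan 20 10:00:00 2016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 sha1 random nonce x509 pem openssl kernel-libipsec kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  192.0.2.10
"""

# Plugins that provide the IPsec (SA/policy) backend; kernel-pfroute/kernel-iph
# only provide the network interface and are therefore not listed.
IPSEC_BACKENDS = {"kernel-libipsec", "kernel-netlink", "kernel-pfkey", "kernel-wfp"}
USERLAND_BACKENDS = {"kernel-libipsec"}


def loaded_plugins(statusall: str) -> List[str]:
    """Return the plugin names from the 'loaded plugins:' line, in order."""
    m = re.search(r"^\s*loaded plugins:\s*(.*)$", statusall, re.MULTILINE)
    return m.group(1).split() if m else []


def active_kernel_backend(statusall: str) -> Optional[str]:
    """First IPsec backend plugin in load order, i.e. the one handling SAs/policies."""
    for name in loaded_plugins(statusall):
        if name in IPSEC_BACKENDS:
            return name
    return None


def ipsec_in_userland(statusall: str) -> bool:
    """True when ESP processing runs inside charon (libipsec) instead of the kernel."""
    return active_kernel_backend(statusall) in USERLAND_BACKENDS


def disable_plugin_snippet(plugin: str) -> str:
    """Snippet for /etc/strongswan.d/charon/<plugin>.conf that keeps the plugin
    installed but stops charon from loading it (the 'load = no' option above)."""
    return f"{plugin} {{\n    load = no\n}}\n"


if __name__ == "__main__":
    backend = active_kernel_backend(SAMPLE_STATUSALL)
    print(f"active IPsec backend: {backend}")
    if ipsec_in_userland(SAMPLE_STATUSALL):
        print("IPsec is handled in userland; to hand it back to the kernel, "
              "write this to /etc/strongswan.d/charon/kernel-libipsec.conf:")
        print(disable_plugin_snippet("kernel-libipsec"))
```

On a real host, feed the script the output of `ipsec statusall` instead of the constructed sample; if kernel-libipsec comes out as the backend and the setup is not a NAT-traversal/UDP-encapsulated one, the `load = no` snippet is the fix discussed in the thread.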
[Bug 1451091] Re: new upstream version 5.2.2
Thanks for the example config. The client will encode the identity as FQDN and the server is forced to encode it as keyid (the content will be the same but the type is different). So there won't be a match.

Looking at the screenshot I'm not sure how to configure a FQDN in the pfSense GUI, perhaps Distinguished name even though the DN in FQDN stands for domain name.

Additionally, the identity in ipsec.secrets on the server is also encoded as FQDN as the prefix is missing (should probably be reported to pfSense).

Also, rightid is missing on the server, so authentication will fail anyway as the server will default to the client's IP address, which won't match the client's leftid (omnicon-5900).

Selecting the identity type could make sense, but the identities would have to be encoded properly (e.g. parse the configured string according to the type and binary encode it, then prefix it), otherwise the result will not be what the user intended (e.g. leftid=ipv4:192.168.0.1 is not the same thing as leftid=192.168.0.1 or leftid=ipv4:#c0a80001).

--
https://bugs.launchpad.net/bugs/1451091
Title: new upstream version 5.2.2
[Bug 1451091] Re: new upstream version 5.2.2
> The current version of Strongswan (5.1.2) does not work with newer versions
> of pfSense (Strongswan 5.3.2 based). When using IPsec IKEv2/PSK the identity
> type is now prefixed leftid and rightid for better matching.

Hm, could you elaborate on that? For instance, provide example configs?

At a first glance I'd say what pfSense does is wrong, as it seems to send incorrectly encoded identity payloads. As described in the man/wiki page, you can't just prefix a string with a prefix and expect that to work correctly. These prefixes are really mostly useful in special situations (e.g. to encode a FQDN as keyid).

--
https://bugs.launchpad.net/bugs/1451091
Title: new upstream version 5.2.2
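Both replies in this bug turn on the same detail: a type prefix on leftid/rightid does not make strongSwan parse the rest of the string according to that type, it only sets the ID type and takes the remainder as raw data (or as hex after `#`). The following is an added example, not strongSwan's code, that models those documented rules in a few dozen lines so the mismatches named in the replies (FQDN vs. keyid with identical content, `ipv4:192.168.0.1` vs. `192.168.0.1` vs. `ipv4:#c0a80001`) can be reproduced offline. It is a simplified model: the prefix table and the unprefixed heuristics are assumed to match the ipsec.conf man page, only a subset of types is handled, and `Identity.payload()` uses the RFC 7296 ID type codes.

```python
# Added example (not strongSwan's own code): a simplified model of how a
# leftid/rightid string becomes an IKEv2 Identification payload (type + data).
# Assumption: the prefix table and '#'-hex rule below mirror the behaviour
# documented in the ipsec.conf man page; unlisted types are out of scope.
import ipaddress
from typing import NamedTuple

# IKEv2 ID type codes from RFC 7296, section 3.5
ID_TYPE = {
    "ipv4": 1, "fqdn": 2, "rfc822": 3, "ipv6": 5,
    "asn1dn": 9, "asn1gn": 10, "keyid": 11,
}

# Config prefixes and the ID type each one selects
PREFIXES = {
    "ipv4:": "ipv4", "ipv6:": "ipv6",
    "rfc822:": "rfc822", "email:": "rfc822",
    "fqdn:": "fqdn", "dns:": "fqdn",
    "asn1dn:": "asn1dn", "asn1gn:": "asn1gn",
    "keyid:": "keyid",
}


class Identity(NamedTuple):
    id_type: str
    data: bytes

    def payload(self) -> bytes:
        # ID Type (1 byte) + RESERVED (3 bytes) + Identification Data
        return bytes([ID_TYPE[self.id_type], 0, 0, 0]) + self.data


def parse_identity(s: str) -> Identity:
    """Model of the identity parsing rules for an ipsec.conf string.

    With an explicit prefix the remainder is taken verbatim, or as hex if it
    starts with '#'; no per-type parsing happens, which is why
    'ipv4:192.168.0.1' does not yield the 4-byte address.
    Without a prefix the string is classified heuristically.
    """
    for prefix, id_type in PREFIXES.items():
        if s.lower().startswith(prefix):
            rest = s[len(prefix):]
            if rest.startswith("#"):
                return Identity(id_type, bytes.fromhex(rest[1:]))
            return Identity(id_type, rest.encode())
    if s.startswith("@#"):                      # '@#<hex>' is a KEY_ID
        return Identity("keyid", bytes.fromhex(s[2:]))
    if s.startswith("@"):                       # '@host' forces FQDN
        return Identity("fqdn", s[1:].encode())
    if "@" in s:                                # user@host is RFC822
        return Identity("rfc822", s.encode())
    try:                                        # dotted quad / IPv6 -> binary address
        addr = ipaddress.ip_address(s)
        return Identity("ipv4" if addr.version == 4 else "ipv6", addr.packed)
    except ValueError:
        pass
    return Identity("fqdn", s.encode())         # plain name -> FQDN


def config_string(id_type: str, value: str) -> str:
    """Build a prefixed config string that really encodes `value` as `id_type`.

    This is the 'parse according to the type, binary encode it, then prefix
    it' approach from the reply: the bytes are produced here and written as
    '#<hex>' so the parser above cannot misinterpret them.
    """
    if id_type in ("ipv4", "ipv6"):
        data = ipaddress.ip_address(value).packed
    elif id_type in ("fqdn", "rfc822", "keyid"):
        data = value.encode()
    else:
        raise ValueError(f"unsupported type for this example: {id_type}")
    return f"{id_type}:#{data.hex()}"


def identities_match(a: str, b: str) -> bool:
    """A received ID matches a configured one only if type AND data agree."""
    return parse_identity(a) == parse_identity(b)


if __name__ == "__main__":
    # The mismatch from the bug: FQDN on the client, keyid on the server.
    print(identities_match("omnicon-5900", "keyid:omnicon-5900"))      # False
    print(identities_match("omnicon-5900", "fqdn:omnicon-5900"))       # True
    # The leftid examples from the reply.
    print(identities_match("ipv4:192.168.0.1", "192.168.0.1"))         # False
    print(identities_match("ipv4:#c0a80001", "192.168.0.1"))           # True
    print(config_string("ipv4", "192.168.0.1"))                        # ipv4:#c0a80001
```

The `config_string` helper shows what a GUI that lets the user pick an identity type would have to emit: either the bare value (which strongSwan classifies itself) or a prefix followed by the hex of the correctly encoded bytes, never the prefix glued onto the human-readable string.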
[Bug 1309594] Re: kernel-libipsec not loading
While debian/strongswan-plugin-kernel-libipsec.install lists usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so, the strongswan-plugin-kernel-libipsec package does not actually include that file.

The reason for this is how dh_install is called in debian/rules: due to the -Xlibstrongswan-kernel option all kernel plugins are excluded from the packages. The kernel-netlink/pfroute/pfkey plugins are added manually to the libstrongswan package depending on the target platform (i.e. FreeBSD vs. Linux). I suppose something similar could be done to add the kernel-libipsec plugin to the plugin-kernel-libipsec package.

--
https://bugs.launchpad.net/bugs/1309594
Title: kernel-libipsec not loading