Re: [strongSwan] ipsec_starter strikes charon for pluto's misdeeds
On Friday 2010-09-03 15:28, Gerd v. Egidy wrote:
>
>> Well, yes and no. In openSUSE 11.3, strongswan is split into
>> strongswan-ikev1, strongswan-ikev2, strongswan-ipsec (holds
>> ipsec.conf) and strongswan (dummy package holding a requires for -ikev1,
>> -ikev2, -ipsec).
>
>Splitting strongswan like this is what I would consider as good practice for
>any distribution.
>
>> ipsec.conf has been tuned to read
>>
>> include /etc/ipsec.*.conf
>
>Is that the default for the SUSE packages?

No it is not the SUSE default. It is a modification of mine --
following the recommendation of ipsec.conf(5)!

>I think it would be better to use something like
>
>include /etc/ipsec.d/*.conf

Tell that strongswan ;-)

>> And
>> placing plutostart=no anywhere may not work well with
>> othervpn.noarch.rpm. :)
>
>Sorry, I don't understand that part. What is othervpn.noarch.rpm for?

Well, assume there is one RPM package for each VPN setup. One cannot
know in advance that there will be no IKEv1 package installed in the
future, so using plutostart=no won't work.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] ipsec_starter strikes charon for pluto's misdeeds
> >> And
> >> placing plutostart=no anywhere may not work well with
> >> othervpn.noarch.rpm. :)
> >
> >Sorry, I don't understand that part. What is othervpn.noarch.rpm for?
>
> Well, assume there is one RPM package for each VPN setup. One cannot
> know in advance that there will be no IKEv1 package installed in the
> future, so using plutostart=no won't work.

We are using configuration-rpms on some systems too. This is one of the cases
where you have to take extra measures to make it work.

In cases like this we usually have a Makefile which creates all
configuration-dependent files. In your case that would be /etc/ipsec.conf. The
Makefile checks all existing configuration files and sets plutostart=yes|no and
charonstart=yes|no accordingly.

This Makefile is included in a base rpm which is required by all the
configuration rpms. Each configuration rpm then calls make in its %post
section.

Kind regards,

Gerd

--
Address (better: trap) for people I really don't want to get mail from:
jo...@cactusamerica.com
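The generation step described in the message above, written as shell functions rather than a Makefile. This is an added example, not part of the original thread and not Gerd's or strongSwan's own code. It assumes strongSwan 4.x behaviour, where a conn without keyexchange=ikev2 is handled by pluto; the names ike_daemons and gen_ipsec_conf are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide which IKE daemons the installed
# VPN snippets need. Assumptions: a conn without keyexchange, or with
# keyexchange=ike/ikev1, is served by pluto; "also=" is not followed;
# "conn %default" applies to conns read after it.

# ike_daemons FILE... -> prints "plutostart=yes|no charonstart=yes|no"
ike_daemons() {
    [ $# -gt 0 ] || { echo "plutostart=no charonstart=no"; return 0; }
    awk '
    function flush() {                 # account for the conn that just ended
        if (name == "" || name == "%default") return
        if ((kx != "" ? kx : dflt) == "ikev2") charon = 1; else pluto = 1
    }
    BEGIN { dflt = "ikev1" }
    FNR == 1 { flush(); name = "" }    # a section never spans two files
    /^[ \t]*#/ { next }
    $1 == "conn" { flush(); name = $2; kx = ""; next }
    $1 == "config" || $1 == "ca" { flush(); name = ""; next }
    /^[ \t]+keyexchange[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t#].*$/, "", v)
        if (name == "%default") dflt = v; else if (name != "") kx = v
    }
    END {
        flush()
        printf "plutostart=%s charonstart=%s\n", (pluto ? "yes" : "no"), (charon ? "yes" : "no")
    }' "$@"
}

# gen_ipsec_conf DIR -> prints an ipsec.conf for the snippets found in DIR
gen_ipsec_conf() {
    set -- "$1" "$1"/ipsec.*.conf
    dir=$1; shift
    [ -f "$1" ] || shift $#            # glob matched nothing
    echo "# generated from $dir/ipsec.*.conf, do not edit"
    echo "config setup"
    for kv in $(ike_daemons "$@"); do printf '\t%s\n' "$kv"; done
    echo "include $dir/ipsec.*.conf"
}

# demo: constructed snippets in a scratch directory
demo() {
    d=$(mktemp -d) || return 1
    printf 'conn company\n\tkeyexchange=ikev2\n' > "$d/ipsec.company.conf"
    gen_ipsec_conf "$d"                # charon only
    printf 'conn other\n\tauto=add\n' > "$d/ipsec.othervpn.conf"
    gen_ipsec_conf "$d"                # pluto as well
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see both generated files. In a %post scriptlet the output of gen_ipsec_conf /etc would be written to a temporary file and renamed over /etc/ipsec.conf.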
Re: [strongSwan] ipsec_starter strikes charon for pluto's misdeeds
Hi,

> Well, yes and no. In openSUSE 11.3, strongswan is split into
> strongswan-ikev1, strongswan-ikev2, strongswan-ipsec (holds
> ipsec.conf) and strongswan (dummy package holding a requires for -ikev1,
> -ikev2, -ipsec).

Splitting strongswan like this is what I would consider as good practice for
any distribution.

> ipsec.conf has been tuned to read
>
> include /etc/ipsec.*.conf

Is that the default for the SUSE packages?

I think it would be better to use something like

include /etc/ipsec.d/*.conf

> And
> placing plutostart=no anywhere may not work well with
> othervpn.noarch.rpm. :)

Sorry, I don't understand that part. What is othervpn.noarch.rpm for?

Kind regards,

Gerd

--
Address (better: trap) for people I really don't want to get mail from:
jo...@cactusamerica.com
Re: [strongSwan] ipsec_starter strikes charon for pluto's misdeeds
On Friday 2010-09-03 10:41, Tobias Brunner wrote:
>> #config setup
>> #nothing here
>
>Just define
>
>config setup
>    plutostart=no
>
>and you should be fine.

Well, yes and no. In openSUSE 11.3, strongswan is split into
strongswan-ikev1, strongswan-ikev2, strongswan-ipsec (holds
ipsec.conf) and strongswan (dummy package holding a requires for -ikev1,
-ikev2, -ipsec). ipsec.conf has been tuned to read

    include /etc/ipsec.*.conf

So that our in-house VPN configuration package(s) that provide
/etc/ipsec.company.conf can be easily installed on top.
As /etc/ipsec.company.conf contains

    keyexchange=ikev2

company-vpn.noarch.rpm technically only needs a Require on ikev2.--
And placing plutostart=no anywhere may not work well with
othervpn.noarch.rpm. :)
Re: [strongSwan] ipsec_starter strikes charon for pluto's misdeeds
Hi Jan,

> #config setup
> #nothing here

Just define

config setup
    plutostart=no

and you should be fine.

Regards,
Tobias