On Tue, 24 Oct 2023 at 06:55, Brady Johnson <[email protected]> wrote:
>
> Hello,
>
> I am migrating from Libreswan 4.5 to the latest version, and I notice that
> the "ipsec show" command no longer exists in the latest version.
>
> I looked around git a little, and found this commit:
>
> commit a4d3d235e89739691b4d4acfe6eff280dcbcc763
> Author: Andrew Cagney <[email protected]>
> Date:   Fri Aug 12 15:42:50 2022 -0400
>
>     ipsec: make <<ipsec {look,show,verify}>> linux only
>
> I looked at the code changes in that git commit, and saw that the "ipsec
> show" and other scripts were removed, and never added for linux only.

These are the commits to look at:

commit 55fac9bcc7f44606178dcd936396e9763c4003c6
Author: Andrew Cagney <[email protected]>
Date:   Sat Sep 30 13:42:28 2023 -0400

    ipsec look: delete

-> the testsuite is using the experimental scripts
ipsec-kernel-{state,policy}.sh but the assumption is that someone on
linux knows about ip xfrm, on *bsd, setkey, and on openbsd something I
forget (hence the test scripts :-)

commit 0cfec8bc587296d9f1f6619fe6bc75711858e9d9
Author: Paul Wouters <[email protected]>
Date:   Tue Sep 5 11:13:20 2023 -0400

    programs: Remove support for ipsec show and ipsec verify

    These tools are not commonly used, and have not aged very well. It
    also causes the package to pull in a python dependency.

    Note that "ipsec portexcludes" uses python, but it is not installed
    by default.

    See also: https://github.com/coreos/fedora-coreos-tracker/issues/1504

-> fwiw I think using <<ipsec show>> to run an esoteric linux only
command was a really really unfortunate choice; it excluded any
possibility of <<ipsec show policy>> et al.

commit c1a5581431a4c1f1c174722299b0fafbf695c4fd
Author: Tuomo Soini <[email protected]>
Date:   Thu Apr 13 22:34:54 2023 +0300

    ipsec: replace all auto functionality

    This change replaces "ipsec auto {command}" with "ipsec {command}"
    maintaining compatibility with old usage when possible. Also remove
    -- from commands, so "ipsec auto --up connname" got

> Before I dig around more, is there a reason this was not added for Linux
> only? If needed, I can create a PR to add it.
>
> I find the IPs in the output of this command VERY useful when managing
> multiple tunnels. Maybe there is another way to get this info??
>
> ipsec show
> 172.16.2.0/24 <=> 172.16.111.0/24 using reqid 16393
> 172.16.2.0/24 <=> 172.16.110.0/24 using reqid 16389
> 172.16.2.0/24 <=> 172.16.113.0/24 using reqid 16401
> 172.16.2.0/24 <=> 172.16.117.0/24 using reqid 16409
> 172.16.2.0/24 <=> 172.16.112.0/24 using reqid 16397
> fd02::/64 <=> fd03:116::/64 using reqid 16413

Now is the time to raise this :-)

<<ipsec connectionstatus>> includes:

    192.0.1.0/24===192.1.2.45[@west]...192.1.2.23[@east]===192.0.2.0/24;

(er, I don't see reqid anywhere in the connectionstatus output?)

but good luck deciphering it. Its appearance is also config sensitive.
And it is struggling with multiple selectors.

There's also trafficstatus, but it doesn't include the topology (its
stats are per SA and not per policy combination)

so ideas welcome,
Andrew
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
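The thread says the removed "ipsec show" wrapped a Linux-only kernel command and that a Linux admin is expected to know "ip xfrm". As an added example (not Libreswan code and not posted by anyone in the thread), the sh/awk filter below rebuilds the old "src <=> dst using reqid N" summary from the output of "ip xfrm policy". It assumes the usual "ip xfrm policy" text layout (a "src A dst B" selector line, an indented "dir out|in|fwd" line, then a "tmpl" block whose "proto esp reqid N mode tunnel" line carries the reqid). The embedded policy dump is constructed for the demonstration: it reuses two of Brady's subnets with made-up gateway addresses and includes the in/fwd duplicates and the default socket policies that a real dump contains.

```sh
#!/bin/sh
# Added example: reproduce the topology summary of the removed "ipsec show"
# from "ip xfrm policy" output. Not part of Libreswan.
#
# Only outbound ESP policies are reported, so each selector pair appears
# once instead of three times (out/fwd/in share the same reqid). Socket
# policies and pass-through policies have no ESP template and print nothing.

summarize_xfrm_policies() {
    awk '
        # Selector line: "src A dst B" starts a new policy record.
        # Matching on $1 keeps the indented "tmpl src ... dst ..." line out.
        $1 == "src" { src = $2; dst = $4; dir = ""; next }

        # Direction line: "dir out|in|fwd priority N ptype main".
        $1 == "dir" { dir = $2; next }

        # Template line: "proto esp reqid N mode tunnel" carries the reqid
        # that ties this policy to its SA state (ip xfrm state).
        $1 == "proto" && $2 == "esp" && dir == "out" {
            for (i = 1; i <= NF; i++)
                if ($i == "reqid") reqid = $(i + 1)
            printf "%s <=> %s using reqid %s\n", src, dst, reqid
        }
    '
}

# Constructed sample of "ip xfrm policy" output (gateway addresses are made up).
SAMPLE_XFRM_POLICY='src 172.16.2.0/24 dst 172.16.111.0/24
    dir out priority 1753871 ptype main
    tmpl src 192.1.2.45 dst 192.1.2.23
        proto esp reqid 16393 mode tunnel
src 172.16.111.0/24 dst 172.16.2.0/24
    dir fwd priority 1753871 ptype main
    tmpl src 192.1.2.23 dst 192.1.2.45
        proto esp reqid 16393 mode tunnel
src 172.16.111.0/24 dst 172.16.2.0/24
    dir in priority 1753871 ptype main
    tmpl src 192.1.2.23 dst 192.1.2.45
        proto esp reqid 16393 mode tunnel
src fd02::/64 dst fd03:116::/64
    dir out priority 1753871 ptype main
    tmpl src 2001:db8::1 dst 2001:db8::2
        proto esp reqid 16413 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main'

# Offline demonstration on the constructed dump.
printf '%s\n' "$SAMPLE_XFRM_POLICY" | summarize_xfrm_policies

# Live use on a Linux gateway (needs root to read the SPD):
#   ip xfrm policy | summarize_xfrm_policies
```

Because the reqid is printed, the same value can be matched against "ip xfrm state" to see which SAs currently back a policy, which is the per-policy view that trafficstatus (per SA) does not give.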
