Todo #9603
closedStrongswan stroke is deprecated, move to swanctl/vici
Added by Chris Linstruth over 5 years ago. Updated almost 5 years ago.
100%
Description
Strongswan says:
Management Commands¶
The powerful swanctl command starts, stops and monitors IPsec connections.
The legacy ipsec command is deprecated but currently still supported.
Look at manipulating strongswan using swanctl/vici instead of ipsec/stroke.
Updated by Chris Linstruth over 5 years ago
- Private changed from No to Yes
Aside from the deprecated status of ipsec/stroke we have seen what appear to be random instances of strongswan saying things like this:
Jun 26 14:39:11 firewall charon: 10[CFG] <con2000|2190> looking for a child config for 172.19.122.200/32|/0 === 198.51.59.17/32|/0 Jun 26 14:39:11 firewall charon: 10[IKE] <con2000|2190> no matching CHILD_SA config found
When the CHILD_SA configuration plainly exists in the pfSense and strongswan configuration.
I raised this issue last year on the strongswan mailing list and Tobias responded with this:
Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG] <con4000|55> looking for a child config for 192.168.14.0/24|/0 === 192.168.16.0/24|/0 Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> no matching CHILD_SA config found IT'S RIGHT THERE: $ ipsec statusall con4000 Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64): uptime: 2 days, since Oct 27 22:44:06 2018 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10 loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters Listening IP addresses: 203.0.113.121 192.168.14.1 172.16.14.1 Connections: con4000: 203.0.113.121...198.51.100.49 IKEv1, dpddelay=10s con4000: local: [203.0.113.121] uses pre-shared key authentication con4000: remote: [198.51.100.49] uses pre-shared key authentication con4000: child: 192.168.14.0/24|/0 === 192.168.16.0/24|/0 TUNNEL, dpdaction=restart Routed Connections: con4000{552}: ROUTED, TUNNEL, reqid 1 con4000{552}: 192.168.14.0/24|/0 === 192.168.16.0/24|/0 Security Associations (3 up, 0 connecting): con4000[55]: ESTABLISHED 4 hours ago, 203.0.113.121[203.0.113.121]...198.51.100.49[198.51.100.49] con4000[55]: IKEv1 SPIs: 6dd2d30fcec4ee45_i* 0007aac07d503b24_r, pre-shared key reauthentication in 2 hours con4000[55]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 con4000[55]: Tasks queued: INFORMATIONAL con4000[55]: Tasks active: QUICK_MODE > IT'S RIGHT THERE: Not necessarily. The peer_cfg_t object referenced by the active IKE_SA might not contain the required child_cfg_t object anymore. This can happen if the `ipsec reload` command is used while the IKE_SA was already established. This command first removes and then re-adds all configs defined in ipsec.conf. So first all child_cfg_t objects with a specific name are deleted from all (globally shared) peer_cfg_t objects. Which means the object that the established IKE_SA references won't have any child_cfg_t objects in it anymore. Then a new peer_cfg_t object is added (because the stroke plugin removed the old one from its list after removing all the associated child_cfg_t objects), while the active IKE_SA continues to have a reference to the object. So the connection listed in the statusall output (under Connections) might refer to a different object albeit with the same name. However, that's not relevant to the IKE_SA, which only operates on it's current peer_cfg_t object (see #129 [1] for the very old ticket that describes this). The vici/swanctl configuration backend avoids this issue by replacing the child_cfg_t objects in existing peer_cfg_t objects atomically with those of the new config and not touching child_cfg_t objects in replaced peer_cfg_t objects. The deprecated stroke plugin doesn't do that because of the limited interface between the starter daemon and the plugin. But if the config of the active connection (or %default) has not changed, this problem can be avoided by using `ipsec update` to reload the config as that only affects modified configs. Regards, Tobias [1] https://wiki.strongswan.org/issues/129
I am fairly-well convinced that pfSense can do something smarter/better here.
Updated by Chris Linstruth over 5 years ago
I submitted a private comment and it changed the bug to private. Since his comment was on a public list there is no reason to keep it private I suppose.
Updated by Jim Pingle over 5 years ago
Moving to swanctl means rewriting all the code that outputs the config to change from ipsec.conf to swanctl.conf style.
There is a guide at https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf but given how complex the config generating code is, it's going to be a significant amount of work.
Updated by Jim Pingle about 5 years ago
- Tracker changed from Bug to Todo
- Status changed from New to In Progress
- Assignee set to Jim Pingle
I'm looking this over. A few more useful links:
swanctl.conf format:
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
swanctl directory layout:
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
usable examples with both old and new formats to compare:
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
Updated by Jim Pingle almost 5 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset c6220dcf7faf3492713c6c30bb86d3971b2772a9.
Updated by Florin Samareanu almost 5 years ago
Jim Pingle wrote:
Applied in changeset c6220dcf7faf3492713c6c30bb86d3971b2772a9.
Hello,
My setup has ipsec vti tunnels and since this change was pushed my tunnels don't come up automatically on reboot. My internet connection is pppoe over vlan and the thing I noticed is that sometimes it's slow to connect on reboot (pfsense takes few minutes to reboot while the internet connection gets established after 5-10 minutes).
What logs do you want me to provide?
Updated by Jim Pingle almost 5 years ago
Don't post anything here, but start a thread at https://forum.netgate.com/category/78/2-5-development-snapshots with a copy of your /var/etc/ipsec/swanctl.conf , logs from when it starts up, and any other relevant details you can think of.
Updated by Jim Pingle almost 5 years ago
- Status changed from Feedback to Resolved
This has been in for a while and working well. If any new problems come up they can be handled in their own separate issues.