Todo #9603
closed
Strongswan stroke is deprecated, move to swanctl/vici
Added by Chris Linstruth over 6 years ago. Updated about 6 years ago.
100%
Description
Strongswan says:
Management Commands¶
The powerful swanctl command starts, stops and monitors IPsec connections.
The legacy ipsec command is deprecated but currently still supported.Look at manipulating strongswan using swanctl/vici instead of ipsec/stroke.
Updated by Chris Linstruth over 6 years ago
- Private changed from No to Yes
Aside from the deprecated status of ipsec/stroke we have seen what appear to be random instances of strongswan saying things like this:
Jun 26 14:39:11 firewall charon: 10[CFG] <con2000|2190> looking for a child config for 172.19.122.200/32|/0 === 198.51.59.17/32|/0 Jun 26 14:39:11 firewall charon: 10[IKE] <con2000|2190> no matching CHILD_SA config found
When the CHILD_SA configuration plainly exists in the pfSense and strongswan configuration.
I raised this issue last year on the strongswan mailing list and Tobias responded with this:
Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG] <con4000|55> looking for a child config for 192.168.14.0/24|/0 === 192.168.16.0/24|/0
Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> no matching CHILD_SA config found
IT'S RIGHT THERE:
$ ipsec statusall con4000
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64):
uptime: 2 days, since Oct 27 22:44:06 2018
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
Listening IP addresses:
203.0.113.121
192.168.14.1
172.16.14.1
Connections:
con4000: 203.0.113.121...198.51.100.49 IKEv1, dpddelay=10s
con4000: local: [203.0.113.121] uses pre-shared key authentication
con4000: remote: [198.51.100.49] uses pre-shared key authentication
con4000: child: 192.168.14.0/24|/0 === 192.168.16.0/24|/0 TUNNEL, dpdaction=restart
Routed Connections:
con4000{552}: ROUTED, TUNNEL, reqid 1
con4000{552}: 192.168.14.0/24|/0 === 192.168.16.0/24|/0
Security Associations (3 up, 0 connecting):
con4000[55]: ESTABLISHED 4 hours ago, 203.0.113.121[203.0.113.121]...198.51.100.49[198.51.100.49]
con4000[55]: IKEv1 SPIs: 6dd2d30fcec4ee45_i* 0007aac07d503b24_r, pre-shared key reauthentication in 2 hours
con4000[55]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
con4000[55]: Tasks queued: INFORMATIONAL
con4000[55]: Tasks active: QUICK_MODE
> IT'S RIGHT THERE:
Not necessarily. The peer_cfg_t object referenced by the active IKE_SA
might not contain the required child_cfg_t object anymore.
This can happen if the `ipsec reload` command is used while the IKE_SA
was already established. This command first removes and then re-adds
all configs defined in ipsec.conf. So first all child_cfg_t objects
with a specific name are deleted from all (globally shared) peer_cfg_t
objects. Which means the object that the established IKE_SA references
won't have any child_cfg_t objects in it anymore. Then a new peer_cfg_t
object is added (because the stroke plugin removed the old one from its
list after removing all the associated child_cfg_t objects), while the
active IKE_SA continues to have a reference to the object. So the
connection listed in the statusall output (under Connections) might
refer to a different object albeit with the same name. However, that's
not relevant to the IKE_SA, which only operates on it's current
peer_cfg_t object (see #129 [1] for the very old ticket that describes
this).
The vici/swanctl configuration backend avoids this issue by replacing
the child_cfg_t objects in existing peer_cfg_t objects atomically with
those of the new config and not touching child_cfg_t objects in replaced
peer_cfg_t objects. The deprecated stroke plugin doesn't do that
because of the limited interface between the starter daemon and the
plugin. But if the config of the active connection (or %default) has
not changed, this problem can be avoided by using `ipsec update` to
reload the config as that only affects modified configs.
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/129
I am fairly-well convinced that pfSense can do something smarter/better here.
Updated by Chris Linstruth over 6 years ago
I submitted a private comment and it changed the bug to private. Since his comment was on a public list there is no reason to keep it private I suppose.
Updated by Jim Pingle over 6 years ago
Moving to swanctl means rewriting all the code that outputs the config to change from ipsec.conf to swanctl.conf style.
There is a guide at https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf but given how complex the config generating code is, it's going to be a significant amount of work.
Updated by Jim Pingle over 6 years ago
- Tracker changed from Bug to Todo
- Status changed from New to In Progress
- Assignee set to Jim Pingle
I'm looking this over. A few more useful links:
swanctl.conf format:
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
swanctl directory layout:
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
usable examples with both old and new formats to compare:
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
Updated by Jim Pingle over 6 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:c6220dcf7faf3492713c6c30bb86d3971b2772a9.
Updated by Florin Samareanu about 6 years ago
Jim Pingle wrote:
Applied in changeset commit:c6220dcf7faf3492713c6c30bb86d3971b2772a9.
Hello,
My setup has ipsec vti tunnels and since this change was pushed my tunnels don't come up automatically on reboot. My internet connection is pppoe over vlan and the thing I noticed is that sometimes it's slow to connect on reboot (pfsense takes few minutes to reboot while the internet connection gets established after 5-10 minutes).
What logs do you want me to provide?
Updated by Jim Pingle about 6 years ago
Don't post anything here, but start a thread at https://forum.netgate.com/category/78/2-5-development-snapshots with a copy of your /var/etc/ipsec/swanctl.conf , logs from when it starts up, and any other relevant details you can think of.
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to Resolved
This has been in for a while and working well. If any new problems come up they can be handled in their own separate issues.