Hello,
I've been experimenting with Alpine and Strongswan in a virtual lab.
I have the lab working with two Alpine instances running Strongswan
configured in a site-to-site setup to enable communication between two
disparate virtual lab networks.
From reading the docs at wiki.strongswan.org, it seems that there is
an older method of tunnel creation using the /etc/ipsec* configuration
files and a newer method that uses /etc/strongswan* and /etc/swanctl.
The lab setup I've created uses the newer method of configuration,
primarily through the creation of tunnel parameters within a new
/etc/swanctl/conf.d/testvpn.conf file on each VPN node.
I have the Strongswan daemon set to start at boot in Alpine but the
test tunnel doesn't seem to come up after a reboot of the test VPN
nodes. From a review of the /etc/runlevels/default/strongswan file,
the strongswan service seems preconfigured to make use of the older
ipsec method of strongswan configuration (assumed based on the use of
the "ipsec" command as part of the service start/stop settings).
/etc/runlevels/default/strongswan
-----
#!/sbin/openrc-run

extra_started_commands="fullstatus"

depend() {
	need net
	after firewall
	provide ipsec
}

start() {
	ebegin "Starting StrongSwan"
	ipsec start
	eend $?
}

stop() {
	ebegin "Stopping StrongSwan"
	ipsec stop
	eend $?
}

restart() {
	ebegin "Restarting StrongSwan"
	svc_stop
	sleep 2
	svc_start
	eend $?
}

fullstatus() {
	ebegin "StrongSwan Status (verbose):"
	ipsec statusall
	eend $?
}
-----
I'm guessing I could try editing this file to insert the commands
necessary to start the tunnel using my new
/etc/swanctl/conf.d/testvpn.conf config, but I'd also then assume that
any software updates to the strongswan package would overwrite this
config at the next update.
My questions are as follows:
-) Am I missing a step or config to get the Alpine Strongswan software
to recognize + start the new tunnel with the newer swanctl based
configuration?
-) If the package is currently configured to only make use of the
older ipsec based method of configuration, are there any plans to
insert an update to allow for folks to make use of the newer swanctl
based configuration method and still have the strongswan basic service
admin options (start/stop, etc.) use that newer config method? My goal
is to have the service auto-start and bring up the tunnels if the
hardware is rebooted.
Thanks,
T.
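An added example, not part of the mail above and not Alpine's packaged strongswan script: a small POSIX sh helper showing the two things that decide whether a swanctl-based tunnel is actually up after a reboot. First, `/etc/runlevels/default/strongswan` is only a symlink to `/etc/init.d/strongswan`, and `ipsec start` launches charon with its vici plugin, so `swanctl --load-all` can feed it the `/etc/swanctl/conf.d/*.conf` files once the daemon's vici socket exists; keeping that step in a separate hook (here assumed to be `/etc/local.d/swanctl.start`, run by OpenRC's `local` service) avoids editing the packaged init script that an upgrade would overwrite. Second, loading a connection does not initiate it: the child's `start_action` defaults to `none`, and only `start` (or `trap`, on-demand) brings the SA up at load time, which is the easy-to-miss reason a loaded tunnel looks like it "didn't come up". The script name, the `sample_conf` contents (TEST-NET addresses) and the default vici socket path are assumptions made for this example; the `testvpn.conf` path and connection name are taken from the mail.

```shell
#!/bin/sh
# swanctl-boot-check.sh (hypothetical name, added example): verify and load a
# swanctl-based strongSwan config at boot on Alpine/OpenRC without editing the
# packaged /etc/init.d/strongswan script. Intended to be called from
# /etc/local.d/swanctl.start (assumption) after the strongswan service is up.

VICI_SOCKET="${VICI_SOCKET:-/var/run/charon.vici}"   # charon's default vici socket (assumed path)

# conf_has_autostart FILE
# Returns 0 when some child in FILE sets start_action to start or trap.
# swanctl --load-all only *loads* connections; with the default start_action=none
# nothing is initiated, so the tunnel stays down until traffic or a manual initiate.
conf_has_autostart() {
    grep -Eq '^[[:space:]]*start_action[[:space:]]*=[[:space:]]*(start|trap)' "$1"
}

# wait_for_vici TIMEOUT_SECONDS
# charon creates its vici socket shortly after "ipsec start"; loading before it
# exists fails, which is a common race when the hook runs right after the daemon.
wait_for_vici() {
    _t=$1
    while [ "$_t" -gt 0 ]; do
        [ -S "$VICI_SOCKET" ] && return 0
        sleep 1
        _t=$((_t - 1))
    done
    return 1
}

# load_and_verify CONN_NAME
# Push /etc/swanctl/conf.d/* into the running daemon and confirm the connection
# is known to it (swanctl --list-conns prints one "<name>: ..." header per conn).
load_and_verify() {
    command -v swanctl >/dev/null 2>&1 || { echo "swanctl not installed" >&2; return 2; }
    wait_for_vici 15 || { echo "no vici socket at $VICI_SOCKET; is charon running?" >&2; return 1; }
    swanctl --load-all || return 1
    swanctl --list-conns | grep -q "^$1:" || { echo "connection $1 not loaded" >&2; return 1; }
}

# sample_conf PATH
# Writes a constructed swanctl connection (TEST-NET addresses, PSK auth) so the
# checks above can be exercised offline. Not taken from the original mail.
sample_conf() {
    cat >"$1" <<'EOF'
connections {
    testvpn {
        remote_addrs = 203.0.113.2
        local  { auth = psk }
        remote { auth = psk }
        children {
            net {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                start_action = start
            }
        }
    }
}
EOF
}

main() {
    conf=${1:-/etc/swanctl/conf.d/testvpn.conf}
    conn=${2:-testvpn}
    if conf_has_autostart "$conf"; then
        echo "$conf: start_action is start/trap, child SA is initiated on load"
    else
        echo "$conf: no start_action=start|trap, tunnel will load but not initiate at boot" >&2
    fi
    load_and_verify "$conn"
}

# Run main only when executed under the script's own name, not when sourced for its functions.
case "${0##*/}" in swanctl-boot-check.sh) main "$@" ;; esac
```

On a node, `sh swanctl-boot-check.sh /etc/swanctl/conf.d/testvpn.conf testvpn` from the local.d hook gives a non-zero exit (visible in the boot log) when the daemon never exposed vici or the connection failed to load, and a warning when the config is loaded but will sit idle because `start_action` was left at its default.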