From: Tariq Rahman
Date: Sun, 19 Dec 2021 19:03:35 -0500
Subject: Alpine Strongswan question / feature request
To: ~alpine/users@lists.alpinelinux.org

Hello,

I've been experimenting with Alpine and Strongswan in a virtual lab. I have the lab working with two Alpine instances running Strongswan configured in a site-to-site setup to enable communication between two disparate virtual lab networks.

From reading the docs at wiki.strongswan.org, it seems that there is an older method of tunnel creation using the /etc/ipsec* configuration files and a newer method that uses /etc/strongswan* and /etc/swanctl. The lab setup I've created uses the newer method of configuration, primarily through the creation of tunnel parameters within a new /etc/swanctl/conf.d/testvpn.conf file on each VPN node.

I have the Strongswan daemon set to start at boot in Alpine, but the test tunnel doesn't seem to come up after a reboot of the test VPN nodes. From a review of the /etc/runlevels/default/strongswan file, the strongswan service seems preconfigured to make use of the older ipsec method of strongswan configuration (assumed based on the use of the "ipsec" command as part of the service start/stop settings):

/etc/runlevels/default/strongswan
-----
#!/sbin/openrc-run

extra_started_commands="fullstatus"

depend() {
	need net
	after firewall
	provide ipsec
}

start() {
	ebegin "Starting StrongSwan"
	ipsec start
	eend $?
}

stop () {
	ebegin "Stopping StrongSwan"
	ipsec stop
	eend $?
}

restart() {
	ebegin "Restarting StrongSwan"
	svc_stop
	sleep 2
	svc_start
	eend $?
}

fullstatus() {
	ebegin "StrongSwan Status (verbose):"
	ipsec statusall
	eend $?
}
-----

I'm guessing I could try editing this file to insert the commands necessary to start the tunnel using my new /etc/swanctl/conf.d/testvpn.conf config, but I'd also then assume that any software updates to the strongswan package would overwrite this config at the next update.
My questions are as follows:

-) Am I missing a step or config to get the Alpine Strongswan software to recognize + start the new tunnel with the newer swanctl-based configuration?

-) If the package is currently configured to only make use of the older ipsec-based method of configuration, are there any plans to insert an update to allow for folks to make use of the newer swanctl-based configuration method and still have the strongswan basic service admin options (start/stop, etc.) use that newer config method?

My goal is to have the service auto-start and bring up the tunnels if the hardware is rebooted.

Thanks,
T.
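The gap the message describes, illustrated as an added example (this is not code from the original post, from the Alpine strongswan package, or from the strongSwan project). The packaged init script runs `ipsec start`, which launches charon but never loads /etc/swanctl/conf.d/*.conf; that step is `swanctl --load-all`, which talks to charon over its VICI socket and only works if charon's vici plugin is loaded. Because `ipsec start` returns before charon is listening, a helper that runs `swanctl --load-all` immediately can race the daemon, so this script waits for the socket first and retries the load. The socket path /var/run/charon.vici (the usual Linux default), the timeouts, and the function names wait_for_socket, load_all and main are assumptions for the example; adjust them to the local build.

```sh
#!/bin/sh
# Added example, not part of the original post or of the Alpine strongswan package.
# Loads the swanctl configuration (/etc/swanctl/conf.d/*.conf) into a running
# charon once its VICI socket is available. `ipsec start` alone starts the
# daemon but never runs `swanctl --load-all`, so site-to-site tunnels defined
# only under /etc/swanctl stay down after a reboot.

# Assumed defaults; override through the environment if the build differs.
: "${VICI_SOCKET:=/var/run/charon.vici}"   # assumed default VICI socket path
: "${VICI_TIMEOUT:=30}"                     # seconds to wait for charon
: "${SWANCTL:=swanctl}"                     # swanctl binary to run

# wait_for_socket PATH TIMEOUT
# Polls once per second until PATH exists or TIMEOUT seconds elapse.
# charon creates this unix socket once the vici plugin is listening;
# -e rather than -S is used so a placeholder file can stand in for the
# socket when exercising the helper outside a VPN node.
# Returns 0 when the path appears, 1 on timeout.
wait_for_socket() {
    _path=$1
    _left=$2
    while [ "$_left" -gt 0 ]; do
        if [ -e "$_path" ]; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# load_all ATTEMPTS
# Runs `swanctl --load-all`, retrying once per second if charon is not yet
# answering on VICI (plugin still initialising, or a stale socket file left
# behind by an unclean shutdown). Returns 0 on success, 1 when every attempt
# fails.
load_all() {
    _tries=$1
    while [ "$_tries" -gt 0 ]; do
        if "$SWANCTL" --load-all; then
            return 0
        fi
        _tries=$((_tries - 1))
        sleep 1
    done
    echo "swanctl --load-all failed; is charon running with the vici plugin?" >&2
    return 1
}

main() {
    if ! wait_for_socket "$VICI_SOCKET" "$VICI_TIMEOUT"; then
        echo "VICI socket $VICI_SOCKET did not appear within ${VICI_TIMEOUT}s" >&2
        return 1
    fi
    load_all 5 || return 1
    # Record what was loaded and which SAs are up, for the boot log.
    "$SWANCTL" --list-conns
    "$SWANCTL" --list-sas
}

# Only act when invoked as `... start`, so sourcing the file defines the
# functions without touching the daemon.
case "${1:-}" in
    start) main ;;
esac
```

Installing this outside the packaged init script, for instance as /etc/local.d/swanctl.start with the local service enabled, or as a small OpenRC service that declares `need strongswan` in depend(), keeps it clear of package upgrades. After a reboot, `swanctl --list-sas` is the check that the tunnel actually came up, not merely that charon started.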