
List:       strongswan-users
Subject:    [strongSwan] problems with starter
From:       andreas.steffen () strongswan ! org (Andreas Steffen)
Date:       2006-06-21 13:46:30
Message-ID: 44993176.8090004 () strongswan ! org

Pavel Levshin wrote:
> Hello all.
> 
> I have upgraded my strongSwan installations from 2.6.2 to 2.7.1
> yesterday. In the morning, some of them became broken.
> 
> First problem is related to ipsec starter. I did not use it before,
> mainly because of its obscure requirements (see below). My
> installations had been started with "ipsec setup start" or
> "/etc/rc.d/init.d/ipsec". This night, some of them have failed:
> 
> Jun 16 04:41:45 cat ipsec_starter[303]: /etc/ipsec.conf:2: syntax error,
> unexpected FIRST_SPACES [
> ]
> Jun 16 04:41:45 cat ipsec_starter[303]: unable to start strongSwan --
> errors in config
> 
> I see, the server had been rebooted, and /etc/rc.d/init.d/ipsec now uses
> ipsec starter instead of old-style "ipsec setup". But the "starter" has
> failed while "setup" still works.
> 
> Ok, I tried to rearrange my ipsec.conf to make starter start. First, I
> had to delete a single space from 2nd line of ipsec.conf. It wasn't very
> simple, as the line seemed empty.
> 
> Jun 16 09:09:09 hare ipsec_starter[30952]: /etc/ipsec.conf:16: unknown
> keyword 'disablearrivalcheck' [no]

The IPsec RFCs require that the packets arriving through the tunnel
are checked if they comply with the negotiated policy. When the
FreeS/WAN project introduced this check they offered the possibility
to disable this feature with disablearrivalcheck=yes. A couple of
years have passed since then and I decided that I wouldn't add this
keyword to Mathieu Lafon's original ipsec starter.

> Man ipsec.conf doesn't think it's an unknown keyword, but it is not
> required to me, so I deleted it.
> 
> Jun 16 09:09:39 hare ipsec_starter[30960]: # bad integer value:
> keyingtries=%forever
>
> '%default'
> 
> Again, man ipsec.conf does not think %forever is such a bad value. I don't
> know what to substitute instead (possibly 0?), so I deleted it
> altogether. Then ipsec starter did start.
>
Didn't know that there was a %forever wildcard for keyingtries=0.
Will go into strongswan-2.7.2.

> It seems that the project is lacking in up-to-date documentation.
> 
The man pages are clearly not up to date and contain a lot of
FreeS/WAN legacy stuff, but

  http://www.strongswan.org/docs/readme.htm

is and

  http://www.strongswan.org/uml/testresults/

gives you dozens of example scenarios.

For the strongswan-4.0 branch we will switch to a new and comprehensive
documentation concept. BTW - anyone is welcome to provide updates
and extensions to strongSwan's documentation.

> 
> Pavel Levshin

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute of Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
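
Added example, not part of the original message and not strongSwan code: a pre-reboot check that scans an ipsec.conf for the three things the 2.7.1 starter rejected in this thread (a whitespace-only line, disablearrivalcheck, keyingtries=%forever). The function name and the sample config are constructed for illustration; the checks mirror only the errors quoted above, not the starter's full grammar.

```python
# Checks derived only from the three starter errors quoted in this thread
# (strongSwan 2.7.1). This is an assumption-based lint, not the real parser.
REJECTED_KEYWORDS = {"disablearrivalcheck"}      # "unknown keyword"
REJECTED_VALUES = {("keyingtries", "%forever")}  # "bad integer value"

# Constructed sample: line 2 holds a single space and looks empty in an editor.
SAMPLE = (
    "version 2.0\n"
    " \n"
    "config setup\n"
    "\t# constructed example section\n"
    "\n"
    "conn %default\n"
    "\tdisablearrivalcheck=no\n"
    "\tkeyingtries=%forever\n"
)


def lint_ipsec_conf(text):
    """Return (line_number, message) findings for the given config text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Non-empty line made only of spaces or tabs: the case that produced
        # "unexpected FIRST_SPACES" and was hard to spot by eye.
        if line and not stripped:
            findings.append((number, "whitespace-only line: " + repr(line)))
            continue
        if stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in REJECTED_KEYWORDS:
            findings.append((number, "keyword not accepted by starter: " + key))
        if (key, value.lower()) in REJECTED_VALUES:
            findings.append((number, "value not accepted: %s=%s" % (key, value)))
    return findings


if __name__ == "__main__":
    for number, message in lint_ipsec_conf(SAMPLE):
        print("ipsec.conf:%d: %s" % (number, message))
```

Running such a check before switching an init script from "ipsec setup" to the starter surfaces these lines while the tunnel is still up, rather than after a reboot.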
