Re: [strongSwan] multiple remote_ts with ikev1 file format
Rich Lafferty wrote:
> > Is there a way to not write in every section the parameters
> > common to all the children sections (rekey_time, esp_proposals...)?
> I wasn't able to find a way to set defaults, but I've put my common
> parameters in /etc/swanctl/swanctl-ipsec.conf and then done
> "include swanctl-ipsec.conf" in each child config. If someone else knows a
> better way, though, I'm all ears!

Thanks a lot Rich for the tips.
Re: [strongSwan] multiple remote_ts with ikev1 file format
> On Feb 22, 2018, at 7:15 AM, Marco Berizzi wrote:
>
> I'm starting strongswan with the old 'ipsec start', and after I
> issue the command: 'swanctl -q' for loading the configuration
> files under /etc/swanctl/conf.d/*
>
> Am I right? Or is there a smarter way to start strongswan without
> the old 'ipsec' script?

Distro-specific, but we're running charon directly from upstart:

-- /etc/init/charon.conf --
description "StrongSwan IKE daemon"

start on runlevel [2345]
stop on runlevel [!2345]

respawn
respawn limit 10 5

exec /usr/lib/ipsec/charon --use-syslog
--

And we leverage the on-start charon option to have it load its config on start:

-- /etc/strongswan.d/charon-startup.conf --
charon {
    start-scripts {
        load-config = swanctl --load-all
    }
}
--

(We also don't install the 'ipsec' command at all, to avoid people confusing
old and new approaches; I've found swanctl gives me everything that I'd get
out of ipsec other than starting and stopping charon.)

> Is there a way to not write in every section the parameters
> common to all the children sections (rekey_time, esp_proposals...)?

I wasn't able to find a way to set defaults, but I've put my common
parameters in /etc/swanctl/swanctl-ipsec.conf and then done
"include swanctl-ipsec.conf" in each child config. If someone else knows a
better way, though, I'm all ears!

-Rich
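The following is an added illustration of the include-based layout Rich describes above, and of the child sections in the original question; it is example code written for this page, not strongSwan's own parser or anything Rich posted. It builds a scratch directory holding a swanctl.conf (the connection name `branch` and `version = 1` are assumptions, since the question only shows the children block) and a sibling swanctl-ipsec.conf with the shared child parameters, then parses the result with a simplified reader of the strongswan.conf/swanctl.conf syntax (key = value, nested sections, `#` comments, `include <glob>`). The reader assumes, as the real one is documented to do, that a relative include path is resolved against the directory of the including file; quoted values and value references are not modelled.

```python
"""Show how an `include` inside each child section folds shared
parameters into every child. Constructed example, not strongSwan code."""
import glob
import os
import tempfile

# Constructed sample: the parameters common to all children, kept in one file.
COMMON_CHILD_PARAMS = """\
# shared by every child section
rekey_time = 8h
start_action = trap
esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
"""

# Constructed sample: the children from the question, each pulling in the
# shared file instead of repeating its contents.
SWANCTL_CONF = """\
connections {
    branch {          # connection name and version are assumptions
        version = 1
        children {
            net-0ab1 {
                local_ts = 10.139.10.0/23
                remote_ts = 10.177.0.0/16
                include swanctl-ipsec.conf
            }
            net-0ab4 {
                local_ts = 10.139.10.0/23
                remote_ts = 10.180.0.0/16
                include swanctl-ipsec.conf
            }
        }
    }
}
"""


def merge(dst, src):
    """Merge parsed sections recursively; a plain key overwrites."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge(dst[key], value)
        else:
            dst[key] = value


def parse_conf(path):
    """Parse one file into nested dicts, expanding `include` globs
    relative to the including file's directory (assumed behaviour)."""
    root = {}
    stack = [root]
    with open(path) as fh:
        lines = fh.read().splitlines()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"unexpected '}}' in {path}")
            stack.pop()
        elif line.endswith("{"):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif line.startswith("include "):
            pattern = line[len("include "):].strip()
            if not os.path.isabs(pattern):
                pattern = os.path.join(os.path.dirname(path), pattern)
            for included in sorted(glob.glob(pattern)):
                merge(stack[-1], parse_conf(included))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"cannot parse line in {path}: {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unclosed section in {path}")
    return root


def load_children():
    """Write both files into a scratch dir mirroring /etc/swanctl and
    return the resolved children sections."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "swanctl-ipsec.conf"), "w") as fh:
            fh.write(COMMON_CHILD_PARAMS)
        main_path = os.path.join(base, "swanctl.conf")
        with open(main_path, "w") as fh:
            fh.write(SWANCTL_CONF)
        conf = parse_conf(main_path)
    return conf["connections"]["branch"]["children"]


if __name__ == "__main__":
    for name, child in load_children().items():
        print(name)
        for key, value in sorted(child.items()):
            print(f"    {key} = {value}")
```

Two practical points follow from the relative-path assumption: the shared file must sit in the same directory as the file that includes it (which is what Rich's /etc/swanctl/swanctl-ipsec.conf layout gives you for /etc/swanctl/swanctl.conf), and a child defined in a file under /etc/swanctl/conf.d/ would need either a copy there or an absolute include path. After `swanctl --load-all`, `swanctl --list-conns` shows the children with the shared parameters applied, which is the quickest way to confirm the include took effect on the real daemon.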
[strongSwan] multiple remote_ts with ikev1 file format
Hello everyone,

I would like to finally drop the ipsec.conf and ipsec.secrets configuration
files from my strongswan ipsec gateway. I have a couple of questions to ask.
I'm running strongswan 5.6.2 on Slackware linux (still systemd free).

On my test bed, ipsec.conf and ipsec.secrets are those shipped with
strongswan: they are both empty. I'm starting strongswan with the old
'ipsec start', and after I issue the command: 'swanctl -q' for loading the
configuration files under /etc/swanctl/conf.d/*

Am I right? Or is there a smarter way to start strongswan without the old
'ipsec' script?

The second question is about the file format when multiple remote_ts need
to be defined when ikev1 must be used. Here is my example:

children {
    net-0ab1 {
        local_ts = 10.139.10.0/23
        remote_ts = 10.177.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
    net-0ab4 {
        local_ts = 10.139.10.0/23
        remote_ts = 10.180.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
}

Is there a way to not write in every section the parameters common to all
the children sections (rekey_time, esp_proposals...)?

Thanks in advance