Re: [strongSwan] multiple remote_ts with ikev1 file format

2018-02-23 Thread Marco Berizzi
Rich Lafferty wrote:

> > Is there a way to not write in every section the parameters
> > common to all the children sections (rekey_time, esp_proposals…)?

> I wasn't able to find a way to set defaults, but I've put my common
> parameters in /etc/swanctl/swanctl-ipsec.conf and then done
> "include swanctl-ipsec.conf" in each child config. If someone else knows a
> better way, though, I'm all ears!

Thanks a lot Rich for the tips.


Re: [strongSwan] multiple remote_ts with ikev1 file format

2018-02-22 Thread Rich Lafferty

> On Feb 22, 2018, at 7:15 AM, Marco Berizzi wrote:
> 
> I'm starting strongswan with the old 'ipsec start', and after I
> issue the command: 'swanctl -q' for loading the configuration
> files under /etc/swanctl/conf.d/*
> 
> Am I right? Or is there a smarter way to start strongswan without
> the old 'ipsec' script?

Distro-specific, but we're running charon directly from upstart:

-- /etc/init/charon.conf -- 
description "StrongSwan IKE daemon"

start on runlevel [2345]
stop on runlevel [!2345]

respawn
respawn limit 10 5

exec /usr/lib/ipsec/charon --use-syslog
--  

And we leverage the on-start charon option to have it load its config on start:

-- /etc/strongswan.d/charon-startup.conf --
charon {
    start-scripts {
        load-config = swanctl --load-all
    }
}
--

(We also don't install the 'ipsec' command at all, to avoid people confusing
old and new approaches; I've found swanctl gives me everything that I'd get out
of ipsec other than starting and stopping charon.)

> Is there a way to not write in every section the parameters
> common to all the children sections (rekey_time, esp_proposals…)?

I wasn't able to find a way to set defaults, but I've put my common parameters
in /etc/swanctl/swanctl-ipsec.conf and then done
"include swanctl-ipsec.conf" in each child config. If someone else knows a
better way, though, I'm all ears!

  -Rich

[strongSwan] multiple remote_ts with ikev1 file format

2018-02-22 Thread Marco Berizzi
Hello everyone,

I would like to finally drop the ipsec.conf and ipsec.secrets
configuration files from my strongswan ipsec gateway.
I have a couple of questions to ask.

I'm running strongswan 5.6.2 on Slackware linux (still systemd
free).

On my test bed, ipsec.conf and ipsec.secrets are those shipped
with strongswan: they are both empty.

I'm starting strongswan with the old 'ipsec start', and after I
issue the command: 'swanctl -q' for loading the configuration
files under /etc/swanctl/conf.d/*

Am I right? Or is there a smarter way to start strongswan without
the old 'ipsec' script?

The second question is about the file format when multiple remote_ts
need to be defined when ikev1 must be used.
Here is my example:

children {
    net-0ab1 {
        local_ts  = 10.139.10.0/23
        remote_ts = 10.177.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
    net-0ab4 {
        local_ts  = 10.139.10.0/23
        remote_ts = 10.180.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
}

Is there a way to not write in every section the parameters
common to all the children sections (rekey_time, esp_proposals...)?

Thanks in advance
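When the shared parameters are copied into every child by hand, the risk is that one child silently drifts (a missing rekey_time, a weaker esp_proposals). The following is an added example, not code from the thread or from strongSwan: a small parser for the swanctl-style "section { key = value }" format that flags children whose common keys are missing or differ from the first child. The sample block is constructed from the thread's example, with net-0ab4 deliberately out of step.

```python
# Constructed sample based on the thread's children block; net-0ab4 deliberately drifts.
SAMPLE = """
children {
  net-0ab1 {
    remote_ts = 10.177.0.0/16
    rekey_time = 8h
    esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
  }
  net-0ab4 {
    remote_ts = 10.180.0.0/16
    esp_proposals = aes128-sha1-modp1024
  }
}
"""
COMMON = ("rekey_time", "esp_proposals")  # keys expected to be identical in every child

def parse(text):
    """Parse nested 'name { key = value }' blocks into dicts; '#' comments dropped."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                 # open a subsection
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close the current subsection
            cur = stack.pop()
        else:                                  # key = value
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    if stack:
        raise ValueError("unbalanced braces in config")
    return root

def check_children(conf, common=COMMON):
    """Map child name -> problems: a common key missing, or differing from the first child."""
    children = list(conf.get("children", {}).items())
    problems = {}
    first = children[0][1] if children else {}
    for name, child in children:
        issues = []
        for key in common:
            if key not in child:
                issues.append(f"missing {key}")
            elif child[key] != first.get(key):
                issues.append(f"{key} differs from first child")
        if issues:
            problems[name] = issues
    return problems
```

Run check_children(parse(open("/etc/swanctl/conf.d/x.conf").read())) against a real file to get the same report; a non-empty dict means at least one child has drifted from the shared settings.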