Bug 256508 - security/strongswan: ipsec.conf never loaded
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2021-06-09 19:14 UTC by O. Hartmann
Modified: 2021-06-10 10:45 UTC
bugzilla: maintainer-feedback? (strongswan)


Description O. Hartmann 2021-06-09 19:14:38 UTC
I have to admit that I'm new to IPsec and StrongSwan. The subject is FreeBSD 13-STABLE (FreeBSD 13.0-STABLE #159 stable/13-n245920-95b7e4e0feb: Mon Jun  7 12:03:41 CEST 2021 amd64) and the recent port security/strongswan (strongswan-5.9.2_2).

The setup I use has been tested for good on a Linux Xubuntu box 21.04 (ipsec.conf) so far by editing and preparing the ipsec.conf and ipsec.secrets files, for FreeBSD's port located at /usr/local/etc. The FreeBSD box is a client and should contact a network behind an AVM Fritz!Box router with a configured IPsec VPN.

When starting strongswan or restarting strongswan it seems that /usr/local/etc/ipsec.conf is never read or never configures any VPN:

# service strongswan restart
Stopping strongswan.
Starting strongswan.
no files found matching '/usr/local/etc/swanctl/conf.d/*.conf'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded

It is also remarkable that the files

strongswan.d/starter.conf
strongswan.d/charon/stroke.conf

contain an unsubstituted variable "${sysconfdir}" which seems to stay unsubstituted while ipsec starts up - I might be wrong.
Comment 1 strongswan 2021-06-10 07:21:38 UTC
(In reply to O. Hartmann from comment #0)

In bug 249865 the default configuration for strongswan to use was changed from stroke to vici. The swanctl configuration is discussed in https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation#Modern-vici-based-Scenarios

The stroke interface uses the ipsec.conf and ipsec.secrets files.

The two options you have are:
 - convert the configuration to the swanctl format, which may be needed in the future if support for the older format is dropped completely by strongswan.
 - add the following line to your rc.conf file to use the stroke configuration.
   strongswan_interface="stroke"
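
A check for the situation in this report, as an added example that is not part of the bug thread or the port: it reports when the vici interface is selected but the only connection definitions live in the legacy ipsec.conf. The function names and the two path arguments are assumptions for illustration, only the single rc.conf file passed in is read, and the vici default is taken from comment 1.

```shell
#!/bin/sh
# Added example (not from the port): flag strongSwan config that the selected
# interface will not load. Default paths are the ones quoted in the report.

# Interface the rc script would use: last strongswan_interface= assignment in
# the given rc.conf, else "vici" (the port default according to comment 1).
ss_interface() {
    val=""
    [ -r "$1" ] && val=$(sed -n 's/^[[:space:]]*strongswan_interface=//p' "$1" |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]#].*//')
    echo "${val:-vici}"
}

# Number of named "conn" sections in a legacy ipsec.conf (0 if unreadable).
count_stroke_conns() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '/^conn[ \t]/ && $2 != "%default" { n++ } END { print n + 0 }' "$1"
}

# True if swanctl.conf or any conf.d/*.conf opens a connections section.
has_vici_conns() {
    for f in "$1/swanctl.conf" "$1"/conf.d/*.conf; do
        [ -r "$f" ] || continue
        grep -Eq '^[[:space:]]*connections[[:space:]]*(\{|$)' "$f" && return 0
    done
    return 1
}

# Usage: check_strongswan [config-prefix] [rc.conf]; returns 1 on a finding.
check_strongswan() {
    prefix=${1:-/usr/local/etc}
    rcconf=${2:-/etc/rc.conf}
    iface=$(ss_interface "$rcconf")
    conns=$(count_stroke_conns "$prefix/ipsec.conf")
    if [ "$iface" = "vici" ] && [ "$conns" -gt 0 ] &&
       ! has_vici_conns "$prefix/swanctl"; then
        echo "MISMATCH: interface=vici ignores $conns conn(s) in ipsec.conf;" \
             "no swanctl connections defined"
        return 1
    fi
    if [ "$iface" = "stroke" ] && [ "$conns" -eq 0 ]; then
        echo "EMPTY: interface=stroke but ipsec.conf defines no connections"
        return 1
    fi
    echo "OK: interface=$iface"
}
```

Source the file and call `check_strongswan` with no arguments to inspect the paths from the report.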
Comment 2 O. Hartmann 2021-06-10 08:10:34 UTC
Hello.
Thank you for your reply. I'm a "starter", so the absence of the given information rendered the installation on FreeBSD useless so far.

It would be nice if there could be a hint or short notice on what you've given here in the port's message file.

I think it will be straightforward to convert the config files as recommended.

PR closed.

Kind regards,
oh
Comment 3 strongswan 2021-06-10 10:45:00 UTC
(In reply to O. Hartmann from comment #2)
Just for information, the latest package, 5.9.2_2, does have a package message on install. I think it just hasn't made its way to the package repository yet.