[Swan-dev] ipsec.conf version specification

Paul Wouters paul at nohats.ca
Mon Jun 23 18:43:45 EEST 2014

On Sun, 22 Jun 2014, D. Hugh Redelmeier wrote:

> Man page change:
> -The first significant line of the file must specify the version of this specification that it conforms to:
> +The first significant line of the file may specify a version of this specification for backwards compatibility with freeswan and openswan\&. It is ignored and unused\&. For compatibility with openswan, specify:
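
Review bot: The added line gives compatibility with both freeswan and openswan as the reason for keeping the version line, but its closing sentence reads only "For compatibility with openswan, specify:"; either say what freeswan expects as well or drop it from the first sentence. "It is ignored and unused" also states the same thing twice and does not tell the reader whether a missing or unrecognised version value is accepted without any warning; one sentence saying so would make the new behaviour unambiguous.
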
> I think that it is a serious mistake to decommit from the version
> specification in ipsec.conf

Note the man page was merely updated to reflect reality.

> In FreeS/WAN, we went through a bit of agony to introduce it.
> Once we introduced it, it was a way to allow new config file features that
> would break old ones.  FreeS/WAN code could know when to use the old rules
> or the new ones, based on this option.
> Backward compatibility is such a straitjacket.  This is one way to
> break out of it.

These days, package managers are responsible for upgrading any kind of
versioning and creating backup copies of config files. There was no good
method used historically to bump it when things were added or removed,
so it became a useless entry in the file.

Also, it seems preemptively failing on the version number is worse than trying
your best and then failing due to a change.

I think this made more sense in a world where /etc/ipsec.conf was not
owned by a package with a maintainer, and people used "make install" to
upgrade and were actually present and aware of performing a swan upgrade.
That is less obvious with yum or apt-get update.
