[Swan-dev] Converting all test cases to not use ipsec.conf.common

Antony Antony antony at phenome.org
Wed Sep 27 17:41:45 UTC 2017 

Hi Paul,
Thanks for adding --conn option. It is a good to have option.

If expanding "also" is done well this is a good idea. My experience with 
readwriteconf is it need more work before this effort could begin.  
Currently, I wonder it work at all! See the example below.

If we do this, my preference is to convert incrementally. To avoid noise in 
the test output. If the base line outputs change, please follow it up 
immediately, rather than taking weeks to fix.

try basic-pluto-01 

/usr/local/libexec/ipsec/readwriteconf --conn  westnet-eastnet

conn westnet-eastnet
	#also = westnet-eastnet-ipv4 west-east-base-id-nss 
west-east-base-ipv4 westnet-ipv4 eastnet-ipv4 west-leftrsasigkey 
east-rightrsasigkey
	left=192.1.2.45
	leftid="@west"
	leftnexthop=192.1.2.23
	leftsubnet=192.0.1.0/24
	leftrsasigkey=0sAQOm9dY/449sAWr8e3xtV4tJOQ1396zihfGYHkttpT6zlprRmVq8EPKX3vIo+V+SCfDI1BLkYG6cYJgQAX0mt4+VYi2H3c3e9tOPNbBQ0Bj1mfgE8f9hW7x/H8AE2OSMrDStesHaPC2MMK7WPFmxOpTT1Spzkb1ZXz5yv0obncWyK03nDSQ+d/l/LdadKe9wfXptorhhDEsJSgZxhHCFmo9SoYAG/cb8Pif6Fvoyg6nKgNsPSr/36VWOvSlNI6bcKrNdYqkhHr6D2Gk8AwpIjtM6EfKGWtEwZb3I9IOH/wSHMwVP4NiM/rMZTN2FQPNNbuhJFAYsH1lZBY8gsMpGP8kgfgQwfZqAbD8KiffTr9gVBDf5
	left=192.1.2.45
	right=192.1.2.23
	rightid="@east"
	rightnexthop=192.1.2.45
	rightsubnet=192.0.2.0/24
	rightrsasigkey=0sAQO9bJbr33iJs+13DaF/e+UWwsnkfZIKkJ1VQ7RiEwOFeuAme1QfygmTz/8lyQJMeMqU5T6s0fmo5bt/zCCE4CHJ8A3FRLrzSGRhWPYPYw3SZx5Zi+zzUDlx+znaEWS2Ys1f040uwVDtnG4iDDmnzmK1r4qADy5MBVyCx40pAi67I1/b8p61feIgcBpj845drEfwXCZOsdBCYFJKsHclzuCYK0P0x1kaZAGD6k7jGiqSuFWrY91LcEcp3Om0YL9DTViPZHOVcKw1ibLCnNRiwF9WX60b5d1Jk2r1I4Lt1OfV8VXyLaImpjZTL5T7mSJcR8xtgDCIljgM9fLtN9AJ1QePae+pmc5NGneeOcQ488VRUUjv
	right=192.1.2.23
	auto=ignore
	type=tunnel
	compress=no
	pfs=yes
	ikepad=yes
	authby=never
	phase2=esp
	ikev2=permit
	esn=no

Note the wrong authby line in the expanded connection. The expanded 
connection got many options, some of which are defaults, such as ikepad=yes, 
esn=no.  Do we really need those for documentation? If these extras are in 
the expanded version, it ould defeat the goal. Users will be more confused.

Also I wonder if the readwriteconf could be smart enough to put some stuff 
to conn %default.  

If readwriteconf create a minimal "conn" and do not change output then it 
could be interesting to convert some test cases. I am not sure readwriteconf 
is smart for all tests. We could just expand a few test cases.

Currently it completely removes "conn %default", which is a bad idea!

Look at ikev2-18-x509-alias
/usr/local/libexec/ipsec/readwriteconf --conn road-east-ipv4-psk-ikev2

Shouldn't It leave %default alone?

Oh, look the expanding  of "plutodebug=all" you might be able get rid of with --setup option.

In some configuration files common options are abstracted within the config 
file. If converted using a script, I wonder how readable it would look.  See 
interop-ikev2-strongswan-33-ike-algo-responder/west.conf or 
ikev2-18-x509-alias

-antony

On Tue, Sep 26, 2017 at 08:36:03PM -0400, Paul Wouters wrote:
> 
> Hi,
> 
> We have talked about this in the past, but before I go ahead, I wanted
> to ask if anyone objects to the test cases being converted to standalone
> configuration files that no longer use or need ipsec.conf.common.
> 
> The advantage is that each test case is its own documentation case. This
> is very useful to our users. Right now due to the also= includes, this
> is useless to endusers as documentation.
> 
> The disadvantage is that any changes that upto now could be made in an
> also= conn that is included would effect all the conns that use it.
> After this rewrite, there is no easy way to edit an include file. For
> example, if we change the rsw RSA key on west, it means changing all
> the raw RSA testcases to update the *.conf files.
> 
> I've made the changes that allow me to use ipsec readwriteconf to
> convert all test cases in an automated way. If I hear now object this
> week, I'll go ahead sometime next week.
> 
> Paul
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list