[Swan-dev] the new ikev2 default (upstream and downstream issue)

Tuomo Soini tis at foobar.fi
Mon Dec 3 13:45:33 UTC 2018

On Sun, 2 Dec 2018 17:16:32 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:

> I'm preparing to move to ikev2 as the default. This comes in the same
> release where we will no longer allow a connection to be either v1
> or v2. That is, basically we only have ikev2=yes|no

That is good. ikev1 fallback or ikev2 upgrade were not good ideas.

> For the other options, ikev2=propose|permit we need to define what to
> do. We had come to a tentative conclusion to alias 'propose' to 'yes'
> and alias 'permit' to 'no'. We figured this would break the least
> amount of configurations.

This would be the most preferred option. This will only break very rare and
partly broken configurations where ikev2 upgrade or ikev1 fallback is
required for an asymmetric configuration to work. And we can never avoid
breaking this.

> Red Hat however, prefers that we break cleanly. That is, they prefer
> that the keywords propose and permit just error out and that the
> connection fails to load. This makes it a little unfriendlier, but
> _if_ a failure happens, it is clear as to why and when it happens.
> (on upgrade, on startup)

I don't think this is a good idea. At least not within a single
release. We'd need to deprecate the keywords first and give warnings about
obsolete keywords for at least one released version.

> This leaves us in an unfortunate situation that upstream would behave
> different from a major deployment downstream.

That is unfortunate but Red Hat is wrong in this - we can't change
behaviour that fast.

> So the question is, should we do the same in upstream or not?
> I have a slight preference for not doing this, but my feelings are not
> very strong about this. What do others think?

This is tricky. We'd ultimately want to go to ikev2=yes|no only, with
ikev2=yes being the default.

But breaking the user experience is a bad thing to do.

My suggestion is to do the change in two stages.

Now change our behaviour to default to ikev2=no. And WARN in the release
notes that the next version will change the behaviour to ikev2=yes, so that
people at least have the possibility to set ikev2=no in their conn %default
so they won't break all tunnels.

Switching the default from ikev1 to ikev2 requires a major release. So that
is libreswan-4.0. I suggest we do that behaviour change at the same time we
drop klips support completely.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
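An added pre-upgrade check, not part of the original message and not libreswan's own tooling: a small POSIX shell/awk scanner for an ipsec.conf-style file that reports every conn still using the `ikev2=propose` or `ikev2=permit` values discussed above (suggesting the `yes`/`no` alias the thread proposes), and every conn that states no `ikev2=` at all and would therefore silently flip when the default moves from ikev1 to ikev2, unless `conn %default` pins it. It assumes the usual `conn NAME` / indented `key=value` layout and does not follow `include` lines (check those files separately). The sample configuration it scans is constructed here for illustration; the addresses are documentation ranges, not real peers.

```shell
#!/bin/sh
# Added example (not libreswan's code): find ikev2= settings that the
# planned ikev2=yes|no change will break or silently alter.
# Assumes "conn NAME" headers and "key=value" lines; include lines are ignored.

# Print one finding per line for the file given as $1.
ikev2_findings() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*conn[ \t]+/ { conn = $2; n++; name[n] = conn; next }
    /^[ \t]*ikev2[ \t]*=/ {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)            # keep only the value
        sub(/[ \t#].*$/, "", val)                 # drop trailing comment
        explicit[conn] = 1
        if (val == "propose" || val == "permit")
            printf "%s: conn %s: ikev2=%s is going away, set ikev2=%s explicitly\n",
                   FILENAME, conn, val, (val == "permit" ? "no" : "yes")
        next
    }
    END {
        # A conn with no ikev2= line follows the global default unless
        # conn %default pins it; flag those so the flip is not a surprise.
        for (i = 1; i <= n; i++) {
            c = name[i]
            if (c != "%default" && !explicit[c] && !explicit["%default"])
                printf "%s: conn %s: no ikev2= setting, will change when the default flips\n",
                       FILENAME, c
        }
    }
    ' "$1"
}

# Number of findings for the file given as $1 (0 when the file is clean).
ikev2_finding_count() {
    ikev2_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample ipsec.conf written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    logfile=/var/log/pluto.log

conn %default
    keyingtries=%forever

conn legacy-office
    left=192.0.2.1
    right=198.51.100.1
    ikev2=permit

conn branch-a
    left=192.0.2.1
    right=203.0.113.5
    ikev2=propose

conn modern
    left=192.0.2.1
    right=203.0.113.9
    ikev2=yes

conn unspecified
    left=192.0.2.1
    right=203.0.113.10
EOF
}

# Stand-alone run: scan the constructed sample and print the findings.
sample=$(mktemp)
write_sample_conf "$sample"
ikev2_findings "$sample"
rm -f "$sample"
```

Run it against the real file with `ikev2_findings /etc/ipsec.conf` (and each file under ipsec.d that the main file includes). Adding `ikev2=no` to `conn %default`, as the message suggests, silences the "no ikev2= setting" findings without touching every conn; the propose/permit findings still need an explicit `ikev2=yes` or `ikev2=no` per conn.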
