[Swan-dev] What happened to "ipsec show" ?

Andrew Cagney andrew.cagney at gmail.com
Tue Oct 24 16:00:47 EEST 2023


On Tue, 24 Oct 2023 at 06:55, Brady Johnson <bradyjoh at redhat.com> wrote:
>
>
> Hello,
>
> I am migrating from Libreswan 4.5 to the latest version, and I notice that the "ipsec show" command no longer exists in the latest version.
>
> I looked around git a little, and found this commit:
>
> commit a4d3d235e89739691b4d4acfe6eff280dcbcc763
> Author: Andrew Cagney <cagney at gnu.org>
> Date:   Fri Aug 12 15:42:50 2022 -0400
>
>
>     ipsec: make <<ipsec {look,show,verify}>> linux only
>
> I looked at the code changes in that git commit, and saw that the "ipsec show" and other scripts were removed, and never added for linux only.

These are the commits to look at:

commit 55fac9bcc7f44606178dcd936396e9763c4003c6
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sat Sep 30 13:42:28 2023 -0400

    ipsec look: delete

-> the testsuite is using the experimental scripts
ipsec-kernel-{state,policy}.sh but the assumption is that someone on
linux knows about ip xfrm, on *bsd, setkey, and on openbsd something I
forget (hence the test scripts :-)

commit 0cfec8bc587296d9f1f6619fe6bc75711858e9d9
Author: Paul Wouters <paul.wouters at aiven.io>
Date:   Tue Sep 5 11:13:20 2023 -0400

    programs: Remove support for ipsec show and ipsec verify

    These tools are not commonly used, and have not aged very well.
    It also causes the package to pull in a python dependency.

    Note that "ipsec portexcludes" uses python, but it is not installed
    by default.

    See also: https://github.com/coreos/fedora-coreos-tracker/issues/1504

-> fwiw I think using <<ipsec show>> to run an esoteric linux only
command was a really really unfortunate choice; it excluded any
possibility of <<ipsec show policy>> et al.

commit c1a5581431a4c1f1c174722299b0fafbf695c4fd
Author: Tuomo Soini <tis at foobar.fi>
Date:   Thu Apr 13 22:34:54 2023 +0300

    ipsec: replace all auto functionality

    This change replaces "ipsec auto {command}" with "ipsec {command}"
    maintaining compatibility with old usage when possible.

    Also remove -- from commands, so "ipsec auto --up connname" got

> Before I dig around more, is there a reason this was not added for Linux only? If needed, I can create a PR to add it.
>
> I find the IPs in the output of this command VERY useful when managing multiple tunnels. Maybe there is another way to get this info??

> ipsec show
> 172.16.2.0/24 <=> 172.16.111.0/24 using reqid 16393
> 172.16.2.0/24 <=> 172.16.110.0/24 using reqid 16389
> 172.16.2.0/24 <=> 172.16.113.0/24 using reqid 16401
> 172.16.2.0/24 <=> 172.16.117.0/24 using reqid 16409
> 172.16.2.0/24 <=> 172.16.112.0/24 using reqid 16397
> fd02::/64 <=> fd03:116::/64 using reqid 16413

Now is the time to raise this :-)

<<ipsec connectionstatus>> includes:
   192.0.1.0/24===192.1.2.45[@west]...192.1.2.23[@east]===192.0.2.0/24;
(er, I don't see reqid anywhere in the connectionstatus output?) but
good luck deciphering it.  Its appearance is also config-sensitive.
And it is struggling with multiple selectors.

There's also trafficstatus, but it doesn't include the topology (its
stats are per SA and not per policy combination)

so ideas welcome,
Andrew
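Since the thread points at `ip xfrm` as the Linux-side source of the data that `ipsec show` used to summarise, here is an added example (written for this page, not libreswan's own `show` script nor its `ipsec-kernel-policy.sh`) that rebuilds the `<src> <=> <dst> using reqid <n>` listing quoted above from `ip xfrm policy` output. It assumes iproute2's text layout for `ip xfrm policy` (a `src ... dst ...` selector line, a `dir out|in|fwd ...` line, and a `proto esp reqid N ...` template line per policy); the sample input embedded below is constructed with made-up addresses and reqids. The function `xfrm_policy_summary` is a name chosen here.

```shell
#!/bin/sh
# Added example, not libreswan's own script: rebuild an "ipsec show"-style
# summary ("<src> <=> <dst> using reqid <n>") from "ip xfrm policy" output.
# One line per outbound policy that carries an ESP/AH template; the matching
# "in" and "fwd" policies of the same tunnel collapse into that one line.

# Constructed sample of "ip xfrm policy" output (made-up addresses, reqids).
# Real output indents with tabs; awk splits on any whitespace, so spaces
# are used here.  On a live host: ip xfrm policy | xfrm_policy_summary
SAMPLE_XFRM_POLICY='src 172.16.2.0/24 dst 172.16.111.0/24
    dir out priority 1757392 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16393 mode tunnel
src 172.16.111.0/24 dst 172.16.2.0/24
    dir fwd priority 1757392 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16393 mode tunnel
src 172.16.111.0/24 dst 172.16.2.0/24
    dir in priority 1757392 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16393 mode tunnel
src fd02::/64 dst fd03:116::/64
    dir out priority 1757392 ptype main
    tmpl src 2001:db8::1 dst 2001:db8::2
        proto esp reqid 16413 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main'

# Reads "ip xfrm policy" text on stdin, prints the summary on stdout.
xfrm_policy_summary() {
    awk '
        # A new policy starts with its traffic selector; forget the old dir.
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; dir = ""; next }
        # Direction line ("dir out|in|fwd ..."); socket policies have none.
        $1 == "dir"               { dir = $2; next }
        # Template detail line ("proto esp reqid N mode tunnel"): emit once
        # per outbound selector pair.  reqid is found by name, not column,
        # so extra fields (if_id, mark, ...) do not break the parse.
        $1 == "proto" && dir == "out" {
            for (i = 1; i < NF; i++) if ($i == "reqid") reqid = $(i + 1)
            if (reqid != "" && !seen[src, dst]++)
                printf "%s <=> %s using reqid %s\n", src, dst, reqid
            reqid = ""
        }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_policy_summary
```

Policies without a template (socket policies, or plain bypass/discard rules) produce no line, and the reqid is taken from the policy rather than from `ip xfrm state`, so the listing shows the installed topology even while an SA is being rekeyed.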

