[Swan] Version 3.30 XFRM implementation

Paul Overton Paul at trustedcyber.co.uk
Wed Feb 19 12:40:42 UTC 2020


I believe the correct keyword for specifying the XFRMi ipsec interface IP is interface-ip, preceded by either right or left. However, presently, when specified, this comes up as obsolete.

I don't see any alternative options in the code to replace this. 

In the CHANGES document, it is suggested that the new command is "iface-ip" but there is no code to support this so far as I can see. 

Do we assume that the code to do this has not yet been written?

Regards Paul

-----Original Message-----
From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Paul Overton
Sent: 19 February 2020 11:11
To: Paul Wouters <paul at nohats.ca>
Cc: Swan at lists.libreswan.org
Subject: Re: [Swan] Version 3.30 XFRM implementation

Thanks Paul,

Some progress: it seems that the iface-ip= directive is causing the failure to start. If I don't include this directive and only use ipsec-interface=yes, an interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this afterwards, though.

This is the error I get when including the iface-ip= statement:

cannot load config '/etc/ipsec.conf': /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]

I have tried adding a number of ipsec interfaces; it would appear that 2 per external interface is the limit.

Regards Paul

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: 18 February 2020 17:18
To: Paul Overton <Paul at trustedcyber.co.uk>
Cc: Swan at lists.libreswan.org
Subject: Re: [Swan] Version 3.30 XFRM implementation

On Tue, 18 Feb 2020, Paul Overton wrote:

> I have just updated one of my machines to run Version 3.30 from 3.29.

> I would like to change this to use XFRM, and note the new directives 
> ipsec-interface= and iface-ip=, I have tried using these directives, but Pluto hangs on restart when I try.

We have not experienced that. Can you perhaps get more logs and/or strace output to see what's going on?

> Are there any definitive instructions/examples of the configuration
> and do I need to preload any of the kernel modules?

If you run with our init system support, which calls _stackmanager, then it should already load the xfrm_interface.ko module.
