[Swan] Version 3.30 XFRM implementation

Paul Wouters paul at nohats.ca
Wed Feb 19 18:22:00 UTC 2020


On Wed, 19 Feb 2020, Paul Overton wrote:

> I believe the correct keyword for specifying the XFRMi ipsec interface IP is: interface-ip preceded by either right or left. However, presently when specified this comes up as obsolete.

Yes, iface-ip was an internal name only. We renamed it. And indeed it
is leftinterface-ip= / rightinterfaceip= but it was not clear to me
this was the outcome of our internal discussion on whether it should be
left/right or not.

And it was mistakenly marked as "obsolete".

And its value is currently unused :/

I'll have to get back to you later when we fix this up. Sorry about
that. For now, do not use the option and configure any IP you need
configured manually.

Paul



> In the CHANGES document, it is suggested that the new command is "iface-ip" but there is no code to support this so far as I can see.
>
> Do we assume that the code to do this has not yet been written ?
>
> Regards Paul
>
> -----Original Message-----
> From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Paul Overton
> Sent: 19 February 2020 11:11
> To: Paul Wouters <paul at nohats.ca>
> Cc: Swan at lists.libreswan.org
> Subject: Re: [Swan] Version 3.30 XFRM implementation
>
> Thanks Paul,
>
> Some progress: it seems that the iface-ip= directive is causing the failure to start. If I don't include this directive, and only use ipsec-interface=yes, an interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this after though.
>
> This is the error I get when including the iface-ip= statement:
>
> cannot load config '/etc/ipsec.conf': /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]
>
> I have tried adding a number of ipsec interfaces; it would appear that 2 per external interface is the limit.
>
> Regards Paul
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Sent: 18 February 2020 17:18
> To: Paul Overton <Paul at trustedcyber.co.uk>
> Cc: Swan at lists.libreswan.org
> Subject: Re: [Swan] Version 3.30 XFRM implementation
>
> On Tue, 18 Feb 2020, Paul Overton wrote:
>
>> I have just updated one of my machines to run Version 3.30 from 3.29.
>
>> I would like to change this to use XFRM, and note the new directives
>> ipsec-interface= and iface-ip=, I have tried using these directives, but Pluto hangs on restart when I try.
>
> We have not experienced that. Can you perhaps get more logs and/or strace output to see what's going on?
>
>> Are there any definitive instructions/examples of the configuration
>> and do I need to preload any of the kernel modules ?
>
> if you run with our init system support, which calls _stackmanager, then it should already load the xfrm_interface.ko module.
>
> Paul