Re: [Development] Strongswan 5.0.0

From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Development] Strongswan 5.0.0
Date: Tue, 07 Aug 2012 13:09:12 +0200	[thread overview]
Message-ID: <5020F758.4070105@ipfire.org> (raw)
In-Reply-To: <1344287515.7540.32.camel@rice-oxley.tremer.info>

[-- Attachment #1: Type: text/plain, Size: 2458 bytes --]

Hello Michael,

your commands work without any problems - IPSec will be stopped an 
started as I already have written.

After some work I found the problem in the vpnmain.cgi. In the shipped 
file of your update, there is the line missing which stores
the information if the service is enabled or not. After I've manually 
added it again, I was able to stop and disable IPSec from the WUI.

I've created a patchfile for you - please check and apply it.

Thanks

Stefan
> Please try to manually stop strongswan with the helper tool:
>
> ipsecctrl D
>
> Try to start it again with:
>
> ipsecctrl S
>
> On Mon, 2012-08-06 at 21:48 +0200, Stefan Schantl wrote:
>> Hello Michael,
>>
>> I've tested to stop IPSec from shell which worked without problems. But
>> if I try to disable and stop it from the WUI, by
>> unsing the checkbox the service does a restart and no shutdown.
>>
>> I've looked inside the error_log from the httpd, and found the following
>> lines:
>>
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>> enabled on orange but orange interface is invalid or not found, referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec
>> enabled on blue but blue interface is invalid or not found, referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping
>> strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting
>> strongSwan 5.0.0 IPsec [starter]..., referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>> [Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer:
>> https://gate.xxx:444/cgi-bin/vpnmain.cgi
>>
>> Why are there entries about an orange and blue network, I don't have one
>> of them......
>>
>> Do you have any idea about that ?
>>
>> Stefan
>>
>>> On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
>>>> The only bad point, I've to report is, that after the update I can't
>>>> disable IPSec over the WUI anymore - may other testers will report the
>>>> same issue.
>>> What is the exact problem? Did you get an internal server error from the
>>> CGI script? Need a more precise error report.
>>>
>>> Michael
>>>
>>>
>> _______________________________________________
>> SIG-VPN mailing list
>> SIG-VPN(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/sig-vpn
>


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: ipsec-fix-stopping-on-wui.patch --]
[-- Type: text/x-patch, Size: 496 bytes --]

# This patch fixes the problem, to disable and stop the complete IPSec service
# by using the Webinterface.

--- vpnmain.cgi_old	2012-08-07 12:58:31.701086700 +0200
+++ vpnmain.cgi	2012-08-07 12:55:44.627624624 +0200
@@ -436,6 +436,7 @@
 	goto SAVE_ERROR;
     }
 
+    $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
     $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
     $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
     $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
