public inbox for development@lists.ipfire.org
* IPsec: Include ipsec.user.conf at the bottom
@ 2015-05-19 14:32 Larsen
  2015-05-19 14:35 ` Michael Tremer
From: Larsen @ 2015-05-19 14:32 UTC
  To: development


Hi,

I noticed that in "/var/ipfire/vpn/ipsec.conf" the line "include  
/etc/ipsec.user.conf" is placed at the top instead of the bottom.
For us, this leads to the problem that our configuration from  
"ipsec.user.conf" is overwritten by the default configuration from  
"ipsec.conf" when it should be the other way around. Therefore, after a  
restart of the IPsec server (iirc), I have to manually fix this problem by  
moving the line from top to bottom.

Is this by design or is this a bug?

Using IPFire 2.17 (i586) - Core Update 89


Lars


* Re: IPsec: Include ipsec.user.conf at the bottom
  2015-05-19 14:32 IPsec: Include ipsec.user.conf at the bottom Larsen
@ 2015-05-19 14:35 ` Michael Tremer
  2015-05-19 14:55   ` Larsen
From: Michael Tremer @ 2015-05-19 14:35 UTC
  To: development


Hi,

this is intentional because I use this configuration file only to change
some default settings by adding: conn %default and sometimes using the
setup section. That doesn't work when it is at the bottom.

Depending on whatever you want to do: Isn't it better to integrate that
configuration into the CGI script?

-Michael

On Tue, 2015-05-19 at 16:32 +0200, Larsen wrote:
> Hi,
> 
> I noticed that in "/var/ipfire/vpn/ipsec.conf" the line "include  
> /etc/ipsec.user.conf" is placed at the top instead of the bottom.
> For us, this leads to the problem that our configuration from  
> "ipsec.user.conf" is overwritten by the default configuration from  
> "ipsec.conf" when it should be the other way around. Therefore, after a  
> restart of the IPsec server (iirc), I have to manually fix this problem by  
> moving the line from top to bottom.
> 
> Is this by design or is this a bug?
> 
> Using IPFire 2.17 (i586) - Core Update 89
> 
> 
> Lars


* Re: IPsec: Include ipsec.user.conf at the bottom
  2015-05-19 14:35 ` Michael Tremer
@ 2015-05-19 14:55   ` Larsen
From: Larsen @ 2015-05-19 14:55 UTC
  To: development


Hi,

> this is intentional because I use this configuration file only to change
> some default settings by adding: conn %default and sometimes using the
> setup section. That doesn't work when it is at the bottom.

Which config file exactly do you use?
It sounds like you are using "ipsec.user.conf", but I see "conn %default"  
in "ipsec.conf".

Perhaps we can simply have two includes? One at the top and one at the  
bottom?


> Depending on whatever you want to do: Isn't it better to integrate that
> configuration into the CGI script?

A co-worker has set up IPsec so I am not deeply familiar with why he chose to
configure it like he did. Afaik, he was following the wiki, but I also
know that this didn't go smoothly and he had to correct things with the help
of the forum.
That being said, at the moment IPFire creates the entries in "ipsec.conf"  
and we add the following stuff to "ipsec.user.conf":

conn jdoepc
         leftsubnet=0.0.0.0/0
         leftallowany=yes
         rightsubnet=192.168.110.0/24
         rightsourceip=192.168.110.118
         rekey=no

Is there a better way to do this?
We need "rekey=no" for the connection to be stable with Win7 (more on that  
in a later post).


Lars
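
A check for the include ordering discussed in this thread, added here as an example; it is not part of any message above and not IPFire code. The function name, the result labels and the sample file contents are constructed for illustration, and the check only reports line positions without assuming how the IPsec daemon resolves duplicate settings.

```shell
#!/bin/sh
# Added example (not IPFire code): classify where the line
# "include /etc/ipsec.user.conf" sits relative to the conn sections.
# Result: top | bottom | top+bottom | between | missing | noconn

include_position() {
    # $1 = ipsec.conf to inspect; $2 = included path (default: the one in the thread)
    awk -v inc="${2:-/etc/ipsec.user.conf}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # ignore comments and blank lines
        /^include[ \t]/ && $2 == inc { where[++n] = NR; next }
        /^conn[ \t]/ { if (!first) first = NR }    # first conn section header
        { last = NR }                              # last line of any other content
        END {
            if (!n)     { print "missing"; exit }
            if (!first) { print "noconn";  exit }
            for (i = 1; i <= n; i++) {
                if (where[i] < first)     top = 1
                else if (where[i] > last) bottom = 1
                else                      mid = 1
            }
            if (mid)                print "between"
            else if (top && bottom) print "top+bottom"
            else if (top)           print "top"
            else                    print "bottom"
        }
    ' "$1"
}

# Constructed sample, not a real IPFire-generated file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
include /etc/ipsec.user.conf

conn %default
        keyingtries=%forever

conn jdoepc
        leftsubnet=0.0.0.0/0
        rightsubnet=192.168.110.0/24
EOF
echo "include position: $(include_position "$sample")"
rm -f "$sample"
```

Pointing the function at /var/ipfire/vpn/ipsec.conf after an IPsec restart shows whether a manually moved include line is back at the top.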
