* Re: AW: IPsec: Include ipsec.user.conf at the bottom
[not found] <2057840161555b51bd851b23.05965494@email.t-online.de>
@ 2015-05-19 15:28 ` Larsen
2015-05-19 15:34 ` Michael Tremer
0 siblings, 1 reply; 3+ messages in thread
From: Larsen @ 2015-05-19 15:28 UTC (permalink / raw)
To: development
Just stumbled across this in vpnmain.cgi:
"/etc/ipsec.user-post.conf"
When this file exists, it will be included. So apparently, we were using
the wrong file (or the documentation is missing that - I don't know where
my co-worker got it from).
Lars
On Tue, 19 May 2015 17:07:41 +0200, Heribert Schorn <Schorn(a)t-online.de>
wrote:
> Hi,
>
> I agree with Larsen's suggestion to have the include also at the bottom.
> With the include statement on the top the settings of ipsec.user.conf
> are overwritten and the connection e.g. to iOS or Android will not work
> following the proposal in the wiki or the forum.
>
> regards
> Heribert
* Re: AW: IPsec: Include ipsec.user.conf at the bottom
2015-05-19 15:28 ` AW: IPsec: Include ipsec.user.conf at the bottom Larsen
@ 2015-05-19 15:34 ` Michael Tremer
2015-05-19 15:44 ` Larsen
0 siblings, 1 reply; 3+ messages in thread
From: Michael Tremer @ 2015-05-19 15:34 UTC (permalink / raw)
To: development
Yeah I thought that this was going in some of these directions where you
want to add really bad configuration directives like rekey=no. We will
discuss that in the other thread on this list though...
I generally oppose having too many "hidden" include files that can be
used to overwrite the basic configuration. They often give us a headache
when we touch things because eventually we will break some of those
manual settings. We keep telling ourselves that this is fine because we
never said that we supported them anyway. But that is not really a
valid point.
The better option should be to not need those files.
-Michael
On Tue, 2015-05-19 at 17:28 +0200, Larsen wrote:
> Just stumbled across this in vpnmain.cgi:
> "/etc/ipsec.user-post.conf"
>
> When this file exists, it will be included. So apparently, we were using
> the wrong file (or the documentation is missing that - I don't know where
> my co-worker got it from).
>
>
> Lars
>
>
>
> On Tue, 19 May 2015 17:07:41 +0200, Heribert Schorn <Schorn(a)t-online.de>
> wrote:
>
> > Hi,
> >
> > I agree with Larsen's suggestion to have the include also at the bottom.
> > With the include statement on the top the settings of ipsec.user.conf
> > are overwritten and the connection e.g. to iOS or Android will not work
> > following the proposal in the wiki or the forum.
> >
> > regards
> > Heribert
* Re: AW: IPsec: Include ipsec.user.conf at the bottom
2015-05-19 15:34 ` Michael Tremer
@ 2015-05-19 15:44 ` Larsen
0 siblings, 0 replies; 3+ messages in thread
From: Larsen @ 2015-05-19 15:44 UTC (permalink / raw)
To: development
> I generally oppose having too many "hidden" include files that can be
> used to overwrite the basic configuration. They often give us a headache
> when we touch things because eventually we will break some of those
> manual settings. We keep telling ourselves that this is fine because we
> never said that we supported them anyway. But that is not really a
> valid point.
I think it is also normal for other projects to give the user the
opportunity to configure things manually. The user is able to quickly fix
problems if they need a special configuration. Otherwise, he would have to
wait for the project to implement code for his special need which could
take a lot of time.
Therefore, I think it's absolutely normal and fine to offer user.confs
with the limitation that the user.conf might break stuff. Here, the user
is responsible and I guess the majority is fine with that.
Small patch to add a test around the first include as for the last include:
--- /srv/web/ipfire/cgi-bin/vpnmain.cgi.org 2015-05-19
17:42:52.944050515 +0200
+++ /srv/web/ipfire/cgi-bin/vpnmain.cgi 2015-05-19 17:43:49.951598841 +0200
@@ -253,8 +253,10 @@
print CONF "\n";
# Add user includes to config file
- print CONF "include /etc/ipsec.user.conf\n";
- print CONF "\n";
+ if (-e "/etc/ipsec.user.conf") {
+ print CONF "include /etc/ipsec.user.conf\n";
+ print CONF "\n";
+ }
print SECRETS "include /etc/ipsec.user.secrets\n";
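Review bot: the new `-e "/etc/ipsec.user.conf"` test is evaluated when vpnmain.cgi writes the config, not when the config is loaded, so a user file created afterwards is silently left out until the config is written again; a comment next to the `if` should say so. `-e` is also true for a directory or an unreadable path, so `-f` (optionally combined with `-r`) would be the tighter check before emitting the include line. The `print SECRETS "include /etc/ipsec.user.secrets\n";` line directly below stays unconditional, which leaves the two user includes behaving differently; either guard both the same way or note why only the first one is guarded.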
Lars