Hi,
I noticed that in "/var/ipfire/vpn/ipsec.conf" the line "include /etc/ipsec.user.conf" is placed at the top instead of the bottom. For us, this leads to the problem that our configuration from "ipsec.user.conf" is overwritten by the default configuration from "ipsec.conf" when it should be the other way around. Therefore, after a restart of the IPsec server (iirc), I have to manually fix this problem by moving the line from top to bottom.
Is this by design or is this a bug?
Using IPFire 2.17 (i586) - Core Update 89
Lars
Hi,
this is intentional because I use this configuration file only to change some default settings by adding: conn %default and sometimes using the setup section. That doesn't work when it is at the bottom.
Depending on whatever you want to do: Isn't it better to integrate that configuration into the CGI script?
-Michael
On Tue, 2015-05-19 at 16:32 +0200, Larsen wrote:
> Hi,
> I noticed that in "/var/ipfire/vpn/ipsec.conf" the line "include /etc/ipsec.user.conf" is placed at the top instead of the bottom. For us, this leads to the problem that our configuration from "ipsec.user.conf" is overwritten by the default configuration from "ipsec.conf" when it should be the other way around. Therefore, after a restart of the IPsec server (iirc), I have to manually fix this problem by moving the line from top to bottom.
> Is this by design or is this a bug?
> Using IPFire 2.17 (i586) - Core Update 89
> Lars
> Hi,
> this is intentional because I use this configuration file only to change some default settings by adding: conn %default and sometimes using the setup section. That doesn't work when it is at the bottom.
Which config file exactly do you use? It sounds like you are using "ipsec.user.conf", but I see "conn %default" in "ipsec.conf".
Perhaps we can simply have two includes? One at the top and one at the bottom?
> Depending on whatever you want to do: Isn't it better to integrate that configuration into the CGI script?
A co-worker has set up IPsec so I am not deeply familiar why he chose to configure it like he did. Afaik, he was following the wiki, but I also know that this didn't go smoothly and he had to correct things with help of the forum. That being said, at the moment IPFire creates the entries in "ipsec.conf" and we add the following stuff to "ipsec.user.conf":
    conn jdoepc
        leftsubnet=0.0.0.0/0
        leftallowany=yes
        rightsubnet=192.168.110.0/24
        rightsourceip=192.168.110.118
        rekey=no
Is there a better way to do this? We need "rekey=no" for the connection to be stable with Win7 (more on that in a later post).
Lars
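
The overlap discussed in this thread can be audited before the include line is moved. The following Python script is an added example, not part of the original messages or of IPFire; the contents of MAIN are constructed, and the script only lists keys that both files set differently for the same section, without deciding which file takes precedence.

```python
import re

SECTION = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

# Constructed stand-in for the generated ipsec.conf (values are assumptions).
MAIN = """\
include /etc/ipsec.user.conf

conn jdoepc
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.110.0/24
    rekey=yes
"""

# The ipsec.user.conf entry quoted in the thread.
USER = """\
conn jdoepc
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rightsubnet=192.168.110.0/24
    rightsourceip=192.168.110.118
    rekey=no
"""

def parse_sections(text):
    """Return {(type, name): {key: value}} for ipsec.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header or include line
            m = SECTION.match(line)
            current = (m.group(1), m.group(2)) if m else None
            if current:
                sections.setdefault(current, {})
        elif current and "=" in line:  # indented key=value inside a section
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def conflicts(main_text, user_text):
    """Keys given different values for the same section in both files."""
    main, user = parse_sections(main_text), parse_sections(user_text)
    return [(sec[1], key, main[sec][key], user[sec][key])
            for sec in sorted(set(main) & set(user))
            for key in sorted(set(main[sec]) & set(user[sec]))
            if main[sec][key] != user[sec][key]]

for name, key, a, b in conflicts(MAIN, USER):
    print(f"conn {name}: {key}={a} in ipsec.conf, {key}={b} in ipsec.user.conf")
```

Every key it reports is one whose effective value depends on where the include line sits, so those are the settings to re-check after a restart regenerates "ipsec.conf".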