Just stumbled across this in vpnmain.cgi: "/etc/ipsec.user-post.conf"
When this file exists, it will be included. So apparently, we were using the wrong file (or the documentation is missing that - I don't know where my co-worker got it from).
Lars
On Tue, 19 May 2015 17:07:41 +0200, Heribert Schorn Schorn@t-online.de wrote:
Hi,
I agree with Larsen's suggestion to have the include also at the bottom. With the include statement at the top, the settings of ipsec.user.conf are overwritten and the connection, e.g. to iOS or Android, will not work following the proposal in the wiki or the forum.
regards Heribert
Yeah I thought that this was going in some of these directions where you want to add really bad configuration directives like rekey=no. We will discuss that in the other thread on this list though...
I generally oppose having too many "hidden" include files that can be used to overwrite the basic configuration. They often give us a headache when we touch things because eventually we will break some of those manual settings. We keep telling ourselves that this is fine because we never said that we supported them anyway. But that is not really a valid point.
The better option should be to not need those files.
-Michael
On Tue, 2015-05-19 at 17:28 +0200, Larsen wrote:
Just stumbled across this in vpnmain.cgi: "/etc/ipsec.user-post.conf"
When this file exists, it will be included. So apparently, we were using the wrong file (or the documentation is missing that - I don't know where my co-worker got it from).
Lars
On Tue, 19 May 2015 17:07:41 +0200, Heribert Schorn Schorn@t-online.de wrote:
Hi,
I agree with Larsen's suggestion to have the include also at the bottom. With the include statement at the top, the settings of ipsec.user.conf are overwritten and the connection, e.g. to iOS or Android, will not work following the proposal in the wiki or the forum.
regards Heribert
I generally oppose having too many "hidden" include files that can be used to overwrite the basic configuration. They often give us a headache when we touch things because eventually we will break some of those manual settings. We keep telling ourselves that this is fine because we never said that we supported them anyway. But that is not really a valid point.
I think it is also normal for other projects to give the user the opportunity to configure things manually. The user is able to quickly fix problems if they need a special configuration. Otherwise, he would have to wait for the project to implement code for his special need, which could take a lot of time.
Therefore, I think it's absolutely normal and fine to offer user.confs with the limitation that the user.conf might break stuff. Here, the user is responsible and I guess the majority is fine with that.
Small patch to add a test around the first include as for the last include:
--- /srv/web/ipfire/cgi-bin/vpnmain.cgi.org 2015-05-19 17:42:52.944050515 +0200 +++ /srv/web/ipfire/cgi-bin/vpnmain.cgi 2015-05-19 17:43:49.951598841 +0200 @@ -253,8 +253,10 @@ print CONF "\n";
# Add user includes to config file - print CONF "include /etc/ipsec.user.conf\n"; - print CONF "\n"; + if (-e "/etc/ipsec.user.conf") { + print CONF "include /etc/ipsec.user.conf\n"; + print CONF "\n"; + }
print SECRETS "include /etc/ipsec.user.secrets\n";
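Review bot: The new -e test around the "include /etc/ipsec.user.conf" line only checks that the path exists at the moment vpnmain.cgi writes the config, so a directory or an unreadable file at that path still produces the include line, and a file created afterwards is not picked up until the config is written again; testing with -f together with -r would be stricter. The context line print SECRETS "include /etc/ipsec.user.secrets\n"; is still emitted unconditionally, so if a missing file is the concern the same guard is absent there. The description should also state what goes wrong with the unguarded include, since the patch leaves the include at its current position and does not address the ordering problem discussed in this thread.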
Lars