Hello,
as Core Update 61 has now been released, it is time to go on with developments for the next one:
I have updated strongswan to version 5.0.0 which finally removes the pluto daemon which was responsible for IKEv1 connections. However, pluto has gotten very old and was created at the beginning of the IPsec for Linux development back in freeswan times.
charon was introduced by strongswan some time ago when IKEv2 connections got supported. It handles IKEv1 connections as well as IKEv2 connections since strongswan version 5.0.0.
What are the benefits for IPFire?
As mentioned earlier, pluto is very old and got very hard to maintain. There have been problems with VPNs that terminate at hosts with dynamic IP addresses, so we needed to restart the entire IPsec subsystem in intervals of 5 minutes. This caused some trouble in stability terms.
charon handles those dynamic endpoints much better without the need to restart anything. Connections may now be added and removed smoothly and in total there should be much more connection stability.
There is also some new code for hybrid IPsec VPNs which can be used with Android 4 and maybe Apple iOS. I have not done any investigation on this topic, because I am not interested, but hopefully somebody else gives it a shot.
I have now packaged the changes into a small package which wants to be installed on your system.
http://people.ipfire.org/~ms/unsupported/core-upgrade-2.11-strongswan.ipfire
It should not require any manual interaction at all. Please install and give me feedback about the connection stability and the interoperability with other (proprietary) implementations.
I am looking forward to it.
Michael
P.S. If you reply to this mail make sure to keep both mailing lists.
Hello Michael,
I've successfully installed the new version of strongswan on my IPFire 2 system.
VPN over IPSec still works perfectly - tested with IKEv1 and IKEv2 connections.
The only bad point I have to report is that after the update I can't disable IPSec over the WUI anymore - maybe other testers will report the same issue.
Best regards,
Stefan
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
On Mon, 2012-08-06 at 17:21 +0200, Stefan Schantl wrote:
The only bad point I have to report is that after the update I can't disable IPSec over the WUI anymore - maybe other testers will report the same issue.
What is the exact problem? Did you get an internal server error from the CGI script? Need a more precise error report.
Michael
Hello Michael,
I've tested stopping IPSec from the shell, which worked without problems. But if I try to disable and stop it from the WUI by using the checkbox, the service restarts instead of shutting down.
I've looked inside the error_log from the httpd, and found the following lines:
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec enabled on orange but orange interface is invalid or not found, referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec enabled on blue but blue interface is invalid or not found, referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting strongSwan 5.0.0 IPsec [starter]..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
Why are there entries about an orange and a blue network? I don't have either of them...
Do you have any idea about that?
Stefan
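Added example, not code from the thread or from IPFire: a small Python parser for httpd error_log entries in the format Stefan quoted, which replays the "Stopping"/"Starting" messages to show that the WUI action restarted IPsec rather than stopping it, and lists the interfaces the CGI script complained about. The sample log below is constructed from the quoted lines; the 30-second restart window is an assumption.

```python
import re
from datetime import datetime

# Apache error_log entry: [timestamp] [level] [client addr] message, referer: url
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$")

# Constructed sample in the same format as the quoted log (addresses masked as in the thread).
SAMPLE_LOG = """\
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec enabled on orange but orange interface is invalid or not found, referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] IPSec enabled on blue but blue interface is invalid or not found, referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:08 2012] [error] [client 192.168.xxx.xxx] Stopping strongSwan IPsec..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] Starting strongSwan 5.0.0 IPsec [starter]..., referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
[Mon Aug 06 21:42:12 2012] [error] [client 192.168.xxx.xxx] , referer: https://gate.xxx:444/cgi-bin/vpnmain.cgi
"""

def parse_log(text):
    """Return (timestamp, message) tuples for every parseable line, in file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("msg")))
    return events

def final_state(events):
    """Replay the daemon messages; the last one wins: 'running', 'stopped' or 'unknown'."""
    state = "unknown"
    for _, msg in events:
        if msg.startswith("Stopping strongSwan"):
            state = "stopped"
        elif msg.startswith("Starting strongSwan"):
            state = "running"
    return state

def restart_instead_of_stop(events, window_seconds=30):
    """True when a 'Starting' entry follows a 'Stopping' entry within the window (assumed 30 s):
    the symptom from the thread, where the WUI checkbox restarted IPsec instead of stopping it."""
    last_stop = None
    for ts, msg in events:
        if msg.startswith("Stopping strongSwan"):
            last_stop = ts
        elif msg.startswith("Starting strongSwan") and last_stop is not None:
            if (ts - last_stop).total_seconds() <= window_seconds:
                return True
    return False

def invalid_interface_warnings(events):
    """Interfaces the CGI script reported as invalid or missing (orange and blue in the quoted log)."""
    return [iface for _, msg in events
            for iface in re.findall(r"^IPSec enabled on (\w+) but", msg)]
```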
Please try to manually stop strongswan with the helper tool:
ipsecctrl D
Try to start it again with:
ipsecctrl S
SIG-VPN mailing list SIG-VPN@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/sig-vpn
Hello Michael,
your commands work without any problems - IPSec will be stopped and started as I have already written.
After some work I found the problem in vpnmain.cgi. In the file shipped with your update, the line is missing which stores whether the service is enabled or not. After I manually added it again, I was able to stop and disable IPSec from the WUI.
I've created a patchfile for you - please check and apply it.
Thanks
Stefan
Applied, thanks for the fix.
http://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=commitdiff;h=35b5392a958...
So everyone who installs the package needs to manually update the CGI script.
Michael