luci-app-libreswan: Add LuCI for Libreswan

[jempatel]

A new app for Libreswan IPSec with LuCI Support.

We also need openwrt/packages#19079
We also need openwrt/packages#19233

Screenshots from the new Luci App Libreswan:

Overview:

Globals:

Proposals:

Proposals Edit:

Tunnels:

Tunnels (General):

Tunnels (Authentication):

Tunnels (Interface):

Tunnels (Advanced):

[systemcrash]

Looks good, logical. Problems with 0.0.0.0/0 masks - IPv4 only. The GUI assumes that the necessary kernel modules are installed (and loaded). Have you tested in the absence of a (configured for use) crypto module?

It's a start. Handling certs would be a good improvement, but increases complexity, ofc.

[jempatel]

Looks good, logical. Problems with 0.0.0.0/0 masks - IPv4 only. The GUI assumes that the necessary kernel modules are installed (and loaded). Have you tested in the absence of a (configured for use) crypto module?

It's a start. Handling certs would be a good improvement, but increases complexity, ofc.

Did not get you with "Problems with 0.0.0.0/0 masks - IPv4 only",

• Remote/Local Subnets are allowed with datatype ipaddr, so it should allow ipv4 and ipv6 both.

The GUI assumes that the necessary kernel modules are installed (and loaded).

• App is installed with LUCI_DEPENDS libreswan and libreswan has all module dependencies handled, I also have checked other apps, but could not find any app that might be checking for the module is loaded or not, Can you pls point me any reference of what you meant here?

[systemcrash]

Just a thought, but given that libreswan and strongswan are virtually identical, can this GUI be dual purpose and used for both? I actually don't know what needs to be done in the package descriptions and/or permissions files, but maybe @jow has a tip here.

[lucize]

wanted to test with latest, does it need some updates ?

[jempatel]

wanted to test with latest, does it need some updates ?

I have rebased the current branch with the latest master and Its working fine at my end. Can you pls check again?

[lucize]

so I used the today master and still the same error on this page, I also cleared the config file and it's the same for me

[jempatel]

so I used the today master and still the same error on this page, I also cleared the config file and it's the same for me

I got it, there was actually a syntax error, and the fix is pushed. Weird, It was not reporting in private/incognito mode at my end.

[lucize]

great stuff, it works

Sun Jan 29 16:08:44 2023 authpriv.warn pluto[8684]: "forti/1x1" #2: initiator established Child SA using #1; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP=>0x6b4ab02b <0xf4081b5d xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATD=x.x.x.x:4500 DPD=active}

[lucize]

Tested-by: Lucian [email protected]

[systemcrash]

minlength(8)

[jempatel]

Corrected

[systemcrash]

Preshared Key

Also, please add never and null types. Useful to some.

[jempatel]

Added

[systemcrash]

Please change this default, and mark 3des with a *, and a GUI note explaining it as unsafe.

[jempatel]

Updated

[systemcrash]

Mark AES as default.

[jempatel]

Updated

[systemcrash]

Mark this hash with a *:
o.value('md5', _('MD5*'));

[jempatel]

Updated

[systemcrash]

Mark this hash with a *:
o.value('sha1', _('SHA1*'));

• Move to a better, more collision resistant hash.

[jempatel]

Updated

[systemcrash]

Please add multiple values to choose from (and hint in readable text the amount of hours it represents), and permit the user to enter their own values.

If the current libreswan version is >=4.2, then the default is 8h.

I do not think that this should be an unsigned integer...

[systemcrash]

Suggestions: 1h, 2h, 4h, 8h, 12h, 16, 24h, custom...

[jempatel]

Updated

[systemcrash]

This needs a depends where authentication = secret - future iterations may add other auth methods.

[systemcrash]

Have you tested what happens here with an IPv6?

[jempatel]

This app version does not support IPv6, getIPAddrs only returns IPv4 addresses.

        /**                                                                          
         * Query all IPv4 addresses of the logical interface.                        
         *                                                                           
         * @returns {string[]}                                                      
         * Returns an array of IPv4 addresses in CIDR notation which have been
         * registered by the protocol handler. The order of the resulting array
         * follows the order of the addresses in `ubus` runtime information.
         */
        getIPAddrs: function() {

[zcracker]

Why can't it be merged, this app is very much needed

[sjkhsl]

Error after latest main build

RPCError
RPC call to uci/get failed with ubus code 4: Resource not found
  at ClassConstructor.handleCallReply (https://192.168.79.128/luci-static/resources/rpc.js?v=git-23.156.69953-fa775ee:15:3)

[lucize]

tested it today on master and I don't have that issue, all seems to work

[systemcrash]

@jempatel can you address my comments, and let me know when you're done.

[jempatel]

@jempatel can you address my comments, and let me know when you're done?

Sure, Let me address the comments and test changes.

[systemcrash]

Sure, Let me address the comments and test changes.

If you did something, nothing has changed here...

[jempatel]

Sure, Let me address the comments and test changes.

If you did something, nothing has changed here...

I've recently rebased the master branches of both luci and packages feeds in order to synchronize all the latest changes. Now I am testing my local changes with fresh firmware build and separate package installation on installed firmware. Once the testing confirms that everything is functioning correctly, I will re-request for review.

[jempatel]

This PR depends on
openwrt/packages#19233

[jempatel]

Sure, Let me address the comments and test changes.

If you did something, nothing has changed here...

@systemcrash all the comments are addressed and PR in packages is also merged now. If everything is fine, we can merge this as well

[systemcrash]

Almost, you have the right values there, but they should be made translation (i18n) friendly.

e.g.

o.value('secret', 'Shared Secret');

should be

o.value('secret', _('Shared Secret'));

[systemcrash]

update to e.g.:

		o = s.taboption('general', form.MultiValue, 'encryption_algorithm', _('Encryption Method'), _('* = unsafe'));

[jempatel]

Updated

[systemcrash]

Just 3DES*

[systemcrash]

With ofc

		o = s.taboption('general', form.MultiValue, 'encryption_algorithm', _('Encryption Method'), _('* = unsafe'));

[jempatel]

Updated

[systemcrash]

Add comment _('* = unsafe. See <a href="%s">RFC8247</a>.').format('https://www.rfc-editor.org/rfc/rfc8247#section-2.4')

[jempatel]

Updated

[systemcrash]

Mark dh22 as DH Group 22*

[jempatel]

Updated

[systemcrash]

Mark with *

[systemcrash]

with ofc

		o = s.taboption('general', form.MultiValue, 'dh_group', _('DH Group'), _('* = unsafe'));

[jempatel]

Updated

[systemcrash]

🔍 🧐

[systemcrash]

@jempatel please fix these most recent additions

[jempatel]

@jempatel please fix these most recent additions

Done

[systemcrash]

Be sure that translatable sections start with _.

[jempatel]

Its already handled inside the format function except string "See"

[systemcrash]

Perhaps just put See also in with Unsafe, e.g. _('Unsafe, See')

[jempatel]

Updated

[systemcrash]

Ok good. @jow- @hnyman any other reviewers? I'm largely satisfied.

[jow-]

I held back merging this as the underlying packages PR were open for a long time, but it seems they finally got merged last week, so let's go ahead! We can still continue polishing this in subsequent PRs if the need arises.

@jempatel - thanks a lot for your effort and patience.

[jow-]

Merged via 9f65244

[systemcrash]

@jempatel looks like you missed the 15m -> 15h thing I flagged in the review.

[jempatel]

@jempatel looks like you missed the 15m -> 15h thing I flagged in the review.

Ahh, Yup I missed that. Looks like someone had already updated and merged that to master.