libreswan: uci configuration support #19079
Conversation
|
wouldn't be best to also have a template file ? |
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
c744780 to
2ca90a6
Compare
yes, @lucize Added a config and example commented sections in the config file with details |
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
2ca90a6 to
946bdb0
Compare
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
946bdb0 to
a1362d1
Compare
|
I'll try to give it a spin in this weekend |
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
a1362d1 to
3a6ce7f
Compare
Thanks, I have noticed in testing that the libreswan site-to-site tunnel config does not work with IKEv2 but works with IKEv1. I reverted to libreswan version 4.2 and it works fine on that version. LuCI app for the same is also ready PR for the same is opened. |
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
3a6ce7f to
f27a980
Compare
|
the handle of vti, I'm not so sure, usually I define the vti interfaces via /etc/config/network, but I see that you use |
@lucize , Screenshots for the LuCI app are updated. Yes VTI handling is added here because, in testing, I found, that it can only handle 1 wildcard tunnel, and If the interface already exists it does not manage it correctly. To avoid changes in the existing updown script, and handle that, added a hotplug hook, which would create VTI interface with PLUTO_PEER. |
| @@ -0,0 +1,44 @@ | |||
| #!/bin/sh | |||
There was a problem hiding this comment.
OpenWrt now uses firewall4 which is based on nftables.
It would therefore be good if we support both the old firewall3 (iptables) and the new firewall4 (nftables).
Also, "only" IPv4 is set. Don't we also need this for IPv6?
This should also be stored as a separate hotplug script and not be called via ipsec.user.
net/libreswan/Makefile
Outdated
| $(1)/etc/ipsec.d/policies \ | ||
| $(1)/usr/libexec/ipsec \ | ||
| $(1)/usr/sbin | ||
|
|
||
| $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \ | ||
| $(1)/usr/sbin/ipsec | ||
| $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec | ||
| $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf | ||
| $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets |
There was a problem hiding this comment.
I would prefer that we do not copy the data generically, but that we specify each file.
That way we can work with INSTALL_DATA or INSTALL_BIN.
This makes it clearer what is installed where and how.
Otherwise we have to maintain the execution flags in git.
| @@ -0,0 +1,7 @@ | |||
| #!/bin/sh | |||
There was a problem hiding this comment.
Shouldn't we use a separate hotplug directory here, libreswan? Because if someone also installs strongswan we will have a problem here.
| ;; | ||
| esac | ||
| + | ||
| +/sbin/hotplug-call ipsec |
There was a problem hiding this comment.
I think better would be here
/sbin/hotplug-call libreswan
| @@ -0,0 +1,31 @@ | |||
| #!/bin/sh | |||
There was a problem hiding this comment.
I don't think the creation of configurations is so good thing here!
I wouldn't expect that as a user.
You have to think about on a firmware upgrade here.
Can we not solve this differently
jempatel
force-pushed
the
improve_libreswan-uci
branch
2 times, most recently
from
247e678 to
9bfb459
Compare
jempatel
force-pushed
the
improve_libreswan-uci
branch
from
9bfb459 to
6155b82
Compare
Maintainer: @lucize @feckert
Run tested: x86-64, aarch64, virtual box, marvell_armada-3720-db
Description:
Add libreswan UCI configuration and hotplug support
packaged uci config (/etc/config/libreswan) file provides examples/details with commented sections.
UCI sections:
globals
init script would read globals UCI section and generate ipsec.conf.
tunnel
init script would read all tunnel sections and it would generate each connection config in /var/run/ipsec/conf.d/<conn_name>.conf
crypto_proposal
policies of each tunnel section would be referenced from crypto_proposal sections.