Page MenuHomeVyOS Platform
Create Task
Maniphest T71

Add charon settings to 1.2.x configuration CLI
Open, NormalPublicFEATURE REQUEST
Actions

Description

There are several settings in /etc/strongswan.d/charon.conf that should be configurable.

install_routes and install_virtual_ip in particular have defaults that tend to cause me grief.

Details

Difficulty level
Normal (likely a few hours)
Version
20160524 nightly build
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects
Search...

Event Timeline

abferm created this task.May 24 2016, 8:19 PM
abferm added a comment.May 24 2016, 8:37 PM

install_routes sets a default route in table 220. If this happens on both ends of the tunnel you end up with a circular route.
install_virtual_ip attempts to install an address on the local interface for the ip used in the tunnel

syncer triaged this task as Wishlist priority.May 25 2016, 3:36 AM
EwaldvanGeffen added a subscriber: EwaldvanGeffen.May 25 2016, 7:08 PM

abferm, could you work out which other settings would be typically employed w/ a syntax proposal. This way we would implement all at once (saving time).

abferm added a comment.May 26 2016, 2:03 PM

The full list of options is available here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

I can search around and see if I can find any examples of people changing these options and figure out which are commonly used.

As far as syntax, how does putting them in a subsection of "vpn ipsec" called 'daemon' sound, ie: 'set vpn ipsec daemon install_routes no"

abferm added a comment.May 26 2016, 6:52 PM

I've found examples of people setting accept_unencrypted_mainmode_messages, cisco_unity, ikesa_table_segments, ikesa_table_size, and init_limit_half_open.

However, reading through the descriptions many of the options sound useful. It shouldn't be too hard to implement all of them, should it?

syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x (1.1.8).Dec 14 2016, 1:25 PM
syncer added a subscriber: VyOS 1.2 Crux.
c-po mentioned this in T415: Beta ISO VTI Tunnel.Dec 26 2017, 9:12 PM
syncer raised the priority of this task from Wishlist to High.Jun 25 2018, 10:06 AM
syncer merged a task: T415: Beta ISO VTI Tunnel.Jun 25 2018, 12:02 PM
syncer added a subtask: T628: StrongSwan requires configuration change for proper routing over VTI..
syncer added subscribers: volga629, c-po, pasik and 2 others.
syncer assigned this task to dmbaturin.Sep 25 2018, 2:17 PM
dmbaturin closed subtask T628: StrongSwan requires configuration change for proper routing over VTI. as Resolved.Sep 25 2018, 6:04 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 18 2018, 5:47 AM
syncer reopened subtask T628: StrongSwan requires configuration change for proper routing over VTI. as Open.Oct 22 2018, 9:05 PM
syncer closed subtask T628: StrongSwan requires configuration change for proper routing over VTI. as Resolved.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
syncer lowered the priority of this task from High to Normal.Nov 9 2018, 8:55 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).
c-po mentioned this in T628: StrongSwan requires configuration change for proper routing over VTI..Sep 16 2019, 5:26 PM
dmbaturin added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 20 2020, 3:44 PM
Viacheslav edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.Feb 5 2021, 9:52 AM
Viacheslav changed Difficulty level from Easy (less than an hour) to Normal (likely a few hours).
Viacheslav set Is it a breaking change? to Unspecified (possibly destroys the router).