libreswan / libreswan
https://libreswan.org/

`ipsec up` doesn't work with non-standard location of `ipsec.conf` #1726

Closed igsilya closed 2 months ago

igsilya commented 4 months ago

In Libreswan v5, `ipsec auto` no longer supports the `--config` option:

```
# ipsec auto --config ./my/custom/ipsec.conf
WARNING: ipsec auto has been deprecated
/usr/sbin/ipsec: unknown option "--config" (perhaps command name was omitted?)
```

However, without this option, `ipsec auto --start --asynchronous <name>` calls the `addconn` command with `--config /etc/ipsec.conf`, which is not the config file pluto is running with, e.g.

```sh
# Start pluto against an (initially empty) config under ./my, then write the real config there.
echo > ./my/ipsec.conf
ipsec pluto --config $(pwd)/my/ipsec.conf \
        --ipsecdir $(pwd)/my --nssdir $(pwd)/my/ipsec.d \
        --logfile $(pwd)/my/pluto.log --secretsfile $(pwd)/my/secrets \
        --rundir $(pwd)/my

echo '
config setup
    uniqueids=yes

conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

conn tun-in-1
    left=%defaultroute
    right=10.1.1.2
    authby=secret
    leftprotoport=udp/6081
    rightprotoport=udp

conn tun-out-1
    left=%defaultroute
    right=10.1.1.2
    authby=secret
    leftprotoport=udp
    rightprotoport=udp/6081
' > $(pwd)/my/ipsec.conf
```

```
# ipsec auto --ctlsocket $(pwd)/my/pluto.ctl --config $(pwd)/my/ipsec.conf --start --asynchronous tun-in-1
WARNING: ipsec auto has been deprecated
/usr/sbin/ipsec: unknown option "--config" (perhaps command name was omitted?)

# ipsec auto --ctlsocket $(pwd)/my/pluto.ctl --start --asynchronous tun-in-1
WARNING: ipsec auto has been deprecated
conn 'tun-in-1': not found (tried aliases)
no connection or alias named "tun-in-1"'

# strace -f ipsec auto --ctlsocket $(pwd)/my/pluto.ctl --start --asynchronous tun-in-1 2>&1 | grep 'tun-in-1'
execve("/usr/sbin/ipsec", ["ipsec", "auto", "--ctlsocket", "/root/ovs/libreswan/my/pluto.ctl", "--start", "--asynchronous", "tun-in-1"], 0x7ffc0b6e9328 /* 44 vars */) = 0
[pid 302300] execve("/usr/libexec/ipsec/addconn", ["/usr/libexec/ipsec/addconn", "--config", "/etc/ipsec.conf", "--ctlsocket", "/root/ovs/libreswan/my/pluto.ctl", "tun-in-1"], 0x55ea71c449e0 /* 50 vars */) = 0
                                                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[pid 302300] write(2, "conn 'tun-in-1': not found (trie"..., 43conn 'tun-in-1': not found (tried aliases)
[pid 302301] execve("/usr/libexec/ipsec/whack", ["/usr/libexec/ipsec/whack", "--ctlsocket", "/root/ovs/libreswan/my/pluto.ctl", "--asynchronous", "--name", "tun-in-1", "--initiate"], 0x55ea71c449e0 /* 50 vars */) = 0
[pid 302301] write(1, "no connection or alias named \"tu"..., 41no connection or alias named "tun-in-1"'
```

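
A direct-helper workaround for the hard-coded config path, added here as an example that is not part of this issue or of libreswan's own tooling: it invokes `addconn` and `whack` with the same argument shapes the strace above shows, but passes the custom `--config` that pluto was started with, and first checks that the requested conn is actually defined in that file so a typo fails before anything talks to pluto. The `ADDCONN`/`WHACK` overrides and the `conn_defined` check are assumptions of this example.

```shell
#!/bin/sh
# Workaround for "ipsec auto --start" hard-coding "--config /etc/ipsec.conf":
# call the addconn and whack helpers directly with the config pluto is using.
# Helper paths are the ones from the strace output; ADDCONN/WHACK may be
# overridden (assumption of this example) so the functions can be exercised
# against stub binaries without a running pluto.
ADDCONN=${ADDCONN:-/usr/libexec/ipsec/addconn}
WHACK=${WHACK:-/usr/libexec/ipsec/whack}

# conn_defined CONF NAME: succeed only if CONF contains a "conn NAME" section.
# This turns the vague "not found (tried aliases)" into a check on the right file.
conn_defined() {
    grep -Eq "^[[:space:]]*conn[[:space:]]+$2[[:space:]]*$" "$1"
}

# ipsec_up_with_config CONF CTLSOCKET NAME: load NAME from CONF into the pluto
# listening on CTLSOCKET, then initiate it asynchronously (what "--start" does).
# Returns 2 if CONF is unreadable, 3 if NAME is not defined in CONF, otherwise
# the status of the failing helper or 0.
ipsec_up_with_config() {
    conf=$1; ctl=$2; name=$3
    if [ ! -r "$conf" ]; then
        echo "config file $conf is not readable" >&2
        return 2
    fi
    if ! conn_defined "$conf" "$name"; then
        echo "conn '$name' is not defined in $conf" >&2
        return 3
    fi
    # Same argv as the strace shows, minus the hard-coded /etc/ipsec.conf.
    "$ADDCONN" --config "$conf" --ctlsocket "$ctl" "$name" || return $?
    "$WHACK" --ctlsocket "$ctl" --asynchronous --name "$name" --initiate
}
```

Run as `ipsec_up_with_config "$(pwd)/my/ipsec.conf" "$(pwd)/my/pluto.ctl" tun-in-1` from a shell that has sourced the file.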
bleve commented 4 months ago

This has been fixed by adding support for parsing `--config` to the `ipsec` command. Note: the auto script is no more; everything `ipsec` does for `auto` is eat the `auto` part of the command and warn about using a legacy option.

igsilya commented 4 months ago

> This has been fixed by adding support for parsing `--config` to the `ipsec` command. Note: the auto script is no more; everything `ipsec` does for `auto` is eat the `auto` part of the command and warn about using a legacy option.

Are you suggesting re-ordering the arguments? If so, it doesn't work, as the `ipsec` command itself doesn't recognize `--config` either:

```
# ipsec --config $(pwd)/my/ipsec.conf auto --ctlsocket $(pwd)/my/pluto.ctl --start --asynchronous tun-in-1
/usr/sbin/ipsec: unknown option "--config" (perhaps command name was omitted?)
```

bleve commented 4 months ago

Order doesn't matter. But in the near future you need to stop using the old options and move to the new ones. We won't support the `auto` option forever.

igsilya commented 4 months ago

> Order doesn't matter. But in the near future you need to stop using the old options and move to the new ones. We won't support the `auto` option forever.

I understand that, but it is still available now and it doesn't work, so it is still a bug. 'Deprecated' means that it is still supposed to work until it is removed in some future version. What's the point of deprecation if it is just broken? You could have deleted the `ipsec auto` command right away in this case.

bleve commented 4 months ago

That was unfair. This was the first use case that was not working.

cagney commented 4 months ago

untested

cagney commented 4 months ago

I pushed the test WIP whack-up-02-config; the bug isn't related to deprecating `ipsec auto`.

cagney commented 2 months ago

Fixed by b9c34f53bc69bcb687c2f64aa340178e0d6a1623