Closed dkosovic closed 2 years ago
Was this on Debian or CentOS 9?
I don't understand the CentOS patch. They should have shipped with the option set in ipsec.conf and yes, for using your IKEv1 NM, you would need to change it again. That is expected, and you should be happy IKEv1 wasn't compiled out yet. Try to migrate to IKEv2.
Sent using a virtual keyboard on a phone
On Mar 30, 2022, at 13:04, Douglas Kosovic @.***> wrote:
Debian and CentOS Stream 9 (rhbz#2039877) now use the following libreswan patches to disable IKEv1 by default:

https://salsa.debian.org/debian/libreswan/-/blob/debian/main/debian/patches/0004-ikev1-policy-defaults-to-drop.patch
https://git.centos.org/rpms/libreswan/blob/c9-beta/f/SOURCES/libreswan-4.6-ikev1-policy-defaults-to-drop.patch

I was trying to use the following test-ipsec.conf config file which has a config setup section to accept IKEv1:

    config setup
        ikev1-policy=accept

    conn test
        auto=add
        type=transport
        authby=secret
        left=%defaultroute
        leftprotoport=udp/l2tp
        rightprotoport=udp/l2tp
        right=198.48.63.228
        rightid=%any
        keyingtries=%forever
        ikev2=no

But get the following error:

    036 "test": failed to add IKEv1 connection: global ikev1-policy does not allow IKEv1 connections

after running the following which specifies that test-ipsec.conf config file:

    sudo ipsec restart
    sleep 2
    sudo ipsec auto \
        --config ~/test-ipsec.conf \
        --verbose --add test
    sudo ipsec auto --up test

If I add ikev1-policy=accept to /etc/ipsec.conf, that error message doesn't occur and it successfully connects.

I'm wondering if there is some way to set ikev1-policy=accept without having to get users to modify /etc/ipsec.conf?

For NetworkManager-l2tp, I may just have to write in its README file to modify /etc/ipsec.conf with ikev1-policy=accept.
Extract from the CentOS Stream 9 libreswan.spec changelog:

    * Wed Feb 2 2022 Daiki Ueno - 4.6-3
    - Drop IKEv1 packets by default, based on the Debian patch by Daniel Kahn Gillmor (rhbz#2039877)

So it is both CentOS Stream 9 and Debian (currently Debian Sid, aka Debian unstable, and the soon-to-be-released Ubuntu 22.04).
I'll probably update the NetworkManager-l2tp README.md to describe what needs to be changed in /etc/ipsec.conf.
In regards to the Debian and CentOS Stream 9 patches, see pull request https://github.com/libreswan/libreswan/pull/617 for this repository.
Is it actually possible to have more config sections? I mean, to have a custom config section in the file included into the main ipsec.conf? If so, is it merged into the main one? For some reason I always thought there is always only a single config section.
I believe there is just one and any further ones are ignored.
Sent using a virtual keyboard on a phone
On Apr 1, 2022, at 11:25, Ondrej Moris @.***> wrote:
Is it actually possible to have more config sections? I mean, to have a custom config section in the file included into the main ipsec.conf? If so, is it merged into the main one? For some reason I always thought there is always only a single config section.
Looks like the soon-to-be-released Ubuntu 22.04 isn't using the Debian libreswan-4.6-1 package, but a much older libreswan-3.32-3ubuntu3 package:
So I was wrong about Ubuntu 22.04 LTS (Jammy Jellyfish) dropping IKEv1 by default with their libreswan package.
I'll close this issue as I've updated the NetworkManager-l2tp README.md file to describe what needs to be changed in /etc/ipsec.conf to re-enable IKEv1.
Debian and CentOS Stream 9 (rhbz#2039877) now use the following libreswan patches to disable IKEv1 by default:

https://salsa.debian.org/debian/libreswan/-/blob/debian/main/debian/patches/0004-ikev1-policy-defaults-to-drop.patch
https://git.centos.org/rpms/libreswan/blob/c9-beta/f/SOURCES/libreswan-4.6-ikev1-policy-defaults-to-drop.patch

I was trying to use the following test-ipsec.conf config file which has a config setup section to accept IKEv1:

    config setup
        ikev1-policy=accept

    conn test
        auto=add
        type=transport
        authby=secret
        left=%defaultroute
        leftprotoport=udp/l2tp
        rightprotoport=udp/l2tp
        right=198.48.63.228
        rightid=%any
        keyingtries=%forever
        ikev2=no

But get the following error:

    036 "test": failed to add IKEv1 connection: global ikev1-policy does not allow IKEv1 connections

after running the following which specifies that test-ipsec.conf config file:

    sudo ipsec restart
    sleep 2
    sudo ipsec auto \
        --config ~/test-ipsec.conf \
        --verbose --add test
    sudo ipsec auto --up test

If I add ikev1-policy=accept to /etc/ipsec.conf, that error message doesn't occur and it successfully connects.

I'm wondering if there is some way to set ikev1-policy=accept without having to get users to modify /etc/ipsec.conf?

For NetworkManager-l2tp, it looks like I'll probably have to update the NetworkManager-l2tp README.md file to describe what needs to be changed in /etc/ipsec.conf.
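As an added example (not from this issue or from libreswan itself), a small Python checker that reproduces the failure discussed in the thread offline: it reads the global ikev1-policy from the main ipsec.conf's config setup section, treats the patched distros' default as drop, and lists the ikev2=no conns in a separate file that ipsec auto --add would reject. The rule that only the main file's first config setup counts, and the drop default, are assumptions taken from this thread, not verified against libreswan's own parser.

```python
from typing import Dict, List, Tuple

# Constructed inputs mirroring the thread: main /etc/ipsec.conf sets no ikev1-policy.
MAIN_CONF = "config setup\n    # ikev1-policy not set -> distro default\n"
TEST_CONF = """\
config setup
    ikev1-policy=accept

conn test
    auto=add
    type=transport
    authby=secret
    left=%defaultroute
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    right=198.48.63.228
    rightid=%any
    keyingtries=%forever
    ikev2=no
"""

def parse_sections(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split ipsec.conf-style text into ("config setup" / "conn NAME", options) pairs."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line = section header
            kind, _, name = line.strip().partition(" ")
            sections.append((f"{kind} {name.strip()}", {}))
        elif sections and "=" in line:             # indented key=value belongs to it
            key, _, value = line.strip().partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def effective_ikev1_policy(main_conf: str, default: str = "drop") -> str:
    """Global policy: only the main file's first config setup counts (assumption)."""
    for name, opts in parse_sections(main_conf):
        if name == "config setup":
            return opts.get("ikev1-policy", default)
    return default

def ikev1_conns_that_would_fail(main_conf: str, extra_conf: str) -> List[str]:
    """IKEv1 (ikev2=no) conns in extra_conf that the global policy would reject."""
    if effective_ikev1_policy(main_conf) == "accept":
        return []
    return [name.split(" ", 1)[1] for name, opts in parse_sections(extra_conf)
            if name.startswith("conn ") and opts.get("ikev2", "yes") == "no"]
```

Running ikev1_conns_that_would_fail(MAIN_CONF, TEST_CONF) flags "test", the same conn the 036 error above refers to; putting ikev1-policy=accept into the main file's config setup clears it.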