Closed gregorburger closed 1 month ago
I only tested with libreswan 4.14 (and some earlier versions) along with a release candidate of libreswan 5.0, so looks like the logic I used fails with 4.15.
The code is supposed to be doing the following:
ipsec auto --config /run/nm-l2tp-UUID/ipsec.conf --add UUID
for libreswan < 5.0ipsec add UUID --config /run/nm-l2tp-UUID/ipsec.conf
for libreswan >= 5.0As auto
comes up with a deprecated message with libreswan 5.0, --config
has to be after add
and that version doesn't like it if the add command is --add
.
In the code I use ipsec --help
to determine if the auto
command is listed, if it is, the code should use ipsec auto ...
, otherwise use ipsec add ...
Could you provide the output of ipsec --help | grep auto
? This is what I see with Libreswan 4.14 and 5.0 :
$ ipsec --version
Libreswan 4.14
$ ipsec --help | grep auto
algparse auto
$ ipsec --version
Libreswan 5.0rc2
$ ipsec --help | grep auto
auto is listed in libreswan 4.15. see the outputs below
$ ipsec --version
Libreswan 4.15
$ ipsec --help | grep auto
auto barf
It seems you are too strict on your match here: https://github.com/nm-l2tp/NetworkManager-l2tp/blob/0b0a416a14c07912c51b89971d8d6587267461fb/shared/utils.c#L53
"\tauto\n"
won't match the output from libreswan 4.15 because auto
is not at the end of the line. would it hurt to just match "auto"
?
Ahh.
The code is looking for "\tauto\n" in the output and failing, the code probably should be doing:
if (strstr(output, "\tauto\n") != NULL || strstr(output, "\tauto\t") != NULL)
Figured it would be safer to test for either "\tauto\t" or "\tauto\n" in case auto is used as a prefix.
libreswan 5.0 was released 2 weeks ago and libreswan 4.15 was 3 weeks ago. Fedora and Debian are still on 4.14 and suspect they will jump straight to 5.0. Hopefully there aren't too many Linux distros with libreswan 4.15. Regardless, I'll probably release a new version of NetworkManager-l2tp in the next few days.
Thanks for the bug report!
It seems that the introduced compatibility with 1.20.14 is regressing for libreswan 4.15 with:
nm-l2tp[25138] <info> starting ipsec Redirecting to: systemctl restart ipsec.service /nix/store/38v98zpbjp55avbbaq5rf35kk1hq7f42-libreswan-4.15/bin/ipsec: unknown IPsec command "add" ("ipsec --help" for list)
I don't know for sure but it seems here: https://github.com/nm-l2tp/NetworkManager-l2tp/blob/0b0a416a14c07912c51b89971d8d6587267461fb/src/nm-l2tp-service.c#L1521 instead offadd
there should be an--add