Open MikhailKasimov opened 6 years ago
We've no plans or feature request (https://fate.suse.com/ or https://features.opensuse.org/) to implement ipsec via ifcfg (generate config for an ipsec daemon from ifcfg variables, ...).
The ipsecX interfaces have been "gone" for a very long time (since kernel 2.6 AFAIR); that is, the old/alternative ipsec stacks using them are not supported, in favor of the ipsec in the kernel. With kernel ipsec, the (tunnel/transport) policies are applied as xfrm policy (ip xfrm policy list) to normal (e.g. ethernet) interfaces by e.g. strongswan, which is FIPS, ... certified, what were done with wicked under the hood.
Use the ipsec daemon's config directly; AFAIK there is also a yast2-vpn module that can be used.
When you want to automate apply/remove of ipsec policies (start/stop tunnels), configure them in strongswan (auto=ignore to not start automatically) and issue ipsec up $connection via POST_UP_SCRIPT/PRE_DOWN_SCRIPT.
Thanks for the clarification! IMO, this can be a chapter/paragraph of wicked's manuals.
Hello!
Reading [0] https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-interfaces.html or [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-ipsec-net2net.html we can find a description of the `ifcfg-ipsec` mechanism, e.g. from [0]:

But I can't see either a similar mechanism for SUSE in `wicked`, or a description of `ipsec` configuration in the `wicked` man pages (`ifcfg` or `ifcfg-tunnel`).

Is such a mechanism currently implemented in `wicked`? Or how can it be done/worked around on the user's side for today?

Thanks!