strongswan: dependencies hell

[timur-davletshin]

Maintainer: @pprindeville Environment: (OpenWrt 23.05.0-rc3)

Description:

1. I believe strongswan packages (both full and default) should depend on kmod-xfrm-interface package. Without it I get error in logread:

daemon.info ipsec: 00[KNL] received netlink error: Unknown device type (95)
daemon.info ipsec: 00[KNL] failed to create XFRM interface 'xfrmi-test-6147'

2. Same can be said about strongswan-mod-drbg (results in non-functional setup if strongswan-default is installed)

3. strongswan-full should include strongswan-mod-gmpdh in its dependencies too or user will get:

plugin 'gmpdh': failed to load - gmpdh_plugin_create not found and no plugin file available

4. I believe strongswan-mod-wolfssl is broken because of wolfSSL version mismatch. I get:

plugin 'wolfssl' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: wolfssl_ec_diffie_hellman_create: symbol not found

[tobiasbrunner]

Some comments on the points you brought up.

I believe strongswan packages (both full and default) should depend on kmod-xfrm-interface package. Without it I get error in logread:

Not a fatal error and only an problem if the user actually want's to use XFRM interfaces, in which case the kmod-xfrm-interface is required anyway.

Same can be said about strongswan-mod-drbg (results in non-functional setup if strongswan-default is installed)

I don't see why that would be the case because the drbg plugin is really only used by the legacy ntru plugin and when the gmp plugin generates private keys. So how does it result in a "non-functional setup"?

strongswan-full should include strongswan-mod-gmpdh in its dependencies too or user will get:

Not a significant error. And that plugin is completely useless when the strongswan-mod-gmp package is installed and the gmp plugin is loaded (full and default both depend on it). The gmpdh plugin is basically a trimmed down version of the gmp plugin that only provides DH (i.e. no RSA) and links libgmp statically.

In full, the strongswan-mod-gmp package is also completely redundant as it also depends on the strongswan-mod-openssl package (that's actually true for a lot of packages full installs as the openssl plugin pretty much provides all the crypto operations the built-in crypto plugins like aes, ccm, gcm, hmac, sha1 or sha2 do). Also, installing strongswan-mod-wolfssl or strongswan-mod-gcrypt doesn't really serve a purpose if strongswan-mod-openssl is installed. So full seems pretty bloated.

I believe strongswan-mod-wolfssl is broken because of wolfSSL version mismatch. I get:

wolfssl_ec_diffie_hellman_create is a function provided by the wolfssl plugin itself. In both wolfssl_plugin.c (where the function is referenced) and wolfssl_ec_diffie_hellmn.c (where it is defined) we depend on HAVE_ECC_DHE, so it's weird that it would be undefined only in one location but not the other.

[timur-davletshin]

I have impression that people who maintain packages are not using it.

[pprindeville]

I have impression that people who maintain packages are not using it.

I do not use wolfssl, you’re correct.

[vincejv]

@pprindeville i'm getting the ff error on strongswan-full with service restart-crash loop, the log files are now gone, but something like this

daemon.info ipsec: 00[KNL]: failed to create tun device 

and only way to fix it is to install kmod-tun

[timur-davletshin]

It is what I was talking about - dependencies are not properly resolved.

[vincejv]

@timur-davletshin i'm giving this package the benefit of the doubt, if i can't get it working, i'll switch to softethervpn server package and crossing my fingers 🤞 that it works

[ericclose]

I believe strongswan-mod-wolfssl is broken because of wolfSSL version mismatch. I get: plugin 'wolfssl' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: wolfssl_ec_diffie_hellman_create: symbol not found

There are other (redundant) crypto plugins installed.

• souce: error message of swanctl on openwrt