weixin_39692623
2021-01-06 06:18

ipsec: Fix Strongswan configuration syntax

Strongswan seems to have .opt files in the source tree with the dotted option syntax. It seems that up until version 5.6, the syntax was also accepted by Strongswan.

However, the .opt files are converted to .conf files during Strongswan build, and the dotted syntax is no longer accepted by Strongswan (tested on 5.8.2).

The effect was that the ovs ipsec monitor fails to start Strongswan, since that complains with: /etc/strongswan.d/ovs.conf:4: syntax error, unexpected ., expecting : or '{' or '=' [.]

I could not locate the exact code change in Strongswan that changed and caused this, but the fact is that the *.conf files in /etc/strongswan.d have the same syntax as the PR suggests.

This question comes from the open-source project: openvswitch/ovs
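
The two syntaxes described in the post above, as an added example that is not part of the original post or of the OVS patch: Python code that flags dotted `section.key = value` lines and rewrites them as nested sections. The sample option lines are constructed input and the function names are hypothetical.

```python
import re

# Constructed sample input in the dotted syntax; this is not the content
# of the file that OVS generates.
DOTTED_SAMPLE = """\
# constructed sample
charon.load_modular = yes
charon.plugins.kernel-netlink.xfrm_acq_expires = 10
charon.plugins.gcm.load = yes
"""

# "section.sub.key = value": at least one dot in the name left of "=".
_DOTTED = re.compile(r"^\s*([\w-]+(?:\.[\w-]+)+)\s*=\s*(.*?)\s*$")


def find_dotted_lines(text):
    """Return (line_number, dotted_name) for every dotted assignment."""
    return [(number, match.group(1))
            for number, line in enumerate(text.splitlines(), start=1)
            if (match := _DOTTED.match(line))]


def dotted_to_nested(text):
    """Rewrite dotted assignments as nested 'section { key = value }' blocks."""
    root = ({}, {})  # each node is (settings, subsections)
    for line in text.splitlines():
        match = _DOTTED.match(line)
        if not match:
            continue  # comments, blank lines and non-dotted lines are dropped
        *sections, key = match.group(1).split(".")
        node = root
        for name in sections:
            node = node[1].setdefault(name, ({}, {}))
        node[0][key] = match.group(2)
    return "\n".join(_render(root)) + "\n"


def _render(node, depth=0):
    pad = "    " * depth
    lines = [f"{pad}{key} = {value}" for key, value in node[0].items()]
    for name, child in node[1].items():
        lines += [f"{pad}{name} {{", *_render(child, depth + 1), f"{pad}}}"]
    return lines


if __name__ == "__main__":
    print(find_dotted_lines(DOTTED_SAMPLE))
    print(dotted_to_nested(DOTTED_SAMPLE), end="")
```

Running `find_dotted_lines` over the files in /etc/strongswan.d before an upgrade shows which lines would hit the syntax error quoted in the post.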

6 answers

  • weixin_39888018 3 months ago

    Thanks, everyone! Patch applied to master as commit b424becaac58d8cb08fb19ea839be6807d3ed57f. Also, this is not technically a bugfix, but it seems important to support strongswan 5.7+ as it's already really old, so I backported the fix down to 2.13.

  • weixin_39683598 3 months ago

    I made the same fix as this PR (in PR #334, which I just closed after I found this one). Also, to confirm, I tested the fix with strongSwan 5.3.5 (the version with Ubuntu 16.04.2) and saw no problem.

  • weixin_39692623 3 months ago

    The documentation will also need to be updated at https://github.com/openvswitch/ovs/blob/master/Documentation/tutorials/ipsec.rst#requirements and probably NEWS. What does this mean in terms of backwards compatibility?

    Previous versions of Strongswan accepted the conf file syntax, no problem. I tested it with 5.6.

    I just checked version 5.3.5 source code, and it does the very same thing by compiling the .opt files to .conf files and I am pretty sure the updated config will work there as well.

    As for the docs, I never tested Libreswan, but this change goes in the StrongSwanHelper class, "This class does StrongSwan specific configurations.", so this change does not affect Libreswan compatibility. No reason to update the wiki for this commit.

  • weixin_39583751 3 months ago

    Strongswan seems to have .opt files in the source tree with the dotted option syntax. It seems that up until version 5.6, the syntax was also accepted by Strongswan.

    However, the .opt files are converted to .conf files during Strongswan build, and the dotted syntax is no longer accepted by Strongswan (tested on 5.8.2).

    The effect was that the ovs ipsec monitor fails to start Strongswan, since that complains with: /etc/strongswan.d/ovs.conf:4: syntax error, unexpected ., expecting : or '{' or '=' [.]

    I could not locate the exact code change in Strongswan that changed and caused this, but the fact is that the *.conf files in /etc/strongswan.d have the same syntax as the PR suggests.

    You could add some of this text into the commit message and add a "Signed-off-by".

  • weixin_39583751 3 months ago

    The documentation will also need to be updated at https://github.com/openvswitch/ovs/blob/master/Documentation/tutorials/ipsec.rst#requirements and probably NEWS. What does this mean in terms of backwards compatibility?

  • weixin_39692623 3 months ago

    The checks that failed previously were some test artifacts, probably a network glitch.

    I have rebased the change on top of master, though.
