[strongSwan] multiple remote_ts with ikev1 file format

Rich Lafferty rich at lafferty.ca
Thu Feb 22 15:45:03 CET 2018


> On Feb 22, 2018, at 7:15 AM, Marco Berizzi <pupilla at hotmail.com> wrote:
> 
> I'm starting strongswan with the old 'ipsec start', and after I
> issue the command: 'swanctl -q' for loading the configuration
> files under /etc/swanctl/conf.d/*
> 
> Am I right? Or is there a smarter way to start strongswan without
> the old 'ipsec' script?

Distro-specific, but we’re running charon directly from upstart:

------ /etc/init/charon.conf ------ 
description "StrongSwan IKE daemon"

start on runlevel [2345]
stop on runlevel [!2345]

respawn
respawn limit 10 5

exec /usr/lib/ipsec/charon --use-syslog
------  

And we leverage the on-start charon option to have it load its config on start:

------ /etc/strongswan.d/charon-startup.conf ------ 
charon {
    start-scripts {
       load-config = swanctl --load-all
    }
}
------ 

(We also don’t install the ‘ipsec’ command at all, to avoid people confusing old and new approaches; I’ve found swanctl gives me everything that I’d get out of ipsec other than starting and stopping charon.)

> Is there a way to not write in every section the parameters
> common to all the children sections (rekey_time, esp_proposals…)?

I wasn’t able to find a way to set defaults, but I’ve put my common parameters in /etc/swanctl/swanctl-ipsec.conf and then done
"include swanctl-ipsec.conf" in each child config. If someone else knows a better way, though, I’m all ears!

  -Rich
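A worked layout of the include approach described above, as an added example (this is not Rich's or Marco's posted config). It assumes a two-child IKEv1 site-to-site connection living under /etc/swanctl/conf.d/, a shared file /etc/swanctl/swanctl-ipsec.conf holding the child settings common to every children subsection, and that a relative include path is resolved relative to the directory of the file containing the include statement (hence the "../"); the addresses, subnets, proposal strings and PSK are constructed placeholders.

```conf
# ---- /etc/swanctl/swanctl-ipsec.conf (constructed example) ----
# Child (CHILD_SA) parameters shared by every children subsection.
# Kept out of conf.d/ so that the usual "include conf.d/*.conf" in
# swanctl.conf does not also pull these settings in at top level.
esp_proposals = aes256gcm16-x25519
rekey_time = 1h
life_time = 66m
start_action = trap

# ---- /etc/swanctl/conf.d/branch.conf (constructed example) ----
connections {
    branch {
        version = 1                        # IKEv1, as in the thread subject
        local_addrs  = 192.0.2.1           # placeholder addresses
        remote_addrs = 198.51.100.1
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = gw.example.net            # placeholder identity
        }
        remote {
            auth = psk
            id = branch.example.net
        }
        children {
            # One child per remote_ts; only the traffic selectors differ,
            # everything else comes from the shared include.
            branch-lan {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
                include ../swanctl-ipsec.conf
            }
            branch-dmz {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.2.0.0/24
                include ../swanctl-ipsec.conf
            }
        }
    }
}

secrets {
    ike-branch {
        id = branch.example.net
        secret = "replace-me-with-a-real-psk"   # placeholder
    }
}
```

After editing either file the change is not picked up until the configuration is reloaded, e.g. with "swanctl --load-all" (the long form of the "swanctl -q" in the question); "swanctl --list-conns" then shows each child with the values it actually received, which is the quickest way to confirm the include resolved as intended.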

