[strongSwan-dev] [PATCH v2 1/1] feature 3590: support modular conf and secrets files

Noel Kuntze noel.kuntze+strongswan-dev-ml at thermi.consulting
Sat Oct 10 15:39:04 CEST 2020


Already supported OOTB, just needs to add "include" and the path in the config files.

Starter and by extension stroke and ipsec.conf and ipsec.secrets are deprecated and hence this probably won't be merged.
Use swanctl instead.

On 10.10.20 at 02:41, Philip Prindeville wrote:
> From: Philip Prindeville <philipp at redfish-solutions.com>
> 
> As certs, CAs, keys, etc. are all contained individually in their
> own files, so should it be with configurations and secrets.  This
> makes managing a VPN concentrator with scripts easier since you
> don't have to worry about replacing/deleting/etc parts of a file:
> you either write the entire file, or you delete the entire file.
> 
> Signed-off-by: Philip Prindeville <philipp at redfish-solutions.com>
> ---
>  man/ipsec.secrets.5.in    | 2 +-
>  src/starter/Makefile.am   | 2 ++
>  src/starter/ipsec.conf    | 2 ++
>  src/starter/ipsec.secrets | 2 ++
>  4 files changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
> index 15e36faff30ff50cbdc3cbe1793feeef46d7e880..9b06458a196946a8a9c719f1d1f2c1a8d4c696ad 100644
> --- a/man/ipsec.secrets.5.in
> +++ b/man/ipsec.secrets.5.in
> @@ -27,7 +27,7 @@ carol : XAUTH "4iChxLT3"
>  dave  : XAUTH "ryftzG4A"
>  
>  # get secrets from other files
> -include ipsec.*.secrets
> +include ipsec.d/secrets/*
>  .fi
>  .RE
>  .LP
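Review bot: the new example pattern `include ipsec.d/secrets/*` matches every file in the directory, including editor backup files (`foo~`, `.swp` leftovers are not caught by `*`, but `foo~` and `foo.bak` are) and anything else dropped there, whereas the ipsec.conf side of this patch restricts itself to `*.conf`. Suggest a suffix-restricted pattern, e.g. `include ipsec.d/secrets/*.secrets`, in both the man page example and the shipped default, and a sentence in the man page text describing the new `ipsec.d/secrets` directory rather than only changing the example.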
> diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
> index 298a1fb5782776b5f869cbada1f768cbbf0528f9..107cea630223039e6104a0fcbd80b1fcaee98c46 100644
> --- a/src/starter/Makefile.am
> +++ b/src/starter/Makefile.am
> @@ -68,4 +68,6 @@ install-exec-local :
>  		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
>  		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
>  		test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
> +		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/conf" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/conf" || true
>  		test -e "$(DESTDIR)$(sysconfdir)/ipsec.secrets" || $(INSTALL) -m 600 $(srcdir)/ipsec.secrets $(DESTDIR)$(sysconfdir)/ipsec.secrets || true
> +		test -e "$(DESTDIR)${sysconfdir}/ipsec.d/conf" || $(INSTALL) -d -m 700 "$(DESTDIR)$(sysconfdir)/ipsec.d/secrets" || true
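Review bot: the second added line has a copy-paste error: it tests for `ipsec.d/conf` but installs `ipsec.d/secrets`, so whenever `ipsec.d/conf` already exists (which the line two above guarantees on a fresh install) the secrets directory is never created and the `include ipsec.d/secrets/*` in the installed ipsec.secrets points at a missing directory. It should read `test -e "$(DESTDIR)${sysconfdir}/ipsec.d/secrets" || $(INSTALL) -d -m 700 "$(DESTDIR)$(sysconfdir)/ipsec.d/secrets" || true`. Keeping the two directory lines adjacent (both before the ipsec.conf/ipsec.secrets installs) would also make this kind of slip easier to spot.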
> diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf
> index a33d68c0a34aaa30dd3c8a0f31dfe74ef609ded8..2c82a9f774c5c3542f953890d63cdb3caf83c0e5 100644
> --- a/src/starter/ipsec.conf
> +++ b/src/starter/ipsec.conf
> @@ -26,3 +26,5 @@ config setup
>  #      rightsubnet=10.2.0.0/16
>  #      rightid="C=CH, O=Linux strongSwan CN=peer name"
>  #      auto=start
> +
> +include ipsec.d/conf/*.conf
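Review bot: the diffstat shows man/ipsec.conf.5.in is not touched, so the new default `include ipsec.d/conf/*.conf` and the `ipsec.d/conf` directory created by the Makefile are undocumented on the ipsec.conf side, while the ipsec.secrets man page example is updated. Suggest adding the corresponding example and a short description of the directory layout to ipsec.conf.5.in, and a comment line above the include in the shipped ipsec.conf (matching the commented example above it) so an administrator reading the default file knows where drop-in configs belong.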
> diff --git a/src/starter/ipsec.secrets b/src/starter/ipsec.secrets
> index dae7709a126b6a82c4a6a77a9a9dd087b1e6f8c7..6b3b8964a26df3c10b05f93a1b6a29d43d3c0bf5 100644
> --- a/src/starter/ipsec.secrets
> +++ b/src/starter/ipsec.secrets
> @@ -1 +1,3 @@
>  # ipsec.secrets - strongSwan IPsec secrets file
> +
> +include ipsec.d/secrets/*
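Review bot: the shipped default now pulls in every file under `ipsec.d/secrets/`, but nothing in the file tells the administrator that those drop-ins carry the same sensitivity as ipsec.secrets itself, which this patch installs with mode 600 into a 700 directory. Suggest a comment above the include, in the style of the existing header line, stating that files placed in `ipsec.d/secrets` must be readable by root only and should use a fixed suffix (`*.secrets`) to match a correspondingly restricted glob.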
> 

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
