[strongSwan] ipsec_starter strikes charon for pluto's misdeeds

Jan Engelhardt jengelh at medozas.de
Fri Sep 3 15:53:34 CEST 2010


On Friday 2010-09-03 15:28, Gerd v. Egidy wrote:
>
>> Well, yes and no. In openSUSE 11.3, strongswan is split into
>> strongswan-ikev1, strongswan-ikev2, strongswan-ipsec (holds
>> ipsec.conf) and strongswan (dummy package holding a requires for -ikev1,
>> -ikev2, -ipsec).
>
>Splitting strongswan like this is what I would consider as good practice for 
>any distribution.
>
>> ipsec.conf has been tuned to read
>> 
>>  include /etc/ipsec.*.conf
>
>Is that the default for the SUSE packages?

No it is not the SUSE default. It is a modification of mine -- following 
the recommendation of ipsec.conf(5)!

>I think it would be better to use something like
>
>include /etc/ipsec.d/*.conf

Tell that strongswan ;-)


>> And
>> placing plutostart=no anywhere may not work well with
>> othervpn.noarch.rpm. :)
>
>Sorry, I don't understand that part. What is othervpn.noarch.rpm for?

Well, assume there is one RPM package for each VPN setup. One cannot 
know in advance that there will be no IKEv1 package installed in the 
future, so using plutostart=no won't work.




More information about the Users mailing list