
Add charon settings to 1.2.x configuration CLI
Open, Normal | Public | FEATURE REQUEST

Description

There are several settings in /etc/strongswan.d/charon.conf that should be configurable.

install_routes and install_virtual_ip in particular have defaults that tend to cause me grief.

Details

Difficulty level: Easy (less than an hour)
Version: 20160524 nightly build

Event Timeline

abferm created this task. May 24 2016, 8:19 PM

install_routes sets a default route in table 220. If this happens on both ends of the tunnel, you end up with a circular route.
install_virtual_ip attempts to install an address on the local interface for the IP used in the tunnel.

syncer triaged this task as Wishlist priority. May 25 2016, 3:36 AM

abferm, could you work out which other settings would be typically employed w/ a syntax proposal. This way we would implement all at once (saving time).

The full list of options is available here: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

I can search around and see if I can find any examples of people changing these options and figure out which are commonly used.

As far as syntax, how does putting them in a subsection of "vpn ipsec" called "daemon" sound, i.e. "set vpn ipsec daemon install_routes no"?

I've found examples of people setting accept_unencrypted_mainmode_messages, cisco_unity, ikesa_table_segments, ikesa_table_size, and init_limit_half_open.

However, reading through the descriptions, many of the options sound useful. It shouldn't be too hard to implement all of them, should it?

syncer added a subscriber: VyOS 1.2 Crux.
syncer raised the priority of this task from Wishlist to High. Jun 25 2018, 10:06 AM
syncer assigned this task to dmbaturin. Sep 25 2018, 2:17 PM
syncer changed the subtype of this task from "Task" to "Feature Request". Oct 18 2018, 5:47 AM
syncer lowered the priority of this task from High to Normal. Nov 9 2018, 8:55 PM