
Add charon settings to 1.2.x configuration CLI
Open, Normal · Public · FEATURE REQUEST

Description

There are several settings in /etc/strongswan.d/charon.conf that should be configurable.

install_routes and install_virtual_ip in particular have defaults that tend to cause me grief.

Details

Difficulty level: Easy (less than an hour)
Version: 20160524 nightly build
abferm created this task. May 24 2016, 8:19 PM

install_routes sets a default route in table 220. If this happens on both ends of the tunnel you end up with a circular route.
install_virtual_ip attempts to install an address on the local interface for the IP used in the tunnel.

syncer triaged this task as Wishlist priority. May 25 2016, 3:36 AM

abferm, could you work out which other settings would be typically employed w/ a syntax proposal? This way we would implement all at once (saving time).

The full list of options is available here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

I can search around and see if I can find any examples of people changing these options and figure out which are commonly used.

As far as syntax, how does putting them in a subsection of "vpn ipsec" called 'daemon' sound, i.e. 'set vpn ipsec daemon install_routes no'?

I've found examples of people setting accept_unencrypted_mainmode_messages, cisco_unity, ikesa_table_segments, ikesa_table_size, and init_limit_half_open.

However, reading through the descriptions many of the options sound useful. It shouldn't be too hard to implement all of them, should it?

syncer added a subscriber: VyOS 1.2.x.
syncer raised the priority of this task from Wishlist to High. Jun 25 2018, 10:06 AM
syncer assigned this task to dmbaturin. Sep 25 2018, 2:17 PM
syncer changed the subtype of this task from "Task" to "Feature Request". Oct 18 2018, 5:47 AM
syncer lowered the priority of this task from High to Normal. Nov 9 2018, 8:55 PM
syncer edited projects, added VyOS 1.3.x; removed VyOS 1.2.x (VyOS 1.2.0-rc7).
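
Added example (not part of the task thread and not VyOS code): a small audit of strongswan.conf-style text that reports the effective values of the two options named in the description, install_routes and install_virtual_ip. It assumes both default to "yes" when unset, as the linked strongSwan option list documents; the function names and the sample config are constructed for illustration, and the parser is simplified (a "#" inside a quoted value is not handled).

```python
import re

# Assumption: both options default to "yes" when absent from the file.
DEFAULTS = {"charon.install_routes": "yes", "charon.install_virtual_ip": "yes"}
TRUE = {"yes", "true", "enabled", "1"}   # boolean spellings strongSwan accepts

# Tokens: "name {", "}", or "key = value" (value runs to end of line or brace).
TOKEN = re.compile(
    r'(?P<open>[\w.-]+)\s*\{|(?P<close>\})|'
    r'(?P<key>[\w.-]+)\s*=[ \t]*(?P<val>"[^"]*"|[^\n{}]*)'
)

def parse_conf(text):
    """Flatten nested sections into {'section.sub.key': value}."""
    # Drop comments first so tokens inside them are ignored.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    settings, stack = {}, []
    for m in TOKEN.finditer(body):
        if m.group("open"):
            stack.append(m.group("open"))
        elif m.group("close"):
            if stack:
                stack.pop()
        else:
            value = m.group("val").strip().strip('"')
            settings[".".join(stack + [m.group("key")])] = value
    return settings

def audit(text):
    """Return the effective boolean for each option named in the task."""
    conf = parse_conf(text)
    return {k: conf.get(k, d).lower() in TRUE for k, d in DEFAULTS.items()}

# Constructed sample: only install_routes is overridden.
SAMPLE = """
charon {
    # install_virtual_ip = no   (commented out, so the default applies)
    install_routes = no
    plugins {
        stroke { timeout = 0 }
    }
}
"""

if __name__ == "__main__":
    for option, enabled in audit(SAMPLE).items():
        print(f"{option}: {'yes' if enabled else 'no'}")
```
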