
IPSEC deprecated keyword 'interfaces' in config setup
Closed, Resolved | Public | BUG

Description

After typing the command ipsec restart, there is an error message about a deprecated command:

root@gw-ireland-1c:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.5.1 IPsec [starter]...
# deprecated keyword 'interfaces' in config setup
### 1 parsing error (0 fatal) ###

The solution is very simple: we just need to remove the deprecated lines in /etc/ipsec.conf created by /opt/vyatta/sbin/vpn-config.pl

# generated by /opt/vyatta/sbin/vpn-config.pl

#config setup
#       interfaces="%none"

I didn't find a notice about the deprecation of this command, but there is no mention of the command "interface" in the "config setup" part, which is more important, I suppose.

https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
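
A section-aware check for the keyword reported above, as an added example that is not part of the original report or of vpn-config.pl. The function names and the sample file (its uniqueids line, conn section and addresses) are constructed for illustration; the script only reads its input and writes the cleaned copy to stdout.

```shell
#!/bin/sh
# Added example (not from the ticket): find or drop the deprecated
# 'interfaces' keyword, but only inside the "config setup" section.

# Print "LINE:TEXT" for each match; return 1 if any is found, else 0.
find_deprecated_interfaces() {
    awk '
        # A section header starts in column 0 and is not a comment.
        /^[^ \t#]/ { in_setup = ($1 == "config" && $2 == "setup"); next }
        in_setup && /^[ \t]+interfaces[ \t]*=/ { print NR ":" $0; found = 1 }
        END { exit found + 0 }
    ' "$1"
}

# Write the file to stdout without the deprecated lines (input untouched).
strip_deprecated_interfaces() {
    awk '
        /^[^ \t#]/ { in_setup = ($1 == "config" && $2 == "setup") }
        in_setup && /^[ \t]+interfaces[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample in the shape of the generated /etc/ipsec.conf.
write_sample() {
    cat > "$1" <<'EOF'
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
        interfaces="%none"
        uniqueids=yes

conn peer-example
        left=192.0.2.1
        right=198.51.100.1
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_deprecated_interfaces "$sample" || echo "deprecated keyword in config setup"
strip_deprecated_interfaces "$sample"
rm -f "$sample"
```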

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rolling+201806250436
Why the issue appeared?
Will be filled on close

Event Timeline

https://github.com/vyos/vyatta-cfg-vpn/blob/current/scripts/vpn-config.pl#L238-L242

# We need to generate an "interfaces=..." entry in the setup section
# only if the underlying IPsec kernel code we are using is KLIPS.
# If we are using NETKEY, the "interfaces=..." entry is essentially
# not used, though we do need to include the line and the keyword
# "%none" to keep the IPsec setup code from defaulting the entry.

https://stackoverflow.com/questions/16873711/difference-between-klips-and-netkey-ipsec-stacks-in-linux

IMHO safe for removal

It seems to be working now

Version:          VyOS 1.2.0-rolling+201808100337
Built by:         autobuild@vyos.net
Built on:         Fri 10 Aug 2018 03:37 UTC
Build ID:         8f4bcd80-09e5-41f7-bcf8-935d48b6c7cc
root@gw-ireland-1c:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.5.1 IPsec [starter]...
root@gw-ireland-1c:~# ipsec status
Security Associations (3 up, 0 connecting):