0 votes
1,053 views 9 comments
by anonymous
Hello:

I want to add this option to the strongswan.conf file:

charon.make_before_break =  yes

I can do this with vi and when I do a /etc/init.d/ipsec restart, the edit is gone.

This cannot be edited in the /etc/config/strongswan file, that only covers the ipsec.conf and ipsec.secrets files.

Can someone advise where/how to edit the strongswan.conf file?

root@JohnTestRTU950:~# ls -l /etc/strong*

lrwxrwxrwx    1 root     root            26 Nov 26  2019 /etc/strongswan.conf -> /tmp/ipsec/strongswan.conf

Note: I have asked this before and it was not answered.

Cheers,

john
by anonymous
Hi All:

Thank you for the hints... they led me in the right direction.

I did indeed edit the /etc/init.d/ipsec file as follows:

Before:

prepare_strongswan_config(){

        echo "charon {" >"$File_strongswan"

        if [ $KERNEL_LIB -eq 0 ]; then

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        else

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        fi

        echo "  i_dont_care_about_security_and_use_aggressive_mode_psk = yes" >>"$File_strongswan"

        echo "}" >>"$File_strongswan"

}

After:

prepare_strongswan_config(){

        echo "charon {" >"$File_strongswan"

        if [ $KERNEL_LIB -eq 0 ]; then

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        else

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        fi

        echo "  i_dont_care_about_security_and_use_aggressive_mode_psk = yes" >>"$File_strongswan"

        echo "  charon.make_before_break = yes" >>"$File_strongswan"

        echo "}" >>"$File_strongswan"

}

And the proof of the pudding is in the eating of course:

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown vici xauth-generic

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

}

root@JohnTestRTU950:~# /etc/init.d/ipsec restart

Stopping strongSwan IPsec...

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

root@JohnTestRTU950:~# cat /etc/strongswan.conf

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown vici xauth-generic

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

  charon.make_before_break = yes

}

root@JohnTestRTU950:~#

And there it is. Wonderful.

Cheers,

john

2 Answers

0 votes
by anonymous

Hello,

Have you tried stopping the IPsec service, editing the /etc/strongswan.conf file and then, instead of restart, using the start command:

/etc/init.d/ipsec start

It is usual behavior that manual config changes are wiped after each restart.

Best regards.

by anonymous
As you can see:

root@JohnTestRTU950:~# /etc/init.d/ipsec stop

Stopping strongSwan IPsec...

root@JohnTestRTU950:~# vi /etc/strongswan.conf

root@JohnTestRTU950:~# uci commit

root@JohnTestRTU950:~# /etc/init.d/ipsec start

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

root@JohnTestRTU950:~# cat /etc/strongswan.conf

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints

        pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve

        socket-default stroke updown vici xauth-generic  

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

        }

        

It did not work. My addition is gone.

How can I edit that file and make the edits stick?

Cheers,

john
by anonymous
I tried this:

root@JohnTestRTU950:~# find / -name strongswan.conf

/etc/strongswan.conf

/rom/etc/strongswan.conf

/tmp/ipsec/strongswan.conf

root@JohnTestRTU950:~# vi /rom/etc/strongswan.conf

I edited the file in /rom/etc/strongswan.conf...

But once I did /etc/init.d/ipsec restart... my edits were gone.

Need to figure this out.

Cheers,

john
by anonymous

John,

Not sure about the RUT950 but on the RUTX11 I had to edit the /etc/init.d/ipsec script, look at the swan_xappend function and add:

        swan_xappend "  make_before_break = yes"                               

after "charon {"
Hope it helps.
 
0 votes
by anonymous
Hi,

Try adding the option via WebUI, in the "Custom options" field.

Config files (except /etc/config/*) are refreshed on service restarts. Editing the strongswan.conf file does nothing - it is generated anew from the info contained in /etc/config/strongswan each time the service restarts.

Adding the option via WebUI places it in /etc/config/strongswan. Also, the working IPsec config is at /var/ipsec/ipsec.conf.

DM
by anonymous
Where is the "Custom options" field?

Can't find it on my unit.

Cheers,

john
by anonymous

Hello, I marked the Custom options field:

Make sure you are running the latest firmware version: RUT9XX_R_00.06.07.4

Regards.

by anonymous
How can I paste in a screen snap...

You need to see a bug in the screen.

Cheers,

John
by anonymous

Stopping strongSwan IPsec failed: starter is not running

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

/tmp/ipsec/ipsec.conf:29: missing value for setting 'charon.make_before_break'

invalid config file '/tmp/ipsec/ipsec.conf'

unable to start strongSwan -- fatal errors in config

Didn't work. That "Custom Options" field adds it to the ipsec.conf file not to the strongswan.conf file.
Cheers,
john
by anonymous
On the RUT950 you'll have to add it manually to /etc/init.d/ipsec after "charon {"

If aggressive mode on: line 154, add echo "  make_before_break = yes" >> $FileCommon

If aggressive mode off: line 168, add echo "  make_before_break = yes" >> $FileCommon

Regards,
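
Added example, not part of any post above and not Teltonika or strongSwan code: a POSIX sh/awk check to run against the regenerated /etc/strongswan.conf after an ipsec restart, confirming that `make_before_break = yes` sits directly inside `charon { }` (the form given in the replies) and flagging the aggressive-mode PSK option. The function name, the message wording and the sample file are constructed for illustration; treating a dotted key inside a section as ineffective is an assumption about how strongSwan resolves keys.

```shell
#!/bin/sh
# Added example. Audits a generated strongswan.conf; prints findings and
# returns 0 only if make_before_break = yes sits directly in "charon { }".
check_charon_conf() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == "" { next }
    /[{]$/ {                                  # "name {" opens a section
        name = $0; sub(/[ \t]*[{]$/, "", name)
        sect[++depth] = name; next
    }
    $0 == "}" { if (depth > 0) depth--; next }
    index($0, "=") {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        sec = ""
        for (i = 1; i <= depth; i++) sec = (i == 1 ? "" : sec ".") sect[i]
        # Assumption: keys are looked up by nested section path, so a dotted
        # key inside a section is not the setting its name suggests.
        if (index(key, ".")) print "WARN dotted key in [" sec "]: " key
        if (sec == "charon" && key == "make_before_break") mbb = val
        if (sec == "charon" && val == "yes" &&
            key == "i_dont_care_about_security_and_use_aggressive_mode_psk")
            print "WARN aggressive-mode PSK enabled"
    }
    END {
        if (mbb == "yes") { print "OK charon.make_before_break = yes"; exit 0 }
        print "FAIL charon.make_before_break not set"; exit 1
    }' "$1"
}

# Constructed sample (shortened load line), shaped like the thread output.
demo=$(mktemp)
cat > "$demo" <<'EOF'
charon {
        load = charon aes sha2 kernel-netlink socket-default stroke
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
  charon.make_before_break = yes
}
EOF
check_charon_conf "$demo" || echo "exit status: non-zero"
rm -f "$demo"
```

On the router this would be called as `check_charon_conf /etc/strongswan.conf` after each change to /etc/init.d/ipsec.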