WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14165 questions

16819 answers

27656 comments

54118 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to wifi openvpn not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus

adding an option to the /etc/strongswan.conf file

0 votes
854 views 9 comments
by
Hello:

I want to add this option to the strngswan.conf file:

charon.make_before_break =  yes

I can do this with vi and when I do a /etc/init.d/ipsec restart, the edit is gone.

This cannot be edited in the /etc/config/strongswan file, that only covers the ipsec.conf and ipsec.secrets files.

Can someone advise where/how to edit the strongswan.conf file?

[email protected]:~# ls -l /etc/strong*

lrwxrwxrwx    1 root     root            26 Nov 26  2019 /etc/strongswan.conf -> /tmp/ipsec/strongswan.conf

Note: I have asked this before and it was not answered.

Cheers,

john
by
Hi All:

Thank you for the hints.......they lead me in the right direction.

I had indeed edit the /etc/init.d/ipsec file as follows:

Before:

prepare_strongswan_config(){

        echo "charon {" >"$File_strongswan"

        if [ $KERNEL_LIB -eq 0 ]; then

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        else

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        fi

        echo "  i_dont_care_about_security_and_use_aggressive_mode_psk = yes" >>"$File_strongswan"

        echo "}" >>"$File_strongswan"

}

After:

prepare_strongswan_config(){

        echo "charon {" >"$File_strongswan"

        if [ $KERNEL_LIB -eq 0 ]; then

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        else

                echo "  load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pk

        fi

        echo "  i_dont_care_about_security_and_use_aggressive_mode_psk = yes" >>"$File_strongswan"

        echo "  charon.make_before_break = yes" >>"$File_strongswan"

        echo "}" >>"$File_strongswan"

}

And the proof of the pudding is in the eating of course:

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown vici xauth-generic

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

}

[email protected]:~# /etc/init.d/ipsec restart

Stopping strongSwan IPsec...

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

[email protected]:~# cat /etc/strongswan.conf

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown vici xauth-generic

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

  charon.make_before_break = yes

}

[email protected]:~#

And there it is. Wonderful.

Cheers,

john

2 Answers

0 votes
by

Hello,

Have you tried to stop IPsec service, edit /etc/strongswan.conf file and then instead of restart, use start command:

/etc/init.d/ipsec start

It is usual behavior that manual config changes are wiped after each restart.

Best regards.

by
As you can see:

[email protected]:~# /etc/init.d/ipsec stop

Stopping strongSwan IPsec...

[email protected]:~# vi /etc/strongswan.conf

[email protected]:~# uci commit

[email protected]:~# /etc/init.d/ipsec start

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

[email protected]:~# cat /etc/strongswan.conf

charon {

        load = charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints

        pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve

        socket-default stroke updown vici xauth-generic  

        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

        }

        

It did not work. My addition is gone.

How can I edit that file and make the edits stick?

Cheers,

john
by
I tried this:

[email protected]:~# find / -name strongswan.conf

/etc/strongswan.conf

/rom/etc/strongswan.conf

/tmp/ipsec/strongswan.conf

[email protected]:~# vi /rom/etc/strongswan.conf

I I edited the file in /rom/etc/strongswan.conf.....

But once I did /etc/int.d/ipsec restart....my edits were gone.

Need to figure this out.

Cheers,

john
by

John,

Not sure about the RUT950 but on the RUTX11 I had to edit the /etc/init.d/ipsec script, look at the swan_xappend function and add:

        swan_xappend "  make_before_break = yes"                               

after "charon {"
Hope it helps.
 
0 votes
by
Hi,

Try adding the option via WebUI, in the "Custom options" field.

Config files (except /etc/config/*) are refreshed on service restarts. Editing the strongswan.conf file does nothing - it is generated anew from the info contained in /etc/config/strongswan each time the service restarts.

Adding the option via WebUI places it in /etc/config/strongswan. Also, the working IPsec config is at /var/ipsec/ipsec.conf.

DM
by
Where is the "Custom options" field?

Can't find it on my unit.

Cheers,

john
by

Hello, I marked the Custom options field:

Make sure you are running the latest firmware version: RUT9XX_R_00.06.07.4

Regards.

by
How can I past in a screen snap.....

you need to see a bug in the screen.

Cheers,

John
by

Stopping strongSwan IPsec failed: starter is not running

Starting weakSwan 5.6.2 IPsec [starter]...

!! Your strongswan.conf contains manual plugin load options for charon.

!! This is recommended for experts only, see

!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

/tmp/ipsec/ipsec.conf:29: missing value for setting 'charon.make_before_break'

invalid config file '/tmp/ipsec/ipsec.conf'

unable to start strongSwan -- fatal errors in config

Didn't work. That "Custom Options" field adds it to the ipsec.conf file not to the strongswan.conf file.
Cheers,
john
by
On the RUT950 you'll have to add it manually to /etc/init.d/ipsec after "charon {"

If aggressive mode on: line 154, add echo "  make_before_break = yes" >> $FileCommon

If aggressive mode off: line 168, add echo "  make_before_break = yes" >> $FileCommon

Regards,