Bug ID: 1176735
Summary: StrongSwan suddenly changed to use swanctl.conf instead of ipsec.conf, breaking all VPNs; Yast2 vpn fails to work post-change
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: glenbarney@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

This bug describes a sudden and significant change in behavior to Strongswan
which occurred in the middle of OpenSuse 15.1's lifetime, and persists to the
present day in 15.2.

BACKGROUND

For several years and OpenSuSE distributions (42.3, 15.0, 15.1) I've been
successfully using Strongswan to provide IKEv1 roadwarrior-style inbound VPN
service for my Android clients.  I had it configured on five different servers
at different locations, and was using these servers with multiple clients
successfully.

After one of the routine "zypper up" updates during the 15.1 era, all of my VPN
connections stopped working.  I was not able to look into it immediately, so I
cannot determine which patch release actually caused the breakage.  My clients
could still connect to other VPNs, but none of my clients could connect to any
of my OpenSuSE Strongswan VPNs.  They all just stopped working.

Just recently in preparation for moving to 15.2, I was able to spend time
debugging this.  I had originally used yast2 vpn to set up my VPN services;
yast2 had written data to /etc/ipsec.conf and /etc/ipsec.secrets, and all was
well.  After a long debugging process, I discovered that Strongswan was no
longer honoring or even reading /etc/ipsec.conf.  Instead, Strongswan was now
looking for the (non-existent) /etc/swanctl/swanctl.conf file; and, not finding
it, Strongswan was not loading any pools, connections, or other information, so
nobody was able to connect.

However, yast2 vpn was still reading, writing, and working with the
/etc/ipsec.conf file.  Any changes I made with yast2 vpn were being written to
/etc/ipsec.conf; only, Strongswan itself didn't care, because Strongswan was
reading /etc/swanctl/swanctl.conf.

Ultimately, in order to get my VPNs to work again, I had to manually craft a
new /etc/swanctl/swanctl.conf file, by hand, and make other changes, in order
to restore VPN service.  Additional background, including the debugging steps I
took to identify this problem, and the procedure I followed to restore service,
are in the list message I originally posted about this topic here:
https://lists.opensuse.org/opensuse/2020-09/msg00442.html

PROBLEMS:

So the problem(s) surrounding this bug are as follows:

#1. A significant change to a production package (Strongswan) was deployed as a
patch to an existing Leap point release (15.1), right in the middle of its
lifetime, with no warning.  As mentioned by another user here
https://lists.opensuse.org/opensuse/2020-09/msg00443.html, "such changes are
not acceptable in stable releases."  This means Strongswan is broken for 15.1
(and later releases) compared to the state of Strongswan when 15.1 was
originally released.

#2. The change made (i.e. the move from ipsec to swanctl) was *not* applied to
the yast2 vpn configuration tool.  This means that Yast2 is *also* broken for
VPN configuration, because Yast2 only sees the "old" ipsec.conf configuration,
whereas Strongswan only sees the "new" swanctl.conf configuration.

#3. As hinted at in bug #1168226
(https://bugzilla.opensuse.org/show_bug.cgi?id=1168226), the requisite
directory structures needed for the "new" Strongswan setup were not included in
the installer/update package scripts, resulting in additional errors on startup
(as if suddenly having all of your connections vanish isn't bad enough
already.)

TESTS RUN:

I tried removing /etc/swanctl/swanctl.conf (a basically blank file with just
comments in it anyway) to see if Strongswan would fall back to /etc/ipsec.conf.
It did not. I confirmed that the deprecated "stroke" plugin was present, it is,
and it's supposed to load /etc/ipsec.conf, but it does not.

I did a fresh, clean install of OpenSuSE 15.1, and confirmed the same behavior
there. I also did a clean install of 15.2, and that behavior persists:
Strongswan completely ignores /etc/ipsec.conf, Yast2 ignores everything else,
and only works with /etc/ipsec.conf.

STEPS TO REPRODUCE:

* Do a fresh load of any OpenSuse version 15.0 or earlier, OR do a fresh
load from ISO media of OpenSuse 15.1 *without* applying updates.  Add a VPN
connection via yast2 vpn, or by manually configuring /etc/ipsec.conf.  Observe
that yast2 vpn reads and writes /etc/ipsec.conf, and that Strongswan reads from
/etc/ipsec.conf and successfully loads pools and connections from it.  This is
the expected behavior.

* Do a fresh load of OpenSuse 15.1 (with updates) or OpenSuse 15.2.  Add a VPN
connection via yast2 vpn or by manually configuring /etc/ipsec.conf.  Observe
that yast2 vpn still reads and writes /etc/ipsec.conf, but observe that
Strongswan cannot open any pools or connections (as indicated in
/var/log/messages with phrases like "no authorities found, 0 unloaded, no pools
found, 0 unloaded, no connections found, 0 unloaded").  No VPN connections are
possible.  Now manually configure some connections in
/etc/swanctl/swanctl.conf.  Observe that Strongswan successfully loads and
services those new connections.  Observe that yast2 vpn, on the other hand,
does not see or display any of those new connections.  This is the broken
behavior.
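The "no pools found, 0 unloaded" / "no connections found, 0 unloaded" lines above are the quickest way to tell the two states apart without a client. As an added check (not part of the report), here is a small Python parser for those swanctl load summary lines, plus a test for the "file with nothing but comments" state described under TESTS RUN. The sample log lines and their syslog prefix are constructed for this example.

```python
"""Check a strongSwan log excerpt for the 'nothing loaded' symptom.

Added example, not part of the report. It parses the swanctl load summary
lines quoted above ("no pools found, 0 unloaded", "successfully loaded 1
connections, 0 unloaded") and reports which categories ended up empty.
The sample lines and their syslog prefix are constructed.
"""
import re

SAMPLE_LOG_BROKEN = """\
Sep 20 10:01:02 vpn1 swanctl[1204]: no authorities found, 0 unloaded
Sep 20 10:01:02 vpn1 swanctl[1204]: no pools found, 0 unloaded
Sep 20 10:01:02 vpn1 swanctl[1204]: no connections found, 0 unloaded
"""

SAMPLE_LOG_OK = """\
Sep 20 10:05:41 vpn1 swanctl[1310]: loaded pool 'rw-pool'
Sep 20 10:05:41 vpn1 swanctl[1310]: successfully loaded 1 pools, 0 unloaded
Sep 20 10:05:41 vpn1 swanctl[1310]: loaded connection 'rw'
Sep 20 10:05:41 vpn1 swanctl[1310]: successfully loaded 1 connections, 0 unloaded
"""

NONE_RE = re.compile(r"no (\w+) found, \d+ unloaded")
LOADED_RE = re.compile(r"successfully loaded (\d+) (\w+), \d+ unloaded")


def load_summary(log_text):
    """Return {category: number loaded} from the swanctl summary lines in log_text."""
    summary = {}
    for line in log_text.splitlines():
        m = NONE_RE.search(line)
        if m:
            summary[m.group(1)] = 0
            continue
        m = LOADED_RE.search(line)
        if m:
            summary[m.group(2)] = int(m.group(1))
    return summary


def empty_categories(log_text):
    """Categories nothing was loaded for; an empty 'connections' means no VPN can come up."""
    return sorted(cat for cat, n in load_summary(log_text).items() if n == 0)


def config_is_effectively_empty(conf_text):
    """True if swanctl.conf holds only comments and blank lines (the state the report found)."""
    return all(not line.split("#", 1)[0].strip() for line in conf_text.splitlines())
```

Feed `load_summary` the lines from /var/log/messages (or `journalctl -u strongswan-swanctl`) after a restart; `connections` in the result of `empty_categories` is the signature of the broken state, regardless of how complete /etc/ipsec.conf looks.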

SUGGESTED RESOLUTIONS:

* Identify whether new behavior (swanctl.conf) is desired (which seems likely
given Strongswan's own website commentary and documentation - they claim that
stroke is deprecated in favor of vici), or whether the old behavior is desired
(ipsec.conf - which should probably be the case until 16.0, if I understand the
roadmap correctly.)

* If the old behavior is desired, restore the old behavior to Strongswan via a
new patch release to 15.1 and 15.2

* If the new behavior is desired:
- Provide a patch to yast2 vpn to support the new file
- Provide the correct directory structure as required by the new behavior, and
- Provide a migration tool to modify existing ipsec.conf configurations and
attempt to translate them into swanctl.conf configurations, as described in
https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf .
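As an added illustration of the migration step suggested above (not the reporter's tool and not something shipped by strongSwan), the following Python translates the ipsec.conf subset a roadwarrior setup typically uses into swanctl.conf syntax. The key mapping follows the Fromipsecconf wiki page for the options I am sure of (left/right to local/remote, leftsubnet/rightsubnet to local_ts/remote_ts, ike/esp to proposals/esp_proposals, keyexchange to version, rightsourceip to a named pool, auto to start_action); every other option is emitted as a comment so it is reviewed by hand rather than silently dropped. The sample ipsec.conf and the `<conn>-pool` naming are constructed for this example.

```python
"""Translate a simple ipsec.conf into swanctl.conf syntax.

Added example, not the reporter's or strongSwan's code. The key mapping follows
the strongSwan migration page linked above for options I am sure of; anything
else is emitted as a comment for manual review. SAMPLE_IPSEC_CONF is constructed.
"""

SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!

conn rw
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightsourceip=10.99.0.0/24
    rightauth=psk
    rightauth2=xauth
    auto=add
"""

VERSION = {"ikev1": 1, "ikev2": 2, "ike": 0}          # keyexchange -> version
START_ACTION = {"start": "start", "route": "trap"}    # auto=add needs no start_action
CONN_KEYS = {"ike": "proposals"}
CHILD_KEYS = {"esp": "esp_proposals", "leftsubnet": "local_ts", "rightsubnet": "remote_ts"}
LOCAL_KEYS = {"leftid": "id", "leftauth": "auth", "leftcert": "certs"}
REMOTE_KEYS = {"rightid": "id", "rightauth": "auth"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                # 'conn NAME' or 'config setup' header
            kind, _, name = line.partition(" ")
            current = {} if kind == "conn" else None
            if current is not None:
                sections[name.strip()] = current
        elif current is not None:               # options under 'config setup' are skipped
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def translate_conn(name, opts):
    """Return (connection, pools, unmapped) for one conn; left/right become local/remote."""
    conn, child, pools, unmapped = {}, {}, {}, []
    local, remote, remote2 = {}, {}, {}
    for key, value in opts.items():
        value = value.rstrip("!")               # ipsec.conf '!' strict marker has no swanctl form
        if key in CONN_KEYS:
            conn[CONN_KEYS[key]] = value
        elif key in CHILD_KEYS:
            child[CHILD_KEYS[key]] = value
        elif key in LOCAL_KEYS:
            local[LOCAL_KEYS[key]] = value
        elif key in REMOTE_KEYS:
            remote[REMOTE_KEYS[key]] = value
        elif key == "rightauth2":               # second auth round (e.g. XAuth after PSK)
            remote2["auth"] = value
        elif key == "keyexchange":
            conn["version"] = VERSION.get(value, 0)
        elif key in ("left", "right"):
            if value != "%any":                 # %any is already swanctl's default
                conn[("local" if key == "left" else "remote") + "_addrs"] = value
        elif key == "rightsourceip":            # virtual IPs come from a named pool
            pools[f"{name}-pool"] = {"addrs": value}
            conn["pools"] = f"{name}-pool"
        elif key == "auto" and value in START_ACTION:
            child["start_action"] = START_ACTION[value]
        elif key != "auto" or value != "add":   # auto=add is swanctl's default behaviour
            unmapped.append(f"{key}={value}")
    for section, body in (("local", local), ("remote", remote), ("remote-2", remote2)):
        if body:
            conn[section] = body
    conn["children"] = {name: child}
    return conn, pools, unmapped


def render(section, indent=0):
    """Serialise nested dicts as swanctl.conf 'key = value' and 'name { ... }' blocks."""
    pad, out = "    " * indent, []
    for key, value in section.items():
        if isinstance(value, dict):
            out += [f"{pad}{key} {{", *render(value, indent + 1), f"{pad}}}"]
        else:
            out.append(f"{pad}{key} = {value}")
    return out


def ipsec_to_swanctl(text):
    """Return swanctl.conf text for every conn in an ipsec.conf string."""
    connections, pools, notes = {}, {}, []
    for name, opts in parse_ipsec_conf(text).items():
        conn, conn_pools, unmapped = translate_conn(name, opts)
        connections[name] = conn
        pools.update(conn_pools)
        notes += [f"# {name}: unmapped option {u}, translate by hand" for u in unmapped]
    doc = {"connections": connections, **({"pools": pools} if pools else {})}
    return "\n".join(notes + render(doc)) + "\n"
```

Secrets are deliberately out of scope: /etc/ipsec.secrets entries need a separate `secrets { }` section in swanctl.conf, and the generated file should be checked with `swanctl --load-all` and the log parser above before the old configuration is removed.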

NOTE:

The details I provided in
https://lists.opensuse.org/opensuse/2020-09/msg00442.html outline a
swanctl.conf setup that does work, both for Android/IOS clients, and for
Windows/MacOS clients *natively*.  It seems to me that providing these either
as yast2 vpn options, or as a default configuration or sample configuration
file in future releases would make our users' jobs a lot easier.

Thank you for your attention, apologies if this is off-point or already being
addressed.