[Bug 1176735] New: StrongSwan suddenly changed to use swanctl.conf instead of ipsec.conf, breaking all VPNs, Yast2 vpn fails to work post-change
http://bugzilla.opensuse.org/show_bug.cgi?id=1176735

Bug ID: 1176735
Summary: StrongSwan suddenly changed to use swanctl.conf instead of ipsec.conf, breaking all VPNs, Yast2 vpn fails to work post-change
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: glenbarney@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

This bug describes a sudden and significant change in behavior to Strongswan which occurred in the middle of OpenSuse 15.1's lifetime, and persists to the present day in 15.2.

BACKGROUND

For several years and OpenSuSE distributions (42.3, 15.0, 15.1) I've been successfully using Strongswan to provide IKEv1 roadwarrior-style inbound VPN service for my Android clients. I had it configured on five different servers at different locations, and was using these servers with multiple clients successfully.

After one of the routine "zypper up" updates during the 15.1 era, all of my VPN connections stopped working. I was not able to look into it immediately, so I cannot determine which patch release actually caused the breakage. My clients could still connect to other VPNs, but none of my clients could connect to any of my OpenSuSE Strongswan VPNs. They all just stopped working.

Just recently, in preparation for moving to 15.2, I was able to spend time debugging this. I had originally used yast2 vpn to set up my VPN services; yast2 had written data to /etc/ipsec.conf and /etc/ipsec.secrets, and all was well. After a long debugging process, I discovered that Strongswan was no longer honoring or even reading /etc/ipsec.conf. Instead, Strongswan was now looking for the (non-existent) /etc/swanctl/swanctl.conf file; and, not finding it, Strongswan was not loading any pools, connections, or other information, so nobody was able to connect.
However, yast2 vpn was still reading, writing, and working with the /etc/ipsec.conf file. Any changes I made with yast2 vpn were being written to /etc/ipsec.conf; only, Strongswan itself didn't care, because Strongswan was reading /etc/swanctl/swanctl.conf.

Ultimately, in order to get my VPNs to work again, I had to manually craft a new /etc/swanctl/swanctl.conf file, by hand, and make other changes, in order to restore VPN service.

Additional background, including the debugging steps I took to identify this problem, and the procedure I followed to restore service, are in the list message I originally posted about this topic here: https://lists.opensuse.org/opensuse/2020-09/msg00442.html .

PROBLEMS:

So the problem(s) surrounding this bug are as follows:

#1. A significant change to a production package (Strongswan) was deployed as a patch to an existing Leap point release (15.1), right in the middle of its lifetime, with no warning. As mentioned by another user here https://lists.opensuse.org/opensuse/2020-09/msg00443.html, "such changes are not acceptable in stable releases." This means Strongswan is broken for 15.1 (and later releases) compared to the state of Strongswan when 15.1 was originally released.

#2. The change made (i.e. the move from ipsec to swanctl) was *not* applied to the yast2 vpn configuration tool. This means that Yast2 is *also* broken for VPN configuration, because Yast2 only sees the "old" ipsec.conf configuration, whereas Strongswan only sees the "new" swanctl.conf configuration.

#3. As hinted at in bug # 1168226 ( https://bugzilla.opensuse.org/show_bug.cgi?id=1168226 ), the requisite directory structures needed for the "new" Strongswan setup were not included in the installer/update package scripts, resulting in additional errors on startup (as if suddenly having all of your connections vanish isn't bad enough already.)
TESTS RUN:

I tried removing /etc/swanctl/swanctl.conf (a basically blank file with just comments in it anyway) to see if Strongswan would fall back to /etc/ipsec.conf. It did not.

I confirmed that the deprecated "stroke" plugin was present; it is, and it's supposed to load /etc/ipsec.conf, but it does not.

I did a fresh, clean install of OpenSuSE 15.1, and confirmed the same behavior there. I also did a clean install of 15.2, and that behavior persists: Strongswan completely ignores /etc/ipsec.conf; Yast2 ignores everything else, and only works with /etc/ipsec.conf.

STEPS TO REPRODUCE:

* Do a fresh load of any OpenSuse version 15.0 or earlier, OR do a fresh load from ISO media of OpenSuse 15.1 *without* applying updates. Add a VPN connection via yast2 vpn, or by manually configuring /etc/ipsec.conf. Observe that yast2 vpn reads and writes /etc/ipsec.conf, and that Strongswan reads from /etc/ipsec.conf and successfully loads pools and connections from it. This is the expected behavior.

* Do a fresh load of OpenSuse 15.1 (with updates) or OpenSuse 15.2. Add a VPN connection via yast2 vpn or by manually configuring /etc/ipsec.conf. Observe that yast2 vpn still reads and writes /etc/ipsec.conf, but observe that Strongswan cannot open any pools or connections (as indicated in /var/log/messages with phrases like "no authorities found, 0 unloaded, no pools found, 0 unloaded, no connections found, 0 unloaded"). No VPN connections are possible. Now manually configure some connections in /etc/swanctl/swanctl.conf. Observe that Strongswan successfully loads and services those new connections. Observe that yast2 vpn, on the other hand, does not see or display any of those new connections. This is the broken behavior.
SUGGESTED RESOLUTIONS:

* Identify whether new behavior (swanctl.conf) is desired (which seems likely given Strongswan's own website commentary and documentation - they claim that stroke is deprecated in favor of vpni), or whether the old behavior is desired (ipsec.conf - which should probably be the case until 16.0, if I understand the roadmap correctly.)

* If the old behavior is desired, restore the old behavior to Strongswan via a new patch release to 15.1 and 15.2

* If the new behavior is desired:
  - Provide a patch to yast2 vpn to support the new file
  - Provide the correct directory structure as required by the new behavior, and
  - Provide a migration tool to modify existing ipsec.conf configurations and attempt to translate them into swanctl.conf configurations, as described in https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf .

NOTE: The details I provided in https://lists.opensuse.org/opensuse/2020-09/msg00442.html outline a swanctl.conf setup that does work, both for Android/IOS clients, and for Windows/MacOS clients *natively*. It seems to me that providing these either as yast2 vpn options, or as a default configuration or sample configuration file in future releases would make our users' jobs a lot easier.

Thank you for your attention, apologies if this is off-point or already being addressed.

--
You are receiving this mail because:
You are on the CC list for the bug.
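The report asks for a migration tool that turns existing ipsec.conf "conn" sections into swanctl.conf configurations. The following is an added example (not code from the bug report, the list message it links to, openSUSE, or the strongSwan project) of what the core of such a translator looks like: it parses the classic "conn"/"config" sections, merges "conn %default", and maps the most common keys onto the swanctl.conf "connections" and "pools" sections following the key correspondence the strongSwan wiki page linked above describes (left/right to local_addrs/remote_addrs, leftsubnet/rightsubnet to local_ts/remote_ts, rightsourceip to a named pool, keyexchange to version, ike/esp to proposals/esp_proposals). The sample ipsec.conf, the connection name, the pool name and the identity vpn.example.test are constructed for this example; keys the mapping does not know are reported back rather than dropped silently, so a half-translated configuration is visible instead of loading as "0 connections".

```python
"""Translate the common keys of ipsec.conf "conn" sections into swanctl.conf.

Added example; the key mapping follows the strongSwan wiki "Fromipsecconf"
page and covers only the most frequently used keys.  Anything not covered is
returned as an unknown key so that the operator can finish the job by hand.
"""
import re

# Constructed sample: an IKEv1 PSK road-warrior conn in the classic format.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev1
    authby=psk

conn roadwarrior
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=vpn.example.test
    right=%any
    rightsourceip=10.8.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with "conn %default" merged into every conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:                                      # new section header
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        if current is not None and "=" in line:    # key=value inside a section
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), kv in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)                 # %default first, conn overrides
            merged.update(kv)
            conns[name] = merged
    return conns


def conn_to_swanctl(name, kv):
    """Map one conn onto swanctl sections: (conn, local, remote, child, pools, unknown)."""
    conn, local, remote, child, pools, unknown = {}, {}, {}, {}, {}, []
    for k, v in kv.items():
        if k == "keyexchange":
            conn["version"] = {"ikev1": "1", "ikev2": "2", "ike": "0"}.get(v, "0")
        elif k == "left":
            if v != "%any":                        # %any is the swanctl default
                conn["local_addrs"] = v
        elif k == "right":
            if v != "%any":
                conn["remote_addrs"] = v
        elif k == "leftid":
            local["id"] = v
        elif k == "rightid":
            remote["id"] = v
        elif k == "authby":
            auth = "psk" if v in ("psk", "secret") else "pubkey"
            local["auth"] = auth
            remote["auth"] = auth
        elif k == "leftcert":
            local["certs"] = v
        elif k == "leftsubnet":
            child["local_ts"] = v
        elif k == "rightsubnet":
            child["remote_ts"] = v
        elif k == "rightsourceip":                 # virtual IP pool becomes a named pool
            pool_name = f"{name}_pool"
            pools[pool_name] = {"addrs": v}
            conn["pools"] = pool_name
        elif k == "ike":
            conn["proposals"] = v.rstrip("!")       # "!" (strict) has no swanctl equivalent
        elif k == "esp":
            child["esp_proposals"] = v.rstrip("!")
        elif k == "auto":
            if v == "route":
                child["start_action"] = "trap"
            elif v == "start":
                child["start_action"] = "start"     # auto=add is the default; emit nothing
        else:
            unknown.append(k)
    return conn, local, remote, child, pools, unknown


def translate(text):
    """Translate every conn in an ipsec.conf text; returns (swanctl_text, {conn: [unknown keys]})."""
    out, pools_all, unknown_all = ["connections {"], {}, {}
    for name, kv in parse_ipsec_conf(text).items():
        conn, local, remote, child, pools, unknown = conn_to_swanctl(name, kv)
        pools_all.update(pools)
        if unknown:
            unknown_all[name] = unknown
        out.append(f"    {name} {{")
        out += [f"        {k} = {v}" for k, v in conn.items()]
        for block, kvs in (("local", local), ("remote", remote)):
            out.append(f"        {block} {{")
            out += [f"            {k} = {v}" for k, v in kvs.items()]
            out.append("        }")
        out += ["        children {", f"            {name} {{"]
        out += [f"                {k} = {v}" for k, v in child.items()]
        out += ["            }", "        }", "    }"]
    out.append("}")
    if pools_all:
        out.append("pools {")
        for pname, pkv in pools_all.items():
            out.append(f"    {pname} {{")
            out += [f"        {k} = {v}" for k, v in pkv.items()]
            out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n", unknown_all


if __name__ == "__main__":
    swanctl_text, unknown = translate(SAMPLE_IPSEC_CONF)
    print(swanctl_text)
    if unknown:
        print("# keys needing manual translation:", unknown)
```

Secrets are deliberately left out: /etc/ipsec.secrets has no single counterpart in this mapping, and a translator that silently produced an empty "secrets" section would reproduce the very failure the report describes, connections that load but never authenticate. Running the script on a real /etc/ipsec.conf and reviewing the reported unknown keys, then loading the result with "swanctl --load-all", is the check that the translated connections and pools actually appear (rather than "no connections found, 0 unloaded" in the log).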
http://bugzilla.opensuse.org/show_bug.cgi?id=1176735

Glen Barney <glenbarney@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glenbarney@gmail.com