
Need to do 'swanctl --load-all' every boot


Sijmen J. Mulder

Apr 8, 2021, 7:00:05 AM
Hi all,

I've set up an IPsec + IKEv2 VPN server ('road warrior' setup) on
Debian 10 with StrongSwan. It was my understanding that
/etc/strongswan.d/swanctl.conf is the modern way to configure it
so that's what I did.

But now after every boot I have to run 'swanctl --load-all' to be able
to authenticate with the VPN. I found a slightly related
Stack Exchange post[1] which talks about charon-systemd vs.
starter/charon and to be honest it's not quite clear to me what these
different parts are supposed to do.

These are the strongswan and charon packages I have installed:

charon-systemd
libcharon-extra-plugins
libstrongswan
libstrongswan-extra-plugins
libstrongswan-standard-plugins
strongswan-charon
strongswan-libcharon
strongswan-starter
strongswan-swanctl

So it looks like *both* the starter and charon-systemd are installed.
But when I remove the starter the service doesn't seem to work at all -
I can't initiate IPsec connections to the machine then.

There is of course the StrongSwan documentation but it didn't help me
in this aspect.

Any ideas?

Thanks,
Sijmen Mulder

1: https://unix.stackexchange.com/questions/557032/how-to-start-a-swanctl-conf-configured-tunnel-automatically

Dan Ritter

Apr 8, 2021, 7:40:05 AM
I ran IPsec in various ways for about 15 years. Here's what I
can tell you: Wireguard is superior in every single way.

It's easier to configure.

It's easier to debug.

It's probably more secure.

For stable, Wireguard is in buster-backports; it will be
in-kernel in bullseye -- you'll still need to install the tools
package.

Wireguard's model is similar to SSH: you generate public and
private keys for the server and for each user. The server's
config gets to know the users' public keys; the users' configs
each need to know the server's public key and its name or IP
address. If you want to add a user, you generate a key pair and
add the public side to the server config; if you want to delete
a user, you remove their entry from the server config.

The main site is at wireguard.com, because there's a wire-fence
manufacturer sitting on wireguard.org.

-dsr-
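The key-distribution model Dan describes, as an added example that is not from the thread: a small Python script that keeps the server's peer list and renders the server config and a per-user client config, so adding and removing a user is exactly the bookkeeping he outlines. The key values are constructed 32-byte stand-ins (real ones come from `wg genkey` and `wg pubkey`); the hostname, tunnel addresses and port are assumed.

```python
import base64
from dataclasses import dataclass, field


def _key(seed: int) -> str:
    # Constructed stand-in for a Curve25519 key: 32 bytes, base64-encoded,
    # which is the shape WireGuard expects. Not a real key.
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()


def check_key(key: str) -> bool:
    """A WireGuard key must decode to exactly 32 bytes (44 base64 chars)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


@dataclass
class Server:
    public_key: str                       # every user's config needs this
    endpoint: str                         # assumed "host:port" the users dial
    address: str = "10.8.0.1/24"          # assumed tunnel address of the server
    listen_port: int = 51820
    peers: dict = field(default_factory=dict)   # name -> (public_key, tunnel_ip)

    def add_user(self, name: str, public_key: str, tunnel_ip: str) -> None:
        # Adding a user is just recording their public key on the server.
        if not check_key(public_key):
            raise ValueError(f"malformed public key for {name}")
        self.peers[name] = (public_key, tunnel_ip)

    def remove_user(self, name: str) -> None:
        # Revocation: the server forgets the key, so the handshake fails.
        del self.peers[name]

    def server_conf(self, private_key: str) -> str:
        lines = ["[Interface]", f"Address = {self.address}",
                 f"ListenPort = {self.listen_port}", f"PrivateKey = {private_key}"]
        for name, (pub, ip) in self.peers.items():
            # AllowedIPs on the server side also pins which source address
            # this key may use inside the tunnel (cryptokey routing).
            lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
        return "\n".join(lines) + "\n"

    def client_conf(self, name: str, private_key: str) -> str:
        _, ip = self.peers[name]
        return "\n".join(["[Interface]", f"Address = {ip}/32", f"PrivateKey = {private_key}",
                          "", "[Peer]", f"PublicKey = {self.public_key}",
                          f"Endpoint = {self.endpoint}",
                          "AllowedIPs = 0.0.0.0/0",        # route everything via the VPN
                          "PersistentKeepalive = 25"]) + "\n"
```

Run with `srv = Server(_key(1), "vpn.example.org:51820")`, then `srv.add_user("alice", _key(10), "10.8.0.2")` and print `srv.server_conf(...)` and `srv.client_conf("alice", ...)` to see the two halves of the pairing.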