Bugzilla – Bug 1219037
StrongSwan update breaks modern Vici interface
Last modified: 2024-02-22 11:39:32 UTC
Hello,

https://bugzilla.opensuse.org/show_bug.cgi?id=1184144 introduced a change in `strongswan` which masks `strongswan.service`:

```
* Fri Mar 31 2023 - Allow to use stroke aka ipsec interface by default instead of vici aka swanctl interface which is current upstream's default. strongswan.service which enables swanctl interface is masked to stop interfering with the ipsec interface (bsc#1184144)
```

This breaks all existing deployments of StrongSwan using the modern Vici plugin (swanctl.conf)! The Stroke plugin (ipsec.conf) is DEPRECATED. New users should not be forced to use a legacy implementation of the software, and existing users should not be forced to migrate their modern configuration to a legacy one!

Please revert this change - please do not ship a masked `strongswan.service`, please do not link the legacy ipsec binary to swanctl, and please generally do not break existing deployments.

If I understand the referenced bug report correctly, this was done due to a FIPS concern. If the change is really needed for FIPS compliance, it should only be introduced on FIPS enabled systems.

Georg
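A pre-upgrade check for the situation described in this report, added here as an example (it is not part of the bug report or of the strongswan package): it flags hosts whose swanctl.conf declares connections while strongswan.service is masked. It relies on systemd's masking convention (the unit in /etc/systemd/system is a symlink to /dev/null), takes a root directory so it can be run against a fixture tree, and assumes connections are declared directly in swanctl.conf (include directives are not followed).

```shell
# Exit status: 0 = no conflict, 1 = vici config present AND strongswan.service
# masked, i.e. the swanctl-based deployment would not start after the update.
vici_masked_conflict() {
  root="${1:-}"   # pass "" (or nothing) to inspect the running system
  unit="$root/etc/systemd/system/strongswan.service"
  conf="$root/etc/swanctl/swanctl.conf"

  # systemd masks a unit by linking its /etc/systemd/system entry to /dev/null
  masked=0
  if [ -L "$unit" ] && [ "$(readlink "$unit")" = "/dev/null" ]; then
    masked=1
  fi

  # A swanctl.conf with a top-level connections section means vici is in use.
  # Assumption: connections are declared here, not only via include files.
  uses_vici=0
  if [ -f "$conf" ] && grep -Eq '^[[:space:]]*connections[[:space:]]*\{' "$conf"; then
    uses_vici=1
  fi

  if [ "$masked" -eq 1 ] && [ "$uses_vici" -eq 1 ]; then
    echo "WARN: swanctl.conf defines connections but strongswan.service is masked" >&2
    return 1
  fi
  echo "OK: masked=$masked uses_vici=$uses_vici"
  return 0
}
```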
Hi Georg, I am aware of this vici vs stroke issue with strongswan. When strongswan switched from stroke to vici, updating the strongswan broke the existing deployments as systemd units were renamed etc etc. and I had many many bug reports stating that their systems are not working after strongswan update. Moreover, these issues were propagated to SLE products and yast-vpn module and because of FIPS and other concerns I had to make this change so migration could be smooth. Nevertheless, I understand that for opensuse distributions things should be different as stroke is deprecated now for the latest versions of strongswan. Having said that, strongswan 6.0 is near and it will disable the stroke interface unless explicitly enabled. Currently 6.0 version is in beta stage and it was supposed to be released by the end of 2023, but didn't happen. So at this time I'm just waiting for it to get released and then I'll make the required changes. Also, last I checked there were issues with using vici interface on tumbleweed directly (not sure if that's still the case), and thus before enabling it I've to make sure things work correctly.
For now, I'm closing this as wontfix. Thank you!!