nixos/libreswan: use /etc/ipsec.conf as config #48029
Conversation
Hmmm. Changes to the config file no longer trigger restarts of the ipsec service because there is no longer a store path that changes. Not really sure how to get around this.
I believe you can use
You could use
1712aeb to d20ec37
@aneeshusa nice call, that totally worked. Just pushed up a change which I think actually made the diff smaller.
Any updates on this pull request, please?
I would recommend holding this PR back until libreswan is updated. Version 3.18, which is in nixpkgs, is from Jul 27, 2016. The most recent version is 3.29. If the problem still exists after the update we can merge this PR. Note that there is also a CVE out for pre-3.28 versions.
Thank you for your contributions.
Not the original submitter, but I can confirm that this issue is still relevant and that the proposed fix works. To my eyes, it is ready to merge. There is still another stumbling block which could be fixed in the future: ipsec does not start if the directory
I'm not using libreswan anymore (wireguard gang) so I'm not going to be able to validate changes to this PR. If someone else wants to carry it across the finish line, please do.
Motivation for this change
It appears that the --config flags don't actually work, because libreswan fails to start unless the config exists at /etc/ipsec.conf as well. The simplest solution is just to exclusively use /etc/ipsec.conf as a config file, which seems to make libreswan happy.
Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
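The approach this PR describes, shown as an added NixOS module fragment that is not the PR's own diff: the configuration is written straight to /etc/ipsec.conf, and the ipsec unit is tied to the generated file's store path so that a content change still restarts the daemon (the concern raised at the top of the thread). The option name services.libreswan.configText is assumed for illustration, as is the existing services.libreswan.enable option.

```nix
# Added example, not code from the nixpkgs libreswan module.
# `services.libreswan.configText` is an assumed option name; the fragment
# expects the existing module to define `services.libreswan.enable`.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.libreswan;
in
{
  options.services.libreswan.configText = lib.mkOption {
    type = lib.types.lines;
    default = "";
    description = "Contents written verbatim to /etc/ipsec.conf.";
  };

  config = lib.mkIf cfg.enable {
    # libreswan expects /etc/ipsec.conf to exist regardless of --config, so the
    # configuration is placed there instead of being passed as a store path.
    environment.etc."ipsec.conf".text = cfg.configText;

    systemd.services.ipsec = {
      # /etc/ipsec.conf keeps the same path across rebuilds, so editing it would
      # not restart the unit by itself. Referencing the store path that backs the
      # generated file makes a content change restart ipsec again, so the daemon
      # never keeps running with a policy set that no longer matches the config.
      restartTriggers = [ config.environment.etc."ipsec.conf".source ];
    };
  };
}
```

After nixos-rebuild switch, a changed ipsec.conf shows up as a restart of ipsec.service in the activation output, which is an easy way to check the trigger is wired up.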