
[RFC/RDY] make l2tp work with Strongswan #31019

Merged: 2 commits, Mar 3, 2018

Conversation

teto (Member) commented Oct 31, 2017

Motivation for this change

I badly needed l2tp VPN to work for my job so I fought hard with 0 experience on the matter. After a 1-month struggle (#30147), here is the PR.

I hope this is how it should be done, I am not sure yet on which nixos files should go where (concerning /etc files).
This is definitely the kind of setup that could use some tests but I've already spent way too much time on this so.

Big thanks to the l2tp maintainer who has been immensely helpful.

Things done
  • bump l2tp module
  • create missing pieces for strongswan to work with l2tp
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

++ optional (cfg.basePackages ? networkmanager_l2tp)
{
target = "ipsec.d/stub";
text = "";
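Review bot: `target = "ipsec.d/stub"` with `text = ""` creates an empty file only so that /etc/ipsec.d exists, which leaves a stray file in a directory meant to hold nothing but secrets; a directory-creation rule (a systemd tmpfiles `d` entry for /etc/ipsec.d) states the intent directly and avoids the stub.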
teto (author) commented:

here I just want to create the ipsec.d folder but didn't know how to do it without creating a stub file.


# with nopeerdns, ppp writes into this folder
environment.etc."ppp/stub".text = ''
'';
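Review bot: same pattern as the ipsec.d stub: `environment.etc."ppp/stub"` with empty text exists only so that /etc/ppp is present for pppd's `nopeerdns` write of /etc/ppp/resolv.conf; create the directory itself (a systemd tmpfiles rule for /etc/ppp) rather than shipping an empty file under /etc.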
teto (author) commented:

same problem, I dunno how to create just the folder

config = with cfg;
let
# would like to add some path when network manager is enabled
secrets2 = cfg.secrets ++ [ "toto" ];
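Review bot: `secrets2 = cfg.secrets ++ [ "toto" ]` leaves a debugging literal in the module, and per the comment above it the intended value is `lib.optional (cfg.basePackages ? networkmanager_l2tp) "/etc/ipsec.d/*.secrets"`; since nothing shown here consumes `secrets2`, the generated secrets file is most likely still built from `cfg.secrets`, which would explain why "toto" never reaches it. Suggest wiring `secrets2` into whatever generates ipsec.secrets and replacing the literal with the conditional include.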
teto (author) commented:

here in principle it should add conditionally lib.optional networkmanager_l2tp "/etc/ipsec.d/*.secrets" but whatever I do it never makes it into secrets2. For instance here 'toto' is not written to the file. I suspect cfg.secrets to partially support the ++ operator (like it discards its content). The PR should not be merged as long as this is not fixed.

@teto teto changed the title [RFC] make l2tp work with Strongswan [RFC] (do not merge yet) make l2tp work with Strongswan Oct 31, 2017
@teto teto mentioned this pull request Nov 11, 2017
@teto teto force-pushed the strongswan_rebased branch 2 times, most recently from cf8c05a to 6d6b7c3 on January 28, 2018 15:09
@teto teto changed the title [RFC] (do not merge yet) make l2tp work with Strongswan [RFC/RDY] make l2tp work with Strongswan Jan 29, 2018
teto (author) commented Jan 29, 2018

I fixed my previous comments by letting systemd create the folders and believe it's (finally) ready.

The new version brings a new panel in IPsec settings which allows re-enabling old algorithms for IPsec phases 1/2 (dropped in recent libreswan/strongswan etc.).

Also updates the homepage with the new one.

l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks whether /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it.

Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets.

Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
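
The directory-and-include arrangement described in that comment, written out as a NixOS module fragment. This is an added illustration, not the PR's own code: it assumes the standard `environment.etc`, `systemd.tmpfiles.rules`, `services.strongswan.enable` and `services.strongswan.secrets` options, and that `networking.networkmanager.basePackages` is the attribute set the PR tests with `? networkmanager_l2tp`.

```nix
{ config, lib, ... }:

let
  nm = config.networking.networkmanager;
  # Same test the PR uses: is the l2tp plugin among the NetworkManager
  # packages? (assumes basePackages is an attribute set, as the `?` implies)
  l2tpEnabled = nm.enable && (nm.basePackages ? networkmanager_l2tp);
in
{
  config = lib.mkIf l2tpEnabled {
    services.strongswan.enable = true;

    # Create the directories as directories (what the PR ended up doing via
    # systemd) instead of dropping empty "stub" files into them.
    systemd.tmpfiles.rules = [
      # networkmanager-l2tp writes its secrets here; mode chosen root-only
      "d /etc/ipsec.d 0700 root root -"
      # pppd with 'nopeerdns' writes /etc/ppp/resolv.conf; the dir must exist
      "d /etc/ppp 0755 root root -"
    ];

    # /etc/ipsec.secrets must reference /etc/ipsec.d, because the l2tp plugin
    # checks for that include and otherwise tries to edit the file itself.
    environment.etc."ipsec.secrets".text = ''
      include /etc/ipsec.d/*.secrets
    '';

    # strongswan reads the secrets file the module generates into the Nix
    # store; make that file include /etc/ipsec.secrets so the l2tp secrets
    # written at runtime are found.
    services.strongswan.secrets = [ "/etc/ipsec.secrets" ];
  };
}
```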

Mic92 (Member) commented Mar 3, 2018

Thanks!

teto (author) commented Mar 3, 2018

Thanks for merging this. I must say when I marked the PR as READY, it did work; I tried it recently and it didn't work anymore and I haven't had the chance to inquire into it. The changes you merged are definitely necessary to make it work though. I just note it for other people who might have problems. Maybe the problems were due to other nix components and have been fixed by now. I will check again soon.

@teto teto deleted the strongswan_rebased branch May 13, 2020 09:42