Which script to use for ipsec restart

guho

Regular Contributor
I am running 384.8_2 on my ac86u. I would like to have a jffs script update the /tmp/etc/ipsec.conf file and call ipsec restart so it takes effect. My JFFS is on and I tried putting commands doing the conf update and restart in firewall-start and in services-start. But I think the IPSec VPN server starts after either one of these scripts run. What would be the best place to accomplish this? I am afraid to hang the router if I start putting sleep statements to delay the ipsec restart until after the IPSec VPN server comes up. It works of course if I manually log into the router via ssh and do the update & restart from the SSH command line.

Thanks!
 
Try a service-event (not sure if it will only intercept service restarts, or also the initial start):

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Check the passed service to ensure it's being called for ipsec.
 
Thanks. I will try that. For future Merlin versions, would you consider allowing users to provide ipsecserver.postconf similar to the openvpnserverX.postconf?
 
Probably a good idea, I just need to recheck how Asus implemented their config generation to confirm it's doable.
 
Unfortunately not called for ipsec upon startup. But I found I can tag along with diskmon restart service-event, which occurs later than the generation of /etc/ipsec.conf. So this is my workaround. I hope you will have some time to implement ipsecserver.postconf in an upcoming Merlin release. Thanks in advance.
 
Asus's IPSEC code is a complete mess.

I added ipsec.postconf and strongswan.postconf, both being run after the creation of these two config files. They should _hopefully_ work as expected when creating these two config files, but due to how messy the whole code is, I can't be entirely sure...
 
Thank you, that is great news. Unfortunately, it looks like I also need ipsec.secrets.postconf because I have to add an RSA line for my ikev2 ipsec server. I have not worked with strongswan.postconf; perhaps that will allow me to do something about the secrets?

In any case, thank you for doing this so quickly. Is it in 348.9 alpha or some future release 384.10?
 
You can use the other scripts to modify it too (one of the two is run after secrets gets configured, can't remember which one).

The changes are in 384.9.
 
Thanks RMerlin for doing this. I upgraded to 384.9 last week and adopted the new strongswan.postconf and ipsec.postconf. I also made a donation to you. For others who might be interested: I have in my strongswan.postconf

pc_delete "interfaces_ignore = br0" $CONFIG

because my ac86u is not my main router and I forward the IPSEC ports from my main Verizon router to my ac86u. In my ipsec.postconf, I have

cp /jffs/scripts/ipsec.conf $CONFIG
cp /jffs/scripts/ipsec.secrets /tmp/etc/ipsec.secrets

to just completely overwrite these as there are too many changes to do manipulations. Main change is to add ikev2/EAP in addition to the stock ikev1 XAUTH. Now I can log in to the home VPN using the strongswan Android app, which gives me a very stable VPN access.

Thanks again to RMerlin for responding and acting on my suggestion of these two new postconfs. One further request is to document these in your list of postconfs on the wiki so others can use these as well.
 
Thanks, I forgot to update the Wiki.
 
@RMerlin: actually now I just found out my ipsec.secrets gets overwritten after ipsec.postconf runs. Would it be possible to add ipsec.secrets.postconf as well? Thanks!

PS: strongswan.postconf runs late enough to do the trick updating ipsec.secrets. So all is working now even after reboot.
 
I will have to re-analyze the code to determine if it's doable. The IPSEC implementation is a complete mess, quite frankly. Took me a whole afternoon just to implement these two scripts.
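
The strongswan.postconf approach the thread settles on, as an added example that is not code from the thread or from Asuswrt-Merlin: it replaces the generated ipsec.secrets only when the JFFS copy exists and is non-empty, and installs it atomically with mode 600 so a plain `cp` cannot leave the keys readable or half-written. It assumes the script receives the generated config path as `$1` like other Merlin postconf scripts; `install_secrets` is a hypothetical helper name, and the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# /jffs/scripts/strongswan.postconf (added example, not the poster's script)
# Assumption: $1 is the path of the generated strongswan.conf.
# The thread reports that ipsec.secrets is rewritten after ipsec.postconf
# runs, so the secrets are installed from this later script instead.

SECRETS_SRC="${SECRETS_SRC:-/jffs/scripts/ipsec.secrets}"
SECRETS_DST="${SECRETS_DST:-/tmp/etc/ipsec.secrets}"

# install_secrets SRC DST (hypothetical helper)
# Copies SRC over DST with mode 600 via a temp file in the same directory,
# so the rename is atomic. Returns non-zero and leaves DST untouched when
# SRC is missing or empty, keeping the firmware-generated secrets in place.
install_secrets() {
    src="$1"; dst="$2"
    [ -s "$src" ] || return 1
    tmp="$dst.new.$$"
    # umask 077 ensures the temp file is never created group/world readable.
    ( umask 077 && cat "$src" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$dst"
}

# Run the postconf logic only on the router, where helper.sh provides
# pc_delete; elsewhere this file just defines install_secrets.
if [ -n "${1:-}" ] && [ -f /usr/sbin/helper.sh ]; then
    CONFIG="$1"
    . /usr/sbin/helper.sh
    # Same edit as in the thread: let strongSwan listen on br0 when the
    # router sits behind another router that forwards the IPsec ports.
    pc_delete "interfaces_ignore = br0" "$CONFIG"
    install_secrets "$SECRETS_SRC" "$SECRETS_DST" ||
        logger -t strongswan.postconf "no usable $SECRETS_SRC, keeping generated secrets"
fi
```

Keeping the JFFS copy itself at mode 600 closes the same exposure on the stored side.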
 
