Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

src: Implement changes for dmvpn #345

Closed
wants to merge 1 commit into from
Closed

src: Implement changes for dmvpn #345

wants to merge 1 commit into from

Conversation

Thermi
Copy link
Contributor

@Thermi Thermi commented Apr 22, 2021

Test suite and test scenarios passe with the changes.

@Thermi Thermi closed this May 10, 2021
@Thermi Thermi reopened this May 10, 2021
@sarthurdev
Copy link

It would be great to see support for dmvpn, we've been having to use these patches in local builds.

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021

@sarthurdev Exactly these patches?

@sarthurdev
Copy link

Not exactly your fork, but the patches by Timo Teras.

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021

Could you kindly test my fork? Then I can be sure it's working alright. I don't have an existing test setup for DMVPN.

@zendulkaj
Copy link

zendulkaj commented Jun 3, 2021
edited

Could you kindly test my fork? Then I can be sure it's working alright. I don't have an existing test setup for DMVPN.

I also welcome these patches. I asked for it in the past at ticket https://wiki.strongswan.org/issues/3643. I going to test it with FRR/NHRP as well. When will it be part of the Strongswan release?

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021
edited

I don't know that. Probably when they are merged. :P
I adapted the changes to the latest version. They did not apply cleanly to 5.9.2 because of changes in the upstream code.

@tobiasbrunner
Copy link
Member

As far as I remember, these patches were rejected years ago. And I've never seen a design document that describes the problem they are trying to solve, what alternatives were considered and why were dismissed, and why this set of patches should be the best approach.

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021

Which patches exactly? The ones for VICI?

@sarthurdev
Copy link

Found the original messages on the topic: https://lists.strongswan.org/pipermail/dev/2014-August/001017.html

Might actually be able to approach this differently now, for example vici does seem to support creating dynamic connections now with load-conn().

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021

Found the original messages on the topic: https://lists.strongswan.org/pipermail/dev/2014-August/001017.html

That is extremely outdated, because all of these things already happened.
dmvpn is part of quagge and FRR.

Might actually be able to approach this differently now, for example vici does seem to support creating dynamic connections now with load-conn().
That's just for loading configs.
The issue is that the config lookup is linear, so it slows down with an increasing number of conns.
People with stupidly large amounts of sites to interconnect will get slowdowns if new connections are explicitely new configurations.
The patch instead allows overriding the remote and local addresses when initiating the connections. That way a common configuration can be used.

@sarthurdev
Copy link 

root@swan-dev# swanctl -i -c dmvpn -S 192.0.2.2 -R 192.0.2.1
[DMN] thread 13 received 11
[LIB]  dumping 7 stack frame addresses:
[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fdca3c1f000 [0x7fdca3c31730]
[LIB]     -> 
[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fdca3dcb000 [0x7fdca3e03575]
[LIB]     -> 
[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7fdca3dcb000 [0x7fdca3de0b9a]
[LIB]     -> 
[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fdca3e6a000 [0x7fdca3ea66eb]
[LIB]     -> 
[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fdca3e6a000 [0x7fdca3eb917b]
[LIB]     -> 
[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fdca3c1f000 [0x7fdca3c26fa3]
[LIB]     -> 
[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fdca3a59000 (clone+0x3f) [0x7fdca3b524cf]
[LIB]     -> 
initiate request failed: Success

I'm facing the above problem, you should be able to reproduce and test this without a dmvpn setup, by defining a connection in swanctl.conf and initiate it like above command.

@Thermi
Copy link
Contributor Author

Thermi commented Jun 3, 2021

Thank you for your quick response. I'll fix it when I have time allocated for it. :)

@sarthurdev
Copy link

@Thermi It seems that Alpine Linux have working 5.9 patches for dmvpn support: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

@Thermi
Copy link
Contributor Author

Thermi commented Jun 21, 2021

@Thermi It seems that Alpine Linux have working 5.9 patches for dmvpn support: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

That's the patches that I based the changes in this commit on. Because of changes in strongSwan, the patches in that branch don't apply anymore. And strongSwan on Alpine already crashes when the the conns are reloaded using swanctl (if it's used in cojunction with quagga's nhrpd). So that's no good.

@Thermi
Copy link
Contributor Author

Thermi commented Jul 11, 2021

I fixed a bug and rebased for 5.9.3. See #502 please.

@Thermi Thermi closed this Jul 11, 2021
@zpericic zpericic mentioned this pull request Aug 25, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Thermi @sarthurdev @zendulkaj @tobiasbrunner