src: Implement changes for dmvpn

[Thermi]

No description provided.

[Thermi]

appveyor failed because of a build timeout. 2 out of 3 tests passed.

[zpericic]

I have been rebaseing Timo's patches for few years and using it on fedora. There are few differences, namely you are missing changes for OpenWRT in src/libcharon/plugins/uci/uci_control.c and you squashed patches. I also have vyos-disconnect patch on my branch.

Timo's has been sending them to strongswan list for at least eight years.

Here is my conclusion:

1. Tobias insist that this is implemented as separate plugin.
2. Copyright notice was added on Tobias request as at first I thought copyright is showstopper.
3. Strongswan added some things based on Timo's patches, namely new events and connection loading as sarthurdev mentioned on src: Implement changes for dmvpn #345 .

Frr ships nhrp daemon (not dmvpn) for few years in stable releases, quagga also (but it has been deprecated) and it's a real shame this was not accepted or taken more seriously because most of SS usage on linux are on server to server basis. Even more because SS became main part of most distributions.

If only some of SS developer could find some time to review and do some work in direction in which it is acceptable to SS.

BTW. SS source is real large and IPsec/IKE is very complicated matter so it's not real that this is implemented by non SS developer.

[Thermi]

1. Not feasible to implement because the changes it requires
2. Solved for a long time now.
3. The patches already take that into account.

[zpericic]

So what would be correct course of action?

As Tobias stated this patches were rejected years ago and I don't see that they will ever be accepted. I especially don’t see that they could accepted in this squashed state.

Patches appeared on strongswan-dev list in 2014. Timo has resubmitted it few more times and they are ignored since.

Are we waiting for changes which would break this patches completely so we could throw away all nhrp code in Frr and Quagga?

[zpericic]

BTW. This is original thread which partly answer's Tobias questions.

[pemensik]

We have received request to include this feature into Fedora strongswan package. But one of original arguments in mailing list were lack of design document. I have found something on FRR NHRPD, but I would think this deserves at least some README.md on strongswan side. I can find updated code, but I miss any documentation notes added along. Is it intentional?

[Thermi]

What kind of documentation do you want? There is essentially no user interaction needed after the IKE_SA and CHILD_SA configuration is provided, and frr nhrpd is connected to it (and the nhrpd configuration is obviously frr specific, and has nothing to do with strongSwan).

[nwhisper2014]

Updated, actively supported version of the patch for strongswan 5.9.11: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

Please add these patches to the main strongswan code. This will greatly simplify the work of some strongswan users who now have to build strongswan manually every time.

[sever-sever]

Any updates?