[RndTbl] ipsec mystery

Trevor Cordes trevor at tecnopolis.ca
Tue Jun 1 23:08:05 CDT 2021


So I just upgraded to Fedora 33.  ipsec-tools rpm is gone.  Toast.  Ok.
But it also takes with it setkey, which I use to set up the odd VPN using
integrated Linux ipsec based on my /etc/ipsec.conf file.  I've been using
that for at least a decade.

Ok, fine, so I have to figure out how else to load my VPN rules into the
kernel using stock Fedora tools.  (Maybe racoon2....)

But here's the mystery: after rebooting the box into F33, it's still
connected on a VPN to a F32 box.  Even though setkey is missing!!  What on
earth is loading my ipsec.conf rules on boot into the kernel?

(Strongswan is also on the box, but it's completely deactivated at the
moment.  It too looks at ipsec.conf (sometimes).  Systemd has it
completely ignored (not in any target/wants) and it's not running any
daemons.  And no, this box doesn't have racoon2 on it (yet).)

It's almost as though the kernel itself is reading the file, but that
can't be??  Or the kernel saves the pre-reboot ipsec setup then reloads
it?  But I can't find any file that it could go in?  And that doesn't make
sense anyhow vis-à-vis the separation of kernel and userspace.

I'm completely stumped.  There should be no VPN working, but there it is,
with me pinging boxes over the tunnel.  Very strange...  And I can't see
any way to read the ipsec spd entries, since setkey did that also!  So
it's in there but no way to configure it on the fly and no way to see
what's configured?

If anyone knows any way to see into the kernel's ipsec setup using /proc
or /sys files, let me know!  I couldn't find anything relevant in there,
not with a filename you'd expect.
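An added example, not part of the original post and not code from ipsec-tools, strongSwan or Fedora: the kernel's IPsec policies (SPD) and security associations (SAD) can be listed without setkey using iproute2's `ip xfrm policy show` and `ip xfrm state show`, which talk to the kernel's XFRM subsystem over netlink (the same kernel tables that setkey populated over PF_KEY). The script below wraps those two commands (run as root or with CAP_NET_ADMIN) and reduces their verbose output to one line per entry, deliberately dropping the key material that `ip xfrm state` prints. Run with no arguments it parses a constructed sample of the two commands' output (the addresses, SPIs and key placeholders are made up); run with `live` it reads the real kernel tables. `ip xfrm monitor` can additionally be left running across a reboot or daemon restart to watch entries being installed in real time.

```shell
#!/bin/sh
# Added example (not from the original post): audit the kernel IPsec SPD/SAD
# with iproute2 instead of setkey.
#   sh xfrm-audit.sh        -> parse the constructed sample output below
#   sh xfrm-audit.sh live   -> parse `ip xfrm policy show` / `ip xfrm state show`

# One line per SPD entry: "<dir> <src> -> <dst> <mode>".
# Reads `ip xfrm policy show` output on stdin.  A policy header line starts
# with "src"; its "dir"/"socket" and "tmpl ... proto ... mode ..." lines are
# indented (tabs in real output, spaces in the sample; both are handled).
summarize_spd() {
    awk '
        function flush() { if (src != "") print dir " " src " -> " dst " " mode }
        /^src / { flush(); src = $2; dst = $4; dir = "?"; mode = "-" }   # "-" = no template
        /^[ \t]*(dir|socket) / { dir = $2 }
        /^[ \t]*proto / { for (i = 1; i <= NF; i++) if ($i == "mode") mode = $(i+1) }
        END { flush() }
    '
}

# One line per SA: "<src> -> <dst> <proto> spi=<spi> mode=<mode>".
# Reads `ip xfrm state show` output on stdin; auth/enc key lines are ignored,
# so the summary can be pasted into a ticket without leaking keys.
summarize_sad() {
    awk '
        /^src / { src = $2; dst = $4 }
        /^[ \t]*proto / {
            spi = "?"; mode = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "spi")  spi  = $(i+1)
                if ($i == "mode") mode = $(i+1)
            }
            print src " -> " dst " " $2 " spi=" spi " mode=" mode
        }
    '
}

# Constructed sample of `ip xfrm policy show` (one tunnel, in/out/fwd policies).
SAMPLE_SPD=$(cat <<'EOF'
src 10.0.0.0/24 dst 10.1.0.0/24
    dir out priority 0
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.0.0.0/24
    dir in priority 0
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.0.0.0/24
    dir fwd priority 0
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
EOF
)

# Constructed sample of `ip xfrm state show`; keys are placeholders, not real.
SAMPLE_SAD=$(cat <<'EOF'
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x00000100 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha256) 0xCONSTRUCTED_KEY_PLACEHOLDER 128
    enc cbc(aes) 0xCONSTRUCTED_KEY_PLACEHOLDER
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x00000200 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha256) 0xCONSTRUCTED_KEY_PLACEHOLDER 128
    enc cbc(aes) 0xCONSTRUCTED_KEY_PLACEHOLDER
EOF
)

case "${1:-}" in
    live)
        echo "== SPD (ip xfrm policy show) =="; ip xfrm policy show | summarize_spd
        echo "== SAD (ip xfrm state show) =="; ip xfrm state show | summarize_sad
        ;;
    *)
        echo "== SPD (constructed sample) =="; printf '%s\n' "$SAMPLE_SPD" | summarize_spd
        echo "== SAD (constructed sample) =="; printf '%s\n' "$SAMPLE_SAD" | summarize_sad
        ;;
esac
```

Feeding the script the output of `ip xfrm policy show` from a box that still has the tunnel up is the quickest way to confirm the entries really live in the kernel; comparing the SPI values reported by `summarize_sad` on both ends of the tunnel then shows whether the pair of SAs matches.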

