Re: Need to do 'swanctl --load-all' every boot
Sijmen J. Mulder wrote:
> Hi all,
>
> I've set up an IPsec + IKEv2 VPN server ('road warrior' set up) on
> Debian 10 with StrongSwan. It was my understanding that
> /etc/strongswan.d/swanctl.conf is the modern way to configure it
> so that's what I did.
>
> But now after every boot I have to run 'swanctl --load-all' to be able
> to authenticate with the VPN. I found a slightly related
> Stack Exchange post[1] which talks about charon-systemd vs.
> starter/chron and to be honest it's not quite clear to me what these
> different parts are supposed to do.
>
> These are the strongswan and charon packages I have installed:
>
> charon-systemd
> libcharon-extra-plugins
> libstrongswan
> libstrongswan-extra-plugins
> libstrongswan-standard-plugins
> strongswan-charon
> strongswan-libcharon
> strongswan-starter
> strongswan-swanctl
>
> So it looks like *both* the starter and charon-systemd are installed.
> But when I remove the starter the service doesn't seem to work at all -
> I can't initiate IPsec connections to the machine then.
>
> There is of course the StrongSwan documentation but it didn't help me
> in this aspect.
>
> Any ideas?
I ran IPsec in various ways for about 15 years. Here's what I
can tell you: Wireguard is superior in every single way.
It's easier to configure.
It's easier to debug.
It's probably more secure.
For stable, Wireguard is in buster-backports; it will be
in-kernel in bullseye -- you'll still need to install the tools
package.
Wireguard's model is similar to SSH: you generate public and
private keys for the server and for each user. The server's
config gets to know the users' public keys; the users' configs
each need to know the server's public key and its name or IP
address. If you want to add a user, you generate a key pair and
add the public side to the server config; if you want to delete
a user, you remove their entry from the server config.
The main site is at wireguard.com, because there's a wire-fence
manufacturer sitting on wireguard.org.
-dsr-
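As an added illustration of the key-distribution model dsr describes (not code from either message, nor from the WireGuard project): the server config holds its own private key plus one [Peer] entry per user public key, each client config holds its own private key plus the server's public key and endpoint, and adding or deleting a user is adding or dropping a [Peer] block. Keys below are constructed placeholders (real ones come from `wg genkey` / `wg pubkey`); the addresses, port and hostname are assumed.

```python
"""WireGuard config helper: render server/client configs and add or remove
a user by editing the server's [Peer] sections (example code)."""
import re

# Constructed placeholder keys for illustration; NOT valid WireGuard keys.
SERVER_PRIV = "SERVER_PRIVATE_KEY_PLACEHOLDER="
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER="
ALICE_PRIV = "ALICE_PRIVATE_KEY_PLACEHOLDER="
ALICE_PUB = "ALICE_PUBLIC_KEY_PLACEHOLDER="


def server_conf(server_priv, listen_port, address, peers):
    """Server side: its own private key plus one [Peer] per user public key."""
    text = (f"[Interface]\nPrivateKey = {server_priv}\n"
            f"ListenPort = {listen_port}\nAddress = {address}\n")
    for pub, allowed in peers:
        text += f"\n[Peer]\nPublicKey = {pub}\nAllowedIPs = {allowed}\n"
    return text


def client_conf(client_priv, address, server_pub, endpoint):
    """Client side: its own private key, the server's public key and endpoint."""
    return (f"[Interface]\nPrivateKey = {client_priv}\nAddress = {address}\n\n"
            f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")


def peer_blocks(conf):
    """Split a config into (interface_text, [peer_block, ...])."""
    parts = re.split(r"(?m)^\[Peer\]\n", conf)
    return parts[0], ["[Peer]\n" + p for p in parts[1:]]


def list_peers(conf):
    """Public keys of all users currently allowed on the server."""
    return [re.search(r"PublicKey = (\S+)", b).group(1)
            for b in peer_blocks(conf)[1]]


def add_peer(conf, pub, allowed):
    """Add a user: append a [Peer] block with their public key (idempotent)."""
    if pub in list_peers(conf):
        return conf
    return conf.rstrip("\n") + f"\n\n[Peer]\nPublicKey = {pub}\nAllowedIPs = {allowed}\n"


def remove_peer(conf, pub):
    """Delete a user: drop the [Peer] block that carries their public key."""
    head, blocks = peer_blocks(conf)
    return head + "".join(b for b in blocks if f"PublicKey = {pub}\n" not in b)
```

Note that only the server's [Peer] list changes when users come and go; existing clients keep their config unchanged, just as with an SSH authorized_keys file.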