
Re: Need to do 'swanctl --load-all' every boot



Sijmen J. Mulder wrote: 
> Hi all,
> 
> I've set up an IPsec + IKEv2 VPN server ('road warrior' set up) on
> Debian 10 with StrongSwan. It was my understanding that
> /etc/strongswan.d/swanctl.conf is the modern way to configure it
> so that's what I did.
> 
> But now after every boot I have to run 'swanctl --load-all' to be able
> to authenticate with the VPN. I found a slightly related
> Stack Exchange post[1] which talks about charon-systemd vs.
> starter/charon and to be honest it's not quite clear to me what these
> different parts are supposed to do.
> 
> These are the strongswan and charon packages I have installed:
> 
>  charon-systemd
>  libcharon-extra-plugins
>  libstrongswan
>  libstrongswan-extra-plugins
>  libstrongswan-standard-plugins
>  strongswan-charon
>  strongswan-libcharon
>  strongswan-starter
>  strongswan-swanctl
> 
> So it looks like *both* the starter and charon-systemd are installed.
> But when I remove the starter the service doesn't seem to work at all -
> I can't initiate IPsec connections to the machine then.
> 
> There is of course the StrongSwan documentation but it didn't help me
> in this aspect.
> 
> Any ideas?

I ran IPsec in various ways for about 15 years. Here's what I
can tell you: Wireguard is superior in every single way.

It's easier to configure.

It's easier to debug.

It's probably more secure.

For stable, Wireguard is in buster-backports; it will be
in-kernel in bullseye -- you'll still need to install the tools
package.

Wireguard's model is similar to SSH: you generate public and
private keys for the server and for each user. The server's
config gets to know the users' public keys; the users' configs
each need to know the server's public key and its name or IP
address. If you want to add a user, you generate a key pair and
add the public side to the server config; if you want to delete
a user, you remove their entry from the server config.

The main site is at wireguard.com, because there's a wire-fence
manufacturer sitting on wireguard.org.

-dsr-
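The SSH-like key model dsr describes above, written out as an added example (this is not code from the thread, from Debian or from the WireGuard project): the server's config holds its own private key plus one [Peer] block per user carrying only that user's public key; each user's config holds their private key, the server's public key and the server's endpoint; adding a user appends a [Peer] block, revoking one deletes it. The endpoint vpn.example.com:51820, the 10.8.0.0/24 tunnel network, the "# name" comment used to tag each peer block, and the keys used in the demo are all assumptions or constructed placeholders; gen_keypair is the only part that calls the real wg(8) tool.

```shell
#!/bin/sh
# Added example of the WireGuard "hub" layout described in the thread.
# Assumptions: server reachable at vpn.example.com:51820 (placeholder),
# tunnel network 10.8.0.0/24 with the server at 10.8.0.1, and one
# "# <name>" comment line tagging each user's [Peer] block so it can be
# removed by name later. Demo keys at the bottom are constructed
# placeholders shaped like keys; they are NOT valid WireGuard keys.
set -eu

SERVER_ENDPOINT="vpn.example.com:51820"   # placeholder hostname
SERVER_ADDR="10.8.0.1/24"
TUNNEL_NET="10.8.0.0/24"

# Generate a real key pair with wg(8); prints "<private> <public>".
# The private key must never leave the host it was generated on.
gen_keypair() {
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# Server [Interface]: the only secret in the file is the server's own key.
server_interface() {   # $1 = server private key
    printf '[Interface]\nAddress = %s\nListenPort = 51820\nPrivateKey = %s\n' \
        "$SERVER_ADDR" "$1"
}

# One [Peer] block per user. The server stores only the user's public key;
# AllowedIPs pins the tunnel address that key may source traffic from, so
# it doubles as a per-user access list (a /32 keeps users from spoofing
# each other's tunnel address).
server_peer() {   # $1 = user name, $2 = user public key, $3 = user tunnel IP
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client config: the user's private key, the server's public key and its
# endpoint. AllowedIPs here is a routing decision (which destinations go
# through the tunnel), not an ACL.
client_conf() {   # $1 = user private key, $2 = user tunnel IP, $3 = server public key
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$2" "$1" "$3" "$SERVER_ENDPOINT" "$TUNNEL_NET"
}

# Revoke a user: drop the block that starts at "# <name>" and runs to the
# next blank line. Reads a server config on stdin, writes the result on stdout.
remove_peer() {   # $1 = user name
    awk -v tag="# $1" '
        $0 == tag { skip = 1; next }   # start of the doomed block
        skip && NF == 0 { skip = 0 }   # blank line ends it
        !skip                          # print everything else
    '
}

# Count users currently allowed to connect (stdin = server config).
count_peers() {
    grep -c '^\[Peer\]' || true
}

# --- demo with constructed placeholder keys (not real keys) -------------
SERVER_PRIV="SERVERPRIVATEKEYPLACEHOLDER0000000000000000="
SERVER_PUB="SERVERPUBLICKEYPLACEHOLDER00000000000000000="
ALICE_PRIV="ALICEPRIVATEKEYPLACEHOLDER00000000000000000="
ALICE_PUB="ALICEPUBLICKEYPLACEHOLDER000000000000000000="
BOB_PUB="BOBPUBLICKEYPLACEHOLDER00000000000000000000="

build_demo_server() {
    server_interface "$SERVER_PRIV"
    server_peer alice "$ALICE_PUB" 10.8.0.2
    server_peer bob   "$BOB_PUB"   10.8.0.3
}

echo "### /etc/wireguard/wg0.conf (server)"
build_demo_server
echo
echo "### alice.conf (client)"
client_conf "$ALICE_PRIV" 10.8.0.2 "$SERVER_PUB"
echo
echo "### server after revoking alice"
build_demo_server | remove_peer alice
```

On a real host the configs go to /etc/wireguard/wg0.conf with mode 0600, and the real keys come from gen_keypair rather than the placeholders. After editing the server file a revocation can be applied without dropping other users' sessions with `wg set wg0 peer <pubkey> remove` (or by re-syncing the file into the running interface); restarting the interface is not required.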

