Libreswan upstream has recently added support for activation via a management socket and we'd like to use it for Fedora 24 IPSec VPN support. It will activate the libreswan IPSec/IKE management daemon as soon as the user activates an IPSec VPN network and won't impact installations where IPSec is not used or libreswan is not installed. Currently, to achieve the same effect, NetworkManager checks whether the service is started and starts a private instance if not, and that's just not nice. Please add the following to the preset policy file:

# IPSec management
enable pluto.socket
Is my understanding correct that with pluto.socket enabled in presets, after installation of the package, anyone connecting to the socket will activate the daemon?
This is an internal-only socket, correct? It's not exposing a network port. Is this useful for all Editions of Fedora or is this more Workstation-targeted? (This is needed to explain whether it belongs in the common presets or the Edition-specific ones.)
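The two questions raised so far (what the preset line in the report actually does, and whether the socket is internal-only) can both be checked mechanically. The script below is an added example, not code from the bug thread, libreswan or fedora-release: `preset_action` resolves a unit name against a systemd preset file (first matching line wins, patterns are shell globs, as in systemd.preset(5)), and `socket_unit_is_local` classifies the `Listen*` directives of a `.socket` unit as AF_UNIX (path or abstract name) versus network address. Every file it reads is a constructed sample written by `write_samples`; in particular the `pluto.socket` contents and the `/run/pluto/pluto.ctl` path are assumptions for illustration, not the unit libreswan ships.

```shell
#!/bin/sh
# Added example (not from the bug thread, not libreswan's or Fedora's code).
# All file contents written by write_samples are CONSTRUCTED samples; the real
# pluto.socket shipped by libreswan may use a different path or options.

# Print the preset action ("enable"/"disable") that PRESET_FILE assigns to UNIT,
# or "nomatch" if no line matches (systemd's fallback for that case is not
# modelled here). First matching line wins, as in systemd.preset(5).
preset_action() {
    preset_file="$1"
    unit="$2"
    # Read from the file directly, not through a pipe, so 'return' leaves the function.
    while read -r action pattern _; do
        case "$action" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        # Unquoted $pattern is glob-matched against the unit name.
        case "$unit" in
            $pattern) echo "$action"; return 0 ;;
        esac
    done < "$preset_file"
    echo "nomatch"
    return 0
}

# Exit 0 if every ListenStream/ListenDatagram/ListenSequentialPacket value in
# UNIT_FILE is a filesystem path (/...) or abstract socket name (@...); exit 1
# if any is a network address. Other Listen* kinds (FIFO, Netlink, ...) are ignored.
socket_unit_is_local() {
    unit_file="$1"
    values=$(grep -E '^Listen(Stream|Datagram|SequentialPacket)=' "$unit_file" | sed 's/^[^=]*=//')
    [ -n "$values" ] || { echo "$unit_file: no stream/datagram Listen directives"; return 1; }
    result=0
    # A for-loop (not a pipe) so 'result' survives; the values contain no whitespace.
    for value in $values; do
        case "$value" in
            /*|@*) echo "local:   $value" ;;
            *)     echo "network: $value"; result=1 ;;
        esac
    done
    return $result
}

# Write the constructed sample files into a temp dir and print its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/90-sample.preset" <<'EOF'
# CONSTRUCTED preset excerpt mirroring the request in the bug
# IPSec management
enable pluto.socket
disable *
EOF
    cat > "$dir/pluto.socket" <<'EOF'
# CONSTRUCTED sample unit, not the file libreswan ships
[Unit]
Description=IPsec control socket (constructed sample)

[Socket]
ListenStream=/run/pluto/pluto.ctl
SocketMode=0600

[Install]
WantedBy=sockets.target
EOF
    cat > "$dir/exposed.socket" <<'EOF'
# CONSTRUCTED counter-example: a socket unit that would expose a network port
[Socket]
ListenStream=0.0.0.0:8080
EOF
    echo "$dir"
}

# Stand-alone run: show both checks on the samples.
d=$(write_samples)
echo "pluto.socket preset action: $(preset_action "$d/90-sample.preset" pluto.socket)"
socket_unit_is_local "$d/pluto.socket" && echo "pluto.socket: local only"
socket_unit_is_local "$d/exposed.socket" || echo "exposed.socket: NOT local only"
rm -rf "$d"
```

On a real system the same classification can be read from `systemctl show <unit>.socket` (the `Listen=` property), and `systemctl preset <unit>` applies whatever `preset_action` would report; the point of the script is that both answers are derivable from files, so a reviewer of a preset change does not have to take "it's internal-only" on trust.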
> Is this useful for all Editions of Fedora or is this more
> Workstation-targeted? (This is needed to explain whether it belongs in the
> common presets or the Edition-specific ones).

IPSEC VPNs are often used server to server in corp networks or even cloud to cloud and all sorts of other combos, so I would have thought there was potential for all.
(In reply to Peter Robinson from comment #3)

> > Is this useful for all Editions of Fedora or is this more
> > Workstation-targeted? (This is needed to explain whether it belongs in the
> > common presets or the Edition-specific ones).
>
> IPSEC VPNs are often used server to server in corp networks or even cloud to
> cloud and all sorts of other combos so I would have thought there was
> potential for all

I wasn't sure if that was the case or if such VPNs happened at the router level. I have no problem putting it in the global presets. I just wanted to be able to point to a reason why.
> I wasn't sure if that was the case or if such VPNs happened at the router
> level. I have no problem putting it in the global presets. I just wanted to
> be able to point to a reason why.

It depends on the use case. A lot of banking and sites like PCI-DSS (Payment Card Industry Data Security Standard) require host to host encryption. IPSEC can use opportunistic encryption [1], which is supported by at least some (maybe all) of the *SWAN implementations.

[1] https://en.wikipedia.org/wiki/Opportunistic_encryption
(In reply to Stephen Gallagher from comment #2)

> This is an internal-only socket, correct? It's not exposing a network, port.
>
> Is this useful for all Editions of Fedora or is this more
> Workstation-targeted? (This is needed to explain whether it belongs in the
> common presets or the Edition-specific ones).

I guess for server installations the sysadmin would like to enable the service also for non-user-initiated connections. Therefore they're expected to "systemctl enable ipsec" anyway.

Since we don't do server connections with the NetworkManager plugin (yet), I'm fine with having this enabled just for the Workstation edition.
(In reply to Lubomir Rintel from comment #6)

> I guess for server installations the sysadmin would like to enable the
> service also for non-user initiated connections. Therefore they're expected
> to "systemctl enable ipsec" anyway.
>
> Since we don't do server connections with the NetworkManager plugin (yet),
> I'm fine with having this enabled just for the Workstation edition.

I'm not sure I'm reading this correctly. Are you saying "it's not valuable for Server" or "Server should/must not enable this socket by default"?

If it's not valuable but not harmful, I may put this in the global defaults anyway (so non-Workstation DE spins get it too).
(In reply to Stephen Gallagher from comment #7)

> (In reply to Lubomir Rintel from comment #6)
> > I guess for server installations the sysadmin would like to enable the
> > service also for non-user initiated connections. Therefore they're expected
> > to "systemctl enable ipsec" anyway.
> >
> > Since we don't do server connections with the NetworkManager plugin (yet),
> > I'm fine with having this enabled just for the Workstation edition.
>
> I'm not sure I'm reading this correctly. Are you saying "it's not valuable
> for Server" or "Server should/must not enable this socket by default"?
>
> If it's not valuable but not harmful, I may put this in the global defaults
> anyway (so non-Workstation DE spins get it too).

I meant to say "It's not valuable".
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Sorry for the long silence. This fell off my radar. Submitted https://pagure.io/fedora-release/pull-request/52 for Fedora 25.