Bug 1276285 - Please add pluto.socket to default presets
Status: CLOSED CURRENTRELEASE
Product: Fedora
Component: fedora-release
Version: 24
Assigned To: Stephen Gallagher
Reported: 2015-10-29 07:00 EDT by Lubomir Rintel
Modified: 2016-12-02 12:52 EST
Last Closed: 2016-12-02 12:52:02 EST
Doc Type: Bug Fix
Type: Bug

Description Lubomir Rintel 2015-10-29 07:00:07 EDT
Libreswan upstream has added support for activation via management socket recently and we'd like to use it for Fedora 24 IPSec VPN support.

It will activate the libreswan IPSec/IKE management daemon as soon as the user activates an IPSec VPN network and won't impact installations where IPSec is not used or libreswan is not installed.

Currently, to achieve the same effect, NetworkManager checks whether the service is started and starts a private instance if not, and that's just not nice.

Please add the following to the preset policy file.

# IPSec management
enable pluto.socket
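The request above relies on how systemd preset policy is evaluated: `systemctl preset` walks the preset files in order and the first line whose glob matches the unit name decides between enable and disable, with a trailing `disable *` (as Fedora's default policy ends) catching everything else. The script below is an added example, not code from this bug, fedora-release or libreswan; it constructs two small preset files in a temp directory (the first echoes the lines requested above plus a catch-all, the second has no catch-all) and evaluates them with a POSIX-sh reimplementation of that first-match rule. The default of "enable" when no line matches is what systemd-preset(5) documents.

```shell
#!/bin/sh
# Added example: first-match evaluation of a systemd preset policy.
# Not the real Fedora preset files; both files below are constructed for the demo.

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed policy in the shape of Fedora's: specific enables, then a catch-all disable.
PRESET_FILE="$WORKDIR/90-default.preset"
cat > "$PRESET_FILE" <<'EOF'
# IPSec management
enable pluto.socket
enable NetworkManager.service
disable *
EOF

# Constructed policy with no catch-all line at all.
PRESET_NO_CATCHALL="$WORKDIR/50-partial.preset"
cat > "$PRESET_NO_CATCHALL" <<'EOF'
enable pluto.socket
EOF

# preset_action FILE UNIT -> prints "enable" or "disable".
# The first non-comment line whose glob matches UNIT wins; if nothing matches,
# systemd's documented default is to enable the unit.
preset_action() {
    file="$1"; unit="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        action="${line%% *}"              # "enable" / "disable"
        pattern="${line#* }"              # the unit glob, e.g. "pluto.socket" or "*"
        # $pattern is deliberately unquoted so the shell treats it as a glob.
        case "$unit" in
            $pattern) printf '%s\n' "$action"; return 0 ;;
        esac
    done < "$file"
    printf 'enable\n'                     # no matching line: systemd enables by default
}

# Show what each policy decides for a few unit names.
for unit in pluto.socket ipsec.service NetworkManager.service; do
    printf '%-26s catch-all policy: %-8s partial policy: %s\n' "$unit" \
        "$(preset_action "$PRESET_FILE" "$unit")" \
        "$(preset_action "$PRESET_NO_CATCHALL" "$unit")"
done
```

The point for the bug: with a catch-all `disable *` in place, only units explicitly listed (here `pluto.socket`) are enabled, so adding the requested line is what turns on socket activation after package installation, and nothing else changes. Real preset lines may also carry several globs on one line; the example handles the one-glob form used in this bug.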
Comment 1 Zbigniew Jędrzejewski-Szmek 2015-10-29 08:16:27 EDT
Is my understanding correct that with pluto.socket enabled in presets, after installation of the package, anyone connecting to the socket will activate the daemon?
Comment 2 Stephen Gallagher 2015-10-29 08:38:59 EDT
This is an internal-only socket, correct? It's not exposing a network port.

Is this useful for all Editions of Fedora or is this more Workstation-targeted? (This is needed to explain whether it belongs in the common presets or the Edition-specific ones).
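The question in the comment above, whether a socket unit is internal-only or binds a network port, can be answered from the unit file itself: a `ListenStream=`/`ListenDatagram=`/`ListenSequentialPacket=` value that starts with `/` is an AF_UNIX filesystem socket and one that starts with `@` is an abstract-namespace AF_UNIX socket, while a bare port, `host:port` or `[addr]:port` value binds a network port (systemd.socket(5)). The script below is an added example, not code from this bug or from libreswan; it constructs three placeholder socket units (the paths and the port are made up for the demo, not libreswan's real values) and classifies each one.

```shell
#!/bin/sh
# Added example: classify a socket unit as local-only or network-exposed
# from its Listen* directives. Unit files below are constructed placeholders.

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed: a management socket on a filesystem path (placeholder path).
LOCAL_UNIT="$WORKDIR/example-local.socket"
cat > "$LOCAL_UNIT" <<'EOF'
[Unit]
Description=Example management socket (constructed)

[Socket]
ListenStream=/run/example/control.sock
SocketMode=0600

[Install]
WantedBy=sockets.target
EOF

# Constructed: a unit that binds a TCP port on all interfaces (placeholder port).
NET_UNIT="$WORKDIR/example-net.socket"
cat > "$NET_UNIT" <<'EOF'
[Socket]
ListenStream=0.0.0.0:12345
EOF

# Constructed: a unit with no Listen* lines at all.
EMPTY_UNIT="$WORKDIR/example-empty.socket"
printf '[Socket]\nAccept=no\n' > "$EMPTY_UNIT"

# socket_exposure FILE -> prints "local" if every Listen* address is an AF_UNIX
# path or abstract socket, "network" if any address binds a port, "none" if the
# unit has no Listen* directive of these kinds.
socket_exposure() {
    file="$1"; result=local; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ListenStream=*|ListenDatagram=*|ListenSequentialPacket=*) ;;
            *) continue ;;                 # other keys (SocketMode, Accept, ...) are irrelevant here
        esac
        found=1
        addr="${line#*=}"
        case "$addr" in
            /*|@*) ;;                      # filesystem path or abstract name: AF_UNIX, no port
            *) result=network ;;           # "port", "host:port", "[addr]:port": a bound network port
        esac
    done < "$file"
    [ "$found" -eq 1 ] || result=none
    printf '%s\n' "$result"
}

for unit in "$LOCAL_UNIT" "$NET_UNIT" "$EMPTY_UNIT"; do
    printf '%s: %s\n' "$(basename "$unit")" "$(socket_exposure "$unit")"
done
```

For a real installed unit the same function can be pointed at the output of `systemctl cat <name>.socket` saved to a file, which includes any drop-in overrides; a socket that is local-only still deserves a look at its `SocketMode=`/`SocketUser=` settings, since those decide which local users can trigger the activation the first comment asks about.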
Comment 3 Peter Robinson 2015-10-29 08:43:07 EDT
> Is this useful for all Editions of Fedora or is this more
> Workstation-targeted? (This is needed to explain whether it belongs in the
> common presets or the Edition-specific ones).

IPSEC VPNs are often used server to server in corp networks, or even cloud to cloud and all sorts of other combos, so I would have thought there was potential for all.
Comment 4 Stephen Gallagher 2015-10-29 08:48:02 EDT
(In reply to Peter Robinson from comment #3)
> > Is this useful for all Editions of Fedora or is this more
> > Workstation-targeted? (This is needed to explain whether it belongs in the
> > common presets or the Edition-specific ones).
> 
> IPSEC VPNs are often used server to server in corp networks or even cloud to
> cloud and all sorts of other combos so I would have thought there was
> potential for all

I wasn't sure if that was the case or if such VPNs happened at the router level. I have no problem putting it in the global presets. I just wanted to be able to point to a reason why.
Comment 5 Peter Robinson 2015-10-29 08:55:54 EDT
> I wasn't sure if that was the case or if such VPNs happened at the router
> level. I have no problem putting it in the global presets. I just wanted to
> be able to point to a reason why.

It depends on the use case. A lot of banking and sites like PCI-DSS (Payment Card Industry Data Security Standard) require host to host encryption. IPSEC can use opportunistic encryption [1], which is supported by at least some (maybe all) of the *SWAN implementations.

[1] https://en.wikipedia.org/wiki/Opportunistic_encryption
Comment 6 Lubomir Rintel 2015-10-29 09:11:07 EDT
(In reply to Stephen Gallagher from comment #2)
> This is an internal-only socket, correct? It's not exposing a network, port.
> 
> Is this useful for all Editions of Fedora or is this more
> Workstation-targeted? (This is needed to explain whether it belongs in the
> common presets or the Edition-specific ones).

I guess for server installations the sysadmin would like to enable the service also for non-user initiated connections. Therefore they're expected to "systemctl enable ipsec" anyway.

Since we don't do server connections with the NetworkManager plugin (yet), I'm fine with having this enabled just for the Workstation edition.
Comment 7 Stephen Gallagher 2015-10-29 10:16:47 EDT
(In reply to Lubomir Rintel from comment #6)
> I guess for server installations the sysadmin would like to enable the
> service also for non-user initiated connections. Therefore they're expected
> to "systemctl enable ipsec" anyway.
> 
> Since we don't do server connections with the NetworkManager plugin (yet),
> I'm fine with having this enabled just for the Workstation edition.

I'm not sure I'm reading this correctly. Are you saying "it's not valuable for Server" or "Server should/must not enable this socket by default"?

If it's not valuable but not harmful, I may put this in the global defaults anyway (so non-Workstation DE spins get it too).
Comment 8 Lubomir Rintel 2015-10-29 10:30:23 EDT
(In reply to Stephen Gallagher from comment #7)
> (In reply to Lubomir Rintel from comment #6)
> > I guess for server installations the sysadmin would like to enable the
> > service also for non-user initiated connections. Therefore they're expected
> > to "systemctl enable ipsec" anyway.
> > 
> > Since we don't do server connections with the NetworkManager plugin (yet),
> > I'm fine with having this enabled just for the Workstation edition.
> 
> I'm not sure I'm reading this correctly. Are you saying "it's not valuable
> for Server" or "Server should/must not enable this socket by default"?
> 
> If it's not valuable but not harmful, I may put this in the global defaults
> anyway (so non-Workstation DE spins get it too).

I meant to say "It's not valuable".
Comment 9 Jan Kurik 2016-02-24 08:53:08 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 10 Stephen Gallagher 2016-07-20 11:01:22 EDT
Sorry for the long silence. This fell off my radar.

Submitted https://pagure.io/fedora-release/pull-request/52 for Fedora 25.
