strongSwan gotcha


TL;DR: Don't use strongSwan, use WireGuard instead. Seriously. You've been warned by Linux creator Linus Torvalds himself.

Still here? Wow. Okay, you must really be intent on using strongSwan for whatever reason. In that case, use Algo or Digital Ocean's guide or IKEv2-setup or this gist or some random guy or Gyp the Cat.

What do all of these have in common? They're all wrong.

Okay, perhaps "wrong" is a strong word. They're all deprecated.

Yep, they all lead you down a dead-end road -- configuration and tools that will no longer be available at some point in the future. But why would they do that? Why not use the latest recommendation from the source? Well, frankly, strongSwan stinks at change management.

Perhaps an allegory is in order. Python is the second most popular programming language in the world. With so many fans, open source projects, and coding samples floating around the Internet, it would be easy to learn, right? Not so fast. You download the latest version of Python (3.x) and some code off the Internet and try to run it, but it doesn't work. Why? Well, the code was written for Python 2.x. That's odd, you think, Python 2 has been deprecated since 2008. Why would this fairly recent code example use Python 2? Well, it turns out people don't like change, and when nice people decide not to force them you end up with a split environment, with half using the new way and half using the old way for 12 years! All that time "wrong way" code samples are created and proliferated, diluting the "right way" examples and making them harder to find.

strongSwan has sadly decided to repeat Python's history because few wanted to depart from the old way of doing things (ipsec/stroke, deprecated in 2016). So what did strongSwan do? Instead of launching a public education campaign and making the new way easier and simpler, they buried the deprecation notice in tiny font at the bottom of their documentation page, continued to publish the old-style configuration (sometimes listing the old way above the new way), and released a confusing transition guide. Ironically, their new IKEv2 and other examples are actually surprisingly good, but you just can't find them in the sea of old, deprecated information :(

Rule of thumb: if a guide says to create an ipsec.conf file (the ipsec/stroke way), it's deprecated; if the guide says to create a swanctl.conf file, it's modern.
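To make the rule of thumb concrete, here is the same IKEv2 server connection (certificate-authenticated server, EAP-MSCHAPv2 clients, a virtual IP pool) written once in the deprecated ipsec.conf style and once in the modern swanctl.conf style. This is an added illustration, not configuration taken from this post or from any of the linked guides; the connection name, host name vpn.example.com, certificate file name, pool range, user name and cipher proposals are placeholders chosen for the example, and the private key and certificate are assumed to already sit in /etc/swanctl/private/ and /etc/swanctl/x509/ for the swanctl version.

```conf
# --- DEPRECATED style: /etc/ipsec.conf (loaded by the ipsec/stroke interface) ---
# conn ikev2-vpn
#     auto=add
#     keyexchange=ikev2
#     left=%any
#     leftid=@vpn.example.com          # placeholder host name
#     leftcert=server.pem              # placeholder certificate file
#     leftsubnet=0.0.0.0/0
#     right=%any
#     rightauth=eap-mschapv2
#     rightsourceip=10.10.10.0/24      # placeholder pool
#     eap_identity=%identity
#
# plus /etc/ipsec.secrets:
#     : RSA server.key
#     alice : EAP "example-password"   # placeholder credential

# --- MODERN style: /etc/swanctl/swanctl.conf (loaded with `swanctl --load-all`) ---
connections {
    ikev2-vpn {
        version = 2                         # IKEv2 only, no fallback to IKEv1
        proposals = aes256-sha256-x25519    # illustrative IKE proposal
        pools = vpn-pool                    # virtual IPs handed to clients

        local {
            auth = pubkey
            certs = server.pem              # placeholder, from /etc/swanctl/x509/
            id = vpn.example.com            # placeholder host name
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any                   # accept the EAP identity the client sends
        }
        children {
            vpn-child {
                local_ts = 0.0.0.0/0        # full-tunnel: route everything through the VPN
                esp_proposals = aes256gcm16-x25519   # illustrative ESP proposal
            }
        }
    }
}

pools {
    vpn-pool {
        addrs = 10.10.10.0/24               # placeholder pool
    }
}

secrets {
    # EAP credential for one client; the server's private key is picked up
    # automatically from /etc/swanctl/private/ and needs no entry here.
    eap-alice {
        id = alice                          # placeholder user name
        secret = "example-password"         # placeholder credential
    }
}
```

Note that the two styles are not just different syntax: the ipsec.conf version is read by the stroke interface, while the swanctl.conf version is pushed into the daemon over the vici interface with `swanctl --load-all`, and `swanctl --list-conns` then shows what was actually loaded. If a host has both files, only the one matching the interface your init script starts is in effect, which is exactly the kind of silent mismatch the deprecated guides set you up for.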
