authorLucian Cristian <lucian.cristian@gmail.com>2019-04-21 16:47:51 +0300
committerLucian Cristian <lucian.cristian@gmail.com>2019-04-21 16:47:51 +0300
commitb4b98e2922713eebb334f6f5a0a9dcc56c7bcb8a (patch)
tree433af98001c18475bbfcd7c29c8ee1ee4e582902 /net/libreswan/files
parent50e017f7df1331362b2cffc7962f77d8b8498b2f (diff)
libreswan: backport deprecating KLIPS
Remove building the kernel module; it is not used and does not work with 4.19. Rework the ready-to-use l2tp-ipsec example. Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
Diffstat (limited to 'net/libreswan/files')
-rw-r--r--net/libreswan/files/ipsec.conf53
-rw-r--r--net/libreswan/files/ipsec.secrets13
2 files changed, 19 insertions, 47 deletions
diff --git a/net/libreswan/files/ipsec.conf b/net/libreswan/files/ipsec.conf
index affa5b0a6..8b7493b86 100644
--- a/net/libreswan/files/ipsec.conf
+++ b/net/libreswan/files/ipsec.conf
@@ -1,46 +1,25 @@
-# /etc/ipsec.conf - Libreswan IPsec configuration file
-#
-# see 'man ipsec.conf' and 'man pluto' for more information
-#
-# For example configurations and documentation, see https://libreswan.org/wiki/
-
config setup
- # Normally, pluto logs via syslog.
- #logfile=/var/log/pluto.log
- #
- # Do not enable debug options to debug configuration issues!
- #
- # plutodebug="control parsing"
- # plutodebug="all crypt"
- plutodebug=none
- #
- # NAT-TRAVERSAL support
- # exclude networks used on server side by adding %v4:!a.b.c.0/24
- # It seems that T-Mobile in the US and Rogers/Fido in Canada are
- # using 25/8 as "private" address space on their wireless networks.
- # This range has never been announced via BGP (at least up to 2015)
- virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-
-# if it exists, include system wide crypto-policy defaults
-# include /etc/crypto-policies/back-ends/libreswan.config
-
-# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
-
-conn L2TP-PSK-NAT
- rightsubnet=vhost:%priv
- also=L2TP-PSK-noNAT
+ # needed when using PSK only. Not needed for X.509 based servers
+ uniqueids=no
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24
-conn L2TP-PSK-noNAT
+conn ikev1
authby=secret
pfs=no
auto=add
- keyingtries=8
- ikelifetime=8h
- keylife=1h
+ rekey=no
+ left=%defaultroute
+ right=%any
+ ikev2=never
type=transport
- left=A.B.C.D
leftprotoport=17/1701
- right=%any
rightprotoport=17/%any
+ dpddelay=15
+ dpdtimeout=30
+ dpdaction=clear
+
+conn ikev1-nat
+ also=ikev1
+ rightsubnet=vhost:%priv
-include /etc/ipsec.d/*.conf \ No newline at end of file
+# include /etc/ipsec.d/*.conf
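Review bot: The new `virtual_private` line under `config setup` carries an unexplained `%v4:!100.64.0.0/24` exclusion and drops the `%v6:` ranges, while the old comment explaining how and why to exclude server-side networks (`%v4:!a.b.c.0/24`) was removed. Anyone copying this example must adapt that `!` entry to their own server-side subnet, which is presumably what 100.64.0.0/24 is here (I can't confirm that from the hunk), so a comment such as `# exclude networks used on the server side with %v4:!a.b.c.0/24; adjust 100.64.0.0/24 to your local subnet` should go above the line. Likewise `pfs=no` and `ikev2=never` in `conn ikev1` look like compatibility settings for stock L2TP clients; a one-line comment saying so would stop readers from either "fixing" them or copying them into connections that do not need them. The file header that pointed at `man ipsec.conf` was dropped as well; keeping one line of that would help.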
diff --git a/net/libreswan/files/ipsec.secrets b/net/libreswan/files/ipsec.secrets
index a43754ca9..5ef87b09c 100644
--- a/net/libreswan/files/ipsec.secrets
+++ b/net/libreswan/files/ipsec.secrets
@@ -1,17 +1,10 @@
-# This file holds shared secrets (PSK) and XAUTH user passwords used for
-# authentication. See pluto(8) manpage or the libreswan website.
-
# Unlike older openswan, this file does NOT contain any X.509 related
# information such as private key :RSA statements as these now reside
# in the NSS database. See:
#
# https://libreswan.org/wiki/Using_NSS_with_libreswan
# https://libreswan.org/wiki/Migrating_from_Openswan
-#
-# The preferred method for adding secrets is to create a new file in
-# the /etc/ipsec.d/ directory, so it will be included via the include
-# line below
-
-#A.B.C.D %any : PSK "SsEeCcRrEeTt"
-include /etc/ipsec.d/*.secrets
+# A.B.C.D %any : PSK "SsEeCcRrEeTt"
+: PSK "SsEeCcRrEeTt"
+# include /etc/ipsec.d/*.secrets
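Review bot: The added `: PSK "SsEeCcRrEeTt"` is a live wildcard secret — no ID selectors before the colon — so as shipped, the `right=%any` connection in ipsec.conf will authenticate any peer that presents this published placeholder key, whereas the previous file only carried it as a commented example. A default secrets file should not contain a usable key: keep the line commented out, or at least put `# Replace with a long random PSK before enabling this line; the example value is public` directly above it. Since the wildcard form applies to every `authby=secret` connection, a comment stating it is meant for the `%any` L2TP peers would also help readers. The `include /etc/ipsec.d/*.secrets` line is now commented out too, so secrets dropped into that directory are no longer read; if that is deliberate, a one-line note on where per-peer secrets should go now would avoid surprises.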