[Pkg-swan-devel] Bug#1098714: Bug#1098714: strongswan-starter should depends on strongswan-charon

Yves-Alexis Perez corsac at debian.org
Mon Feb 24 08:21:25 GMT 2025



On Sun, 2025-02-23 at 17:55 +0900, Jongmin Kim wrote:
> When I run the command: "ipsec start", it fails to locate the necessary
> binary.
> 
>     $ ipsec start
>     IKE daemon '/usr/lib/ipsec/charon' not found
> 
> [...]
> Please forgive me if I am mistaken, as I do not fully understand the
> context of these packages.

Hi, thanks for the report, it's likely related to the packaging changes in
6.0.0-1/6.0.0-2 which made strongswan-swanctl and charon-systemd the default
choices for strongswan metapackage. The NEWS entry should have alerted people
about that but there might still be fallouts.

Things are a bit complicated in strongSwan to be honest.

First we have multiple charon daemons:
- /usr/lib/ipsec/charon which is the historical charon daemon, controlled
through the ipsec(8) command (in the strongswan-starter package) and the
stroke plugin, configured via /etc/ipsec.conf and is in the strongswan-charon
package
- /usr/sbin/charon-systemd which is a newer charon daemon, controlled through
the swanctl(8) command (in the strongswan-swanctl package) and the VICI
plugin, configured via /etc/swanctl.conf and is in the charon-systemd package
- /usr/sbin/charon-cmd which is a newer charon daemon intended to be used and
configured directly from the command line and is in the charon-cmd package
- /usr/lib/ipsec/charon-nm which is intended to be used and controlled via
network-manager and is in the strongswan-nm package

strongswan-charon depended on strongswan-starter and I wrongly updated that
dependency in 6.0.0-1 to strongswan-swanctl. I'll revert that in -3. In
reverse, strongswan-starter Recommends: the strongswan-charon package because
it doesn't really make sense to have the ipsec command and no daemon to
control it. But obviously we can't have the two circular dependencies.

I hope it's more clear for you (and the other people reading this bug report
later on).

As a side note and as indicated by the NEWS entry, you're still encouraged to
migrate from the ipsec.conf (and ipsec(8) and /usr/lib/charon) to the
swanctl.conf way. Just pull the strongswan metapackage and you should be good
to start the transition to the configuration.

Regards,
-- 
Yves-Alexis
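Added example (not part of the original message or of the Debian packaging): a shell check for the situation in this report, a control tool installed without the charon daemon it drives. The daemon paths and package names come from the message above; the control-tool paths /usr/sbin/ipsec and /usr/sbin/swanctl and the optional root-prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: pair each strongSwan control tool with the charon daemon
# it controls and flag a tool whose daemon binary is missing.
# Daemon paths and package names: from the message above.
# Control-tool paths (/usr/sbin/ipsec, /usr/sbin/swanctl): assumed.

# check_charon_pairs [ROOT]
# ROOT is an optional filesystem prefix (hypothetical parameter, useful for
# a chroot, an unpacked image, or a test tree). Prints one line per pair and
# returns the number of control tools that have no daemon to control.
check_charon_pairs() {
    root=${1:-}
    orphans=0
    # Row format: tool|tool package|daemon|daemon package
    while IFS='|' read -r tool tool_pkg daemon daemon_pkg; do
        if [ ! -x "$root$tool" ]; then
            # Control tool not installed, so nothing can be orphaned.
            echo "absent: $tool ($tool_pkg not installed)"
        elif [ -x "$root$daemon" ]; then
            echo "ok: $tool -> $daemon"
        else
            # Same condition that makes "ipsec start" report the daemon
            # as not found.
            echo "orphan: $tool has no $daemon; install $daemon_pkg"
            orphans=$((orphans + 1))
        fi
    done <<EOF
/usr/sbin/ipsec|strongswan-starter|/usr/lib/ipsec/charon|strongswan-charon
/usr/sbin/swanctl|strongswan-swanctl|/usr/sbin/charon-systemd|charon-systemd
EOF
    return "$orphans"
}

# Usage after sourcing this file:
#   check_charon_pairs            # inspect the running system
#   check_charon_pairs /mnt/root  # inspect a mounted tree (constructed path)
```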


