[Pkg-swan-devel] Bug#1116662: strongswan-starter: Existing SysV init script ignores new config format
Andrew Bower
andrew at bower.uk
Tue Sep 30 08:27:53 BST 2025
Hi Luigi,
Observation from a non-user here:
On Tue, Sep 30, 2025 at 08:34:43AM +0200, Yves-Alexis Perez wrote:
> On Mon, 2025-09-29 at 21:51 +0000, Luigi Baldoni wrote:
> > Since then, strongswan has deprecated the old ipsec.conf format in favour
> > of swanctl.conf. The systemd scripts launch the daemon first and then invoke
> > swanctl to load the new-style configuration, but the existing
> > /etc/init.d/ipsec
> > does not.
> >
> > Other non-systemd distributions (e.g. openwrt and alpine) use separate
> > launchers
> > to leave users the choice, upstream systemd seems to do it the new way only,
> > but I haven't delved too much into it.
>
> Hi Luigi,
>
> I'm not sure I understand your problem.
>
> If you want to use the "legacy" ipsec.conf, use strongswan-charon and
> strongswan-starter.
>
> If you want to use the "new" swanctl.conf, use strongswan-swanctl and charon-
> systemd (and yes that means using systemd launcher).
If you do want to use the new configs, the charon-systemd looks like it
could do the job of starting the daemon (you can get
start-stop-daemon(8) to background the process and wait for the
sd_notify() response) but for one thing: the logging is set up to use
journald.
I reckon the best approach (if you want to use the new config) is to
extend charon-systemd to have an option to log to syslog. As a bonus, an
option to log to stdout or stderr would be great for 'supervisor'-style
inits like runit. I say extend rather than fork because I think the last
thing this daemon needs is another startup program, although since it
currently takes zero options upstream might like a solution that used
argv[0] to vary the behaviour. Or they might not. It's pretty normal to
be able to vary these things on the command line.
> The `strongswan` metapackage used to depend on the former set, now on the
> latter.
Hope this helps!
An initscript like the following might do the job but, as I said above,
the application is not quite ready for this to be used:
#!/bin/sh /lib/init/init-d-script
### BEGIN INIT INFO
# Provides:          strongswan
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
# Description:       The strongSwan VPN suite uses the native IPsec stack
#                    in the standard Linux kernel. It supports both the
#                    IKEv1 and IKEv2 protocols.
### END INIT INFO

# Start the systemd-flavoured daemon directly; init-d-script supplies the
# default pidfile (/var/run/$NAME.pid) and the start-stop-daemon wrapper.
DAEMON=/usr/sbin/charon-systemd
NAME=strongswan
DESC="strongSwan IPSec daemon"

# Extra start-stop-daemon arguments: detach the daemon, write its pidfile
# for us, and block until it reports READY=1 via sd_notify(3) so that
# swanctl does not race against a daemon that is not yet listening.
START_ARGS="--background --make-pidfile --notify-await"

# init-d-script calls do_start_cmd_override in place of its own
# do_start_cmd when it is defined. Only load the swanctl.conf
# configuration once the daemon has actually started.
do_start_cmd_override() {
	do_start_cmd && swanctl --load-all --noprompt
}

# Ask the daemon to re-read its strongswan.conf, then re-load all
# swanctl.conf sections (connections, pools, credentials, etc.).
do_reload_cmd() {
	swanctl --reload
	swanctl --load-all --noprompt
}