So I just upgraded to Fedora 33. ipsec-tools rpm is gone. Toast. Ok. But it also takes with it setkey, which I use to set up the odd VPN using integrated Linux ipsec based on my /etc/ipsec.conf file. I've been using that for at least a decade.
Ok, fine, so I have to figure out how else to load my VPN rules into the kernel using stock Fedora tools. (Maybe racoon2....)
But here's the mystery: after rebooting the box into F33, it's still connected on a VPN to a F32 box. Even though setkey is missing!! What on earth is loading my ipsec.conf rules on boot into the kernel?
(Strongswan is also on the box, but it's completely deactivated at the moment. It too looks at ipsec.conf (sometimes). Systemd has it completely ignored (not in any target/wants) and it's not running any daemons. And no, this box doesn't have racoon2 on it (yet).)
It's almost as though the kernel itself is reading the file, but that can't be?? Or the kernel saves the pre-reboot ipsec setup then reloads it? But I can't find any file that it could go in? And that doesn't make sense anyhow vis-à-vis the separation of kernel and userspace.
I'm completely stumped. There should be no VPN working, but there it is, with me pinging boxes over the tunnel. Very strange... And I can't see any way to read the ipsec spd entries, since setkey did that also! So it's in there but no way to configure it on the fly and no way to see what's configured?
If anyone knows any way to see into the kernel's ipsec setup using /proc or /sys files, let me know! I couldn't find anything relevant in there, not with a filename you'd expect.
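Editor's added example, not part of the original post: the kernel's IPsec policy database (SPD) and security association database (SAD) are exposed through netlink, and the stock iproute2 package provides `ip xfrm policy` and `ip xfrm state` to dump them, with no dependency on ipsec-tools or setkey. The helper functions and the sample `ip xfrm` output below are constructed for illustration (the key material is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the kernel has
# loaded in its IPsec SPD/SAD using iproute2's `ip xfrm`, which ships on
# stock Fedora and does not need ipsec-tools/setkey.
# Live usage (full SA detail such as keys needs root/CAP_NET_ADMIN):
#   ip xfrm policy | spd_summary
#   ip xfrm state  | sad_count

# Count SPD entries per direction (in/out/fwd) from `ip xfrm policy` output.
# Each policy prints a "dir <in|out|fwd> priority N" line.
spd_summary() {
    awk '$1 == "dir" { n[$2]++ } END { for (d in n) print d, n[d] }' | sort
}

# Count SAD entries from `ip xfrm state` output: each SA starts with a
# column-0 "src A dst B" header ("sel src ..." lines do not match $1).
sad_count() {
    awk '$1 == "src" { c++ } END { print c + 0 }'
}

# Constructed sample of `ip xfrm policy` output: two out, one in, one fwd.
SAMPLE_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
	dir out priority 1000
	tmpl src 192.0.2.1 dst 192.0.2.2
		proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 1000
	tmpl src 192.0.2.2 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir fwd priority 1000
	tmpl src 192.0.2.2 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
	dir out priority 1000
	tmpl src 192.0.2.1 dst 192.0.2.3
		proto esp reqid 2 mode tunnel'

# Constructed sample of `ip xfrm state` output: one SA in each direction.
SAMPLE_STATE='src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0x0000000a reqid 1 mode tunnel
	replay-window 32
	auth-trunc hmac(sha256) 0xPLACEHOLDER 128
	enc cbc(aes) 0xPLACEHOLDER
	sel src 10.1.0.0/24 dst 10.2.0.0/24
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0x0000000b reqid 1 mode tunnel
	replay-window 32
	auth-trunc hmac(sha256) 0xPLACEHOLDER 128
	enc cbc(aes) 0xPLACEHOLDER
	sel src 10.2.0.0/24 dst 10.1.0.0/24'
```

Run against the live kernel, an empty SPD and SAD means no tunnel is loaded; a populated one shows exactly which selectors and SAs some userspace component installed at boot.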