Summary
strongSwan's stroke interface (used by the `ipsec` commands and `ipsec.conf`) is officially deprecated in favor of the modern VICI interface (used by `swanctl`). Algo should migrate to the modern interface to stay aligned with upstream development and prepare for future Ubuntu LTS versions.
Background
Current State:
- Algo uses `ipsec.conf` + `ipsec.secrets` (stroke-based configuration)
- Management via `ipsec statusall` and similar stroke-based commands
- Works today, but relies on deprecated interfaces
StrongSwan Direction:
- stroke interface: ❌ Deprecated (maintained for backward compatibility)
- VICI/swanctl interface: ✅ Modern standard (active development focus)
- StrongSwan documentation states stroke "had never been designed to get automated"
Ubuntu LTS Roadmap Impact
| Ubuntu LTS | strongSwan version | Default interface | Status |
|---|---|---|---|
| 20.04 | 5.8.2 | stroke | Current |
| 22.04 | 5.9.5 | stroke | Current |
| 24.04 | 5.9.13 | stroke | Current |
| 26.04 (2026) | ~6.0+ | Likely swanctl | Future risk |
Technical Advantages of VICI/swanctl
- Better Automation: designed for scripting; every `swanctl` action is a request/response over the VICI socket, and `swanctl --list-sas --raw` gives machine-readable output instead of the screen-scraped text of `ipsec statusall`
- Enhanced Security: configuration and credentials are submitted as typed VICI messages and validated by the daemon at load time, rather than parsed from `ipsec.conf` by the separate starter process
- Modern Protocol: the VICI message format is documented and stable, with client bindings shipped by strongSwan (Python, Ruby, Perl) and `swanctl` as the CLI
- Configuration Atomicity: each `swanctl --load-*` call is a discrete, acknowledged request, which avoids the race conditions of starter re-parsing `ipsec.conf` on `ipsec update`/`ipsec reload`
- Future-Proof: all new strongSwan features target VICI first
Migration Scope
Files to Migrate
- `ipsec.conf` → `swanctl.conf`
- `ipsec.secrets` + `ipsec.d/` → the `/etc/swanctl/{private,x509,x509ca}` directory structure loaded by `swanctl --load-creds`
- Client configuration generation templates
- Management/monitoring scripts (Ansible tasks)
- Documentation and user guides
Estimated Effort
- Configuration Templates: 2-3 days
- Client Generation Logic: 1-2 days
- Testing & Validation: 3-4 days
- Documentation Updates: 1 day
- Total: ~1-2 weeks for complete migration
Recommended Implementation Strategy
Phase 1: Preparation (3.0 Release)
```yaml
# Always install swanctl alongside the current stroke interface
- name: Install swanctl for future compatibility
  apt:
    name: strongswan-swanctl
    state: present
```

Both control sockets (`/var/run/charon.ctl` for stroke, `/var/run/charon.vici` for VICI) are Unix-domain sockets, so the hardened systemd unit must keep AF_UNIX in its address-family allow-list or neither management interface works:

```
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX
```
Phase 2: Hybrid Support (3.x)
- Generate both `ipsec.conf` and `swanctl.conf` configurations
- Add swanctl-based management commands alongside stroke
- Provide migration documentation for existing deployments
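The hybrid phase (and the "Files to Migrate" list above) comes down to rendering one connection definition in both formats. The following is an added example for this issue, not Algo's own templates: a single data model for an IKEv2 certificate-authenticated road-warrior connection, rendered as `ipsec.conf`/`ipsec.secrets` (stroke) and as `swanctl.conf` plus the `/etc/swanctl` credential layout (VICI). The key mappings follow strongSwan's ipsec.conf-to-swanctl.conf migration notes; the host name, file names, address pool and proposals are constructed placeholders.

```python
"""Added example for this issue, not Algo's own templates: render one IKEv2
certificate-authenticated road-warrior connection as ipsec.conf/ipsec.secrets
(stroke) and as swanctl.conf plus the /etc/swanctl credential layout (VICI).
Host name, file names, pool and proposals below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoadWarriorConn:
    name: str
    server_id: str       # leftid          -> local.id
    server_cert: str     # leftcert        -> local.certs (file under swanctl/x509/)
    server_key: str      # ipsec.secrets   -> file under swanctl/private/
    ca_cert: str         # ipsec.d/cacerts -> file under swanctl/x509ca/
    pool: str            # rightsourceip   -> pools
    local_ts: str        # leftsubnet      -> children.<name>.local_ts
    ike: str             # ike=            -> proposals
    esp: str             # esp=            -> children.<name>.esp_proposals
    dpd_delay: int = 35  # dpddelay        -> dpd_delay


def render_ipsec_conf(c: RoadWarriorConn) -> str:
    """Stroke-style /etc/ipsec.conf. The trailing '!' marks a strict proposal list."""
    lines = [
        f"conn {c.name}",
        "    keyexchange=ikev2",
        "    left=%any",
        f"    leftid=@{c.server_id}",
        f"    leftcert={c.server_cert}",
        f"    leftsubnet={c.local_ts}",
        "    leftauth=pubkey",
        "    right=%any",
        "    rightauth=pubkey",
        f"    rightsourceip={c.pool}",
        f"    ike={c.ike}!",
        f"    esp={c.esp}!",
        "    dpdaction=clear",
        f"    dpddelay={c.dpd_delay}s",
        "    auto=add",
    ]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(c: RoadWarriorConn) -> str:
    """Stroke-style /etc/ipsec.secrets: the server key must be named explicitly."""
    return f": ECDSA {c.server_key}\n"


def render_swanctl_conf(c: RoadWarriorConn) -> str:
    """VICI-style /etc/swanctl/swanctl.conf for `swanctl --load-all`.
    Proposal lists are strict by definition here, so there is no '!' suffix."""
    pool = f"{c.name}-pool"
    return f"""connections {{
    {c.name} {{
        version = 2
        local_addrs = %any
        remote_addrs = %any
        proposals = {c.ike}
        dpd_delay = {c.dpd_delay}s
        pools = {pool}
        local {{
            auth = pubkey
            id = {c.server_id}
            certs = {c.server_cert}
        }}
        remote {{
            auth = pubkey
        }}
        children {{
            {c.name} {{
                local_ts = {c.local_ts}
                esp_proposals = {c.esp}
                dpd_action = clear
            }}
        }}
    }}
}}
pools {{
    {pool} {{
        addrs = {c.pool}
    }}
}}
"""


def swanctl_credential_layout(c: RoadWarriorConn) -> dict[str, str]:
    """Map legacy ipsec.d files to the directories `swanctl --load-creds` scans.
    Keys, end-entity certs and CA certs are picked up by directory, so no
    secrets stanza is needed for certificate authentication."""
    return {
        f"/etc/ipsec.d/private/{c.server_key}": f"/etc/swanctl/private/{c.server_key}",
        f"/etc/ipsec.d/certs/{c.server_cert}": f"/etc/swanctl/x509/{c.server_cert}",
        f"/etc/ipsec.d/cacerts/{c.ca_cert}": f"/etc/swanctl/x509ca/{c.ca_cert}",
    }


EXAMPLE = RoadWarriorConn(  # constructed placeholder values
    name="ikev2-pubkey", server_id="vpn.example.com", server_cert="server.crt",
    server_key="server.key", ca_cert="cacert.pem", pool="10.19.49.0/24",
    local_ts="0.0.0.0/0,::/0", ike="aes128gcm16-prfsha512-ecp256", esp="aes128gcm16-ecp256",
)

if __name__ == "__main__":
    print(render_ipsec_conf(EXAMPLE), render_ipsec_secrets(EXAMPLE), sep="\n")
    print(render_swanctl_conf(EXAMPLE))
    print(swanctl_credential_layout(EXAMPLE))
```

Two differences worth noticing in the output: the VICI side has no equivalent of the `!` strictness marker because a swanctl proposal list only ever admits what is listed, and the private key disappears from any secrets file because `swanctl --load-creds` picks it up from `/etc/swanctl/private/` by directory. Whatever Algo's real templates end up looking like, both renderings should come from one source of truth so the hybrid phase cannot drift.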
Phase 3: Default Migration (Future)
- Default to swanctl configuration (with stroke fallback option)
- Align with Ubuntu 26.04 LTS expectations
Benefits
- Future-Proofing: Ready for Ubuntu 26.04+ direction
- Better Security: Enhanced validation and permission controls
- Improved Automation: Modern interface designed for scripting
- Reduced Technical Debt: Align with upstream development focus
- Competitive Advantage: Ready when other VPN projects need to catch up
Risks of Delaying
- Ubuntu 26.04 Impact: May be caught off-guard if Ubuntu defaults change
- Upstream Divergence: New StrongSwan features may not support stroke
- Maintenance Burden: Deprecated interfaces become harder to maintain
Implementation Notes
- Both interfaces can coexist during the transition, provided the running charon loads both the `stroke` and `vici` plugins; note that connections loaded from `ipsec.conf` by starter and connections loaded with `swanctl --load-conns` live in separate configuration backends, so `ipsec reload` does not touch the latter and vice versa
- No immediate functionality impact (stroke remains supported upstream: deprecated, not removed)
- Migration can be gradual with user choice
- Maintains Algo's reliability-first approach
Definition of Done
- `strongswan-swanctl` package installed by default
- VICI socket functional (`/var/run/charon.vici`, which requires AF_UNIX in the unit's `RestrictAddressFamilies`)
- swanctl configuration templates created
- Client configuration generation supports swanctl
- Management scripts updated to use swanctl
- Documentation updated with modern interface examples
- Migration guide for existing deployments
- CI/CD tests validate both interfaces work
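The Phase 1 requirement (AF_UNIX kept in the hardened unit) and the "VICI socket functional" / "CI tests validate both interfaces" items above are mechanical checks. The script below is an added example for this issue, not an Algo task: it verifies that the unit's `RestrictAddressFamilies` still allows AF_UNIX, reports which charon control sockets exist, and translates the stroke-era commands Algo's tasks use into their swanctl equivalents. The unit name `strongswan-starter.service` and the socket paths are assumptions based on stock Ubuntu/strongSwan defaults.

```shell
#!/bin/sh
# Added example for this issue (not an Algo script). Assumes Ubuntu defaults:
# the stroke-managed daemon runs as strongswan-starter.service, and charon's
# control sockets live under /var/run (charon.ctl = stroke, charon.vici = VICI).

# Return 0 when a RestrictAddressFamilies= value contains AF_UNIX.
# Both control sockets are Unix-domain sockets, so without AF_UNIX neither
# `ipsec statusall` nor `swanctl --list-sas` can reach the daemon.
# (A leading '~' would mean an inverted list; this helper does not handle it.)
allows_af_unix() {
    for fam in $1; do
        [ "$fam" = "AF_UNIX" ] && return 0
    done
    return 1
}

# Print "stroke" and/or "vici" for the control sockets present under $1.
# Returns 1 when neither socket exists.
control_sockets() {
    dir="${1:-/var/run}"
    found=1
    [ -S "$dir/charon.ctl" ] && { echo stroke; found=0; }
    [ -S "$dir/charon.vici" ] && { echo vici; found=0; }
    return $found
}

# Translate the stroke commands used in Algo's tasks to swanctl equivalents.
# Returns 1 for anything it does not know, so callers notice unmapped commands.
swanctl_equivalent() {
    case "$1" in
        "ipsec statusall")              echo "swanctl --list-sas; swanctl --list-conns" ;;
        "ipsec reload"|"ipsec update")  echo "swanctl --load-all" ;;
        "ipsec rereadsecrets")          echo "swanctl --load-creds" ;;
        "ipsec listcerts")              echo "swanctl --list-certs" ;;
        "ipsec up "*)                   echo "swanctl --initiate --child ${1#ipsec up }" ;;
        "ipsec down "*)                 echo "swanctl --terminate --ike ${1#ipsec down }" ;;
        *) return 1 ;;
    esac
}

main() {
    unit="${1:-strongswan-starter.service}"
    fams=$(systemctl show -p RestrictAddressFamilies --value "$unit" 2>/dev/null)
    if [ -n "$fams" ] && ! allows_af_unix "$fams"; then
        echo "FAIL: $unit restricts address families to '$fams' (no AF_UNIX)" >&2
        exit 1
    fi
    if ! socks=$(control_sockets /var/run); then
        echo "FAIL: no charon control socket under /var/run" >&2
        exit 1
    fi
    echo "control sockets available: $(echo "$socks" | tr '\n' ' ')"
    if swanctl --stats >/dev/null 2>&1; then echo "VICI OK"; else echo "VICI not answering"; fi
}

if [ "${0##*/}" = "check_charon_interfaces.sh" ]; then
    main "$@"
fi
```

Save it as `check_charon_interfaces.sh` and run it on a provisioned host; in CI the same three functions can be exercised against a constructed `RestrictAddressFamilies` value and a temporary socket directory without a running daemon.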
References
- StrongSwan VICI Documentation
- Ubuntu StrongSwan Package Evolution
- Related: recent systemd security hardening work that ensured both interfaces remain functional