Issue #3530

Can I run multiple charon daemons on the Linux host

Added by shivaraj bhat 12 days ago. Updated 8 days ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.9.0
Resolution:

Description

Hi,
Is there a way to run multiple charon daemons on the Linux host?
Suppose I have the strongswan folder in /etc/libexec/strongswan/
I initialize IPsec by running the commands:
- /charon --use-syslog --debug-ike 0 --debug-cfg 0 &
- /usr/sbin/swanctl --load-conns
- /usr/sbin/swanctl --load-creds

Kindly let me know if we can run 2 charon instances with 2 different input swanctl files.

Thanks and Best regards,
Shivaraj. Bhat

History

#1 Updated by Tobias Brunner 12 days ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

> Is there a way to run multiple charon daemons on the Linux host?

First, why would you want to do that?

Running multiple IKE daemons that want to control the same IPsec/network stack is tricky due to potential conflicts (policies, reqids etc.).

You could, however, use network namespaces.

> Kindly let me know if we can run 2 charon instances with 2 different input swanctl files.

You could use different config files and vici sockets.

#2 Updated by shivaraj bhat 10 days ago

We have 2 different sets of outer IPs towards 2 different hosts and we need to maintain 2 different swanctl configs.
So we need to execute 2 independent charon instances for this requirement on a single Linux host.
Kindly let us know how to map a swanctl config file to a charon instance.

#3 Updated by Noel Kuntze 9 days ago

You can do that without running two different daemons. Just specify the two different local IPs in the config file, if they are bound to a local interface, or solve it with the routing engine, which you would need to anyway, if your original solution was to use two different processes.

#4 Updated by shivaraj bhat 8 days ago

Hi Noel,
Thanks for your kind quick response.
I understand we can specify two different local IPs in the config file and load the charon daemon.
But our requirement is something different.
We will have 2 different swanctl files (say, in different directories on the Linux host). The first one would be loaded statically at the beginning - no issues with this, we understand.
The second one should be loaded dynamically with a different swanctl input file using the charon daemon (which will be in another directory), so that it would not disturb the 1st swanctl IPsec connectivity.
I hope you get the context now. :)

#5 Updated by Noel Kuntze 8 days ago

Then use the include directive. The included file doesn't need to actually exist when the first file is loaded.
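
The single-daemon layout suggested in comments #3 and #5, written out as an added example that is not part of the original thread or the project's own configuration. All paths, connection names, identities, certificate file names and addresses are assumptions (the addresses are documentation ranges).

```conf
# --- /etc/swanctl/swanctl.conf (assumed path; static part, loaded at startup) ---
connections {
    site-a {                          # hypothetical connection name
        version = 2
        local_addrs  = 192.0.2.10     # first outer IP bound on this host
        remote_addrs = 198.51.100.1   # first peer
        local {
            auth  = pubkey
            certs = gw-a.pem          # placeholder file name under x509/
        }
        remote {
            auth = pubkey
            id   = peer-a.example.org
        }
        children {
            net-a {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
            }
        }
    }
}

# Dynamic part: nothing has to match this pattern when the file is first loaded.
include /etc/swanctl/dynamic/*.conf

# --- /etc/swanctl/dynamic/site-b.conf (assumed path; dropped in later) ---
connections {
    site-b {                          # merged into the connections section above
        version = 2
        local_addrs  = 192.0.2.20     # second outer IP bound on this host
        remote_addrs = 203.0.113.1    # second peer
        local {
            auth  = pubkey
            certs = gw-b.pem          # placeholder file name under x509/
        }
        remote {
            auth = pubkey
            id   = peer-b.example.org
        }
        children {
            net-b {
                local_ts  = 10.3.0.0/16
                remote_ts = 10.4.0.0/16
            }
        }
    }
}
```

After the second file is put in place, re-running the `swanctl --load-creds` and `swanctl --load-conns` commands from the original post makes the same charon instance pick up `site-b`.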
