Issue #3530
Can I run multiple charon daemons on the Linux host
Description
Hi,
Is there a way to run multiple charon daemons on the Linux host?
Suppose I have the strongSwan folder in /etc/libexec/strongswan/.
I initialize IPsec by running the commands:
- /charon --use-syslog --debug-ike 0 --debug-cfg 0 &
- /usr/sbin/swanctl --load-conns
- /usr/sbin/swanctl --load-creds
Kindly let me know if we can run 2 charon instances with 2 different input swanctl files.
Thanks and Best regards,
Shivaraj. Bhat
History
#1 Updated by Tobias Brunner about 5 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
> Is there a way to run multiple charon daemon in the linux host.
First, why would you want to do that?
Running multiple IKE daemons that want to control the same IPsec/network stack is tricky due to potential conflicts (policies, reqids etc.).
You could, however, use network namespaces.
> Kindly let me know, if we can run 2 charon instances with 2 different input swanctl files.
You could use different config files and vici sockets.
#2 Updated by shivaraj bhat about 5 years ago
We have 2 different sets of outer IPs towards 2 different hosts and we need to maintain 2 different swanctl configs.
So we need to execute 2 independent charon instances for this requirement on a single Linux host.
Kindly let us know how to map a swanctl config file to a charon instance.
#3 Updated by Noel Kuntze about 5 years ago
You can do that without running two different daemons. Just specify the two different local IPs in the config file, if they are bound to a local interface, or solve it with the routing engine, which you would need to anyway, if your original solution was to use two different processes.
#4 Updated by shivaraj bhat about 5 years ago
Hi Noel,
Thanks for your kind quick response.
I understand, we can specify two different local IPs in the config file and load the charon daemon.
But our requirement is something different.
We will have 2 different swanctl files (say, in different directories on the Linux host). The first one would be loaded statically at the beginning; no issues with this, we understand.
The second one (which will be in another directory) should be loaded dynamically with a different swanctl input file using the charon daemon, so that it would not disturb the IPsec connectivity of the 1st swanctl file.
I hope you get the context now. :)
#5 Updated by Noel Kuntze about 5 years ago
Then use the include directive. The included file doesn't need to actually exist when the first file is loaded.
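Added example, not part of the thread and not strongSwan's own configuration: a swanctl.conf layout for what comments #3 and #5 suggest, with one daemon, one connection per outer IP, and an include for the file that arrives later. The file paths, connection names, certificate and identity names, and all addresses (documentation ranges) are constructed assumptions.

```conf
# /etc/swanctl/swanctl.conf  (assumed location of the statically loaded file)

connections {
    # First tunnel: pinned to the first outer IP of this host.
    peer-a {
        local_addrs  = 192.0.2.10        # constructed: outer IP 1
        remote_addrs = 198.51.100.1      # constructed: remote host A
        local {
            auth  = pubkey
            certs = host-a.pem           # hypothetical certificate file
        }
        remote {
            auth = pubkey
            id   = peer-a.example.org    # hypothetical peer identity
        }
        children {
            net-a {
                local_ts  = 10.1.0.0/16  # constructed traffic selectors
                remote_ts = 10.2.0.0/16
            }
        }
    }
}

# Second config, kept in a different directory and created later.
# Per comment #5, this file does not have to exist when the first
# file is loaded.
include /opt/second/swanctl-dynamic.conf

# ---------------------------------------------------------------
# /opt/second/swanctl-dynamic.conf  (hypothetical path, added later)
# ---------------------------------------------------------------
# connections {
#     peer-b {
#         local_addrs  = 192.0.2.20      # constructed: outer IP 2
#         remote_addrs = 203.0.113.1     # constructed: remote host B
#         local  { auth = pubkey
#                  certs = host-b.pem }
#         remote { auth = pubkey
#                  id = peer-b.example.org }
#         children { net-b { local_ts  = 10.3.0.0/16
#                            remote_ts = 10.4.0.0/16 } }
#     }
# }
```

Once the second file is in place, rerunning the `/usr/sbin/swanctl --load-conns` and `/usr/sbin/swanctl --load-creds` commands from the original post re-reads the main file together with the include.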
#6 Updated by Tobias Brunner almost 5 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Noel Kuntze
- Resolution set to No feedback