Feature #420

Add more of the verbs that were supported by pluto to the updown plugin

Added by c b almost 7 years ago. Updated almost 7 years ago.

Status:
Feedback
Priority:
Normal
Category:
-
Target version:
-
Start date:
26.09.2013
Due date:
Estimated time:
Resolution:

Description

I really only have a question but there is no StrongSwan FORUM that I can find anywhere. Is there one?

I'm trying to find some API doc on the updown scripts and what parameters (if any) you can specify right in the leftupdown configuration. Plus, there is mention of some "default _updown" but I have no clue where this would exist. On my system I did find /usr/lib/ipsec/_updown and looking at it, it contains a bunch of PLUTO references and PLUTO variables it uses. I can GUESS that's the script that runs, but don't know. I wrote a bare-bones script that just outputs all parameters and the output of the 'set' command into a file and I see it does have PLUTO variables with pieces of the ipsec configuration; we'll continue using the PLUTO names?

Also, I read that the updown scripts only run if the connection is established. Is it possible to define something to run before bringing it up?

Thanks.

History

#1 Updated by c b almost 7 years ago

So from testing I have determined that indeed the default script that runs is /usr/libexec/ipsec/_updown.
I added a line in there to output the PLUTO_VERB and parameters. But the only things I ever see output are:
up-client:iptables
down-client:iptables

I never see things like prepare-client or prepare-host.. I don't see route-.. anything.. and all my connections are with auto=route. But even when I run 'ipsec route xx' and 'ipsec unroute xx' I still don't see that verb appear.

#2 Updated by c b almost 7 years ago

What I'm trying to do is get the PLUTO_VERB to be "prepare-client" when it says it's supposed to happen, or even "route-client" so that I can add a special SNAT rule that has to be in place in order for traffic to get picked up by ipsec's route rule.

But so far I cannot make it do anything other than "up-client" and "down-client" using 'ipsec update'. I have not tried 'ipsec restart' because I don't want to mess up the other connections, but I'll need it to work without calling 'ipsec restart'.

#3 Updated by Tobias Brunner almost 7 years ago

  • Subject changed from leftupdown rightupdown syntax to Add more of the verbs that were supported by pluto to the updown plugin
  • Status changed from New to Feedback

I really only have a question but there is no StrongSwan FORUM that I can find anywhere. Is there one?

Try our mailing lists for such things: http://www.strongswan.org/support.html

I'm trying to find some API doc on the updown scripts and what parameters (if any) you can specify right in the leftupdown configuration. Plus, there is mention of some "default _updown" but I have no clue where this would exist. On my system I did find /usr/lib/ipsec/_updown and looking at it, it contains a bunch of PLUTO references and PLUTO variables it uses.

Yep, that's the default script used for the leftfirewall functionality. The environment variables provided by the daemon when calling the script are documented at the top of the file.

I can GUESS that's the script that runs, but don't know. I wrote a bare-bones script that just outputs all parameters and the output of the 'set' command into a file and I see it does have PLUTO variables with pieces of the ipsec configuration; we'll continue using the PLUTO names?

For legacy reasons the names of those environment variables probably won't change even now that the old pluto daemon is gone.

Also, I read that the updown scripts only run if the connection is established. Is it possible to define something to run before bringing it up?

No, currently not. You'd have to either modify the updown plugin or write your own plugin that does something like that. But there is currently no event that signifies the start of a connection establishment. You could perhaps use one of the existing events, but it depends on what you want to do exactly.

I never see things like prepare-client or prepare-host.. I don't see route-.. anything.. and all my connections are with auto=route. But even when I run 'ipsec route xx' and 'ipsec unroute xx' I still don't see that verb appear.

Nope, those verbs are not used by the updown plugin. Only the pluto daemon used those.

The only verbs used by the updown plugin are up-host, up-client, their down counterparts and the -v6 variants of them.

What I'm trying to do is get the PLUTO_VERB to be "prepare-client" when it says it's supposed to happen, or even "route-client" so that I can add a special SNAT rule that has to be in place in order for traffic to get picked up by ipsec's route rule.

Since there are currently no events for plugins to catch when connections get routed, the updown plugin currently can't produce a route-client event.

#4 Updated by c b almost 7 years ago

I see. Thank you for the info and renaming the feature. I will keep an eye for that feature.

I did an 'ipsec restart' at off-peak hours and I still didn't see any "up-host", but I wouldn't use that anyway because I don't want to mess with other connections.

Is there a doc that explains exactly when those happen?

I don't see an "updown plugin" when I download the source. Can you point me in the right direction? I searched the entire tree structure for something like "up-client" and only found it in the shell scripts and tests. But from what you wrote, it sounds like there is no way to do anything in the updown plugin to make it get called before a connection is already up.

Not sure I'll have the time to spend modifying and testing the updown plugin, so I guess my only remaining option is to write a script that will read the config file and do stuff. That is what my "ipsec-monitor" script does now, looking for a "#monitor" line which then defines what protected IP and port to check, and reset the connection if it fails. This happens several times a day for a few of our flaky VPN partners.

#5 Updated by Tobias Brunner almost 7 years ago

I did an 'ipsec restart' at off-peak hours and I still didn't see any "up-host", but I wouldn't use that anyway because I don't want to mess with other connections.

Whether up-host or up-client is used depends on the local traffic selector. For single hosts up-host is used, for subnets up-client is used.

Is there a doc that explains exactly when those happen?

Other than the comments in the default updown script, no. (I realize that those may not be all that clear).

I don't see an "updown plugin" when I download the source. Can you point me in the right direction?

source:src/libcharon/plugins/updown/

I searched the entire tree structure for something like "up-client" and only found it in the shell scripts and tests.

That's because those strings are dynamically generated in updown_listener.c.

But from what you wrote, it sounds like there is no way to do anything in the updown plugin to make it get called before a connection is already up.

No, currently not.
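A minimal updown script that acts only on the verbs Tobias lists in #3 (up-host, up-client, their down counterparts and the -v6 variants) and implements the SNAT rule c b asks for in #2, using the host-versus-subnet distinction from #5. This is an added example, not strongSwan's _updown and not code from either poster. Only PLUTO_VERB is named in the thread; the other variables it reads (PLUTO_ME, PLUTO_MY_CLIENT, PLUTO_PEER, PLUTO_PEER_CLIENT), the convention of passing the SNAT address as an argument on the leftupdown line, the UPDOWN_DRY_RUN switch and all addresses are assumptions constructed for the example and should be checked against the header comments of the installed _updown script.

```shell
#!/bin/sh
# Example updown script (added here; not strongSwan's default _updown).
# charon calls the script named in leftupdown with the PLUTO_* variables in
# the environment. Only PLUTO_VERB is named in the thread; the other names
# used below are assumed from the header of the default _updown script and
# should be checked against the installed copy.
#
# Caveat: the updown plugin only fires once a CHILD_SA is up, so with
# auto=route nothing runs when the trap policy is installed. A rule that
# must exist before the first packet has to be installed outside this script.

# Execute a command, or just echo it when UPDOWN_DRY_RUN=1 (constructed
# switch used for testing without touching the firewall).
run() {
    if [ "${UPDOWN_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# updown_handle VERB SNAT_SOURCE
# Adds (up-*) or deletes (down-*) a POSTROUTING SNAT rule for traffic that
# will be IPsec-protected towards the peer. Returns 1 for any verb the
# updown plugin does not emit (e.g. the old pluto verbs).
updown_handle() {
    verb=$1
    snat_to=$2

    case "$verb" in
        up-client)       action=-A; ipt=iptables;  kind=client ;;
        down-client)     action=-D; ipt=iptables;  kind=client ;;
        up-host)         action=-A; ipt=iptables;  kind=host   ;;
        down-host)       action=-D; ipt=iptables;  kind=host   ;;
        up-client-v6)    action=-A; ipt=ip6tables; kind=client ;;
        down-client-v6)  action=-D; ipt=ip6tables; kind=client ;;
        up-host-v6)      action=-A; ipt=ip6tables; kind=host   ;;
        down-host-v6)    action=-D; ipt=ip6tables; kind=host   ;;
        *)  echo "updown: ignoring verb '$verb'" >&2; return 1 ;;
    esac

    # up-host is used when the local traffic selector is a single host,
    # up-client when it is a subnet (then PLUTO_MY_CLIENT holds the subnet).
    if [ "$kind" = host ]; then
        src=$PLUTO_ME
    else
        src=$PLUTO_MY_CLIENT
    fi

    # The policy match restricts the SNAT to packets that will leave through
    # an IPsec tunnel to this peer, so plain traffic to the same subnet is
    # not rewritten.
    run "$ipt" -t nat "$action" POSTROUTING \
        -s "$src" -d "$PLUTO_PEER_CLIENT" \
        -m policy --dir out --pol ipsec --tunnel-dst "$PLUTO_PEER" \
        -j SNAT --to-source "$snat_to"
}

# Entry point when charon invokes the script. The SNAT source is passed as
# the first argument on the leftupdown line (assumed usage):
#   leftupdown="/usr/local/libexec/ipsec/snat-updown 203.0.113.10"
updown_main() {
    if [ -z "$PLUTO_VERB" ] || [ -z "$1" ]; then
        echo "usage: PLUTO_VERB=<verb> $0 <snat-source>" >&2
        return 2
    fi
    updown_handle "$PLUTO_VERB" "$1"
}

# Only dispatch when actually called by charon (PLUTO_VERB set); the
# functions above can otherwise be sourced and exercised by hand.
if [ -n "$PLUTO_VERB" ]; then
    updown_main "$@"
fi
```

Because these verbs are emitted only after the CHILD_SA is installed, this script cannot do what #2 asks for on a trap-triggered (auto=route) connection: the first packet that should hit the trap policy is sent before the rule exists. That part of the setup has to be installed statically; the script is useful for rules that legitimately belong to "after the SA is up".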

#6 Updated by Andreas Steffen almost 7 years ago

  • Assignee set to Tobias Brunner