
Version 2 (Martin Willi, 12.09.2014 13:22) → Version 3/6 (Martin Willi, 12.09.2014 13:22)

h1. charon-systemd

The _charon-systemd_ daemon is an IKE daemon very similar to _charon_, but specifically designed for use with _systemd_. It uses the _systemd_ libraries for native integration and ships with a simple _systemd_ service file.

Instead of using [[IpsecStarter|starter]] and an [[IpsecConf|ipsec.conf]] based configuration, the daemon is managed directly by _systemd_ and configured through the [[swanctl]] configuration backend. [[IpsecConf|ipsec.conf]] based configurations are not supported by this daemon, as they would require the [[IpsecStarter|starter]] process.

To build the daemon, add
<pre>--enable-systemd --enable-swanctl</pre> to the [[InstallationDocumentation|./configure options]].

To disable [[IpsecStarter|starter]], [[IpsecCommand|ipsec]] and the [[IpsecStroke|stroke]] backend, additionally add
<pre>--disable-charon --disable-stroke --disable-scepclient</pre> to build a lightweight and clean IKE daemon using modern tools.

The _systemd_ unit file directory is detected automatically using _pkg-config_, but may be set manually using the @--with-systemdsystemunitdir=@ option.

It is available since [[5.2.1]].

h2. Behavior

_charon-systemd_ is installed as a native _systemd_ daemon and should be started and stopped using _systemctl_. The _reload_ command reloads [[strongswanConf|strongswan.conf]].

After startup, _systemd_ uses [[swanctl]] to load the _swanctl_ based configuration, including connections, pools and credentials.

h2. Configuration

To configure connections, refer to the [[swanctl]] backend documentation. _charon-systemd_ requires a [[swanctl]] based configuration.

h2. Logging

By default the _charon-systemd_ daemon logs to the _systemd_ journal; use _journalctl_ to inspect the log. Log levels are configured much like the other charon [[LoggerConfiguration|logger configuration]], but in a _journal_ section:

<pre>
charon-systemd {
    journal {
        # default level for all subsystems
        default = 1
        # per-subsystem overrides
        ike = 2
        knl = 3
        # ...
    }
}
</pre>
Of course one may also define traditional _syslog_ and _filelog_ loggers in the _charon-systemd_ section of _strongswan.conf_; refer to [[LoggerConfiguration]] for details. To disable the _journal_ logger, set @default = -1@ to make it silent.

The _journal_ based logger provides some additional metadata in custom _journal_ fields:

|LEVEL|numerical strongSwan log level|
|GROUP|logging subsystem string|
|THREAD|numerical thread identifier issuing the journal entry|
|IKE_SA_UNIQUE_ID|IKE_SA unique identifier, if available|
|IKE_SA_NAME|name of the IKE_SA configuration, if available|

The _MESSAGE_ field contains the log message; _MESSAGE_ID_ carries a unique identifier specific to each log message type.
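Because the custom fields above end up as ordinary journal fields, they can be exported with @journalctl -o json@ and correlated per IKE_SA when auditing a negotiation. The following Python script is an added example and not part of the strongSwan documentation or code base: it assumes the one-JSON-object-per-line shape that @journalctl -o json@ produces, and the four sample records (addresses, messages, thread and SA numbers) are constructed for illustration; only the field names come from this page.

```python
import json
from collections import defaultdict

# Constructed sample of four journal records in the shape `journalctl -o json`
# emits (one JSON object per line). Values are made up; the custom field names
# LEVEL, GROUP, THREAD, IKE_SA_UNIQUE_ID and IKE_SA_NAME are the ones documented
# for the charon-systemd journal logger.
SAMPLE_JOURNAL_JSON = """\
{"MESSAGE": "initiating IKE_SA home[1] to 192.0.2.10", "LEVEL": "1", "GROUP": "IKE", "THREAD": "7", "IKE_SA_UNIQUE_ID": "1", "IKE_SA_NAME": "home", "_PID": "1234"}
{"MESSAGE": "sending packet: from 192.0.2.1[500] to 192.0.2.10[500]", "LEVEL": "1", "GROUP": "NET", "THREAD": "7", "IKE_SA_UNIQUE_ID": "1", "IKE_SA_NAME": "home"}
{"MESSAGE": "received AUTHENTICATION_FAILED notify error", "LEVEL": "1", "GROUP": "IKE", "THREAD": "9", "IKE_SA_UNIQUE_ID": "2", "IKE_SA_NAME": "roadwarrior"}
{"MESSAGE": "loaded plugins: charon-systemd ...", "LEVEL": "1", "GROUP": "DMN", "THREAD": "1"}
"""

# Fields that the journal stores as strings but that are numeric for strongSwan.
NUMERIC_FIELDS = ("LEVEL", "THREAD", "IKE_SA_UNIQUE_ID")


def parse_journal(text):
    """Parse `journalctl -o json` output into dicts, converting numeric fields.

    Malformed lines are skipped rather than aborting the whole export, since a
    single bad record should not hide the rest of the audit trail.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        for field in NUMERIC_FIELDS:
            if field in rec:
                try:
                    rec[field] = int(rec[field])
                except (TypeError, ValueError):
                    pass  # leave the raw value if it is not an integer
        records.append(rec)
    return records


def group_by_ike_sa(records):
    """Group records by (IKE_SA_UNIQUE_ID, IKE_SA_NAME).

    Daemon-level entries without an IKE_SA are collected under the key None,
    so nothing from the export is silently dropped.
    """
    groups = defaultdict(list)
    for rec in records:
        if "IKE_SA_UNIQUE_ID" in rec:
            key = (rec["IKE_SA_UNIQUE_ID"], rec.get("IKE_SA_NAME"))
        else:
            key = None
        groups[key].append(rec)
    return dict(groups)


def find_auth_failures(records):
    """Return the (unique id, name) of every IKE_SA that logged an
    AUTHENTICATION_FAILED notify, in log order and without duplicates."""
    seen = []
    for rec in records:
        if "AUTHENTICATION_FAILED" in rec.get("MESSAGE", "") and "IKE_SA_UNIQUE_ID" in rec:
            key = (rec["IKE_SA_UNIQUE_ID"], rec.get("IKE_SA_NAME"))
            if key not in seen:
                seen.append(key)
    return seen


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL_JSON)
    for key, entries in group_by_ike_sa(recs).items():
        label = "daemon" if key is None else "IKE_SA %d (%s)" % key
        print(label)
        for rec in entries:
            print("  [%s/%d] %s" % (rec["GROUP"], rec["LEVEL"], rec["MESSAGE"]))
    print("authentication failures:", find_auth_failures(recs))
```

To run it against a live system, replace @SAMPLE_JOURNAL_JSON@ with the output of @journalctl -o json@ filtered to the charon-systemd unit; the grouping on @IKE_SA_UNIQUE_ID@ is what lets you follow one negotiation across the IKE, NET and KNL subsystems even when several threads interleave.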