charon-systemd » History » Version 6

Tobias Brunner, 20.07.2020 16:42
Note about PRIORITY field

h1. charon-systemd

The _charon-systemd_ daemon implements the IKE daemon very similarly to _charon_, but is specifically designed for use with _systemd_. It uses the _systemd_ libraries for native integration and comes with a simple _systemd_ service file.

Instead of using [[IpsecStarter|starter]] and an [[IpsecConf|ipsec.conf]] based configuration, the daemon is directly managed by _systemd_ and configured with the [[swanctl]] configuration backend. [[IpsecConf|ipsec.conf]] based configurations are not supported with this daemon, as that would require the [[IpsecStarter|starter]] process.

h2. Legacy systemd support using _ipsec.conf_ and _starter_

Since [[4.5.2]], strongSwan comes with a systemd service unit called @strongswan@. This service invokes _starter_, which then loads _ipsec.conf_. This service is different from the _charon-systemd_ based service discussed here, which has a much simpler design and native systemd integration. _charon-systemd_ implements the systemd service unit called @strongswan-swanctl@ (renamed to @strongswan@ in version:5.8.0, see _Behavior_ below), because it relies on [[swanctl]] for its configuration.

h2. Build options

To build the daemon, add

<pre>--enable-systemd --enable-swanctl</pre>

to the [[InstallationDocumentation|./configure options]].

To disable [[IpsecStarter|starter]], [[IpsecCommand|ipsec]] and the [[IpsecStroke|stroke]] backend, additionally add

<pre>--disable-charon --disable-stroke --disable-scepclient</pre>

to build a lightweight and clean IKE daemon using modern tools.

The _systemd_ unit file directory is detected automatically using _pkg-config_, but may be set manually using the @--with-systemdsystemunitdir=@ option.

_charon-systemd_ is available since [[5.2.1]].

h2. Behavior

_charon-systemd_ is installed as a native _systemd_ daemon and should be started and stopped using _systemctl_. The systemd service unit is named @strongswan@ (it was @strongswan-swanctl@ before version:5.8.0, to distinguish it from the @strongswan@ service that uses [[IpsecStarter|starter]], which is now called @strongswan-starter@).

After startup, _systemd_ uses [[swanctl]] to load the _swanctl_-based configuration, including connections, pools and credentials.

The _reload_ command reloads [[strongswanConf|strongswan.conf]] and, since version:5.7.0, also the _swanctl_-based configuration.

h2. Configuration

To configure connections and credentials, refer to the [[swanctl]] backend documentation. _charon-systemd_ requires the use of a [[swanctl]] based configuration.

h2. Logging

By default the _charon-systemd_ backend logs to the _systemd_ journal; use _journalctl_ to inspect the log. Log levels can be configured very similarly to the other charon [[LoggerConfiguration|logger configuration]], but using a _journal_ section:

<pre>
charon-systemd {
  journal {
    default = 1
    ike = 2
    knl = 3
    # ...
  }
}
</pre>

Of course one may also define traditional _syslog_ and _filelog_ loggers in the _charon-systemd_ section of _strongswan.conf_; refer to [[LoggerConfiguration]] for details. To disable the _journal_ logger, set @default = -1@ to make it silent.

The _journal_ based logger provides some additional metadata in custom _journal_ fields:

|_<.Field|_<.Description|
|LEVEL|numerical strongSwan log level|
|GROUP|logging subsystem string|
|THREAD|numerical thread identifier issuing the journal entry|
|IKE_SA_UNIQUE_ID|IKE_SA unique identifier, if available|
|IKE_SA_NAME|name of the IKE_SA configuration, if available|

The _MESSAGE_ field contains the log message; _MESSAGE_ID_ holds a unique identifier specific to each log message type.

The log levels are also mapped to values stored in the _PRIORITY_ field (0 to _LOG_NOTICE_, 1 to _LOG_INFO_, everything above to _LOG_DEBUG_, see @syslog(3)@).
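As an added example (not part of the strongSwan project or this wiki page), the following Python script reads journal entries in the JSON export format that @journalctl -o json@ emits, filters them by the custom _IKE_SA_NAME_ field, counts messages per _IKE_SA_UNIQUE_ID_, and checks that the _PRIORITY_ of each entry agrees with the LEVEL mapping described above. The journal entries are constructed sample data; the @syslog(3)@ constants are the standard values.

```python
import json

# syslog(3) priority values the page says strongSwan log levels map to.
LOG_NOTICE, LOG_INFO, LOG_DEBUG = 5, 6, 7


def priority_for_level(level: int) -> int:
    """Map a strongSwan log level to the journal PRIORITY value:
    0 -> LOG_NOTICE, 1 -> LOG_INFO, anything above -> LOG_DEBUG."""
    if level <= 0:
        return LOG_NOTICE
    if level == 1:
        return LOG_INFO
    return LOG_DEBUG


def parse_journal_export(text: str) -> list:
    """Parse `journalctl -o json` output: one JSON object per line,
    all field values are strings (numbers included)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def entries_for_ike_sa(entries: list, name: str) -> list:
    """Entries carrying the custom IKE_SA_NAME field with the given value."""
    return [e for e in entries if e.get("IKE_SA_NAME") == name]


def messages_per_ike_sa(entries: list) -> dict:
    """Count messages per IKE_SA_UNIQUE_ID; entries without the field are skipped."""
    counts = {}
    for e in entries:
        uid = e.get("IKE_SA_UNIQUE_ID")
        if uid is not None:
            counts[uid] = counts.get(uid, 0) + 1
    return counts


def priority_mismatches(entries: list) -> list:
    """Entries whose PRIORITY does not match the mapping of their LEVEL."""
    return [e for e in entries
            if int(e["PRIORITY"]) != priority_for_level(int(e["LEVEL"]))]


# Constructed sample export (not real journal output); addresses are RFC 5737 ranges.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"MESSAGE": "IKE_SA home[1] established between 192.0.2.1[moon]...192.0.2.2[sun]",
     "GROUP": "IKE", "LEVEL": "1", "PRIORITY": "6", "THREAD": "7",
     "IKE_SA_UNIQUE_ID": "1", "IKE_SA_NAME": "home"},
    {"MESSAGE": "sending packet: from 192.0.2.1[500] to 192.0.2.2[500]",
     "GROUP": "NET", "LEVEL": "1", "PRIORITY": "6", "THREAD": "7",
     "IKE_SA_UNIQUE_ID": "1", "IKE_SA_NAME": "home"},
    {"MESSAGE": "loaded plugins: charon-systemd", "GROUP": "DMN",
     "LEVEL": "1", "PRIORITY": "6", "THREAD": "1"},  # no IKE_SA fields
    {"MESSAGE": "parsed IKE_SA_INIT request 0 [ SA KE No ]", "GROUP": "ENC",
     "LEVEL": "2", "PRIORITY": "7", "THREAD": "9",
     "IKE_SA_UNIQUE_ID": "2", "IKE_SA_NAME": "rw"},
])
```

On a live host the same functions can be fed with the output of @journalctl -u strongswan -o json@.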