strongSwan Manager » History » Version 16

Martin Willi, 02.04.2008 15:35

= strongSwan Manager =

'''strongSwan Manager''' is a web application which interacts with the IKEv2 daemon [wiki:charon] via an XML interface running the [wiki:SMP] information query and control protocol.

[[Image(htdocs:manager.png)]]
----
'''''strongSwan Manager is still under heavy development and not intended for production use!'''''
----

== Building strongSwan Manager ==

The manager is built as a FastCGI application and uses the !ClearSilver templating engine to build the web pages. You will therefore need:
 * !ClearSilver including headers (Debian: clearsilver-dev)
 * FastCGI headers and library (Debian: libfcgi-dev)
 * SQLite3 with headers (Debian: libsqlite3-dev)

The FastCGI application communicates through a group-writable Unix socket, so the FastCGI user has to be in the group under which the daemon runs.
As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [wiki:nonRoot non-root] group. Create a group for that purpose:
{{{
groupadd vpn
}}}

To build the manager, add the following options to ./configure:
{{{
--enable-smp --enable-manager --with-gid=`id -g vpn`
}}}

== Setting up Apache 2 ==
As the manager uses FastCGI, any web server may be used to host the application. Here we look at the configuration of Apache2 using ''mod-fastcgi''.

In addition to the Apache2 web server itself, you'll need
 * mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):
{{{
AddHandler fastcgi-script .fcgi
}}}
Static files are served directly by Apache; everything else is served by the FastCGI application. Add these two lines to your website's configuration:
{{{
Alias /manager/static /usr/local/libexec/ipsec/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager.fcgi
}}}
Adapt these paths according to your ''--prefix'' or ''--libexecdir'' [wiki:InstallationDocumentation installation] settings.

Now you'll need to add the FastCGI user to the group used by strongSwan:
{{{
usermod -a -G vpn www-data
}}}
This setup is only recommended if you don't run other websites, as it allows the apache user to control strongSwan. You really should consider a more secure setup (e.g. separate user for Manager, suexec, etc.)!
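
Because membership in the strongSwan group is what grants control of the daemon, it is worth checking exactly which accounts are in it. The script below is an added example, not part of the original page or the strongSwan sources; it uses the page's `vpn` and `www-data` names, and the sample account data (including the `backup` account) is constructed.

```shell
#!/bin/sh
# Added example: list every account in a group, counting supplementary members
# (/etc/group field 4) and accounts whose primary GID is the group
# (/etc/passwd field 4), which the group file alone does not show.

# members_of GROUP [GROUP_FILE] [PASSWD_FILE]
members_of() {
    grp=$1 gfile=${2:-/etc/group} pfile=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$gfile")
    {
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        awk -F: -v gid="$gid" 'gid != "" && $4 == gid { print $1 }' "$pfile"
    } | sort -u
}

# unexpected_members GROUP ALLOWED_USER [GROUP_FILE] [PASSWD_FILE]
# Prints members other than the one account that is meant to reach the daemon.
unexpected_members() {
    members_of "$1" "${3:-}" "${4:-}" | grep -vx -- "$2" || true
}

# Constructed sample databases for an offline run; "backup" is a made-up
# account whose primary group happens to be vpn.
write_sample() {
    printf '%s\n' 'root:x:0:' 'vpn:x:1001:www-data' 'www-data:x:33:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'backup:x:34:1001:backup:/var/backups:/usr/sbin/nologin' > "$1/passwd"
}

demo() {
    d=$(mktemp -d) && write_sample "$d"
    unexpected_members vpn www-data "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo   # prints: backup
```

Run `unexpected_members vpn www-data` without file arguments to check the live system; any name it prints can talk to the daemon's socket in this setup.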

== Configure the manager ==

The manager uses a small database to do user authorization and gateway management. We have no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but MySQL should work if you set up the database properly.

The manager uses the ''strongswan.conf'' configuration file from ''/usr/local/libexec/ipsec'':
{{{
manager {
  # path to your database
  database = sqlite:///usr/local/libexec/ipsec/manager.db
  # disable libfast debugging
  debug = false
  # number of threads to create in libfast
  threads = 5
  # session timeout
  timeout = 600
  # socket, if you want to run manager on console to debug. No socket lets apache create manager instances
  #socket = /var/lib/apache2/fastcgi/manager
}
}}}
To create the database tables and some test data, have a look at the [browser:/trunk/src/manager/sqlite.sql SQLite SQL script]. This script creates a user ''strongSwan'' with the password ''strongSwan''.
To create a SQLite database, use something like:
{{{
wget "http://trac.strongswan.org/browser/trunk/src/manager/sqlite.sql?format=txt" -q -O - | sqlite3 /usr/local/libexec/ipsec/manager.db
chmod g+w /usr/local/libexec/ipsec/manager.db
chgrp vpn /usr/local/libexec/ipsec/manager.db
}}}
The password is stored hashed in the configuration database. To change the credentials to ''USERNAME'' and ''PASSWORD'' use something like this (on bash):
{{{
echo "update users set username = 'USERNAME', password = '$(echo -n "USERNAMEPASSWORD" \
| sha1sum | awk '{ print $1 }')';" | sqlite3 /usr/local/libexec/ipsec/manager.db
}}}
Don't forget to set up write permissions for the apache user.
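
The credential update above can also be done without typing the password on the command line and with the username quoted as an SQL literal. This is an added example, not code from the original page or the strongSwan sources; the function names are hypothetical, and the `users` table with `username` and `password` columns is assumed from the page's own command.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes the schema implied
# by the page's command: table "users" with columns "username", "password".

# SHA-1 hex digest of USERNAME immediately followed by PASSWORD, the same
# value the page's one-liner computes. There is no separator, so
# ("ab","c") and ("a","bc") produce the same digest.
manager_hash() {
    printf '%s%s' "$1" "$2" | sha1sum | awk '{ print $1 }'
}

# Quote a value as an SQL string literal: wrap in '...' and double any '.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the UPDATE statement. Like the page's command it has no WHERE
# clause and therefore rewrites every row in "users".
manager_update_sql() {
    printf 'update users set username = %s, password = %s;\n' \
        "$(sql_quote "$1")" "$(sql_quote "$(manager_hash "$1" "$2")")"
}

# Prompt for the password with terminal echo off, so it does not end up
# in the shell history, then apply the update to the database file.
manager_set_credentials() {
    db=$1 user=$2
    printf 'New password for %s: ' "$user" >&2
    stty -echo; IFS= read -r pass; stty echo; printf '\n' >&2
    manager_update_sql "$user" "$pass" | sqlite3 "$db"
}

# Usage: sh thisfile --set /usr/local/libexec/ipsec/manager.db USERNAME
if [ "${1:-}" = "--set" ]; then
    manager_set_credentials "$2" "$3"
fi
```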

== Logging in ==

Surf to
{{{
http://host/manager/status/ikesalist
}}}
and have fun.