strongSwan Manager » History » Version 22

Martin Willi, 04.06.2008 16:03
correction

h1. strongSwan Manager

*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

[[Image(htdocs:manager.png)]]

----
_*strongSwan Manager is still under heavy development and not intended for production use!*_
----


h2. Building strongSwan Manager

The manager is based on a [[FastCGI]] application and uses the ClearSilver templating engine to render the web pages. Thus you will need

* ClearSilver including headers (Debian: clearsilver-dev)
* [[FastCGI]] headers and library (Debian: libfcgi-dev)
* SQLite3 with headers (Debian: libsqlite3-dev)

The [[FastCGI]] application talks to the daemon through a Unix socket which is group-writable, so the [[FastCGI]] user has to be a member of the group under which the daemon runs.
As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:
<pre>
groupadd vpn
</pre>

To build the manager, add the following options to _./configure_:
<pre>
--enable-smp --enable-manager --enable-sqlite --with-group=vpn
</pre>
strongSwan releases prior to 4.2.2 use numerical group IDs; use _--with-gid_ instead.


h2. Setting up Apache 2

As the manager uses [[FastCGI]], any web server may be used to host the application. Here we look at the configuration of Apache 2 using _mod-fastcgi_.

In addition to the Apache 2 web server itself, you'll need

* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):
<pre>
AddHandler fastcgi-script .fcgi
</pre>
Static files are served directly by Apache, everything else is served by the [[FastCGI]] application. Add these two lines to your website configuration:
<pre>
Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager/manager.fcgi
</pre>
Adapt these paths according to your _--prefix_ or _--libexecdir_ [[InstallationDocumentation|installation]] settings.

Now you'll need to add the [[FastCGI]] user to the group used by strongSwan:
<pre>
usermod -a -G vpn www-data
</pre>
This setup is only recommended if you don't run other websites, as it allows the Apache user to control strongSwan. You really should consider a more secure setup (e.g. a separate user for the Manager, suexec, etc.)!


h2. Configure the manager

The manager uses a small database for user authorization and gateway management. We have no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but [[MySQL]] should work if you set up the database properly.

The manager reads its settings from the _strongswan.conf_ configuration file installed in your _sysconfdir_ (e.g. _/etc_):
<pre>
manager {
  # path to your database
  database = sqlite:///etc/ipsec.d/manager.db
  # disable libfast debugging
  debug = false
  # number of threads to create in libfast
  threads = 5
  # session timeout
  timeout = 600
  # socket to listen on if you run the manager from a console for debugging;
  # without a socket, Apache spawns the manager instances itself
  #socket = /var/lib/apache2/fastcgi/manager
}
</pre>
To create the database tables and some test data, have a look at the [browser:/trunk/src/manager/sqlite.sql SQLite SQL script]. This script creates a user _strongSwan_ with the password _strongSwan_.
To create a SQLite database, use something like:
<pre>
wget "http://trac.strongswan.org/browser/trunk/src/manager/sqlite.sql?format=txt" -q -O - | sqlite3 /etc/ipsec.d/manager.db
chmod g+w /etc/ipsec.d/manager.db
chgrp vpn /etc/ipsec.d/manager.db
</pre>
The password is stored as the SHA-1 hash of the username concatenated with the password. To change the entry to _USERNAME_ and _PASSWORD_, use something like this (on bash):
<pre>
echo "update users set username = 'USERNAME', password = '$(echo -n "USERNAMEPASSWORD" \
  | sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
If for example USERNAME is *foo* and PASSWORD is *barbara8x92* then the command becomes
<pre>
echo "update users set username = 'foo', password = '$(echo -n "foobarbara8x92" \
  | sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
Don't forget to set up write permissions for the Apache user.
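Added example, not code from this page or from the strongSwan project: the same hashing scheme as shell functions that hash username||password exactly like the one-liner above, escape single quotes in the username for SQL, and emit the UPDATE statement. Because the stored value is unsalted SHA-1 over the bare concatenation (no separator), the database file deserves the same protection as a password file; the group and mode settings above are the minimum.

```shell
#!/bin/sh
# Added example: build the strongSwan Manager password update statement.
# Mirrors the page's scheme: users.password = sha1(username || password).

# Hex SHA-1 digest of stdin; uses sha1sum (coreutils) or falls back to openssl.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum | awk '{ print $1 }'
  else
    openssl dgst -sha1 | awk '{ print $NF }'
  fi
}

# manager_pw_hash USERNAME PASSWORD -> 40 hex chars, as stored in users.password.
# Note: no salt and no separator, so the hash does not encode where the
# username ends; the row is still selected by the username column.
manager_pw_hash() {
  printf '%s%s' "$1" "$2" | sha1_hex
}

# Double every single quote so the value is safe inside an SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# manager_user_sql USERNAME PASSWORD -> the UPDATE statement for the users table.
manager_user_sql() {
  user=$(sql_quote "$1")
  pwhash=$(manager_pw_hash "$1" "$2")
  printf "update users set username = '%s', password = '%s';\n" "$user" "$pwhash"
}

# Usage, as on the page: pipe the statement into the manager database, e.g.
#   manager_user_sql foo barbara8x92 | sqlite3 /etc/ipsec.d/manager.db
```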


h2. Logging in

Surf to
<pre>
http://host/manager/status/ikesalist
</pre>
and have fun.