strongSwan

h1. strongSwan Manager

*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

[[Image(htdocs:manager.png)]]

----

_*strongSwan Manager is still under heavy development and not intended for production use! *_

----

h2. Building strongSwan Manager

The manager is based on a [[FastCGI]] application and uses the ClearSilver templating engine to build the web sites. Thus you will need

* ClearSilver including headers (Debian: clearsilver-dev)

* [[FastCGI]] headers and library (Debian: libfcgi-dev)

* SQLite3 with headers (Debian: libsqlite3-dev)

The [[FastCGI]] communicates through a Unix socket, which is group-writable. So the [[FastCGI]] user has to be in the group under which the daemon runs.

As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:

<pre>

groupadd vpn

</pre>

To build the manager, add the following options to ./configure

<pre>

--enable-smp --enable-manager --enable-sqlite --with-group=vpn

</pre>

strongSwan releases prior to 4.2.2 use numerical group IDs, use _--with-gid_ instead.

h2. Setting up Apache 2

As the manager uses [[FastCGI]], any web server may be used to host the application. Here we look at the configuration of Apache2 using _mod-fastcgi_.

In addition to the Apache2 web server itself, you'll need

* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):

<pre>

[[AddHandler]] fastcgi-script .fcgi

</pre>

Static files are directly served by Apache, everything else is served by the [[FastCGI]] application. Add these two lines to your website:

<pre>

Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static

[[ScriptAlias]] /manager /usr/local/libexec/ipsec/manager/manager.fcgi

</pre>

Adapt these paths according to your _--prefix_ or _--libexecdir_ [[InstallationDocumentation|installation]] settings.

Now you'll need to add the [[FastCGI]] user to group which is used by strongSwan:

<pre>

usermod -a -G vpn www-data

</pre>

This setup is only recommended if you don't run other websites, as it allows the apache user to control strongSwan. You really should consider a more

secure setup (e.g. separate user for Manager, suexec, etc.)!

h2. Configure the manager

The manager uses a small database to do user authorization and gateway management. We have no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but [[MySQL]] should work if you set up the database properly.

The manager uses the _strongswan.conf_ configuration file installed in your _sysconfdir_ (e.g. _/etc_):

<pre>

manager {

  # path to your database

  database = sqlite:///etc/ipsec.d/manager.db

  # disable libfast debugging

  debug = false

  # number of threads to create in libfast

  threads = 5

  # session timeout

  timeout = 600

  # socket, if you want to run manager on console to debug. No socket lets apache create manager instances

  #socket = /var/lib/apache2/fastcgi/manager

}

</pre>

To create the database tables and some test data, have a look at the [browser:/trunk/src/manager/sqlite.sql SQLite SQL script]. This script creates a user _strongSwan_ with the password _strongSwan_.

To create a SQLite database, use something like:

<pre>

wget http://trac.strongswan.org/browser/trunk/src/manager/sqlite.sql?format=txt -q -O - | sqlite3 /etc/ipsec.d/manager.db

chmod g+w /etc/ipsec.d/manager.db

chgrp vpn /etc/ipsec.d/manager.db

</pre>

The password is hashed in the configuration database. To update it to _USERNAME_ and _PASSWORD_ use something like this (on bash):

<pre>

echo "update users set username = 'USERNAME'", password = "'@echo -n "USERNAMEPASSWORD" \

| sha1sum | awk '{ print $1 }'@';" | sqlite3 /etc/ipsec.d/manager.db

</pre>

If for example USERNAME is *foo* and PASSWORD is *barbara8x92* then the entry becomes

<pre>

echo "update users set username = 'foo'", password = "'@echo -n "foobarbara8x92" \

| sha1sum | awk '{ print $1 }'@';" | sqlite3 /etc/ipsec.d/manager.db

</pre>

Don't forget to set up write permissions for the apache user.

h2. Logging in

Surf to

<pre>

http://host/manager/status/ikesalist

</pre>

and have fun.