
Version 21 (Martin Willi, 04.06.2008 16:03) → Version 22/27 (Martin Willi, 04.06.2008 16:03)


h1. strongSwan Manager

*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

[[Image(htdocs:manager.png)]]
----
*strongSwan Manager is still under heavy development and not intended for production use!*
----

h2. Building strongSwan Manager

The manager is based on a [[FastCGI]] application and uses the ClearSilver templating engine to build the web pages. Thus you will need

* ClearSilver including headers (Debian: clearsilver-dev)

* [[FastCGI]] headers and library (Debian: libfcgi-dev)

* SQLite3 with headers (Debian: libsqlite3-dev)

The FastCGI application communicates through a Unix socket which is group-writable, so the FastCGI user has to be in the group under which the daemon runs.
As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:
<pre>
groupadd vpn
</pre>

To build the manager, add the following options to ./configure:
<pre>
--enable-smp --enable-manager --enable-sqlite --with-group=vpn
</pre>
strongSwan releases prior to 4.2.2 use numerical group IDs; use _--with-gid_ instead.

h2. Setting up Apache 2

As the manager uses [[FastCGI]], any web server may be used to host the application. Here we look at the configuration of Apache2 using _mod-fastcgi_.

In addition to the Apache2 web server itself, you'll need

* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):
<pre>
AddHandler fastcgi-script .fcgi
</pre>
Static files are directly served by Apache, everything else is served by the [[FastCGI]] application. Add these two lines to your website:
<pre>
Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager/manager.fcgi
</pre>
Adapt these paths according to your _--prefix_ or _--libexecdir_ [[InstallationDocumentation|installation]] settings.

Now you'll need to add the FastCGI user to the group which is used by strongSwan:
<pre>
usermod -a -G vpn www-data
</pre>
This setup is only recommended if you don't run other websites, as it allows the Apache user to control strongSwan. You really should consider a more secure setup (e.g. a separate user for the Manager, suexec, etc.)!

h2. Configure the manager

The manager uses a small database to do user authorization and gateway management. We have no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but [[MySQL]] should work if you set up the database properly.

The manager uses the _strongswan.conf_ configuration file installed in your _sysconfdir_ (e.g. _/etc_):
<pre>
manager {
    # path to your database
    database = sqlite:///etc/ipsec.d/manager.db
    # disable libfast debugging
    debug = false
    # number of threads to create in libfast
    threads = 5
    # session timeout in seconds
    timeout = 600
    # socket to use if you want to run the manager on the console for debugging;
    # without a socket, Apache creates the manager instances itself
    #socket = /var/lib/apache2/fastcgi/manager
}
</pre>
To create the database tables and some test data, have a look at the [browser:/trunk/src/manager/sqlite.sql SQLite SQL script]. This script creates a user _strongSwan_ with the password _strongSwan_.
To create a SQLite database, use something like:
<pre>
wget http://trac.strongswan.org/browser/trunk/src/manager/sqlite.sql?format=txt -q -O - | sqlite3 /etc/ipsec.d/manager.db
chmod g+w /etc/ipsec.d/manager.db
chgrp vpn /etc/ipsec.d/manager.db
</pre>
The password is stored as a hash in the configuration database (SHA-1 over the username concatenated with the password, hex encoded). To update it to _USERNAME_ and _PASSWORD_ use something like this (on bash):
<pre>
echo "update users set username = 'USERNAME', password = '`echo -n "USERNAMEPASSWORD" \
| sha1sum | awk '{ print $1 }'`';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
If for example USERNAME is *foo* and PASSWORD is *barbara8x92* then the entry becomes
<pre>
echo "update users set username = 'foo', password = '`echo -n "foobarbara8x92" \
| sha1sum | awk '{ print $1 }'`';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
Don't forget to set up write permissions for the apache user.
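A small helper for the hashing step above, added here as an example and not part of the strongSwan project or this wiki page: it computes the same SHA-1 over USERNAME concatenated with PASSWORD, escapes the username for the SQL string literal (a quote in the username would otherwise break the statement the plain echo pipeline builds), and prints the UPDATE statement to pipe into sqlite3. The function names manager_pw_hash, sql_quote and manager_pw_sql are our own.

```shell
#!/bin/sh
# Added example (not strongSwan code): build the manager.db password update
# from a username and password, matching the hashing scheme described above.

# Hex SHA-1 of "$1$2" (username followed directly by password, no newline),
# using sha1sum where available and shasum as a fallback.
manager_pw_hash() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s%s' "$1" "$2" | sha1sum | awk '{ print $1 }'
    else
        printf '%s%s' "$1" "$2" | shasum -a 1 | awk '{ print $1 }'
    fi
}

# Escape a value for use inside an SQL single-quoted literal by doubling
# every single quote, so e.g. o'brien becomes o''brien.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the UPDATE statement. As on this page there is no WHERE clause,
# so it rewrites every row of the users table (the sqlite.sql test data
# creates a single user).
manager_pw_sql() {
    printf "update users set username = '%s', password = '%s';\n" \
        "$(sql_quote "$1")" "$(manager_pw_hash "$1" "$2")"
}

# Usage: manager_pw_sql USERNAME PASSWORD | sqlite3 /etc/ipsec.d/manager.db
```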

h2. Logging in

Surf to
<pre>
http://host/manager/status/ikesalist
</pre>
and have fun.