strongSwan Manager » History » Version 23

Version 22 (Martin Willi, 04.06.2008 16:03) → Version 23/27 (Tobias Brunner, 05.05.2009 19:39)

h1. strongSwan Manager

*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

*_Manager is still under heavy development and not intended for production use!_*

h2. Building strongSwan Manager

The manager is based on a [[FastCGI]] application and uses the ClearSilver templating engine to build the web pages. Thus you will need:
* ClearSilver including headers (Debian: clearsilver-dev)
* [[FastCGI]] headers and library (Debian: libfcgi-dev)
* SQLite3 with headers (Debian: libsqlite3-dev)

The [[FastCGI]] application communicates with the daemon through a Unix socket, which is group-writable. So the [[FastCGI]] user has to be a member of the group under which the daemon runs.
As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:

groupadd vpn

To build the manager, add the following options to ./configure

--enable-smp --enable-manager --enable-sqlite --with-group=vpn

strongSwan releases prior to 4.2.2 use numerical group IDs; use @--with-gid@ instead.

h2. Setting up Apache 2

As the manager uses [[FastCGI]], any web server may be used to host the application. Here we look at the configuration of Apache2 using _mod-fastcgi_.

In addition to the Apache2 web server itself, you'll need
* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):

fastcgi-script .fcgi

Static files are served directly by Apache, everything else is served by the [[FastCGI]] application. Add these two lines to your website configuration:

Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager/manager.fcgi

Adapt these paths according to your @--prefix@ or @--libexecdir@ [[InstallationDocumentation|installation]] settings.

Now you'll need to add the [[FastCGI]] user to the group which is used by strongSwan:

usermod -a -G vpn www-data

This setup is only recommended if you don't run other websites on the same server, as it allows the Apache user to control strongSwan. You really should consider a more secure setup (e.g. a separate user for the Manager, suexec, etc.)!

h2. Configure the manager

The manager uses a small database for user authorization and gateway management. There is no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but [[MySQL]] should work if you set up the database properly.

The manager uses the [[StrongswanConf|strongswan.conf]] configuration file installed in your _sysconfdir_ (e.g. _/etc_):

manager {
    # path to your database
    database = sqlite:///etc/ipsec.d/manager.db
    # disable libfast debugging
    debug = false
    # number of threads to create in libfast
    threads = 5
    # session timeout in seconds
    timeout = 600
    # socket to use if you want to run the manager on the console for debugging;
    # without a socket, Apache creates the manager instances itself
    #socket = /var/lib/apache2/fastcgi/manager
}

To create the database tables and some test data, have a look at the SQLite SQL script (see source:src/manager/sqlite.sql). This script creates a user _strongSwan_ with the password _strongSwan_.

To create a SQLite database, use something like:

wget -q -O - | sqlite3 /etc/ipsec.d/manager.db
chmod g+w /etc/ipsec.d/manager.db
chgrp vpn /etc/ipsec.d/manager.db

The password is stored in the configuration database as the SHA-1 hash of the username concatenated with the password. To update the entry to _USERNAME_ and _PASSWORD_ use something like this (on bash):

echo "update users set username = 'USERNAME', password = '$(echo -n "USERNAMEPASSWORD" | sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db

If for example USERNAME is *foo* and PASSWORD is *barbara8x92* then the command becomes

echo "update users set username = 'foo', password = '$(echo -n "foobarbara8x92" | sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db

Don't forget to set up write permissions for the apache user.
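The same password update and a matching login check, as an added example that is not part of the strongSwan sources: it computes the SHA-1 of username||password exactly as the sha1sum pipeline above does, but binds the values as SQL parameters instead of splicing them into the statement. The _users_ table is a simplified stand-in for the one created by sqlite.sql (assumed columns username and password only).

```python
import hashlib
import hmac
import sqlite3

# Assumption: simplified version of the table sqlite.sql creates.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"


def manager_password_hash(username: str, password: str) -> str:
    """Hex SHA-1 of username || password, i.e. what the sha1sum pipeline on this
    page stores. Note there is no separator, so ("foob", "arbara8x92") hashes to
    the same value as ("foo", "barbara8x92")."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def open_test_db() -> sqlite3.Connection:
    """In-memory database seeded like sqlite.sql: user strongSwan / strongSwan."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("strongSwan", manager_password_hash("strongSwan", "strongSwan")))
    return conn


def rename_user(conn: sqlite3.Connection, old_username: str,
                new_username: str, password: str) -> int:
    """Parameterized equivalent of the page's 'update users set ...' command.
    The hash is recomputed because the username is part of the hashed input.
    Returns the number of rows changed (1 if old_username existed)."""
    cur = conn.execute(
        "UPDATE users SET username = ?, password = ? WHERE username = ?",
        (new_username, manager_password_hash(new_username, password), old_username))
    conn.commit()
    return cur.rowcount


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash for the supplied credentials and compare it in
    constant time against the stored value."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], manager_password_hash(username, password))


if __name__ == "__main__":
    db = open_test_db()
    rename_user(db, "strongSwan", "foo", "barbara8x92")
    print("login ok:", verify_login(db, "foo", "barbara8x92"))
```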

h2. Logging in

Surf to


and have fun.