
Version 22 (Martin Willi, 04.06.2008 16:03) → Version 23/27 (Tobias Brunner, 05.05.2009 19:39)


h1. strongSwan Manager



*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

!manager.png!

----

_*strongSwan Manager is still under heavy development and not intended for production use!*_
----



h2. Building strongSwan Manager



The manager is a [[FastCGI]] application and uses the "ClearSilver templating engine":http://www.clearsilver.net/ to build the web pages. Thus you will need
* ClearSilver including headers (Debian: clearsilver-dev)
* [[FastCGI]] headers and library (Debian: libfcgi-dev)
* SQLite3 with headers (Debian: libsqlite3-dev)

The [[FastCGI]] application communicates with the daemon through a Unix socket, which is group-writable. So the [[FastCGI]] user has to be in the group under which the daemon runs.
As you don't want to add that user to group 0, it's highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:
<pre>
groupadd vpn
</pre>



To build the manager, add the following options to ./configure
<pre>
--enable-smp --enable-manager --enable-sqlite --with-group=vpn
</pre>

strongSwan releases prior to 4.2.2 use numerical group IDs; use @--with-gid@ instead.



h2. Setting up Apache 2



As the manager uses [[FastCGI]], any web server may be used to host the application. Here we look at the configuration of Apache2 using _mod-fastcgi_.

In addition to the Apache2 web server itself, you'll need
* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure to enable the new module and that the following fastcgi option is set (e.g. in mods-enabled/fastcgi.conf):
<pre>
AddHandler fastcgi-script .fcgi
</pre>

Static files are served directly by Apache; everything else is served by the [[FastCGI]] application. Add these two lines to your website configuration:
<pre>
Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager/manager.fcgi
</pre>

Adapt these paths according to your @--prefix@ or @--libexecdir@ [[InstallationDocumentation|installation]] settings.

Now you'll need to add the [[FastCGI]] user to the group used by strongSwan:
<pre>
usermod -a -G vpn www-data
</pre>

This setup is only recommended if you don't run other websites, as it allows the Apache user to control strongSwan. You really should consider a more secure setup (e.g. a separate user for the manager, suexec, etc.)!



h2. Configure the manager



The manager uses a small database for user authorization and gateway management. We have no frontend yet, so you'll need to set up this database yourself. It is tested with SQLite, but [[MySQL]] should work if you set up the database properly.

The manager uses the [[StrongswanConf|strongswan.conf]] configuration file installed in your _sysconfdir_ (e.g. _/etc_):
<pre>
manager {
# path to your database
database = sqlite:///etc/ipsec.d/manager.db
# disable libfast debugging
debug = false
# number of threads to create in libfast
threads = 5
# session timeout
timeout = 600
# socket, if you want to run manager on console to debug. No socket lets apache create manager instances
#socket = /var/lib/apache2/fastcgi/manager
}
</pre>

To create the database tables and some test data, have a look at the SQLite SQL script (see source:src/manager/sqlite.sql). This script creates a user _strongSwan_ with the password _strongSwan_.


To create a SQLite database, use something like:
<pre>
wget http://wiki.strongswan.org/repositories/entry/strongswan/src/manager/sqlite.sql?format=raw -q -O - | sqlite3 /etc/ipsec.d/manager.db
chmod g+w /etc/ipsec.d/manager.db
chgrp vpn /etc/ipsec.d/manager.db
</pre>

The password is stored in the configuration database as the hex SHA-1 hash of the username concatenated with the password. To change the credentials to _USERNAME_ and _PASSWORD_ use something like this (on bash; the hash is computed in a command substitution and spliced into the SQL statement):
<pre>
echo "update users set username = 'USERNAME', password = '$(echo -n "USERNAMEPASSWORD" \
| sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db
</pre>

If for example USERNAME is *foo* and PASSWORD is *barbara8x92* then the command becomes
<pre>
echo "update users set username = 'foo', password = '$(echo -n "foobarbara8x92" \
| sha1sum | awk '{ print $1 }')';" | sqlite3 /etc/ipsec.d/manager.db
</pre>

Don't forget to set up write permissions for the apache user.
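The shell one-liner above splices the hash into an SQL string by hand, which breaks as soon as a username or password contains a single quote. As an added example (not part of the wiki page or of strongSwan's own code), the following Python script does the same credential update with bound parameters and then performs the lookup the hashing scheme implies, so you can check the stored hash before touching the real database. The users table schema is an assumption reduced to the two columns the page discusses; the real one is in sqlite.sql, and the in-memory database stands in for /etc/ipsec.d/manager.db.

```python
import hashlib
import sqlite3

# Assumed minimal schema: only the two columns the page talks about. The real
# table definition is in src/manager/sqlite.sql and is not reproduced here.
USERS_SCHEMA = "CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)"


def manager_password_hash(username: str, password: str) -> str:
    """Hex SHA-1 of username||password, the same value the page's
    'echo -n USERNAMEPASSWORD | sha1sum' pipeline produces."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def create_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for manager.db, seeded with the strongSwan/strongSwan
    account that sqlite.sql creates (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(USERS_SCHEMA)
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("strongSwan", manager_password_hash("strongSwan", "strongSwan")),
    )
    conn.commit()
    return conn


def set_credentials(conn: sqlite3.Connection, old_username: str,
                    new_username: str, new_password: str) -> int:
    """Replace one account's credentials. Bound parameters mean quotes in the
    password cannot break the statement. Because the hash covers the username,
    a renamed account must be re-hashed, which this function does.
    Returns the number of rows updated (0 if old_username does not exist)."""
    cur = conn.execute(
        "UPDATE users SET username = ?, password = ? WHERE username = ?",
        (new_username, manager_password_hash(new_username, new_password), old_username),
    )
    conn.commit()
    return cur.rowcount


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Lookup implied by the page's scheme: hash the submitted pair and look for
    a row with that username and hash."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, manager_password_hash(username, password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = create_demo_db()
    print("rows updated:", set_credentials(db, "strongSwan", "foo", "barbara8x92"))
    print("login foo/barbara8x92:", verify_login(db, "foo", "barbara8x92"))
    print("login foo/wrong:", verify_login(db, "foo", "wrong"))
```

To apply it to the real file, replace @sqlite3.connect(":memory:")@ with the path from the @database@ setting in strongswan.conf and skip @create_demo_db()@. Note that the scheme is an unsalted SHA-1 of username and password, so the database file deserves the same group-only permissions as the rest of the setup.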



h2. Logging in



Surf to
<pre>
http://host/manager/status/ikesalist
</pre>

and have fun.