strongSwan Manager » History » Version 26

Tobias Brunner, 22.10.2015 09:30
URL to SQL script updated

h1. strongSwan Manager

*strongSwan Manager* is a web application which interacts with the IKEv2 daemon [[charon]] via an XML interface running the [[SMP]] information query and control protocol.

!manager.png!

----

*strongSwan Manager is still under heavy development and not intended for production use!*

----

h2. Building strongSwan Manager

The manager is a FastCGI application and uses the "ClearSilver templating engine":http://www.clearsilver.net/ to render its web pages. To build it you will therefore need:
* ClearSilver including headers (Debian: clearsilver-dev)
* FastCGI headers and library (Debian: libfcgi-dev)
* SQLite3 with headers (Debian: libsqlite3-dev)

The FastCGI application communicates through a Unix socket that is group-writable, so the user it runs as has to be a member of the group under which the daemon runs.
Since you don't want to add that user to group 0 (root), it is highly recommended to run strongSwan under a [[nonRoot|non-root]] group. Create a group for that purpose:
<pre>
groupadd vpn
</pre>

To build the manager, add the following options to @./configure@:
<pre>
--enable-smp --enable-manager --enable-sqlite --with-group=vpn
</pre>
strongSwan releases prior to 4.2.2 expect a numerical group ID here; use @--with-gid@ instead of @--with-group@.

h2. Setting up Apache 2

As the manager uses FastCGI, any web server may be used to host the application. Here we look at the configuration of Apache2 using _mod-fastcgi_.

In addition to the Apache2 web server itself, you'll need:
* mod-fastcgi (Debian: libapache2-mod-fastcgi)

Make sure the new module is enabled and that the following FastCGI option is set (e.g. in mods-enabled/fastcgi.conf):
<pre>
AddHandler fastcgi-script .fcgi
</pre>
Static files are served directly by Apache, everything else is handled by the FastCGI application. Add these two lines to your site configuration:
<pre>
Alias /manager/static /usr/local/libexec/ipsec/manager/templates/static
ScriptAlias /manager /usr/local/libexec/ipsec/manager/manager.fcgi
</pre>
Adapt these paths according to your @--prefix@ or @--libexecdir@ [[InstallationDocumentation|installation]] settings.

Now add the FastCGI user to the group used by strongSwan:
<pre>
usermod -a -G vpn www-data
</pre>
This setup is only recommended if you don't run other websites, as it allows the Apache user to control strongSwan. You really should consider a more secure setup (e.g. a separate user for the manager, suexec, etc.)!

h2. Configure the manager

The manager uses a small database for user authorization and gateway management. There is no frontend for it yet, so you'll need to set up this database yourself. It is tested with SQLite, but MySQL should work if you set up the database properly.

The manager is configured in the [[StrongswanConf|strongswan.conf]] file installed in your _sysconfdir_ (e.g. _/etc_):
<pre>
manager {
  # path to your database
  database = sqlite:///etc/ipsec.d/manager.db
  # disable libfast debugging
  debug = false
  # number of threads to create in libfast
  threads = 5
  # session timeout
  timeout = 600
  # socket to listen on if you want to run the manager on the console for debugging;
  # without a socket, Apache spawns the manager instances itself
  #socket = /var/lib/apache2/fastcgi/manager
}
</pre>
To create the database tables and some test data, have a look at the SQLite SQL script (see source:src/manager/sqlite.sql). This script creates a user _strongSwan_ with the password _strongSwan_.

To create an SQLite database, use something like:
<pre>
wget https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/raw/src/manager/sqlite.sql -q -O - | sqlite3 /etc/ipsec.d/manager.db
chmod g+w /etc/ipsec.d/manager.db
chgrp vpn /etc/ipsec.d/manager.db
</pre>
Passwords are stored in the database as the SHA-1 hash of the username concatenated with the password. To change the test user's credentials to _USERNAME_ and _PASSWORD_, use something like this (in bash):
<pre>
echo "update users set username = 'USERNAME', password = '`echo -n "USERNAMEPASSWORD" \
| sha1sum | awk '{ print $1 }'`';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
If, for example, USERNAME is *foo* and PASSWORD is *barbara8x92*, the command becomes:
<pre>
echo "update users set username = 'foo', password = '`echo -n "foobarbara8x92" \
| sha1sum | awk '{ print $1 }'`';" | sqlite3 /etc/ipsec.d/manager.db
</pre>
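The same credential scheme in Python, as an added example that is not part of this wiki page or of the strongSwan sources: @manager_hash@ reproduces the @sha1sum@ pipeline above, @set_credentials@ writes the result into the @users@ table with bound parameters instead of shell interpolation, and @check_login@ verifies a login against the stored hash. The @users@ schema used here is a constructed minimal stand-in for @src/manager/sqlite.sql@; only the @username@ and @password@ columns that the UPDATE statement touches are assumed.

```python
import hashlib
import sqlite3


def manager_hash(username: str, password: str) -> str:
    """Equivalent of: echo -n "USERNAMEPASSWORD" | sha1sum | awk '{ print $1 }'
    The hash is unsalted and the two fields are joined without a separator,
    so ("ab", "c") and ("a", "bc") hash to the same value."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def open_manager_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open manager.db. The CREATE TABLE is a constructed minimal stand-in
    for the schema in src/manager/sqlite.sql (assumption, not the real DDL);
    the strongSwan/strongSwan test user is the one that script creates."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users "
                 "(username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT OR IGNORE INTO users VALUES (?, ?)",
                 ("strongSwan", manager_hash("strongSwan", "strongSwan")))
    conn.commit()
    return conn


def set_credentials(conn: sqlite3.Connection, old_username: str,
                    new_username: str, new_password: str) -> int:
    """Same effect as the wiki's UPDATE statement, but with bound parameters
    and restricted to one row via WHERE (the wiki command updates every row).
    Returns the number of rows changed: 1 if old_username existed."""
    cur = conn.execute(
        "UPDATE users SET username = ?, password = ? WHERE username = ?",
        (new_username, manager_hash(new_username, new_password), old_username))
    conn.commit()
    return cur.rowcount


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash for the supplied credentials and compare it with the
    stored value; any verifier of this scheme has to do exactly this."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and row[0] == manager_hash(username, password)


if __name__ == "__main__":
    db = open_manager_db()
    set_credentials(db, "strongSwan", "foo", "barbara8x92")
    print(check_login(db, "foo", "barbara8x92"), check_login(db, "foo", "nope"))
```

Point @open_manager_db@ at @/etc/ipsec.d/manager.db@ to run it against a real manager database; the in-memory default is only for trying the scheme out.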
Don't forget to set up write permissions on the database file for the Apache user.

h2. Logging in

Surf to
<pre>
http://host/manager/status/ikesalist
</pre>
and have fun.