UCI Configuration Backend

What's UCI?

UCI is the new configuration interface for OpenWrt. It's the successor of the nvram utility.
As the hardware which runs OpenWrt does normally not have a lot of resources strongSwan now supports this configuration method natively as a plug-in since version 4.2.4.

How to configure for uci support?

Use the configure option --enable-uci. You also need the libuci library and the uci tool.

Controlling the daemon

To connect, disconnect and printing the status we can't use the uci interface. Therefore we use a FIFO pipe on the filesystem to read commands and write status messages to.

For example this command will print the status of your connections:

# echo status > /var/run/charon.fifo

Because it's a FIFO pipe you have to read from this pipe right after you have passed the command to it or it will block any further actions involving the FIFO.

# cat /var/run/charon.fifo

To start and stop connection you can simply run this:

# echo up ucitest > /var/run/charon.fifo

Where ucitest is the name of your connection.

You have to check the feedback message with:

# cat /var/run/charon.fifo
connection 'ucitest' established

Note again: You have to check if there is a message on the fifo waiting to be fetched. Otherwise it will block any further interaction with the daemon.

Using uci

You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.

config 'strongswan'
        option 'local_id' ''
        option 'local_net' ''
        option 'remote_addr' ''
        option 'remote_net' ''
        option 'remote_id' ''
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'

You can get the configuration by simply typing:

# uci show strongswan

You can manipulate single configuration fields by setting them with:

# uci set


# uci set

To get single configuration fields you type:

# uci get


# uci get

Start and stop strongSwan

If you use the standard strongswan package from the OpenWrt distribution, there should be an Init script you can call with:

# /etc/init.d/strongswan [<start><stop><restart>]

The auto connecting is done in the Init script. Once this should be done in the daemon itself.

Keyword explanation

local_id - Your local id (string)

local_net - Your local internal network (network)

local_addr - Your local external IP address (ip address)

remote_id - The id of the other vpn endpoint (string)

remote_net - The remote internal network (network)

remote_addr - The remote external IP address (ip address)

psk - Your pre shared key (string)

name - a name for the connection (if not provided the name is given by the config 'name' pattern) (string)

auto - start the connection automatically (bool)

ike_proposal - The encryption mode, hash mode and key length of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

ike_rekey - The time to rekey the ike connection in hours (integer)

esp_proposal - The encryption mode, hash mode and key length of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

esp_rekey - The time to rekey the esp connection in hours (integer)