UCI Configuration Backend

What's UCI?

UCI is the configuration interface of OpenWrt and the successor of the nvram utility.
Because the hardware that runs OpenWrt usually has few resources, strongSwan supports this configuration method natively as a plug-in since version 4.2.4.

How to configure for UCI support?

Use the configure option --enable-uci. The libuci library and the uci tool are required as well.

Controlling the daemon

Connecting, disconnecting and printing the status cannot be done through the UCI interface. The plug-in therefore uses a FIFO on the filesystem from which it reads commands and to which it writes status messages.

For example, this command prints the status of your connections:

# echo status > /var/run/charon.fifo

Because it is a FIFO, you have to read from it right after passing the command; otherwise the unread reply blocks any further actions involving the FIFO.

# cat /var/run/charon.fifo
ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24

To start or stop a connection you can simply run this:

# echo up ucitest > /var/run/charon.fifo

Here ucitest is the name of your connection.

You then have to fetch the feedback message with:

# cat /var/run/charon.fifo
connection 'ucitest' established

Note again: always check whether a message is waiting on the FIFO to be fetched. An unread message blocks any further interaction with the daemon.
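
The read-right-after-write discipline described above, packaged as a small wrapper. This is an added example and not code from the strongSwan wiki or the uci plug-in; the fake_charon function, the demo argument, the CHARON_FIFO override and the sample replies are assumptions made here so that the handshake can be exercised offline without a running charon.

```shell
#!/bin/sh
# Added example, not from the strongSwan wiki or the uci plug-in: a wrapper
# around the charon control FIFO that always drains the reply right after a
# command, plus a fake daemon so the handshake can be exercised offline.

# Control FIFO; the real one created by the plug-in is /var/run/charon.fifo.
# CHARON_FIFO is an assumed override for testing, not a plug-in setting.
FIFO="${CHARON_FIFO:-/var/run/charon.fifo}"

# Send one command ("status", "up ucitest", ...) and print the daemon's reply.
# Reading immediately after writing is what keeps an unread reply from
# blocking every later command on the FIFO.
charon_cmd() {
    echo "$*" > "$FIFO"
    cat "$FIFO"
}

# Fake daemon for offline runs (an assumption for this demo): answers a few
# commands with constructed replies in the format shown on this page and
# exits on "quit". In production, charon itself serves the FIFO.
fake_charon() {
    while read -r cmd < "$FIFO"; do
        case "$cmd" in
            status)
                echo "ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24" > "$FIFO" ;;
            "up ucitest")
                echo "connection 'ucitest' established" > "$FIFO" ;;
            quit)
                break ;;
            *)
                echo "unknown command '$cmd'" > "$FIFO" ;;
        esac
    done
}

# Run the wrapper against the fake daemon on a temporary FIFO, print both
# replies (status line first) and return 0 only if both arrived intact.
demo() {
    dir=$(mktemp -d)
    FIFO="$dir/charon.fifo"
    mkfifo "$FIFO"
    fake_charon &
    pid=$!

    st=$(charon_cmd status)
    up=$(charon_cmd up ucitest)
    echo quit > "$FIFO"
    wait "$pid"
    rm -rf "$dir"

    printf '%s\n%s\n' "$st" "$up"
    [ -n "$st" ] && [ "$up" = "connection 'ucitest' established" ]
}

# "sh this_script.sh demo" exercises the handshake offline; with no argument
# only the functions are defined, so the script can be sourced on the router.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On the router, source the script and call charon_cmd status or charon_cmd up ucitest; each call returns only once the daemon's reply has been read, so the FIFO is never left with a pending message. The fake daemon mirrors the real exchange: one open for reading to take the command, one open for writing to deliver the reply.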

Using uci

You should have a configuration file "/etc/config/strongswan" with content like the following. charon reads the 'strongswan' section of this package to get its configuration values.

config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'remote_id' 'bob@strongswan.org'
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'

You can display the whole configuration by simply typing:

# uci show strongswan
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.remote_addr=100.100.100.2
strongswan.cfg020870.remote_net=192.168.2.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=100.100.100.1
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1

You can manipulate single configuration fields by setting them with:

# uci set strongswan.cfg020870.auto=0

or

# uci set strongswan.cfg020870.name=strongSwan

To read single configuration fields you type:

# uci get strongswan.cfg020870.auto
1

or

# uci get strongswan.cfg020870.name
ucitest

Start and stop strongSwan

If you use the standard strongswan package from the OpenWrt distribution, there is an init script you can call with:

# /etc/init.d/strongswan {start|stop|restart}

Automatic starting of connections (the auto option) is currently done in the init script. Eventually this should be handled by the daemon itself.

Keyword explanation

local_id - Your local ID (string)

local_net - Your local internal network (network)

local_addr - Your local external IP address (IP address)

remote_id - The ID of the other VPN endpoint (string)

remote_net - The remote internal network (network)

remote_addr - The remote external IP address (IP address)

psk - Your pre-shared key (string)

name - A name for the connection (if not provided, the name is taken from the config 'name' pattern) (string)

auto - Start the connection automatically (bool)

ike_proposal - The encryption algorithm and key length, hash algorithm and Diffie-Hellman group of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

ike_rekey - The time after which the IKE connection is rekeyed, in hours (integer)

esp_proposal - The encryption algorithm and key length, hash algorithm and Diffie-Hellman group of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

esp_rekey - The time after which the ESP connection is rekeyed, in hours (integer)
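
A pre-flight check that applies the keyword list above to a /etc/config/strongswan file before charon is (re)started. It is an added example and not code from the strongSwan wiki or the uci plug-in: it parses the file itself instead of calling the uci tool, assumes the single-quoted option layout shown in the "Using uci" section, and the uci_opt, lint_strongswan_config and write_samples functions as well as the two sample files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the strongSwan wiki or the uci plug-in: a pre-flight
# check for /etc/config/strongswan based on the keyword list on this page. It
# parses the file directly, so it also runs where the uci tool is not installed,
# and assumes the single-quoted "option 'key' 'value'" layout shown above.

# Print the value of option $1 in config file $2 (first match, or nothing).
uci_opt() {
    sed -n "s/^[[:space:]]*option '$1' '\(.*\)'[[:space:]]*$/\1/p" "$2" | head -n 1
}

# Record one problem for the file currently being checked.
complain() {
    echo "$lint_file: $1"
    problems=$((problems + 1))
}

# Check one config file: prints a line per problem and returns the count,
# so a return status of 0 means nothing obviously wrong was found.
lint_strongswan_config() {
    lint_file=$1
    problems=0

    # Keys charon needs to build a client connection from this section.
    for key in local_id local_net remote_addr remote_net remote_id psk name mode; do
        [ -n "$(uci_opt "$key" "$lint_file")" ] || complain "missing option '$key'"
    done

    # A PSK copied verbatim from the example gives no protection at all.
    case "$(uci_opt psk "$lint_file")" in
        XXXXXXX) complain "psk is still the placeholder from the example" ;;
    esac

    # Proposals: only the two combinations documented under "Keyword explanation".
    for key in ike_proposal esp_proposal; do
        val=$(uci_opt "$key" "$lint_file")
        case "$val" in
            ""|aes256-sha1-modp2048|aes128-sha1-modp2048) ;;
            *) complain "$key '$val' is not a documented proposal" ;;
        esac
    done

    # auto is a boolean, the rekey times are whole hours.
    val=$(uci_opt auto "$lint_file")
    case "$val" in
        ""|0|1) ;;
        *) complain "auto must be 0 or 1, got '$val'" ;;
    esac
    for key in ike_rekey esp_rekey; do
        val=$(uci_opt "$key" "$lint_file")
        case "$val" in
            "") ;;
            *[!0-9]*) complain "$key must be an integer number of hours, got '$val'" ;;
        esac
    done

    return "$problems"
}

# Constructed sample files for an offline run: "good" mirrors the page's
# example with a made-up PSK, "bad" contains five deliberate mistakes
# (missing remote_id, placeholder PSK, unknown proposal, bad auto, bad rekey).
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good" <<'EOF'
config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'remote_id' 'bob@strongswan.org'
        option 'psk' 'constructed-example-psk-change-me'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'
        option 'ike_proposal' 'aes128-sha1-modp2048'
        option 'ike_rekey' '1'
EOF
    cat > "$dir/bad" <<'EOF'
config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' 'yes'
        option 'esp_proposal' '3des-md5-modp1024'
        option 'esp_rekey' 'soon'
EOF
    echo "$dir"
}

# Usage on the router: sh this_script.sh /etc/config/strongswan
if [ "$#" -gt 0 ]; then
    lint_strongswan_config "$1"
fi
```

Run it against the real file before /etc/init.d/strongswan restart; a non-zero exit status and the printed lines tell you which option to fix with uci set. The placeholder check exists because the example section on this page ships with 'psk' 'XXXXXXX', and a copied example is the easiest way to end up with a tunnel whose only secret is public.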