UCI Configuration Backend¶
What's UCI?¶
UCI is the configuration interface of OpenWrt and the successor of the nvram utility.
Because the hardware that runs OpenWrt usually has few resources, strongSwan supports this configuration method natively through a plugin since version 4.2.4.
How to configure for uci support?¶
Build with the configure option --enable-uci. The plugin also needs the libuci library and the uci tool at runtime.
Controlling the daemon¶
Connecting, disconnecting and printing the status cannot be done through the uci interface. Instead the plugin uses a FIFO on the filesystem: it reads commands from the FIFO and writes its status messages back to it.
For example, this command prints the status of your connections:
# echo status > /var/run/charon.fifo
Because it is a FIFO, you have to read from it right after passing the command; otherwise the pending reply blocks any further interaction with the daemon through the FIFO.
# cat /var/run/charon.fifo
ucitest bob@strongswan.org 123.123.123.123 192.168.10.0/24
To start a connection you can simply run:
# echo up ucitest > /var/run/charon.fifo
where ucitest is the name of your connection.
You then have to fetch the feedback message:
# cat /var/run/charon.fifo
connection 'ucitest' established
Note again: after every command you have to read the message waiting on the FIFO. Otherwise it blocks any further interaction with the daemon.
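The write-then-read discipline above is easy to get wrong from scripts, so here is a small wrapper, added as an example and not part of strongSwan or the OpenWrt package. It sends one command to the FIFO, reads the reply immediately, and gives up after a timeout instead of hanging when charon is not running. It assumes POSIX sh, a 'timeout' command (coreutils or BusyBox) and the reply texts shown on this page; the "down" command and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not strongSwan's own code): wrapper around the control FIFO
# of the UCI plugin. Every write must be followed by a read, otherwise the
# next command blocks; charon_cmd does both in one step and fails after a
# timeout instead of blocking forever when no daemon is reading the FIFO.
# Assumes POSIX sh and a 'timeout' command (coreutils/BusyBox).

CHARON_FIFO="${CHARON_FIFO:-/var/run/charon.fifo}"
CHARON_TIMEOUT="${CHARON_TIMEOUT:-5}"

# charon_cmd "<command>": send one command, print the daemon's reply on stdout.
# Returns 2 if the FIFO is missing, 3 if nobody reads it, 4 if no reply came.
charon_cmd() {
    cmd="$1"
    [ -p "$CHARON_FIFO" ] || { echo "no FIFO at $CHARON_FIFO" >&2; return 2; }
    # Opening a FIFO for writing blocks until a reader (charon) opens it; cap the wait.
    timeout "$CHARON_TIMEOUT" sh -c 'printf "%s\n" "$1" > "$2"' sh "$cmd" "$CHARON_FIFO" \
        || { echo "no reader on $CHARON_FIFO (is charon running?)" >&2; return 3; }
    # Read the reply right away so the FIFO is drained before the next command.
    timeout "$CHARON_TIMEOUT" cat "$CHARON_FIFO" \
        || { echo "no reply within ${CHARON_TIMEOUT}s" >&2; return 4; }
}

# charon_up "<name>": bring a connection up and verify the reply text the page
# shows ("connection '<name>' established"); any other reply is a failure.
charon_up() {
    reply=$(charon_cmd "up $1") || return $?
    printf '%s\n' "$reply"
    case "$reply" in
        *"'$1' established"*) return 0 ;;
        *) return 1 ;;
    esac
}

# charon_down "<name>": assumed counterpart of "up" (the page only shows "up").
charon_down() { charon_cmd "down $1"; }

# charon_status: the "status" command from the page.
charon_status() { charon_cmd "status"; }
```

Usage: `. ./charon_fifo.sh; charon_up ucitest || logger -t vpn "ucitest did not come up"`. Because the reply is always consumed, a sequence of `charon_status; charon_up ucitest; charon_status` cannot deadlock on a stale message.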
Using uci¶
You should have a configuration file /etc/config/strongswan with content like the following. charon reads the 'strongswan' section of that package to get its configuration values.
config 'strongswan'
	option 'local_id' 'alice@strongswan.org'
	option 'local_net' '192.168.1.0/24'
	option 'remote_addr' '123.123.123.123'
	option 'remote_net' '192.168.10.0/24'
	option 'remote_id' 'bob@strongswan.org'
	option 'psk' 'XXXXXXX'
	option 'name' 'ucitest'
	option 'mode' 'client'
	option 'auto' '1'
You can print the configuration by simply typing (this output was captured from a different configuration than the file above and includes more options):
# uci show strongswan
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.remote_addr=100.100.100.2
strongswan.cfg020870.remote_net=192.168.2.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=100.100.100.1
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
You can change single configuration fields by setting them with:
# uci set strongswan.cfg020870.auto=0
or
# uci set strongswan.cfg020870.name=strongSwan
uci set only stages the change; run uci commit strongswan to write it to /etc/config/strongswan, and restart the daemon for it to take effect.
To read single configuration fields you type:
# uci get strongswan.cfg020870.auto
1
or
# uci get strongswan.cfg020870.name
ucitest
Start and stop strongSwan¶
If you use the standard strongswan package from the OpenWrt distribution, it ships an init script you can call with:
# /etc/init.d/strongswan {start|stop|restart}
Starting the connections marked auto is currently done by the init script; eventually this should be done by the daemon itself.
Keyword explanation¶
local_id - Your local id (string)
local_net - Your local internal network (network)
local_addr - Your local external IP address (ip address)
remote_id - The id of the other vpn endpoint (string)
remote_net - The remote internal network (network)
remote_addr - The remote external IP address (ip address)
psk - Your pre-shared key (string)
name - a name for the connection (if not provided the name is given by the config 'name' pattern) (string)
auto - start the connection automatically (bool)
ike_proposal - The encryption algorithm and key length, integrity algorithm and DH group of the IKE proposal (aes256-sha1-modp2048/aes128-sha1-modp2048)
ike_rekey - The time after which the IKE SA is rekeyed, in hours (integer)
esp_proposal - The encryption algorithm and key length, integrity algorithm and DH group of the ESP proposal; the DH group enables perfect forward secrecy for the child SA (aes256-sha1-modp2048/aes128-sha1-modp2048)
esp_rekey - The time after which the ESP SA is rekeyed, in hours (integer)
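Since the keywords above are only checked when charon loads the package, it is useful to lint /etc/config/strongswan before uci commit and a restart. The following script is an added example, not part of strongSwan or OpenWrt: it parses the UCI file format shown in the configuration section (a 'config' line followed by 'option' lines) with awk and checks the keywords documented here. Its assumptions, not stated on this page: local_id, remote_id, remote_addr and psk are treated as required, the only proposal values it accepts are the two listed above, and it flags the file as world-readable because it holds the psk. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not strongSwan's or OpenWrt's code): pre-flight check of
# /etc/config/strongswan before 'uci commit strongswan' and a daemon restart.
# Assumptions: local_id, remote_id, remote_addr and psk are required; the
# proposal values accepted are the two the page lists. Needs POSIX sh and awk.

# uci_options FILE SECTION_TYPE: print key=value for every option of the first
# 'config SECTION_TYPE' stanza in FILE. Quotes around names and values are optional.
uci_options() {
    awk -v want="$2" '
        function unq(s) {
            sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
            gsub(/^['\''"]|['\''"]$/, "", s)
            return s
        }
        $1 == "config" { insec = (!done && unq($2) == want); if (insec) done = 1; next }
        insec && $1 == "option" {
            line = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", line)   # drop "option <name>"
            print unq($2) "=" unq(line)
        }
    ' "$1"
}

# opt_value OPTIONS KEY: value of KEY from uci_options output (empty if unset).
opt_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# strongswan_uci_check FILE: print one finding per line; return 1 if any were found.
strongswan_uci_check() {
    f="$1"; findings=0
    opts=$(uci_options "$f" strongswan)
    [ -n "$opts" ] || { echo "no 'config strongswan' section in $f"; return 1; }
    for k in local_id remote_id remote_addr psk; do
        [ -n "$(opt_value "$opts" "$k")" ] || { echo "missing option '$k'"; findings=$((findings + 1)); }
    done
    # A psk left at the placeholder from the page's template is a common mistake.
    case "$(opt_value "$opts" psk)" in
        XXXXXXX) echo "psk is still the placeholder value"; findings=$((findings + 1)) ;;
    esac
    case "$(opt_value "$opts" auto)" in
        ''|0|1) ;;
        *) echo "auto must be 0 or 1"; findings=$((findings + 1)) ;;
    esac
    for k in ike_proposal esp_proposal; do
        v=$(opt_value "$opts" "$k")
        case "$v" in
            ''|aes256-sha1-modp2048|aes128-sha1-modp2048) ;;
            *) echo "$k='$v' is not one of the documented proposals"; findings=$((findings + 1)) ;;
        esac
    done
    for k in ike_rekey esp_rekey; do
        v=$(opt_value "$opts" "$k")
        case "$v" in
            *[!0-9]*) echo "$k must be an integer number of hours"; findings=$((findings + 1)) ;;
        esac
    done
    # The file holds the pre-shared key: the "other" permission bits (chars 8-10 of
    # 'ls -l') must not include read.
    case "$(ls -ld "$f" | cut -c8-10)" in
        *r*) echo "$f is world-readable but contains the psk"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}
```

Usage: `strongswan_uci_check /etc/config/strongswan && uci commit strongswan && /etc/init.d/strongswan restart`. The permission check matters because UCI files are plain text; a psk in a world-readable file is readable by every local process, not just root.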