UCI Configuration Backend » History » Version 2
Martin Willi, 04.08.2008 16:00
== UCI ==

=== What's uci? ===

uci is the configuration interface of OpenWrt and the successor of the nvram utility.
Because the hardware that runs OpenWrt usually has few resources, strongSwan now supports this configuration method natively through a plugin that reads the connections directly from uci.

=== How to configure for uci support? ===

Build strongSwan with the configure option "--enable-uci". The plugin links against libuci, so the library (with its headers) and the uci command line tool have to be installed.

=== Controlling the daemon ===

Connecting, disconnecting and printing the status cannot be done through the uci interface. The plugin therefore uses a FIFO (named pipe) on the file system: commands are written to it and status messages are read back from it. Whoever can write to that FIFO controls the VPN, so make sure it is writable by root only (check with "ls -l /var/run/charon.fifo").

For example, this command prints the status of your connections:

{{{
echo status > /var/run/charon.fifo
}}}

Because the daemon writes its answer into the same FIFO, you have to read from it right after passing the command. A reply that is never read blocks the daemon on its write, and every further action involving the FIFO is stuck behind it.

{{{
cat /var/run/charon.fifo
}}}

This prints something like:

{{{
ucitest bob@strongswan.org 123.123.123.123 192.168.10.0/24
}}}

matching the name, remote_id, remote_addr and remote_net of the sample configuration below. To start or stop a connection you run, for example:

{{{
echo up ucitest > /var/run/charon.fifo
}}}

where ucitest is the name of your connection. Again, fetch the feedback message right away:

{{{
cat /var/run/charon.fifo
connection 'ucitest' established
}}}

Note again: after every command check whether a message is waiting in the FIFO and fetch it. Otherwise it blocks any further interaction with the daemon.

=== Using uci ===

The configuration lives in "/etc/config/strongswan", a uci package file with the following content. Charon reads the sections of type 'strongswan' from this package; each such section describes one connection. The 'psk' value below is a placeholder that must be replaced with a real pre-shared key; the file holds the key in plain text, so keep it unreadable for other users.

{{{
config 'strongswan'
option 'local_id' 'alice@strongswan.org'
option 'local_net' '192.168.1.0/24'
option 'remote_addr' '123.123.123.123'
option 'remote_net' '192.168.10.0/24'
option 'remote_id' 'bob@strongswan.org'
option 'psk' 'XXXXXXX'
option 'name' 'ucitest'
option 'mode' 'client'
option 'auto' '1'
}}}

You can list the whole configuration by simply typing:

{{{
uci show strongswan
}}}

This prints something like the following (the values come from a different setup than the file above). uci names an anonymous section such as the one above itself, here cfg020870, and it prints the psk in clear text, so do not paste this output into tickets or logs:

{{{
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.remote_addr=152.96.15.234
strongswan.cfg020870.remote_net=192.168.50.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=152.96.15.230
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
}}}

You can change single configuration fields by setting them with:

{{{
uci set strongswan.cfg020870.auto=0
}}}

or

{{{
uci set strongswan.cfg020870.name=strongSwan
}}}

uci keeps such changes staged until you run "uci commit strongswan", which writes them to /etc/config/strongswan. To be sure the daemon uses the new values, restart it with the init script described below. To read a single field type:

{{{
uci get strongswan.cfg020870.auto
}}}

which answers with the stored value (uci get also returns a staged but not yet committed value; the answers below are those of the original configuration):

{{{
1
}}}

or

{{{
uci get strongswan.cfg020870.name
}}}

Answer:

{{{
ucitest
}}}

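The file format and the uci show/get commands above, reproduced offline: the following shell helpers are an added example and are not part of strongSwan or of OpenWrt's uci. They parse a uci package file directly, print it in the uci show form, look up single options like uci get, and run the checks a practitioner wants before starting charon: required options present (treated as required here: local_id, remote_id, remote_addr, psk), psk neither the XXXXXXX placeholder nor shorter than MIN_PSK_LEN characters (a local policy assumed here, not a strongSwan rule), and the file not readable by group or others. Anonymous sections are numbered cfg000001, cfg000002, ... by position here, whereas real uci derives names like cfg020870 from a hash, so the section names differ from the real tool's.

```shell
# Added example: offline helpers for a uci package file. Not strongSwan's or
# OpenWrt's code. Assumptions: one option per line, values quoted with ' or "
# (or bare), no 'list' entries; anonymous sections are named by position.

# Strip one layer of single or double quotes from a uci token.
uci_unquote() {
    v=$1
    case "$v" in
        \'*\') v=${v#\'}; v=${v%\'} ;;
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Print FILE (package PKG) in the key=value form that 'uci show' uses.
uci_show_file() {
    file=$1; pkg=$2; idx=0; section=""
    while read -r kw a b || [ -n "$kw" ]; do
        case "$kw" in
            ''|\#*) ;;                                   # blank line or comment
            config)
                type=$(uci_unquote "$a"); name=$(uci_unquote "$b")
                if [ -z "$name" ]; then                  # anonymous section
                    idx=$((idx + 1)); name=$(printf 'cfg%06d' "$idx")
                fi
                section=$name
                printf '%s.%s=%s\n' "$pkg" "$section" "$type"
                ;;
            option)
                if [ -z "$section" ]; then
                    echo "$file: option before any config section" >&2; return 1
                fi
                printf '%s.%s.%s=%s\n' "$pkg" "$section" \
                    "$(uci_unquote "$a")" "$(uci_unquote "$b")"
                ;;
            *)  echo "$file: unsupported keyword '$kw'" >&2; return 1 ;;
        esac
    done < "$file"
}

# Value of one option, like 'uci get PKG.SECTION.OPTION' but read from FILE.
uci_get_file() {
    uci_show_file "$1" "$2" | sed -n "s/^$2\.$3\.$4=//p"
}

# Minimum PSK length enforced below (local policy, not a strongSwan rule).
MIN_PSK_LEN=${MIN_PSK_LEN:-20}

# Check one connection section of FILE before starting charon. Returns 1 and
# explains on stderr if a required option is missing, the psk is the
# 'XXXXXXX' placeholder or too short, or the file is readable by others.
check_strongswan_section() {
    file=$1; sec=$2; rc=0
    for opt in local_id remote_id remote_addr psk; do
        if [ -z "$(uci_get_file "$file" strongswan "$sec" "$opt")" ]; then
            echo "$sec: missing option '$opt'" >&2; rc=1
        fi
    done
    psk=$(uci_get_file "$file" strongswan "$sec" psk)
    if [ "$psk" = XXXXXXX ]; then
        echo "$sec: psk is still the placeholder" >&2; rc=1
    elif [ -n "$psk" ] && [ "${#psk}" -lt "$MIN_PSK_LEN" ]; then
        echo "$sec: psk shorter than $MIN_PSK_LEN characters, easy to guess" >&2; rc=1
    fi
    # The key is stored in clear text and 'uci show' prints it: group and
    # others must not be able to read the file.
    case "$(ls -ld "$file")" in
        ????r*|???????r*) echo "$file: readable by group or others, chmod 600 it" >&2; rc=1 ;;
    esac
    return $rc
}

# Write the (constructed) sample configuration from this page to PATH.
write_sample_config() {
    cat > "$1" <<'EOF'
config 'strongswan'
    option 'local_id' 'alice@strongswan.org'
    option 'local_net' '192.168.1.0/24'
    option 'remote_addr' '123.123.123.123'
    option 'remote_net' '192.168.10.0/24'
    option 'remote_id' 'bob@strongswan.org'
    option 'psk' 'XXXXXXX'
    option 'name' 'ucitest'
    option 'mode' 'client'
    option 'auto' '1'
EOF
}
```

Run it as "write_sample_config /tmp/strongswan; uci_show_file /tmp/strongswan strongswan" to see the uci show form, and "check_strongswan_section /tmp/strongswan cfg000001" to see the checks reject the placeholder psk. On a router the same check works against /etc/config/strongswan directly, before the init script starts the daemon.
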
=== Start and stop strongSwan ===

If you use the standard strongswan package from the OpenWrt distribution, there is an init script you can call with:

{{{
/etc/init.d/strongswan {start|stop|restart}
}}}

Starting the connections marked with auto=1 is currently done by the init script; eventually this should be done by the daemon itself.

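The FIFO protocol from "Controlling the daemon" and the auto-start loop the init script performs, as shell functions. This is an added example, not the strongSwan uci plugin's or the OpenWrt init script's own code. charon_cmd pairs every command with the read of its reply, so nothing is ever left blocking in the FIFO; charon_autostart reads the output of "uci show strongswan" on stdin and brings up every section that has auto=1. fake_charon is a stand-in for the daemon so the functions can be tried on a host without strongSwan: its replies to status and up copy the messages shown on this page, the error reply is made up. The path /var/run/charon.fifo, the 10 second wait and the assumption that uci show lines contain no spaces are this example's own.

```shell
# Added example: helpers for the charon control FIFO and for the init script's
# auto-start of connections. Not strongSwan's or OpenWrt's own code.
# Assumptions: the FIFO is /var/run/charon.fifo unless CHARON_FIFO says
# otherwise, and 'uci show' lines carry no spaces or glob characters.

CHARON_FIFO=${CHARON_FIFO:-/var/run/charon.fifo}

# Send one command to the daemon and read its reply immediately. Every write
# is paired with exactly one read: a reply nobody fetches blocks the daemon
# on its write, and all further commands then block behind it.
charon_cmd() {
    if [ ! -p "$CHARON_FIFO" ]; then
        echo "charon_cmd: $CHARON_FIFO is not a FIFO (is charon running with the uci plugin?)" >&2
        return 1
    fi
    printf '%s\n' "$*" > "$CHARON_FIFO"
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 cat "$CHARON_FIFO"        # bounded wait where timeout(1) exists
    else
        cat "$CHARON_FIFO"
    fi
}

# Bring up every connection whose section has auto=1. Reads 'uci show
# strongswan' output on stdin, so an init script can run, after starting
# the daemon:   uci show strongswan | charon_autostart
# Prints the daemon's replies; returns 1 if any connection did not come up.
charon_autostart() {
    shown=$(cat); rc=0
    for line in $shown; do
        case "$line" in
            strongswan.*.auto=1) ;;
            *) continue ;;
        esac
        sec=${line#strongswan.}; sec=${sec%.auto=1}
        name=$(printf '%s\n' "$shown" | sed -n "s/^strongswan\.$sec\.name=//p")
        if [ -z "$name" ]; then
            echo "section $sec has auto=1 but no name, skipped" >&2; rc=1; continue
        fi
        reply=$(charon_cmd up "$name") || { rc=1; continue; }
        echo "$reply"
        case "$reply" in *established*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Simulated daemon for trying the helpers without charon: one command per
# FIFO open, one reply per command. 'status' and 'up NAME' answer with the
# messages shown on this page; the error reply is made up for this example.
fake_charon() {
    while read -r cmd < "$1"; do
        case "$cmd" in
            status) echo "ucitest bob@strongswan.org 123.123.123.123 192.168.10.0/24" > "$1" ;;
            up\ *)  echo "connection '${cmd#up }' established" > "$1" ;;
            *)      echo "unknown command '$cmd'" > "$1" ;;
        esac
    done
}

# Start the simulated daemon on a temporary FIFO and point charon_cmd at it.
start_fake_charon() {
    FAKE_CHARON_DIR=$(mktemp -d)
    CHARON_FIFO=$FAKE_CHARON_DIR/charon.fifo
    mkfifo "$CHARON_FIFO"
    fake_charon "$CHARON_FIFO" &
    FAKE_CHARON_PID=$!
}

# Stop the simulated daemon and remove its FIFO.
stop_fake_charon() {
    kill "$FAKE_CHARON_PID" 2>/dev/null || true
    rm -rf "$FAKE_CHARON_DIR"
}
```

Against a real router you skip start_fake_charon and just call "charon_cmd status" or "charon_cmd up ucitest"; the function refuses to run when /var/run/charon.fifo is not a FIFO, which is the quickest check that the daemon is up with the uci plugin loaded.
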
=== Keyword explanation ===
local_id - your local identity (string)[[BR]]
local_net - your local internal network (network)[[BR]]
local_addr - your local external IP address (IP address)[[BR]]
remote_id - the identity of the other VPN endpoint (string)[[BR]]
remote_net - the remote internal network (network)[[BR]]
remote_addr - the remote external IP address (IP address)[[BR]]
psk - your pre-shared key; it is stored in plain text, so choose a long random one (string)[[BR]]
name - a name for the connection (if not provided, the name is given by the config 'name' pattern) (string)[[BR]]
auto - start the connection automatically (bool)[[BR]]
ike_proposal - encryption algorithm, integrity algorithm and DH group for IKE (e.g. aes256-sha1-modp2048 or aes128-sha1-modp2048)[[BR]]
ike_rekey - the time after which the IKE SA is rekeyed, in hours (integer)[[BR]]
esp_proposal - encryption algorithm, integrity algorithm and DH group (for PFS) for ESP (e.g. aes256-sha1-modp2048 or aes128-sha1-modp2048)[[BR]]
esp_rekey - the time after which the ESP SA is rekeyed, in hours (integer)[[BR]]