UCI Configuration Backend » History » Version 2

Martin Willi, 04.08.2008 16:00

== UCI ==

=== What's uci? ===

Uci is the new configuration interface for OpenWrt. It is the successor of the nvram utility.
Because the hardware that runs OpenWrt normally does not have a lot of resources, strongSwan now supports this configuration method natively as a plugin.

=== How to configure for uci support? ===

Use the configure option "--enable-uci". You also need the libuci library and the uci tool.

=== Controlling the daemon ===

Connecting, disconnecting and printing the status cannot be done through the uci interface. Instead, the daemon uses a FIFO (named pipe) on the filesystem from which it reads commands and to which it writes status messages.

For example, this command prints the status of your connections:

{{{
echo status > /var/run/charon.fifo
}}}

Because it is a FIFO, you have to read from the pipe right after you have passed the command to it, otherwise the unread reply blocks any further actions involving the FIFO.

{{{
cat /var/run/charon.fifo
}}}

This prints something like:

{{{
ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24
}}}

To start and stop a connection you can simply run:

{{{
echo up ucitest > /var/run/charon.fifo
}}}

where ucitest is the name of your connection.

You have to check the feedback message with:

{{{
cat /var/run/charon.fifo
connection 'ucitest' established
}}}

Note again: you have to check whether there is a message waiting on the FIFO to be fetched. Otherwise it blocks any further interaction with the daemon.

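The command-and-reply sequence above, wrapped in a small shell helper that always reads the reply back and gives up after a bounded wait instead of leaving the daemon stuck on an unread FIFO. This is an added example, not code from the page or from the strongSwan uci plugin; the names `charon_cmd`, `fake_charon`, `demo`, the `CHARON_FIFO`/`CHARON_TIMEOUT` variables and the 5 second default are assumptions of this example, and `fake_charon` is only a stand-in for the daemon so that the helper can be tried without a running charon.

```sh
#!/bin/sh
# Added example (not from the strongSwan page or project): a small client for
# charon's command FIFO that always reads the reply back, with a bounded wait,
# so a forgotten "cat" can never leave the daemon blocked on an unread reply.
# CHARON_FIFO, CHARON_TIMEOUT, charon_cmd, fake_charon and demo are names
# chosen for this example.

CHARON_FIFO=${CHARON_FIFO:-/var/run/charon.fifo}   # path from the page
CHARON_TIMEOUT=${CHARON_TIMEOUT:-5}                # seconds; assumed default

# _bounded CMD...: run CMD under coreutils "timeout" when it is available, so
# neither the write nor the read can hang forever if the daemon has gone away.
_bounded() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$CHARON_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# charon_cmd WORD...: send one command line (e.g. "status" or "up ucitest")
# and print the daemon's reply. Returns non-zero if the FIFO does not exist
# (daemon not running) or if no reply arrived within CHARON_TIMEOUT.
charon_cmd() {
    if [ ! -p "$CHARON_FIFO" ]; then
        echo "charon_cmd: $CHARON_FIFO is not a FIFO; is charon running?" >&2
        return 1
    fi
    # Write the command line, then read the answer straight away: the FIFO
    # holds the reply until a reader shows up, and charon waits for that.
    _bounded sh -c 'printf "%s\n" "$1" > "$2"' sh "$*" "$CHARON_FIFO" || return 1
    _bounded cat "$CHARON_FIFO"
}

# fake_charon FIFO: stand-in for the daemon, used only by demo below. It reads
# one command line and answers the way the page's examples show.
fake_charon() {
    read -r cmd < "$1"
    case $cmd in
        status)  printf '%s\n' "ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24" > "$1" ;;
        "up "*)  printf "connection '%s' established\n" "${cmd#up }" > "$1" ;;
        *)       printf 'unknown command: %s\n' "$cmd" > "$1" ;;
    esac
}

# demo WORD...: exercise charon_cmd against fake_charon on a temporary FIFO.
# On a router you would skip this and call charon_cmd directly.
demo() {
    dir=$(mktemp -d)
    CHARON_FIFO=$dir/charon.fifo
    mkfifo "$CHARON_FIFO"
    fake_charon "$CHARON_FIFO" &
    charon_cmd "$@"
    rc=$?
    wait
    rm -rf "$dir"
    return "$rc"
}
```

With a real daemon, `charon_cmd up ucitest` replaces the two separate `echo` and `cat` steps from the page, and the bounded read means a script that calls it in a loop cannot wedge the FIFO if one reply is never produced; the `-p` check turns a missing daemon into an error message instead of a hang on `open()`.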
=== Using uci ===

You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.

{{{
config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'remote_id' 'bob@strongswan.org'
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'
}}}

You can list the configuration by simply typing:

{{{
uci show strongswan
}}}

This will get you something like:

{{{
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.remote_addr=152.96.15.234
strongswan.cfg020870.remote_net=192.168.50.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=152.96.15.230
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
}}}

You can manipulate single configuration fields by setting them with:

{{{
uci set strongswan.cfg020870.auto=0
}}}

or

{{{
uci set strongswan.cfg020870.name=strongSwan
}}}

To get single configuration fields you type:

{{{
uci get strongswan.cfg020870.auto
}}}

The answer will be:

{{{
1
}}}

or

{{{
uci get strongswan.cfg020870.name
}}}

Answer:

{{{
ucitest
}}}

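The keyword list further down gives each option a type (string, network, ip address, bool, integer) and names the two accepted proposal strings, which is enough to lint a section before the daemon is restarted with it. The following shell function does that over the output format of `uci show strongswan`. It is an added example, not code from the page or from the strongSwan uci plugin; `SAMPLE_CFG`, `uci_opt`, `fail`, `lint_strongswan_cfg` and the sample values are constructed for it. Two points a practitioner should take from the output above: `uci show` prints the psk in clear text, so /etc/config/strongswan and anything pasted from it deserve the same protection as the key itself, and the 'XXXXXXX' placeholder from the sample file must not survive into a live configuration, which the lint checks for.

```sh
#!/bin/sh
# Added example (not from the strongSwan page or project): sanity-check one
# strongswan section, in the format "uci show strongswan" prints, against the
# option types given in the page's keyword explanation. All names are chosen
# for this example.

# Constructed sample in "uci show" format; values mirror the page's example
# config and the psk is a dummy.
SAMPLE_CFG='strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_addr=123.123.123.123
strongswan.cfg020870.remote_net=192.168.10.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.psk=not-a-real-key
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.ike_rekey=1'

# uci_opt CFG KEY: print the value of option KEY from CFG (empty if unset).
# The section name is generated by uci (cfg020870 above), so it is not matched literally.
uci_opt() {
    printf '%s\n' "$1" | sed -n "s/^strongswan\.[^.]*\.$2=//p" | head -n 1
}

# fail MSG: record one lint error (errs is the counter used by the lint).
fail() {
    echo "lint: $1" >&2
    errs=$((errs + 1))
}

# lint_strongswan_cfg CFG: report problems on stderr; return 1 if any were found.
lint_strongswan_cfg() {
    cfg=$1
    errs=0

    # Every field charon needs to build one tunnel must be present.
    for key in local_id local_net remote_id remote_net remote_addr psk; do
        [ -n "$(uci_opt "$cfg" "$key")" ] || fail "missing option '$key'"
    done

    # psk is a free string, but the placeholder from the sample must not stay.
    case $(uci_opt "$cfg" psk) in
        XXXXXXX) fail "psk is still the sample placeholder" ;;
    esac

    # (network) fields must be prefixes in CIDR notation.
    for key in local_net remote_net; do
        case $(uci_opt "$cfg" "$key") in
            ""|*/*) ;;                       # missing is reported above
            *) fail "'$key' must be a network in CIDR notation" ;;
        esac
    done

    # (bool) must be 0 or 1.
    case $(uci_opt "$cfg" auto) in
        ""|0|1) ;;
        *) fail "'auto' must be 0 or 1" ;;
    esac

    # (integer) rekey times are whole numbers of hours; both are optional.
    for key in ike_rekey esp_rekey; do
        case $(uci_opt "$cfg" "$key") in
            "") ;;
            *[!0-9]*) fail "'$key' must be an integer (hours)" ;;
        esac
    done

    # Only the two proposal strings documented on the page are accepted.
    for key in ike_proposal esp_proposal; do
        case $(uci_opt "$cfg" "$key") in
            ""|aes256-sha1-modp2048|aes128-sha1-modp2048) ;;
            *) fail "'$key' is not one of the documented proposals" ;;
        esac
    done

    [ "$errs" -eq 0 ]
}

# On a router: lint_strongswan_cfg "$(uci show strongswan)" && /etc/init.d/strongswan restart
```

Run the lint after your `uci set` changes and before restarting the daemon; note that uci stages `set` operations until `uci commit strongswan` is run, so commit them first if you want the restarted daemon (and a reboot) to see them.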
=== Start and stop strongSwan ===

If you use the standard strongswan package from the OpenWrt distribution, there should be an init script you can call with:

{{{
/etc/init.d/strongswan {start|stop|restart}
}}}

The automatic connecting is currently done in the init script. Eventually this should be done in the daemon itself.

=== Keyword explanation ===
local_id - Your local id (string)[[BR]]
local_net - Your local internal network (network)[[BR]]
local_addr - Your local external IP address (ip address)[[BR]]
remote_id - The id of the other VPN endpoint (string)[[BR]]
remote_net - The remote internal network (network)[[BR]]
remote_addr - The remote external IP address (ip address)[[BR]]
psk - Your pre-shared key (string)[[BR]]
name - A name for the connection (if not provided, the name is given by the config 'name' pattern) (string)[[BR]]
auto - Start the connection automatically (bool)[[BR]]
ike_proposal - The encryption mode, hash mode and key length of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)[[BR]]
ike_rekey - The time to rekey the IKE connection in hours (integer)[[BR]]
esp_proposal - The encryption mode, hash mode and key length of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)[[BR]]
esp_rekey - The time to rekey the ESP connection in hours (integer)[[BR]]