
UCI Configuration Backend » History » Version 3

Martin Willi, 05.08.2008 12:17


UCI

=== What's uci? ===

Uci is the new configuration interface for OpenWrt. It is the successor of the nvram utility.
Because the hardware that runs OpenWrt usually has few resources, strongSwan supports this configuration method natively as a plugin since version 4.2.4.

=== How to configure for uci support? ===

Use the configure option ''--enable-uci''. You also need the libuci library and the uci tool.

=== Controlling the daemon ===

Connecting, disconnecting and printing the status cannot be done through the uci interface. Therefore the plugin uses a FIFO on the filesystem from which it reads commands and to which it writes status messages.

For example this command will print the status of your connections:

{{{
# echo status > /var/run/charon.fifo
}}}

Because it is a FIFO, you have to read from it right after you have passed the command to it, or it will block any further actions involving the FIFO.

{{{
# cat /var/run/charon.fifo
ucitest 123.123.123.123 192.168.10.0/24
}}}

To start and stop a connection you can simply run this:

{{{
# echo up ucitest > /var/run/charon.fifo
}}}

where ucitest is the name of your connection.

You have to check the feedback message with:

{{{
# cat /var/run/charon.fifo
connection 'ucitest' established
}}}

Note again: you have to check whether there is a message waiting on the FIFO to be fetched. Otherwise it will block any further interaction with the daemon.

=== Using uci ===

You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.

{{{
config 'strongswan'
option 'local_id' ''
option 'local_net' '192.168.1.0/24'
option 'remote_addr' '123.123.123.123'
option 'remote_net' '192.168.10.0/24'
option 'remote_id' ''
option 'psk' 'XXXXXXX'
option 'name' 'ucitest'
option 'mode' 'client'
option 'auto' '1'
}}}

You can list the configuration by simply typing:

{{{
# uci show strongswan
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=
strongswan.cfg020870.remote_addr=100.100.100.2
strongswan.cfg020870.remote_net=192.168.2.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=100.100.100.1
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
}}}

You can manipulate single configuration fields by setting them with:

{{{
# uci set strongswan.cfg020870.auto=0
}}}

or

{{{
# uci set strongswan.cfg020870.name=strongSwan
}}}

To get single configuration fields you type:

{{{
# uci get strongswan.cfg020870.auto
1
}}}

or

{{{
# uci get strongswan.cfg020870.name
ucitest
}}}

=== Start and stop strongSwan ===

If you use the standard strongswan package from the OpenWrt distribution, there should be an init script you can call with:

{{{
# /etc/init.d/strongswan {start|stop|restart}
}}}

Automatic connection start (the 'auto' option) is currently handled by the init script. Eventually this should be done in the daemon itself.

=== Keyword explanation ===

 * local_id - your local ID (string)
 * local_net - your local internal network (network)
 * local_addr - your local external IP address (IP address)
 * remote_id - the ID of the other VPN endpoint (string)
 * remote_net - the remote internal network (network)
 * remote_addr - the remote external IP address (IP address)
 * psk - your pre-shared key (string)
 * name - a name for the connection (if not provided, the name is derived from the config 'name' pattern) (string)
 * auto - start the connection automatically (bool)
 * ike_proposal - the encryption algorithm, hash algorithm and DH group of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
 * ike_rekey - the time after which the IKE connection is rekeyed, in hours (integer)
 * esp_proposal - the encryption algorithm, hash algorithm and DH group of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
 * esp_rekey - the time after which the ESP connection is rekeyed, in hours (integer)
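The following is an added example, not code from the strongSwan uci plugin: it parses the `uci show strongswan` output format shown in the "Using uci" section into per-section dictionaries and checks each section against the types in the keyword list above (non-empty psk, valid addresses and networks, one of the two listed proposals, integer rekey times, boolean auto). The sample input is constructed from the output above; the function names are this example's own.

```python
import ipaddress
# Constructed sample in the `uci show strongswan` format shown above (not real output; options the checks ignore are left out).
SAMPLE_UCI_SHOW = """\
strongswan.cfg020870=strongswan
strongswan.cfg020870.remote_addr=100.100.100.2
strongswan.cfg020870.remote_net=192.168.2.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=100.100.100.1
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
"""
PROPOSALS = {"aes256-sha1-modp2048", "aes128-sha1-modp2048"}
ADDRESS_KEYS = {"local_addr": ipaddress.ip_address, "remote_addr": ipaddress.ip_address,
                "local_net": ipaddress.ip_network, "remote_net": ipaddress.ip_network}

def parse_uci_show(text):
    """Return {section: {option: value}} from the lines of `uci show <package>`."""
    sections = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        parts = key.split(".")
        if len(parts) == 2:        # "pkg.section=type" opens a section
            sections[parts[1]] = {".type": value}
        elif len(parts) == 3:      # "pkg.section.option=value"
            sections.setdefault(parts[1], {})[parts[2]] = value
    return sections

def check_section(opts):
    """List the problems in one 'strongswan' section (an empty list means ok)."""
    problems = []
    if not opts.get("psk"):
        problems.append("psk is empty")
    for key, parse in ADDRESS_KEYS.items():
        try:
            parse(opts.get(key, ""))            # ValueError on an empty or bad value
        except ValueError:
            problems.append(f"{key} is not a valid {'network' if key.endswith('net') else 'IP address'}")
    for key in ("ike_proposal", "esp_proposal"):
        if opts.get(key) not in PROPOSALS:
            problems.append(f"{key} is not one of {sorted(PROPOSALS)}")
    for key in ("ike_rekey", "esp_rekey"):
        if not opts.get(key, "").isdigit():
            problems.append(f"{key} must be an integer number of hours")
    if opts.get("auto") not in ("0", "1"):
        problems.append("auto must be 0 or 1")
    return problems
```

Running the checks on the output of `uci show strongswan` before calling `/etc/init.d/strongswan restart` catches a malformed network or an empty PSK before the daemon reloads it.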