strongSwan

h2. UCI

h3. What's uci?

Uci is the new configuration interface for openWRT. It's the successor of the nvram utility.

As the hardware which runs openWRT does normally not have a lot of resources strongSwan now supports the this configuration method natively as a plug-in since version 4.2.4.

h3. How to configure for uci support?

Use the configure option _--enable-uci_. You also need the libuci library and the uci tool.

h3. Controlling the daemon

To connect, disconnect and printing the status we can't use the uci interface. Therefore we use a FIFO pipe on the filesystem to read commands and write status messages to.

For example this command will print the status of your connections:

<pre>

# echo status > /var/run/charon.fifo

</pre>

*Because it's a FIFO pipe you have to read from this pipe right after you have passed the command to it or it will block any further actions involving the FIFO.*

<pre>

# cat /var/run/charon.fifo

ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24

</pre>

To start and stop connection you can simply run this:

<pre>

# echo up ucitest > /var/run/charon.fifo

</pre>

Where ucitest is the name of your connection.

You have to check the feedback message with:

<pre>

# cat /var/run/charon.fifo

connection 'ucitest' established

</pre>

*Note again: You have to check if there is a message on the fifo waiting to be fetched. Otherwise it will block any further interaction with the daemon.*

h3. Using uci

You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.

<pre>

config 'strongswan'

        option 'local_id' 'alice@strongswan.org'

        option 'local_net' '192.168.1.0/24'

        option 'remote_addr' '123.123.123.123'

        option 'remote_net' '192.168.10.0/24'

        option 'remote_id' 'bob@strongswan.org'

        option 'psk' 'XXXXXXX'

        option 'name' 'ucitest'

        option 'mode' 'client'

        option 'auto' '1'

</pre>

You can get the configurations by simply typing:

<pre>

# uci show strongswan

strongswan.cfg020870=strongswan

strongswan.cfg020870.local_id=alice@strongswan.org

strongswan.cfg020870.remote_addr=100.100.100.2

strongswan.cfg020870.remote_net=192.168.2.0/24

strongswan.cfg020870.psk=l1Nk5y5-1

strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048

strongswan.cfg020870.name=ucitest

strongswan.cfg020870.mode=client

strongswan.cfg020870.auto=1

strongswan.cfg020870.local_net=192.168.1.0/24

strongswan.cfg020870.remote_id=bob@strongswan.org

strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048

strongswan.cfg020870.local_addr=100.100.100.1

strongswan.cfg020870.ike_rekey=1

strongswan.cfg020870.esp_rekey=1

</pre>

You can manipulate single configuration fields by setting them with:

<pre>

# uci set strongswan.cfg020870.auto=0

</pre>

or

<pre>

# uci set strongswan.cfg020870.name=strongSwan

</pre>

To get single configuration fields you type:

<pre>

# uci get strongswan.cfg020870.auto

1

</pre>

or

<pre>

# uci get strongswan.cfg020870.name

ucitest

</pre>

h3. Start and stop strongSwan

If you use the standard strongswan package from the openWRT distribution, there should be a init script you can call with:

<pre>

# /etc/init.d/strongswan [<start><stop><restart>]

</pre>

The auto connecting is done in the initscript. Once this should be done in the daemon itself.

h3. Keyword explanation

local_id - Your local id (string)

local_net - Your local internal network (network)

local_addr - Your local external IP address (ip address)

remote_id - The id of the other vpn endpoint (string)

remote_net - The remote internal network (network)

remote_addr - The remote external IP address (ip address)

psk - Your pre shared key (string)

name - a name for the connection (if not provided the name is given by the config 'name' pattern) (string)

auto - start the connection automatically (bool)

ike_proposal - The encryption mode, hash mode and key length of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

ike_rekey - The time to rekey the ike connection in hours (integer)

esp_proposal - The encryption mode, hash mode and key length of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)

esp_rekey - The time to rekey the esp connection in hours (integer)