Project

General

Profile

UCI Configuration Backend » History » Version 6

Martin Willi, 07.08.2008 10:32
Correct typos

1 1 Martin Willi
2 6 Martin Willi
h2. UCI
3 1 Martin Willi
4 6 Martin Willi
5 6 Martin Willi
6 6 Martin Willi
h3. What's uci?
7 6 Martin Willi
8 6 Martin Willi
9 1 Martin Willi
Uci is the new configuration interface for openWRT. It's the successor of the nvram utility.
10 1 Martin Willi
As the hardware which runs openWRT does normally not have a lot of resources strongSwan now supports the this configuration method natively as a plug-in since version 4.2.4.
11 1 Martin Willi
12 1 Martin Willi
13 6 Martin Willi
h3. How to configure for uci support?
14 1 Martin Willi
15 1 Martin Willi
16 6 Martin Willi
Use the configure option _--enable-uci_. You also need the libuci library and the uci tool.
17 6 Martin Willi
18 6 Martin Willi
19 6 Martin Willi
h3. Controlling the daemon
20 6 Martin Willi
21 6 Martin Willi
22 1 Martin Willi
To connect, disconnect and printing the status we can't use the uci interface. Therefore we use a FIFO pipe on the filesystem to read commands and write status messages to.
23 1 Martin Willi
24 3 Martin Willi
For example this command will print the status of your connections:
25 1 Martin Willi
26 6 Martin Willi
<pre>
27 4 Martin Willi
# echo status > /var/run/charon.fifo
28 6 Martin Willi
</pre>
29 1 Martin Willi
30 6 Martin Willi
*Because it's a FIFO pipe you have to read from this pipe right after you have passed the command to it or it will block any further actions involving the FIFO.*
31 1 Martin Willi
32 6 Martin Willi
<pre>
33 1 Martin Willi
# cat /var/run/charon.fifo
34 1 Martin Willi
ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24
35 6 Martin Willi
</pre>
36 1 Martin Willi
37 1 Martin Willi
To start and stop connection you can simply run this:
38 3 Martin Willi
39 6 Martin Willi
<pre>
40 1 Martin Willi
# echo up ucitest > /var/run/charon.fifo
41 6 Martin Willi
</pre>
42 1 Martin Willi
43 1 Martin Willi
Where ucitest is the name of your connection.
44 1 Martin Willi
45 1 Martin Willi
You have to check the feedback message with:
46 1 Martin Willi
47 6 Martin Willi
<pre>
48 3 Martin Willi
# cat /var/run/charon.fifo
49 1 Martin Willi
connection 'ucitest' established
50 6 Martin Willi
</pre>
51 1 Martin Willi
52 6 Martin Willi
*Note again: You have to check if there is a message on the fifo waiting to be fetched. Otherwise it will block any further interaction with the daemon.*
53 1 Martin Willi
54 1 Martin Willi
55 6 Martin Willi
h3. Using uci
56 6 Martin Willi
57 6 Martin Willi
58 1 Martin Willi
You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.
59 1 Martin Willi
60 6 Martin Willi
<pre>
61 1 Martin Willi
config 'strongswan'
62 1 Martin Willi
        option 'local_id' 'alice@strongswan.org'
63 1 Martin Willi
        option 'local_net' '192.168.1.0/24'
64 1 Martin Willi
        option 'remote_addr' '123.123.123.123'
65 1 Martin Willi
        option 'remote_net' '192.168.10.0/24'
66 1 Martin Willi
        option 'remote_id' 'bob@strongswan.org'
67 1 Martin Willi
        option 'psk' 'XXXXXXX'
68 1 Martin Willi
        option 'name' 'ucitest'
69 1 Martin Willi
        option 'mode' 'client'
70 1 Martin Willi
        option 'auto' '1'
71 6 Martin Willi
</pre>
72 3 Martin Willi
73 1 Martin Willi
You can get the configurations by simply typing:
74 1 Martin Willi
75 3 Martin Willi
76 6 Martin Willi
<pre>
77 1 Martin Willi
# uci show strongswan
78 1 Martin Willi
strongswan.cfg020870=strongswan
79 1 Martin Willi
strongswan.cfg020870.local_id=alice@strongswan.org
80 1 Martin Willi
strongswan.cfg020870.remote_addr=100.100.100.2
81 1 Martin Willi
strongswan.cfg020870.remote_net=192.168.2.0/24
82 1 Martin Willi
strongswan.cfg020870.psk=l1Nk5y5-1
83 1 Martin Willi
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
84 1 Martin Willi
strongswan.cfg020870.name=ucitest
85 1 Martin Willi
strongswan.cfg020870.mode=client
86 1 Martin Willi
strongswan.cfg020870.auto=1
87 1 Martin Willi
strongswan.cfg020870.local_net=192.168.1.0/24
88 1 Martin Willi
strongswan.cfg020870.remote_id=bob@strongswan.org
89 1 Martin Willi
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
90 1 Martin Willi
strongswan.cfg020870.local_addr=100.100.100.1
91 1 Martin Willi
strongswan.cfg020870.ike_rekey=1
92 1 Martin Willi
strongswan.cfg020870.esp_rekey=1
93 6 Martin Willi
</pre>
94 1 Martin Willi
95 1 Martin Willi
You can manipulate single configuration fields by setting them with:
96 1 Martin Willi
97 6 Martin Willi
<pre>
98 1 Martin Willi
# uci set strongswan.cfg020870.auto=0
99 6 Martin Willi
</pre>
100 1 Martin Willi
101 1 Martin Willi
or
102 1 Martin Willi
103 6 Martin Willi
<pre>
104 1 Martin Willi
# uci set strongswan.cfg020870.name=strongSwan
105 6 Martin Willi
</pre>
106 1 Martin Willi
107 1 Martin Willi
To get single configuration fields you type:
108 1 Martin Willi
109 6 Martin Willi
<pre>
110 1 Martin Willi
# uci get strongswan.cfg020870.auto
111 1 Martin Willi
1
112 6 Martin Willi
</pre>
113 1 Martin Willi
114 1 Martin Willi
or
115 1 Martin Willi
116 6 Martin Willi
<pre>
117 1 Martin Willi
# uci get strongswan.cfg020870.name
118 1 Martin Willi
ucitest
119 6 Martin Willi
</pre>
120 3 Martin Willi
121 1 Martin Willi
122 6 Martin Willi
h3. Start and stop strongSwan
123 6 Martin Willi
124 6 Martin Willi
125 1 Martin Willi
If you use the standard strongswan package from the openWRT distribution, there should be a init script you can call with:
126 1 Martin Willi
127 6 Martin Willi
<pre>
128 1 Martin Willi
# /etc/init.d/strongswan [<start><stop><restart>]
129 6 Martin Willi
</pre>
130 1 Martin Willi
131 1 Martin Willi
The auto connecting is done in the initscript. Once this should be done in the daemon itself.
132 1 Martin Willi
133 6 Martin Willi
134 6 Martin Willi
h3. Keyword explanation
135 6 Martin Willi
136 6 Martin Willi
local_id - Your local id (string)
137 6 Martin Willi
138 6 Martin Willi
local_net - Your local internal network (network)
139 6 Martin Willi
140 6 Martin Willi
local_addr - Your local external IP address (ip address)
141 6 Martin Willi
142 6 Martin Willi
remote_id - The id of the other vpn endpoint (string)
143 6 Martin Willi
144 6 Martin Willi
remote_net - The remote internal network (network)
145 6 Martin Willi
146 6 Martin Willi
remote_addr - The remote external IP address (ip address)
147 6 Martin Willi
148 6 Martin Willi
psk - Your pre shared key (string)
149 6 Martin Willi
150 6 Martin Willi
name - a name for the connection (if not provided the name is given by the config 'name' pattern) (string)
151 6 Martin Willi
152 6 Martin Willi
auto - start the connection automatically (bool)
153 6 Martin Willi
154 6 Martin Willi
ike_proposal - The encryption mode, hash mode and key length of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
155 6 Martin Willi
156 6 Martin Willi
ike_rekey - The time to rekey the ike connection in hours (integer)
157 6 Martin Willi
158 6 Martin Willi
esp_proposal - The encryption mode, hash mode and key length of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
159 6 Martin Willi
160 6 Martin Willi
esp_rekey - The time to rekey the esp connection in hours (integer)