Project

General

Profile

UCI Configuration Backend » History » Version 7

Tobias Brunner, 05.05.2009 18:49
trac conversion errors fixed

1 7 Tobias Brunner
h1. UCI
2 6 Martin Willi
3 1 Martin Willi
4 1 Martin Willi
5 7 Tobias Brunner
h2. What's uci?
6 6 Martin Willi
7 6 Martin Willi
8 1 Martin Willi
Uci is the new configuration interface for openWRT. It's the successor of the nvram utility.
9 1 Martin Willi
As the hardware which runs openWRT does normally not have a lot of resources strongSwan now supports the this configuration method natively as a plug-in since version 4.2.4.
10 1 Martin Willi
11 1 Martin Willi
12 7 Tobias Brunner
h2. How to configure for uci support?
13 1 Martin Willi
14 1 Martin Willi
15 7 Tobias Brunner
Use the [[AutoConf|configure option]] --enable-uci. You also need the libuci library and the uci tool.
16 6 Martin Willi
17 6 Martin Willi
18 7 Tobias Brunner
h2. Controlling the daemon
19 6 Martin Willi
20 6 Martin Willi
21 1 Martin Willi
To connect, disconnect and printing the status we can't use the uci interface. Therefore we use a FIFO pipe on the filesystem to read commands and write status messages to.
22 1 Martin Willi
23 3 Martin Willi
For example this command will print the status of your connections:
24 1 Martin Willi
25 6 Martin Willi
<pre>
26 4 Martin Willi
# echo status > /var/run/charon.fifo
27 6 Martin Willi
</pre>
28 1 Martin Willi
29 6 Martin Willi
*Because it's a FIFO pipe you have to read from this pipe right after you have passed the command to it or it will block any further actions involving the FIFO.*
30 1 Martin Willi
31 6 Martin Willi
<pre>
32 1 Martin Willi
# cat /var/run/charon.fifo
33 1 Martin Willi
ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24
34 6 Martin Willi
</pre>
35 1 Martin Willi
36 1 Martin Willi
To start and stop connection you can simply run this:
37 3 Martin Willi
38 6 Martin Willi
<pre>
39 1 Martin Willi
# echo up ucitest > /var/run/charon.fifo
40 6 Martin Willi
</pre>
41 1 Martin Willi
42 1 Martin Willi
Where ucitest is the name of your connection.
43 1 Martin Willi
44 1 Martin Willi
You have to check the feedback message with:
45 1 Martin Willi
46 6 Martin Willi
<pre>
47 3 Martin Willi
# cat /var/run/charon.fifo
48 1 Martin Willi
connection 'ucitest' established
49 6 Martin Willi
</pre>
50 1 Martin Willi
51 6 Martin Willi
*Note again: You have to check if there is a message on the fifo waiting to be fetched. Otherwise it will block any further interaction with the daemon.*
52 1 Martin Willi
53 1 Martin Willi
54 7 Tobias Brunner
h2. Using uci
55 6 Martin Willi
56 6 Martin Willi
57 1 Martin Willi
You should have a configuration file "/etc/config/strongswan" with the following content. Charon reads the 'strongswan' package section to get the configuration values.
58 1 Martin Willi
59 6 Martin Willi
<pre>
60 1 Martin Willi
config 'strongswan'
61 1 Martin Willi
        option 'local_id' 'alice@strongswan.org'
62 1 Martin Willi
        option 'local_net' '192.168.1.0/24'
63 1 Martin Willi
        option 'remote_addr' '123.123.123.123'
64 1 Martin Willi
        option 'remote_net' '192.168.10.0/24'
65 1 Martin Willi
        option 'remote_id' 'bob@strongswan.org'
66 1 Martin Willi
        option 'psk' 'XXXXXXX'
67 1 Martin Willi
        option 'name' 'ucitest'
68 1 Martin Willi
        option 'mode' 'client'
69 1 Martin Willi
        option 'auto' '1'
70 6 Martin Willi
</pre>
71 3 Martin Willi
72 1 Martin Willi
You can get the configurations by simply typing:
73 1 Martin Willi
74 3 Martin Willi
75 6 Martin Willi
<pre>
76 1 Martin Willi
# uci show strongswan
77 1 Martin Willi
strongswan.cfg020870=strongswan
78 1 Martin Willi
strongswan.cfg020870.local_id=alice@strongswan.org
79 1 Martin Willi
strongswan.cfg020870.remote_addr=100.100.100.2
80 1 Martin Willi
strongswan.cfg020870.remote_net=192.168.2.0/24
81 1 Martin Willi
strongswan.cfg020870.psk=l1Nk5y5-1
82 1 Martin Willi
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
83 1 Martin Willi
strongswan.cfg020870.name=ucitest
84 1 Martin Willi
strongswan.cfg020870.mode=client
85 1 Martin Willi
strongswan.cfg020870.auto=1
86 1 Martin Willi
strongswan.cfg020870.local_net=192.168.1.0/24
87 1 Martin Willi
strongswan.cfg020870.remote_id=bob@strongswan.org
88 1 Martin Willi
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
89 1 Martin Willi
strongswan.cfg020870.local_addr=100.100.100.1
90 1 Martin Willi
strongswan.cfg020870.ike_rekey=1
91 1 Martin Willi
strongswan.cfg020870.esp_rekey=1
92 6 Martin Willi
</pre>
93 1 Martin Willi
94 1 Martin Willi
You can manipulate single configuration fields by setting them with:
95 1 Martin Willi
96 6 Martin Willi
<pre>
97 1 Martin Willi
# uci set strongswan.cfg020870.auto=0
98 6 Martin Willi
</pre>
99 1 Martin Willi
100 1 Martin Willi
or
101 1 Martin Willi
102 6 Martin Willi
<pre>
103 1 Martin Willi
# uci set strongswan.cfg020870.name=strongSwan
104 6 Martin Willi
</pre>
105 1 Martin Willi
106 1 Martin Willi
To get single configuration fields you type:
107 1 Martin Willi
108 6 Martin Willi
<pre>
109 1 Martin Willi
# uci get strongswan.cfg020870.auto
110 1 Martin Willi
1
111 6 Martin Willi
</pre>
112 1 Martin Willi
113 1 Martin Willi
or
114 1 Martin Willi
115 6 Martin Willi
<pre>
116 1 Martin Willi
# uci get strongswan.cfg020870.name
117 1 Martin Willi
ucitest
118 6 Martin Willi
</pre>
119 3 Martin Willi
120 1 Martin Willi
121 6 Martin Willi
h3. Start and stop strongSwan
122 6 Martin Willi
123 6 Martin Willi
124 1 Martin Willi
If you use the standard strongswan package from the openWRT distribution, there should be a init script you can call with:
125 1 Martin Willi
126 6 Martin Willi
<pre>
127 1 Martin Willi
# /etc/init.d/strongswan [<start><stop><restart>]
128 6 Martin Willi
</pre>
129 1 Martin Willi
130 1 Martin Willi
The auto connecting is done in the initscript. Once this should be done in the daemon itself.
131 1 Martin Willi
132 6 Martin Willi
133 6 Martin Willi
h3. Keyword explanation
134 6 Martin Willi
135 6 Martin Willi
local_id - Your local id (string)
136 6 Martin Willi
137 6 Martin Willi
local_net - Your local internal network (network)
138 6 Martin Willi
139 6 Martin Willi
local_addr - Your local external IP address (ip address)
140 6 Martin Willi
141 6 Martin Willi
remote_id - The id of the other vpn endpoint (string)
142 6 Martin Willi
143 6 Martin Willi
remote_net - The remote internal network (network)
144 6 Martin Willi
145 6 Martin Willi
remote_addr - The remote external IP address (ip address)
146 6 Martin Willi
147 6 Martin Willi
psk - Your pre shared key (string)
148 6 Martin Willi
149 6 Martin Willi
name - a name for the connection (if not provided the name is given by the config 'name' pattern) (string)
150 6 Martin Willi
151 6 Martin Willi
auto - start the connection automatically (bool)
152 6 Martin Willi
153 6 Martin Willi
ike_proposal - The encryption mode, hash mode and key length of the IKE protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
154 6 Martin Willi
155 6 Martin Willi
ike_rekey - The time to rekey the ike connection in hours (integer)
156 6 Martin Willi
157 6 Martin Willi
esp_proposal - The encryption mode, hash mode and key length of the ESP protocol (aes256-sha1-modp2048/aes128-sha1-modp2048)
158 6 Martin Willi
159 6 Martin Willi
esp_rekey - The time to rekey the esp connection in hours (integer)