UCI Configuration Backend » History » Version 9

Tobias Brunner, 03.08.2011 17:18

h1. UCI Configuration Backend

h2. What's UCI?

UCI (Unified Configuration Interface) is the configuration interface of "OpenWrt":http://openwrt.org and the successor of the nvram utility.

Because the hardware that runs OpenWrt normally has few resources, strongSwan supports this configuration method natively through a plugin since [[424|version 4.2.4]].

h2. How to configure for uci support?

Use the [[AutoConf|configure option]] --enable-uci. You also need the _libuci_ library and the _uci_ tool.

h2. Controlling the daemon

Connecting, disconnecting and printing the status cannot be done through the uci interface. Instead, the plugin uses a FIFO (named pipe) on the filesystem: it reads commands from it and writes status messages back to it.

For example, this command prints the status of your connections:

<pre>
# echo status > /var/run/charon.fifo
</pre>

*Because it is a FIFO, you have to read from it right after you have passed the command to it. Otherwise the pending reply blocks any further actions involving the FIFO.*

<pre>
# cat /var/run/charon.fifo
ucitest  bob@strongswan.org   123.123.123.123    192.168.10.0/24
</pre>

To start a connection, run:

<pre>
# echo up ucitest > /var/run/charon.fifo
</pre>

where ucitest is the name of your connection; the corresponding down command stops it again.

You then have to fetch the feedback message with:

<pre>
# cat /var/run/charon.fifo
connection 'ucitest' established
</pre>

*Note again: always check whether a message is waiting on the FIFO to be fetched. Otherwise it blocks any further interaction with the daemon.*
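
The shell helper below is an added example (not part of strongSwan or the OpenWrt package) that wraps the FIFO exchange described above so that the reply is always drained right after the command has been written, which is the blocking pitfall this section warns about twice. It assumes the FIFO path /var/run/charon.fifo (overridable through CHARON_FIFO), the commands shown on this page (status, up NAME), that the daemon answers each command with at least one line on the same FIFO, and that a coreutils or BusyBox timeout utility is available so a missing reply does not hang the caller forever; all of these are constructed assumptions for the example, not guarantees of the plugin.

```shell
#!/bin/sh
# Added example, not strongSwan code: talk to charon's control FIFO without
# leaving a reply stuck in the pipe.
# Assumptions (constructed for this example): the FIFO is /var/run/charon.fifo
# unless CHARON_FIFO says otherwise, the daemon answers every command with at
# least one line on the same FIFO, and a coreutils/BusyBox "timeout" is present.

: "${CHARON_FIFO:=/var/run/charon.fifo}"
: "${CHARON_TIMEOUT:=5}"   # seconds to wait for the daemon's reply

# charon_cmd WORD...  -> prints the daemon's reply
# returns 2 if the FIFO is missing (daemon or uci plugin not running),
#         3 if no reply arrived within CHARON_TIMEOUT seconds,
#         the exit status of the read otherwise.
charon_cmd() {
    if [ ! -p "$CHARON_FIFO" ]; then
        echo "charon_cmd: no FIFO at $CHARON_FIFO" >&2
        return 2
    fi
    # The write blocks until the daemon has its end open for reading.
    printf '%s\n' "$*" > "$CHARON_FIFO" || return 1
    # Drain the reply immediately: until somebody reads it, the daemon's
    # pending write blocks every further command on the FIFO.
    if command -v timeout >/dev/null 2>&1; then
        timeout "$CHARON_TIMEOUT" cat "$CHARON_FIFO"
        rc=$?
        if [ "$rc" -eq 124 ]; then   # coreutils timeout: the command timed out
            echo "charon_cmd: no reply within ${CHARON_TIMEOUT}s" >&2
            return 3
        fi
        return "$rc"
    fi
    cat "$CHARON_FIFO"
}

# charon_up NAME -> prints the reply, returns 0 only if charon reports
# "connection 'NAME' established" (the message format shown on this page).
charon_up() {
    reply=$(charon_cmd up "$1") || return $?
    printf '%s\n' "$reply"
    printf '%s\n' "$reply" | grep -q "connection '$1' established"
}

# charon_status -> one line per connection, exactly as written by the daemon
charon_status() {
    charon_cmd status
}
```

Typical use on the router is charon_status to list connections and charon_up ucitest to bring one up; because the write and the read happen in one function, a second caller never finds a stale reply blocking the pipe.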


h2. Using uci

You should have a configuration file /etc/config/strongswan with the following content. Charon reads the sections of type 'strongswan' in this package to get its configuration values.

<pre>
config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'remote_id' 'bob@strongswan.org'
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'
</pre>

You can display the configuration (here a more complete one that also sets the local address, proposals and rekeying) by simply typing:

<pre>
# uci show strongswan
strongswan.cfg020870=strongswan
strongswan.cfg020870.local_id=alice@strongswan.org
strongswan.cfg020870.remote_addr=100.100.100.2
strongswan.cfg020870.remote_net=192.168.2.0/24
strongswan.cfg020870.psk=l1Nk5y5-1
strongswan.cfg020870.ike_proposal=aes128-sha1-modp2048
strongswan.cfg020870.name=ucitest
strongswan.cfg020870.mode=client
strongswan.cfg020870.auto=1
strongswan.cfg020870.local_net=192.168.1.0/24
strongswan.cfg020870.remote_id=bob@strongswan.org
strongswan.cfg020870.esp_proposal=aes256-sha1-modp2048
strongswan.cfg020870.local_addr=100.100.100.1
strongswan.cfg020870.ike_rekey=1
strongswan.cfg020870.esp_rekey=1
</pre>

cfg020870 is the name uci generated for the anonymous section; it may differ on your system, and the section can equally be addressed by type and index as strongswan.@strongswan[0]. Note that uci show prints the pre-shared key in clear, just as the configuration file contains it, so keep /etc/config/strongswan readable by root only and treat the command output as sensitive.

You can change single configuration fields with:

<pre>
# uci set strongswan.cfg020870.auto=0
</pre>

or

<pre>
# uci set strongswan.cfg020870.name=strongSwan
</pre>

uci set only stages the change; run uci commit strongswan afterwards to write it to /etc/config/strongswan, which is the file the daemon reads.

To read single configuration fields you type:

<pre>
# uci get strongswan.cfg020870.auto
1
</pre>

or

<pre>
# uci get strongswan.cfg020870.name
ucitest
</pre>
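
As an added example (not strongSwan's or OpenWrt's code), the shell functions below read the UCI file format directly and print it in the form that uci show and uci get produce, so the mapping between the /etc/config/strongswan file and the command output in this section can be followed without a router at hand. They embed the page's example configuration as constructed input and, instead of the generated cfg020870 name, address the anonymous section with uci's type-and-index notation strongswan.@strongswan[0]; list entries are printed one per line, unlike real uci show, which joins them.

```shell
#!/bin/sh
# Added example, not strongSwan or OpenWrt code: a dependency-free reader for
# the UCI file format that prints "uci show"-style lines, so the mapping between
# /etc/config/strongswan and the output of "uci show"/"uci get" can be followed
# without a router. Assumptions: anonymous sections are addressed as
# "@type[index]" (uci's own alternative to the generated cfgXXXXXX names), and
# list entries are printed one per line instead of being joined as uci does.

# The page's example configuration, embedded as constructed input.
SAMPLE_CONFIG="config 'strongswan'
        option 'local_id' 'alice@strongswan.org'
        option 'local_net' '192.168.1.0/24'
        option 'remote_addr' '123.123.123.123'
        option 'remote_net' '192.168.10.0/24'
        option 'remote_id' 'bob@strongswan.org'
        option 'psk' 'XXXXXXX'
        option 'name' 'ucitest'
        option 'mode' 'client'
        option 'auto' '1'"

# uci_show_text PACKAGE   (UCI file on stdin) -> PACKAGE.section[.option]=value lines
uci_show_text() {
    awk -v pkg="$1" -v sq="'" '
    # tok(s): first token of s with single or double quotes stripped; the rest goes to REST
    function tok(s,    q) {
        sub(/^[ \t]+/, "", s)
        q = substr(s, 1, 1)
        if (q == sq || q == "\"") {
            s = substr(s, 2)
            TOK = substr(s, 1, index(s, q) - 1)
            REST = substr(s, index(s, q) + 1)
        } else {
            match(s, /^[^ \t]*/)
            TOK = substr(s, 1, RLENGTH)
            REST = substr(s, RLENGTH + 1)
        }
        return TOK
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    { kw = tok($0); a1 = tok(REST); a2 = tok(REST) }  # keyword and up to two arguments
    kw == "config" {                                  # "config TYPE [NAME]" opens a section
        idx = n[a1]++                                 # @TYPE[idx] counts every section of that type
        sect = (a2 != "") ? a2 : ("@" a1 "[" idx "]")
        print pkg "." sect "=" a1
        next
    }
    kw == "option" || kw == "list" { print pkg "." sect "." a1 "=" a2 }
    '
}

# uci_get_text KEY   (UCI file on stdin) -> value of PACKAGE.section.option, exit 1 if absent
uci_get_text() {
    uci_show_text "${1%%.*}" |
        awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); found = 1 }
                        END { exit !found }'
}

# Stand-alone demonstration on the constructed input:
printf '%s\n' "$SAMPLE_CONFIG" | uci_show_text strongswan
printf '%s\n' "$SAMPLE_CONFIG" | uci_get_text 'strongswan.@strongswan[0].auto'
```

On the router itself the equivalent lookups are uci show strongswan and uci get strongswan.@strongswan[0].auto; the index form is handy in scripts because it does not depend on the generated section name.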


h3. Start and stop strongSwan

If you use the standard strongswan package from the OpenWrt distribution, there is an init script you can call with:

<pre>
# /etc/init.d/strongswan {start|stop|restart}
</pre>

At the moment the automatic connecting (option auto) is done by the init script. Eventually this should be done by the daemon itself.

h3. Keyword explanation

local_id - Your local ID (string)

local_net - Your local internal network (network)

local_addr - Your local external IP address (IP address)

remote_id - The ID of the other VPN endpoint (string)

remote_net - The remote internal network (network)

remote_addr - The remote external IP address (IP address)

psk - Your pre-shared key (string)

name - A name for the connection (if not provided, the name is taken from the config 'name' pattern) (string)

auto - Start the connection automatically (bool)

ike_proposal - Encryption algorithm with key length, integrity algorithm and Diffie-Hellman group for the IKE SA (aes256-sha1-modp2048/aes128-sha1-modp2048)

ike_rekey - The time after which the IKE SA is rekeyed, in hours (integer)

esp_proposal - Encryption algorithm with key length, integrity algorithm and Diffie-Hellman group (for perfect forward secrecy) for the ESP SA (aes256-sha1-modp2048/aes128-sha1-modp2048)

esp_rekey - The time after which the ESP SA is rekeyed, in hours (integer)