The whitelist plugin checks a successfully authenticated peer identity against an in-memory whitelist. Only listed identities are allowed to connect; connection attempts with any other identity are rejected using AUTHENTICATION_FAILED.
The plugin is disabled by default and can be enabled by adding --enable-whitelist to the ./configure options.
Any identity successfully authenticated, using any authentication method and in every authentication round, gets checked against the whitelist. Only whitelisted identities are accepted. The whitelist is held in memory in a hashtable for fast lookups. It is volatile: listed identities are lost when the daemon restarts.
To manipulate the whitelist, a UNIX socket exports an interface to add, list and remove whitelisted identities. A simple CLI frontend is provided to manipulate the whitelist.
The plugin is configured using the following strongswan.conf options:
|Key|Default|Description|
|charon.plugins.whitelist.enabled|No|Enable whitelist checking|
The enabled option can also be changed at runtime using the whitelist enable/disable commands (see below).
The whitelist ipsec utility, invoked as ipsec whitelist, can be used to manipulate the whitelist while the daemon is running. It supports the following operations:
|Command|Description|
|ipsec whitelist add <identity>|Add a single identity to the whitelist.|
|ipsec whitelist remove <identity>|Remove a single identity from the whitelist.|
|ipsec whitelist add-from [<file>]|Add identities read from a newline-separated file, by default stdin.|
|ipsec whitelist remove-from [<file>]|Remove identities read from a newline-separated file, by default stdin.|
|ipsec whitelist flush [<pattern>]|Flush identities from the whitelist, optionally only those matching an identity pattern with wildcards.|
|ipsec whitelist list [<pattern>]|List whitelisted identities, optionally only those matching an identity pattern with wildcards.|
|ipsec whitelist enable|Enable whitelist checking.|
|ipsec whitelist disable|Disable whitelist checking.|
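The following Python model is an added illustration of the behaviour described above; it is not the plugin's code, and it does not talk to charon's UNIX socket. It shows the decision the plugin makes after a peer has authenticated (accept if listed, otherwise AUTHENTICATION_FAILED, and no check at all while disabled), the in-memory set that is lost on restart, and the add-from, flush and list operations. Wildcard matching is approximated with shell-style fnmatch patterns, which is an assumption about how identity patterns behave; the identities used are constructed sample values.

```python
import fnmatch
import sys
from typing import Iterable, List, Set

# Outcome labels for the post-authentication check (constructed for this model).
ACCEPTED = "ACCEPTED"
AUTHENTICATION_FAILED = "AUTHENTICATION_FAILED"


class Whitelist:
    """Model of the plugin's state: an enabled flag plus an in-memory set.

    Like charon's hashtable, the set only lives for the lifetime of this
    object; nothing is persisted, so a restart starts with an empty list.
    """

    def __init__(self, enabled: bool = False) -> None:
        # Mirrors charon.plugins.whitelist.enabled, default "No".
        self.enabled = enabled
        self.ids: Set[str] = set()

    # --- operations mirroring the `ipsec whitelist` subcommands -------------
    def add(self, identity: str) -> None:
        self.ids.add(identity.strip())

    def remove(self, identity: str) -> None:
        self.ids.discard(identity.strip())

    def add_from(self, lines: Iterable[str]) -> int:
        """Add one identity per line; blank lines are skipped (assumption)."""
        before = len(self.ids)
        for line in lines:
            if line.strip():
                self.add(line)
        return len(self.ids) - before

    def remove_from(self, lines: Iterable[str]) -> None:
        for line in lines:
            if line.strip():
                self.remove(line)

    def flush(self, pattern: str = "*") -> int:
        """Drop identities matching the wildcard pattern (default: all)."""
        victims = set(fnmatch.filter(self.ids, pattern))
        self.ids -= victims
        return len(victims)

    def list(self, pattern: str = "*") -> List[str]:
        return sorted(fnmatch.filter(self.ids, pattern))

    def enable(self) -> None:
        self.enabled = True

    def disable(self) -> None:
        self.enabled = False

    # --- the check run after every successful authentication round ---------
    def check(self, peer_identity: str) -> str:
        """Decide whether an already-authenticated peer may connect."""
        if not self.enabled:
            # Disabled: every authenticated peer passes, exactly as if the
            # plugin were not loaded.
            return ACCEPTED
        # Exact-match lookup in the in-memory table.
        return ACCEPTED if peer_identity in self.ids else AUTHENTICATION_FAILED


def simulate_restart(wl: Whitelist) -> Whitelist:
    """A daemon restart keeps the configured enabled flag but loses the list."""
    return Whitelist(enabled=wl.enabled)


if __name__ == "__main__":
    # Stand-alone usage: read identities from stdin (like `add-from` with
    # no file argument) and report the decision for a constructed peer.
    wl = Whitelist(enabled=True)
    wl.add_from(sys.stdin)
    print("whitelisted:", wl.list())
    print("carol@strongswan.org ->", wl.check("carol@strongswan.org"))
```

Re-populating the list after every daemon start (for example, piping a maintained identity file into `ipsec whitelist add-from`) is the practical consequence of the volatility noted above, and the model's simulate_restart makes that loss visible.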
The socket interface format is defined in source:src/libcharon/plugins/whitelist/whitelist_msg.h. The whitelist CLI utility at source:src/libcharon/plugins/whitelist/whitelist.c is a good starting point for integrating whitelist manipulation into your own frontend.