<div dir="ltr">Hi,<div><br></div><div>Thank you very much, great tip!</div><div><br></div><div>The only issue in the openstack context is that it usually has to work with distro packages... Anyway, providing a strongswan driver alongside your ./configure suggestion could definitely be a solution.</div>
<div><br></div><div style>Regards,</div><div style>Francois.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/5/24 Christophe Gouault <span dir="ltr"><<a href="mailto:christophe.gouault@6wind.com" target="_blank">christophe.gouault@6wind.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<tt>Hi François,</tt><tt><br>
</tt><tt><br>
</tt><tt>If you use netns created by "ip netns add
<netnsname>" and start charon with "ip netns exec
<netnsname> ipsec start", then there is a solution (that we
successfully used here to perform IKE tests with a single machine):</tt><tt><br>
</tt><tt><br>
</tt><tt>"ip netns exec netns1" makes it possible to start the application in
netns netns1, but also, if the /etc/netns/netns1 directory exists,
the files and sub-directories will be remapped in /etc for the
application (provided a file or directory with the same name
already exists in /etc).</tt><tt><br>
</tt><tt><br>
</tt><tt>So, you just have to store your configuration files in this
directory and the pid and socket files in a sub-directory. To do
that, you must choose a different piddir when compiling strongswan:</tt><tt><br>
</tt><tt><br>
</tt><tt>Example for netns1 and netns2:</tt><tt><br>
</tt><tt><br>
</tt><tt>create netns and directories</tt><tt><br>
</tt><tt>----------------------------<br>
</tt><tt>ip netns add netns1</tt><tt><br>
</tt><tt>ip netns add netns2</tt><tt><br>
</tt><tt>mkdir -p /etc/run<br>
mkdir -p /etc/netns/netns1/run<br>
mkdir -p /etc/netns/netns2/run</tt><tt><br>
</tt><tt><br>
</tt><tt>generate strongswan</tt><tt><br>
</tt><tt>-------------------<br>
</tt><tt>./configure --sysconfdir=/etc --with-piddir=/etc/run
make</tt><tt><br>
</tt><tt>make install</tt><tt><br>
</tt><tt><br>
configure and run strongswan instances<br>
--------------------------------------<br>
</tt><tt>Then, you can store configuration files for each charon
instance in the /etc/netns/<netnsname> directory, and start
each instance of charon with:</tt><tt><br>
</tt><tt>ip netns exec <netnsname> ipsec start</tt><tt><br>
</tt><tt><br>
</tt><tt>The pid and unix socket files will be stored in
/etc/netns/<netnsname>/run directory instead of the default
/var/run.</tt><tt><br>
</tt><tt><br>
</tt><tt>(From the application point of view, the configuration
files are in /etc, pid and socket files are in /etc/run
directories, but they are actually stored in
/etc/netns/<netnsname> and /etc/netns/<netnsname>/run
directories)</tt><tt><br>
</tt><tt><br>
</tt><tt>Enjoy</tt><tt><br>
</tt><tt><br>
</tt><tt>Best Regards,</tt><tt><br>
</tt><tt>Christophe</tt><div><div class="h5"><br>
<tt><br>
</tt>
<div><tt>On 05/22/2013 10:16 PM, Eleouet
Francois wrote:</tt><tt><br>
</tt></div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr"><tt>Hi,</tt>
<div><tt><br>
</tt></div>
<div><tt>I'm actually investigating how to run multiple
IPsec daemons within several network namespaces.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>In the openstack project (an open source cloud
computing platform), we intend to extend virtual networks to
the outside world using IPsec. The current implementation
leverages netns to provide routing (with support of
overlapping IPs) between different
projects/customers/virtual networks.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>As a consequence, we have to start multiple
IPsec daemons (one within each namespace), so that they bind
sockets and set-up IPsec SA & SPD in the right netns. I
managed to set up this kind of configuration using pluto, as
the config, pid and control socket file locations can be
specified as command line options
(using --ctlbase --ipsecdir --secretsfile --config...)</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Anyway, these variables seem to be hard coded
in charon (at ./configure time). As IKEv2 support is really
required, I was wondering if I missed something. Is there
any way to change these parameters on a per-process basis?
Or do you perhaps plan to make charon netns-aware?</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Thanks in advance,</tt></div>
<div><tt>Francois Eleouet.</tt></div>
</div>
<tt><br>
</tt>
<tt><br>
</tt>
</div></div><pre>_______________________________________________
Users mailing list
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<tt><br>
</tt>
</div>
</blockquote></div><br></div>
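As an added illustration of the remapping rule Christophe describes (this is not code from the thread or from strongSwan), the following Python models which /etc entries "ip netns exec <netnsname>" shadows from /etc/netns/<netnsname>, and where charon's config, pid and socket files therefore end up. The directory layout is constructed in a temporary directory, and the rule that an entry is only remapped when a same-named entry already exists in /etc is taken from the mail; the shared_with_host check is an assumption-free consequence of that rule, useful for spotting a netns whose instance would silently read the host's ipsec.secrets.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for /etc. "netns1" mirrors the mail (ipsec.conf + run/),
# "netns2" additionally carries its own ipsec.secrets. strongswan.d exists only
# under netns1 and has no counterpart in /etc, so it will NOT be remapped.
def build_demo_etc(root: Path) -> Path:
    etc = root / "etc"
    for rel in ("ipsec.conf", "ipsec.secrets",
                "netns/netns1/ipsec.conf", "netns/netns1/strongswan.d/charon.conf",
                "netns/netns2/ipsec.conf", "netns/netns2/ipsec.secrets"):
        (etc / rel).parent.mkdir(parents=True, exist_ok=True)
        (etc / rel).write_text(f"# constructed {rel}\n")
    for rel in ("run", "netns/netns1/run", "netns/netns2/run"):
        (etc / rel).mkdir(parents=True, exist_ok=True)
    return etc

def shadowed_entries(etc: Path, ns: str) -> dict:
    """Top-level entries of etc/netns/<ns> -> True if 'ip netns exec' can bind-mount
    them over etc/<name>, which requires that target to already exist."""
    ns_dir = etc / "netns" / ns
    return {p.name: (etc / p.name).exists() for p in sorted(ns_dir.iterdir())}

def effective_path(etc: Path, ns: str, app_path: str) -> Path:
    """Real storage location of the file the application opens at app_path
    (absolute, as the program sees it) when started under 'ip netns exec <ns>'."""
    p = Path(app_path)
    if p.parts[:2] != ("/", "etc"):
        return p                     # outside /etc (e.g. /var/run): never remapped
    rel = p.relative_to("/etc")
    if shadowed_entries(etc, ns).get(rel.parts[0]):
        return etc / "netns" / ns / rel
    return etc / rel                 # falls through to the host's /etc

def shared_with_host(etc: Path, ns: str,
                     names=("ipsec.conf", "ipsec.secrets", "run")) -> list:
    """Files charon in <ns> would read from the host /etc because the netns dir lacks them."""
    return [n for n in names if effective_path(etc, ns, f"/etc/{n}") == etc / n]

def demo() -> dict:
    """Build the constructed layout in a temp dir and report the outcome for both netns."""
    etc = build_demo_etc(Path(tempfile.mkdtemp(prefix="netns-demo-")))
    return {
        "netns1_shadowed": shadowed_entries(etc, "netns1"),
        # with --with-piddir=/etc/run the pid file lands in the per-netns run/ dir
        "netns1_pid": str(effective_path(etc, "netns1", "/etc/run/charon.pid").relative_to(etc)),
        # with the default piddir it would be shared by every instance
        "default_pid": str(effective_path(etc, "netns1", "/var/run/charon.pid")),
        "netns1_shared": shared_with_host(etc, "netns1"),
        "netns2_shared": shared_with_host(etc, "netns2"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```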