<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/24/2013 11:46 AM, Eleouet Francois wrote:<br>
<blockquote
cite="mid:CAFTAuVd6ik-W-wXjtS6iBB3yR_+_T88ZgOQBsPDWJa=ZaZca+g@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Thank you very much, great tip!</div>
</div>
</blockquote>
You're welcome.<br>
<blockquote
cite="mid:CAFTAuVd6ik-W-wXjtS6iBB3yR_+_T88ZgOQBsPDWJa=ZaZca+g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>The only issue in openstack context is that it usually has
to work with distro packages... Anyway, providing a strongswan
driver alongside your ./configure suggestion could
definitely be a solution.</div>
</div>
</blockquote>
OK I see.<br>
<br>
I did not test it, but you could maybe write a small launcher
application that does a similar directory remapping as "ip netns
exec". Just take your inspiration from iproute2 function
ip/ipnetns.c:netns_exec(), and remap the directory
/etc/netns/<netnsname>/run to /var/run. (warning, I don't know
if some libraries used by charon read information from /var/run).<br>
<br>
Best Regards,<br>
Christophe.<br>
<blockquote
cite="mid:CAFTAuVd6ik-W-wXjtS6iBB3yR_+_T88ZgOQBsPDWJa=ZaZca+g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="">Regards,</div>
<div style="">Francois.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/5/24 Christophe Gouault <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:christophe.gouault@6wind.com" target="_blank">christophe.gouault@6wind.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <tt>Hi François,</tt><tt><br>
</tt><tt><br>
</tt><tt>If you use netns created by "ip netns add
<netnsname>" and start charon with "ip netns exec
<netnsname> ipsec start", then there is a solution
(that we successfully used here to perform IKE tests
with a single machine):</tt><tt><br>
</tt><tt><br>
</tt><tt>"ip netns exec netns1" lets you start the
application in netns netns1, but also, if the
/etc/netns/netns1 directory exists, the files and
sub-directories will be remapped in /etc for the
application (provided a file or directory with the same
name already exists in /etc).</tt><tt><br>
</tt><tt><br>
</tt><tt>So, you just have to store your configuration
files in this directory and the pid and socket files in
a sub-directory. To do that, you must choose a different
piddir when compiling strongswan:</tt><tt><br>
</tt><tt><br>
</tt><tt>Example for netns1 and netns2:</tt><tt><br>
</tt><tt><br>
</tt><tt>create netns and directories</tt><tt><br>
</tt><tt>----------------------------<br>
</tt><tt>ip netns add netns1</tt><tt><br>
</tt><tt>ip netns add netns2</tt><tt><br>
</tt><tt>mkdir -p /etc/run<br>
mkdir -p /etc/netns/netns1/run<br>
mkdir -p /etc/netns/netns2/run</tt><tt><br>
</tt><tt><br>
</tt><tt>generate strongswan</tt><tt><br>
</tt><tt>-------------------<br>
</tt><tt>./configure --sysconfdir=/etc --with-piddir=/etc/run</tt><tt><br>
</tt><tt>make</tt><tt><br>
</tt><tt>make install</tt><tt><br>
</tt><tt><br>
configure and run strongswan instances<br>
--------------------------------------<br>
</tt><tt>Then, you can store configuration files for each
charon instance in the /etc/netns/<netnsname>
directory, and start each instance of charon with:</tt><tt><br>
</tt><tt>ip netns exec <netnsname> ipsec start</tt><tt><br>
</tt><tt><br>
</tt><tt>The pid and unix socket files will be stored in
/etc/netns/<netnsname>/run directory instead of
the default /var/run.</tt><tt><br>
</tt><tt><br>
</tt><tt>(From the application point of view, the
configuration files are in /etc, pid and socket files
are in /etc/run directories, but they are actually
stored in /etc/netns/<netnsname> and
/etc/netns/<netnsname>/run directories)</tt><tt><br>
</tt><tt><br>
</tt><tt>Enjoy</tt><tt><br>
</tt><tt><br>
</tt><tt>Best Regards,</tt><tt><br>
</tt><tt>Christophe</tt>
<div>
<div class="h5"><br>
<tt><br>
</tt>
<div><tt>On 05/22/2013 10:16 PM, Eleouet Francois
wrote:</tt><tt><br>
</tt></div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr"><tt>Hi,</tt>
<div><tt><br>
</tt></div>
<div><tt>I'm actually investigating how to run
multiple IPsec daemons within several network
namespaces.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>In the openstack project (an open source
cloud computing platform), we intend to extend
virtual networks to the outside world using
IPsec. Current implementation leverages netns to
provide routing (with support of overlapping
IPs) between different
projects/customers/virtual networks.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>As a consequence, we have to start
multiple IPsec daemons (one within each
namespace), so that they bind sockets and
set up IPsec SA & SPD in the right netns.
I managed to set up this kind of configuration
using pluto, as config, pid and control socket
file locations can be specified as command line
options
(using --ctlbase --ipsecdir --secretsfile --config...)</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Anyway, these variables seem to be hard
coded in charon (at ./configure time). As
IKEv2 support is really required, I was
wondering if I missed something. Is there any
way to change these parameters on a
per-process basis? Or maybe do you plan to
make charon netns aware?</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Thanks in advance,</tt></div>
<div><tt>Francois Eleouet.</tt></div>
</div>
<tt><br>
</tt>
<fieldset></fieldset>
<tt><br>
</tt> </div>
</div>
<pre>_______________________________________________
Users mailing list
<a moz-do-not-send="true" href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a>
<a moz-do-not-send="true" href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<tt><br>
</tt> </div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
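An added example, not code from this thread, from iproute2 or from strongSwan: a small launcher in C of the kind Christophe suggests above. It joins the network namespace through the handle file that "ip netns add" creates (assumed to live under /var/run/netns, which is where ip(8) keeps them), takes a private mount namespace, overlays /etc/netns/netns1/X over /etc/X the way "ip netns exec" does, and then additionally bind-mounts /etc/netns/netns1/run over /var/run, so charon can keep its default piddir instead of being rebuilt with --with-piddir=/etc/run. The netns name is checked to be a single path component, because a name containing "/" or ".." would otherwise let the launcher mount a directory of the caller's choosing over /etc or /var/run. Linux only, and it must run as root.<br>

```c
/* netns_launch.c: added example, not code from this thread, iproute2 or
 * strongSwan. Mimics "ip netns exec": join the netns, take a private mount
 * namespace, overlay /etc/netns/<name>/X over /etc/X; then, as the extra
 * step, bind /etc/netns/<name>/run over /var/run. Linux only, needs root.
 * Build: cc -Wall -o netns_launch netns_launch.c
 * Use:   ./netns_launch netns1 ipsec start */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

#define NETNS_RUN_DIR "/var/run/netns" /* ip(8) handle directory (assumption) */
#define NETNS_ETC_DIR "/etc/netns"     /* overlay root used by ip netns exec */

/* One plain path component only: a name like "../x" would let the launcher
 * bind a directory outside /etc/netns over /etc or /var/run. 1 = acceptable. */
int netns_name_is_valid(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* "<base>/<name>" or "<base>/<name>/<sub>" into buf; -1 if it does not fit. */
int netns_path(char *buf, size_t len, const char *base, const char *name,
               const char *sub)
{
    int n = sub ? snprintf(buf, len, "%s/%s/%s", base, name, sub)
                : snprintf(buf, len, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Join the network namespace via the same handle file ip(8) opens. */
static int enter_netns(const char *name)
{
    char path[4096];
    int fd, rc;
    if (netns_path(path, sizeof path, NETNS_RUN_DIR, name, NULL) < 0 ||
        (fd = open(path, O_RDONLY | O_CLOEXEC)) < 0)
        return -1;
    rc = setns(fd, CLONE_NEWNET);
    close(fd);
    return rc;
}

/* Bind src over dst, but only if dst already exists (ip netns exec's rule). */
static int bind_over(const char *src, const char *dst)
{
    if (access(dst, F_OK) < 0)
        return 0;
    return mount(src, dst, "none", MS_BIND, NULL);
}

static int remap_dirs(const char *name)
{
    char src[4096], dst[4096];
    struct dirent *e;
    DIR *d;
    /* Private mount namespace, all mounts slave: binds never leak to the host. */
    if (unshare(CLONE_NEWNS) < 0 || mount("", "/", "none", MS_SLAVE | MS_REC, NULL) < 0)
        return -1;
    /* /etc/netns/<name>/<entry> over /etc/<entry>, exactly like ip netns exec. */
    if (netns_path(src, sizeof src, NETNS_ETC_DIR, name, NULL) < 0)
        return -1;
    if ((d = opendir(src)) == NULL)
        return errno == ENOENT ? 0 : -1;   /* no overlay directory: nothing to do */
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (netns_path(src, sizeof src, NETNS_ETC_DIR, name, e->d_name) < 0 ||
            snprintf(dst, sizeof dst, "/etc/%s", e->d_name) >= (int)sizeof dst ||
            bind_over(src, dst) < 0) {
            closedir(d);
            return -1;
        }
    }
    closedir(d);
    /* The extra step: /etc/netns/<name>/run becomes /var/run for the child,
     * so charon's default piddir needs no ./configure change. */
    if (netns_path(src, sizeof src, NETNS_ETC_DIR, name, "run") < 0)
        return -1;
    return access(src, F_OK) == 0 ? bind_over(src, "/var/run") : 0;
}

int main(int argc, char **argv)
{
    if (argc < 3 || !netns_name_is_valid(argv[1])) {
        fprintf(stderr, "usage: %s <netnsname> <command> [args...]\n", argv[0]);
        return 2;
    }
    if (enter_netns(argv[1]) < 0 || remap_dirs(argv[1]) < 0) {
        perror(argv[1]);
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror(argv[2]);
    return 1;
}
```

On most distributions /var/run is a symlink to /run, so the bind over /var/run hides everything else under /run for the launched process. That is exactly the caveat Christophe raises about libraries reading /var/run, and it is worth checking with strace what charon and its plugins open there before relying on the launcher.<br>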
</body>
</html>