[strongSwan-dev] ANNOUNCE: strongswan-4.4.0rc1

Jan Willem Beusink jan.willem.beusink at ti-wmc.nl
Thu May 20 14:32:00 CEST 2010


Andreas Steffen wrote:
> Hi,
> strongswan.conf is used for global configuration parameters
> and thus a replacement for the config setup section of ipsec.conf.
> It is not intended to contain connection-specific parameters.
Although for my purposes a non-connection-specific parameter would
suffice, it wouldn't hurt to be able to specify this per connection.

> If you tell us which new keywords you need and what they are
> good for then we could at least add them to keywords.txt so
> that your problem with patches and gperf goes away. If your
> additions are of general interest we might integrate them into
> the strongSwan main stream.

I'm integrating PERMIS to do authorization during the authentication
process. Ultimately this results in a plugin for strongSwan.
PERMIS acts as a Policy Decision Point and can parse fine-grained policies.
Keep in mind that only the responder performs authorization, as access to
a target in its realm is requested.

To this end, at least a boolean stating that it should or should not
perform permis authorization is needed (defaulting to FALSE/no). Being
able to configure the server location and port wouldn't hurt either.

I propose the following keywords:

pdp = permis | never
pdp_server = <ip address> | <fqdn>
pdp_port = <number>

defaulting to never and 5010, respectively.

Kind regards,

Jan Willem Beusink

> Best regards
> Andreas
> On 20.05.2010 13:25, Jan Willem Beusink wrote:
>> Andreas Steffen wrote:
>>> You must add the new keyword to
>>>    keywords.h and keywords.txt
>>> If you have checked out strongSwan from the git repository then
>>> make will automatically call gperf and generate keywords.c.
>>> If you have a tarball then you must invoke gperf manually.
>>> A look at the starter Makefile will tell you the exact arguments.
>>> IMPORTANT:  the new keyword must be added to the token_info[]
>>>              array in args.c at the correct position with the
>>>              correct type!
>>> You must also define a corresponding variable in the starter_end
>>> or starter_conn structs in confread.h. If your argument cannot
>>> be stored directly in the struct but needs some preprocessing
>>> then you must add a case statement in confread.c
>>> Regards
>>> Andreas
>>> On 05/19/2010 09:40 AM, Jan Willem Beusink wrote:
>>>> I would like to add some configuration options of my own to strongswan to be
>>>> used by my modifications. Do I only need to modify
>>>> starter/keywords.[c|h|txt] or do I also need to change the starter code
>>>> itself?
>>> ======================================================================
>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[ITA-HSR]==
>> Thank you, this really helps.
>> I'm bugged by two things though:
>> 1) If I were to edit keywords.txt, keywords.h, confread.h (optionally
>> confread.c) and args.c; were to run gperf so I'd get a keywords.c; and
>> finally make a patch to apply these changes against a tarball. This
>> patch would become useless to use against a newer tarball if this new
>> tarball would have new keywords in it, right?
>> Thus a patch would have to exclude keywords.c and after this patch would
>> be applied, gperf needs to be run before compilation.
>> 2) Wouldn't it be much easier to add configuration options to
>> strongswan.conf instead of ipsec.conf?
>> Kind regards,
>> Jan Willem Beusink
