[strongSwan-dev] strongswan plugin interface

Tobias Brunner tobias at strongswan.org
Fri Mar 16 10:31:07 CET 2012 

Hi Razvan,

> I want to be able to use something like a runtime API(let's say
> for javva) that can be used to alter strongswan configurations as those
> read from ipsec.conf.

If you are just interested in changing the configuration dynamically at
runtime (in an easier way than to modify ipsec.conf) have a look at the
sql plugin [1].  This allows you to store the configuration and the
credentials in a database from which the charon daemon fetches them when
needed.

> So there would be the approach of writing a plugin for this, but the
> plugins are daemon triggered, and this doesn't help me at all, as the
> plugin should be the one that triggers the daemon in this case(when a
> message for a new configuration is received). 

While it is true that the plugins are loaded by the daemon (if that's
what you mean by "triggered"), they are free to interact with external
processes however they want.  There are lots of examples for this.
  The stroke plugin for instance is used to get the config from
ipsec.conf into the daemon.  The config is parsed by starter which uses
a Unix domain socket to send the config to the charon daemon.  The
stroke utility (either directly or via the ipsec script) uses the same
socket to interact with the daemon (e.g. to initiate a connection).
Another plugin which uses Unix domain sockets is the android plugin
which interacts with a modified version of the default Android VPN GUI.
  Then there are plugins that use D-Bus to interact with external
processes, for instance, the nm plugin which is a backend to the
strongSwan NetworkManager plugin.  The maemo plugin also uses D-Bus to
receive connection requests (and config information) from the status
panel applet written for the Nokia N900.
  Also, there is the smp plugin (see [2]), which was never finished, but
allows some control of the daemon via XML sent to a TCP socket.

As you can see, there are plenty of options to control the charon daemon
from external processes.

> Also I was wondering(because the code base is very big and wasn't
> able to find an answer myself), what would an exact workflow diagram
> look like: who stores the configurations? how it stores them?

Have look at the code of the plugins mentioned above for examples of how
configuration objects are created and managed.

> is there any communication between daemons?

No, the pluto and charon daemons are independent and there is no
communication between them (starter does communicate with both of them
but the daemons are unaware of the details).

> if pluto and charon are both active at the same time, do they have
> distinct configuration storage?

Yes.  Also, pluto is not really extensible via plugins, at least not in
regard to configuration.

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/SQL
[2] http://wiki.strongswan.org/projects/strongswan/wiki/SMP

More information about the Dev mailing list