[strongSwan-dev] How to implement strongswan up and down using SMP?

[Martin Willi]

Hi Vadim,

> I'd like to implement the equivalent of commands "strongswan up
> <connectionname>" and "strongswan down <connectionname>" using SMP
> plugin.

The "smp" plugin was an early attempt for a generic XML based management
interface. However, it is incomplete and didn't get much love since its
initial inception, I don't recommend to use it in new applications.

Instead, we recently introduced the vici interface [1], which is much
more complete and gives you more flexibility. It uses its own binary
protocol, but it is rather simple and comes with a C client library.

The swanctl tool [2] uses this protocol, and is a mostly complete
backend to configure, control and monitor the IKE daemon. It probably
serves as a good starting point for implementing your own client in C.

> It works fine, but I'm still not sure is that the complete equivalent?

For initiation, you usually just reference the CHILD_SA. The associated
IKE_SA gets automatically established. To close a IKE_SA/CHILD_SA pair,
you can usually just terminate the IKE_SA, as that implicitly closes all
associated CHILD_SAs.

> 1) What happens to strongSwan server if my program would be terminated unexpectedly
> before sending the second message?

Only the first message gets processed. But as said, to initiate a
CHILD_SA/IKE_SA pair, you usually need just one command.

> 2) Are these SMP messages synchronous? Do they guarantee that the
> current action (IKE/child initiation or termination) is complete (with
> or without error)?

Yes, this is true for both SMP and vici.

With vici you can use multiple connections/threads for concurrent or
asynchronous commands. The initiate command can detach after a timeout.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Vici
[2]https://wiki.strongswan.org/projects/strongswan/wiki/Swanctl