[strongSwan] Strongswan 4.5.1 sqlite database passthrough
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 29 07:43:24 CEST 2011
Hello Fabrice,
strongswan-4.5.3dr6 with shunt policy support is available from
http://download.strongswan.org/strongswan-4.5.3dr6.tar.bz2
There is an example scenario based on ipsec.conf
http://www.strongswan.org/uml/testresults45dr/ikev2/shunt-policies/
where PASS policies are defined with type=pass and DROP policies
with type=drop. Authentication should be set to either 'authby=never'
or 'right|leftauth=any', but this actually doesn't matter as long as
'right|left=%any'.
A second example stores its configuration in an SQLite database
http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/
As the SQL dump
http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/moon.ipsec.sql
shows, the peer_config should have its auth_method set to 0
INSERT INTO peer_configs (
name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
) VALUES (
'shunts', 2, 7, 7, 0, 0, 0
);
and local_id/remote_id should preferably be set to %any
INSERT INTO identities (
type, data
) VALUES ( /* %any */
0, '%any'
);
and likewise left/right in the ike_config
INSERT INTO ike_configs (
local, remote
) VALUES (
'%any', '%any'
);
The mode of a PASS policy is 4 and the start_action should be
1 for route:
INSERT INTO child_configs (
name, mode, start_action
) VALUES ( /* mode 4 = PASS, start_action 1 = route */
'local-net', 4, 1
);
whereas the mode of a DROP policy is 5
INSERT INTO child_configs (
name, mode, start_action
) VALUES ( /* mode 5 = DROP, start_action 1 = route */
'venus-icmp', 5, 1
);
And do not forget to set install_routes = yes in strongswan.conf
http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/moon.strongswan.conf
Best regards
Andreas
On 06/28/2011 12:14 PM, CETIAD - Fabrice Barconnière wrote:
> Hello Andreas
>
> Thanks for all what you do.
> I wait for this.
>
> Regards
> Fabrice
>
> On 28/06/2011 11:04, Andreas Steffen wrote:
>> Hello Fabrice,
>>
>> probably today I'm going to release a strongSwan snapshot with
>> integrated PASS and DROP shunt policies support. These policies
>> can be configured either via ipsec.conf or an SQL database.
>> So just have a little patience.
>>
>> Best regards
>>
>> Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
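The mail above fixes the integer values a shunt policy needs in the SQLite backend (child_configs.mode 4 for PASS, 5 for DROP, start_action 1 for route, peer_configs.auth_method 0, and %any for the identities and IKE endpoints). The following Python script, added here as an illustration and not part of the thread, the strongSwan project or its ipsec.sql schema, builds an in-memory database with a reduced stand-in for those tables (only the columns the mail references plus the integer primary keys that ike_cfg, local_id and remote_id point at; the real schema has more tables and columns), seeds it with the rows from the mail plus two deliberately broken rows, and audits the result for the mistakes the mail warns about. The helper names, the "bad" rows and the identity type of the non-%any identity are constructed for the example.

```python
import sqlite3

# Reduced stand-in for the strongSwan SQLite schema, constructed for this
# example: only the tables and columns the mail references, plus the integer
# primary keys that ike_cfg / local_id / remote_id refer to.
SCHEMA = """
CREATE TABLE identities    (id INTEGER PRIMARY KEY, type INTEGER, data TEXT);
CREATE TABLE ike_configs   (id INTEGER PRIMARY KEY, local TEXT, remote TEXT);
CREATE TABLE peer_configs  (id INTEGER PRIMARY KEY, name TEXT, ike_cfg INTEGER,
                            local_id INTEGER, remote_id INTEGER,
                            auth_method INTEGER, mobike INTEGER, dpd_delay INTEGER);
CREATE TABLE child_configs (id INTEGER PRIMARY KEY, name TEXT, mode INTEGER,
                            start_action INTEGER);
"""

# Values quoted in the mail.
MODE_PASS, MODE_DROP = 4, 5      # child_configs.mode for PASS / DROP shunts
START_ACTION_ROUTE = 1           # child_configs.start_action "route"
AUTH_METHOD_SHUNT = 0            # peer_configs.auth_method for shunt peers
ANY = "%any"


def open_sample_db():
    """In-memory database seeded with the rows from the mail plus two
    constructed broken rows for the audit to catch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO identities (id, type, data) VALUES (?, ?, ?)",
                     [(7, 0, ANY),
                      (8, 0, "moon.example")])   # constructed; type value is not from the mail
    conn.executemany("INSERT INTO ike_configs (id, local, remote) VALUES (?, ?, ?)",
                     [(2, ANY, ANY),
                      (3, "192.168.0.1", ANY)])  # constructed: not %any on the local side
    conn.executemany(
        "INSERT INTO peer_configs (name, ike_cfg, local_id, remote_id, "
        "auth_method, mobike, dpd_delay) VALUES (?, ?, ?, ?, ?, ?, ?)",
        [("shunts", 2, 7, 7, 0, 0, 0),           # row from the mail
         ("shunts-bad", 3, 8, 7, 0, 0, 0)])      # constructed: auth_method 0 but not %any
    conn.executemany(
        "INSERT INTO child_configs (name, mode, start_action) VALUES (?, ?, ?)",
        [("local-net", 4, 1), ("venus-icmp", 5, 1),  # rows from the mail
         ("venus-bad", 5, 2)])                       # constructed: DROP shunt not routed
    return conn


def add_shunt(conn, name, kind):
    """Insert a PASS or DROP child_config with the mode/start_action the mail prescribes."""
    mode = {"pass": MODE_PASS, "drop": MODE_DROP}[kind]
    conn.execute("INSERT INTO child_configs (name, mode, start_action) VALUES (?, ?, ?)",
                 (name, mode, START_ACTION_ROUTE))


def audit_shunts(conn):
    """Return a list of findings describing shunt rows that deviate from the mail's advice."""
    findings = []
    # A PASS or DROP child config must be routed (start_action 1) to take effect.
    for name, mode, action in conn.execute(
            "SELECT name, mode, start_action FROM child_configs WHERE mode IN (?, ?)",
            (MODE_PASS, MODE_DROP)):
        if action != START_ACTION_ROUTE:
            findings.append(f"child_config {name}: shunt mode {mode} has start_action "
                            f"{action}, expected {START_ACTION_ROUTE} (route)")
    # A peer config with auth_method 0 should bind %any identities and %any IKE endpoints.
    for name, lid, rid, local, remote in conn.execute("""
            SELECT p.name, li.data, ri.data, k.local, k.remote
            FROM peer_configs p
            JOIN identities  li ON li.id = p.local_id
            JOIN identities  ri ON ri.id = p.remote_id
            JOIN ike_configs k  ON k.id  = p.ike_cfg
            WHERE p.auth_method = ?""", (AUTH_METHOD_SHUNT,)):
        for field, value in (("local_id", lid), ("remote_id", rid),
                             ("ike_config.local", local), ("ike_config.remote", remote)):
            if value != ANY:
                findings.append(f"peer_config {name}: auth_method 0 but {field} is "
                                f"{value}, expected {ANY}")
    return findings


if __name__ == "__main__":
    db = open_sample_db()
    add_shunt(db, "ssh-pass", "pass")
    for line in audit_shunts(db):
        print(line)
```

Run against a real strongSwan database by replacing `open_sample_db()` with `sqlite3.connect(path)`; the audit only reads the columns shown in the mail, so it does not depend on the rest of the schema.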