[strongSwan] Strongswan 4.5.1 sqlite database passthrough
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 29 07:47:15 CEST 2011
Oops, "install_routes" should of course be set to *no*.

BTW - a shunt can be removed with

  ipsec unroute local-net

and added again with

  ipsec route local-net

Regards

Andreas

On 06/29/2011 07:43 AM, Andreas Steffen wrote:
> Hello Fabrice,
>
> strongswan-4.5.3dr6 with shunt policy support is available from
>
> http://download.strongswan.org/strongswan-4.5.3dr6.tar.bz2
>
> There is an example scenario based on ipsec.conf
>
> http://www.strongswan.org/uml/testresults45dr/ikev2/shunt-policies/
>
> where PASS policies are defined with type=pass and DROP policies
> with type=drop. Authentication should be set to either 'authby=never'
> or 'right|leftauth=any', but this actually doesn't matter as long as
> 'right|left=%any'.
>
> A second example stores its configuration in an SQLite database
>
> http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/
>
> As the SQL dump
>
>
> http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/moon.ipsec.sql
>
> shows, the peer_config should have its auth_method set to 0
>
> INSERT INTO peer_configs (
> name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
> ) VALUES (
> 'shunts', 2, 7, 7, 0, 0, 0
> );
>
> and local_id/remote_id should preferably be set to %any
>
> INSERT INTO identities (
> type, data
> ) VALUES ( /* %any */
> 0, '%any'
> );
>
> as well as left/right in the ike_config
>
> INSERT INTO ike_configs (
> local, remote
> ) VALUES (
> '%any', '%any'
> );
>
> The mode of a PASS policy is 4 and the start_action should be
> 1 for route:
>
> INSERT INTO child_configs (
> name, mode, start_action
> ) VALUES (
> 'local-net', 4, 1
> );
>
> whereas the mode of a DROP policy is 5
>
> INSERT INTO child_configs (
> name, mode, start_action
> ) VALUES (
> 'venus-icmp', 5, 1
> );
>
> And do not forget to set install_routes = yes in strongswan.conf
>
>
> http://www.strongswan.org/uml/testresults45dr/sql/shunt-policies/moon.strongswan.conf
>
> Best regards
>
> Andreas
>
> On 06/28/2011 12:14 PM, CETIAD - Fabrice Barconnière wrote:
>> Hello Andreas
>>
>> Thanks for all that you do.
>> I am waiting for this.
>>
>> Regards
>> Fabrice
>>
>> On 28/06/2011 11:04, Andreas Steffen wrote:
>>> Hello Fabrice,
>>>
>>> probably today I'm going to release a strongSwan snapshot with
>>> integrated PASS and DROP shunt policies support. These policies
>>> can be configured either via ipsec.conf or an SQL database.
>>> So just have a little patience.
>>>
>>> Best regards
>>>
>>> Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
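
An added example, not part of the original thread and not strongSwan project code: a small audit that lists the shunt policies stored in an SQLite configuration, using the child_configs encoding given in the quoted message (mode 4 = PASS, mode 5 = DROP, start_action 1 = route). The table is a constructed, reduced stand-in with only the columns quoted above; the function names and the 'net-net' and 'mgmt-bypass' rows are assumptions made for illustration.

```python
import sqlite3

# Encoding given in the quoted message: child_configs.mode 4 = PASS,
# mode 5 = DROP; start_action 1 = route.
SHUNT_MODES = {4: "PASS", 5: "DROP"}
ACTION_ROUTE = 1

# Constructed, reduced stand-in for child_configs holding only the columns
# quoted in the thread; a real strongSwan database has more columns.
SAMPLE_SQL = """
CREATE TABLE child_configs (
  id INTEGER PRIMARY KEY, name TEXT, mode INTEGER, start_action INTEGER);
INSERT INTO child_configs (name, mode, start_action) VALUES
  ('local-net', 4, 1),    -- from the thread
  ('venus-icmp', 5, 1),   -- from the thread
  ('net-net', 2, 0),      -- constructed non-shunt row
  ('mgmt-bypass', 4, 0);  -- constructed PASS row that is not routed
"""


def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def audit_shunts(conn):
    """Return (name, kind, routed) for every PASS/DROP child config."""
    marks = ",".join("?" * len(SHUNT_MODES))
    rows = conn.execute(
        "SELECT name, mode, start_action FROM child_configs "
        f"WHERE mode IN ({marks}) ORDER BY name", tuple(SHUNT_MODES))
    return [(n, SHUNT_MODES[m], a == ACTION_ROUTE) for n, m, a in rows]


def findings(conn):
    """Review notes: PASS exempts traffic from IPsec, DROP discards it."""
    effect = {"PASS": "bypasses IPsec", "DROP": "is discarded"}
    return [
        f"{name}: {kind}, matching traffic {effect[kind]}"
        + ("" if routed else " (start_action is not route)")
        for name, kind, routed in audit_shunts(conn)
    ]


if __name__ == "__main__":
    for note in findings(load_sample()):
        print(note)
```

Against a real configuration, pass `audit_shunts` a connection opened on the database file instead of the in-memory sample.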