[strongSwan] How to dynamically add and delete tunnels?

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Oct 19 12:19:04 CEST 2011


On Tue, 2011-10-18 at 20:03 +0200, dr. ir. Kees van Reeuwijk wrote: 
> Hi,
> 
> I need to add and delete StrongSwan tunnels to a machine without user intervention.
> 
> The solution I have come up with is to create a special directory, let's call it  /strongswan, and then
> put a separate configuration file into /strongswan for each tunnel. To do this I added an entry
> 
>     include /strongswan/*.conf
> 
> to /etc/ipsec.conf
> 
> Adding a tunnel then consists of writing a new file to /strongswan, and saying
> 
>    ipsec update
> 
> Removing a tunnel consists of removing its configuration file from /strongswan, and saying
> 
>     ipsec update
> 
> Sadly, this does not work. A minor inconvenience is that strongSwan does not like it if the directory is empty, but that is easily solved with an empty dummy file. However, it seems that only the first `real' configuration file is read, and anything beyond that does not work. Also, I had expected that if I remove a configuration file, its tunnel goes away, but that doesn't seem to be the case. In fact, some of these tunnels do not go away, no matter what I do, and only a complete restart of the system helps.
> 
> It is quite possible that I'm doing something wrong, but before I start debugging I would like to ask a few questions: Is this a reasonable way to accomplish my goal? Is there a better way? Is there perhaps a limitation on the length of a connection name (so that what I think are two different names is treated as the same)?
> 
> Any help with this would be great.
> 
> 
We, likewise, store our configurations in a separate directory and have
a dummy.conf for when it is empty.  However, to do start and stop, e.g.,
for restarting tunnels in response to monitoring alerts that the tunnel
has dropped, we use the ipsec auto commands and pass the conn name to
it, e.g., 
ipsec auto --delete <conn>
ipsec auto --add <conn>
ipsec auto --up <conn>

I do not know if that would work for you - John
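Putting the two approaches in the thread together, here is an added example script (not part of the original posts, and not strongSwan's own tooling) that keeps one conn per file in the directory that ipsec.conf includes with `include /strongswan/*.conf`, keeps the dummy file so the glob never matches nothing, and drives the tunnel with the `ipsec auto --add`/`--up`/`--delete` commands from John's reply. The directory path, the `IPSEC` override, the conn parameters and the `authby=psk` setting are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: manage one strongSwan conn per file in a
# directory that /etc/ipsec.conf includes via "include /strongswan/*.conf",
# and add/up/delete the conn with "ipsec auto" as described in John's reply.
# CONF_DIR, IPSEC and the conn parameters are assumptions for illustration.

: "${CONF_DIR:=/strongswan}"   # directory included from /etc/ipsec.conf
: "${IPSEC:=ipsec}"            # the ipsec(8) wrapper; override for dry runs

# Accept only a conservative conn name: it becomes both a file name and a
# config token, so anything else is rejected rather than quoted.
valid_conn_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the conn block for one tunnel into its own file in CONF_DIR.
write_conn_file() {
    name=$1; left=$2; leftsubnet=$3; right=$4; rightsubnet=$5
    valid_conn_name "$name" || { echo "bad conn name: $name" >&2; return 1; }
    cat > "$CONF_DIR/$name.conf" <<EOF
conn $name
    left=$left
    leftsubnet=$leftsubnet
    right=$right
    rightsubnet=$rightsubnet
    authby=psk
    auto=add
EOF
}

# List the conn names currently defined in CONF_DIR ("conn <name>" headers).
conn_names() {
    awk '$1 == "conn" && $2 != "%default" { print $2 }' "$CONF_DIR"/*.conf 2>/dev/null || true
}

# Keep an empty dummy.conf so the include glob always matches something
# (the workaround mentioned by both posters for an empty directory).
ensure_dummy() {
    [ -e "$CONF_DIR/dummy.conf" ] || : > "$CONF_DIR/dummy.conf"
}

# Add a tunnel: write its file, then load and bring up the conn by name.
tunnel_add() {
    ensure_dummy
    write_conn_file "$@" || return 1
    "$IPSEC" auto --add "$1" && "$IPSEC" auto --up "$1"
}

# Delete a tunnel: unload the conn by name first, then remove its file.
tunnel_delete() {
    valid_conn_name "$1" || return 1
    "$IPSEC" auto --delete "$1"
    rm -f "$CONF_DIR/$1.conf"
    ensure_dummy
}
```

Deleting the conn by name before removing its file matters: once the file is gone, the config reader no longer knows the conn, so a later delete has nothing to refer to and the tunnel lingers until the daemon restarts. For a dry run without a running daemon, set `IPSEC=true` and `CONF_DIR` to a scratch directory.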