[strongSwan] Creating an ad-hoc tunnel with charon-cmd?
Kees van Reeuwijk
reeuwijk at few.vu.nl
Thu Aug 15 18:03:35 CEST 2013
Thank you for your customary speedy response!
On 08/14/2013 11:09 AM, Martin Willi wrote:
>> charon-cmd is not willing to wait for the other side of the connection,
> This is not what charon-cmd has been designed for. charon-cmd is a
> simple IKE client (initiator) for use in road-warrior scenarios. It
> can't act as an IKE responder.
Yeah, I know. I understand why this is (the road-warrior scenarios are
probably 99% of the use cases of strongSwan), but for us it is one of
those frustrating 'so close yet so far away' things.
>> given two arbitrary machines from a large pool of machines, how do you
>> create a tunnel between the two?
> This requires creating connections dynamically. Scripting ipsec.conf
> and "ipsec" commands is cumbersome, but we have a powerful plugin API.
> That allows you to write extensions doing whatever you need, initiating
> or responding with dynamically created connections.
In fact, a student at our university, Razvan Ghitulete, developed
exactly such a plugin. It is called 'styx'. It offers a daemon that
listens on a unix-domain socket (thereby ruling out any remote hacking
of this daemon, and allowing controlled access), and dynamically creates
arbitrary connections. He did a very good job, but it was a student
project, meaning that we didn't do industrial-strength testing, and
error messages and documentation are also not up to industrial standards.
We have offered this plugin for inclusion in the main distribution, but
so far we have never gotten any response. That's understandable, since
this plugin would increase your maintenance burden for what you probably
consider a pretty marginal use case, but we are now left with a dilemma:
use a fork of strongSwan or not use our styx plugin.
If charon-cmd offered the functionality I had hoped for, the dilemma
would be solved.
Dr. Ir. Kees van Reeuwijk
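An added example (not from this thread, nor from strongSwan or the styx plugin) of the "script ipsec.conf and the ipsec commands" route Martin mentions: for a pair of pool machines it renders a conn block and a PSK line, writes them to per-connection files, and initiates. It assumes IKEv2 with a pre-shared key, host-to-host traffic only, and that /etc/ipsec.conf and /etc/ipsec.secrets each `include` the matching /etc/ipsec.d/* files; the peer runs the same script with the two addresses swapped and simply waits with auto=add, which is the responder role charon-cmd cannot play.

```shell
#!/bin/sh
# Added example: render and load an ad-hoc strongSwan tunnel between two
# pool machines using the legacy ipsec.conf / "ipsec" tooling.
# Assumptions: IKEv2, PSK authentication, one public IP per host, no subnets,
# and "include /etc/ipsec.d/*.conf" / "include /etc/ipsec.d/*.secrets" present
# in /etc/ipsec.conf and /etc/ipsec.secrets respectively.

# conn_name LOCAL_IP REMOTE_IP -> a name derived only from the two addresses,
# so each side can compute it independently.
conn_name() {
    printf 'adhoc-%s-%s\n' "$1" "$2" | tr '.' '_'
}

# render_conn LOCAL_IP REMOTE_IP -> ipsec.conf section for this host.
# auto=add loads the conn without initiating, so the same block also serves
# as the responder side on the peer (with the addresses swapped).
render_conn() {
    name=$(conn_name "$1" "$2")
    cat <<EOF
conn $name
    keyexchange=ikev2
    left=$1
    right=$2
    leftauth=psk
    rightauth=psk
    auto=add
EOF
}

# render_secret LOCAL_IP REMOTE_IP PSK -> ipsec.secrets line. Both hosts must
# hold the same PSK; distributing it safely is outside this example.
render_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# apply_conn LOCAL_IP REMOTE_IP PSK: write both files, reload, initiate.
apply_conn() {
    name=$(conn_name "$1" "$2")
    umask 077   # keep the secrets file private to root
    render_conn "$1" "$2" > "/etc/ipsec.d/$name.conf"
    render_secret "$1" "$2" "$3" > "/etc/ipsec.d/$name.secrets"
    ipsec reload          # pick up the new conn without restarting charon
    ipsec rereadsecrets   # pick up the new PSK
    ipsec up "$name"      # initiate; the peer only needs the conn loaded
}

if [ "$#" -eq 3 ]; then
    apply_conn "$1" "$2" "$3"
fi
```

Run as `./adhoc.sh LOCAL_IP REMOTE_IP PSK` on the initiator and with the first two arguments swapped on the peer (omit the final `ipsec up` there if it should only respond).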