[strongSwan] Creating an ad-hoc tunnel with charon-cmd?

[Kees van Reeuwijk]

Hello Martin,

Thank you for your customary speedy response!

On 08/14/2013 11:09 AM, Martin Willi wrote:
> Hi,
>
>> charon-cmd is not willing to wait for the other side of the connection,
> This is not what charon-cmd has been designed for. charon-cmd is a
> simple IKE client (initiator) for use in road-warrior scenarios. It
> can't act as an IKE responder.

Yeah, I know. I understand why this is (the road-warrior scenarios are 
probably 99% of the use cases of strongSwan), but for us it is one of 
those frustrating `so close yet so far away' things.



>> give two arbitrary machines from a large pool of machines, how do you
>> create a tunnel between the two?
> This requires to create connections dynamically. Scripting ipsec.conf
> and "ipsec" commands is cumbersome, but we have a powerful plugin API.
> That allows you to write extensions doing whatever you need, initiating
> or responding with dynamically created connections.

In fact, a student at our university, Razvan Ghitulete, developed 
exactly such a plugin. It is called 'styx'. It offers a daemon that 
listens on a unix-domain socket (thereby ruling out any remote hacking 
of this daemon, and allowing controlled access), and dynamically creates 
arbitrary connections. He did a very good job, but it was a student 
project, meaning that we didn't do industrial-strength testing, and 
error messages and documentation are also not up to industrial standards.

We have offered this plugin for inclusion in the main distribution, but 
so far we have never gotten any response. That's understandable, since 
this plugin would increase your maintenance burden for what you probably 
consider a pretty marginal use case, but we are now left with a dilemma: 
use a fork of strongSwan or not use our styx plugin.

If charon-cmd would offer the functionality I had hoped for, the dilemma 
would have been solved.



-- 
Dr. Ir. Kees van Reeuwijk