[strongSwan] Running multiple charon daemons

Eleouet Francois f.eleouet at gmail.com
Thu May 23 17:43:56 CEST 2013


Hi,

Thank you very much for your prompt answer.

2013/5/23 Martin Willi <martin at strongswan.org>

> Hi Francois,
>
> > Anyway, these variables seem to be hard coded in charon (at ./configure
> > time). As IKEv2 support is really required, I was wondering if I missed
> > something. Is there any way to change these parameters on a per-process
> > basis?
>
> No, these paths are hard coded, there are currently no runtime options.
>
> Unix control sockets are set up by the plugin, and it is quite difficult
> to pass command line arguments to them. So instead we probably should
> just add an option for a strongswan.conf, which then may contain custom
> paths for control sockets, pid file etc.


This would be great!

>
> > Or maybe do you plan to make charon netns aware?
>
> We had some discussions about integrated netns support, but no,
> currently there are no concrete plans for implementing it (this might
> change if someone is willing to sponsor the development).
>

I can't figure out how complex that would be, but it may be tricky to
manage several IKE & netkey sockets from a single daemon.
netns context would probably have to be handled in a large part of the
code...
Some other people were talking about that here:
http://www.spinics.net/lists/netdev/msg219734.html

While investigating using containers to run several daemons, I started
thinking that having one isolated userland process per netns could be better
from a security point of view (but more resource consuming, of course). Any
thoughts on that?

>
> Kind Regards
> Martin
>
>