[strongSwan] Running multiple charon daemons
christophe.gouault at 6wind.com
Fri May 24 09:48:53 CEST 2013
If you use netns created by "ip netns add <netnsname>" and start charon
with "ip netns exec <netnsname> ipsec start", then there is a solution
(that we successfully used here to perform IKE tests with a single machine:
"ip netns exec netns1" enables to start the application in netns netns1,
but also, if the /etc/netns/netns1 directory exists, the files and
sub-directories will be remapped in /etc for the application (provided a
file or directory with the same name already exists in /etc).
So, you just have to store your configuration files in this directory
and the pid and socket files in a sub-directory. To do that, you must
chose a different piddir when compiling strongswan:
Example for netns1 and netns2:
create netns and directories
ip netns add netns1
ip netns add netns2
mkdir -p /etc/run
mkdir -p /etc/netns/netns1/run
mkdir -p /etc/netns/netns2/run
./configure --sysconfdir=/etc --with-piddir=/etc/run make
configure and run strongswan instances
Then, you can store configurations files for each charon instance in the
/etc/netns/<netnsname> directory, and start each instance of charon with:
ip netns exec <netnsname> ipsec start
The pid and unix socket files will be stored in
/etc/netns/<netnsname>/run directory instead of the default /var/run.
(From the application point of view, the configuration files are in
/etc, pid and socket files are in /etc/run directories, but they are
actually stored in /etc/netns/<netnsname> and /etc/netns/<netnsname>/run
On 05/22/2013 10:16 PM, Eleouet Francois wrote:
> I'm actually investigating how to run multiple IPsec damons within
> several network namespaces.
> In the openstack project (an open source cloud computing platform), we
> intend to extend virtual networks to the outside world using IPsec.
> Current implentation leverages netns to provide routing (with support
> of overlapping IPs) between different projects/customers/virtual networks.
> As a consequence, we have to start multiple IPsec daemons (one within
> each namespace), so that they bind sockets and set-up IPsec SA & SPD
> in the right netns. I managed to set up this kind of configuration
> using pluto as config, pid and control socket files location can be
> specified as comand line options
> (using --ctlbase --ipsecdir --secretsfile --config...)
> Anyway, these variables seems to be hard coded in charon (at
> ./configure time). As IKEv2 support is really required, I was
> wondering if I missed something. Is there any way to change these
> parameters on a per-process basis? Or maybe have you plan to make
> charon netns aware?
> Thanks in advance,
> Francois Eleouet.
> Users mailing list
> Users at lists.strongswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users