[strongSwan] Running multiple charon daemons
Christophe Gouault
christophe.gouault at 6wind.com
Fri May 24 09:48:53 CEST 2013
Hi François,
If you use netns created by "ip netns add <netnsname>" and start charon
with "ip netns exec <netnsname> ipsec start", then there is a solution
(that we successfully used here to perform IKE tests with a single machine):
"ip netns exec netns1" enables you to start the application in netns netns1,
but also, if the /etc/netns/netns1 directory exists, the files and
sub-directories will be remapped in /etc for the application (provided a
file or directory with the same name already exists in /etc).
So, you just have to store your configuration files in this directory
and the pid and socket files in a sub-directory. To do that, you must
choose a different piddir when compiling strongswan:
Example for netns1 and netns2:
create netns and directories
----------------------------
ip netns add netns1
ip netns add netns2
mkdir -p /etc/run
mkdir -p /etc/netns/netns1/run
mkdir -p /etc/netns/netns2/run
generate strongswan
-------------------
./configure --sysconfdir=/etc --with-piddir=/etc/run
make
make install
configure and run strongswan instances
--------------------------------------
Then, you can store configuration files for each charon instance in the
/etc/netns/<netnsname> directory, and start each instance of charon with:
ip netns exec <netnsname> ipsec start
The pid and unix socket files will be stored in the
/etc/netns/<netnsname>/run directory instead of the default /var/run.
(From the application's point of view, the configuration files are in
/etc and the pid and socket files are in /etc/run, but they are
actually stored in the /etc/netns/<netnsname> and /etc/netns/<netnsname>/run
directories.)
Enjoy
Best Regards,
Christophe
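The remapping described above only works for entries of /etc/netns/<netnsname> that have a counterpart of the same name in /etc. The following script is an added example, not part of the mail or of strongSwan: it builds the directory layout from the recipe under a base directory standing in for /etc (so it can run unprivileged), with a constructed placeholder ipsec.conf, and checks which per-netns entries would silently not be remapped.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): sanity-check a per-netns
# configuration tree before starting charon with "ip netns exec <ns> ipsec start".
# "ip netns exec" bind-mounts each top-level entry of /etc/netns/<ns> over the
# entry of the same name in /etc, so an entry with no counterpart in /etc is
# silently left unmapped and charon would read the default file instead.
# BASE is the directory playing the role of /etc (a temp dir when testing).

# netns_prepare_layout BASE NS: create the directories the mail describes
# (BASE/run for the compiled-in piddir, BASE/netns/NS/run as its per-netns copy).
netns_prepare_layout() {
    base="$1"; ns="$2"
    mkdir -p "$base/run" "$base/netns/$ns/run"
    # ipsec.conf is a constructed placeholder; a real setup has the default
    # strongSwan config in BASE so the netns copy has a mount point
    touch "$base/ipsec.conf" "$base/netns/$ns/ipsec.conf"
}

# netns_check_overlay BASE NS: print one line per top-level entry of
# BASE/netns/NS that has no counterpart in BASE.  Returns 0 if every entry
# will be remapped, 1 if at least one will not, 2 if the netns dir is missing.
netns_check_overlay() {
    base="$1"; ns="$2"
    nsdir="$base/netns/$ns"
    [ -d "$nsdir" ] || { echo "missing $nsdir" >&2; return 2; }
    rc=0
    for entry in "$nsdir"/*; do
        [ -e "$entry" ] || continue        # empty directory: glob unexpanded
        name=${entry##*/}
        if [ ! -e "$base/$name" ]; then
            echo "not remapped: $entry (no $base/$name)"
            rc=1
        fi
    done
    return $rc
}
```

Run it against the real tree with BASE=/etc after "ip netns add" and before "ip netns exec <ns> ipsec start"; a non-zero return means a config or run directory would not reach the daemon.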
On 05/22/2013 10:16 PM, Eleouet Francois wrote:
> Hi,
>
> I'm actually investigating how to run multiple IPsec daemons within
> several network namespaces.
>
> In the openstack project (an open source cloud computing platform), we
> intend to extend virtual networks to the outside world using IPsec.
> Current implementation leverages netns to provide routing (with support
> of overlapping IPs) between different projects/customers/virtual networks.
>
> As a consequence, we have to start multiple IPsec daemons (one within
> each namespace), so that they bind sockets and set-up IPsec SA & SPD
> in the right netns. I managed to set up this kind of configuration
> using pluto as config, pid and control socket files location can be
> specified as command line options
> (using --ctlbase --ipsecdir --secretsfile --config...)
>
> Anyway, these variables seem to be hard coded in charon (at
> ./configure time). As IKEv2 support is really required, I was
> wondering if I missed something. Is there any way to change these
> parameters on a per-process basis? Or maybe do you plan to make
> charon netns aware?
>
> Thanks in advance,
> Francois Eleouet.