[strongSwan] Running multiple charon daemons

Eleouet Francois f.eleouet at gmail.com
Fri May 24 11:46:03 CEST 2013


Hi,

Thank you very much, great tip!

The only issue in openstack context is that it usually has to work with
distro packages... Anyway, providing a strongswan driver alongside with
your ./configure suggestion could definitively be a solution.

Regards,
Francois.


2013/5/24 Christophe Gouault <christophe.gouault at 6wind.com>

>  Hi François,
>
> If you use netns created by "ip netns add <netnsname>" and start charon
> with "ip netns exec <netnsname> ipsec start", then there is a solution
> (that we successfully used here to perform IKE tests with a single machine:
>
> "ip netns exec netns1" enables to start the application in netns netns1,
> but also, if the /etc/netns/netns1 directory exists, the files and
> sub-directories will be remapped in /etc for the application (provided a
> file or directory with the same name already exists in /etc).
>
> So, you just have to store your configuration files in this directory and
> the pid and socket files in a sub-directory. To do that, you must chose a
> different piddir when compiling strongswan:
>
> Example for netns1 and netns2:
>
> create netns and directories
> ----------------------------
> ip netns add netns1
> ip netns add netns2
> mkdir -p /etc/run
> mkdir -p /etc/netns/netns1/run
> mkdir -p /etc/netns/netns2/run
>
> generate strongswan
> -------------------
> ./configure --sysconfdir=/etc --with-piddir=/etc/run make
> make install
>
> configure and run strongswan instances
> --------------------------------------
> Then, you can store configurations files for each charon instance in the
> /etc/netns/<netnsname> directory, and start each instance of charon with:
> ip netns exec <netnsname> ipsec start
>
> The pid and unix socket files will be stored in /etc/netns/<netnsname>/run
> directory instead of the default /var/run.
>
> (From the application point of view, the configuration files are in /etc,
> pid and socket files are in /etc/run directories, but they are actually
> stored in /etc/netns/<netnsname> and /etc/netns/<netnsname>/run directories)
>
> Enjoy
>
> Best Regards,
> Christophe
>
>
>  On 05/22/2013 10:16 PM, Eleouet Francois wrote:
>
> Hi,
>
>  I'm actually investigating how to run multiple IPsec damons within
> several network namespaces.
>
>  In the openstack project (an open source cloud computing platform), we
> intend to extend virtual networks to the outside world using IPsec. Current
> implentation leverages netns to provide routing (with support of
> overlapping IPs) between different projects/customers/virtual networks.
>
>  As a consequence, we have to start multiple IPsec daemons (one within
> each namespace), so that they bind sockets and set-up IPsec SA & SPD in the
> right netns. I managed to set up this kind of configuration using pluto as
> config, pid and control socket files location can be specified as comand
> line options (using --ctlbase --ipsecdir --secretsfile --config...)
>
>  Anyway, these variables seems to be hard coded in charon (at ./configure
> time). As IKEv2 support is really required, I was wondering if I missed
> something. Is there any way to change these parameters on a per-process
> basis? Or maybe have you plan to make charon netns aware?
>
>  Thanks in advance,
> Francois Eleouet.
>
>
>  _______________________________________________
> Users mailing listUsers at lists.strongswan.orghttps://lists.strongswan.org/mailman/listinfo/users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130524/ace29065/attachment.html>


More information about the Users mailing list