[strongSwan] Running multiple charon daemons

Christophe Gouault christophe.gouault at 6wind.com
Fri May 24 14:45:23 CEST 2013

On 05/24/2013 11:46 AM, Eleouet Francois wrote:
> Hi,
> Thank you very much, great tip!
You're welcome.
> The only issue in openstack context is that it usually has to work 
> with distro packages... Anyway, providing a strongswan driver 
> alongside with your ./configure suggestion could definitively be a 
> solution.
OK I see.

I did not test it, but you could maybe write a small launcher 
application that does a similar directory remaping as "ip netns exec". 
Just take your inspiration from iproute2 function 
ip/ipnetns.c:netns_exec(), and remap the directory 
/etc/netns/<netnsname>/run to /var/run. (warning, I don't know if some 
libraries used by charon read information from /var/run).

Best Regards,
> Regards,
> Francois.
> 2013/5/24 Christophe Gouault <christophe.gouault at 6wind.com 
> <mailto:christophe.gouault at 6wind.com>>
>     Hi François,
>     If you use netns created by "ip netns add <netnsname>" and start
>     charon with "ip netns exec <netnsname> ipsec start", then there is
>     a solution (that we successfully used here to perform IKE tests
>     with a single machine:
>     "ip netns exec netns1" enables to start the application in netns
>     netns1, but also, if the /etc/netns/netns1 directory exists, the
>     files and sub-directories will be remapped in /etc for the
>     application (provided a file or directory with the same name
>     already exists in /etc).
>     So, you just have to store your configuration files in this
>     directory and the pid and socket files in a sub-directory. To do
>     that, you must chose a different piddir when compiling strongswan:
>     Example for netns1 and netns2:
>     create netns and directories
>     ----------------------------
>     ip netns add netns1
>     ip netns add netns2
>     mkdir -p /etc/run
>     mkdir -p /etc/netns/netns1/run
>     mkdir -p /etc/netns/netns2/run
>     generate strongswan
>     -------------------
>     ./configure --sysconfdir=/etc --with-piddir=/etc/run make
>     make install
>     configure and run strongswan instances
>     --------------------------------------
>     Then, you can store configurations files for each charon instance
>     in the /etc/netns/<netnsname> directory, and start each instance
>     of charon with:
>     ip netns exec <netnsname> ipsec start
>     The pid and unix socket files will be stored in
>     /etc/netns/<netnsname>/run directory instead of the default /var/run.
>     (From the application point of view, the configuration files are
>     in /etc, pid and socket files are in /etc/run directories, but
>     they are actually stored in /etc/netns/<netnsname> and
>     /etc/netns/<netnsname>/run directories)
>     Enjoy
>     Best Regards,
>     Christophe
>     On 05/22/2013 10:16 PM, Eleouet Francois wrote:
>>     Hi,
>>     I'm actually investigating how to run multiple IPsec damons
>>     within several network namespaces.
>>     In the openstack project (an open source cloud computing
>>     platform), we intend to extend virtual networks to the outside
>>     world using IPsec. Current implentation leverages netns to
>>     provide routing (with support of overlapping IPs) between
>>     different projects/customers/virtual networks.
>>     As a consequence, we have to start multiple IPsec daemons (one
>>     within each namespace), so that they bind sockets and set-up
>>     IPsec SA & SPD in the right netns. I managed to set up this kind
>>     of configuration using pluto as config, pid and control socket
>>     files location can be specified as comand line options
>>     (using --ctlbase --ipsecdir --secretsfile --config...)
>>     Anyway, these variables seems to be hard coded in charon (at
>>     ./configure time). As IKEv2 support is really required, I was
>>     wondering if I missed something. Is there any way to change these
>>     parameters on a per-process basis? Or maybe have you plan to make
>>     charon netns aware?
>>     Thanks in advance,
>>     Francois Eleouet.
>>     _______________________________________________
>>     Users mailing list
>>     Users at lists.strongswan.org  <mailto:Users at lists.strongswan.org>
>>     https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130524/b1ca2040/attachment.html>

More information about the Users mailing list