[strongSwan] Running multiple charon daemons

Eleouet Francois f.eleouet at gmail.com
Sat May 25 09:55:05 CEST 2013


Thank you very much again for pointing this out, I didn't catch before that
ip netns exec command was also running process in a mount namespace (thanks
to unshare(CLONE_NEWNS) ).

As suggested, wrapping ipsec commands with this kind of scripts seems to
work fine:



for file in $PREFIX/$1/{run,etc}; do
    [ -d $dir ] || exit

mount --bind $PREFIX/$1/run /var/run/
mount --bind $PREFIX/$1/etc /etc

eval "$@"

Assuming the above script name is nswrap, just have to use "ip netns exec
netns_name nswrap netns_name ipsec start", to fire up strongswan.

It seems to work fine for basic uses cases, but as you mentioned, /var/run
will only contain charon pluto and starter pid and ctl files, don't know if
some plugins require additional information.


2013/5/24 Christophe Gouault <christophe.gouault at 6wind.com>

>  On 05/24/2013 11:46 AM, Eleouet Francois wrote:
> Hi,
>  Thank you very much, great tip!
> You're welcome.
>  The only issue in openstack context is that it usually has to work with
> distro packages... Anyway, providing a strongswan driver alongside with
> your ./configure suggestion could definitively be a solution.
> OK I see.
> I did not test it, but you could maybe write a small launcher application
> that does a similar directory remaping as "ip netns exec". Just take your
> inspiration from iproute2 function ip/ipnetns.c:netns_exec(), and remap the
> directory /etc/netns/<netnsname>/run to /var/run. (warning, I don't know if
> some libraries used by charon read information from /var/run).
> Best Regards,
> Christophe.
>  Regards,
> Francois.
> 2013/5/24 Christophe Gouault <christophe.gouault at 6wind.com>
>>  Hi François,
>> If you use netns created by "ip netns add <netnsname>" and start charon
>> with "ip netns exec <netnsname> ipsec start", then there is a solution
>> (that we successfully used here to perform IKE tests with a single machine:
>> "ip netns exec netns1" enables to start the application in netns netns1,
>> but also, if the /etc/netns/netns1 directory exists, the files and
>> sub-directories will be remapped in /etc for the application (provided a
>> file or directory with the same name already exists in /etc).
>> So, you just have to store your configuration files in this directory and
>> the pid and socket files in a sub-directory. To do that, you must chose a
>> different piddir when compiling strongswan:
>> Example for netns1 and netns2:
>> create netns and directories
>> ----------------------------
>> ip netns add netns1
>> ip netns add netns2
>> mkdir -p /etc/run
>> mkdir -p /etc/netns/netns1/run
>> mkdir -p /etc/netns/netns2/run
>> generate strongswan
>> -------------------
>> ./configure --sysconfdir=/etc --with-piddir=/etc/run make
>> make install
>> configure and run strongswan instances
>> --------------------------------------
>> Then, you can store configurations files for each charon instance in the
>> /etc/netns/<netnsname> directory, and start each instance of charon with:
>> ip netns exec <netnsname> ipsec start
>> The pid and unix socket files will be stored in
>> /etc/netns/<netnsname>/run directory instead of the default /var/run.
>> (From the application point of view, the configuration files are in /etc,
>> pid and socket files are in /etc/run directories, but they are actually
>> stored in /etc/netns/<netnsname> and /etc/netns/<netnsname>/run directories)
>> Enjoy
>> Best Regards,
>> Christophe
>>  On 05/22/2013 10:16 PM, Eleouet Francois wrote:
>>  Hi,
>>  I'm actually investigating how to run multiple IPsec damons within
>> several network namespaces.
>>  In the openstack project (an open source cloud computing platform), we
>> intend to extend virtual networks to the outside world using IPsec. Current
>> implentation leverages netns to provide routing (with support of
>> overlapping IPs) between different projects/customers/virtual networks.
>>  As a consequence, we have to start multiple IPsec daemons (one within
>> each namespace), so that they bind sockets and set-up IPsec SA & SPD in the
>> right netns. I managed to set up this kind of configuration using pluto as
>> config, pid and control socket files location can be specified as comand
>> line options (using --ctlbase --ipsecdir --secretsfile --config...)
>>  Anyway, these variables seems to be hard coded in charon (at
>> ./configure time). As IKEv2 support is really required, I was wondering if
>> I missed something. Is there any way to change these parameters on a
>> per-process basis? Or maybe have you plan to make charon netns aware?
>>  Thanks in advance,
>> Francois Eleouet.
>>   _______________________________________________
>> Users mailing listUsers at lists.strongswan.orghttps://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130525/c833fd82/attachment.html>

More information about the Users mailing list