[strongSwan] Using just charon

Mohammad Ahmad mohd.ahmad17 at gmail.com
Tue Jul 21 01:59:03 CEST 2015


Thanks for the responses guys. This helps clarify things and I am now
able to run charon (yay!).

I do have a couple of followups.

1- When I run /usr/lib/charon it loads the /etc/strongswan.conf which
has the plugins to be loaded. For me this does not load the vici
plugin. I found something here
https://wiki.strongswan.org/projects/strongswan/wiki/Vici about
--enable-vici but I installed strongswan using apt-get so how can I
enable it?

2- From here https://www.strongswan.org/uml/testresults/ikev2/net2net-psk/moon.ipsec.conf
I see that config options of keylife, authby are defined in
ipsec.conf. Can these options be configured using vici? Can a default
proposal for each host be defined which lists the algorithms and the
DH group to be used?

Sorry for the excessive questions and thanks for the help.

Ahmad

On Sun, Jul 19, 2015 at 1:34 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Ryan,
>
> ipsec starter loads the configuration into charon using stroke socket.
> If you don't use ipsec starter, that doesn't happen, so you need to
> load the config manually, using ipsec reload/update.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.07.2015 at 13:44, Ruel, Ryan wrote:
>> Andreas,
>>
>> Are there any limitations to just starting the charon daemon directly (versus using the “ipsec” script)?
>>
>> /Ryan
>>
>>
>>
>>
>> On 7/18/15, 6:26 AM, "Andreas Steffen" <andreas.steffen at strongswan.org> wrote:
>>
>>> Hi Ahmad,
>>>
>>> no, just start charon itself:
>>>
>>>  /usr/libexec/ipsec/charon &
>>>
>>> If you have an Ubuntu or Debian platform you can use the attached
>>> /etc/init.d/charon runlevel script and start and stop the daemon
>>> with
>>>
>>>  sudo service charon start
>>>
>>>  sudo service charon stop
>>>
>>> If you have Fedora or some other OS supporting systemd then you
>>> can use the charon-systemd daemon variant.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 07/18/2015 12:12 PM, Mohammad Ahmad wrote:
>>>> Hey Andreas,
>>>>
>>>> Thank you for the response. Quick followup, I need to run 'ipsec start'
>>>> with the sample configuration file you have shared to start charon in
>>>> the background?
>>>>
>>>> I apologize for asking very basic questions. I'm just getting started
>>>> with strongswan.
>>>>
>>>>
>>>> On Sat, Jul 18, 2015, 2:46 AM Andreas Steffen
>>>> <andreas.steffen at strongswan.org> wrote:
>>>>
>>>>     Hi Ahmad,
>>>>
>>>>     if you intend to use the vici plugin then you need neither
>>>>     starter nor stroke. Just start the charon daemon in the
>>>>     background. The minimum of plugins you need are e.g.
>>>>
>>>>     https://www.strongswan.org/uml/testresults/swanctl/rw-cert/moon.strongswan.conf
>>>>
>>>>     Best regards
>>>>
>>>>     Andreas
>>>>
>>>>     On 07/18/2015 04:26 AM, Mohammad Ahmad wrote:
>>>>     > Hi,
>>>>     >
>>>>     > I want to run charon and plan to speak to it using a vici plugin I am
>>>>     > developing.
>>>>     > With racoon, I run racoon -f /path/to/config but with charon, I see a
>>>>     > number of tools that can be used to achieve this, stroke, starter,
>>>>     > ipsec but am unsure which one will require the minimum number of
>>>>     > packages to be installed (I want to keep that to a minimum).
>>>>     >
>>>>     > More information
>>>>     > I will be adding the ipsec policies manually and am using ipsec in
>>>>     > tunnel mode. I have two sites behind each of which is a subnet.
>>>>     >
>>>>     > Looking forward to hearing from you guys.
>>>>     >
>>>>     > Ahmad
>>>>
>>>>     ======================================================================
>>>>     Andreas Steffen
>>>>     andreas.steffen at strongswan.org
>>>>     strongSwan - the Open Source VPN Solution!
>>>>     www.strongswan.org
>>>>     Institute for Internet Technologies and Applications
>>>>     University of Applied Sciences Rapperswil
>>>>     CH-8640 Rapperswil (Switzerland)
>>>>     ===========================================================[ITA-HSR]==
>>>>
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>

