[strongSwan] Multiple charon daemons mininet namespaces

Piyush Agarwal agarwalpiyush at gmail.com
Thu Apr 27 00:14:41 CEST 2017


Hi Noel,
Thanks for your reply, but I am not sure I completely understood your answer.

While waiting for a reply to my question, I tried this though:

1) Downloaded strongswan-starter deb file. Unpacked it.
2) Changed IPSEC_PIDDIR in usr/sbin/ipsec file to point to /etc/ipsec.d/run
(rather than /var/run)
3) Re-built the deb file
4) Installed this new deb file on my Ubuntu 14.04 host
5) Now ipsec binary does report piddir to be the changed location:

a at strongswan3:~$ sudo ip netns exec blue ipsec --piddir
/etc/ipsec.d/run

But charon seems to still think the piddir is /var/run and hence wouldn't
start the second instance.

a at strongswan3:~$ sudo ip netns exec red ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon
start
starter is already running (/var/run/starter.charon.pid exists) -- no fork
done

So obviously charon is getting its piddir from somewhere else. I am looking
for source code to modify such that charon's piddir is not hardcoded to
/var/run (as it currently seems to be). I'd like to make it modifiable via
either a command line, conf file or some other similar way. Perhaps I may
be okay to even hardcode it in my private .deb file to be /etc/ipsec.d/run
rather than /var/run.

Is there any pointer to achieving this? Requiring install from source code
and modifying ./configure options to change piddir is just a no-go for me
unfortunately.

Thank you.
Piyush

On Wed, Apr 26, 2017 at 11:23 AM, Noel Kuntze <noel.kuntze at thermi.consulting
> wrote:

> You can't do that when you start charon using "ipsec" (which implicitly
> calls "ipsec starter").
> You can do it with charon-systemd, though (but then you need to start it
> using systemd and you get a similar problem).
>
> On 26.04.2017 20:11, Piyush Agarwal wrote:
> > Hi,
> > I need to run multiple ipsec charon daemons in multiple mininet
> namespaces (perhaps some semantics change from ip namespaces).
> >
> > Sure enough, on following steps from https://wiki.strongswan.org/
> projects/strongswan/wiki/Netns (including piddir change), I could get
> multiple charon daemons running with *ip network namespaces*.
> >
> > I am not trying to achieve two things:
> > 1) Run multiple charon daemons with mininet namespaces
> > 2) Be able to do so without requiring piddir configuration option change.
> >
> > Regarding (1): I am not sure if mininet namespaces provide for bind
> mounting anything /etc/netns/<namespace name>/ to /etc/ for the process
> running in that network namespace -- if it doesn't, I will bind mount
> manually before starting charon/ipsec. So this should be okay.
> >
> > But, I am trying to find how I can do away with the piddir configuration
> change and make it work directly from the deb file install. Is there no way
> to achieve this? No environment variable that can be set?
> >
> > Appreciate any comments/directions/pointers.
> >
> > Thank you.
> > Piyush
> >
> >
> > --
> > Piyush Agarwal
> > Life can only be understood backwards; but it must be lived forwards.
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
>


-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
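The mismatch diagnosed by hand above (the `ipsec` wrapper reporting one piddir while starter complains about a pidfile under another) can be checked per namespace with a small script. This is an added example, not code from the thread or from strongSwan; the sample starter output is constructed from the messages quoted above, and `check_namespace` assumes `ip netns` and the `ipsec` wrapper are available and is run as root.

```shell
#!/bin/sh
# Added example: compare the pid directory the `ipsec` wrapper reports with the
# pidfile path that starter actually complains about. A patched IPSEC_PIDDIR that
# charon/starter does not honour shows up as a disagreement between the two.

# Print the directory of the first "(/.../x.pid exists)" path in starter output.
# Prints nothing when starter reported no existing pidfile.
starter_piddir() {
    # $1: text captured from `ipsec start` (stdout and stderr)
    printf '%s\n' "$1" | sed -n 's/.*(\(\/[^ ]*\)\/[^/ ]*\.pid exists).*/\1/p' | head -n 1
}

# Return 0 when the wrapper's piddir and starter's pidfile directory agree
# (or when starter reported no pidfile at all), 1 when they differ.
piddir_consistent() {
    # $1: output of `ipsec --piddir`, $2: output of `ipsec start`
    sdir=$(starter_piddir "$2")
    [ -z "$sdir" ] || [ "$1" = "$sdir" ]
}

# Live check for one network namespace (needs root); prints a one-line diagnosis.
check_namespace() {
    ns=$1
    wrapper_dir=$(ip netns exec "$ns" ipsec --piddir)
    start_out=$(ip netns exec "$ns" ipsec start 2>&1)
    sdir=$(starter_piddir "$start_out")
    if [ -z "$sdir" ]; then
        echo "$ns: no existing pidfile reported, wrapper piddir is $wrapper_dir"
    elif piddir_consistent "$wrapper_dir" "$start_out"; then
        echo "$ns: starter honours piddir $wrapper_dir"
    else
        echo "$ns: wrapper says $wrapper_dir but starter still uses $sdir"
    fi
}

# Constructed sample, matching the starter output quoted in this thread.
SAMPLE_START='Starting strongSwan 5.1.2 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
starter is already running (/var/run/starter.charon.pid exists) -- no fork done'
```

Calling `check_namespace red` inside the setup from the thread would report that the wrapper says `/etc/ipsec.d/run` while starter still uses `/var/run`.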