Nicola Feltrin nicola.feltrin at mailbox.org
Sun Jan 22 22:22:24 CET 2017

Hi all,

I’m running strongswan on an OpenWRT router as a server for some
roadwarriors. The configuration works, but has been implemented through
the standard strongswan configuration files (/etc/strongswan.conf,
/etc/ipsec.conf, /etc/ipsec.secrets, /etc/ipsec.d). I would like to
move to a uci-implemented configuration, to keep the system clean and
because it seems like it would allow assigning VPN traffic to a
specific firewall zone.

I have consulted OpenWRT[1][2][3] and StrongSwan[4] docs, but many
things are still unclear to me. There seem to be two different files:
 - /etc/config/strongswan, parsed automatically by charon, defining the
connection details usually described in /etc/ipsec.conf
 - /etc/config/ipsec, parsed by a custom init script, generating
everything(?) else
Can someone confirm it? Is there a table/scheme/guide somewhere that
lists where each option should go?

As a bonus, it would be interesting to know if there is a way to
specify a firewall zone with the standard configuration files.

Hoping this was not too much OT, with my best wishes,

Nicola Feltrin

[1]: http://wiki.openwrt.org/doc/howto/vpn.ipsec.basics
[2]: http://wiki.openwrt.org/doc/uci/ipsec
[3]: http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
[4]: https://wiki.strongswan.org/projects/strongswan/wiki/OpenWrtUCI

