[strongSwan] SWAN leases runtime API

Victor Voronkov VVoronkov at trustwave.com
Tue Mar 21 09:59:30 CET 2017


From your answers I assume that using attr-sql plugin with lease_history property can't help us to identify online connection by accessing the DB and querying it by virtual IP assigned, before the lease is released.

Is there any way to get online leases from the daemon except CLI? (we need an identity info for external service)

-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Tuesday, March 21, 2017 10:01 AM
To: Noel Kuntze <noel at familie-kuntze.de>; Victor Voronkov <VVoronkov at trustwave.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] SWAN leases runtime API

Hi Noel,

>>> - Can we assure multiple VPN servers configured to work with the 
>>> same pool in common DB will assign unique virtual IPs?
>> Yes, if they use the same DB the leases will be unique.
> 
> I just had a quick look at the code of the attr-sql plugin.
> The attr-sql plugin seems to close all online leases when it gets loaded[1].

Thanks for noticing that.

> Tobias, can you elaborate on what the code does exactly (I know Martin wrote the code)?

As the comment indicates it intends to release any online leases in case of a crash of the daemon.  When an SA is properly terminated the addresses are released (and if lease_history is enabled recorded) but that won't happen if the daemon crashes.  I guess we could make that cleanup optional in order to enable sharing the DB.  I pushed that to the attr-sql-cleanup branch.

Regards,
Tobias
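To make the failure mode Tobias describes concrete, here is an added illustration (not strongSwan's or the attr-sql plugin's own code): two gateways share one address pool in a common database, and the second gateway's unconditional startup cleanup marks the first gateway's still-active lease as released, so the same virtual IP can be handed out twice and a lookup by virtual IP returns the wrong identity. The table layout, the daemon class and the `cleanup_on_start` switch are a simplified model constructed for this example, not the real attr-sql schema or option.

```python
import sqlite3


def open_shared_db():
    """Constructed in-memory stand-in for the shared pool database.
    Column names are a simplified model, not the real attr-sql schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE addresses ("
        " address TEXT PRIMARY KEY,"
        " identity TEXT,"
        " online INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO addresses (address) VALUES (?)",
        [("10.0.0.1",), ("10.0.0.2",), ("10.0.0.3",)],
    )
    conn.commit()
    return conn


class Daemon:
    """Minimal model of one VPN gateway using the shared pool."""

    def __init__(self, name, conn, cleanup_on_start):
        self.name = name
        self.conn = conn
        if cleanup_on_start:
            # Models the plugin's startup cleanup: every online lease is
            # treated as left over from a crash and released, even if it
            # belongs to another gateway that is still running.
            conn.execute(
                "UPDATE addresses SET online = 0, identity = NULL WHERE online = 1"
            )
            conn.commit()

    def acquire(self, identity):
        """Hand out the lowest free address to `identity`, or None if the pool is empty."""
        row = self.conn.execute(
            "SELECT address FROM addresses WHERE online = 0 ORDER BY address LIMIT 1"
        ).fetchone()
        if row is None:
            return None
        self.conn.execute(
            "UPDATE addresses SET online = 1, identity = ? WHERE address = ?",
            (identity, row[0]),
        )
        self.conn.commit()
        return row[0]

    def release(self, address):
        """Normal SA termination: the address goes back to the pool."""
        self.conn.execute(
            "UPDATE addresses SET online = 0, identity = NULL WHERE address = ?",
            (address,),
        )
        self.conn.commit()


def identity_for(conn, address):
    """The lookup the thread asks about: which identity currently holds this virtual IP?"""
    row = conn.execute(
        "SELECT identity FROM addresses WHERE address = ? AND online = 1", (address,)
    ).fetchone()
    return row[0] if row else None


def online_leases(conn):
    return dict(conn.execute("SELECT address, identity FROM addresses WHERE online = 1"))


def scenario(cleanup_on_start):
    """Gateway A assigns an address, then gateway B boots while A's SA is still up."""
    conn = open_shared_db()
    gw_a = Daemon("vpn-a", conn, cleanup_on_start)
    carol_ip = gw_a.acquire("carol")          # carol's SA stays up on vpn-a
    gw_b = Daemon("vpn-b", conn, cleanup_on_start)  # second gateway starts
    dave_ip = gw_b.acquire("dave")
    return carol_ip, dave_ip, online_leases(conn)


if __name__ == "__main__":
    for flag in (True, False):
        carol_ip, dave_ip, leases = scenario(flag)
        print(f"cleanup_on_start={flag}: carol={carol_ip} dave={dave_ip} online={leases}")
```

With the cleanup enabled both clients end up on 10.0.0.1 and the lookup for that address reports "dave" although carol's tunnel is still up; with the cleanup disabled, as the attr-sql-cleanup branch proposes to allow, each gateway gets a distinct address and the lookup by virtual IP stays accurate for as long as the lease is online.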


