Strongswan equivalent of openvpn push-peer-info

flyingrhino flyingrhino at orcon.net.nz
Thu Jan 4 05:18:07 CET 2018

Thanks Noel.

BTW, how does the attr/attr-sql plugin work? I tried to configure it and 
A few days ago I sent the email "[strongSwan] Struggling to send custom 
configuration payload between peers" and I quoted the ipsec.conf and 
strongswan.conf files I was using.
I got messages "Dec 29 15:16:37 asus303 charon: 10[CFG] handling (20000) 
attribute failed"

Am I missing something there?


On 2018-01-04 16:10, Noel Kuntze wrote:
> It also relates to the responder.
> You could patch strongSwan to do that.
> On 04.01.2018 03:56, flyingrhino wrote:
>> Thanks Noel for the quick response.
>> I do have a question though -
>>> You do that on the responder side via the attr/attr-sql plugins
>>> (possibly by using `ipsec pool`, too).
>> The initiator has several variables that I need to pass to the 
>> responder at connection time. The variables don't change AFTER 
>> connection, but MAY change AT THE NEXT connection. The responder needs 
>> to do firewall stuff based upon these variables.
>> Does your advice below also relate to the responder - that these 
>> variables are NOT AVAILABLE to the updown script env?
>> Either way, what is your advice on getting the variables to the updown 
>> script?
>> A really dirty solution is the initiator uploads a variables file to 
>> some location and the responder updown script accesses and parses it 
>> for the values. Is there a better way?
>> Thanks.
>>> On the initiator side, you need a plugin for charon to process the
>>> custom attributes. They aren't available
>>> in the updown script.
>>> Kind regards
>>> Noel
>>> On 03.01.2018 22:51, flyingrhino wrote:
>>>> Hi,
>>>> Do we have an equivalent of the --push-peer-info command that 
>>>> openvpn has?
>>>> Of most interest to me is the initiator pushing environment values 
>>>> to the responder when it connects so that I can program the up/down 
>>>> script to act upon this information.
>>>> Here are the useful bits from the openvpn man page:
>>>>   Push additional information about the client to server.
>>>>   UV_<name>=<value> -- client environment variables whose names 
>>>> start with "UV_"
>>>> Thanks.

