[strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Chinmaya Dwibedy
Hi,

I want to get rid of the strongswan.conf file (which is installed in the /etc
directory). Instead I want to set the values programmatically. I have removed
/etc/strongswan.conf, which is read by libstrongswan during library
initialization. Furthermore, I have written a set_strongswan_conf_options()
function to set a few strongSwan configuration options and then invoke
Charon. The library is getting initialized and Charon is getting started up. But
there is no charon.log file is created at /var/log/. Can anyone please suggest what
might be wrong? Thank you in advance for your support and help.

#include <library.h>   /* libstrongswan: library_init(), lib->settings, bool */
#include <stdlib.h>    /* system() */
#include <unistd.h>    /* usleep() */

#define IPSEC_DEBUG_LEVEL 3

bool set_strongswan_conf_options(char *logfile)
{
    if (!library_init(NULL, "cli"))
    {
        library_deinit();
        return FALSE;
    }
    lib->settings->set_str(lib->settings, "charon.filelog.%s", logfile);
    lib->settings->set_str(lib->settings, "charon.filelog.%s.time_format",
                           "%b %e %T", logfile);
    lib->settings->set_bool(lib->settings, "charon.filelog.%s.append",
                            FALSE, logfile);
    lib->settings->set_bool(lib->settings, "charon.filelog.%s.flush_line",
                            TRUE, logfile);
    lib->settings->set_int(lib->settings, "charon.filelog.%s.default",
                           IPSEC_DEBUG_LEVEL, logfile);
    return TRUE;
}

bool StartCharon(void)
{
    bool ret = TRUE;
    char *lfile = "/var/log/charon.log";

    set_strongswan_conf_options(lfile);
    system("starter --daemon charon");
    usleep(50);
    return ret;
}

Regards,
Chinmaya
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Martin Willi
Hi,

>    set_strongswan_conf_options(lfile);
>    system("starter --daemon charon");

You can't set options in the current process, and then expect that these
options get inherited to a child process spawned using system() or any
exec*() function.

If you want to set strongswan.conf options programmatically, you'll have
to do that early in the process you want to control, for example in
charon's main(). Some libcharon-based programs already do that, for
example charon-xpc under src/frontends/osx.

Regards
Martin



Re: [strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Chinmaya Dwibedy

Thank you Martin for your valuable response. Let me go through the charon-xpc
under src/frontends/osx.



Re: [strongSwan] Can StrongSwan support Multicast Dissemination Protocol (MDP) ?

2015-04-22 Thread Martin Willi
Hi,

> Please can you advise whether strongSwan can support Multicast
> Dissemination Protocol (MDP)?

strongSwan does not provide any form of explicit support for that
protocol. It is possible that you can use strongSwan as a building block to
secure MDP traffic, but I have no experience with that.

Regards
Martin


Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-22 Thread Stephen Feyrer

Hi,

I would just like to say thank you to everyone.  As a point of irony, I learned
yesterday that today the office network is being upgraded and the current
VPN will no longer work.


Thank you for your help, I'm sorry I can report back a solution.  I wish  
you all the best.



--
Kind regards

Stephen Feyrer.





On Mon, 20 Apr 2015 12:02:36 +0100, Noel Kuntze n...@familie-kuntze.de  
wrote:




Hello Stephen,

Your original configuration looks like l2tp/IPsec.
Your configuration was correct for that purpose.
Where this is going right now, is a general roadwarrior configuration  
for IKEv1.

Please check what is actually configured on the IOS device, so
we can solve this quickly.

Kind regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.04.2015 at 11:01, Stephen Feyrer wrote:

Hi Miroslav,

Thank you.

We've made progress.  I haven't included any of the log file as it
is very verbose (24488 lines for ipsec up, statusall, down).  Please
let me know which sections to look at and I'll grab those.


As you can see below, the transaction request seems to be very
laboured but does result in a success statement.  Following that I have
tried to test with openl2tp to create the l2tp ppp tunnel.  Openl2tp
seems to create this tunnel but ifconfig does not show any ppp interfaces.


The left/rightprotoport lines in the conn do not seem to affect the
outcome whether included or not.  The charondebug line, when uncommented,
prevents any output and I suspect that the syntax is wrong there.




code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    #charondebug=ike 3, cfg 3, app 3, chd 3, dmn 3, net 3

conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=tunnel
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%any
    leftsourceip=%config
    #leftprotoport=udp/l2tp
    right=vpn.office.com
    #rightprotoport=udp/l2tp
    rightid=17.11.7.5
    rightsubnet=0.0.0.0/0
    auto=add


# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between  
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC  
U_LOCALLAN) ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 1 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 2 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 3 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
sending keep alive to 17.11.7.5[4500]
sending retransmit 4 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[1]
deleting IKE_SA VPN-OFFICE-COM[1] between  
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]

initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
connection 'VPN-OFFICE-COM' established successfully


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo,  
x86_64):

uptime: 112 seconds, since Apr 20