On 22.09.2010 17:42, samuel morin wrote:
> Hi,
>
> Until now we have used strongswan 2.8 for our VPN, and we wrote an ipsec.conf
> generator for our config files (we have several hundred tunnels).
>
> Here is an example of a piece of a configuration file:
>
> version 2
> config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         #strictcrlpolicy=yes
>         uniqueids=yes
>
>
> conn %default
>         keyingtries=3
>         keylife=8h
>         ikelifetime=3h
>         authby=rsasig
>         pfs=yes
>
>
> #DEB: ca-AGRIATES-DIJON-02
> ca ca-AGRIATES-DIJON-02
>         cacert=CertifCa.pem
>         crluri=http://crl1.igc.education.fr/agriates.crl
>         crluri2=http://crl2.igc.education.fr/agriates.crl
>         auto=add
> #FIN: ca-AGRIATES-DIJON-02
>
> #DEB:0210017E-01-AGRIATES-DIJON-02
>
> conn C-0210017E-01-0-AGRIATES-DIJON-02
>         rightrsasigkey=%cert
>         leftrsasigkey=%cert
>
>         rightid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=AGRIATES-DIJON-02"
>         right=xxx.xxx.xxx.xxa
>         rightsubnet=172.30.107.224/255.255.255.240
>         rightnexthop=xxx.xxx.xxx.xxb
>         leftid="@/C=fr/O=gouv/OU=education/OU=ac-dijon/CN=0210017E-01"
>         left=yyy.yyy.yyy.yya
>         leftcert=/etc/freeswan/ipsec.d/0210017E-01.pem
>         leftsourceip=10.21.11.1
>         leftsubnet=10.21.11.0/255.255.255.0
>         leftnexthop=yyy.yyy.yyy.yyb
>
>         leftupdown="/etc/freeswan/ipsec_updown_AGRIATES-DIJON-02-0210017E-01-0"
>         lefthostaccess=yes
>
>         ike=aes256-sha2_512-modp8192,aes128-sha2_256-modp2048,aes128-sha-modp2048,aes128-sha2_256-modp1536,aes128-sha-modp1536,3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
>         esp=aes256-sha2_512,aes128-sha2_256,aes128-sha1,3des-md5,3des-sha1
>         pfsgroup=modp2048
>         auto=start
>
> Each school may have 10 tunnels to a central gateway.
>
> Now we need to change our strongswan version (to 4.4) and use the new
> functionality.
> We would like to generate our config in sqlite format (easier to
> generate and to update than a config file). I have a lot of questions
> about this version compared to the old one.
>
> Is it possible, in sqlite mode, to mix IKEv1 and IKEv2 connections?

Currently only the IKEv2 charon daemon allows storing connection definitions
in an SQLite database. You can mix IKEv1 and IKEv2 connections if you define
the IKEv1 ones in ipsec.conf and the IKEv2 ones in the database.

> Is it possible to reproduce the same behaviour that we have had until now,
> using an sqlite database instead of file configuration?
>
> I don't find how to put some parameters like crluri, sourceip.

ca sections containing crluri information currently cannot be stored in a
database yet, but I could have a look if it could be easily done. The
leftsourceip parameter is not needed by the IKEv2 daemon since charon finds
out if one of the gateway's network interfaces belongs to leftsubnet and
automatically adds a source route.

> I don't really understand some columns of tables like the "kind" column in
> the "child_config_traffic_selector" table. How do I use it?

http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql;h=54086643f6ecf47f49d90ed22bf9c3f4266218f0;hb=HEAD#l129
shows an example. Kind can take on the following values:

  TS_LOCAL          = 0
  TS_REMOTE         = 1
  TS_LOCAL_DYNAMIC  = 2
  TS_REMOTE_DYNAMIC = 3

as shown in
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/sql/sql_config.c;h=a47d93f7b1399a98dda65ddc14490525097d9043;hb=HEAD#l49

TS_LOCAL/TS_REMOTE are used with predefined left/rightsubnets and
TS_LOCAL_DYNAMIC/TS_REMOTE_DYNAMIC are used in host mode and might include
the assignment of a virtual IP as shown in this roadwarrior example

http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql;h=d2cd51debf19f6b5406197e38c18fcfb5c14beb9;hb=HEAD#l129

> I saw that in strongswan 4.4.x there were options to manage High
> Availability. I saw how to activate it but not how to use it. Is it
> possible to have some example?
A HOWTO can be found under the link
http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

> Thank you very much for your help
>
> Best regards
>
> samuel

Best regards

Andreas
======================================================================
Andreas Steffen                                   [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
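An added worked example for the "kind" question above (it is not part of the thread and not strongSwan project code): a small generator, in the spirit of the ipsec.conf generator Samuel describes, that turns one tunnel's leftsubnet/rightsubnet (dotted netmask or prefix notation) into traffic_selectors rows and links them to a child config with the kind values TS_LOCAL = 0 / TS_REMOTE = 1 (TS_LOCAL_DYNAMIC = 2 / TS_REMOTE_DYNAMIC = 3 for host mode). The three-table layout and column names are an assumption modelled on the sql plugin's schema; the data.sql linked above is the authoritative reference for the release actually deployed. The traffic-selector type numbers 7 (IPv4 range) and 8 (IPv6 range) are the IKEv2 values from RFC 5996.

```python
"""Generate strongSwan sql-plugin traffic selector rows for a net-to-net tunnel.

Added example, not strongSwan code. Schema below is an ASSUMPTION modelled on
the plugin's tables; verify against the data.sql of your strongSwan release.
"""
import ipaddress
import sqlite3

# kind values of child_config_traffic_selector, as listed in the reply above
TS_LOCAL, TS_REMOTE, TS_LOCAL_DYNAMIC, TS_REMOTE_DYNAMIC = 0, 1, 2, 3

# IKEv2 traffic selector types (RFC 5996 section 3.13.1)
TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8

# Assumed subset of the sql plugin schema (column names are an assumption).
SCHEMA = """
CREATE TABLE child_configs (
  id   INTEGER PRIMARY KEY AUTOINCREMENT,
  name TEXT NOT NULL UNIQUE);
CREATE TABLE traffic_selectors (
  id         INTEGER PRIMARY KEY AUTOINCREMENT,
  type       INTEGER NOT NULL,
  protocol   INTEGER NOT NULL DEFAULT 0,
  start_addr BLOB NOT NULL,
  end_addr   BLOB NOT NULL,
  start_port INTEGER NOT NULL DEFAULT 0,
  end_port   INTEGER NOT NULL DEFAULT 65535);
CREATE TABLE child_config_traffic_selector (
  child_cfg        INTEGER NOT NULL REFERENCES child_configs(id),
  traffic_selector INTEGER NOT NULL REFERENCES traffic_selectors(id),
  kind             INTEGER NOT NULL);
"""


def subnet_to_selector(subnet):
    """Turn '172.30.107.224/255.255.255.240' or '10.21.11.0/24' into the
    (type, start_addr, end_addr) triple stored in traffic_selectors.
    ipsec.conf accepts dotted netmasks, and so does ipaddress.ip_network;
    strict=False tolerates host bits set in the address part."""
    net = ipaddress.ip_network(subnet, strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    return ts_type, net.network_address.packed, net.broadcast_address.packed


def kind_for(side, dynamic=False):
    """Map an ipsec.conf side ('left' = local, 'right' = remote) to kind.
    dynamic=True selects the host-mode variants used for road warriors."""
    if side == "left":
        return TS_LOCAL_DYNAMIC if dynamic else TS_LOCAL
    if side == "right":
        return TS_REMOTE_DYNAMIC if dynamic else TS_REMOTE
    raise ValueError("side must be 'left' or 'right'")


def open_db(path=":memory:"):
    """Create the (assumed) tables in a fresh SQLite database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_child_config(conn, name, leftsubnet, rightsubnet):
    """Insert one child config with a local and a remote selector; return its id."""
    child_id = conn.execute(
        "INSERT INTO child_configs (name) VALUES (?)", (name,)).lastrowid
    for side, subnet in (("left", leftsubnet), ("right", rightsubnet)):
        ts_type, start, end = subnet_to_selector(subnet)
        ts_id = conn.execute(
            "INSERT INTO traffic_selectors (type, start_addr, end_addr) "
            "VALUES (?, ?, ?)", (ts_type, start, end)).lastrowid
        conn.execute(
            "INSERT INTO child_config_traffic_selector "
            "(child_cfg, traffic_selector, kind) VALUES (?, ?, ?)",
            (child_id, ts_id, kind_for(side)))
    conn.commit()
    return child_id


def selectors_of(conn, name):
    """Read back (kind, 'start-end') pairs for a child config, ordered by kind."""
    rows = conn.execute("""
        SELECT l.kind, t.start_addr, t.end_addr
          FROM child_config_traffic_selector l
          JOIN child_configs     c ON c.id = l.child_cfg
          JOIN traffic_selectors t ON t.id = l.traffic_selector
         WHERE c.name = ?
         ORDER BY l.kind""", (name,)).fetchall()
    return [(kind, f"{ipaddress.ip_address(s)}-{ipaddress.ip_address(e)}")
            for kind, s, e in rows]


if __name__ == "__main__":
    # The tunnel from the ipsec.conf excerpt in the original mail
    db = open_db()
    add_child_config(db, "C-0210017E-01-0-AGRIATES-DIJON-02",
                     "10.21.11.0/255.255.255.0", "172.30.107.224/255.255.255.240")
    for kind, rng in selectors_of(db, "C-0210017E-01-0-AGRIATES-DIJON-02"):
        print(kind, rng)
```

Running it against the conn from the mail yields kind 0 for 10.21.11.0-10.21.11.255 and kind 1 for 172.30.107.224-172.30.107.239, i.e. the ranges charon would load for that child config. Pass path="/etc/ipsec.d/ipsec.db" (or wherever the sql plugin is pointed) instead of ":memory:" to write a real database, and drop the CREATE TABLE step if the plugin's own schema is already installed there.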
