bronze1man / gostrongswanvici
A golang implementation of a strongswan vici plugin client.
License: MIT License
How do we set revocation policy i.e. strict, relaxed, ifuri as mentioned in (https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote) using goStrongswanVici?
I am able to initiate tunnels in psk mode as well as in cert mode. I am able to see the xfrm state changing but no policy getting added to the xfrm policy. Can you please help me with the same?
While fetching a list of connections and SAs from the kernel, some of the functions are returning maps which are keyed/indexed by name. But in the kernel it is possible to have multiple connections with the same name.
Since this library is already being used by many others, it's not a good idea to break the API. Maybe in a later version this functionality can be changed.
To overcome this limitation, we have modified the readMap function to be able to handle duplicate keys: rancher@c0828c2. This has worked out well for us; the code has been tested multiple times and is also being used in production environments.
For the benefit of others, I can submit the above patch as a PR.
What do you think @bronze1man?
Hi Team,
Thanks for having golang vici support, I am using it and it works great. However, sometimes I see that load connection fails saying "error loading connection": "unsuccessful LoadConn: "
Any clue on this issue? Did anyone face this while using the APIs? I believe this can be seen if the response from strongswan is delayed or the read thread exited. Any thoughts and guidance on this issue will help.
Thanks,
Naveen
Hi @bronze1man,
I am trying to implement some additional functions that I need. I have successfully implemented a load-shared() but am having trouble implementing a load-conn(). I am hoping you can guide me in the right direction.
For load-conn() there isn't any clear definition of the fields required on the vici github page https://github.com/strongswan/strongswan/tree/master/src/libcharon/plugins/vici and I followed the field names listed in the list-conn() section.
Here are the structs I have defined.
type IKEConf struct {
	Local_addrs  []string               `json:"local_addrs"`
	Remote_addrs []string               `json:"remote_addrs"`
	Version      string                 `json:"version"`
	Children     map[string]ChildSAConf `json:"children"` // key is the childSAConfig name
	Local        map[string]AuthConf    `json:"local"`
	Remote       map[string]AuthConf    `json:"remote"`
}
type ChildSAConf struct {
	Mode      string   `json:"mode"`
	Local_ts  []string `json:"local-ts"`
	Remote_ts []string `json:"remote-ts"`
}
type AuthConf struct {
	AuthMethod string `json:"class"` // e.g. psk
}
And here is the load-conn function.
func (c *ClientConn) LoadConn(conf *IKEConf) error {
	requestMap := &map[string]interface{}{}
	err := ConvertToGeneral(conf, requestMap)
	fmt.Printf("requestMap: %+v \n ", requestMap)
	if err != nil {
		return fmt.Errorf("error creating request: %v", err)
	}
	msg, err := c.Request("load-conn", *requestMap)
	if err != nil {
		// transport or decode failure: msg is not usable, so report the error itself
		return fmt.Errorf("load-conn request failed: %v", err)
	}
	if msg["success"] != "yes" {
		return fmt.Errorf("unsuccessful LoadConn: %v", msg["success"])
	}
	fmt.Printf("Msg[success]: %v", msg["success"])
	return nil
}
Here is the main:
package main

import (
	"fmt"

	"github.com/bronze1man/goStrongswanVici"
)

func main() {
	client, err := goStrongswanVici.NewClientConnFromDefaultSocket()
	if err != nil {
		panic(err)
	}
	defer client.Close()
	// get strongswan version
	v, err := client.Version()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%#v\n", v)
	fmt.Printf("------------------------------------------------------------------- \n\n")
	childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
	childSAConf := goStrongswanVici.ChildSAConf{
		Local_ts:  []string{"10.10.20.0/24"},
		Remote_ts: []string{"10.10.30.0/24"},
		Mode:      "tunnel",
	}
	childConfMap["child-sa-config-tmp"] = childSAConf
	localAuthMap := make(map[string]goStrongswanVici.AuthConf)
	localAuthConf := goStrongswanVici.AuthConf{
		AuthMethod: "psk",
	}
	localAuthMap[""] = localAuthConf
	remoteAuthMap := make(map[string]goStrongswanVici.AuthConf)
	remoteAuthConf := goStrongswanVici.AuthConf{
		AuthMethod: "psk",
	}
	remoteAuthMap[""] = remoteAuthConf
	ikeConf := &goStrongswanVici.IKEConf{
		Local_addrs:  []string{"192.168.198.1"},
		Remote_addrs: []string{"192.168.198.20"},
		Version:      "1",
		Local:        localAuthMap,
		Remote:       remoteAuthMap,
		Children:     childConfMap,
	}
	err = client.LoadConn(ikeConf)
	if err != nil {
		fmt.Printf("error loading connection: %v\n", err)
		panic(err)
	}
}
Error message I get is:
request goStrongswanVici.segment{typ:0x1, name:"", msg:map[string]interface {}{"success":"no", "errmsg":"invalid section: child-sa-config-tmp"}}
Any suggestions on what may be going wrong? I appreciate your help and can submit a PR for review if that helps.
dial unix /var/run/charon.vici: connection refused. Since socket activation is not supported with charon, we should retry.
Is there any function to add a new username and password or remove user via goStrongswanVici? (ipsec.secrets)
Hi,
Is there a reason why you have not added the certs field to the AuthConf struct?
type AuthConf struct {
	ID         string   `json:"id"`
	Round      string   `json:"round,omitempty"`
	AuthMethod string   `json:"auth"`           // (psk|pubkey)
	EAP_ID     string   `json:"eap_id,omitempty"`
	PubKeys    []string `json:"pubkeys,omitempty"` // PEM encoded public keys
}
Best regards
Alex
Hey, is this what is used in X-VPN (are you one of the developers of it). If not, how may I contact you about your projects?
Hi,
While using the module with "-race" I got a race condition error on c.lastError.
The use case is as follows:
Because of the error condition (charon down, no unix socket anymore), readThread() gets an error in readSegment() and tries to set c.lastError,
but the connection is owned by another goroutine, which runs the poll on Stat(), which uses readResponse() to get segments from readThread() using a responseChan channel.
So the readThread goroutine does
outMsg, err := readSegment(c.conn)
if err != nil {
	c.lastError = err // <=== write c.lastError
	return
}
and the user goroutine does
outMsg := c.readResponse()
if c.lastError != nil { // <=== read c.lastError
	return nil, c.lastError
}
As stated in https://blog.golang.org/share-memory-by-communicating:
Do not communicate by sharing memory; instead, share memory by communicating.
We should use a chan error to communicate the error to the owner of the client connection
and use that to set c.LastError.
I'm currently preparing a patch to do this.
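A constructed sketch of the channel-based fix described in this post, added here as an example and not the library's code: readThread publishes decoded segments and its terminal error on channels, and only the goroutine that owns the connection assigns lastError, so there is no concurrent write for -race to report. The names conn, readThread, readResponse and responseChan mirror the post; segments are plain strings and the transport is any io.Reader, both assumptions for the example.

```go
package main

import "io"

// Constructed sketch of the proposed fix (not goStrongswanVici's code): readThread never
// writes a field the owner goroutine reads; segments and the terminal error travel over
// channels, and only the owner goroutine sets lastError.
type conn struct {
	responseChan chan string // one decoded segment per message (a string here)
	errChan      chan error  // reader's terminal error; buffered so the reader never blocks
	lastError    error       // touched only by the goroutine that calls readResponse
}
func newConn(r io.Reader) *conn {
	c := &conn{responseChan: make(chan string), errChan: make(chan error, 1)}
	go c.readThread(r)
	return c
}
// readThread is the only goroutine touching the transport; on a read error
// (charon gone, socket closed) it queues the error and exits.
func (c *conn) readThread(r io.Reader) {
	defer close(c.responseChan) // runs after the error is queued
	buf := make([]byte, 64)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			c.responseChan <- string(buf[:n])
		}
		if err != nil {
			c.errChan <- err
			return
		}
	}
}

// readResponse runs in the owner goroutine (the one polling Stat()).
func (c *conn) readResponse() (string, error) {
	if c.lastError != nil {
		return "", c.lastError // sticky, so later calls never block
	}
	select {
	case seg, ok := <-c.responseChan:
		if ok {
			return seg, nil
		}
		c.lastError = <-c.errChan // channel closed: the error is already queued
	case err := <-c.errChan:
		c.lastError = err
	}
	return "", c.lastError
}
```

With a strings.Reader as the transport the first call returns the segment and every later call returns io.EOF, the same way a closed charon socket would surface as one sticky error.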
Hey,
I see you wrote that it's no longer maintained; I'd be happy to take over and manage this repo.
I've contributed in the past, and my peers as well.