
gostrongswanvici's People

Contributors

bronze1man, byronwilliams, dudidaabulp81, fregie, goophile, gstroz, ianmcxa, ibuildthecloud, leodotcloud, lucwillems, mangelajo, mohdahmad, ms2scale, oats87, paramesh2014, ranamarp81, sangyun-han, shassard, yafimk


gostrongswanvici's Issues

IP Xfrm Policy

I am able to initiate tunnels in PSK mode as well as in cert mode. I am able to see the xfrm state changing, but no policy is getting added to the xfrm policy. Can you please help me with the same?

Fetching a list of conns, sas is returning a map instead of a slice

While fetching a list of connections and SAs from the kernel, some of the functions return maps which are keyed/indexed by name. But in the kernel it is possible to have multiple connections with the same name.

Since this library is already being used by many others, it's not a good idea to break the API. Maybe in a later version this functionality can be changed.
To overcome this limitation, we have modified the readMap function to be able to handle duplicate keys: rancher@c0828c2. This has worked out well for us; the code has been tested multiple times and is also being used in production environments.

For the benefit of others, I can submit the above patch as a PR.

What do you think @bronze1man?
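The point raised in this issue, as an added example that is not goStrongswanVici's own code: a list decoded straight into map[name]section silently drops every connection but one when charon holds several with the same name. Keeping the decoded (name, section) pairs in arrival order gives callers both the legacy by-name view and a lossless view, and lets them detect when the by-name view is incomplete. The Section, Entry and ConnList names and the sample data are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Section is the generic shape of a decoded vici section (hypothetical alias).
type Section = map[string]interface{}

// Entry is one decoded top-level section, in the order the daemon sent it.
type Entry struct {
	Name    string
	Section Section
}

// ConnList preserves duplicate names; the slice is the lossless view.
type ConnList []Entry

// ByName is the legacy map view: later duplicates overwrite earlier ones,
// which is exactly the information loss the issue describes.
func (l ConnList) ByName() map[string]Section {
	m := make(map[string]Section, len(l))
	for _, e := range l {
		m[e.Name] = e.Section
	}
	return m
}

// Lookup returns every section carrying name, not just the last one.
func (l ConnList) Lookup(name string) []Section {
	var out []Section
	for _, e := range l {
		if e.Name == name {
			out = append(out, e.Section)
		}
	}
	return out
}

// Duplicates reports names that occur more than once, sorted, so a caller
// still relying on ByName can tell that it is looking at a partial picture.
func (l ConnList) Duplicates() []string {
	seen := map[string]int{}
	for _, e := range l {
		seen[e.Name]++
	}
	var dups []string
	for name, n := range seen {
		if n > 1 {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups
}

// SampleList is constructed data standing in for a decoded list-conns stream
// in which "site-a" is configured twice.
func SampleList() ConnList {
	return ConnList{
		{"site-a", Section{"remote_addrs": []string{"192.0.2.10"}}},
		{"site-a", Section{"remote_addrs": []string{"192.0.2.11"}}},
		{"site-b", Section{"remote_addrs": []string{"198.51.100.5"}}},
	}
}

func main() {
	l := SampleList()
	fmt.Printf("decoded %d connections, by-name view has %d\n", len(l), len(l.ByName()))
	fmt.Println("names with duplicates:", l.Duplicates())
	fmt.Println("all sections named site-a:", l.Lookup("site-a"))
}
```

Returning the slice and deriving the map from it keeps the existing map-based callers working while exposing the complete list to new ones.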

loadconnection times out

Hi Team ,

Thanks for adding golang vici support; I am using it and it works great. However, sometimes I see that load connection fails saying "error loading connection": "unsuccessful LoadConn: "

Any clue on this issue? Did anyone face this while using the APIs? I believe this can be seen if the response from strongswan is delayed or the read thread exited. Any thought and guidance on this issue will help.

Thanks,
Naveen

Having trouble implementing load-conn

Hi @bronze1man,

I am trying to implement some additional functions that I need. I have successfully implemented load-shared() but am having trouble implementing load-conn(). I am hoping you can guide me in the right direction.

For load-conn() there isn't any clear definition of the fields required on the vici GitHub page https://github.com/strongswan/strongswan/tree/master/src/libcharon/plugins/vici, so I followed the field names listed in the list-conn() section.

Here are the structs I have defined.

type IKEConf struct {
    Local_addrs  []string               `json:"local_addrs"`
    Remote_addrs []string               `json:"remote_addrs"`
    Version      string                 `json:"version"`
    Children     map[string]ChildSAConf `json:"children"` // keyed by the childSAConfig name
    Local        map[string]AuthConf    `json:"local"`
    Remote       map[string]AuthConf    `json:"remote"`
}

type ChildSAConf struct {
    Mode      string   `json:"mode"`
    Local_ts  []string `json:"local-ts"`
    Remote_ts []string `json:"remote-ts"`
}

type AuthConf struct {
    AuthMethod string `json:"class"` // psk
}

And here is the load-conn function.

func (c *ClientConn) LoadConn(conf *IKEConf) error {
    requestMap := &map[string]interface{}{}

    // convert the typed config into the generic map the vici request needs
    err := ConvertToGeneral(conf, requestMap)
    if err != nil {
        return fmt.Errorf("error creating request: %v", err)
    }
    fmt.Printf("requestMap: %+v \n ", *requestMap)

    msg, err := c.Request("load-conn", *requestMap)
    if err != nil {
        // the request itself failed (socket error, no response); msg is unusable here
        return fmt.Errorf("load-conn request failed: %v", err)
    }
    if msg["success"] != "yes" {
        return fmt.Errorf("unsuccessful LoadConn: %v (%v)", msg["success"], msg["errmsg"])
    }

    fmt.Printf("Msg[success]: %v", msg["success"])
    return nil
}

Here is the main:

package main

import (
    "fmt"

    "github.com/bronze1man/goStrongswanVici"
)

func main() {
    client, err := goStrongswanVici.NewClientConnFromDefaultSocket()
    if err != nil {
        panic(err)
    }
    defer client.Close()

    // get strongswan version
    v, err := client.Version()
    if err != nil {
        panic(err)
    }
    fmt.Printf("%#v\n", v)

    fmt.Printf("------------------------------------------------------------------- \n\n")

    childConfMap := make(map[string]goStrongswanVici.ChildSAConf)
    childConfMap["child-sa-config-tmp"] = goStrongswanVici.ChildSAConf{
        Local_ts:  []string{"10.10.20.0/24"},
        Remote_ts: []string{"10.10.30.0/24"},
        Mode:      "tunnel",
    }

    localAuthMap := make(map[string]goStrongswanVici.AuthConf)
    localAuthMap[""] = goStrongswanVici.AuthConf{
        AuthMethod: "psk",
    }

    remoteAuthMap := make(map[string]goStrongswanVici.AuthConf)
    remoteAuthMap[""] = goStrongswanVici.AuthConf{
        AuthMethod: "psk",
    }

    ikeConf := &goStrongswanVici.IKEConf{
        Local_addrs:  []string{"192.168.198.1"},
        Remote_addrs: []string{"192.168.198.20"},
        Version:      "1",
        Local:        localAuthMap,
        Remote:       remoteAuthMap,
        Children:     childConfMap,
    }

    err = client.LoadConn(ikeConf)
    if err != nil {
        fmt.Printf("error loading connection: %v\n", err)
        panic(err)
    }
}

Error message I get is:
request goStrongswanVici.segment{typ:0x1, name:"", msg:map[string]interface {}{"success":"no", "errmsg":"invalid section: child-sa-config-tmp"}}

Any suggestions on what may be going wrong? I appreciate your help and can submit a PR for review if that helps.
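The request layout behind the "invalid section" reply, as an added example that is not goStrongswanVici's own code. The vici README documents load-conn as { <IKE_SA config name> = { local_addrs = [...], ..., children = { <CHILD_SA config name> = {...} } } }, so the outermost key of the request must be the connection name and the only sections permitted inside a connection are local*, remote* and children. The code below renders a config in that shape and checks a request against those rules before it is sent; the Section, IKEConf, ChildConf and AuthConf names are hypothetical stand-ins for the structs in the issue, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Section is the shape of a vici message: values are string, []string or Section.
type Section = map[string]interface{}

// ChildConf, AuthConf and IKEConf are hypothetical stand-ins for the issue's structs.
type ChildConf struct {
	Mode     string
	LocalTS  []string
	RemoteTS []string
}

type AuthConf struct {
	Auth string // authentication method, e.g. "psk"
}

type IKEConf struct {
	LocalAddrs  []string
	RemoteAddrs []string
	Version     string
	Local       AuthConf
	Remote      AuthConf
	Children    map[string]ChildConf
}

// ConnSection renders conf as one connection section, using the key names
// from the README's load-conn description.
func ConnSection(conf IKEConf) Section {
	children := Section{}
	for name, c := range conf.Children {
		children[name] = Section{"mode": c.Mode, "local_ts": c.LocalTS, "remote_ts": c.RemoteTS}
	}
	return Section{
		"local_addrs":  conf.LocalAddrs,
		"remote_addrs": conf.RemoteAddrs,
		"version":      conf.Version,
		"local":        Section{"auth": conf.Local.Auth},
		"remote":       Section{"auth": conf.Remote.Auth},
		"children":     children,
	}
}

// BuildLoadConnRequest wraps the connection section under its name, which is
// the layout load-conn expects. Sending ConnSection(conf) on its own makes the
// daemon treat "children" as a connection name.
func BuildLoadConnRequest(name string, conf IKEConf) Section {
	return Section{name: ConnSection(conf)}
}

// CheckLoadConnRequest applies the README layout client-side: every top-level
// entry must be a connection section, and sub-sections of a connection must be
// local*, remote* or children. Keys are visited in sorted order so the first
// reported problem is deterministic.
func CheckLoadConnRequest(req Section) error {
	for _, connName := range sortedKeys(req) {
		conn, ok := req[connName].(Section)
		if !ok {
			return fmt.Errorf("top-level key %q is not a connection section", connName)
		}
		for _, key := range sortedKeys(conn) {
			if _, isSection := conn[key].(Section); !isSection {
				continue
			}
			if key != "children" && !strings.HasPrefix(key, "local") && !strings.HasPrefix(key, "remote") {
				return fmt.Errorf("connection %q: invalid section: %s", connName, key)
			}
		}
	}
	return nil
}

func sortedKeys(s Section) []string {
	keys := make([]string, 0, len(s))
	for k := range s {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SampleConf mirrors the values used in the issue (constructed sample data).
func SampleConf() IKEConf {
	return IKEConf{
		LocalAddrs:  []string{"192.168.198.1"},
		RemoteAddrs: []string{"192.168.198.20"},
		Version:     "1",
		Local:       AuthConf{Auth: "psk"},
		Remote:      AuthConf{Auth: "psk"},
		Children: map[string]ChildConf{
			"child-sa-config-tmp": {Mode: "tunnel", LocalTS: []string{"10.10.20.0/24"}, RemoteTS: []string{"10.10.30.0/24"}},
		},
	}
}

func main() {
	conf := SampleConf()
	fmt.Println("flat request: ", CheckLoadConnRequest(ConnSection(conf)))
	fmt.Println("named request:", CheckLoadConnRequest(BuildLoadConnRequest("site-a", conf)))
}
```

Running the check on the unwrapped section reproduces the daemon's complaint about child-sa-config-tmp, because "children" is read as a connection whose only sub-section is the child name; wrapping the same section under a connection name passes.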

Modify ipsec.secrets

Is there any function to add a new username and password or remove user via goStrongswanVici? (ipsec.secrets)

No "certs" field in AuthConf struct

Hi,

is there a reason why you have not added the certs field into the AuthConf struct?

type AuthConf struct {
    ID         string   `json:"id"`
    Round      string   `json:"round,omitempty"`
    AuthMethod string   `json:"auth"` // (psk|pubkey)
    EAP_ID     string   `json:"eap_id,omitempty"`
    PubKeys    []string `json:"pubkeys,omitempty"` // PEM encoded public keys
}

Best regards
Alex

VPN

Hey, is this what is used in X-VPN (are you one of the developers of it). If not, how may I contact you about your projects?

race condition between readThread() error handling and client error handling

hi,

while using the module with "-race" I got a race condition error on c.lastError.
The use case is as follows:

  • start a monitor go function which basically opens a unix socket connection and runs regular c.Stat() calls;
    when this Stat() fails, we know our connection to the charon daemon is lost.
  • while this is running
    • open a new terminal and stop the strongswan service.

because of the error condition (charon down, no unix socket anymore), the readThread() will get an error in readSegment() and tries to set c.lastError.

but the connection is owned by another go routine which runs the poll on Stat(), which uses readResponse to get segments from the readerThread() using a responseChan channel

so the readThread go routine does
    outMsg, err := readSegment(c.conn)
    if err != nil {
        c.lastError = err // <=== write c.lastError
        return
    }

and the user go routine does
    outMsg := c.readResponse()
    if c.lastError != nil { // <==== read c.lastError
        return nil, c.lastError
    }

as stated in https://blog.golang.org/share-memory-by-communicating
Do not communicate by sharing memory; instead, share memory by communicating.

we should use a chan error to communicate the error to the owner of the client connection
and use that to set the c.LastError.

i'm currently preparing a patch to do this.
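The channel-based design the issue proposes, as an added example that is not goStrongswanVici's own code: the reader goroutine never writes lastError; it hands its terminal error to the connection's owner over a buffered error channel, and only the owning goroutine (the one polling Stat() in the issue) stores it. Segments are simulated as newline-delimited lines on an io.Reader, and ErrSocketClosed, errReader and brokenSocket are constructed to emulate the socket disappearing when charon is stopped.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrSocketClosed stands in for the read error seen once charon is stopped
// and the unix socket is gone (constructed for this example).
var ErrSocketClosed = errors.New("read unix socket: connection closed by charon")

type Client struct {
	respCh    chan string // segments from readThread to the owner
	errCh     chan error  // readThread's single terminal error; buffered so the send never blocks
	lastError error       // owner-only: set from errCh, never touched by readThread
}

func NewClient(r io.Reader) *Client {
	c := &Client{
		respCh: make(chan string),
		errCh:  make(chan error, 1),
	}
	go c.readThread(r)
	return c
}

// readThread is the only goroutine reading r. On failure it publishes the
// error on errCh, closes respCh so a blocked owner wakes up, and exits.
func (c *Client) readThread(r io.Reader) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		c.respCh <- sc.Text()
	}
	err := sc.Err()
	if err == nil {
		err = io.EOF // orderly close by the peer
	}
	c.errCh <- err
	close(c.respCh)
}

// ReadResponse runs in the goroutine that owns the client. It yields the next
// segment or the reader's error; once an error has been seen it is sticky,
// so every later call reports the lost connection.
func (c *Client) ReadResponse() (string, error) {
	if c.lastError != nil {
		return "", c.lastError
	}
	select {
	case seg, ok := <-c.respCh:
		if ok {
			return seg, nil
		}
		// respCh is closed only after readThread queued its error on errCh
		c.lastError = <-c.errCh
	case err := <-c.errCh:
		c.lastError = err
	}
	return "", c.lastError
}

// errReader fails on its first Read, like a socket whose peer has gone away.
type errReader struct{}

func (errReader) Read([]byte) (int, error) { return 0, ErrSocketClosed }

// brokenSocket yields the given segments, then fails as a dead socket would.
func brokenSocket(segments ...string) io.Reader {
	return io.MultiReader(strings.NewReader(strings.Join(segments, "\n")+"\n"), errReader{})
}

func main() {
	c := NewClient(brokenSocket("stats: uptime=42", "stats: uptime=43"))
	for {
		seg, err := c.ReadResponse()
		if err != nil {
			fmt.Println("connection to charon lost:", err)
			return
		}
		fmt.Println("segment:", seg)
	}
}
```

Because the only shared state between the two goroutines travels through respCh and errCh, `go test -race` has nothing to flag, and the owner still gets the sticky lastError the current API exposes.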

Maintainer support

Hey,
I see you wrote that it's no longer maintained; I'd be happy to take over and manage this repo.
I've contributed in the past, and my peers as well.
