Interface library for strongSwan SQL backend.
Interface library and companion CLI tool to configure strongSwan IPsec over MySQL backend
strongswan-sql
Configuration of StrongSwan SQL backend
This library allows for the manipulation of strongSwan connection configuration stored in a MySQL database in a manner that is compatible with the strongSwan SQL plugin for charon.
- How to use this module:
The strongSwan IPsec package offers the means to store connection configuration in a SQL database. This module offers some facilities to manipulate these config elements from Haskell code in a simplified abstracted way. This library offers two approaches to manipulating strongswan configuration in an SQL database as expected by the SQL plugin. See Managed vs Manual API below.
Managed API Since managing each configuration object per hand and establishing the relationships amongst them can be tricky and demands internal knowledge of the SQL plugin inner workings, a special API is offered in which all configuration parameters are bundled together in a single type (see
IPSecSettings
). The simplified API allows then for writing, reading and deleting these, while behind bars the required elements are created and linked together unbeknownst to the caller. This of course greatly simplifies things /but/ the catch is that the ability to share configuration elements amongst connections is of course lost. Each managed connection configuration gets a separate IKE, Child SA, Peer config etc and no attempt is made to reuse them amongst managed connections.Manual API
The different strongswan configuration elements are mapped to a Haskell type and they can be manually written or read from the SQL database. This offers utmost control in terms of what elements get created and how they are interlinked. So for example one can create a single IKE session configuration to be shared for all connections or have some child SA configurations being shared amongst peers of a given type, etc. The downside of course to this level of control is that it requires for the user of the library to be familiar with the (poorly documented) way in which the plugin expects the relationships to be expressed in terms of entries in the SQL tables etc.
The manual API has been reverse engineered based on the SQL table definitions available here
- Child SA : All configuration parameters related to an IPsec SA.
- IKE Configuration : Configuration applicable to the IKE session (/phase 1/ in IKEv1 parlance).
- Peer Configuration : All elements related to configuration of a peering connection. A peer connection links to a specific IKE configuration (by means of ID), and it is furthermore associated to the Child SA by means of a
Peer2ChildConfig
type. - Traffic Selectors: These are independent values linked to a Child SA by means of a
Child2TSConfig
type.