
I am able to use python3-vici in the global namespace. Suppose I want to route it through a particular namespace, say /var/run/x/x/vpn; how do I do that? I have charon.ctl, charon.pid, ipsec.conf, ipsec.d, starter.charon.pid, strongswan.conf files in the vpn folder but not charon.vici. I tried installing vici in the namespace, but I don't see a charon.vici file there. Anything I'm missing here?

Another thing: I'm not able to map the certificates I have loaded using vici.Session().load_cert() with a particular connection. Using a 'cert' attribute in a connection dictionary inside 'local' throws an error like:

vici.exception.CommandException: Command failed: b'unknown option: certs, config discarded'

Although if you load the connection using swanctl.conf and then retrieve information using vici, you can see the cert field being populated on doing a list_conns().

KungFuPanda
  • How did you get charon.ctl (from the legacy _stroke_ plugin) there? Do it the same way for the _vici_ plugin and its socket. Note that what you get back via VICI basically never matches what you have to configure. Refer to the swanctl.conf documentation for the latter and VICI's README.md for the former. Also, you don't usually _map_ certificates loaded via `load_cert()` to connections. Either you load them with the connections in the first place, or you use identities to tie certificates loaded individually to specific connections. – ecdsa May 07 '20 at 12:48
  • What do you mean by load certificates with the connections? Like, load connections and load_cert() in one go, you mean? – KungFuPanda May 08 '20 at 05:17
  • Another question: How do you map a loaded pool with a connection using vici? In swanctl.conf, we have a 'pools' attribute; I don't find any such thing in vici. – KungFuPanda May 08 '20 at 06:02
  • And how do you load proposals (ah, esp) in child? – KungFuPanda May 08 '20 at 07:03
  • No, as part of the connection (with `load-conn()` in a _local_ or _remote_ section, again refer to the [swanctl.conf docs](https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf) for details). Pools and proposals are exactly the same in VICI. As documented in [README.md](https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md), what you pass to `load-conn()` is just a connection section as in swanctl.conf (only certificates, if passed via _ca/certs_, are a bit special as they are passed as binary blobs, not paths). – ecdsa May 08 '20 at 09:22
  • 1. Yes, we can add certs in the local section in swanctl.conf, but my use-case is to avoid swanctl.conf and do everything using python3-vici functions. And I don't see a certs field available for vici conn. 2. I'm still not clear on pools mapping to a particular conn and proposal provision. – KungFuPanda May 08 '20 at 09:58
  • `swanctl` is just a VICI client. Everything you can configure in swanctl.conf you can directly via VICI. For instance, in the Python bindings, just prepare a (nested) dict that's basically structured like a sub-section of _connections_ in swanctl.conf and pass it to `load_conn()`. – ecdsa May 08 '20 at 10:07
  • Yes, I have tried doing that exact thing, but 'certs', 'pools', 'proposals' in the nested dict passed to load_conn() are throwing errors just like the above in my question. `rwdict = { "rw-eap1": { "version": "2", "local_addrs": [ "10.54.22.240" ], "local" : { "auth" : "eap-tls", "id" : "myname@uix.com", "certs": 'new.pem' }, "remote": { "auth": "eap-tls" }, "children": { "net": { "local_ts" : ["10.54.21.240/24"] } } } }` – KungFuPanda May 08 '20 at 12:47
  • First, _certs_ takes a list of certificates (i.e. use `[]`). And as I said above, certificates are not passed as strings, but binary blobs (i.e. use the contents of that file there, not its name). You could pass absolute paths, but you have to do so in a _cert_ section (again, refer to the swanctl.conf docs for details). – ecdsa May 08 '20 at 15:13
  • Using a list [] in the certs field worked, thanks a lot! The same goes with 'pools' and 'proposals'. Although, when I define a pool like `load_pool({'abc': {'addrs': '10.3.0.0/16', 'dns': ['8.8.8.8']}})` and I try to mention the name of the pool in the load_conn dict like `"pools": ['abc']`, it doesn't throw any error while loading but poses a problem when establishing connections. Do you know any other way I can specify the pool_name in the conn dict just the way we do in swanctl.conf? – KungFuPanda May 09 '20 at 14:22
  • Also, when I want to initiate a site-site connection using vici, I do: `initiate({'child': 'net-to-net', 'ike': 'my-site-site'})`, where 'net-to-net' is defined as `'children': {'net-to-net': {'local_ts': ['10.54.21.0/24'], 'remote_ts': ['10.54.25.0/24']}}` within the 'my-site-site' conn dict. The connection doesn't get initiated this way. But when I do a 'swanctl -i -c net-to-net', it works perfectly fine. Am I missing something here? – KungFuPanda May 11 '20 at 07:34
  • Maybe the IKE connection name is wrong. Read the logs (also goes for the problem above with the pool). – ecdsa May 11 '20 at 07:42
  • Nope, I rechecked the name, it's alright. Also, according to this solution here: https://www.xinux.net/index.php/Vici_python_example , it expects an 'active_connection'? Shouldn't an active connection be available after an initiation? And I don't see any logs when doing an initiate() – KungFuPanda May 11 '20 at 08:20
  • You might want to increase the log level for _cfg_ to 2 for more log messages. – ecdsa May 11 '20 at 09:25
  • I did that and also increased logging for CHD, I still don't see any logs when I do a sess.initiate(), but I see logs when doing a 'swanctl -i -c '. Seems strange to me. Also, in the above comment's link, they're running a .next() function which is not available in the latest python3-vici, but close() and other functions are available. – KungFuPanda May 11 '20 at 12:04
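The points raised in the comments above (a non-default VICI socket path, `certs` as a list of binary blobs inside `local`, `pools` and `proposals` placed in the connection dict exactly as in swanctl.conf, and `initiate()` being a generator that only sends the request once it is iterated) pulled together in one script. This is an added example for this thread, not code from the question, the answerers, or the strongSwan project. It assumes python3-vici is installed, that charon's vici plugin is loaded with its socket configured (via `charon.plugins.vici.socket` in strongswan.conf) at the placeholder path `/var/run/x/x/vpn/charon.vici`, and that the certificate, identities and addresses are placeholders; the local `auth = pubkey` / remote `auth = eap-tls` split is an assumed server-side layout, not the question's.

```python
"""python3-vici without swanctl.conf: custom socket path, certs as blobs,
pools and proposals inside the connection dict, and a driven initiate().

Added example for this thread (not from the question or strongSwan).
Assumptions: python3-vici is installed; the vici socket path below is a
placeholder; SAMPLE_CERT is a constructed stand-in for a real PEM file.
"""
import socket

SOCKET_PATH = "/var/run/x/x/vpn/charon.vici"   # placeholder path (assumption)

# Constructed stand-in for a PEM certificate; a real run uses read_cert_blob().
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"MIIB...constructed-placeholder...\n"
               b"-----END CERTIFICATE-----\n")


def open_session(path=SOCKET_PATH):
    """vici.Session() defaults to /var/run/charon.vici; to talk to a socket at
    any other path, connect an AF_UNIX socket yourself and hand it over."""
    import vici  # imported here so the pure helpers below work without it
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)
    return vici.Session(sock)


def read_cert_blob(path):
    """VICI wants the certificate *contents* as bytes, not the file name."""
    with open(path, "rb") as f:
        return f.read()


def build_pool(name, addrs, dns=()):
    """Same shape as 'pools { <name> { addrs = ...; dns = ... } }'."""
    pool = {"addrs": addrs}
    if dns:
        pool["dns"] = list(dns)
    return {name: pool}


def build_conn(name, local_addr, local_id, cert_blobs, pool_name, child_name,
               local_ts, remote_ts, esp_proposals=("aes256-sha256-modp2048",)):
    """Same shape as a 'connections { <name> { ... } }' section in swanctl.conf:
    nested dicts for sections, Python lists for list values, str/bytes leaves."""
    return {
        name: {
            "version": "2",
            "local_addrs": [local_addr],
            "proposals": ["aes256-sha256-modp2048"],  # IKE proposals
            "pools": [pool_name],                      # pool referenced by name
            "local": {
                "auth": "pubkey",                      # assumed server-side layout
                "id": local_id,
                "certs": list(cert_blobs),             # list of binary blobs
            },
            "remote": {"auth": "eap-tls"},
            "children": {
                child_name: {
                    "local_ts": list(local_ts),
                    "remote_ts": list(remote_ts),
                    "esp_proposals": list(esp_proposals),  # child (ESP) proposals
                }
            },
        }
    }


def check_conn(conn):
    """Catch the two mistakes from the thread before charon rejects the config:
    'certs' must be a list, and every entry must be bytes (file contents)."""
    for name, section in conn.items():
        for side in ("local", "remote"):
            certs = section.get(side, {}).get("certs")
            if certs is None:
                continue
            if not isinstance(certs, list) or not all(isinstance(c, bytes) for c in certs):
                raise TypeError(f"{name}/{side}/certs must be a list of bytes, got {certs!r}")
    return True


def initiate_child(session, ike_name, child_name, timeout_s=10):
    """initiate() returns a generator; the request is only sent when it is
    iterated, which is why a bare session.initiate(...) shows no log output.
    Returns the streamed control-log messages so the caller can inspect them."""
    logs = []
    for msg in session.initiate({"ike": ike_name, "child": child_name,
                                 "timeout": str(timeout_s * 1000),  # milliseconds
                                 "loglevel": "2"}):
        logs.append(msg)
    return logs


if __name__ == "__main__":
    pool = build_pool("abc", "10.3.0.0/16", dns=["8.8.8.8"])
    conn = build_conn("rw-eap1", "10.54.22.240", "myname@uix.com", [SAMPLE_CERT],
                      "abc", "net", ["10.54.21.0/24"], ["10.54.25.0/24"])
    check_conn(conn)
    s = open_session()
    s.load_pool(pool)          # load the pool first, the conn refers to it by name
    s.load_conn(conn)
    for line in initiate_child(s, "rw-eap1", "net"):
        print(line)
```

Run with the real PEM by replacing `SAMPLE_CERT` with `read_cert_blob("/path/to/new.pem")`; the dict you hand to `load_conn()` then contains the certificate bytes, and `check_conn()` refuses the `'certs': 'new.pem'` string form that produced the "unknown option" failure in the question.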

0 Answers