]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/plugins/vici/README.md
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
vici: Optionally terminate IKE_SA immediately
[thirdparty/strongswan.git] / src / libcharon / plugins / vici / README.md
1 # The Versatile IKE Control Interface (VICI) protocol #
2
3 The vici _[ˈvitʃi]_ plugin implements the server side of an IPC protocol to
4 configure, monitor and control the IKE daemon charon. It uses request/response
5 and event messages to communicate over a reliable stream based transport.
6
7 ## Transport protocol ##
8
9 To provide the service, the plugin opens a listening socket using a reliable,
10 stream based transport. charon relies on the different stream service
11 abstractions provided by libstrongswan, such as TCP and UNIX sockets.
12
13 A client connects to this service to access functionality. It may send an
14 arbitrary number of packets over the connection before closing it.
15
16 To exchange data, the transport protocol is segmented into byte sequences.
17 Each byte sequence is prefixed by a 32-bit length header in network order,
18 followed by the data. The maximum segment length is currently limited to 512KB
19 of data, and the length field contains the length of the data only, not
20 including the length field itself.
21
22 The order of byte sequences must be strict, byte sequences must arrive in the
23 same order as sent.
24
25 ## Packet layer ##
26
27 Within the byte sequences defined by the transport layer, both the client
28 and the server can exchange packets. The type of packet defines its structure
29 and purpose. The packet type is a 8-bit identifier, and is the first byte
30 in a transport layer byte sequence. The length of the packet is given by the
31 transport layer.
32
33 While a packet type may define the format of the wrapped data freely, currently
34 all types either contain a name, a message or both. The following packet types
35 are currently defined:
36
37 * _CMD_REQUEST = 0_: A named request message
38 * _CMD_RESPONSE = 1_: An unnamed response message for a request
39 * _CMD_UNKNOWN = 2_: An unnamed response if requested command is unknown
40 * _EVENT_REGISTER = 3_: A named event registration request
41 * _EVENT_UNREGISTER = 4_: A named event deregistration request
42 * _EVENT_CONFIRM = 5_: An unnamed response for successful event (de-)registration
43 * _EVENT_UNKNOWN = 6_: A unnamed response if event (de-)registration failed
44 * _EVENT = 7_: A named event message
45
46 For packets having a named type, after the packet type an 8-bit length header
47 of the name follows, indicating the string length in bytes of the name tag, not
48 including the length field itself. The name is an ASCII string that is not
49 null-terminated.
50
51 The rest of the packet forms the exchanged message, the length is determined
52 by the transport byte sequence length, subtracting the packet type and
53 the optional name tag in some messages.
54
55 ### Commands ###
56
57 Commands are currently always requested by the client. The server replies with
58 a response, or with a CMD_UNKNOWN failure message to let the client know
59 that it does not have a handler for such a command. There is no sequence number
60 to associate responses to requests, so only one command can be active at
61 a time on a single connection.
62
63 ### Events ###
64
65 To receive event messages, the client explicitly registers for events by name,
66 and also unregisters if it does not want to receive events of the named kind
67 anymore. The server confirms event registration using EVENT_CONFIRM, or
68 indicates that there is no such event source with EVENT_UNKNOWN.
69
70 Events may get raised at any time while registered, even during an active
71 request command. This mechanism is used to feed continuous data during a request,
72 for example.
73
74 ## Message format ##
75
76 The defined packet types optionally wrap a message with additional data.
77 Messages are currently used in CMD_REQUEST/CMD_RESPONSE, and in EVENT packets.
78 A message uses a hierarchial tree of sections. Each section (or the implicit
79 root section) contains an arbitrary set of key/value pairs, lists and
80 sub-sections. The length of a message is not part of the message itself, but
81 the wrapping layer, usually calculated from the transport byte sequence length.
82
83 The message encoding consists of a sequence of elements. Each element starts
84 with the element type, optionally followed by an element name and/or an element
85 value. Currently the following message element types are defined:
86
87 * _SECTION_START = 1_: Begin a new section having a name
88 * _SECTION_END = 2_: End a previously started section
89 * _KEY_VALUE = 3_: Define a value for a named key in the current section
90 * _LIST_START = 4_: Begin a named list for list items
91 * _LIST_ITEM = 5_: Define an unnamed item value in the current list
92 * _LIST_END = 6_: End a previously started list
93
94 Types are encoded as 8-bit values. Types having a name (SECTION_START,
95 KEY_VALUE and LIST_START) have an ASCII string following the type, which itself
96 uses an 8-bit length header. The string must not be null-terminated, the string
97 length does not include the length field itself.
98
99 Types having a value (KEY_VALUE and LIST_ITEM) have a raw blob sequence,
100 prefixed with a 16-bit network order length. The blob follows the type or the
101 name tag if available, the length defined by the length field does not include
102 the length field itself.
103
104 The interpretation of any value is not defined by the message format; it can
105 take arbitrary blobs. The application may specify types for specific keys, such
106 as strings or integer representations. The vici plugin currently uses
107 non-null terminated strings as values only; numbers get encoded as strings.
108
109 ### Sections ###
110
111 Sections may be opened in the implicit root section, or any previously section.
112 They can be nested to arbitrary levels. A SECTION_END marker always closes
113 the last opened section; SECTION_START and SECTION_END items must be balanced
114 in a valid message.
115
116 ### Key/Values ###
117
118 Key/Value pair elements may appear in the implicit root section or any explicit
119 sub-section at any level. Key names must be unique in the current section, use
120 lists to define multiple values for a key. Key/values may not appear in lists,
121 use a sub-section instead.
122
123 ### Lists ###
124
125 Lists may appear at the same locations as Key/Values, and may not be nested.
126 Only a single list may be opened at the same time, and all lists must be closed
127 in valid messages. After opening a list, only list items may appear before the
128 list closing element. Empty lists are allowed, list items may appear within
129 lists only.
130
131 ### Encoding example ###
132
133 Consider the following structure using pseudo-markup for this example:
134
135 key1 = value1
136 section1 = {
137 sub-section = {
138 key2 = value2
139 }
140 list1 = [ item1, item2 ]
141 }
142
143 The example above reprensents a valid tree structure, that gets encoded as
144 the following C array:
145
146 char msg[] = {
147 /* key1 = value1 */
148 3, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
149 /* section1 */
150 1, 8,'s','e','c','t','i','o','n','1',
151 /* sub-section */
152 1, 11,'s','u','b','-','s','e','c','t','i','o','n',
153 /* key2 = value2 */
154 3, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
155 /* sub-section end */
156 2,
157 /* list1 */
158 4, 5, 'l','i','s','t','1',
159 /* item1 */
160 5, 0,5,'i','t','e','m','1',
161 /* item2 */
162 5, 0,5,'i','t','e','m','2',
163 /* list1 end */
164 6,
165 /* section1 end */
166 2,
167 };
168
169 ## Client-initiated commands ##
170
171 Based on the packet layer, VICI implements commands requested by the client
172 and responded to by the server using named _CMD_REQUEST_ and _CMD_RESPONSE_
173 packets wrapping messages. The request message may contain command arguments,
174 the response message the reply.
175
176 Some commands use response streaming, that is, a request triggers a series of
177 events to consecutively stream data to the client before the response message
178 completes the stream. A client must register for the appropriate event to
179 receive the stream, and unregister after the response has been received.
180
181 The following client issued commands with the appropriate command input and
182 output messages are currently defined:
183
184 ### version() ###
185
186 Returns daemon and system specific version information.
187
188 {} => {
189 daemon = <IKE daemon name>
190 version = <strongSwan version>
191 sysname = <operating system name>
192 release = <operating system release>
193 machine = <hardware identifier>
194 }
195
196 ### stats() ###
197
198 Returns IKE daemon statistics and load information.
199
200 {} => {
201 uptime = {
202 running = <relative uptime in human-readable form>
203 since = <absolute startup time>
204 }
205 workers = {
206 total = <total number of worker threads>
207 idle = <worker threads currently idle>
208 active = {
209 critical = <threads processing "critical" priority jobs>
210 high = <threads processing "high" priority jobs>
211 medium = <threads processing "medium" priority jobs>
212 low = <threads processing "low" priority jobs>
213 }
214 }
215 queues = {
216 critical = <jobs queued with "critical" priority>
217 high = <jobs queued with "high" priority>
218 medium = <jobs queued with "medium" priority>
219 low = <jobs queued with "low" priority>
220 }
221 scheduled = <number of jobs scheduled for timed execution>
222 ikesas = {
223 total = <total number of IKE_SAs active>
224 half-open = <number of IKE_SAs in half-open state>
225 }
226 plugins = [
227 <names of loaded plugins>
228 ]
229 mem = { # available if built with leak-detective or on Windows
230 total = <total heap memory usage in bytes>
231 allocs = <total heap allocation blocks>
232 <heap-name>* = { # on Windows only
233 total = <heap memory usage in bytes by this heap>
234 allocs = <allocated blocks for this heap>
235 }
236 }
237 mallinfo = { # available with mallinfo() support
238 sbrk = <non-mmaped space available>
239 mmap = <mmaped space available>
240 used = <total number of bytes used>
241 free = <available but unused bytes>
242 }
243 }
244
245 ### reload-settings() ###
246
247 Reloads _strongswan.conf_ settings and all plugins supporting configuration
248 reload.
249
250 {} => {
251 success = <yes or no>
252 errmsg = <error string on failure>
253 }
254
255 ### initiate() ###
256
257 Initiates an SA while streaming _control-log_ events.
258
259 {
260 child = <CHILD_SA configuration name to initiate>
261 ike = <optional IKE_SA configuration name to find child under>
262 timeout = <timeout in ms before returning>
263 init-limits = <whether limits may prevent initiating the CHILD_SA>
264 loglevel = <loglevel to issue "control-log" events for>
265 } => {
266 success = <yes or no>
267 errmsg = <error string on failure or timeout>
268 }
269
270 The default timeout of 0 waits indefinitely for a result, and a timeout value
271 of -1 returns a result immediately.
272
273 ### terminate() ###
274
275 Terminates an SA while streaming _control-log_ events.
276
277 {
278 child = <terminate a CHILD_SA by configuration name>
279 ike = <terminate an IKE_SA by configuration name>
280 child-id = <terminate a CHILD_SA by its reqid>
281 ike-id = <terminate an IKE_SA by its unique id>
282 force = <terminate IKE_SA without waiting for proper DELETE, if timeout
283 is given, waits for a response until it is reached>
284 timeout = <timeout in ms before returning, see below>
285 loglevel = <loglevel to issue "control-log" events for>
286 } => {
287 success = <yes or no>
288 matches = <number of matched SAs>
289 terminated = <number of terminated SAs>
290 errmsg = <error string on failure or timeout>
291 }
292
293 The default timeout of 0 waits indefinitely for a result, and a timeout value
294 of -1 returns a result immediately.
295
296 ### rekey() ###
297
298 Initiate the rekeying of an SA.
299
300 {
301 child = <rekey a CHILD_SA by configuration name>
302 ike = <rekey an IKE_SA by configuration name>
303 child-id = <rekey a CHILD_SA by its reqid>
304 ike-id = <rekey an IKE_SA by its unique id>
305 } => {
306 success = <yes or no>
307 matches = <number of matched SAs>
308 errmsg = <error string on failure>
309 }
310
311 ### redirect() ###
312
313 Redirect a client-initiated IKE_SA to another gateway. Only for IKEv2 and if
314 supported by the peer.
315
316 {
317 ike = <redirect an IKE_SA by configuration name>
318 ike-id = <redirect an IKE_SA by its unique id>
319 peer-ip = <redirect an IKE_SA with matching peer IP, may also be a
320 subnet in CIDR notation or an IP range>
321 peer-id = <redirect an IKE_SA with matching peer identity, may contain
322 wildcards>
323 } => {
324 success = <yes or no>
325 matches = <number of matched SAs>
326 errmsg = <error string on failure>
327 }
328
329 ### install() ###
330
331 Install a trap, drop or bypass policy defined by a CHILD_SA config.
332
333 {
334 child = <CHILD_SA configuration name to install>
335 ike = <optional IKE_SA configuration name to find child under>
336 } => {
337 success = <yes or no>
338 errmsg = <error string on failure>
339 }
340
341 ### uninstall() ###
342
343 Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
344
345 {
346 child = <CHILD_SA configuration name to install>
347 ike = <optional IKE_SA configuration name to find child under,
348 if not given the first policy matching child is removed>
349 } => {
350 success = <yes or no>
351 errmsg = <error string on failure>
352 }
353
354 ### list-sas() ###
355
356 Lists currently active IKE_SAs and associated CHILD_SAs by streaming _list-sa_
357 events.
358
359 {
360 noblock = <use non-blocking mode if key is set>
361 ike = <filter listed IKE_SAs by its name>
362 ike-id = <filter listed IKE_SA by its unique id>
363 } => {
364 # completes after streaming list-sa events
365 }
366
367 ### list-policies() ###
368
369 List currently installed trap, drop and bypass policies by streaming
370 _list-policy_ events.
371
372 {
373 drop = <set to yes to list drop policies>
374 pass = <set to yes to list bypass policies>
375 trap = <set to yes to list trap policies>
376 child = <filter by CHILD_SA configuration name>
377 ike = <filter by IKE_SA configuration name>
378 } => {
379 # completes after streaming list-sa events
380 }
381
382 ### list-conns() ###
383
384 List currently loaded connections by streaming _list-conn_ events. This
385 call includes all connections known by the daemon, not only those loaded
386 over vici.
387
388 {
389 ike = <list connections matching a given configuration name only>
390 } => {
391 # completes after streaming list-conn events
392 }
393
394 ### get-conns() ###
395
396 Return a list of connection names loaded exclusively over vici, not including
397 connections found in other backends.
398
399 {} => {
400 conns = [
401 <list of connection names>
402 ]
403 }
404
405 ### list-certs() ###
406
407 List currently loaded certificates by streaming _list-cert_ events. This
408 call includes all certificates known by the daemon, not only those loaded
409 over vici.
410
411 {
412 type = <certificate type to filter for, X509|X509_AC|X509_CRL|
413 OCSP_RESPONSE|PUBKEY or ANY>
414 flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
415 subject = <set to list only certificates having subject>
416 } => {
417 # completes after streaming list-cert events
418 }
419
420 ### list-authorities() ###
421
422 List currently loaded certification authority information by streaming
423 _list-authority_ events.
424
425 {
426 name = <list certification authority of a given name>
427 } => {
428 # completes after streaming list-authority events
429 }
430
431 ### get-authorities() ###
432
433 Return a list of currently loaded certification authority names.
434
435 {} => {
436 authorities = [
437 <list of certification authority names>
438 ]
439 }
440
441 ### load-conn() ###
442
443 Load a single connection definition into the daemon. An existing connection
444 with the same name gets updated or replaced.
445
446 {
447 <IKE_SA config name> = {
448 # IKE configuration parameters with authentication and CHILD_SA
449 # subsections. Refer to swanctl.conf(5) for details.
450 } => {
451 success = <yes or no>
452 errmsg = <error string on failure>
453 }
454 }
455
456 ### unload-conn() ###
457
458 Unload a previously loaded connection definition by name.
459
460 {
461 name = <IKE_SA config name>
462 } => {
463 success = <yes or no>
464 errmsg = <error string on failure>
465 }
466
467 ### load-cert() ###
468
469 Load a certificate into the daemon.
470
471 {
472 type = <certificate type, X509|X509_AC|X509_CRL>
473 flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
474 data = <PEM or DER encoded certificate data>
475 } => {
476 success = <yes or no>
477 errmsg = <error string on failure>
478 }
479
480 ### load-key() ###
481
482 Load a private key into the daemon.
483
484 {
485 type = <private key type, rsa|ecdsa|bliss|any>
486 data = <PEM or DER encoded key data>
487 } => {
488 success = <yes or no>
489 errmsg = <error string on failure>
490 id = <hex-encoded SHA-1 key identifier of the public key on success>
491 }
492
493 ### unload-key() ###
494
495 Unload the private key with the given key identifier.
496
497 {
498 id = <hex-encoded SHA-1 key identifier of the private key to unload>
499 } => {
500 success = <yes or no>
501 errmsg = <error string on failure>
502 }
503
504 ### get-keys() ###
505
506 Return a list of identifiers of private keys loaded exclusively over vici, not
507 including keys found in other backends.
508
509 {} => {
510 keys = [
511 <list of hex-encoded SHA-1 key identifiers>
512 ]
513 }
514
515 ### load-token() ###
516
517 Load a private key located on a token into the daemon. Such keys may be listed
518 and unloaded using the _get-keys_ and _unload-key_ commands, respectively (based
519 on the key identifier derived from the public key).
520
521 {
522 handle = <hex-encoded CKA_ID of the private key on token>
523 slot = <optional slot number>
524 module = <optional PKCS#11 module>
525 pin = <optional PIN to access the key, has to be provided via other
526 means if not given>
527 } => {
528 success = <yes or no>
529 errmsg = <error string on failure>
530 id = <hex-encoded SHA-1 key identifier of the public key on success>
531 }
532
533 ### load-shared() ###
534
535 Load a shared IKE PSK, EAP, XAuth or NTLM secret into the daemon.
536
537 {
538 id = <optional unique identifier of this shared key>
539 type = <shared key type, IKE|EAP|XAUTH|NTLM>
540 data = <raw shared key data>
541 owners = [
542 <list of shared key owner identities>
543 ]
544 } => {
545 success = <yes or no>
546 errmsg = <error string on failure>
547 }
548
549 ### unload-shared() ###
550
551 Unload a previously loaded shared IKE PSK, EAP, XAuth or NTLM secret by its
552 unique identifier.
553
554 {
555 id = <unique identifier of the shared key to unload>
556 } => {
557 success = <yes or no>
558 errmsg = <error string on failure>
559 }
560
561 ### get-shared() ###
562
563 Return a list of unique identifiers of shared keys loaded exclusively over vici,
564 not including keys found in other backends.
565
566 {} => {
567 keys = [
568 <list of unique identifiers>
569 ]
570 }
571
572 ### flush-certs() ###
573
574 Flushes the certificate cache. The optional type argument allows to flush
575 only certificates of a given type, e.g. all cached CRLs.
576
577 {
578 type = <certificate type to filter for, X509|X509_AC|X509_CRL|
579 OCSP_RESPONSE|PUBKEY or ANY>
580 } => {
581 success = <yes or no>
582 errmsg = <error string on failure>
583 }
584
585 ### clear-creds() ###
586
587 Clear all loaded certificate, private key and shared key credentials. This
588 affects only credentials loaded over vici, but additionally flushes the
589 credential cache.
590
591 {} => {
592 success = <yes or no>
593 errmsg = <error string on failure>
594 }
595
596 ### load-authority() ###
597
598 Load a single certification authority definition into the daemon. An existing
599 authority with the same name gets replaced.
600
601 {
602 <certification authority name> = {
603 # certification authority parameters
604 # refer to swanctl.conf(5) for details.
605 } => {
606 success = <yes or no>
607 errmsg = <error string on failure>
608 }
609 }
610
611 ### unload-authority() ###
612
613 Unload a previously loaded certification authority definition by name.
614
615 {
616 name = <certification authority name>
617 } => {
618 success = <yes or no>
619 errmsg = <error string on failure>
620 }
621
622 ### load-pool() ###
623
624 Load an in-memory virtual IP and configuration attribute pool. Existing
625 pools with the same name get updated, if possible.
626
627 {
628 <pool name> = {
629 addrs = <subnet of virtual IP pool addresses>
630 <attribute type>* = [
631 # attribute type is one of address, dns, nbns, dhcp, netmask,
632 # server, subnet, split_include, split_exclude or a numerical
633 # attribute type identifier.
634 <list of attributes for type>
635 ]
636 }
637 } => {
638 success = <yes or no>
639 errmsg = <error string on failure>
640 }
641
642 ### unload-pool() ###
643
644 Unload a previously loaded virtual IP and configuration attribute pool.
645 Unloading fails for pools with leases currently online.
646
647 {
648 name = <virtual IP address pool to delete>
649 } => {
650 success = <yes or no>
651 errmsg = <error string on failure>
652 }
653
654 ### get-pools() ###
655
656 List the currently loaded pools.
657
658 {
659 leases = <set to yes to include leases>
660 name = <optional name of the pool to query>
661 } => {
662 <pool name>* = {
663 base = <virtual IP pool base address>
664 size = <total number of addresses in the pool>
665 online = <number of leases online>
666 offline = <number of leases offline>
667 leases = {
668 <zero-based index>* = {
669 address = <IP address>
670 identity = <assigned identity>
671 status = <online|offline>
672 }
673 }
674 }
675 }
676
677 ### get-algorithms() ###
678
679 List currently loaded algorithms and their implementation.
680
681 {} => {
682 <algorithm type> = {
683 <algorithm> = <plugin providing the implementation>
684 }
685 }
686
687 ### get-counters() ###
688
689 List global or connection-specific counters for several IKE events.
690
691 {
692 name = <optional connection name, omit for global counters>
693 all = <yes to get counters for all connections, name is ignored>
694 } => {
695 counters = {
696 <name|empty for global counters> = {
697 <pairs of counter name and 64-bit counter value>
698 }
699 }
700 success = <yes or no>
701 errmsg = <error string on failure>
702 }
703
704 ### reset-counters() ###
705
706 Reset global or connection-specific IKE event counters.
707
708 {
709 name = <optional connection name, omit for global counters>
710 all = <yes to reset counters for all connections, name is ignored>
711 } => {
712 success = <yes or no>
713 errmsg = <error string on failure>
714 }
715
716 ## Server-issued events ##
717
718 Based on the packet layer, the vici plugin raises event messages using named
719 EVENT packets wrapping messages. The message contains event details.
720
721 ### log ###
722
723 The _log_ event is issued to registered clients for each debug log message.
724 This event is not associated with a command.
725
726 {
727 group = <subsystem identifier for debug message>
728 level = <log level, 0-4>
729 thread = <numerical thread identifier issuing the log message>
730 ikesa-name = <name of IKE_SA, if log is associated with any>
731 ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
732 msg = <log message text>
733 }
734
735 ### control-log ###
736
737 The _control-log_ event is issued for log events during active _initiate_ or
738 _terminate_ commands. It is issued only to clients currently having such
739 a command active.
740
741 {
742 group = <subsystem identifier for debug message>
743 level = <log level, 0-4>
744 ikesa-name = <name of IKE_SA, if log associated with any>
745 ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
746 msg = <log message text>
747 }
748
749 ### list-sa ###
750
751 The _list-sa_ event is issued to stream IKE_SAs during an active _list-sas_
752 command.
753
754 {
755 <IKE_SA config name> = {
756 uniqueid = <IKE_SA unique identifier>
757 version = <IKE version, 1 or 2>
758 state = <IKE_SA state name>
759 local-host = <local IKE endpoint address>
760 local-port = <local IKE endpoint port>
761 local-id = <local IKE identity>
762 remote-host = <remote IKE endpoint address>
763 remote-port = <remote IKE endpoint port>
764 remote-id = <remote IKE identity>
765 remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
766 remote-eap-id = <remote EAP identity, if EAP-authenticated>
767 initiator = <yes, if initiator of IKE_SA>
768 initiator-spi = <hex encoded initiator SPI / cookie>
769 responder-spi = <hex encoded responder SPI / cookie>
770 nat-local = <yes, if local endpoint is behind a NAT>
771 nat-remote = <yes, if remote endpoint is behind a NAT>
772 nat-fake = <yes, if NAT situation has been faked as responder>
773 nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
774 encr-alg = <IKE encryption algorithm string>
775 encr-keysize = <key size for encr-alg, if applicable>
776 integ-alg = <IKE integrity algorithm string>
777 integ-keysize = <key size for encr-alg, if applicable>
778 prf-alg = <IKE pseudo random function string>
779 dh-group = <IKE Diffie-Hellman group string>
780 established = <seconds the IKE_SA has been established>
781 rekey-time = <seconds before IKE_SA gets rekeyed>
782 reauth-time = <seconds before IKE_SA gets re-authenticated>
783 local-vips = [
784 <list of virtual IPs assigned by the remote peer, installed locally>
785 ]
786 remote-vips = [
787 <list of virtual IPs assigned to the remote peer>
788 ]
789 tasks-queued = [
790 <list of currently queued tasks for execution>
791 ]
792 tasks-active = [
793 <list of tasks currently initiating actively>
794 ]
795 tasks-passive = [
796 <list of tasks currently handling passively>
797 ]
798 child-sas = {
799 <unique child-sa-name>* = {
800 name = <name of the CHILD_SA>
801 uniqueid = <unique CHILD_SA identifier>
802 reqid = <reqid of CHILD_SA>
803 state = <state string of CHILD_SA>
804 mode = <IPsec mode, tunnel|transport|beet>
805 protocol = <IPsec protocol AH|ESP>
806 encap = <yes if using UDP encapsulation>
807 spi-in = <hex encoded inbound SPI>
808 spi-out = <hex encoded outbound SPI>
809 cpi-in = <hex encoded inbound CPI, if using compression>
810 cpi-out = <hex encoded outbound CPI, if using compression>
811 mark-in = <hex encoded inbound Netfilter mark value>
812 mark-mask-in = <hex encoded inbound Netfilter mark mask>
813 mark-out = <hex encoded outbound Netfilter mark value>
814 mark-mask-out = <hex encoded outbound Netfilter mark mask>
815 encr-alg = <ESP encryption algorithm name, if any>
816 encr-keysize = <ESP encryption key size, if applicable>
817 integ-alg = <ESP or AH integrity algorithm name, if any>
818 integ-keysize = <ESP or AH integrity key size, if applicable>
819 prf-alg = <CHILD_SA pseudo random function name>
820 dh-group = <CHILD_SA PFS rekeying DH group name, if any>
821 esn = <1 if using extended sequence numbers>
822 bytes-in = <number of input bytes processed>
823 packets-in = <number of input packets processed>
824 use-in = <seconds since last inbound packet, if any>
825 bytes-out = <number of output bytes processed>
826 packets-out = <number of output packets processed>
827 use-out = <seconds since last outbound packet, if any>
828 rekey-time = <seconds before CHILD_SA gets rekeyed>
829 life-time = <seconds before CHILD_SA expires>
830 install-time = <seconds the CHILD_SA has been installed>
831 local-ts = [
832 <list of local traffic selectors>
833 ]
834 remote-ts = [
835 <list of remote traffic selectors>
836 ]
837 }
838 }
839 }
840 }
841
842 ### list-policy ###
843
844 The _list-policy_ event is issued to stream installed policies during an active
845 _list-policies_ command.
846
847 {
848 <ike-sa-config-name/child-sa-config-name> = {
849 child = <CHILD_SA configuration name>
850 ike = <IKE_SA configuration name or namespace, if available>
851 mode = <policy mode, tunnel|transport|pass|drop>
852 local-ts = [
853 <list of local traffic selectors>
854 ]
855 remote-ts = [
856 <list of remote traffic selectors>
857 ]
858 }
859 }
860
861 ### list-conn ###
862
863 The _list-conn_ event is issued to stream loaded connection during an active
864 _list-conns_ command.
865
866 {
867 <IKE_SA connection name> = {
868 local_addrs = [
869 <list of valid local IKE endpoint addresses>
870 ]
871 remote_addrs = [
872 <list of valid remote IKE endpoint addresses>
873 ]
874 version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
875 reauth_time = <IKE_SA reauthentication interval in seconds>
876 rekey_time = <IKE_SA rekeying interval in seconds>
877
878 local*, remote* = { # multiple local and remote auth sections
879 class = <authentication type>
880 eap-type = <EAP type to authenticate if when using EAP>
881 eap-vendor = <EAP vendor for type, if any>
882 xauth = <xauth backend name>
883 revocation = <revocation policy>
884 id = <IKE identity>
885 aaa_id = <AAA authentication backend identity>
886 eap_id = <EAP identity for authentication>
887 xauth_id = <XAuth username for authentication>
888 groups = [
889 <group membership required to use connection>
890 ]
891 certs = [
892 <certificates allowed for authentication>
893 ]
894 cacerts = [
895 <CA certificates allowed for authentication>
896 ]
897 }
898 children = {
899 <CHILD_SA config name>* = {
900 mode = <IPsec mode>
901 rekey_time = <CHILD_SA rekeying interval in seconds>
902 rekey_bytes = <CHILD_SA rekeying interval in bytes>
903 rekey_packets = <CHILD_SA rekeying interval in packets>
904 local-ts = [
905 <list of local traffic selectors>
906 ]
907 remote-ts = [
908 <list of remote traffic selectors>
909 ]
910 }
911 }
912 }
913 }
914
915 ### list-cert ###
916
917 The _list-cert_ event is issued to stream loaded certificates during an active
918 _list-certs_ command.
919
920 {
921 type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
922 flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
923 has_privkey = <set if a private key for the certificate is available>
924 data = <ASN1 encoded certificate data>
925 subject = <subject string if defined and certificate type is PUBKEY>
926 not-before = <time string if defined and certificate type is PUBKEY>
927 not-after = <time string if defined and certificate type is PUBKEY>
928 }
929
930 ### list-authority ###
931
932 The _list-authority_ event is issued to stream loaded certification authority
933 information during an active_list-authorities_ command.
934
935 {
936 <certification authority name> = {
937 cacert = <subject distinguished name of CA certificate>
938 crl_uris = [
939 <CRL URI (http, ldap or file)>
940 ]
941 ocsp_uris = [
942 <OCSP URI (http)>
943 ]
944 cert_uri_base = <base URI for download of hash-and-URL certificates>
945 }
946 }
947
948 ### ike-updown ###
949
950 The _ike-updown_ event is issued when an IKE_SA is established or terminated.
951
952 {
953 up = <set if up event>
954 <IKE_SA config name> = {
955 <same data as in the list-sas event, but without child-sas section>
956 }
957 }
958
959 ### ike-rekey ###
960
961 The _ike-rekey_ event is issued when an IKE_SA is rekeyed.
962
963 {
964 <IKE_SA config name> = {
965 old = {
966 <same data as in the list-sas event, but without child-sas section>
967 }
968 new = {
969 <same data as in the list-sas event, but without child-sas section>
970 }
971 }
972 }
973
974 ### child-updown ###
975
976 The _child-updown_ event is issued when a CHILD_SA is established or terminated.
977
978 {
979 up = <set if up event>
980 <IKE_SA config name> = {
981 <same data as in the list-sas event, but with only the affected
982 CHILD_SA in the child-sas section>
983 }
984 }
985
986 ### child-rekey ###
987
988 The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
989
990 {
991 <IKE_SA config name> = {
992 <same data as in the list-sas event, but with the child-sas section
993 as follows>
994 child-sas = {
995 <child-sa-name> = {
996 old = {
997 <same data as in the list-sas event>
998 }
999 new = {
1000 <same data as in the list-sas event>
1001 }
1002 }
1003 }
1004 }
1005 }
1006
1007 # libvici C client library #
1008
1009 libvici is the reference implementation of a C client library implementing
1010 the vici protocol. It builds upon libstrongswan, but provides a stable API
1011 to implement client applications in the C programming language. libvici uses
1012 the libstrongswan thread pool to deliver event messages asynchronously.
1013
1014 ## Connecting to the daemon ##
1015
1016 This example shows how to connect to the daemon using the default URI, and
1017 then perform proper cleanup:
1018
1019 #include <stdio.h>
1020 #include <errno.h>
1021 #include <string.h>
1022
1023 #include <libvici.h>
1024
1025 int main(int argc, char *argv[])
1026 {
1027 vici_conn_t *conn;
1028 int ret = 0;
1029
1030 vici_init();
1031 conn = vici_connect(NULL);
1032 if (conn)
1033 {
1034 /* do stuff */
1035 vici_disconnect(conn);
1036 }
1037 else
1038 {
1039 ret = errno;
1040 fprintf(stderr, "connecting failed: %s\n", strerror(errno));
1041 }
1042 vici_deinit();
1043 return ret;
1044 }
1045
1046 ## A simple client request ##
1047
1048 In the following example, a simple _version_ request is issued to the daemon
1049 and the result is printed:
1050
1051 int get_version(vici_conn_t *conn)
1052 {
1053 vici_req_t *req;
1054 vici_res_t *res;
1055 int ret = 0;
1056
1057 req = vici_begin("version");
1058 res = vici_submit(req, conn);
1059 if (res)
1060 {
1061 printf("%s %s (%s, %s, %s)\n",
1062 vici_find_str(res, "", "daemon"),
1063 vici_find_str(res, "", "version"),
1064 vici_find_str(res, "", "sysname"),
1065 vici_find_str(res, "", "release"),
1066 vici_find_str(res, "", "machine"));
1067 vici_free_res(res);
1068 }
1069 else
1070 {
1071 ret = errno;
1072 fprintf(stderr, "version request failed: %s\n", strerror(errno));
1073 }
1074 return ret;
1075 }
1076
1077 ## A request with event streaming and callback parsing ##
1078
1079 In this more advanced example, the _list-conns_ command is used to stream
1080 loaded connections with the _list-conn_ event. The event message is parsed
1081 with a simple callback to print the connection name:
1082
1083 int conn_cb(void *null, vici_res_t *res, char *name)
1084 {
1085 printf("%s\n", name);
1086 return 0;
1087 }
1088
1089 void list_cb(void *null, char *name, vici_res_t *res)
1090 {
1091 if (vici_parse_cb(res, conn_cb, NULL, NULL, NULL) != 0)
1092 {
1093 fprintf(stderr, "parsing failed: %s\n", strerror(errno));
1094 }
1095 }
1096
1097 int list_conns(vici_conn_t *conn)
1098 {
1099 vici_req_t *req;
1100 vici_res_t *res;
1101 int ret = 0;
1102
1103 if (vici_register(conn, "list-conn", list_cb, NULL) == 0)
1104 {
1105 req = vici_begin("list-conns");
1106 res = vici_submit(req, conn);
1107 if (res)
1108 {
1109 vici_free_res(res);
1110 }
1111 else
1112 {
1113 ret = errno;
1114 fprintf(stderr, "request failed: %s\n", strerror(errno));
1115 }
1116 vici_register(conn, "list-conn", NULL, NULL);
1117 }
1118 else
1119 {
1120 ret = errno;
1121 fprintf(stderr, "registration failed: %s\n", strerror(errno));
1122 }
1123 return ret;
1124 }
1125
1126 ## API documentation ##
1127
1128 More information about the libvici API is available in the _libvici.h_ header
1129 file or the generated Doxygen documentation.
1130
1131 # vici ruby gem #
1132
1133 The _vici ruby gem_ is a pure ruby implementation of the VICI protocol to
1134 implement client applications. It is provided in the _ruby_ subdirectory, and
1135 gets built and installed if strongSwan has been _./configure_'d with
1136 _--enable-vici_ and _--enable-ruby-gems_.
1137
1138 The _Connection_ class from the _Vici_ module provides the high level interface,
1139 the underlying classes are usually not required to build ruby applications
1140 using VICI. The _Connection_ class provides methods for the supported VICI
1141 commands and an event listening mechanism.
1142
1143 To represent the VICI message data tree, the gem converts the binary encoding
1144 to ruby data types. The _Connection_ class takes and returns ruby objects for
1145 the exchanged message data:
1146 * Sections get encoded as Hash, containing other sections as Hash, or
1147 * Key/Values, where the values are Strings as Hash values
1148 * Lists get encoded as Arrays with String values
1149 Non-String values that are not a Hash nor an Array get converted with .to_s
1150 during encoding.
1151
1152 ## Connecting to the daemon ##
1153
1154 To create a connection to the daemon, a socket can be passed to the
1155 _Connection_ constructor. If none is passed, a default Unix socket at
1156 _/var/run/charon.vici_ is used:
1157
1158 require "vici"
1159 require "socket"
1160
1161 v = Vici::Connection.new(UNIXSocket.new("/var/run/charon.vici"))
1162
1163 ## A simple client request ##
1164
1165 An example to print the daemon version information is as simple as:
1166
1167 x = v.version
1168 puts "%s %s (%s, %s, %s)" % [
1169 x["daemon"], x["version"], x["sysname"], x["release"], x["machine"]
1170 ]
1171
1172 ## A request with closure invocation ##
1173
1174 The _Connection_ class takes care of event streaming by invoking a closure
1175 for each event. The following example lists all loaded connections using the
1176 _list-conns_ command and implicitly the _list-conn_ event:
1177
1178 v.list_conns { |conn|
1179 conn.each { |key, value|
1180 puts key
1181 }
1182 }
1183
1184 ## API documentation ##
1185
1186 For more details about the ruby gem refer to the comments in the gem source
1187 code or the generated documentation.
1188
1189 # vici Python egg #
1190
1191 The _vici Python egg_ is a pure Python implementation of the VICI protocol to
1192 implement client applications. It is provided in the _python_ subdirectory, and
1193 gets built and installed if strongSwan has been _./configure_'d with
1194 _--enable-vici_ and _--enable-python-eggs_.
1195
1196 The _vici_ module provides a _Session()_ constructor for a high level interface,
1197 the underlying classes are usually not required to build Python applications
1198 using VICI. The _Session_ class provides methods for the supported VICI
1199 commands.
1200
1201 To represent the VICI message data tree, the library converts the binary
1202 encoding to Python data types. The _Session_ class takes and returns Python
1203 objects for the exchanged message data:
1204 * Sections get encoded as OrderedDict, containing other sections, or
1205 * Key/Values, where the values are strings as dictionary values
1206 * Lists get encoded as Python Lists with string values
1207 Values that do not conform to Python dict or list get converted to strings using
1208 str().
1209
1210 ## Connecting to the daemon ##
1211
1212 To create a connection to the daemon, a socket can be passed to the _Session_
1213 constructor. If none is passed, a default Unix socket at _/var/run/charon.vici_
1214 is used:
1215
1216 import vici
1217 import socket
1218
1219 s = socket.socket(socket.AF_UNIX)
1220 s.connect("/var/run/charon.vici")
1221 v = vici.Session(s)
1222
1223 ## A simple client request ##
1224
1225 An example to print the daemon version information is as simple as:
1226
1227 ver = v.version()
1228
1229 print "{daemon} {version} ({sysname}, {release}, {machine})".format(**ver)
1230
1231 ## A request with response iteration ##
1232
1233 The _Session_ class returns an iterable Python generator for streamed events to
1234 continuously stream objects to the caller. The following example lists all
1235 loaded connections using the _list-conns_ command and implicitly the _list-conn_
1236 event:
1237
1238 for conn in v.list_conns():
1239 for key in conn:
1240 print key
1241
1242 Please note that if the returned generator is not iterated completely, it must
1243 be closed using _close()_. This is implicitly done when breaking from a loop,
1244 but an explicit call may be required when directly iterating the generator with
1245 _next()_.
1246
1247 ## Sorting in dictionaries ##
1248
1249 In VICI, in some message trees the order of objects in dictionary matters. In
1250 contrast to ruby Hashes, Python dictionaries do not preserve order of added
1251 objects. It is therefore recommended to use OrderedDicts instead of the default
1252 dictionaries. Objects returned by the library use OrderedDicts.
1253
1254 ## API documentation ##
1255
1256 For more details about the Python egg refer to the comments in the Python source
1257 code.
1258
1259 # Vici::Session Perl CPAN module #
1260
1261 The _Vici::Session Perl CPAN module_ is a pure Perl implementation of the VICI
1262 protocol to implement client applications. It is provided in the _perl_
1263 subdirectory, and gets built and installed if strongSwan has been
1264 _./configure_'d with_--enable-vici_ and _--enable-perl-cpan_.
1265
1266 The _Vici::Session_ module provides a _new()_ constructor for a high level
1267 interface, the underlying _Vici::Packet_ and _Vici::Transport_ classes are
1268 usually not required to build Perl applications using VICI. The _Vici::Session_
1269 class provides methods for the supported VICI commands. The auxiliare
1270 _Vici::Message_ class is used to encode configuration parameters sent to
1271 the daemon and decode data returned by the daemon.
1272
1273 ## Connecting to the daemon ##
1274
1275 use IO::Socket::UNIX;
1276 use Vici::Session;
1277 use Vici::Message;
1278
1279 my $socket = IO::Socket::UNIX->new(
1280 Type => SOCK_STREAM,
1281 Peer => '/var/run/charon.vici',
1282 ) or die "Vici socket: $!";
1283
1284 my $session = Vici::Session->new($socket);
1285
1286 ## A simple client request ##
1287
1288 An example to print the daemon version information is as simple as:
1289
1290 my $version = $session->version()->hash();
1291
1292 foreach my $key ('daemon', 'version', 'sysname', 'release', 'machine' ) {
1293 print $version->{$key}, " ";
1294 }
1295
1296 The _Vici::Session_ methods are explained in the perl/Vici-Session/README.pod
1297 document.
Unnamed repository; edit this file 'description' to name the repository.