[Openswan dev] RFC: Changes to whack's --status output

mcr at xelerance.com mcr at xelerance.com
Wed Dec 1 11:22:58 CET 2004




>>>>> "Ludwig" == Ludwig Nussel <ludwig.nussel at suse.de> writes:
    Ludwig> There have been inquiries about adding ipsec support to our
    Ludwig> smpppd maintainer in the past already. smpppd is a "meta
    Ludwig> pppd daemon", it provides a common interface for the various
    Ludwig> dial-up methods like modem, isdn and dsl. A desktop user
    Ludwig> controls it with a kde applet in the panel (there is also a
    Ludwig> commandline and a web frontend). It would be very convenient
    Ludwig> to also control IPsec tunnels this way, e.g. the RAS tunnel
    Ludwig> into the company or tunnels for WLAN. For this to be
    Ludwig> actually useful smpppd would need to do more than just
    Ludwig> "ipsec auto --up ...", it would need to query the current
    Ludwig> state of the tunnels periodically (or receive notification)
    Ludwig> so the user can get visual feedback about them
    Ludwig> e.g. "negotiating", "up", "down", "choking", "authentication
    Ludwig> failure" etc. Collecting all the necessary information from

  so, we wanted to create a program "initiate", which basically does
"ipsec whack --name FOO --initiate", and only that. It would be small
enough to be easily reviewed, and therefore able to be setuid.
  (ipsec auto --up FOO translates to the above)
  
  This is necessary for someone to do a nice GUI for XAUTH mode.
  (does smpppd handle prompting users for username/password already?)

  progress indicators already come out of whack, and can be processed
by "initiate" if you like to give feedback. Tell us what format to
provide the feedback if the current output is not okay. (Alas the
numbers that come out are actually internal states, and change slowly
over time)

  As for ongoing information about tunnel status... it may be possible
for us to provide the DPD status for liveness directly. This is in the
HEAD's whack --status, but you probably want it in a nicer format.
  Systems with ipsecX devices can trivially get tunnel stats by looking
at the ipsecX stats. (that's one of the reasons to have this device!)

  ipsec0    Link encap:Ethernet  HWaddr 00:E0:63:81:F7:D7  
          inet addr:192.168.0.137  Mask:255.255.255.0
          inet6 addr: fe80::2e0:63ff:fe81:f7d7/64 Scope:Link
          UP RUNNING NOARP  MTU:1400  Metric:1
          RX packets:106 errors:0 dropped:4 overruns:0 frame:0
                                          ^- decryption/authentication errors

          TX packets:14387 errors:0 dropped:1845 overruns:0 carrier:0
                                            ^-due to lack of keys
          collisions:0 txqueuelen:10 
          RX bytes:17563 (17.1 KiB)  TX bytes:1218822 (1.1 MiB)


-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

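An added example, not code from the message or from Openswan, of how a monitor such as smpppd could use the ipsecX device counters the way the message describes: parse ifconfig-style output and turn dropped-counter deltas into the tunnel states the message mentions. The sample output and the function names are constructed here; the mapping of RX drops to decryption/authentication failures and TX drops to missing keys follows the annotations in the message above.

```python
import re

# Constructed sample, modelled on the ipsec0 listing in the message (values made up).
SAMPLE_IFCONFIG = """\
ipsec0    Link encap:Ethernet  HWaddr 00:E0:63:81:F7:D7
          inet addr:192.168.0.137  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:1400  Metric:1
          RX packets:106 errors:0 dropped:4 overruns:0 frame:0
          TX packets:14387 errors:0 dropped:1845 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:17563 (17.1 KiB)  TX bytes:1218822 (1.1 MiB)
"""

_COUNTER_RE = re.compile(r"^\s*(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)", re.M)
_IFACE_RE = re.compile(r"^(ipsec\d+)\s")

def parse_ipsec_stats(text):
    """Return {iface: {rx_packets, rx_errors, rx_dropped, tx_packets, ...}} for every ipsecX block."""
    stats = {}
    # ifconfig starts each interface block in column 0 and indents the rest.
    for block in re.split(r"\n(?=\S)", text):
        m = _IFACE_RE.match(block)
        if not m:
            continue
        entry = {}
        for direction, pkts, errs, dropped in _COUNTER_RE.findall(block):
            d = direction.lower()
            entry[f"{d}_packets"] = int(pkts)
            entry[f"{d}_errors"] = int(errs)
            entry[f"{d}_dropped"] = int(dropped)
        stats[m.group(1)] = entry
    return stats

def tunnel_health(prev, cur):
    """Interpret counter deltas between two samples of one interface.
    RX drops: inbound packets failing decryption/authentication.
    TX drops: outbound packets with no keys (SA) to protect them."""
    findings = []
    rx_bad = cur["rx_dropped"] - prev["rx_dropped"]
    tx_bad = cur["tx_dropped"] - prev["tx_dropped"]
    if rx_bad > 0:
        findings.append(f"{rx_bad} inbound packets failed decryption/authentication")
    if tx_bad > 0:
        findings.append(f"{tx_bad} outbound packets dropped for lack of keys")
    if findings:
        return "degraded", findings
    return ("up" if cur["tx_packets"] > prev["tx_packets"] else "idle"), findings
```

Poll the device periodically, keep the previous sample, and feed each pair to tunnel_health to drive the applet's state display.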
