[Openswan dev] RFC: Changes to whack's --status output
Ludwig Nussel
ludwig.nussel at suse.de
Mon Dec 6 11:53:32 CET 2004
mcr at xelerance.com wrote:
> >>>>> "Ludwig" == Ludwig Nussel <ludwig.nussel at suse.de> writes:
> Ludwig> There have been inquiries about adding ipsec support to our
> Ludwig> smpppd maintainer in the past already. smpppd is a "meta
> Ludwig> pppd daemon", it provides a common interface for the various
> Ludwig> dial-up methods like modem, isdn and dsl. A desktop user
> Ludwig> controls it with a kde applet in the panel (there is also a
> Ludwig> commandline and a web frontend). It would be very convenient
> Ludwig> to also control IPsec tunnels this way, e.g. the RAS tunnel
> Ludwig> into the company or tunnels for WLAN. For this to be
> Ludwig> actually useful smpppd would need to do more than just
> Ludwig> "ipsec auto --up ...", it would need to query the current
> Ludwig> state of the tunnels periodically (or receive notification)
> Ludwig> so the user can get visual feedback about them
> Ludwig> e.g. "negotiating", "up", "down", "choking", "authentication
> Ludwig> failure" etc. Collecting all the necessary information from
>
> so, we wanted to create a program "initiate", which basically does
> "ipsec whack --name FOO --initiate", and only that. It would be small
> enough to be easily reviewed, and therefore able to be setuid.
> (ipsec auto --up FOO translates to the above)
>
> This is necessary for someone to do a nice GUI for XAUTH mode.
> (does smpppd handle prompting users for username/password already?)
Yes.
> progress indicators already come out of whack, and can be processed
> by "initiate" if you like to give feedback. Tell us what format to
> provide the feedback if the current output is not okay. (Alas the
> numbers that come out are actually internal states, and change slowly
> over time)
When I talked to the smpppd maintainer last time he was not very
fond of parsing any command output at all. The best thing would
probably be a C library that handles the socket communication to
pluto. This way at least some errors can be caught at build time
already, like e.g. new value for an enum -> warning in switch().
Ideally such a library interface would be high level enough so it
can be used for other isakmp implementations as well :-)
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
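
The small setuid "initiate" helper proposed in the quoted text could be shaped as below. This is an added example, not part of the thread and not Openswan code. WHACK_PATH, MAX_NAME and the allowed character set are assumptions, and it runs the whack binary directly rather than through the ipsec wrapper.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define WHACK_PATH "/usr/libexec/ipsec/whack"  /* assumed install path */
#define MAX_NAME   64                          /* assumed length limit */

/* Accept only names made of [A-Za-z0-9_.-] that do not start with '-',
 * so the connection name can never be parsed by whack as an option. */
int valid_conn_name(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    size_t len = name ? strlen(name) : 0;

    if (len == 0 || len > MAX_NAME || name[0] == '-')
        return 0;
    return strspn(name, ok) == len;
}

/* Fill argv with the single fixed command line; returns 0 on success. */
int build_argv(const char *name, const char *argv[5])
{
    if (!valid_conn_name(name))
        return -1;
    argv[0] = "whack";
    argv[1] = "--name";
    argv[2] = name;
    argv[3] = "--initiate";
    argv[4] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *args[5];
    char *const envp[] = { NULL };  /* empty environment for the child */

    if (argc != 2 || build_argv(argv[1], args) != 0) {
        fprintf(stderr, "usage: initiate CONNECTION\n");
        return 2;
    }
    /* Absolute path, fixed argv, no inherited environment, no shell. */
    execve(WHACK_PATH, (char *const *)args, envp);
    perror("execve");
    return 1;
}
```
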