[Openswan dev] RFC: Changes to whack's --status output

Ludwig Nussel ludwig.nussel at suse.de
Tue Nov 30 13:30:07 CET 2004


Paul Wouters wrote:
> On Thu, 25 Nov 2004, D. Hugh Redelmeier wrote:
> [...]
> Third, I think ipsec whack --status in its current form is next to
> useless to most users. Even I find it very difficult to read. In its
> [...]
> I think it is still useful to keep a more machine readable status option
> that can be used by developers with grep, or which can be used as basis
> for other GUI/web interfaces to display the status.
> 
> Other options could include presenting the status information in a very
> structured way such as XML, RSS or SNMP. Though that is probably best
> left to third party tools.
> [...]
> What I am further missing is a command to show me the last few lines
> of pluto output (say the last 20-40). Or to have an 'ipsec log' option
> you can run that 'tail -f's all ipsec subsystem output. This will
> avoid me having to figure out where syslog is leaving the information
> (secure? daemon.log?  auth.log? messages?). tail -f /var/log/* used
> to work fine, but these days some versions of tail don't silently skip
> directories but stop, and some foolish people put named pipes or sockets
> in that directory. Such an option also would make receiving logfiles
> easier. And most of the time when receiving or reading a barf, those
> loglines tell me the exact problem. So being able to run 'ipsec log >
> forpaul.txt' while in another window starting ipsec (or just the conn)
> would be very useful. It is a bit similar to seeing some messages happening
> when you manually 'ipsec auto --up connname'.

There have been inquiries about adding ipsec support to our smpppd
maintainer in the past already. smpppd is a "meta pppd daemon", it
provides a common interface for the various dial-up methods like
modem, isdn and dsl. A desktop user controls it with a kde applet in
the panel (there is also a command line and a web frontend). It would
be very convenient to also control IPsec tunnels this way, e.g. the
RAS tunnel into the company or tunnels for WLAN. For this to be
actually useful smpppd would need to do more than just "ipsec auto
--up ...", it would need to query the current state of the tunnels
periodically (or receive notification) so the user can get visual
feedback about them e.g. "negotiating", "up", "down", "choking",
"authentication failure" etc. Collecting all the necessary
information from /etc/ipsec.conf (and includes), the current status
output and logfiles is cumbersome, error prone and hard to maintain
so a nice machine readable status output would be quite a step in
the direction of end-user friendly IPsec.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/

