ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

vici: Document the available vici command and event messages

This commit is contained in:
Martin Willi 2014-10-08 18:13:31 +02:00
parent f684be6583
commit 56f17733c9
1 changed files with 509 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

510
src/libcharon/plugins/vici/README.md
View File

@ -103,7 +103,8 @@ the length field itself.
The interpretation of any value is not defined by the message format; it can
take arbitrary blobs. The application may specify types for specific keys, such
as strings or integer representations.
as strings or integer representations. The vici plugin currently uses
non-null terminated strings as values only; numbers get encoded as strings.
### Sections ###
@ -165,6 +166,513 @@ the following C array:
1,
};
## Client-initiated commands ##
Based on the packet layer, VICI implements commands requested by the client
and responded to by the server using named _CMD_REQUEST_ and _CMD_RESPONSE_
packets wrapping messages. The request message may contain command arguments,
the response message the reply.
Some commands use response streaming, that is, a request triggers a series of
events to consecutively stream data to the client before the response message
completes the stream. A client must register for the appropriate event to
receive the stream, and unregister after the response has been received.
The following client issued commands with the appropriate command input and
output messages are currently defined:
### version() ###
Returns daemon and system specific version information.
{} => {
daemon = <IKE daemon name>
version = <strongSwan version>
sysname = <operating system name>
release = <operating system release>
machine = <hardware identifier>
}
### stats() ###
Returns IKE daemon statistics and load information.
{} => {
uptime = {
running = <relative uptime in human-readable form>
since = <absolute startup time>
}
workers = {
total = <total number of worker threads>
idle = <worker threads currently idle>
active = {
critical = <threads processing "critical" priority jobs>
high = <threads processing "high" priority jobs>
medium = <threads processing "medium" priority jobs>
low = <threads processing "low" priority jobs>
}
}
queues = {
critical = <jobs queued with "critical" priority>
high = <jobs queued with "high" priority>
medium = <jobs queued with "medium" priority>
low = <jobs queued with "low" priority>
}
scheduled = <number of jobs scheduled for timed execution>
ikesas = {
total = <total number of IKE_SAs active>
half-open = <number of IKE_SAs in half-open state>
}
plugins = [
<names of loaded plugins>
]
mem = { # available if built with leak-detective or on Windows
total = <total heap memory usage in bytes>
allocs = <total heap allocation blocks>
<heap-name>* = { # on Windows only
total = <heap memory usage in bytes by this heap>
allocs = <allocated blocks for this heap>
}
}
mallinfo = { # available with mallinfo() support
sbrk = <non-mmaped space available>
mmap = <mmaped space available>
used = <total number of bytes used>
free = <available but unused bytes>
}
}
### reload-settings() ###
Reloads _strongswan.conf_ settings and all plugins supporting configuration
reload.
{} => {
success = <yes or no>
errmsg = <error string on failure>
}
### initiate() ###
Initiates an SA while streaming _control-log_ events.
{
child = <CHILD_SA configuration name to initiate>
timeout = <timeout in seconds before returning>
loglevel = <loglevel to issue "control-log" events for>
} => {
success = <yes or no>
errmsg = <error string on failure or timeout>
}
### terminate() ###
Terminates an SA while streaming _control-log_ events.
{
child = <terminate a CHILD_SA by configuration name>
ike = <terminate an IKE_SA by configuration name>
child_id = <terminate a CHILD_SA by its reqid>
ike_id = <terminate an IKE_SA by its unique id>
timeout = <timeout in seconds before returning>
loglevel = <loglevel to issue "control-log" events for>
} => {
success = <yes or no>
errmsg = <error string on failure or timeout>
}
### install() ###
Install a trap, drop or bypass policy defined by a CHILD_SA config.
{
child = <CHILD_SA configuration name to install>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### uninstall() ###
Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
{
child = <CHILD_SA configuration name to install>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### list-sas() ###
Lists currently active IKE_SAs and associated CHILD_SAs by streaming _list-sa_
events.
{
noblock = <use non-blocking mode if key is set>
ike = <filter listed IKE_SAs by its name>
ike_id = <filter listed IKE_SA by its unique id>
} => {
# completes after streaming list-sa events
}
### list-policies() ###
List currently installed trap, drop and bypass policies by streaming
_list-policy_ events.
{
drop = <set to yes to list drop policies>
pass = <set to yes to list bypass policies>
trap = <set to yes to list trap policies>
child = <filter by CHILD_SA configuration name>
} => {
# completes after streaming list-sa events
}
### list-conns() ###
List currently loaded connections by streaming _list-conn_ events. This
call includes all connections known by the daemon, not only those loaded
over vici.
{
ike = <list connections matching a given configuration name only>
} => {
# completes after streaming list-conn events
}
### get-conns() ###
Return a list of connection names loaded exclusively over vici, not including
connections found in other backends.
{} => {
conns = [
<list of connection names>
]
}
### list-certs() ###
List currently loaded certificates by streaming _list-cert_ events. This
call includes all certificates known by the daemon, not only those loaded
over vici.
{
type = <certificate type to filter for, or ANY>
subject = <set to list only certificates having subject>
} => {
# completes after streaming list-cert events
}
### load-conn() ###
Load a single connection definition into the daemon. An existing connection
with the same name gets updated or replaced.
{
<IKE_SA config name> = {
# IKE configuration parameters with authentication and CHILD_SA
# subsections. Refer to swanctl.conf(5) for details.
} => {
success = <yes or no>
errmsg = <error string on failure>
}
}
### unload-conn() ###
Unload a previously loaded connection definition by name.
{
name = <IKE_SA config name>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### load-cert() ###
Load a certificate into the daemon.
{
type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
data = <PEM or DER encoded certificate data>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### load-key() ###
Load a private key into the daemon.
{
type = <private key type, RSA|ECDSA>
data = <PEM or DER encoded key data>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### load-shared() ###
Load a shared IKE PSK, EAP or XAuth secret into the daemon.
{
type = <private key type, IKE|EAP|XAUTH>
data = <raw shared key data>
owners = [
<list of shared key owner identities>
]
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### clear-creds() ###
Clear all loaded certificate, private key and shared key credentials. This
affects only credentials loaded over vici, but additionally flushes the
credential cache.
{} => {
success = <yes or no>
errmsg = <error string on failure>
}
### load-pool() ###
Load an in-memory virtual IP and configuration attribute pool. Existing
pools with the same name get updated, if possible.
{
<pool name> = {
addrs = <subnet of virtual IP pool addresses>
<attribute type>* = [
# attribute type is one of address, dns, nbns, dhcp, netmask,
# server, subnet, split_include, split_exclude or a numerical
# attribute type identifier.
<list of attributes for type>
]
}
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### unload-pool() ###
Unload a previously loaded virtual IP and configuration attribute pool.
Unloading fails for pools with leases currently online.
{
name = <virtual IP address pool to delete>
} => {
success = <yes or no>
errmsg = <error string on failure>
}
### get-pools() ###
List the currently loaded pools.
{} => {
<pool name>* = {
base = <virtual IP pool base address>
size = <total number of addresses in the pool>
online = <number of leases online>
offline = <number of leases offline>
}
}
## Server-issued events ##
Based on the packet layer, the vici plugin raises event messages using named
EVENT packets wrapping messages. The message contains event details.
### log ###
The _log_ event is issued to registered clients for each debug log message.
This event is not associated with a command.
{
group = <subsystem identifier for debug message>
level = <log level, 0-4>
thread = <numerical thread identifier issuing the log message>
ikesa-name = <name of IKE_SA, if log is associated with any>
ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
msg = <log message text>
}
### control-log ###
The _control-log_ event is issued for log events during active _initiate_ or
_terminate_ commands. It is issued only to clients currently having such
a command active.
{
group = <subsystem identifier for debug message>
level = <log level, 0-4>
ikesa-name = <name of IKE_SA, if log associated with any>
ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
msg = <log message text>
}
### list-sa ###
The _list-sa_ event is issued to stream IKE_SAs during an active _list-sas_
command.
{
<IKE_SA config name> = {
uniqueid = <IKE_SA unique identifier>
version = <IKE version, 1 or 2>
state = <IKE_SA state name>
local-host = <local IKE endpoint address>
local-id = <local IKE identity>
remote-host = <remote IKE endpoint address>
remote-id = <remote IKE identity>
remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
remote-eap-id = <remote EAP identity, if EAP-authenticated>
initiator = <yes, if initiator of IKE_SA>
initiator-spi = <hex encoded initiator SPI / cookie>
responder-spi = <hex encoded responder SPI / cookie>
encr-alg = <IKE encryption algorithm string>
encr-keysize = <key size for encr-alg, if applicable>
integ-alg = <IKE integrity algorithm string>
integ-keysize = <key size for encr-alg, if applicable>
prf-alg = <IKE pseudo random function string>
dh-group = <IKE Diffie-Hellman group string>
established = <seconds the IKE_SA has been established>
rekey-time = <seconds before IKE_SA gets rekeyed>
reauth-time = <seconds before IKE_SA gets re-authenticated>
tasks-queued = [
<list of currently queued tasks for execution>
]
tasks-active = [
<list of tasks currently initiating actively>
]
tasks-passive = [
<list of tasks currently handling passively>
]
child-sas = {
<child-sa-name>* = {
reqid = <reqid of CHILD_SA>
state = <state string of CHILD_SA>
mode = <IPsec mode, tunnel|transport|beet>
protocol = <IPsec protocol AH|ESP>
encap = <yes if using UDP encapsulation>
spi-in = <hex encoded inbound SPI>
spi-out = <hex encoded outbound SPI>
cpi-in = <hex encoded inbound CPI, if using compression>
cpi-out = <hex encoded outbound CPI, if using compression>
encr-alg = <ESP encryption algorithm name, if any>
encr-keysize = <ESP encryption key size, if applicable>
integ-alg = <ESP or AH integrity algorithm name, if any>
integ-keysize = <ESP or AH integrity key size, if applicable>
prf-alg = <CHILD_SA pseudo random function name>
dh-group = <CHILD_SA PFS rekeying DH group name, if any>
esn = <1 if using extended sequence numbers>
bytes-in = <number of input bytes processed>
packets-in = <number of input packets processed>
use-in = <seconds since last inbound packet, if any>
bytes-out = <number of output bytes processed>
packets-out = <number of output packets processed>
use-out = <seconds since last outbound packet, if any>
rekey-time = <seconds before CHILD_SA gets rekeyed>
life-time = <seconds before CHILD_SA expires>
install-time = <seconds the CHILD_SA has been installed>
local-ts = [
<list of local traffic selectors>
]
remote-ts = [
<list of remote traffic selectors>
]
}
}
}
}
### list-policy ###
The _list-policy_ event is issued to stream installed policies during an active
_list-policies_ command.
{
<child-sa-config-name> = {
mode = <policy mode, tunnel|transport|pass|drop>
local-ts = [
<list of local traffic selectors>
]
remote-ts = [
<list of remote traffic selectors>
]
}
}
### list-conn ###
The _list-conn_ event is issued to stream loaded connection during an active
_list-conns_ command.
{
<IKE_SA connection name> = {
local_addrs = [
<list of valid local IKE endpoint addresses>
]
remote_addrs = [
<list of valid remote IKE endpoint addresses>
]
version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
local*, remote* = { # multiple local and remote auth sections
class = <authentication type>
eap-type = <EAP type to authenticate if when using EAP>
eap-vendor = <EAP vendor for type, if any>
xauth = <xauth backend name>
revocation = <revocation policy>
id = <IKE identity>
aaa_id = <AAA authentication backend identity>
eap_id = <EAP identity for authentication>
xauth_id = <XAuth username for authentication>
groups = [
<group membership required to use connection>
]
certs = [
<certificates allowed for authentication>
]
cacerts = [
<CA certificates allowed for authentication>
]
}
children = {
<CHILD_SA config name>* = {
mode = <IPsec mode>
local-ts = [
<list of local traffic selectors>
]
remote-ts = [
<list of remote traffic selectors>
]
}
}
}
}
### list-cert ###
The _list-cert_ event is issued to stream loaded certificates during an active
_list-certs_ command.
{
type = <certificate type>
has_privkey = <set if a private key for the certificate is available>
data = <ASN1 encoded certificate data>
}
# libvici C client library #
libvici is the reference implementation of a C client library implementing