attr-sql Plugin

Purpose

The attr-sql plugin for libcharon is similar to the attr plugin but stores the attributes in an SQL database instead of strongswan.conf.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-attr-sql

Also required is support for either MySQL/MariaDB (--enable-mysql) or SQLite (--enable-sqlite) which enables the mysql or sqlite plugin, respectively.

Behavior

Configured attributes are assigned to peers via CP configuration payloads (IKEv2) or via Mode Config (IKEv1). Attributes are only assigned to peers if they request a virtual IP.

Configuration

The attr-sql plugin is configured using the following options in the charon.plugins.attr-sql section of strongswan.conf:

Key             Default  Description

crash_recovery  yes      Release all online leases during startup. Disable this to share the database between multiple VPN gateways.

database                 Database URI used to access the database.

lease_history   yes      Enable logging of IP pool leases.
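
The options above, written out as a strongswan.conf fragment. This is an added example, not taken from the strongSwan documentation; the database path, host, user and password are placeholders, and the URI forms are the ones accepted by the sqlite and mysql plugins.

```conf
# strongswan.conf: added example; paths and credentials are placeholders
charon {
    plugins {
        attr-sql {
            # SQLite database file (placeholder path)
            database = sqlite:///etc/ipsec.d/ipsec.db
            # MySQL/MariaDB alternative (placeholder credentials):
            # database = mysql://user:password@localhost/database

            # Keep the default on a single gateway. Set to "no" only when
            # several gateways share this database, so that a restart of
            # one gateway does not release the others' online leases.
            crash_recovery = yes

            # Log IP pool leases (default)
            lease_history = yes
        }
    }
}
```

A MySQL/MariaDB URI embeds the database password, so the configuration file should be readable only by the user the daemon runs as.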

Database Setup

To set up the database, use the schema defined in the following SQL scripts:

These files contain the complete database schema, which also includes tables that are required only by the sql plugin.

ipsec pool Tool

Attributes stored in the database can be managed using the ipsec pool utility.