lookip Plugin
Purpose
The lookip (lookup by IP) plugin for libcharon provides a fast and simple interface to query specific information about tunnels by the remote peer's virtual IP address. This allows a gateway administrator to get client information for an IP acting in the protected network.
The plugin is disabled by default and can be enabled with the ./configure option --enable-lookip.
Implementation
If the plugin is enabled, it collects information about each virtual IP in a fast data structure.
A UNIX socket allows clients to query that data structure and receive additional information about a virtual IP, such as the outer IP address, the peer identity and the connection name.
Configuration
The lookip plugin is configured using the following options in the charon.plugins.lookip section of strongswan.conf:
Key | Default | Description
---|---|---
socket | [→] | Socket provided by the lookip plugin.
Query Tool
The lookip ipsec utility, usually invoked as /usr/libexec/ipsec/lookip ..., can be used to query the virtual IP database. It can take multiple arguments to run multiple queries. If invoked without arguments, it runs interactively.
Command | Description
---|---
 | Dump all active virtual IPs with associated data
 | Query an entry for a specific virtual IP
 | Listen for new virtual IP entries
 | Listen for virtual IP entries disappearing
If one or more of the listen arguments are used, the tool blocks and prints notifications for the registered events.
Socket interface
The lookip socket interface definition can be found in src/libcharon/plugins/lookip/lookip_msg.h.
The lookip tool, which demonstrates how the interface can be used, is in src/libcharon/plugins/lookip/lookip.c.
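As an added example (not the plugin's or the project's own code), a small Python client for the socket interface referenced above: it packs a LOOKUP request followed by the END message that closes a batch, then decodes the ENTRY replies the plugin sends back. The struct layouts, the message type numbering and the socket path are assumptions taken from lookip_msg.h and the default configuration; check them against the header in your tree.

```python
import socket
import struct

# Wire layout assumed from lookip_msg.h (packed structs, 4-byte int);
# check the header in your strongSwan tree before relying on these formats.
REQ_FMT = "=i40s"               # int type, char vip[40]
RESP_FMT = "=i40s40s128s40sI"   # type, vip, outer ip, peer id, conn name, unique_id
REQ_LEN, RESP_LEN = struct.calcsize(REQ_FMT), struct.calcsize(RESP_FMT)
# Message types, in the order assumed from the header's enum.
DUMP, LOOKUP, ENTRY, REGISTER_UP, REGISTER_DOWN, NOTIFY_UP, NOTIFY_DOWN, END = range(1, 9)
SOCKET_PATH = "/var/run/charon.lkp"   # assumed; use the value of charon.plugins.lookip.socket

def _cstr(raw):
    """Decode a NUL-padded C char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def pack_request(msg_type, vip=""):
    """Client side: one request message; vip is set only for LOOKUP."""
    return struct.pack(REQ_FMT, msg_type, vip.encode())

def pack_response(msg_type, vip, ip, ident, name, unique_id):
    """Server side: one ENTRY/NOTIFY_* message (used here to build constructed replies)."""
    return struct.pack(RESP_FMT, msg_type, vip.encode(), ip.encode(),
                       ident.encode(), name.encode(), unique_id)

def parse_responses(stream):
    """Split the byte stream read from the socket into decoded response dicts."""
    out = []
    for off in range(0, len(stream) - RESP_LEN + 1, RESP_LEN):
        t, vip, ip, ident, name, uid = struct.unpack_from(RESP_FMT, stream, off)
        out.append({"type": t, "vip": _cstr(vip), "ip": _cstr(ip),
                    "id": _cstr(ident), "name": _cstr(name), "unique_id": uid})
    return out

def lookup(vip, path=SOCKET_PATH):
    """Send LOOKUP then END; the plugin answers with ENTRY messages and closes the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(pack_request(LOOKUP, vip) + pack_request(END))
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return parse_responses(data)

if __name__ == "__main__":
    for e in lookup("10.3.0.5"):   # constructed sample virtual IP
        print(f"{e['vip']:<16} {e['ip']:<16} {e['id']:<24} {e['name']} [{e['unique_id']}]")
```

The same batch pattern applies to DUMP and the REGISTER_* requests; for the latter the connection stays open and NOTIFY_UP/NOTIFY_DOWN messages arrive until the client sends END.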