sql Plugin

Purpose

The sql plugin for libcharon allows the complete connection configuration to be stored in a relational database. The charon daemon can also read credentials such as certificates, private keys or passwords from the database for all kinds of authentication. Logging to the database is also possible.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-sql

Also required is support for either MySQL/MariaDB (--enable-mysql) or SQLite (--enable-sqlite) which builds and loads the mysql or sqlite plugin, respectively.

Configuration

The sql plugin is still rather experimental, so there is currently no convenient frontend to configure the database. There are, however, some SQL scripts to assist you in the database setup (more information on the tables and values can be found here).

The sql plugin is configured using the following options in the charon.plugins.sql section of strongswan.conf:

| Key | Default | Description |
|---|---|---|
| database | | Database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly. |
| loglevel | -1 | Loglevel for logging to SQL database. |

Examples

# MySQL:
charon {
  plugins {
    sql {
      database = mysql://user:pass@localhost/database
    }
  }
}
# SQLite:
charon {
  plugins {
    sql {
      database = sqlite:///etc/ipsec.d/ipsec.db
    }
  }
}
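
The permission advice for the database option can be checked mechanically. The following Python check is an added example, not strongSwan code: it flags a config file whose database URI embeds a password, and a SQLite database file (which holds the stored keys and passwords), when either is accessible to group or other. The function names and the owner-only policy are assumptions, and the parser handles only the one-statement-per-line layout shown above.

```python
import os, stat, tempfile
from pathlib import Path
from urllib.parse import urlsplit

LOOSE = 0o077  # assumed policy: no group/other access to files holding secrets

def sql_database_uris(conf_text):
    """Values of charon.plugins.sql.database. Minimal parser: one statement
    per line, as in the examples above; include statements are not followed."""
    stack, uris = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line and stack == ["charon", "plugins", "sql"]:
            key, value = line.split("=", 1)
            if key.strip() == "database":
                uris.append(value.strip().strip('"'))
    return uris

def loose_mode(path):  # permission bits if group/other access is set, else None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode if mode & LOOSE else None

def audit(conf_path):
    """List permission findings for the config file and any SQLite database."""
    targets = []
    for uri in sql_database_uris(Path(conf_path).read_text()):
        parts = urlsplit(uri)
        if parts.password:
            targets.append((conf_path, "URI embeds a password"))
        # The SQLite file itself stores the private keys and passwords.
        if parts.scheme == "sqlite" and os.path.exists(parts.path):
            targets.append((parts.path, "credential database"))
    return [f"{p}: {why}, mode {loose_mode(p):04o}"
            for p, why in targets if loose_mode(p) is not None]

def demo(mode):  # audits a constructed strongswan.conf written with this mode
    conf = "charon {\n plugins {\n  sql {\n   database = mysql://user:pass@localhost/database\n  }\n }\n}\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "strongswan.conf")
        Path(path).write_text(conf)
        os.chmod(path, mode)
        return audit(path)

if __name__ == "__main__":
    print(demo(0o644), demo(0o600))
```

Call audit() with the path of the strongswan.conf actually loaded by charon; an empty list means no finding under the assumed policy.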