sql Plugin
Purpose
The sql plugin for libcharon allows the complete connection configuration to be stored in a relational database. Further, the charon daemon reads credentials such as certificates, private keys or passwords from the database to do all kinds of authentication. Logging to the database is also possible.
The plugin is disabled by default and can be enabled with the ./configure option --enable-sql. Also required is support for either MySQL/MariaDB (--enable-mysql) or SQLite (--enable-sqlite), which builds and loads the mysql or sqlite plugin, respectively.
Configuration
The sql plugin is still rather experimental. Thus there is currently no comfortable frontend to configure the database. But there are some SQL scripts to assist you in the database setup (more information on the tables and values can be found here).
- MySQL tables: src/pool/mysql.sql
- SQLite tables: src/pool/sqlite.sql
- Test data: testing/tests/sql, e.g. this exampledata.sql file.
The sql plugin is configured using the following options in the charon.plugins.sql section of strongswan.conf:
Key | Default | Description |
---|---|---|
database | | Database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly |
loglevel | | Loglevel for logging to SQL database |
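
The permission caveat on the database option can be checked mechanically. The following is an added example, not part of the strongSwan documentation or code base: it reads a strongswan.conf-style file, extracts the database value from the sql section, and reports the file if the URI embeds a password while the file is accessible beyond its owner. The scheme://user:password@host URI layout, the one-statement-per-line parsing and the sample config are assumptions.

```python
import os
import re
import stat

# scheme://user:password@host/... ; this URI layout is an assumption, the page
# only says the database URI may contain a password.
URI_WITH_PASSWORD = re.compile(r"^[a-z0-9+.-]+://[^/@:\s]+:[^@\s]+@", re.I)

# Constructed sample input, not taken from the strongSwan documentation.
SAMPLE_CONF = """\
charon {
    plugins {
        sql {
            database = mysql://charon:example-secret@localhost/strongswan
        }
    }
}
"""


def sql_database_uris(conf_text):
    """Return every database value found in an sql section (one statement per line)."""
    path, uris = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # Matching on the innermost section also covers a bare sql block (assumption).
            if path[-1:] == ["sql"] and key == "database":
                uris.append(value.strip('"'))
    return uris


def audit(conf_path):
    """Return one finding per password-bearing URI in a group/other-accessible file."""
    with open(conf_path, encoding="utf-8") as fh:
        uris = sql_database_uris(fh.read())
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    findings = []
    for uri in uris:
        if URI_WITH_PASSWORD.match(uri) and mode & 0o077:
            scheme = uri.split("://", 1)[0]  # never echo the password itself
            findings.append(f"{conf_path}: mode {mode:03o}, {scheme} password accessible beyond owner")
    return findings
```

A file holding a password-bearing URI passes the check once its mode carries no group or other bits (for example 600); a URI without credentials is never reported.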