We have installed and configured a strongswan VPN server with username / password authentication. Is it possible to store the users' credentials in a MySQL backend and configure strongswan to use the backend for this purpose?
So far I just found a mysql plugin for configuration purposes and Xauth backends using AAA, radius, etc. . Unfortunately this is not what we need.
Best Answer
The sql plugin provides configuration details but also credentials stored in a database. It's not required to store everything in the database and the data can be combined with that provided by other plugins. So it is possible to use the stroke plugin to provide configurations from
ipsec.confand certificates from/etc/ipsec.d/but define the username and passwords used for EAP/XAuth authentication in a database instead of inipsec.secrets. The driver provided by the mysql plugin is required by the sql plugin to access MySQL databases.As mentioned above, you are free to ignore the tables that provide configurations and instead just define the secrets and usernames in the
shared_secretsandidentitiestables, respectively, and associated them via theshared_secret_identitytable. Theid2sqlscript (not installed but built in thescriptsfolder in the strongSwan build directory) provides an easy way to generate entries for theidentitiestable.Here is some example SQL data (more information regarding the types can be found here):