We have installed and configured a strongswan
VPN server with username / password authentication. Is it possible to store the users' credentials in a MySQL
backend and configure strongswan to use the backend for this purpose?
So far I just found a mysql plugin for configuration purposes and Xauth backends using AAA, radius, etc. . Unfortunately this is not what we need.
Best Answer
The sql plugin provides configuration details but also credentials stored in a database. It's not required to store everything in the database and the data can be combined with that provided by other plugins. So it is possible to use the stroke plugin to provide configurations from
ipsec.conf
and certificates from/etc/ipsec.d/
but define the username and passwords used for EAP/XAuth authentication in a database instead of inipsec.secrets
. The driver provided by the mysql plugin is required by the sql plugin to access MySQL databases.As mentioned above, you are free to ignore the tables that provide configurations and instead just define the secrets and usernames in the
shared_secrets
andidentities
tables, respectively, and associated them via theshared_secret_identity
table. Theid2sql
script (not installed but built in thescripts
folder in the strongSwan build directory) provides an easy way to generate entries for theidentities
table.Here is some example SQL data (more information regarding the types can be found here):