1 # The Versatile IKE Control Interface (VICI) protocol #
3 The vici _[ˈvitʃi]_ plugin implements the server side of an IPC protocol to
4 configure, monitor and control the IKE daemon charon. It uses request/response
5 and event messages to communicate over a reliable stream based transport.
7 ## Transport protocol ##
9 To provide the service, the plugin opens a listening socket using a reliable,
10 stream based transport. charon relies on the different stream service
11 abstractions provided by libstrongswan, such as TCP and UNIX sockets.
13 A client connects to this service to access functionality. It may send an
14 arbitrary number of packets over the connection before closing it.
16 To exchange data, the transport protocol is segmented into byte sequences.
17 Each byte sequence is prefixed by a 32-bit length header in network order,
18 followed by the data. The maximum segment length is currently limited to 512KB
19 of data, and the length field contains the length of the data only, not
20 including the length field itself.
22 The order of byte sequences must be strict, byte sequences must arrive in the
27 Within the byte sequences defined by the transport layer, both the client
28 and the server can exchange packets. The type of packet defines its structure
29 and purpose. The packet type is a 8-bit identifier, and is the first byte
30 in a transport layer byte sequence. The length of the packet is given by the
33 While a packet type may define the format of the wrapped data freely, currently
34 all types either contain a name, a message or both. The following packet types
35 are currently defined:
37 * _CMD_REQUEST = 0_: A named request message
38 * _CMD_RESPONSE = 1_: An unnamed response message for a request
39 * _CMD_UNKNOWN = 2_: An unnamed response if requested command is unknown
40 * _EVENT_REGISTER = 3_: A named event registration request
41 * _EVENT_UNREGISTER = 4_: A named event deregistration request
42 * _EVENT_CONFIRM = 5_: An unnamed response for successful event (de-)registration
43 * _EVENT_UNKNOWN = 6_: A unnamed response if event (de-)registration failed
44 * _EVENT = 7_: A named event message
46 For packets having a named type, after the packet type an 8-bit length header
47 of the name follows, indicating the string length in bytes of the name tag, not
48 including the length field itself. The name is an ASCII string that is not
51 The rest of the packet forms the exchanged message, the length is determined
52 by the transport byte sequence length, subtracting the packet type and
53 the optional name tag in some messages.
57 Commands are currently always requested by the client. The server replies with
58 a response, or with a CMD_UNKNOWN failure message to let the client know
59 that it does not have a handler for such a command. There is no sequence number
60 to associate responses to requests, so only one command can be active at
61 a time on a single connection.
65 To receive event messages, the client explicitly registers for events by name,
66 and also unregisters if it does not want to receive events of the named kind
67 anymore. The server confirms event registration using EVENT_CONFIRM, or
68 indicates that there is no such event source with EVENT_UNKNOWN.
70 Events may get raised at any time while registered, even during an active
71 request command. This mechanism is used to feed continuous data during a request,
76 The defined packet types optionally wrap a message with additional data.
77 Messages are currently used in CMD_REQUEST/CMD_RESPONSE, and in EVENT packets.
78 A message uses a hierarchial tree of sections. Each section (or the implicit
79 root section) contains an arbitrary set of key/value pairs, lists and
80 sub-sections. The length of a message is not part of the message itself, but
81 the wrapping layer, usually calculated from the transport byte sequence length.
83 The message encoding consists of a sequence of elements. Each element starts
84 with the element type, optionally followed by an element name and/or an element
85 value. Currently the following message element types are defined:
87 * _SECTION_START = 1_: Begin a new section having a name
88 * _SECTION_END = 2_: End a previously started section
89 * _KEY_VALUE = 3_: Define a value for a named key in the current section
90 * _LIST_START = 4_: Begin a named list for list items
91 * _LIST_ITEM = 5_: Define an unnamed item value in the current list
92 * _LIST_END = 6_: End a previously started list
94 Types are encoded as 8-bit values. Types having a name (SECTION_START,
95 KEY_VALUE and LIST_START) have an ASCII string following the type, which itself
96 uses an 8-bit length header. The string must not be null-terminated, the string
97 length does not include the length field itself.
99 Types having a value (KEY_VALUE and LIST_ITEM) have a raw blob sequence,
100 prefixed with a 16-bit network order length. The blob follows the type or the
101 name tag if available, the length defined by the length field does not include
102 the length field itself.
104 The interpretation of any value is not defined by the message format; it can
105 take arbitrary blobs. The application may specify types for specific keys, such
106 as strings or integer representations. The vici plugin currently uses
107 non-null terminated strings as values only; numbers get encoded as strings.
111 Sections may be opened in the implicit root section, or any previously section.
112 They can be nested to arbitrary levels. A SECTION_END marker always closes
113 the last opened section; SECTION_START and SECTION_END items must be balanced
118 Key/Value pair elements may appear in the implicit root section or any explicit
119 sub-section at any level. Key names must be unique in the current section, use
120 lists to define multiple values for a key. Key/values may not appear in lists,
121 use a sub-section instead.
125 Lists may appear at the same locations as Key/Values, and may not be nested.
126 Only a single list may be opened at the same time, and all lists must be closed
127 in valid messages. After opening a list, only list items may appear before the
128 list closing element. Empty lists are allowed, list items may appear within
131 ### Encoding example ###
133 Consider the following structure using pseudo-markup for this example:
140 list1 = [ item1, item2 ]
143 The example above reprensents a valid tree structure, that gets encoded as
144 the following C array:
148 3, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
150 1, 8,'s','e','c','t','i','o','n','1',
152 1, 11,'s','u','b','-','s','e','c','t','i','o','n',
154 3, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
155 /* sub-section end */
158 4, 5, 'l','i','s','t','1',
160 5, 0,5,'i','t','e','m','1',
162 5, 0,5,'i','t','e','m','2',
169 ## Client-initiated commands ##
171 Based on the packet layer, VICI implements commands requested by the client
172 and responded to by the server using named _CMD_REQUEST_ and _CMD_RESPONSE_
173 packets wrapping messages. The request message may contain command arguments,
174 the response message the reply.
176 Some commands use response streaming, that is, a request triggers a series of
177 events to consecutively stream data to the client before the response message
178 completes the stream. A client must register for the appropriate event to
179 receive the stream, and unregister after the response has been received.
181 The following client issued commands with the appropriate command input and
182 output messages are currently defined:
186 Returns daemon and system specific version information.
189 daemon = <IKE daemon name>
190 version = <strongSwan version>
191 sysname = <operating system name>
192 release = <operating system release>
193 machine = <hardware identifier>
198 Returns IKE daemon statistics and load information.
202 running = <relative uptime in human-readable form>
203 since = <absolute startup time>
206 total = <total number of worker threads>
207 idle = <worker threads currently idle>
209 critical = <threads processing "critical" priority jobs>
210 high = <threads processing "high" priority jobs>
211 medium = <threads processing "medium" priority jobs>
212 low = <threads processing "low" priority jobs>
216 critical = <jobs queued with "critical" priority>
217 high = <jobs queued with "high" priority>
218 medium = <jobs queued with "medium" priority>
219 low = <jobs queued with "low" priority>
221 scheduled = <number of jobs scheduled for timed execution>
223 total = <total number of IKE_SAs active>
224 half-open = <number of IKE_SAs in half-open state>
227 <names of loaded plugins>
229 mem = { # available if built with leak-detective or on Windows
230 total = <total heap memory usage in bytes>
231 allocs = <total heap allocation blocks>
232 <heap-name>* = { # on Windows only
233 total = <heap memory usage in bytes by this heap>
234 allocs = <allocated blocks for this heap>
237 mallinfo = { # available with mallinfo() support
238 sbrk = <non-mmaped space available>
239 mmap = <mmaped space available>
240 used = <total number of bytes used>
241 free = <available but unused bytes>
245 ### reload-settings() ###
247 Reloads _strongswan.conf_ settings and all plugins supporting configuration
251 success = <yes or no>
252 errmsg = <error string on failure>
257 Initiates an SA while streaming _control-log_ events.
260 child = <CHILD_SA configuration name to initiate>
261 ike = <optional IKE_SA configuration name to find child under>
262 timeout = <timeout in ms before returning>
263 init-limits = <whether limits may prevent initiating the CHILD_SA>
264 loglevel = <loglevel to issue "control-log" events for>
266 success = <yes or no>
267 errmsg = <error string on failure or timeout>
270 The default timeout of 0 waits indefinitely for a result, and a timeout value
271 of -1 returns a result immediately.
275 Terminates an SA while streaming _control-log_ events.
278 child = <terminate a CHILD_SA by configuration name>
279 ike = <terminate an IKE_SA by configuration name>
280 child-id = <terminate a CHILD_SA by its reqid>
281 ike-id = <terminate an IKE_SA by its unique id>
282 timeout = <timeout in ms before returning>
283 loglevel = <loglevel to issue "control-log" events for>
285 success = <yes or no>
286 matches = <number of matched SAs>
287 terminated = <number of terminated SAs>
288 errmsg = <error string on failure or timeout>
291 The default timeout of 0 waits indefinitely for a result, and a timeout value
292 of -1 returns a result immediately.
296 Initiate the rekeying of an SA.
299 child = <rekey a CHILD_SA by configuration name>
300 ike = <rekey an IKE_SA by configuration name>
301 child-id = <rekey a CHILD_SA by its reqid>
302 ike-id = <rekey an IKE_SA by its unique id>
304 success = <yes or no>
305 matches = <number of matched SAs>
306 errmsg = <error string on failure>
311 Redirect a client-initiated IKE_SA to another gateway. Only for IKEv2 and if
312 supported by the peer.
315 ike = <redirect an IKE_SA by configuration name>
316 ike-id = <redirect an IKE_SA by its unique id>
317 peer-ip = <redirect an IKE_SA with matching peer IP, may also be a
318 subnet in CIDR notation or an IP range>
319 peer-id = <redirect an IKE_SA with matching peer identity, may contain
322 success = <yes or no>
323 matches = <number of matched SAs>
324 errmsg = <error string on failure>
329 Install a trap, drop or bypass policy defined by a CHILD_SA config.
332 child = <CHILD_SA configuration name to install>
333 ike = <optional IKE_SA configuration name to find child under>
335 success = <yes or no>
336 errmsg = <error string on failure>
341 Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
344 child = <CHILD_SA configuration name to install>
345 ike = <optional IKE_SA configuration name to find child under,
346 if not given the first policy matching child is removed>
348 success = <yes or no>
349 errmsg = <error string on failure>
354 Lists currently active IKE_SAs and associated CHILD_SAs by streaming _list-sa_
358 noblock = <use non-blocking mode if key is set>
359 ike = <filter listed IKE_SAs by its name>
360 ike-id = <filter listed IKE_SA by its unique id>
362 # completes after streaming list-sa events
365 ### list-policies() ###
367 List currently installed trap, drop and bypass policies by streaming
368 _list-policy_ events.
371 drop = <set to yes to list drop policies>
372 pass = <set to yes to list bypass policies>
373 trap = <set to yes to list trap policies>
374 child = <filter by CHILD_SA configuration name>
375 ike = <filter by IKE_SA configuration name>
377 # completes after streaming list-sa events
382 List currently loaded connections by streaming _list-conn_ events. This
383 call includes all connections known by the daemon, not only those loaded
387 ike = <list connections matching a given configuration name only>
389 # completes after streaming list-conn events
394 Return a list of connection names loaded exclusively over vici, not including
395 connections found in other backends.
399 <list of connection names>
405 List currently loaded certificates by streaming _list-cert_ events. This
406 call includes all certificates known by the daemon, not only those loaded
410 type = <certificate type to filter for, X509|X509_AC|X509_CRL|
411 OCSP_RESPONSE|PUBKEY or ANY>
412 flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
413 subject = <set to list only certificates having subject>
415 # completes after streaming list-cert events
418 ### list-authorities() ###
420 List currently loaded certification authority information by streaming
421 _list-authority_ events.
424 name = <list certification authority of a given name>
426 # completes after streaming list-authority events
429 ### get-authorities() ###
431 Return a list of currently loaded certification authority names.
435 <list of certification authority names>
441 Load a single connection definition into the daemon. An existing connection
442 with the same name gets updated or replaced.
445 <IKE_SA config name> = {
446 # IKE configuration parameters with authentication and CHILD_SA
447 # subsections. Refer to swanctl.conf(5) for details.
449 success = <yes or no>
450 errmsg = <error string on failure>
454 ### unload-conn() ###
456 Unload a previously loaded connection definition by name.
459 name = <IKE_SA config name>
461 success = <yes or no>
462 errmsg = <error string on failure>
467 Load a certificate into the daemon.
470 type = <certificate type, X509|X509_AC|X509_CRL>
471 flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
472 data = <PEM or DER encoded certificate data>
474 success = <yes or no>
475 errmsg = <error string on failure>
480 Load a private key into the daemon.
483 type = <private key type, RSA|ECDSA>
484 data = <PEM or DER encoded key data>
486 success = <yes or no>
487 errmsg = <error string on failure>
492 Unload the private key with the given key identifier.
495 id = <hex-encoded SHA-1 key identifier of the private key to unload>
497 success = <yes or no>
498 errmsg = <error string on failure>
503 Return a list of identifiers of private keys loaded exclusively over vici, not
504 including keys found in other backends.
508 <list of hex-encoded SHA-1 key identifiers>
514 Load a private key located on a token into the daemon. Such keys may be listed
515 and unloaded using the _get-keys_ and _unload-key_ commands, respectively (based
516 on the key identifier derived from the public key).
519 handle = <hex-encoded CKA_ID of the private key on token>
520 slot = <optional slot number>
521 module = <optional PKCS#11 module>
522 pin = <optional PIN to access the key, has to be provided via other
525 success = <yes or no>
526 errmsg = <error string on failure>
527 id = <hex-encoded SHA-1 key identifier of the public key on success>
530 ### load-shared() ###
532 Load a shared IKE PSK, EAP or XAuth secret into the daemon.
535 id = <optional unique identifier of this shared key>
536 type = <shared key type, IKE|EAP|XAUTH>
537 data = <raw shared key data>
539 <list of shared key owner identities>
542 success = <yes or no>
543 errmsg = <error string on failure>
546 ### unload-shared() ###
548 Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique
552 id = <unique identifier of the shared key to unload>
554 success = <yes or no>
555 errmsg = <error string on failure>
560 Return a list of unique identifiers of shared keys loaded exclusively over vici,
561 not including keys found in other backends.
565 <list of unique identifiers>
569 ### flush-certs() ###
571 Flushes the certificate cache. The optional type argument allows to flush
572 only certificates of a given type, e.g. all cached CRLs.
575 type = <certificate type to filter for, X509|X509_AC|X509_CRL|
576 OCSP_RESPONSE|PUBKEY or ANY>
578 success = <yes or no>
579 errmsg = <error string on failure>
582 ### clear-creds() ###
584 Clear all loaded certificate, private key and shared key credentials. This
585 affects only credentials loaded over vici, but additionally flushes the
589 success = <yes or no>
590 errmsg = <error string on failure>
593 ### load-authority() ###
595 Load a single certification authority definition into the daemon. An existing
596 authority with the same name gets replaced.
599 <certification authority name> = {
600 # certification authority parameters
601 # refer to swanctl.conf(5) for details.
603 success = <yes or no>
604 errmsg = <error string on failure>
608 ### unload-authority() ###
610 Unload a previously loaded certification authority definition by name.
613 name = <certification authority name>
615 success = <yes or no>
616 errmsg = <error string on failure>
621 Load an in-memory virtual IP and configuration attribute pool. Existing
622 pools with the same name get updated, if possible.
626 addrs = <subnet of virtual IP pool addresses>
627 <attribute type>* = [
628 # attribute type is one of address, dns, nbns, dhcp, netmask,
629 # server, subnet, split_include, split_exclude or a numerical
630 # attribute type identifier.
631 <list of attributes for type>
635 success = <yes or no>
636 errmsg = <error string on failure>
639 ### unload-pool() ###
641 Unload a previously loaded virtual IP and configuration attribute pool.
642 Unloading fails for pools with leases currently online.
645 name = <virtual IP address pool to delete>
647 success = <yes or no>
648 errmsg = <error string on failure>
653 List the currently loaded pools.
656 leases = <set to yes to include leases>
657 name = <optional name of the pool to query>
660 base = <virtual IP pool base address>
661 size = <total number of addresses in the pool>
662 online = <number of leases online>
663 offline = <number of leases offline>
665 <zero-based index>* = {
666 address = <IP address>
667 identity = <assigned identity>
668 status = <online|offline>
674 ### get-algorithms() ###
676 List currently loaded algorithms and their implementation.
680 <algorithm> = <plugin providing the implementation>
684 ## Server-issued events ##
686 Based on the packet layer, the vici plugin raises event messages using named
687 EVENT packets wrapping messages. The message contains event details.
691 The _log_ event is issued to registered clients for each debug log message.
692 This event is not associated with a command.
695 group = <subsystem identifier for debug message>
696 level = <log level, 0-4>
697 thread = <numerical thread identifier issuing the log message>
698 ikesa-name = <name of IKE_SA, if log is associated with any>
699 ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
700 msg = <log message text>
705 The _control-log_ event is issued for log events during active _initiate_ or
706 _terminate_ commands. It is issued only to clients currently having such
710 group = <subsystem identifier for debug message>
711 level = <log level, 0-4>
712 ikesa-name = <name of IKE_SA, if log associated with any>
713 ikesa-uniqued = <unique identifier of IKE_A, if log associated with any>
714 msg = <log message text>
719 The _list-sa_ event is issued to stream IKE_SAs during an active _list-sas_
723 <IKE_SA config name> = {
724 uniqueid = <IKE_SA unique identifier>
725 version = <IKE version, 1 or 2>
726 state = <IKE_SA state name>
727 local-host = <local IKE endpoint address>
728 local-port = <local IKE endpoint port>
729 local-id = <local IKE identity>
730 remote-host = <remote IKE endpoint address>
731 remote-port = <remote IKE endpoint port>
732 remote-id = <remote IKE identity>
733 remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
734 remote-eap-id = <remote EAP identity, if EAP-authenticated>
735 initiator = <yes, if initiator of IKE_SA>
736 initiator-spi = <hex encoded initiator SPI / cookie>
737 responder-spi = <hex encoded responder SPI / cookie>
738 nat-local = <yes, if local endpoint is behind a NAT>
739 nat-remote = <yes, if remote endpoint is behind a NAT>
740 nat-fake = <yes, if NAT situation has been faked as responder>
741 nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
742 encr-alg = <IKE encryption algorithm string>
743 encr-keysize = <key size for encr-alg, if applicable>
744 integ-alg = <IKE integrity algorithm string>
745 integ-keysize = <key size for encr-alg, if applicable>
746 prf-alg = <IKE pseudo random function string>
747 dh-group = <IKE Diffie-Hellman group string>
748 established = <seconds the IKE_SA has been established>
749 rekey-time = <seconds before IKE_SA gets rekeyed>
750 reauth-time = <seconds before IKE_SA gets re-authenticated>
752 <list of virtual IPs assigned by the remote peer, installed locally>
755 <list of virtual IPs assigned to the remote peer>
758 <list of currently queued tasks for execution>
761 <list of tasks currently initiating actively>
764 <list of tasks currently handling passively>
767 <unique child-sa-name>* = {
768 name = <name of the CHILD_SA>
769 uniqueid = <unique CHILD_SA identifier>
770 reqid = <reqid of CHILD_SA>
771 state = <state string of CHILD_SA>
772 mode = <IPsec mode, tunnel|transport|beet>
773 protocol = <IPsec protocol AH|ESP>
774 encap = <yes if using UDP encapsulation>
775 spi-in = <hex encoded inbound SPI>
776 spi-out = <hex encoded outbound SPI>
777 cpi-in = <hex encoded inbound CPI, if using compression>
778 cpi-out = <hex encoded outbound CPI, if using compression>
779 mark-in = <hex encoded inbound Netfilter mark value>
780 mark-mask-in = <hex encoded inbound Netfilter mark mask>
781 mark-out = <hex encoded outbound Netfilter mark value>
782 mark-mask-out = <hex encoded outbound Netfilter mark mask>
783 encr-alg = <ESP encryption algorithm name, if any>
784 encr-keysize = <ESP encryption key size, if applicable>
785 integ-alg = <ESP or AH integrity algorithm name, if any>
786 integ-keysize = <ESP or AH integrity key size, if applicable>
787 prf-alg = <CHILD_SA pseudo random function name>
788 dh-group = <CHILD_SA PFS rekeying DH group name, if any>
789 esn = <1 if using extended sequence numbers>
790 bytes-in = <number of input bytes processed>
791 packets-in = <number of input packets processed>
792 use-in = <seconds since last inbound packet, if any>
793 bytes-out = <number of output bytes processed>
794 packets-out = <number of output packets processed>
795 use-out = <seconds since last outbound packet, if any>
796 rekey-time = <seconds before CHILD_SA gets rekeyed>
797 life-time = <seconds before CHILD_SA expires>
798 install-time = <seconds the CHILD_SA has been installed>
800 <list of local traffic selectors>
803 <list of remote traffic selectors>
812 The _list-policy_ event is issued to stream installed policies during an active
813 _list-policies_ command.
816 <ike-sa-config-name/child-sa-config-name> = {
817 child = <CHILD_SA configuration name>
818 ike = <IKE_SA configuration name or namespace, if available>
819 mode = <policy mode, tunnel|transport|pass|drop>
821 <list of local traffic selectors>
824 <list of remote traffic selectors>
831 The _list-conn_ event is issued to stream loaded connection during an active
832 _list-conns_ command.
835 <IKE_SA connection name> = {
837 <list of valid local IKE endpoint addresses>
840 <list of valid remote IKE endpoint addresses>
842 version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
843 reauth_time = <IKE_SA reauthentication interval in seconds>
844 rekey_time = <IKE_SA rekeying interval in seconds>
846 local*, remote* = { # multiple local and remote auth sections
847 class = <authentication type>
848 eap-type = <EAP type to authenticate if when using EAP>
849 eap-vendor = <EAP vendor for type, if any>
850 xauth = <xauth backend name>
851 revocation = <revocation policy>
853 aaa_id = <AAA authentication backend identity>
854 eap_id = <EAP identity for authentication>
855 xauth_id = <XAuth username for authentication>
857 <group membership required to use connection>
860 <certificates allowed for authentication>
863 <CA certificates allowed for authentication>
867 <CHILD_SA config name>* = {
869 rekey_time = <CHILD_SA rekeying interval in seconds>
870 rekey_bytes = <CHILD_SA rekeying interval in bytes>
871 rekey_packets = <CHILD_SA rekeying interval in packets>
873 <list of local traffic selectors>
876 <list of remote traffic selectors>
885 The _list-cert_ event is issued to stream loaded certificates during an active
886 _list-certs_ command.
889 type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
890 flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
891 has_privkey = <set if a private key for the certificate is available>
892 data = <ASN1 encoded certificate data>
893 subject = <subject string if defined and certificate type is PUBKEY>
894 not-before = <time string if defined and certificate type is PUBKEY>
895 not-after = <time string if defined and certificate type is PUBKEY>
898 ### list-authority ###
900 The _list-authority_ event is issued to stream loaded certification authority
901 information during an active_list-authorities_ command.
904 <certification authority name> = {
905 cacert = <subject distinguished name of CA certificate>
907 <CRL URI (http, ldap or file)>
912 cert_uri_base = <base URI for download of hash-and-URL certificates>
918 The _ike-updown_ event is issued when an IKE_SA is established or terminated.
921 up = <set if up event>
922 <IKE_SA config name> = {
923 <same data as in the list-sas event, but without child-sas section>
929 The _ike-rekey_ event is issued when an IKE_SA is rekeyed.
932 <IKE_SA config name> = {
934 <same data as in the list-sas event, but without child-sas section>
937 <same data as in the list-sas event, but without child-sas section>
944 The _child-updown_ event is issued when a CHILD_SA is established or terminated.
947 up = <set if up event>
948 <IKE_SA config name> = {
949 <same data as in the list-sas event, but with only the affected
950 CHILD_SA in the child-sas section>
956 The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
959 <IKE_SA config name> = {
960 <same data as in the list-sas event, but with the child-sas section
965 <same data as in the list-sas event>
968 <same data as in the list-sas event>
975 # libvici C client library #
977 libvici is the reference implementation of a C client library implementing
978 the vici protocol. It builds upon libstrongswan, but provides a stable API
979 to implement client applications in the C programming language. libvici uses
980 the libstrongswan thread pool to deliver event messages asynchronously.
982 ## Connecting to the daemon ##
984 This example shows how to connect to the daemon using the default URI, and
985 then perform proper cleanup:
993 int main(int argc, char *argv[])
999 conn = vici_connect(NULL);
1003 vici_disconnect(conn);
1008 fprintf(stderr, "connecting failed: %s\n", strerror(errno));
1014 ## A simple client request ##
1016 In the following example, a simple _version_ request is issued to the daemon
1017 and the result is printed:
1019 int get_version(vici_conn_t *conn)
1025 req = vici_begin("version");
1026 res = vici_submit(req, conn);
1029 printf("%s %s (%s, %s, %s)\n",
1030 vici_find_str(res, "", "daemon"),
1031 vici_find_str(res, "", "version"),
1032 vici_find_str(res, "", "sysname"),
1033 vici_find_str(res, "", "release"),
1034 vici_find_str(res, "", "machine"));
1040 fprintf(stderr, "version request failed: %s\n", strerror(errno));
1045 ## A request with event streaming and callback parsing ##
1047 In this more advanced example, the _list-conns_ command is used to stream
1048 loaded connections with the _list-conn_ event. The event message is parsed
1049 with a simple callback to print the connection name:
1051 int conn_cb(void *null, vici_res_t *res, char *name)
1053 printf("%s\n", name);
1057 void list_cb(void *null, char *name, vici_res_t *res)
1059 if (vici_parse_cb(res, conn_cb, NULL, NULL, NULL) != 0)
1061 fprintf(stderr, "parsing failed: %s\n", strerror(errno));
1065 int list_conns(vici_conn_t *conn)
1071 if (vici_register(conn, "list-conn", list_cb, NULL) == 0)
1073 req = vici_begin("list-conns");
1074 res = vici_submit(req, conn);
1082 fprintf(stderr, "request failed: %s\n", strerror(errno));
1084 vici_register(conn, "list-conn", NULL, NULL);
1089 fprintf(stderr, "registration failed: %s\n", strerror(errno));
1094 ## API documentation ##
1096 More information about the libvici API is available in the _libvici.h_ header
1097 file or the generated Doxygen documentation.
1101 The _vici ruby gem_ is a pure ruby implementation of the VICI protocol to
1102 implement client applications. It is provided in the _ruby_ subdirectory, and
1103 gets built and installed if strongSwan has been _./configure_'d with
1104 _--enable-vici_ and _--enable-ruby-gems_.
1106 The _Connection_ class from the _Vici_ module provides the high level interface,
1107 the underlying classes are usually not required to build ruby applications
1108 using VICI. The _Connection_ class provides methods for the supported VICI
1109 commands and an event listening mechanism.
1111 To represent the VICI message data tree, the gem converts the binary encoding
1112 to ruby data types. The _Connection_ class takes and returns ruby objects for
1113 the exchanged message data:
1114 * Sections get encoded as Hash, containing other sections as Hash, or
1115 * Key/Values, where the values are Strings as Hash values
1116 * Lists get encoded as Arrays with String values
1117 Non-String values that are not a Hash nor an Array get converted with .to_s
1120 ## Connecting to the daemon ##
1122 To create a connection to the daemon, a socket can be passed to the
1123 _Connection_ constructor. If none is passed, a default Unix socket at
1124 _/var/run/charon.vici_ is used:
1129 v = Vici::Connection.new(UNIXSocket.new("/var/run/charon.vici"))
1131 ## A simple client request ##
1133 An example to print the daemon version information is as simple as:
1136 puts "%s %s (%s, %s, %s)" % [
1137 x["daemon"], x["version"], x["sysname"], x["release"], x["machine"]
1140 ## A request with closure invocation ##
1142 The _Connection_ class takes care of event streaming by invoking a closure
1143 for each event. The following example lists all loaded connections using the
1144 _list-conns_ command and implicitly the _list-conn_ event:
1146 v.list_conns { |conn|
1147 conn.each { |key, value|
1152 ## API documentation ##
1154 For more details about the ruby gem refer to the comments in the gem source
1155 code or the generated documentation.
1159 The _vici Python egg_ is a pure Python implementation of the VICI protocol to
1160 implement client applications. It is provided in the _python_ subdirectory, and
1161 gets built and installed if strongSwan has been _./configure_'d with
1162 _--enable-vici_ and _--enable-python-eggs_.
1164 The _vici_ module provides a _Session()_ constructor for a high level interface,
1165 the underlying classes are usually not required to build Python applications
1166 using VICI. The _Session_ class provides methods for the supported VICI
1169 To represent the VICI message data tree, the library converts the binary
1170 encoding to Python data types. The _Session_ class takes and returns Python
1171 objects for the exchanged message data:
1172 * Sections get encoded as OrderedDict, containing other sections, or
1173 * Key/Values, where the values are strings as dictionary values
1174 * Lists get encoded as Python Lists with string values
1175 Values that do not conform to Python dict or list get converted to strings using
1178 ## Connecting to the daemon ##
1180 To create a connection to the daemon, a socket can be passed to the _Session_
1181 constructor. If none is passed, a default Unix socket at _/var/run/charon.vici_
1187 s = socket.socket(socket.AF_UNIX)
1188 s.connect("/var/run/charon.vici")
1191 ## A simple client request ##
1193 An example to print the daemon version information is as simple as:
1197 print "{daemon} {version} ({sysname}, {release}, {machine})".format(**ver)
1199 ## A request with response iteration ##
1201 The _Session_ class returns an iterable Python generator for streamed events to
1202 continuously stream objects to the caller. The following example lists all
1203 loaded connections using the _list-conns_ command and implicitly the _list-conn_
1206 for conn in v.list_conns():
1210 Please note that if the returned generator is not iterated completely, it must
1211 be closed using _close()_. This is implicitly done when breaking from a loop,
1212 but an explicit call may be required when directly iterating the generator with
1215 ## Sorting in dictionaries ##
1217 In VICI, in some message trees the order of objects in dictionary matters. In
1218 contrast to ruby Hashes, Python dictionaries do not preserve order of added
1219 objects. It is therefore recommended to use OrderedDicts instead of the default
1220 dictionaries. Objects returned by the library use OrderedDicts.
1222 ## API documentation ##
1224 For more details about the Python egg refer to the comments in the Python source
1227 # Vici::Session Perl CPAN module #
1229 The _Vici::Session Perl CPAN module_ is a pure Perl implementation of the VICI
1230 protocol to implement client applications. It is provided in the _perl_
1231 subdirectory, and gets built and installed if strongSwan has been
1232 _./configure_'d with_--enable-vici_ and _--enable-perl-cpan_.
1234 The _Vici::Session_ module provides a _new()_ constructor for a high level
1235 interface, the underlying _Vici::Packet_ and _Vici::Transport_ classes are
1236 usually not required to build Perl applications using VICI. The _Vici::Session_
1237 class provides methods for the supported VICI commands. The auxiliare
1238 _Vici::Message_ class is used to encode configuration parameters sent to
1239 the daemon and decode data returned by the daemon.
1241 ## Connecting to the daemon ##
1243 use IO::Socket::UNIX;
1247 my $socket = IO::Socket::UNIX->new(
1248 Type => SOCK_STREAM,
1249 Peer => '/var/run/charon.vici',
1250 ) or die "Vici socket: $!";
1252 my $session = Vici::Session->new($socket);
1254 ## A simple client request ##
1256 An example to print the daemon version information is as simple as:
1258 my $version = $session->version()->hash();
1260 foreach my $key ('daemon', 'version', 'sysname', 'release', 'machine' ) {
1261 print $version->{$key}, " ";
1264 The _Vici::Session_ methods are explained in the perl/Vici-Session/README.pod
projects / strongswan.git / blob