The sql plugin provides not only configuration details but also credentials stored in a database. It is not required to store everything in the database, and the data can be combined with that provided by other plugins. So it is possible to use the stroke plugin to provide configurations from ipsec.conf and certificates from /etc/ipsec.d/ but define the usernames and passwords used for EAP/XAuth authentication in a database instead of in ipsec.secrets. The driver provided by the mysql plugin is required by the sql plugin to access MySQL databases.
As mentioned above, you are free to ignore the tables that provide configurations and instead just define the secrets and usernames in the shared_secrets and identities tables, respectively, and associate them via the shared_secret_identity table. The id2sql script (not installed but built in the scripts folder in the strongSwan build directory) provides an easy way to generate entries for the identities table.
Here is some example SQL data (more information regarding the types can be found here):
INSERT INTO identities (
type, data
) VALUES ( /* type=ID_RFC822_ADDR, data=carol@strongswan.org */
3, X'6361726f6c407374726f6e677377616e2e6f7267'
);
INSERT INTO shared_secrets (
type, data
) VALUES ( /* type=SHARED_EAP/XAUTH, data=Ar3etTnp01qlpOgb */
2, X'4172336574546e703031716c704f6762'
);
/* assumes the entries above are the first ones in their respective
* tables, as their id column is auto_increment */
INSERT INTO shared_secret_identity (
shared_secret, identity
) VALUES (
1, 1
);
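The following generator is an added example, not part of the original page and not the id2sql script: it hex-encodes an identity and an EAP/XAuth secret the same way as the data above and links the rows by value rather than by a hard-coded id. The function names, the simplified identity classification (IP literal, user@domain, otherwise FQDN) and the MAX(id) lookup are assumptions made for illustration.

```python
import ipaddress

# IKE identity types (RFC 7296) and the shared secret type used on this page
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
SHARED_EAP = 2  # SHARED_EAP/XAUTH


def encode_identity(value):
    """Return (type, raw bytes) for an identity string.

    Simplified classification (assumption): IP literal first, then
    user@domain, otherwise FQDN. Distinguished names are not handled.
    """
    try:
        addr = ipaddress.ip_address(value)
        return (ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR, addr.packed)
    except ValueError:
        pass
    if "@" in value:
        return ID_RFC822_ADDR, value.encode("utf-8")
    return ID_FQDN, value.encode("utf-8")


def blob(data):
    """Render bytes as a hex literal so no user text is pasted into the SQL."""
    if not data:
        raise ValueError("empty value")
    return "X'" + data.hex() + "'"


def eap_user_sql(identity, password):
    """Build the three INSERTs that bind one EAP/XAuth secret to one identity."""
    id_type, id_data = encode_identity(identity)
    ident, secret = blob(id_data), blob(password.encode("utf-8"))
    return "\n".join([
        f"INSERT INTO identities (type, data) VALUES ({id_type}, {ident});",
        f"INSERT INTO shared_secrets (type, data) VALUES ({SHARED_EAP}, {secret});",
        # Look up the newest matching rows instead of assuming both got id 1.
        "INSERT INTO shared_secret_identity (shared_secret, identity)",
        "  SELECT MAX(s.id), MAX(i.id) FROM shared_secrets s, identities i",
        f"  WHERE s.type = {SHARED_EAP} AND s.data = {secret}",
        f"    AND i.type = {id_type} AND i.data = {ident};",
    ])


if __name__ == "__main__":
    # Sample values reused from the example data on this page
    print(eap_user_sql("carol@strongswan.org", "Ar3etTnp01qlpOgb"))
```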