This library allows for the manipulation of strongSwan connection configuration stored in a MySQL database in a manner that is compatible with the strongSwan SQL plugin for charon.

How to use this module:

The strongSwan IPsec package offers the means to store connection configuration in a SQL database. This module offers some facilities to manipulate these config elements from Haskell code in a simplified abstracted way. This library offers two approaches to manipulating strongswan configuration in an SQL database as expected by the SQL plugin. See Managed vs Manual API below.

Since managing each configuration object per hand and establishing the relationships amongst them can be tricky and demands internal knowledge of the SQL plugin inner workings, a special API is offered in which all configuration parameters are bundled together in a single type (see IPSecSettings). The simplified API allows then for writing, reading and deleting these, while behind bars the required elements are created and linked together unbeknownst to the caller. This of course greatly simplifies things but the catch is that the ability to share configuration elements amongst connections is of course lost. Each managed connection configuration gets a separate IKE, Child SA, Peer config etc and no attempt is made to reuse them amongst managed connections.

The different strongswan configuration elements are mapped to a Haskell type and they can be manually written or read from the SQL database. This offers utmost control in terms of what elements get created and how they are interlinked. So for example one can create a single IKE session configuration to be shared for all connections or have some child SA configurations being shared amongst peers of a given type, etc. The downside of course to this level of control is that it requires for the user of the library to be familiar with the (poorly documented) way in which the plugin expects the relationships to be expressed in terms of entries in the SQL tables etc.

The manual API has been reverse engineered based on the SQL table definitions available here

• Child SA : All configuration parameters related to an IPsec SA.
• IKE Configuration : Configuration applicable to the IKE session (phase 1 in IKEv1 parlance).
• Peer Configuration : All elements related to configuration of a peering connection. A peer connection links to a specific IKE configuration (by means of ID), and it is furthermore associated to the Child SA by means of a Peer2ChildConfig type.
• Traffic Selectors: These are independent values linked to a Child SA by means of a Child2TSConfig type.

The manual API consists mainly of one writeXXX, findXXX, lookupXXX and a deleteXXX function for each object to be stored as an SQL row in its respective table. The writeXXX functions trigger an insertion or an update of the given row in the SQL database depending on whether the given object owns a key already or not (usually an ID). The search functions (findXXX and lookupXXX) perform a search in the DB for the given key. The difference is that a findXXX will trigger a failure in the Failable context with a NotFound error and that the lookupXXX functions simply return Nothing if a key doesn't exist in the DB (they can of course trigger other errors in the Failable context)

There are lenses exported to facilitate access to the records in the type section below.