This is a GSoC proposal for Libreswan Org; please comment your suggestions on this Gist.

Candidate Introduction

Task Statement

  • Implement the ipsec add command to make it easier to add connections

Task Analysis

  • This requires experience with Python 3, bash, conf files and Makefiles
  • ipsec add <args> is intended to generate a config file from the arguments provided via the CLI, making the software more user-friendly
  • After successful implementation, it should be able to parse all args that are part of the config file as per the docs, write them to a config file section by section, and include the generated file in the main (default, ipsec.conf) config file.

What I have done so far

  • Read the general documentation and developer documentation
  • Set up a dev environment on a Linux machine
  • Tried several client and server configurations using Amazon EC2 for VPN
  • Subscribed to the mailing list and joined the IRC community
  • Walked through the libreswan codebase and tried to understand the architecture
  • Studied the previous pull requests and open issues, especially ones closely related to the task statement

Task Breakdown

  • Building the core scripts for CLI parsing and creating the config file
  • Adding tests and steps for the CI/CD pipeline
  • Writing extensive documentation

1. Writing Core Program module

  • From what I understand, all CLI command scripts are placed under the programs/ folder
  • Each subcommand has at least 3 files in its subdirectory: a .in file which deals with all parsing, XML file(s) dealing with metadata and docs-related stuff, and a Makefile.
  • I will use Python for writing the core logic and have studied the past PRs implementing similar functionality
  • For parsing the arguments passed via the CLI, I will use the argparse and os modules.
  • After parsing the relevant flags and validating the arguments, a dict keyed by section name will hold, for each section, a dict of the key-value pairs parsed from the args. For example,
        {
            "mytunnel": {
                "leftid": "@west",
                "left": "",
                "leftrsasigkey": "0sAwEAAb42X0gw.....",
                "rightrsasigkey": "0sAwEAAesFfVZqFzRA9F...",
                "authby": "rsasig",
                "auto": "add"
            }
        }
    so that it will be easier to write the .conf file and do the necessary testing.
  • Make provision for default values if arguments are not provided
  • For writing the .conf file from the dict object, I think it would be better to make a new file such as /etc/generated.conf and include it in ipsec.conf. There are multiple choices available for writing the object in the ipsec format specified in the docs: plain-text string formatting, ipsecparse if use of external libs is permitted, and ConfigParser's write method (will require some research to modify the default writing format).
  • Expected time: 70 hours (+/- 10 hours) for a beta working version, before the first evaluation
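
The dict-then-render flow from the list above, as an added example (not code from this proposal or from libreswan): arguments are parsed into a per-section dict, validated so that a value cannot inject extra lines into the generated file, and rendered as a conn section. The option allow-list, the defaults and the connection-name pattern are assumptions made for the example.

```python
import argparse
import re

# Assumed allow-list and defaults; a real tool would cover every ipsec.conf keyword.
ALLOWED_KEYS = ("left", "leftid", "leftrsasigkey", "right", "rightid",
                "rightrsasigkey", "authby", "auto")
DEFAULTS = {"authby": "rsasig", "auto": "add"}
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # assumed name pattern


def build_parser():
    parser = argparse.ArgumentParser(prog="ipsec add")
    parser.add_argument("name", help="connection (section) name")
    for key in ALLOWED_KEYS:
        parser.add_argument("--" + key, default=DEFAULTS.get(key))
    return parser


def parse_connection(argv):
    """Return {section_name: {key: value}} built from CLI arguments."""
    args = vars(build_parser().parse_args(argv))
    name = args["name"]
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid connection name: {name!r}")
    options = {}
    for key in ALLOWED_KEYS:
        value = args[key]
        if not value:
            continue  # unset or empty options are left out of the file
        # A control character (newline, tab) or a double quote in a value
        # could start a new option or section line in the generated file.
        if '"' in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"illegal character in value for {key}")
        options[key] = value
    return {name: options}


def render(config):
    """Render the dict as 'conn <name>' followed by indented key=value lines."""
    lines = []
    for name, options in config.items():
        lines.append(f"conn {name}")
        for key, value in options.items():
            if " " in value:
                value = f'"{value}"'  # values containing spaces are quoted
            lines.append(f"\t{key}={value}")
        lines.append("")
    return "\n".join(lines)
```
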

2. Writing the documentation

  • As this utility is aimed at users who do not want to write the .conf file by hand, I will provide very clear documentation with examples, default values, and advanced usage (in case somebody wants to modify the behaviour)
  • It will include modifications under docs/ and adding an XML file
  • Expected time: 35 hours (+/- 5 hours)

3. Extensive testing and inclusion in CI

  • This will go under programs/testing (and maybe some more directories which I am currently unaware of)
  • I will get more familiar with how testing works in libreswan and add the required test cases, including an empty-input test, proper error output, edge-case coverage, etc.
  • After finishing writing tests, make the necessary changes to the Docker environment if needed and include it in the CI pipeline
  • Expected time: 40 hours (+/- 7 hours)

Community Bonding

  • Get more familiar with the CI and testing guidelines
  • Discuss the default values of the arguments when not passed, and other implementation-specific details
  • Get more comfortable with the codebase and the different entry points of execution


  • I will be able to devote 45+ hours a week at minimum
  • After finishing the primary task, I can work on pending issues with elliptic-curve encryption, Arch Linux and Debian packaging, more test coverage, etc.
  • It would also be good to add an ipsec remove <args> command