vici - strongSwan VICI Protocol Interface
The 'vici' Python library provides a native interface for strongSwan's Versatile IKE Control Interface (VICI) protocol. It enables external Python applications to configure, monitor, and control the strongSwan 'charon' IKE daemon. The library is currently at version 6.0.3 and is actively maintained, with regular updates.
Common errors
- FileNotFoundError: [Errno 2] No such file or directory: '/var/run/charon.vici'
  cause: The strongSwan `charon` daemon is either not running, or its VICI Unix socket is located at a different path than the default `/var/run/charon.vici`.
  fix: Verify that the strongSwan `charon` service is active and check its configuration for the `vici` plugin to confirm the exact socket path. If it's different, pass the correct path to `socket.connect()` or set the `VICI_SOCKET` environment variable, which the Quickstart script reads.
- PermissionError: [Errno 13] Permission denied: '/var/run/charon.vici'
  cause: The user executing the Python script lacks the necessary read/write permissions for the VICI Unix domain socket.
  fix: Adjust the permissions of `/var/run/charon.vici` to allow access for your user or group, or run the script with appropriate privileges (e.g., `sudo`). For a more robust solution, configure strongSwan to create the socket with appropriate group ownership and permissions, and add your user to that group.
- AttributeError: 'Session' object has no attribute 'get_algorithms'
  cause: The Python `vici` client's `Session` object does not have a direct wrapper method for the specific VICI command you are trying to call. This can happen for less common commands or if the client library version is older than the daemon's VICI capabilities.
  fix: Use the generic `session.request("command-name", arguments)` method. For example, instead of `session.get_algorithms()`, use `session.request('get-algorithms')`.
Warnings
- gotcha Iterators returned by methods like `list_conns()` are Python generators. Unless they are fully consumed (by iterating through them to the end), they must be explicitly closed using the `.close()` method to release resources.
- gotcha The VICI protocol for strongSwan can, in some message structures, rely on the order of key-value pairs within a dictionary. The `vici` library returns `OrderedDict` instances for these structures; it's recommended to use `OrderedDict` when constructing messages where order is semantically significant to avoid unexpected behavior.
- breaking Older versions of the `vici` Python client (installed via pip) might encounter compatibility issues or missing direct command wrappers when used with much newer strongSwan `charon` daemon versions or VICI plugin versions. While many issues have been resolved, significant version mismatches can lead to unexpected behavior or missing functionality.
- gotcha Connecting to the default VICI Unix socket (`/var/run/charon.vici`) often requires elevated privileges or specific file permissions. A `PermissionError` indicates the user running the script lacks the necessary access.
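A preflight check for the `FileNotFoundError` and `PermissionError` cases described above, as an added example that is not part of the `vici` library or the original page. `check_vici_socket` and its report keys are hypothetical names, and the write-permission rule assumes Linux semantics for Unix sockets.

```python
import os
import stat

DEFAULT_VICI_SOCKET = "/var/run/charon.vici"  # default path named on this page


def check_vici_socket(path=DEFAULT_VICI_SOCKET):
    """Inspect the VICI socket before connecting (hypothetical helper).

    The returned dict has a 'status' of 'missing', 'not-a-socket',
    'no-access' or 'ok', plus ownership and mode when the path exists.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Same condition that makes connect() raise FileNotFoundError
        return {"status": "missing"}
    except PermissionError:
        # A parent directory is not searchable by this user
        return {"status": "no-access"}

    report = {
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        # Assumption: Linux, where connect() needs write permission on the
        # socket, so the "other" write bit opens it to every local account
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }
    if not stat.S_ISSOCK(st.st_mode):
        report["status"] = "not-a-socket"
    elif not os.access(path, os.W_OK):
        # Same condition that makes connect() raise PermissionError
        report["status"] = "no-access"
    else:
        report["status"] = "ok"
    return report


if __name__ == "__main__":
    result = check_vici_socket(os.environ.get("VICI_SOCKET", DEFAULT_VICI_SOCKET))
    print(result)
    if result.get("world_writable"):
        print("warning: socket is writable by all local users")
```

A `world_writable` result of `True` means any local user can send control commands to `charon`; group ownership with mode `srw-rw----` is the tighter setup the fix above recommends.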
Install
```sh
pip install vici
```
Imports
- Session

```python
import vici

session = vici.Session()
```
Quickstart
```python
import os
import socket

import vici

# Default VICI socket path for Unix-like systems
VICI_SOCKET_PATH = os.environ.get('VICI_SOCKET', '/var/run/charon.vici')

s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
try:
    # Connect to the VICI socket
    s.connect(VICI_SOCKET_PATH)
    session = vici.Session(s)

    # Get and print the daemon version information
    version_info = session.version()
    print(f"Connected to strongSwan daemon: {version_info['daemon']} {version_info['version']} "
          f"({version_info['sysname']}, {version_info['release']}, {version_info['machine']})")

    # Example: List loaded connections
    print("\nLoaded Connections:")
    conns_found = False
    for conn in session.list_conns():
        conns_found = True
        print(f"  - {list(conn.keys())[0]}")  # Connection name is the first key
    if not conns_found:
        print("  (No connections found)")
except FileNotFoundError:
    print(f"Error: VICI socket not found at {VICI_SOCKET_PATH}. Is strongSwan charon running?")
except PermissionError:
    print(f"Error: Permission denied when accessing VICI socket at {VICI_SOCKET_PATH}. "
          "Adjust socket permissions or run with appropriate privileges.")
except Exception as e:
    print(f"An unexpected error occurred: {e}")
finally:
    # Important: close the socket when done, including after an error;
    # the session runs over this socket, so closing it ends the session
    s.close()
```