Hi,

We are trying to integrate an opensource IPSec stack into our product. This IPSec stack would be configured through embedded web server. Internally we would be implementing a component which would convert user configuration into stack specific format programmatically.

As per our current investigation we understand there are two possible approaches to configure the IPSec stack -
1) Modifying IPSec stack configuration files.
2) Using a Plugin / API interface.

Before moving forward with actual implementation using one of the above approaches I wanted to get Linux expert opinion on -
1) What is the best / preferred approach in Linux world of the two listed above?
2) What are the pros and cons of each of the approaches?

Thanks,
-Ravi

Several thoughts ...

Look at shorewall, which is a good tool for automatically issuing IPsec commands. Maybe you update the Shorewall configuration file then restart that service.

There is an obvious risk of the user shutting himself out of his own system.

I have second thoughts about integrating this into your product, i.e. to be modified directly by the user.

I also am nervous about the possibility that a malicious intruder could tamper with it, perhaps undetected.