Closed luca0x333 closed 5 years ago
- Is the user executing the ipsec_exporter able to run the ipsec statusall command?
- Could you please provide an exemplary output of ipsec statusall <any of your tunnels>?

My current guess is that the exporter either isn't able to get or parse the status correctly.
I am running the exporter as root; this is the output:
root@fw-01:~# ipsec statusall peer-51.xx.xx.xx-tunnel-0
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.20-amd64-vyos, x86_64):
uptime: 36 days, since Mar 26 19:05:07 2019
malloc: sbrk 3063808, mmap 0, used 914720, free 2149088
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
54.xx.xx.xx
Connections:
peer-51.xx.xx.xx-tunnel-0: 54.xx.xx.xx...51.xx.xx.xx IKEv1
peer-51.xx.xx.xx-tunnel-0: local: [54.xx.xx.xx] uses pre-shared key authentication
peer-51.xx.xx.xx-tunnel-0: remote: [51.xx.xx.xx] uses pre-shared key authentication
peer-51.xx.xx.xx-tunnel-0: child: 172.xx.xx.xx/24 === 172.xx.xx.xx/24 TUNNEL
Security Associations (3 up, 1 connecting):
peer-51.xx.xx.xx-tunnel-0[3569]: ESTABLISHED 44 minutes ago, 54.xx.xx.xx[54.xx.xx.xx]...51.xx.xx.xx[51.xx.xx.xx]
peer-51.xx.xx.xx-tunnel-0[3569]: IKEv1 SPIs: 1b2bdb5f914887e6_i* e5e760995546c332_r, pre-shared key reauthentication in 5 minutes
peer-51.xx.xx.xx-tunnel-0[3569]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-51.xx.xx.xx-tunnel-0{14505}: REKEYED, TUNNEL, reqid 3, expires in 2 minutes
peer-51.xx.xx.xx-tunnel-0{14505}: 172.xx.xx.xx/24 === 172.xx.xx.xx/24
peer-51.xx.xx.xx-tunnel-0{14510}: REKEYED, TUNNEL, reqid 3, expires in 16 minutes
peer-51.xx.xx.xx-tunnel-0{14510}: 172.xx.xx.xx/24 === 172.xx.xx.xx/24
peer-51.xx.xx.xx-tunnel-0{14513}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c21b2b9c_i c2c8d92a_o
peer-51.xx.xx.xx-tunnel-0{14513}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 6174 bytes_i (75 pkts, 9s ago), 112892 bytes_o (88 pkts, 10s ago), rekeying in 11 minutes
peer-51.xx.xx.xx-tunnel-0{14513}: 172.xx.xx.xx/24 === 172.xx.xx.xx/24
The exporter recognised your tunnel names as just being peer-51 though they are actually named like peer-51.xx.xx.xx-tunnel-0. Connection names containing dots weren't treated correctly.
I released version 0.3.1, which fixes this issue. Also I verified that your status output is processed correctly. Rolling out the new version should fix your issue. Is the issue actually fixed?
Amazing, thanks a lot. Tomorrow morning I'll try it.
Works as expected, thanks again!
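The failure mode described in the maintainer's reply, as an added example (not the exporter's own code): a connection-name pattern that stops at the first dot yields peer-51, which matches no line of the status output and is therefore reported as 2 (down). The two patterns, the function names and the 0/1 status values are assumptions made for illustration; the inputs are constructed from the redacted output quoted in the thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed inputs modelled on the redacted output quoted in the thread.
const sampleConf = "conn %default\n\tkeyexchange=ikev1\nconn peer-51.xx.xx.xx-tunnel-0\n\tleft=54.xx.xx.xx\n"
const sampleStatus = `peer-51.xx.xx.xx-tunnel-0[3569]: ESTABLISHED 44 minutes ago, 54.xx.xx.xx[54.xx.xx.xx]...51.xx.xx.xx[51.xx.xx.xx]
peer-51.xx.xx.xx-tunnel-0{14505}: REKEYED, TUNNEL, reqid 3, expires in 2 minutes
peer-51.xx.xx.xx-tunnel-0{14513}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c21b2b9c_i c2c8d92a_o
`

// Hypothetical patterns: the narrow one stops at the first dot, the wide one takes the whole name.
var narrowConn = regexp.MustCompile(`(?m)^conn\s+([A-Za-z0-9_-]+)`)
var wideConn = regexp.MustCompile(`(?m)^conn\s+(\S+)`)

// connNames returns the connection names declared in ipsec.conf text, skipping "conn %default".
func connNames(conf string, re *regexp.Regexp) []string {
	var names []string
	for _, m := range re.FindAllStringSubmatch(conf, -1) {
		if m[1][0] != '%' {
			names = append(names, m[1])
		}
	}
	return names
}

// tunnelStatus returns 0 when an IKE SA is ESTABLISHED and a child SA is INSTALLED,
// 1 when only the IKE SA is up, 2 (down) otherwise. Only "2 = down" is from the thread.
func tunnelStatus(status, name string) int {
	q := regexp.QuoteMeta(name) // dots in the name must match literally
	ike := regexp.MustCompile(`(?m)^\s*` + q + `\[\d+\]: ESTABLISHED`)
	child := regexp.MustCompile(`(?m)^\s*` + q + `\{\d+\}: INSTALLED, TUNNEL`)
	if !ike.MatchString(status) {
		return 2
	}
	if child.MatchString(status) {
		return 0
	}
	return 1
}

func main() {
	names := append(connNames(sampleConf, narrowConn), connNames(sampleConf, wideConn)...)
	for _, n := range names {
		fmt.Printf("ipsec_status{tunnel=%q} %d\n", n, tunnelStatus(sampleStatus, n))
	}
}
```

A monitoring check that reports every tunnel as down while traffic counters are increasing is a sign that the name extracted from the configuration and the name in the status output have diverged.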
Hello,
I run ipsec_exporter on a Vyatta firewall (Debian based); the metrics show that all the tunnels are down (status 2) when they are up and running.
ipsec_status{tunnel="peer-115"} 2
ipsec_status{tunnel="peer-138"} 2
ipsec_status{tunnel="peer-195"} 2
ipsec_status{tunnel="peer-198"} 2
ipsec_status{tunnel="peer-51"} 2
ipsec_status{tunnel="peer-83"} 2
peer-138.xx.xx.xx-tunnel-0{8987}: INSTALLED, TUNNEL, reqid 9, ESP SPIs: cef086aa_i c500ce25_o
and I am using /etc/ipsec.conf, of course, with all the tunnel names, which are properly reported in the metrics
and so on..
I downloaded the 0.3 version of the exporter and I am using this version of ipsec: Linux strongSwan U5.3.5/K4.4.95-amd64-vyos
Any idea? Thanks