Open alvesjc opened 4 years ago
Hello,
I've made the changes needed to accomplish this goal, and I have it now running. Are you interested in merging it ?
Regards
I am interested in a pull request. Please link it within this issue.
Hi Dennis,
Since I was not getting any response on this, I have it forked now.
You may check the code at:
Hello,
I'm reaching you to check if it's possible to add the functionality to read multiple SA'a on the same tunnel/conn.
We have a usage case where a strongswan server is used as a vpn concentrator for EAP or XAUTH radius authenticated users.
A conn working in this mode can be detected by reading the "rightauth" or rightauth2" parameter in conn configuration file.
For this cases, we would need an additional parameter, that is the username, and then bytes and packets and IP for each user.
The output of "ipsec statusall conn" for this cases is like this:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-91-generic, x86_64):
uptime: 2 days, since Jul 20 07:48:59 2020
malloc: sbrk 4956160, mmap 532480, used 3906288, free 1049872
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
10.2.3.4
1.2.3.4
Connections:
conn1: 1.2.3.4...%any IKEv2, dpddelay=30s
conn1: local: [vpn.server.test] uses public key authentication
conn1: cert: "CN=vpn.server.test"
conn1: remote: uses EAP_RADIUS authentication with EAP identity '%any'
conn1: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (6 up, 0 connecting):
conn1[195]: ESTABLISHED 75 seconds ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
conn1[195]: Remote EAP identity: user1
conn1[195]: IKEv2 SPIs: 7794f527b95240ae_i 405cc25b8b125520_r*, rekeying disabled
conn1[195]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
conn1{189}: INSTALLED, TUNNEL, reqid 64, ESP in UDP SPIs: cf925e2c_i 0ebaa365_o
conn1{189}: AES_CBC_256/HMAC_SHA2_256_128, 27978 bytes_i (115 pkts, 7s ago), 24888 bytes_o (93 pkts, 7s ago), rekeying disabled
conn1{189}: 0.0.0.0/0 === 192.168.1.5/32
conn1[189]: ESTABLISHED 34 minutes ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
conn1[189]: Remote EAP identity: user2
conn1[189]: IKEv2 SPIs: b8f50ab49dbcb705_i 37d1d4c97fee3f1e_r*, rekeying disabled
conn1[189]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
conn1{183}: INSTALLED, TUNNEL, reqid 66, ESP in UDP SPIs: c9b2266b_i 0b136eed_o
conn1{183}: AES_CBC_256/HMAC_SHA2_256_128, 4967950 bytes_i (63894 pkts, 0s ago), 263756393 bytes_o (212175 pkts, 0s ago), rekeying disabled
conn1{183}: 0.0.0.0/0 === 192.168.1.57/32
The username can be retrieved from this line:
conn1[195]: Remote EAP identity: user1
And IP address from this:
conn1{189}: 0.0.0.0/0 === 192.168.1.5/32
Packets and bytes is the same as you already do.
The goal would be to have this metrics retrieved for every user connected in the result page.
like this for example:
ipsec_out_packets{tunnel="conn1",user="user1"} 12345
@dennisstritzke Do you think you can add this functionality ?
Thanks.