dennisstritzke / ipsec_exporter

Prometheus exporter for IPsec metrics.
MIT License

Feature request: Retrieve metrics for multiple SA's for the same conn #29

Open alvesjc opened 4 years ago

alvesjc commented 4 years ago

Hello,

I'm reaching out to check if it's possible to add the functionality to read multiple SAs on the same tunnel/conn.

We have a usage case where a strongswan server is used as a vpn concentrator for EAP or XAUTH radius authenticated users.

A conn working in this mode can be detected by reading the "rightauth" or "rightauth2" parameter in the conn configuration file.

For these cases, we would need an additional parameter, the username, and then bytes, packets and IP for each user.

The output of "ipsec statusall conn" for these cases looks like this:

```
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-91-generic, x86_64):
  uptime: 2 days, since Jul 20 07:48:59 2020
  malloc: sbrk 4956160, mmap 532480, used 3906288, free 1049872
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  10.2.3.4
  1.2.3.4
Connections:
  conn1:  1.2.3.4...%any  IKEv2, dpddelay=30s
  conn1:   local:  [vpn.server.test] uses public key authentication
  conn1:    cert:  "CN=vpn.server.test"
  conn1:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
  conn1:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (6 up, 0 connecting):
  conn1[195]: ESTABLISHED 75 seconds ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
  conn1[195]: Remote EAP identity: user1
  conn1[195]: IKEv2 SPIs: 7794f527b95240ae_i 405cc25b8b125520_r*, rekeying disabled
  conn1[195]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  conn1{189}:  INSTALLED, TUNNEL, reqid 64, ESP in UDP SPIs: cf925e2c_i 0ebaa365_o
  conn1{189}:  AES_CBC_256/HMAC_SHA2_256_128, 27978 bytes_i (115 pkts, 7s ago), 24888 bytes_o (93 pkts, 7s ago), rekeying disabled
  conn1{189}:   0.0.0.0/0 === 192.168.1.5/32
  conn1[189]: ESTABLISHED 34 minutes ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
  conn1[189]: Remote EAP identity: user2
  conn1[189]: IKEv2 SPIs: b8f50ab49dbcb705_i 37d1d4c97fee3f1e_r*, rekeying disabled
  conn1[189]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  conn1{183}:  INSTALLED, TUNNEL, reqid 66, ESP in UDP SPIs: c9b2266b_i 0b136eed_o
  conn1{183}:  AES_CBC_256/HMAC_SHA2_256_128, 4967950 bytes_i (63894 pkts, 0s ago), 263756393 bytes_o (212175 pkts, 0s ago), rekeying disabled
  conn1{183}:   0.0.0.0/0 === 192.168.1.57/32
```

The username can be retrieved from this line:

conn1[195]: Remote EAP identity: user1

And IP address from this:

conn1{189}: 0.0.0.0/0 === 192.168.1.5/32

Packets and bytes are the same as you already do.

The goal would be to have these metrics retrieved for every user connected in the result page.

like this for example:

ipsec_out_packets{tunnel="conn1",user="user1"} 12345

@dennisstritzke Do you think you can add this functionality ?

Thanks.
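The parsing the request above describes, written out as an added example in Go. This is not code from ipsec_exporter or from any fork of it; it is an editor's illustration of one way to walk the `ipsec statusall` output quoted in the issue. Assumptions not taken from the issue: the metric names follow the `ipsec_out_packets` shape of the example line, the `remote_ip` label is an addition, the `Remote XAuth identity:` line for IKEv1 clients is assumed to have the same shape as the `Remote EAP identity:` line, and the sample input is constructed from the SA section quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// UserSA is one remote-access client as listed by "ipsec statusall".
type UserSA struct {
	Conn, IKEID, User, RemoteIP              string
	BytesIn, PacketsIn, BytesOut, PacketsOut uint64
	Children                                 int // child SAs seen under this IKE SA
}

var (
	reIKE   = regexp.MustCompile(`^(\S+)\[(\d+)\]:\s+(.*)$`) // conn1[195]: ...
	reChild = regexp.MustCompile(`^(\S+)\{(\d+)\}:\s+(.*)$`) // conn1{189}: ...
	reTS    = regexp.MustCompile(`^(\S+) === (\S+)$`)        // local === remote selector
	// "N bytes_i (P pkts, Ts ago), ..."; the bracketed part is absent until the first packet.
	reCounters = regexp.MustCompile(`(\d+) bytes_i(?: \((\d+) pkts[^)]*\))?, (\d+) bytes_o(?: \((\d+) pkts[^)]*\))?`)
)

// An unmatched optional group is "" and counts as 0.
func num(s string) uint64 { n, _ := strconv.ParseUint(s, 10, 64); return n }

// ParseStatusAll attributes each child SA "{n}" to the IKE SA "[m]" listed just before it.
// The two numbers are independent counters and are never matched against each other:
// in the output above conn1[189] is user2's IKE SA while conn1{189} is user1's child SA.
func ParseStatusAll(out string) []*UserSA {
	var sas []*UserSA
	var cur *UserSA
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if m := reIKE.FindStringSubmatch(line); m != nil {
			if cur == nil || cur.Conn != m[1] || cur.IKEID != m[2] {
				cur = &UserSA{Conn: m[1], IKEID: m[2]}
				sas = append(sas, cur)
			}
			// "Remote EAP identity: user1"; the XAuth variant is assumed to share the shape.
			if i := strings.Index(m[3], " identity: "); i >= 0 && strings.HasPrefix(m[3], "Remote ") {
				cur.User = m[3][i+len(" identity: "):]
			}
			continue
		}
		m := reChild.FindStringSubmatch(line)
		if m == nil || cur == nil || m[1] != cur.Conn {
			continue
		}
		if c := reCounters.FindStringSubmatch(m[3]); c != nil {
			// Around a rekey two child SAs are INSTALLED at once; summing them keeps
			// the per-user series from dipping to zero for that interval.
			cur.Children++
			cur.BytesIn, cur.PacketsIn = cur.BytesIn+num(c[1]), cur.PacketsIn+num(c[2])
			cur.BytesOut, cur.PacketsOut = cur.BytesOut+num(c[3]), cur.PacketsOut+num(c[4])
		} else if t := reTS.FindStringSubmatch(m[3]); t != nil {
			cur.RemoteIP = strings.TrimSuffix(strings.TrimSuffix(t[2], "/32"), "/128") // client's virtual IP
		}
	}
	return sas
}

// escapeLabel applies Prometheus text-format escaping for label values. The identity
// is a string supplied by the remote peer, so it never reaches the output unescaped.
func escapeLabel(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(s)
}

// Metrics renders one sample per user and counter; IKE SAs without an installed child SA produce none.
func Metrics(sas []*UserSA) string {
	var b strings.Builder
	for _, sa := range sas {
		if sa.Children == 0 {
			continue
		}
		labels := fmt.Sprintf(`tunnel="%s",user="%s",remote_ip="%s"`, escapeLabel(sa.Conn), escapeLabel(sa.User), escapeLabel(sa.RemoteIP))
		fmt.Fprintf(&b, "ipsec_in_bytes{%s} %d\n", labels, sa.BytesIn)
		fmt.Fprintf(&b, "ipsec_in_packets{%s} %d\n", labels, sa.PacketsIn)
		fmt.Fprintf(&b, "ipsec_out_bytes{%s} %d\n", labels, sa.BytesOut)
		fmt.Fprintf(&b, "ipsec_out_packets{%s} %d\n", labels, sa.PacketsOut)
	}
	return b.String()
}

// Constructed input: the SA lines of the "ipsec statusall" output quoted in the issue.
const sampleStatus = `  conn1[195]: ESTABLISHED 75 seconds ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
  conn1[195]: Remote EAP identity: user1
  conn1{189}:  AES_CBC_256/HMAC_SHA2_256_128, 27978 bytes_i (115 pkts, 7s ago), 24888 bytes_o (93 pkts, 7s ago), rekeying disabled
  conn1{189}:   0.0.0.0/0 === 192.168.1.5/32
  conn1[189]: ESTABLISHED 34 minutes ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]
  conn1[189]: Remote EAP identity: user2
  conn1{183}:  AES_CBC_256/HMAC_SHA2_256_128, 4967950 bytes_i (63894 pkts, 0s ago), 263756393 bytes_o (212175 pkts, 0s ago), rekeying disabled
  conn1{183}:   0.0.0.0/0 === 192.168.1.57/32
`

func main() {
	fmt.Print(Metrics(ParseStatusAll(sampleStatus)))
}
```

Two points worth keeping if this is wired into an exporter: the `user` label value is chosen by the peer, so it must be escaped before it is written into the exposition format, and a per-user series set (more so with `remote_ip` as a label, since virtual IPs can change between sessions) grows with the user population, which is a cardinality cost the site-to-site `tunnel` label never had.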

alvesjc commented 4 years ago

Hello,

I've made the changes needed to accomplish this goal, and I have it now running. Are you interested in merging it ?

Regards

dennisstritzke commented 4 years ago

I am interested in a pull request. Please link it within this issue.

alvesjc commented 4 years ago

Hi Dennis,

Since I was not getting any response on this, I have it forked now.

You may check the code at:

https://github.com/alvesjc/ipsec_exporter/tree/v0.4