Feature request: Retrieve metrics for multiple SA's for the same conn #29
Comments
|
Hello, I've made the changes needed to accomplish this goal, and I have it now running. Regards |
|
I am interested in a pull request. Please link it within this issue. |
|
Hi Dennis, Since I was not getting any response on this, I have it forked now. You may check the code at: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I'm reaching you to check if it's possible to add the functionality to read multiple SA'a on the same tunnel/conn.
We have a usage case where a strongswan server is used as a vpn concentrator for EAP or XAUTH radius authenticated users.
A conn working in this mode can be detected by reading the "rightauth" or rightauth2" parameter in conn configuration file.
For this cases, we would need an additional parameter, that is the username, and then bytes and packets and IP for each user.
The output of "ipsec statusall conn" for this cases is like this:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-91-generic, x86_64):uptime: 2 days, since Jul 20 07:48:59 2020malloc: sbrk 4956160, mmap 532480, used 3906288, free 1049872worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity countersListening IP addresses:10.2.3.41.2.3.4Connections:conn1: 1.2.3.4...%any IKEv2, dpddelay=30sconn1: local: [vpn.server.test] uses public key authenticationconn1: cert: "CN=vpn.server.test"conn1: remote: uses EAP_RADIUS authentication with EAP identity '%any'conn1: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clearSecurity Associations (6 up, 0 connecting):conn1[195]: ESTABLISHED 75 seconds ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]conn1[195]: Remote EAP identity: user1conn1[195]: IKEv2 SPIs: 7794f527b95240ae_i 405cc25b8b125520_r*, rekeying disabledconn1[195]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048conn1{189}: INSTALLED, TUNNEL, reqid 64, ESP in UDP SPIs: cf925e2c_i 0ebaa365_oconn1{189}: AES_CBC_256/HMAC_SHA2_256_128, 27978 bytes_i (115 pkts, 7s ago), 24888 bytes_o (93 pkts, 7s ago), rekeying disabledconn1{189}: 0.0.0.0/0 === 192.168.1.5/32conn1[189]: ESTABLISHED 34 minutes ago, 1.2.3.4[vpn.server.test]...x.y.z.w[vpn.server.test]conn1[189]: Remote EAP identity: user2conn1[189]: IKEv2 SPIs: b8f50ab49dbcb705_i 37d1d4c97fee3f1e_r*, rekeying disabledconn1[189]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048conn1{183}: INSTALLED, TUNNEL, reqid 66, ESP in UDP SPIs: c9b2266b_i 0b136eed_oconn1{183}: AES_CBC_256/HMAC_SHA2_256_128, 4967950 bytes_i (63894 pkts, 0s ago), 263756393 bytes_o (212175 pkts, 0s ago), rekeying disabledconn1{183}: 0.0.0.0/0 === 192.168.1.57/32The username can be retrieved from this line:
conn1[195]: Remote EAP identity: user1And IP address from this:
conn1{189}: 0.0.0.0/0 === 192.168.1.5/32Packets and bytes is the same as you already do.
The goal would be to have this metrics retrieved for every user connected in the result page.
like this for example:
ipsec_out_packets{tunnel="conn1",user="user1"} 12345@dennisstritzke Do you think you can add this functionality ?
Thanks.
The text was updated successfully, but these errors were encountered: