<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello Noel,</div><div><br></div>Thank you for the tip. I will definitely look into RELP. For now, I finally got it working with a JSON output for testing purposes only. <div><br></div><div>I added this to the iptables:</div><div><b><font face="monospace, monospace">sudo iptables -I FORWARD ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NFLOG --nflog-prefix "Web 80" --nflog-group 1</font></b><br></div><div><br></div><div><div><font face="monospace, monospace">Chain INPUT (policy ACCEPT)</font></div><div><font face="monospace, monospace">num target prot opt source destination</font></div><div><font face="monospace, monospace">1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</font></div><div><font face="monospace, monospace">2 ACCEPT tcp -- anywhere anywhere tcp dpt:https</font></div><div><font face="monospace, monospace">3 ACCEPT tcp -- anywhere anywhere tcp dpt:2022</font></div><div><font face="monospace, monospace">4 ACCEPT all -- anywhere anywhere</font></div><div><font face="monospace, monospace">5 DROP all -- anywhere anywhere state INVALID</font></div><div><font face="monospace, monospace">6 ACCEPT udp -- anywhere anywhere udp dpt:isakmp</font></div><div><font face="monospace, monospace">7 ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t</font></div><div><font face="monospace, monospace">8 DROP all -- anywhere anywhere</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Chain FORWARD (policy ACCEPT)</font></div><div><font face="monospace, monospace">num target prot opt source destination</font></div><div><font face="monospace, monospace">1 NFLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN state NEW nflog-prefix "Web 80" nflog-group 1</font></div><div><font face="monospace, monospace">2 ACCEPT all -- ip-10-10-10-0.eu-west-2.compute.internal/24 anywhere policy match dir in pol ipsec proto esp</font></div><div><font face="monospace, monospace">3 ACCEPT all -- anywhere ip-10-10-10-0.eu-west-2.compute.internal/24 policy match dir out pol ipsec proto esp</font></div><div><font face="monospace, monospace">4 DROP all -- anywhere anywhere</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Chain OUTPUT (policy ACCEPT)</font></div><div><font face="monospace, monospace">num target prot opt source destination</font></div></div><div><br></div><div>It works nicely. BUT the source IP shows as <span style="color:rgb(106,135,89);font-family:Menlo;font-size:9pt;background-color:rgb(43,43,43)">10.10.10.8</span></div><div>I was expecting to see my real IP address. What am I missing, please?</div><div><br></div><div>I know I can't add it to the INPUT because the VPN is masquerading. I have to put the rule against FORWARD, otherwise, I get no entries in the log. So what to do?</div><div><pre style="background-color:rgb(43,43,43);color:rgb(169,183,198);font-family:Menlo;font-size:9pt">{<br> <span style="color:rgb(152,118,170)">"timestamp"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"2019-04-17T09:37:40.502387"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"dvc"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"My awesome Netfilter firewall"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"raw.pktlen"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">64</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"raw.pktcount"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">1</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.prefix"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"Web 80"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.time.sec"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">1555493860</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.time.usec"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">502387</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.mark"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.ifindex_in"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">2</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.ifindex_out"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">2</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.hook"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">2</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"raw.mac_len"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">14</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.family"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">2</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.protocol"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">2048</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"action"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"allowed"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"raw.type"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">1</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"raw.mac.addrlen"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">6</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.protocol"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">6</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.tos"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.ttl"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">63</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.totlen"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">64</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.ihl"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">5</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.csum"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">44141</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"<a href="http://ip.id">ip.id</a>"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"ip.fragoff"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">16384</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"src_port"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">55560</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"dest_port"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">80</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.seq"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">1199851582</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.ackseq"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.window"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">65535</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.offset"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.reserved"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.urg"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.ack"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.psh"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.rst"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.syn"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">1</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.fin"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.res1"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">0</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.res2"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">3</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"tcp.csum"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(104,151,187)">26423</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"<a href="http://oob.in">oob.in</a>"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"eth0"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"oob.out"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"eth0"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"src_ip"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"10.10.10.8"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"dest_ip"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"52.85.70.228"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"mac.saddr.str"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"xx"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"mac.daddr.str"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"xx"</span><span style="color:rgb(204,120,50)">,<br></span><span style="color:rgb(204,120,50)"> </span><span style="color:rgb(152,118,170)">"mac.str"</span><span style="color:rgb(204,120,50)">: </span><span style="color:rgb(106,135,89)">"xx"<br></span>}</pre></div><div>Many Thanks,</div><div>Houman</div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 16 Apr 2019 at 21:40, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello Houman,<br>
<br>
I'd keep the logs as text only and stream them to a logging service via RELP (don't use syslog over tcp. It can loose messages. RELP ensures delivery by design.).<br>
Unless you really got a boatload of clients (> 4000) on a single system, I doubt you'll run into problems.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
Am 16.04.19 um 22:19 schrieb Houman:<br>
> Hello Noel,<br>
> <br>
> Thank you very much for your detailed answer. I started looking into ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will find my way around it eventually. If you have a good recommendation please let me know.<br>
> <br>
> Do you recommend keeping ulogd2's logs locally or rather feed them into a local LogStash? I wonder which one is faster and less resource hungry.<br>
> <br>
> Many Thanks,<br>
> Houman<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> On Mon, 15 Apr 2019 at 19:26, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br>
> <br>
> Hello Houman,<br>
> <br>
> No, that is not a layer that strongSwan or freeradius does have access to. You need to log (and account) the user's traffic using, for example, a netflow collector or ulogd2 (which can use Linux's native conntrack connection tracking system) to capture the relevant data. Using ulogd2 is advised, because unless you disabled conntrack for the relevant connections, you are basically guaranteed to get all information from conntrack (unless ulogd2 can't keep up, but then you don't have enough resources, so you have another issue already).<br>
> <br>
> Kind regards<br>
> <br>
> Noel<br>
> <br>
> Am 15.04.19 um 20:13 schrieb Houman:<br>
> > Hello,<br>
> ><br>
> > We got a notification from the German Federal Office for Information Security that one of our users has been using a website with malware to steal personal information and commit online-banking fraud. To cover their tracks they have been using our StrongSwan VPN.<br>
> ><br>
> ><br>
> > We have now blocked the IPs that resolve to the given website to prevent this from happening. Unfortunately, The freeRadius logs and syslog we have in place are not enough to pinpoint it to the exact culprit.<br>
> ><br>
> ><br>
> > Is there a way to run strongswan with maximum verbose logs to see which EAP-Radius user has been accessing which IP address at what time? We would like to ban users like this in future.<br>
> ><br>
> ><br>
> > From Freeradius we get to see the acctstartdate, acctupdatedate and acctstopdate but there is no way to relate this to their activities.<br>
> ><br>
> ><br>
> ><br>
> > Many Thanks,<br>
> ><br>
> > Houman<br>
> <br>
<br>
</blockquote></div>