[strongSwan-dev] Monitoring certificate per ip

Andreas Steffen andreas.steffen at strongswan.org
Mon Aug 18 14:13:31 CEST 2014


Hi, if you want the virtual IP address[es] then you can use the
following enumerator:

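enumerator_t *enumerator;
host_t *vip;
size_t buf_len = 128;
char buf[buf_len];

/* FALSE selects the virtual IPs assigned to the peer (remote side) */
enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
/* "if" reads only the first virtual IP; use "while" to walk all of them */
if (enumerator->enumerate(enumerator, &vip))
{
    /* Print the IPv4 or IPv6 address (%H is strongSwan's printf hook for host_t) */
    snprintf(buf, buf_len, "%H", vip);
}
enumerator->destroy(enumerator);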

Since at the time of the ike_updown bus event the virtual IPs haven't
been assigned yet, your listener must subscribe to the assign_vips
bus event. As an example have a look at the tnc-ifmap plugin:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c;h=d2ba2e345b8d5de73b37c236822d1e32021b29b7;hb=HEAD#l108

Best regards

Andreas

On 18.08.2014 13:22, The supervisor wrote:
> Thank you for the response, it was very helpful.
>
> I'm facing a small problem, I'm using the following code to get the IP
> and write it to a file:
> host_t* host = ike_sa->get_other_host(ike_sa);
> sockaddr_t* address = host->get_sockaddr(host);
> struct sockaddr_in* their_addr = (struct sockaddr_in*)address;
> char *ip = inet_ntoa(their_addr->sin_addr);
>
> But the IP is the real IP, I want to know the VPN IP that the strongSwan
> gave the client, I couldn't find it.
> I tried to use:
> chunk_t* blabla = host->get_address(host);
>
> but I don't understand how to handle "chunk_t", how do I print the IP in
> blabla?
>
> Thanks in advance.
>
>
>
> On Sun, Aug 3, 2014 at 10:24 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>     Hi,
>
>     you could write your own monitoring plugin along the lines of the
>     "certexpire" plugin:
>
>     https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/show/src/libcharon/plugins/certexpire
>
>     where a bus listener collects the certificates used and checks them
>     for the expiration date.
>
>     In your case you could store the received peer certificates together
>     with the corresponding IKE identities in a local file or send the
>     information over a network socket to a proxy server.
>
>     Best regards
>
>     Andreas
>
>     On 08/02/2014 08:05 PM, The supervisor wrote:
>      > Hi,
>      >
>      >
>      > I'm new to strongSwan and I am trying to achieve something that
>      > shouldn't be very hard, I have the following setup:
>      >
>      > Clients --> Strongswan VPN --> transparent proxy --> Internet.
>      >
>      >
>      > Clients connect to strongswan vpn using client certificate.
>      >
>      >
>      > I'm trying to find the simplest way (minimum code changes) to know which
>      > client uses which certificate (and then to send this information to my
>      > transparent proxy, or just print it to a file).
>      >
>      > For example, when client with IP 10.1.0.1 connected using certificate X,
>      > I want to send to my proxy a message about it.
>      >
>      >
>      > I downloaded and compiled the code, but I don't really know where to
>      > start. If someone could point me to the relevant code modules I would
>      > very much appreciate it, also any general explanation about how to achieve
>      > my goal would be helpful.
>      >
>      >
>      > Thanks in advance,
>      >
>      > DN
>      >
>     ======================================================================
>     Andreas Steffen andreas.steffen at strongswan.org
>     strongSwan - the Open Source VPN Solution! www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
>
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
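
The quoted question asks how to print the address held in a chunk_t, and the quoted snippet casts the sockaddr to struct sockaddr_in and calls inet_ntoa(), which handles IPv4 only and returns a shared static buffer. The following is an added example, not code from this thread or from strongSwan: it formats both representations with inet_ntop(), and addr_chunk_t, chunk_to_ip and sockaddr_to_ip are hypothetical names, with the struct an assumed stand-in for strongSwan's chunk_t.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Stand-in for strongSwan's chunk_t (pointer + length): an assumption made
 * so the example builds without the strongSwan headers. */
typedef struct {
    unsigned char *ptr;
    size_t len;
} addr_chunk_t;

/* Format a raw address chunk: 4 bytes is IPv4, 16 bytes is IPv6. Returns 0 on
 * success, -1 on any other length or a too-small buffer. inet_ntop() writes
 * into the caller's buffer, so concurrent threads do not share its output. */
int chunk_to_ip(addr_chunk_t addr, char *buf, size_t buf_len)
{
    int family = addr.len == 4 ? AF_INET : addr.len == 16 ? AF_INET6 : AF_UNSPEC;
    if (!addr.ptr || !buf || family == AF_UNSPEC)
        return -1;
    return inet_ntop(family, addr.ptr, buf, (socklen_t)buf_len) ? 0 : -1;
}

/* Format a generic sockaddr, checking sa_family before casting rather than
 * treating every address as struct sockaddr_in. */
int sockaddr_to_ip(const struct sockaddr *sa, char *buf, size_t buf_len)
{
    const void *src;
    if (!sa || !buf)
        return -1;
    if (sa->sa_family == AF_INET)
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return -1;
    return inet_ntop(sa->sa_family, src, buf, (socklen_t)buf_len) ? 0 : -1;
}

int main(void)
{
    unsigned char raw[] = { 10, 1, 0, 1 }; /* constructed sample: 10.1.0.1 */
    addr_chunk_t addr = { raw, sizeof(raw) };
    char buf[INET6_ADDRSTRLEN];

    if (chunk_to_ip(addr, buf, sizeof(buf)) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Inside a charon plugin the %H conversion shown in the reply does the same job directly on a host_t; the helpers above apply where only the raw bytes or a sockaddr are at hand.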
