[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Tobias Brunner tobias at strongswan.org
Fri Aug 25 12:12:07 CEST 2017


Hi Christophe,

>> There are some control features, like `down-srcip`, `purgeike` or
>> `list|resetcounters`, that are not implemented (yet).  But they may
>> still be used, if necessary (ideally users would notify us of features
>> they still need),
> 
> I started using the vici API for monitoring and stats, and I must
> admit it is far better suited than stroke to interface with an
> external application.
> 
> I precisely missed the equivalent for `listcounters` in the vici
> interface, so I take the opportunity to notify you officially that its
> support would be appreciated :)

Noted...and actually already implemented in the vici-counters branch :)

Since it's based on the same code, it has the same behavior and
limitations.  For instance, counters are associated with an IKE_SA's
name not individual IKE_SAs (e.g. via their unique IDs).  So they may
cover several IKE_SAs with the same name and they are not automatically
reset or removed once SAs are terminated.  And since the name may change
on responders due to the identities or authentication settings the
connection-specific counters might not be exactly accurate (e.g. if the
first defined connection is configured for pubkey client authentication
but most clients will connect via EAP using an otherwise identical
second connection, too many inbound IKE_AUTHs will be recorded for the
first connection's name and too few for the second).  Let me know if you
see anything that could be improved (e.g. the naming of the counters).

Regards,
Tobias
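For readers who, like Christophe, want to pull these counters from an external monitoring tool, the following is an added example, not code from this thread or from strongSwan itself: a minimal Python encoder/decoder for the vici wire format (4-byte length prefix, packet type, command name, then SECTION/KEY_VALUE/LIST elements) that builds a request and decodes a response, then sums counters across all connection names. Summing across names sidesteps the limitation Tobias describes (per-name counts drift on responders when the connection name changes during IKE_AUTH), since the totals stay correct even when the attribution to a particular name does not. The command name `get-counters`, its `name` argument and the response layout (a `counters` section keyed by connection name) are assumptions for this example and are not documented on this page; the sample response is constructed inline, not captured from a daemon.

```python
"""Minimal vici wire-format codec (added example, not strongSwan code).

Assumptions, not confirmed by the thread: the command name "get-counters",
its "name" argument and a response of the form
{"counters": {<conn-name>: {<counter>: <value>}}}.  The sample response
below is constructed for offline use; nothing here talks to charon.
"""
import struct

# vici packet types (only the ones this example needs)
CMD_REQUEST, CMD_RESPONSE = 0, 1
# vici message element types
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6


def encode_message(msg):
    """Encode a nested dict (values: str, list of str, or dict) as vici elements."""
    out = bytearray()
    for key, value in msg.items():
        k = key.encode()
        if isinstance(value, dict):                      # named section
            out += bytes([SECTION_START, len(k)]) + k
            out += encode_message(value)
            out += bytes([SECTION_END])
        elif isinstance(value, list):                    # named list of strings
            out += bytes([LIST_START, len(k)]) + k
            for item in value:
                v = str(item).encode()
                out += bytes([LIST_ITEM]) + struct.pack("!H", len(v)) + v
            out += bytes([LIST_END])
        else:                                            # key = value
            v = str(value).encode()
            out += bytes([KEY_VALUE, len(k)]) + k + struct.pack("!H", len(v)) + v
    return bytes(out)


def encode_request(command, args=None):
    """CMD_REQUEST packet: big-endian length, type byte, name, message."""
    name = command.encode()
    payload = bytes([CMD_REQUEST, len(name)]) + name + encode_message(args or {})
    return struct.pack("!I", len(payload)) + payload


def build_response(msg):
    """Constructed CMD_RESPONSE packet, used here instead of a live daemon."""
    payload = bytes([CMD_RESPONSE]) + encode_message(msg)
    return struct.pack("!I", len(payload)) + payload


def decode_message(data, pos=0, end=None):
    """Decode vici elements starting at pos; returns (dict, next position)."""
    end = len(data) if end is None else end
    result = {}
    while pos < end:
        t = data[pos]
        pos += 1
        if t == SECTION_END:                             # closes the caller's section
            return result, pos
        if t not in (SECTION_START, KEY_VALUE, LIST_START):
            raise ValueError("unexpected element type %d at %d" % (t, pos - 1))
        n = data[pos]
        pos += 1
        key = data[pos:pos + n].decode()
        pos += n
        if t == SECTION_START:
            result[key], pos = decode_message(data, pos, end)
        elif t == KEY_VALUE:
            (n,) = struct.unpack("!H", data[pos:pos + 2])
            pos += 2
            result[key] = data[pos:pos + n].decode()
            pos += n
        else:                                            # LIST_START
            items = []
            while data[pos] == LIST_ITEM:
                (n,) = struct.unpack("!H", data[pos + 1:pos + 3])
                pos += 3
                items.append(data[pos:pos + n].decode())
                pos += n
            pos += 1                                     # consume LIST_END
            result[key] = items
    return result, pos


def decode_response(packet):
    """Validate the length prefix and packet type, then decode the message."""
    (length,) = struct.unpack("!I", packet[:4])
    payload = packet[4:4 + length]
    if len(payload) != length or payload[0] != CMD_RESPONSE:
        raise ValueError("not a complete CMD_RESPONSE packet")
    return decode_message(payload, 1)[0]


def sum_counters(response):
    """Total each counter over all connection names (per-name attribution is
    unreliable on responders, as the thread explains; the totals are not)."""
    totals = {}
    for counters in response.get("counters", {}).values():
        for counter, value in counters.items():
            totals[counter] = totals.get(counter, 0) + int(value)
    return totals


# Constructed sample: too many IKE_AUTHs credited to the pubkey connection,
# too few to the otherwise identical EAP connection (the scenario from the mail).
SAMPLE_RESPONSE = {"counters": {
    "rw-pubkey": {"ike-init-in": "7", "ike-auth-in": "4"},
    "rw-eap":    {"ike-init-in": "0", "ike-auth-in": "1"},
}}

if __name__ == "__main__":
    print(encode_request("get-counters", {"name": "rw-pubkey"}).hex())
    print(sum_counters(decode_response(build_response(SAMPLE_RESPONSE))))
```

To use it against a real daemon you would send `encode_request(...)` over the vici UNIX socket, read one length-prefixed packet back and pass it to `decode_response`; the socket handling is left out here so the example runs offline.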

