[strongSwan-dev] about user quota usage and terminating

Tobias Brunner tobias at strongswan.org
Wed Jun 28 14:49:14 CEST 2017

Hi Isa,

> I want to log all user's bytes usage (received+sent) in my MySQL database,
> I think I can get it from : "*strongswan statusall*" command, (I can't
> find another command to achieve this, is there any?)

That's not the best approach.  In particular because querying it often
is not ideal (locks the SAs) and the format is not that machine readable
(vici/swanctl [1] provides a better interface in regards to the latter,
but still not ideal when queried often).  Rekeyings could also be a
problem, depending on the interval used to query the SAs.  Have a look
at the eap-radius plugin, that does accumulate use stats for RADIUS

> According to this log, does "*511 by**tes_i*" and "*1111 bytes_o*"
> represents the incoming and outgoing bytes count of *testu* user?

Yes, of one of the CHILD_SAs of an IKE_SA that was created by that user.

> Also when I want to get only "testu" user statistics, according to docs
> I'm typing this: *"**strongswan statusall test**u"*

There is no option to query SAs by remote identity.  Only by IKE or
CHILD_SA name or their unique identifier (same goes with vici/swanctl).
Where did you see that in the docs?

> And my last  question; I will count bytes usage of users and if someone
> exceed his quota I want to kick him, how can I do that?

You could enumerate SAs and find the ones with a matching remote
identity and then terminate those (using vici/swanctl).  But you should
probably use RADIUS accounting and DAE [2] for all of this.


[1] http://wiki.strongswan.org/projects/strongswan/wiki/Vici
[2] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius

More information about the Dev mailing list