[strongSwan-dev] about user quota usage and terminating

Isa YETER isa at teknasyon.com
Thu Jun 29 15:21:54 CEST 2017


Hello again Tobias,

Thank you for your kind help. I'm using radiusDB now for accounting. 
It is OK.

The last problem is that I still could not find a way to terminate an active 
connection by its username.

I looked at the swanctl help and saw this: swanctl --terminate        (-t)  
terminate a connection

I don't know whether it terminates an active user connection or not. I tried 
"swanctl -t testuser", and it said: "terminate failed: missing terminate 
selector"

How can I do that?

Thanks.


On 28/06/2017 15:49, Tobias Brunner wrote:
> Hi Isa,
>
>> I want to log all users' bytes usage (received+sent) in my MySQL database,
>>
>> I think I can get it from the "strongswan statusall" command (I can't
>> find another command to achieve this, is there any?)
> That's not the best approach.  In particular because querying it often
> is not ideal (locks the SAs) and the format is not that machine readable
> (vici/swanctl [1] provides a better interface in regards to the latter,
> but still not ideal when queried often).  Rekeyings could also be a
> problem, depending on the interval used to query the SAs.  Have a look
> at the eap-radius plugin, that does accumulate use stats for RADIUS
> accounting.
>
>> According to this log, do "511 bytes_i" and "1111 bytes_o"
>> represent the incoming and outgoing bytes count of the testu user?
> Yes, of one of the CHILD_SAs of an IKE_SA that was created by that user.
>
>> Also when I want to get only "testu" user statistics, according to docs
>> I'm typing this: "strongswan statusall testu"
> There is no option to query SAs by remote identity.  Only by IKE or
> CHILD_SA name or their unique identifier (same goes with vici/swanctl).
> Where did you see that in the docs?
>
>> And my last question; I will count bytes usage of users and if someone
>> exceeds his quota I want to kick him, how can I do that?
> You could enumerate SAs and find the ones with a matching remote
> identity and then terminate those (using vici/swanctl).  But you should
> probably use RADIUS accounting and DAE [2] for all of this.
>
> Regards,
> Tobias
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/Vici
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
