[strongSwan] StrongSwan traffic accounting? is it possible?
Gerd v. Egidy
lists at egidy.de
Mon Oct 17 09:57:33 CEST 2011
Hi,
> I would have thought you could use iptables with something like ipac_ng (at
> least, that’s what I used to use for accounting “back in the day”)
yes, some iptables based way is what I think of too.
> I haven’t done accounting for VPN traffic myself, but I imagine you should
> be able to match by policy eg “-m policy -pol ipsec” to be sure you’re
> counting encapsulated traffic.
If I understood Jacky correctly, he wants not only to account for all VPN traffic
together, but to account for the traffic per authenticated user.
The iptables policy match doesn't know about users; it doesn't even know about
strongSwan connections. If your users have dedicated virtual IPs assigned, you
can use them to match. If not, you could use the reqids. Recent strongSwan
versions are able to statically assign a reqid to a connection.
Make sure your solution does not modify iptables from within strongSwan: the
iptables tool has no locks to protect against concurrent usage. So you have to
set up everything upfront; you can't use any dynamic connection pools or
similar in strongSwan if you need any data from strongSwan to set up the
iptables rules.
Kind regards,
Gerd
--
Address (better: trap) for people I really don't want to get mail from:
jonas at cactusamerica.com
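The static, per-user setup Gerd describes, as an added example that is not part of the thread: it assumes a fixed user/virtual-IP/reqid table (constructed values) with the reqids pinned in the corresponding strongSwan conn sections, builds the matching iptables chains once up front, and reads the counters back from `iptables -nvx -L FORWARD` output.

```shell
#!/bin/sh
# Added example (not from the thread): static per-user accounting chains for
# strongSwan users, keyed on their assigned virtual IP and a fixed reqid.
# The user/IP/reqid values below are constructed placeholders.

# user  virtual-IP   reqid  (reqid pinned in the strongSwan conn, e.g. reqid=100)
USERS='alice 10.10.1.10 100
bob 10.10.1.11 101'

# Print the iptables commands that build one counting chain per user.
# Everything is generated up front and applied once (pipe into sh as root);
# nothing is run from strongSwan updown scripts, so the unlocked iptables
# binary is never invoked concurrently.
gen_rules() {
    printf '%s\n' "$USERS" | while read -r user vip reqid; do
        [ -n "$user" ] || continue
        echo "iptables -N acct_$user"
        # decapsulated traffic from this user's SA (reqid) and virtual IP
        echo "iptables -A FORWARD -m policy --dir in --pol ipsec --reqid $reqid -s $vip -j acct_$user"
        # traffic that will be encapsulated towards the user
        echo "iptables -A FORWARD -m policy --dir out --pol ipsec --reqid $reqid -d $vip -j acct_$user"
        echo "iptables -A acct_$user -j RETURN"
    done
}

# Sum the byte counters of all FORWARD rules jumping to one user's chain.
# Reads 'iptables -nvx -L FORWARD' output on stdin; prints total bytes.
user_bytes() {
    awk -v t="$1" '$3 == t { s += $2 } END { print s + 0 }'
}

# Constructed sample of 'iptables -nvx -L FORWARD' output for the parser.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      98304 acct_alice  all  --  *      *       10.10.1.10           0.0.0.0/0            policy match dir in pol ipsec reqid 100
      80      40960 acct_alice  all  --  *      *       0.0.0.0/0            10.10.1.10           policy match dir out pol ipsec reqid 100
      10       1500 acct_bob    all  --  *      *       10.10.1.11           0.0.0.0/0            policy match dir in pol ipsec reqid 101'

# Usage when run directly: show the rules, then account the sample counters.
gen_rules
for u in alice bob; do
    printf '%s: %s bytes\n' "$u" "$(printf '%s\n' "$SAMPLE" | user_bytes "acct_$u")"
done
```

Matching on both the reqid and the virtual IP keeps a user's counters correct even if the same virtual IP is later handed to a different reqid; if you only have one of the two, drop the other match.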