[strongSwan] StrongSwan traffic accounting? is it possible?
Jacky.He
jacky.he at gmail.com
Mon Oct 17 12:06:16 CEST 2011
Hi all,
Here is my test procedure:
1) first, create iptables chain named IPSEC
iptables -I INPUT -m policy --pol ipsec --proto esp --dir in -j IPSEC
iptables -I OUTPUT -m policy --pol ipsec --proto esp --dir out -j IPSEC
2) add some custom commands to strongSwan's updown script, so that when a new IPsec connection is created by strongSwan, it executes my custom commands.
a) Commands used in the up-client case:
USER_ID='test001'
COMMENT="$PLUTO_PEER $USER_ID"
# $PLUTO_PEER is the peer's outer (IKE) address; $S_PEER_PORT and $D_PEER_PORT are
# the --sport/--dport arguments that strongSwan's _updown script derives from
# $PLUTO_PEER_PORT (empty when the port is 0)
iptables -t filter -I IPSEC -s $PLUTO_PEER $S_PEER_PORT -m comment --comment "$COMMENT "
iptables -t filter -I IPSEC -d $PLUTO_PEER $D_PEER_PORT -m comment --comment "$COMMENT "
b) Commands used in the down-client case:
USER_ID='test001'
COMMENT="$PLUTO_PEER $USER_ID"
# the match (including the trailing space in the comment) must be identical to the
# up-client rule, otherwise -D does not find the rule to delete
iptables -t filter -D IPSEC -s $PLUTO_PEER $S_PEER_PORT -m comment --comment "$COMMENT "
iptables -t filter -D IPSEC -d $PLUTO_PEER $D_PEER_PORT -m comment --comment "$COMMENT "
3) I use IKEv1+XAUTH to connect to my VPN box; everything is OK.
4) Then I use the following command to monitor the iptables chain and get this output:
# iptables -L IPSEC -v -n -x
Chain IPSEC (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      *       0.0.0.0/0            12X.16X.20X.XXX      /* 12X.16X.20X.XXX test001 */
       0          0            all  --  *      *       12X.16X.20X.XXX      0.0.0.0/0            /* 12X.16X.20X.XXX test001 */
It seems I can now monitor every new connection using iptables, but I found there is no pkts and bytes accounting information.
Can someone give me a suggestion or point me in the right direction?
JACKY
-----Original Message-----
From: users-bounces+jacky.he=gmail.com at lists.strongswan.org [mailto:users-bounces+jacky.he=gmail.com at lists.strongswan.org] On Behalf Of Gerd v. Egidy
Sent: Monday, October 17, 2011 3:58 PM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] StrongSwan traffic accounting? is it possible?
Hi,
> I would have thought you could use iptables with something like ipac_ng (at
> least, that’s what I used to use for accounting “back in the day”)
yes, some iptables based way is what I think of too.
> I haven’t done accounting for VPN traffic myself, but I imagine you should
> be able to match by policy eg “-m policy -pol ipsec” to be sure you’re
> counting encapsulated traffic.
If I understood Jacky correctly, he wants not only to account all VPN traffic
together, but to account the traffic per authenticated user.
The iptables policy match doesn't know about users, it doesn't even know about
strongswan connections. If your users have dedicated virtual ips assigned, you
can use them to match. If not you could use the reqids. Recent strongswan
versions are able to statically assign a reqid to a connection.
Make sure your solution does not modify iptables from within strongswan: the
iptables tool has no locks to protect against concurrent usage. So you have to
set everything up upfront; you can't use any dynamic connection pools or
similar in strongswan if you need any data from strongswan to set up the
iptables rules.
Kind regards,
Gerd
--
Address (better: trap) for people I really don't want to get mail from:
jonas at cactusamerica.com
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
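The static setup Gerd describes, as an added example that is not part of this thread and not strongSwan's own code: the accounting chain and its per-user rules are created once at boot, never from _updown, and each user is matched on the inner address that a decrypted packet carries (the user's virtual IP) or, where no dedicated virtual IP exists, on a fixed reqid via the policy match. Everything concrete here is assumed for illustration: the users alice and bob with virtual IPs 10.3.0.11 and 10.3.0.12 (as handed out by rightsourceip), a conn "carol" with reqid=101 configured in ipsec.conf, the chain name IPSEC_ACCT, and the sample counter listing, which is constructed to look like `iptables -L IPSEC_ACCT -v -n -x` output so that the report parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan code): static per-user
# IPsec traffic accounting with iptables, set up once at boot.
# Assumed for illustration: alice/bob have fixed virtual IPs, conn "carol" has
# reqid=101 in ipsec.conf, chain name IPSEC_ACCT.

IPTABLES=${IPTABLES:-iptables}   # IPTABLES="echo iptables" gives a dry run

# constructed user -> virtual IP table (assumed rightsourceip assignments)
USER_VIPS="alice 10.3.0.11
bob 10.3.0.12"

setup_accounting() {
    $IPTABLES -N IPSEC_ACCT 2>/dev/null || $IPTABLES -F IPSEC_ACCT
    # Jump into the chain where decrypted (--dir in) and about-to-be-encrypted
    # (--dir out) packets are seen; FORWARD covers clients routed through the box.
    for hook in "INPUT --dir in" "FORWARD --dir in" "FORWARD --dir out" "OUTPUT --dir out"; do
        set -- $hook
        $IPTABLES -C "$1" -m policy --pol ipsec --proto esp "$2" "$3" -j IPSEC_ACCT 2>/dev/null \
            || $IPTABLES -I "$1" -m policy --pol ipsec --proto esp "$2" "$3" -j IPSEC_ACCT
    done
    # One counting rule per user and direction, matched on the inner (virtual) IP.
    # No -j target, so the rule only counts and the packet continues.
    printf '%s\n' "$USER_VIPS" | while read -r user vip; do
        $IPTABLES -A IPSEC_ACCT -s "$vip" -m comment --comment "$user in"
        $IPTABLES -A IPSEC_ACCT -d "$vip" -m comment --comment "$user out"
    done
    # Alternative without a dedicated virtual IP: match the statically
    # configured reqid of the connection (assumed reqid=101 for conn carol).
    $IPTABLES -A IPSEC_ACCT -m policy --pol ipsec --dir in  --reqid 101 -m comment --comment "carol in"
    $IPTABLES -A IPSEC_ACCT -m policy --pol ipsec --dir out --reqid 101 -m comment --comment "carol out"
}

# Turn `iptables -L IPSEC_ACCT -v -n -x` output into "user pkts bytes" lines,
# summing both directions per user (first word of the rule comment).
parse_counters() {
    awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }
        {
            label = "unlabelled"
            if (match($0, /\/\* .* \*\//))
                label = substr($0, RSTART + 3, RLENGTH - 6)
            split(label, w, " ")          # "alice in" -> user "alice"
            pkts[w[1]]  += $1
            bytes[w[1]] += $2
        }
        END { for (u in pkts) printf "%s %d %d\n", u, pkts[u], bytes[u] }
    ' | sort
}

report() {
    $IPTABLES -L IPSEC_ACCT -v -n -x | parse_counters
}

# Constructed sample of the listing (the empty target column is how iptables
# prints rules that have no -j), used to try parse_counters without root.
SAMPLE_COUNTERS='Chain IPSEC_ACCT (4 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     18240            all  --  *      *       10.3.0.11            0.0.0.0/0            /* alice in */
      80     96000            all  --  *      *       0.0.0.0/0            10.3.0.11            /* alice out */
       0         0            all  --  *      *       10.3.0.12            0.0.0.0/0            /* bob in */
       5       400            all  --  *      *       0.0.0.0/0            10.3.0.12            /* bob out */'

case "${1:-}" in
    setup)  setup_accounting ;;
    report) report ;;
    demo)   printf '%s\n' "$SAMPLE_COUNTERS" | parse_counters ;;
esac
```

Run it as `sh ipsec_acct.sh setup` from an init script (or with `IPTABLES="echo iptables"` first to see the rules it would add), then `sh ipsec_acct.sh report` to read the per-user totals; `demo` runs the parser over the constructed sample only. Because the rules exist before any client connects, nothing in _updown touches iptables, which is the concurrency concern raised above.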