[strongSwan] StrongSwan traffic accounting? is it possible?
Gerd v. Egidy
lists at egidy.de
Mon Oct 17 13:25:55 CEST 2011
Hi,
> 1) first, create iptables chain named IPSEC
> iptables -I INPUT -m policy --pol ipsec --proto esp --dir in -j IPSEC
> iptables -I OUTPUT -m policy --pol ipsec --proto esp --dir out -j IPSEC
a rule for the FORWARD chain is missing.
> 2) add some custom commands to StrongSwan's updown scripts; when a new ipsec
> connection is created by strongswan, it will execute my custom command.
> a) Commands used in the scene of up-client:
> USER_ID='test001'
> COMMENT="$PLUTO_PEER $USER_ID"
> iptables -t filter -I IPSEC -s $PLUTO_PEER $S_PEER_PORT -m comment --comment "$COMMENT "
> iptables -t filter -I IPSEC -d $PLUTO_PEER $D_PEER_PORT -m comment --comment "$COMMENT "
I cannot recommend calling "iptables" from within strongSwan scripts. If two
"iptables" commands run at the same time, one of the calls can be missed
because the iptables command has no locking against this. If several VPN
connections are established or disconnected at the same time, you can hit this
problem.
Kind regards,
Gerd
--
Address (better: trap) for people I really don't want to get mail from:
jonas at cactusamerica.com
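One way to keep the per-peer accounting rules in an updown script while avoiding the concurrent-iptables race described in the reply, as an added example that is not from this thread or from strongSwan: serialize the rule changes with flock(1) and let iptables wait for its own lock with -w. The IPSEC chain from step 1, the USER_ID value, and the lock file path are assumptions; the FORWARD hook mentioned in the reply still belongs in step 1.

```shell
#!/bin/sh
# Added example: per-peer accounting rules for a strongSwan updown script,
# serialized so that simultaneous up/down events cannot race in iptables.
# Assumes the IPSEC chain from step 1 exists and that charon invokes this
# script with PLUTO_VERB and PLUTO_PEER set. USER_ID and LOCK_FILE are
# placeholders chosen for the example.
USER_ID="${USER_ID:-test001}"
LOCK_FILE="${LOCK_FILE:-/run/ipsec-accounting.lock}"
IPTABLES="${IPTABLES:-iptables}"

# Print the iptables arguments, one rule per line, for the given peer.
# "add" inserts (-I) and "del" removes (-D) the same two rules, so the
# down-client path deletes exactly what up-client created.
build_accounting_rules() {
    peer="$1"; user="$2"; action="$3"
    case "$action" in
        add) op="-I" ;;
        del) op="-D" ;;
        *)   return 1 ;;
    esac
    comment="$peer $user"
    printf '%s\n' "-t filter $op IPSEC -s $peer -m comment --comment \"$comment\""
    printf '%s\n' "-t filter $op IPSEC -d $peer -m comment --comment \"$comment\""
}

# Apply the rules under flock(1): only one updown invocation at a time
# touches the IPSEC chain. "-w" additionally makes iptables wait for the
# kernel xtables lock instead of failing when another instance holds it.
apply_accounting_rules() {
    build_accounting_rules "$@" | flock "$LOCK_FILE" sh -c '
        while IFS= read -r rule; do
            eval "$0" -w "$rule" || exit 1
        done' "$IPTABLES"
}

# Dispatch on the updown verb strongSwan passes in PLUTO_VERB.
case "${PLUTO_VERB:-}" in
    up-client)   apply_accounting_rules "$PLUTO_PEER" "$USER_ID" add ;;
    down-client) apply_accounting_rules "$PLUTO_PEER" "$USER_ID" del ;;
esac
```

Reading the counters afterwards is then a plain `iptables -t filter -L IPSEC -v -n -x`, with the comment column identifying the peer and user.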