[strongSwan] StrongSwan traffic accounting? is it possible?

Gerd v. Egidy lists at egidy.de
Mon Oct 17 13:25:55 CEST 2011


Hi,

> 1) first, create iptables chain named IPSEC
> 	iptables -I INPUT -m policy --pol ipsec --proto esp --dir in -j IPSEC
> 	iptables -I OUTPUT -m policy --pol ipsec --proto esp --dir out -j IPSEC

A rule for the FORWARD chain is missing.

> 2) add some custom commands to StrongSwan's updown scripts; when a new ipsec
> connection is created by strongswan, it will execute my custom command.
> a) Commands used in the up-client case:
> 	USER_ID='test001'
> 	COMMENT="$PLUTO_PEER $USER_ID"
> 	iptables -t filter -I IPSEC -s $PLUTO_PEER $S_PEER_PORT -m comment --comment "$COMMENT "
> 	iptables -t filter -I IPSEC -d $PLUTO_PEER $D_PEER_PORT -m comment --comment "$COMMENT "

I cannot recommend calling "iptables" from within strongswan scripts. If two 
"iptables" commands run at the same time, one of the calls can be missed 
because the iptables command has no locking against this. If several VPN 
connections are established or disconnected at the same time, you can hit this 
problem.

Kind regards,

Gerd

-- 
Address (better: trap) for people I really don't want to get mail from:
jonas at cactusamerica.com
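A defender-side sketch of what this thread describes, added here and not taken from the original post or from strongSwan itself: the IPSEC accounting chain hooked into INPUT, OUTPUT and FORWARD, plus an updown helper that serializes its iptables calls with flock(1) so two connections coming up at once cannot lose a rule. The lock file path, the function names and the IPTABLES override are assumptions; the per-peer port arguments from the quoted script are omitted.

```shell
#!/bin/sh
# Per-peer IPsec traffic accounting with an IPSEC chain (added example).
IPTABLES="${IPTABLES:-iptables}"   # override for dry runs (e.g. IPTABLES=echo)

# One-time setup: every ESP-protected packet, whether destined for this host
# or forwarded through it, must pass the IPSEC chain or its bytes are not
# counted. The FORWARD rules are the ones missing from the quoted recipe.
setup_accounting_chain() {
    $IPTABLES -N IPSEC 2>/dev/null || true
    $IPTABLES -I INPUT   -m policy --pol ipsec --proto esp --dir in  -j IPSEC
    $IPTABLES -I OUTPUT  -m policy --pol ipsec --proto esp --dir out -j IPSEC
    $IPTABLES -I FORWARD -m policy --pol ipsec --proto esp --dir in  -j IPSEC
    $IPTABLES -I FORWARD -m policy --pol ipsec --proto esp --dir out -j IPSEC
}

# Called from the strongSwan updown script: account_peer up|down PEER USERID
# with PEER taken from $PLUTO_PEER. Because iptables itself has no locking,
# the two rule changes are done under an exclusive flock so concurrent
# updown invocations (several tunnels up/down at once) cannot interleave.
account_peer() {
    case "$1" in up) op=-I ;; down) op=-D ;; *) return 2 ;; esac
    peer=$2
    comment="$peer $3"
    lock="${IPSEC_ACCT_LOCK:-/var/run/ipsec-acct.lock}"   # assumed path
    exec 9>"$lock"
    flock 9
    $IPTABLES -t filter $op IPSEC -s "$peer" -m comment --comment "$comment"
    $IPTABLES -t filter $op IPSEC -d "$peer" -m comment --comment "$comment"
    flock -u 9
    exec 9>&-
}

# Read the counters back later with: iptables -t filter -L IPSEC -v -n -x
```

On the up-client path the updown script would call `account_peer up "$PLUTO_PEER" "$USER_ID"` and on down-client `account_peer down ...` with the same arguments, so the delete matches the rule that was inserted.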
