[strongSwan] Identifying IPSEC user sessions

Jiri Horky jiri.horky at gmail.com
Sat Apr 25 23:37:52 CEST 2015


Hi list,

I am sure somebody solved the same problem in the past as well. We would
like to have a fixed session identifier throughout the lifetime of an
IPSec tunnel (client's connection) even when rekeying happens on IKE
SA/CHILD SA. This is to ensure that we can match the up/down events,
that we catch in a custom handler. Also, this identifier should be
globally unique per servers/multiple user sessions, i.e. if a user from
the same IP goes to the same server, we should have a new session
identifier.

I was thinking of generating a UUID field when the session up event
happens, and assigning it to some struct which strongswan must have for
the IPSEC connection (I guess there is such a thing). Then to pass this
information to the handler when session down happens.

Is there a better/easier way to achieve this? If not, and I am not
completely wrong, could you please point me to the right place where I
should add the field (i.e. which struct should hold the connection
throughout its entire lifetime).

Thank you!
Jiri Horky

