[strongSwan] Identifying IPSEC user sessions

Andrew Foss afoss at actmobile.com
Sun Apr 26 01:35:16 CEST 2015


Jiri,

I just wrestled with this in an attempt to get some byte counters in my 
updown scripts.

I ended up doing a patch. I have tried two ways: we use a custom cert 
for each IPsec client and an XAuthName, so they are available in the 
updown as $PLUTO_XAUTH_ID and $PLUTO_PEER_ID.

You might check those two vars in your updown and see if they provide 
the id you are looking for...

andrew

On 4/25/15 2:37 PM, Jiri Horky wrote:
> Hi list,
>
> I am sure somebody solved the same problem in the past as well. We would
> like to have a fixed session identifier throughout the lifetime of an
> IPsec tunnel (client's connection) even when rekeying happens on IKE
> SA/CHILD SA. This is to ensure that we can match the up/down events
> that we catch in a custom handler. Also, this identifier should be
> globally unique per server/multiple user sessions, i.e. if a user from
> the same IP goes to the same server, we should have a new session
> identifier.
>
> I was thinking of generating a UUID field when the session up event
> happens, and assigning it to some struct which strongSwan must have for
> the IPsec connection (I guess there is such a thing). Then to pass this
> information to the handler when session down happens.
>
> Is there a better/easier way to achieve this? If not, and I am not
> completely wrong, could you please point me to the right place where I
> should add the field (i.e. which struct should hold the connection
> throughout its entire lifetime).
>
> Thank you!
> Jiri Horky
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
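As an added example, not code from either poster or from the strongSwan project, here is how the two suggestions above can be combined in an updown script without patching charon: derive a stable key from the identity variables Andrew names ($PLUTO_PEER_ID and $PLUTO_XAUTH_ID, plus $PLUTO_CONNECTION), and let the first "up" for that key mint the UUID Jiri wants, which later events for the same key then reuse. The assumptions are mine, not the thread's: that strongSwan invokes the script once per CHILD_SA with $PLUTO_VERB set to an up-*/down-* verb, that during a rekey the new SA's "up" may arrive before the old SA's "down" (hence the reference count), and that the state directory path and the `logger` tag are hypothetical names you would adapt.

```shell
#!/bin/sh
# Added example (not from the thread): keep one session identifier per IPsec
# client across IKE_SA/CHILD_SA rekeying, using the updown environment.
# Assumptions (not stated on the page): $PLUTO_VERB, $PLUTO_CONNECTION,
# $PLUTO_PEER_ID and $PLUTO_XAUTH_ID are exported to the script, each CHILD_SA
# produces one up-* and one down-* call, and on a rekey the new SA's "up" can
# run before the old SA's "down". SESSION_DIR is a hypothetical path.

SESSION_DIR="${SESSION_DIR:-/var/run/ipsec-sessions}"

# Stable key for "this identity on this connection". Keyed on identity rather
# than on the peer address, so a rekey maps to the same record while a
# reconnect, after the record has been removed, gets a fresh identifier.
# Hex-encoded so DN-style peer IDs (commas, spaces) are safe as a file name.
session_key() {
    printf '%s|%s|%s' "$PLUTO_CONNECTION" "$PLUTO_PEER_ID" "${PLUTO_XAUTH_ID:-}" \
        | od -An -tx1 | tr -d ' \n'
}

# Random identifier: kernel UUID where available, otherwise 128 random bits.
new_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Reference-counted record: line 1 is the session id, line 2 the number of
# live CHILD_SAs. "up" creates it or bumps the count (rekey); "down" decrements
# and removes it when no SA remains. Prints the id; returns 1 on a "down" for
# an unknown session.
session_id_for_event() {
    verb="$1"
    mkdir -p "$SESSION_DIR"
    rec="$SESSION_DIR/$(session_key)"
    case "$verb" in
        up-*)
            if [ -f "$rec" ]; then
                id=$(sed -n 1p "$rec"); n=$(( $(sed -n 2p "$rec") + 1 ))
            else
                id=$(new_uuid); n=1
            fi
            printf '%s\n%s\n' "$id" "$n" > "$rec"
            echo "$id" ;;
        down-*)
            [ -f "$rec" ] || return 1
            id=$(sed -n 1p "$rec"); n=$(( $(sed -n 2p "$rec") - 1 ))
            if [ "$n" -le 0 ]; then
                rm -f "$rec"
            else
                printf '%s\n%s\n' "$id" "$n" > "$rec"
            fi
            echo "$id" ;;
    esac
}

# Entry point when charon runs this as the updown script: tag every event
# with the session id so up/down pairs can be matched in the logs.
updown_main() {
    id=$(session_id_for_event "$PLUTO_VERB") || id="unknown"
    logger -t ipsec-session \
        "verb=$PLUTO_VERB session=$id conn=$PLUTO_CONNECTION peer_id=$PLUTO_PEER_ID xauth=${PLUTO_XAUTH_ID:-}"
}

if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Two caveats for production use: charon can run several updown instances concurrently, so the read-modify-write of the record needs a lock (for example `flock` on the record file); and if the same identity may hold more than one session at once, add a per-session value that survives rekeying (such as the assigned virtual IP in $PLUTO_PEER_CLIENT) to the key, otherwise those sessions would share an identifier.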
