[strongSwan] Identifying IPSEC user sessions

Andrew Foss afoss at actmobile.com
Sun Apr 26 01:35:16 CEST 2015


I just wrestled with this in an attempt to get some byte counters in my 
updown scripts.

I ended up doing a patch. I have tried two ways, we use a custom cert 
for each ipsec client and an XAuthName, so they are available in the 

you might check those two vars in your updown and see if they provide 
the id you are looking for...


On 4/25/15 2:37 PM, Jiri Horky wrote:
> Hi list,
> I am sure somebody solved the same problem in the past as well. We would
> like to have a fixed session identifier throughout the lifetime of an
> IPSec tunnel (clients connection) even when rekeying happens on IKE
> SA/CHILD SA. This is to ensure that we can match the up/down events,
> that we catch in a custom handler. Also, this identifier should be
> globally unique per servers/multiple user sessions, i.e. if an user from
> the same IP goes to the same server, we should have a new session
> identifier.
> I was thinking of generating an UUID field when the session up event
> happens, and assigning it to some struct which strongswan must have for
> the IPSEC  connection (I guess there is such a thing). Then to pass this
> information to the handler when session down happens.
> Is there a better/easier way how to achieve this? If not, and I am not
> completely wrong, could you please point me to the right place where I
> should add the field (i.e. which struct should hold the connection
> throughout its entire lifetime).
> Thank you!
> Jiri Horky
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list