[strongSwan] Logging traffic usage counters for an entire client session

flyingrhino flyingrhino at orcon.net.nz
Mon Jul 16 03:26:17 CEST 2018

Hi fellow Swan'ers,

I'm trying to log the traffic usage of VPN client sessions when they 
disconnect (how much traffic they used during their session). I can 
trigger a script on the "down" event easily with 
leftupdown=/usr/local/bin/updownScript.sh, but there are no usage stats 
in the environment variables passed to the script.

Are the usage counters available somewhere else that I'm not aware of? 
Perhaps a plugin that adds these vars to the "down" env?

My troubleshooting:

I know of the 'counters' plugin that exposes the IKE counters via 'ipsec 
listcounters', as well as the 'ipsec statusall' command that gives this 
info under the relevant SA:

CertName{24}:  AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts, 100s ago), 7933390 bytes_o (6414 pkts, 101s ago), rekeying in 3 minutes.

However, the counters reset when the rekeying happens again, so even if 
I wanted to count the stats per SA I'd need to script a periodic check 
and a state machine to track the SA's connection:

CertName{25}:  AES_CBC_256/HMAC_SHA2_384_192, 127 bytes_i (2 pkts, 2s ago), 120 bytes_o (3 pkts, 1s ago), rekeying in 14 minutes.

It could be possible to do this via iptables too, with a rule marked per 
session, then read the counters from there. But it is as awkward as the 
state machine above...
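The "periodic check plus state machine" approach described in the post, as an added example that is not part of the original message or of strongSwan itself: it parses the CHILD_SA lines of `ipsec statusall`, remembers the last counters seen for every CHILD_SA id under a connection name, and sums them when the connection disappears, so a rekey (new `{id}`, counters back at zero) no longer loses the earlier SA's bytes. The snapshots fed to it below are constructed sample output, and the connection name `CertName` and SA ids are taken from the post; sessions are keyed by connection name only, which is an assumption that works when each client has its own conn.

```python
import re
from dataclasses import dataclass, field

# Matches a CHILD_SA counter line of `ipsec statusall`, e.g.
#   CertName{24}:  AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts, 100s ago), 7933390 bytes_o (...)
# A CHILD_SA that has carried no packets yet is printed as "0 bytes_i, 0 bytes_o"
# without the parenthesised packet counts, so that part is optional.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<sa_id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts[^)]*\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts[^)]*\))?"
)


@dataclass
class ChildSaCounters:
    name: str
    sa_id: int
    bytes_i: int
    bytes_o: int


def parse_statusall(text):
    """Return the CHILD_SA counters found in one `ipsec statusall` snapshot."""
    found = []
    for line in text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:  # IKE_SA lines (Name[3]: ...) and traffic-selector lines do not match
            found.append(ChildSaCounters(m["name"], int(m["sa_id"]),
                                         int(m["bytes_i"]), int(m["bytes_o"])))
    return found


@dataclass
class Session:
    # Last counters seen for every CHILD_SA id that belonged to this connection.
    # After a rekey the old id stops appearing, but its last reading stays here,
    # so the session total survives the counters restarting at zero in the new SA.
    sa_counters: dict = field(default_factory=dict)

    def total(self):
        return (sum(c.bytes_i for c in self.sa_counters.values()),
                sum(c.bytes_o for c in self.sa_counters.values()))


class SessionAccountant:
    """State machine fed with successive statusall snapshots (e.g. from cron)."""

    def __init__(self):
        self.sessions = {}  # connection name -> Session

    def poll(self, statusall_text):
        """Record one snapshot; return {name: (bytes_i, bytes_o)} for sessions that ended."""
        seen = set()
        for c in parse_statusall(statusall_text):
            seen.add(c.name)
            self.sessions.setdefault(c.name, Session()).sa_counters[c.sa_id] = c
        ended = {}
        for name in list(self.sessions):
            if name not in seen:  # no CHILD_SA left for this conn: client is gone
                ended[name] = self.sessions.pop(name).total()
        return ended


# Constructed sample snapshots: connect, overlap during rekey, after rekey, disconnect.
SAMPLE_POLLS = [
    "Security Associations (1 up, 0 connecting):\n"
    "   CertName[3]: ESTABLISHED 5 minutes ago, 203.0.113.10[server]...198.51.100.7[client]\n"
    "   CertName{24}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o\n"
    "   CertName{24}:  AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts, 100s ago), "
    "7933390 bytes_o (6414 pkts, 101s ago), rekeying in 3 minutes\n"
    "   CertName{24}:   10.0.0.0/24 === 10.1.0.1/32\n",
    "   CertName{24}:  AES_CBC_256/HMAC_SHA2_384_192, 315900 bytes_i (4003 pkts, 1s ago), "
    "7933500 bytes_o (6415 pkts, 1s ago), rekeying active\n"
    "   CertName{25}:  AES_CBC_256/HMAC_SHA2_384_192, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes\n",
    "   CertName{25}:  AES_CBC_256/HMAC_SHA2_384_192, 5000 bytes_i (40 pkts, 2s ago), "
    "6000 bytes_o (50 pkts, 1s ago), rekeying in 12 minutes\n",
    "Security Associations (0 up, 0 connecting):\n  none\n",
]


def account_sample():
    """Run the sample snapshots through the accountant; return the sessions that ended."""
    acct = SessionAccountant()
    ended = {}
    for snapshot in SAMPLE_POLLS:
        ended.update(acct.poll(snapshot))
    return ended


if __name__ == "__main__":
    for name, (bytes_i, bytes_o) in account_sample().items():
        print(f"{name}: session ended, {bytes_i} bytes in, {bytes_o} bytes out")
```

Two limitations are inherent to this approach rather than to the code: traffic sent between the last poll and the moment a CHILD_SA is deleted is never seen, so a short polling interval matters, and keying by connection name breaks down when many clients share one conn (you would then key on the IKE_SA id and remote identity printed on the `Name[id]` line instead).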


