[strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

Houman houmie at gmail.com
Mon Apr 15 20:13:19 CEST 2019


We got a notification from the German Federal Office for Information
Security that one of our users has been using a website with malware to
steal personal information and commit online-banking fraud. To cover their
tracks they have been using our StrongSwan VPN.

We have now blocked the IPs that resolve to the given website to prevent
this from happening. Unfortunately, the freeRadius logs and syslog we have
in place are not enough to pinpoint it to the exact culprit.

Is there a way to run strongswan with maximum verbose logs to see which
EAP-Radius user has been accessing which IP address at what time? We would
like to ban users like this in future.

From Freeradius we get to see the acctstartdate, acctupdatedate and
acctstopdate but there is no way to relate this to their activities.

Many Thanks,