[strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Apr 15 20:26:00 CEST 2019


Hello Houman,

No, that is not a layer that strongSwan or freeradius does have access to. You need to log (and account) the user's traffic using, for example, a netflow collector or ulogd2 (which can use Linux's native conntrack connection tracking system) to capture the relevant data. Using ulogd2 is advised, because unless you disabled conntrack for the relevant connections, you are basically guaranteed to get all information from conntrack (unless ulogd2 can't keep up, but then you don't have enough resources, so you have another issue already).

Kind regards

Noel

On 15.04.19 at 20:13, Houman wrote:
> Hello,
>
> We got a notification from the German Federal Office for Information Security that one of our users has been using a website with malware to steal personal information and commit online-banking fraud. To cover their tracks they have been using our StrongSwan VPN.
>
>
> We have now blocked the IPs that resolve to the given website to prevent this from happening. Unfortunately, the freeRadius logs and syslog we have in place are not enough to pinpoint it to the exact culprit.
>
>
> Is there a way to run strongswan with maximum verbose logs to see which EAP-Radius user has been accessing which IP address at what time? We would like to ban users like this in future.
>
>
> From Freeradius we get to see the acctstartdate, acctupdatedate and acctstopdate but there is no way to relate this to their activities.
>
>
>
> Many Thanks,
>
> Houman
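
The correlation that flow logging makes possible, as an added example that is not part of the original thread and is not strongSwan, FreeRADIUS or ulogd2 code: each flow is attributed to the user whose accounting session held the source virtual IP at that moment, which matters because virtual IPs are reused between sessions. It assumes the accounting records carry the client's virtual IP; the session and flow tuples are constructed sample data, not the real output format of either tool.

```python
from datetime import datetime
from ipaddress import ip_address

TS = "%Y-%m-%d %H:%M:%S"

# Constructed accounting rows: (user, virtual IP, acctstartdate, acctstopdate or None).
# The virtual-IP column is an assumption about what the accounting data contains.
SESSIONS = [
    ("alice", "10.10.0.5", "2019-04-15 09:00:00", "2019-04-15 10:00:00"),
    ("bob",   "10.10.0.5", "2019-04-15 10:05:00", None),  # same IP reused, still online
    ("carol", "10.10.0.6", "2019-04-15 09:30:00", "2019-04-15 11:00:00"),
]

# Constructed flow records: (flow start, original source IP, destination IP, dest port).
FLOWS = [
    ("2019-04-15 09:45:10", "10.10.0.5", "203.0.113.7", 443),
    ("2019-04-15 10:20:00", "10.10.0.5", "203.0.113.7", 443),
    ("2019-04-15 10:02:00", "10.10.0.5", "198.51.100.9", 80),  # between two leases
    ("2019-04-15 09:50:00", "10.10.0.6", "192.0.2.20", 53),
]

def parse(ts):
    return datetime.strptime(ts, TS) if ts else None

def user_for_flow(flow, sessions=SESSIONS):
    """Return the user whose session held the flow's source IP at flow start, else None."""
    when, src = parse(flow[0]), ip_address(flow[1])
    for user, vip, start, stop in sessions:
        if ip_address(vip) != src:
            continue
        begin, end = parse(start), parse(stop)
        # A session without a stop date is still open and covers everything after its start.
        if begin <= when and (end is None or when <= end):
            return user
    return None

def users_contacting(dst, flows=FLOWS, sessions=SESSIONS):
    """List (time, user) for every flow to dst; user is None when no session matches."""
    target = ip_address(dst)
    hits = [(f[0], user_for_flow(f, sessions)) for f in flows if ip_address(f[2]) == target]
    return sorted(hits, key=lambda h: h[0])

if __name__ == "__main__":
    for when, user in users_contacting("203.0.113.7"):
        print(when, user or "unattributed")
```

A flow that falls outside every session window comes back unattributed rather than being pinned on whoever held the address before or after, which usually points to clock skew or missing accounting updates.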
