[strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

Houman houmie at gmail.com
Tue Apr 16 22:19:26 CEST 2019

Hello Noel,

Thank you very much for your detailed answer. I started looking into
ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will
find my way around it eventually. If you have a good recommendation
please let me know.

Do you recommend keeping ulogd2's logs locally or rather feed them into a
local LogStash?  I wonder which one is faster and less resource hungry.

Many Thanks,

On Mon, 15 Apr 2019 at 19:26, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello Houman,
> No, that is not a layer that strongSwan or freeradius does have access to.
> You need to log (and account) the user's traffic using, for example, a
> netflow collector or ulogd2 (which can use Linux's native conntrack
> connection tracking system) to capture the relevant data. Using ulogd2 is
> advised, because unless you disabled conntrack for the relevant
> connections, you are basically guaranteed to get all information from
> conntrack (unless ulogd2 can't keep up, but then you don't have enough
> resources, so you have another issue already).
> Kind regards
> Noel
> Am 15.04.19 um 20:13 schrieb Houman:
> > Hello,
> >
> > We got a notification from the German Federal Office for Information
> Security that one of our users has been using a website with malware to
> steal personal information and commit online-banking fraud. To cover their
> tracks they have been using our StrongSwan VPN.
> >
> >
> > We have now blocked the IPs that resolve to the given website to prevent
> this from happening.  Unfortunately, The freeRadius logs and syslog we have
> in place are not enough to pinpoint it to the exact culprit.
> >
> >
> > Is there a way to run strongswan with maximum verbose logs to see which
> EAP-Radius user has been accessing which IP address at what time? We would
> like to ban users like this in future.
> >
> >
> > From Freeradius we get to see the acctstartdate, acctupdatedate and
> acctstopdate but there is no way to relate this to their activities.
> >
> >
> >
> > Many Thanks,
> >
> > Houman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190416/48efcc4d/attachment.html>

More information about the Users mailing list