[strongSwan] How to determine how many connections are currently active?

Andreas Steffen andreas.steffen at strongswan.org
Wed Jul 31 16:28:38 CEST 2019


Hi Houman,

The CHILD SAs are the actual tunnels carrying encrypted data. The
IKE SA is used for peer authentication and the setup of the
CHILD SAs. In principle an IKE SA can define multiple CHILD SAs
if you want to connect multiple subnets behind the two VPN gateways
with each other.

Regards

Andreas

On 31.07.19 12:43, Houman wrote:
> Hi Andreas,
> 
> Thank you very much.  That worked nicely, much easier than I thought it
> would be.
> 
> The difference between INSTALLED (519) and ESTABLISHED (520) was nearly
> the same in my case.   What is the main difference between them in this
> context?
> 
> Many Thanks,
> Houman
> 
> On Wed, 31 Jul 2019 at 11:14, Andreas Steffen
> <andreas.steffen at strongswan.org>
> wrote:
> 
>     Hi Houman,
> 
>     you can get the number of active IKE SAs via
> 
>       swanctl --list-sas | grep ESTABLISHED | wc -l
> 
>     if you are using the vici interface or
> 
>       ipsec statusall | grep ESTABLISHED | wc -l
> 
>     if you are using the legacy whack interface.
> 
>     For the total number of active CHILD SAs replace ESTABLISHED
>     by INSTALLED in the grep query.
> 
>     Best regards
> 
>     Andreas
> 
>     On 31.07.19 10:05, Houman wrote:
>     > Good morning,
>     >
>     >
>     > What is the best way to determine how many connections are currently
>     > active on the StrongSwan server? 
>     >
>     >
>     > Maybe there is a simpler way but I thought of one way. I’m using
>     > FreeRadius with MySQL DB as storage.
>     >
>     >
>     > There are three fields that capture the start (acctstarttime), ongoing
>     > (acctupdatetime) and the end (acctstoptime) of a connection.
>     >
>     >
>     > I could theoretically filter for all acctupdatetime that start from
>     > today and have an acctstoptime that is null.  The count of these
>     > records would be the approximate number of active connections to the
>     > server.
>     >
>     >
>     > Is there a better way to achieve this or do you agree to this
>     > approach?
>     >
>     >
>     >
>     > Many Thanks,
>     >
>     > Houman
>     >
> 
>     -- 
>     ======================================================================
>     Andreas Steffen                         andreas.steffen at strongswan.org
>     strongSwan - the Open Source VPN Solution!          www.strongswan.org
>     Institute for Networked Solutions
>     HSR University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[INS-HSR]==
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
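
Added example, not part of the original thread: a shell/awk counter that ties each INSTALLED CHILD SA to its parent ESTABLISHED IKE SA, so the one-to-many relationship described above is visible instead of two separate grep totals. The sample text is constructed and its layout is assumed to match `swanctl --list-sas` output; `sample_list_sas` and `count_sas` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample, laid out like `swanctl --list-sas` output (the layout is
# an assumption; names and addresses are documentation values, not real hosts).
sample_list_sas() {
cat <<'EOF'
gw-gw: #1, ESTABLISHED, IKEv2, 1111111111111111_i* 2222222222222222_r
  local  'gw-a.example.org' @ 192.0.2.1[4500]
  remote 'gw-b.example.org' @ 198.51.100.1[4500]
  established 120s ago, rekeying in 13000s
  net-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 120s ago, rekeying in 3000s
    local  10.1.0.0/16
    remote 10.2.0.0/16
  net-2: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 118s ago, rekeying in 3100s
    local  10.3.0.0/16
    remote 10.4.0.0/16
rw: #2, ESTABLISHED, IKEv2, 3333333333333333_i 4444444444444444_r*
  local  'gw-a.example.org' @ 192.0.2.1[4500]
  remote 'user1@example.org' @ 203.0.113.7[4500]
  established 30s ago, rekeying in 14000s
  rw: #3, reqid 3, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 30s ago, rekeying in 3200s
rw: #3, ESTABLISHED, IKEv2, 5555555555555555_i 6666666666666666_r*
  local  'gw-a.example.org' @ 192.0.2.1[4500]
  remote 'user2@example.org' @ 203.0.113.8[4500]
  established 2s ago, rekeying in 14100s
EOF
}

# Reads list-sas text on stdin and prints one summary line.
# Unindented lines start an IKE SA; lines indented by exactly two spaces that
# carry the state field INSTALLED are CHILD SAs of the IKE SA above them.
count_sas() {
  awk -F', *' '
    /^[^ ]/  { cur = ++seen; est[cur] = 0
               for (i = 2; i <= NF; i++) if ($i == "ESTABLISHED") { est[cur] = 1; ike++ }
               next }
    /^  [^ ]/ { for (i = 2; i <= NF; i++) if ($i == "INSTALLED") { child++; kids[cur]++ } }
    END { for (k = 1; k <= seen; k++) {
            if (est[k] && !kids[k]) empty++      # IKE SA with no tunnel installed
            if (kids[k] > 1) multi++             # IKE SA carrying several CHILD SAs
          }
          printf "ike=%d child=%d ike_without_child=%d ike_with_multiple=%d\n",
                 ike, child, empty, multi }'
}

sample_list_sas | count_sas   # on a live gateway: swanctl --list-sas | count_sas
```

In this sample the two grep totals are both 3, yet one IKE SA has two CHILD SAs and another has none, so equal or near-equal totals do not imply one tunnel per peer.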

