[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

Houman houmie at gmail.com
Tue Sep 10 09:06:21 CEST 2019

Hello Tobias,

Thank you for your reply.

> Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).

This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe
I should explain the use case I'm trying to achieve.

I have set up a limit by monthly-usage in FreeRadius. Each user can use 10
GB and after that, any attempt to connect to the VPN server fails.

echo 'ATTRIBUTE       Monthly-Usage          3001    integer64' >>

sed -i '/authorize {/a\
   update request {\
                Monthly-Usage = "%{sql:SELECT
COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE
`username`='"'"'%{User-Name}'"'"' AND
Month(acctupdatetime)=(Month(NOW())) AND
' /etc/freeradius/3.0/sites-enabled/default

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES

This works, however, once the limit has been reached, he continues to
remain connected, nothing forces him out. Only if he disconnects and tries
to connect again, he would be prevented.  I was thinking to check every 5
minutes to see if someone has reached the monthly usage and is still
connected to kick him out.

Do you think that is possible to do via FreeRadius?

> What do you mean?  [1] provides an overview and has a link to the
> README.md file that describes the available commands and even contains
> simple code examples.  The Python bindings are basically a wrapper that
> provides a convenient interface for these commands.

Ah, my bad. I was looking at https://pypi.org/project/vici/ but I found more
documentation at the GitHub project.

> That returns the configured connections, so that's not really useful to
> you.  More interesting will be the list of established IKE_SAs
> (s.list_sas).

> There is no option to filter by remote/user ID, so you have
> to enumerate the established SAs (list-sa documents the returned
> information) and check remote-(eap-)id yourself.

Perfect. I think the username in Radcheck is the same as the
remote-(eap-)id you mentioned. So I have to find a way to filter that
within the IKE_SA and then to terminate the IKE_SA itself.  Just to be
clear there is always a 1:1 relationship between IKE_SA and a user at a
time, correct?  If I end an IKE_SA, I won't be kicking several users by
mistake? It will be only the one user using that? So in other words what
I'm trying to achieve is possible with Vici right?

Many Thanks,
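
The approach discussed in this message (enumerate the established IKE_SAs with list_sas, compare remote-(eap-)id, terminate the matches), as an added example that is not part of the original post or of the strongSwan project's code. It assumes the vici Python bindings on the VPN server; `disconnect_users` and `to_text` are hypothetical names, and the list of over-quota usernames is assumed to come from the accounting query.

```python
# Added example: terminate the IKE_SAs of given users through vici.
# `session` is a vici.Session, or any object offering list_sas() and terminate().

def to_text(value):
    """vici returns values as bytes under Python 3; normalise to str."""
    return value.decode() if isinstance(value, bytes) else str(value)

def disconnect_users(session, usernames):
    """Terminate every established IKE_SA whose remote identity is in
    `usernames`; return {username: [uniqueid, ...]} of what was terminated."""
    wanted = set(usernames)
    hits = []
    # Collect matches first: list_sas() is a streamed request, so no other
    # command is issued on the same session until the stream is drained.
    for entry in session.list_sas():
        for _conn_name, sa in entry.items():
            # EAP clients carry the username in remote-eap-id; without EAP
            # the identity is in remote-id.
            ident = to_text(sa.get("remote-eap-id") or sa.get("remote-id") or b"")
            if ident in wanted:
                hits.append((ident, to_text(sa["uniqueid"])))
    terminated = {}
    for ident, uniqueid in hits:
        # ike-id selects exactly one IKE_SA by its unique ID. terminate()
        # streams control-log messages and only runs when iterated.
        for _log in session.terminate({"ike-id": uniqueid}):
            pass
        terminated.setdefault(ident, []).append(uniqueid)
    return terminated

if __name__ == "__main__":
    import sys
    import vici  # needs access to the charon vici socket
    print(disconnect_users(vici.Session(), sys.argv[1:]))
```

A user connected from several devices appears as several IKE_SAs, so the returned list for one username can hold more than one unique ID.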