flyingrhino
2018-07-16 01:26:17 UTC
Hi fellow Swan'ers,
I'm trying to log the traffic usage of VPN client sessions when they
disconnect (how much traffic they used during their session). I can
trigger a script at the "down" event easily with:
leftupdown=/usr/local/bin/updownScript.sh, but there are no usage stats
in the environment variables passed to the script.
Are the usage counters available somewhere else that I'm not aware of?
Perhaps a plugin that adds these vars to the "down" env?
My troubleshooting:
I know of the 'counters' plugin that exposes the IKE counters 'ipsec
listcounters', as well as the 'ipsec statusall' command that gives this
info under the relevant SA:
CertName{24}: AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts,
100s ago), 7933390 bytes_o (6414 pkts, 101s ago), rekeying in 3 minutes.
However, the counters reset when the rekeying happens again, so even if
I wanted to count the stats per SA I'd need to script a periodic check
and a state machine to track the SA's connection:
CertName{25}: AES_CBC_256/HMAC_SHA2_384_192, 127 bytes_i (2 pkts, 2s
ago), 120 bytes_o (3 pkts, 1s ago), rekeying in 14 minutes.
It could be possible to do this via iptables too, with a rule marked per
session, then read the counters from there. But it is as awkward as the
state machine above...
Thanks.
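The periodic check plus state machine sketched in the post, written out as an added example (not the poster's script and not part of strongSwan): it parses the CHILD_SA counter lines of `ipsec statusall`, banks the last-seen counters of a CHILD_SA when a rekey replaces it with a new unique id (the number in braces), and reports the per-session totals once the connection disappears from the output. The three snapshots are constructed from the two lines quoted in the post; sessions are keyed on the connection name, which assumes one client per conn name.

```python
import re
from dataclasses import dataclass

# Matches the CHILD_SA usage line of `ipsec statusall`, e.g.
# "CertName{24}: AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts, 100s ago), 7933390 bytes_o (...)"
# The number in braces is the CHILD_SA unique id, which changes on every rekey.
CHILD_SA_RE = re.compile(
    r"^(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i \((?P<pkts_i>\d+) pkts[^)]*\),\s+"
    r"(?P<bytes_o>\d+) bytes_o \((?P<pkts_o>\d+) pkts"
)


def parse_child_sas(statusall_output):
    """Return {(conn_name, child_id): (bytes_i, bytes_o)} for each CHILD_SA counter line."""
    sas = {}
    for line in statusall_output.splitlines():
        m = CHILD_SA_RE.match(line.strip())
        if m:
            sas[(m["name"], int(m["id"]))] = (int(m["bytes_i"]), int(m["bytes_o"]))
    return sas


@dataclass
class Session:
    name: str
    child_id: int      # CHILD_SA currently being tracked
    last_i: int = 0    # latest counter reading of that CHILD_SA
    last_o: int = 0
    done_i: int = 0    # bytes banked from CHILD_SAs already replaced by rekeying
    done_o: int = 0

    def total(self):
        return self.done_i + self.last_i, self.done_o + self.last_o


class UsageTracker:
    """State machine fed with successive `ipsec statusall` snapshots."""

    def __init__(self):
        self.sessions = {}  # conn name -> Session

    def poll(self, statusall_output):
        """Ingest one snapshot; return [(name, bytes_in, bytes_out)] for sessions that ended."""
        by_name = {}
        for (name, child_id), counters in parse_child_sas(statusall_output).items():
            by_name.setdefault(name, {})[child_id] = counters

        for name, children in by_name.items():
            s = self.sessions.get(name)
            if s is not None and s.child_id in children:
                # Old SA may still be listed during a rekey: take its final reading first.
                s.last_i, s.last_o = children[s.child_id]
            newest = max(children)
            if s is None:
                bi, bo = children[newest]
                self.sessions[name] = Session(name, newest, bi, bo)
            elif s.child_id != newest:
                # Rekeyed: counters restart at zero on the new SA, so bank the old ones.
                s.done_i += s.last_i
                s.done_o += s.last_o
                s.child_id = newest
                s.last_i, s.last_o = children[newest]

        finished = []
        for name in list(self.sessions):
            if name not in by_name:        # conn gone from statusall: session is down
                s = self.sessions.pop(name)
                finished.append((name, *s.total()))
        return finished


# Constructed snapshots built from the two lines quoted in the post (assumed poll order).
SNAPSHOTS = [
    "CertName{24}: AES_CBC_256/HMAC_SHA2_384_192, 315872 bytes_i (4002 pkts, "
    "100s ago), 7933390 bytes_o (6414 pkts, 101s ago), rekeying in 3 minutes.",
    "CertName{25}: AES_CBC_256/HMAC_SHA2_384_192, 127 bytes_i (2 pkts, 2s "
    "ago), 120 bytes_o (3 pkts, 1s ago), rekeying in 14 minutes.",
    "",  # client disconnected: no CHILD_SA line left
]


def run_demo(snapshots=SNAPSHOTS):
    tracker = UsageTracker()
    finished = []
    for snap in snapshots:
        finished.extend(tracker.poll(snap))
    return finished


if __name__ == "__main__":
    for name, bytes_in, bytes_out in run_demo():
        print(f"{name}: {bytes_in} bytes in, {bytes_out} bytes out")
```

The totals are a lower bound: bytes sent between the last poll of a CHILD_SA and its removal are not counted, so the poll interval should be well below the rekey time. For road-warrior setups where many clients share one conn name, the session key would have to come from the IKE_SA line (the `[id]` and remote identity) rather than the conn name alone.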