Issue #3088

Why ipsec status couldn't display windows clients

Added by John YU 3 months ago. Updated 3 months ago.

Status:
Feedback
Priority:
Low
Assignee:
-
Category:
-
Affected version:
5.6.0
Resolution:

Description

I used the command "ipsec status" to see the status of all current clients. I found that Android clients with strongSwan and iOS clients are displayed, but Windows clients aren't. Why?

Also, iOS clients only display an IP, no user name is displayed. Just like:

Security Associations (2 up, 0 connecting):
ios_ikev2[3]: ESTABLISHED 42 seconds ago, server ip[server domain]...external ip[192.168.0.114]
ios_ikev2{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: f9199b1f_i 0f681235_o
ios_ikev2{2}: 0.0.0.0/0 === 10.10.10.2/32
ios_ikev2[2]: ESTABLISHED 93 seconds ago, server ip[server domain]...external ip[client1]
ios_ikev2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: fa169212_i 1925b24a_o
ios_ikev2{1}: 0.0.0.0/0 === 10.10.10.1/32

Is it a bug? Or my misuse? Thanks!

History

#1 Updated by Tobias Brunner 3 months ago

  • Status changed from New to Feedback

But windows clients couldn't be displayed. Why?

What do you mean? Is there such a client even connected? If not, what exactly are you expecting to see?

Also, iOS clients only display an IP, no user name is displayed.

ipsec status only displays "usernames" on a separate line if XAuth or EAP authentication with a different identity was used (the values in [] are the IKE identities).

#2 Updated by John YU 3 months ago

I mean, the command "ipsec status" couldn't display windows clients. I can't find windows clients with this command when windows clients are connected.

Anyway, the values in [] are not the clients' usernames, but IP addresses. Is it possible to fix it?

#3 Updated by Tobias Brunner 3 months ago

I mean, the command "ipsec status" couldn't display windows clients. I can't find windows clients with this command when windows clients are connected.

That makes no sense. If they are connected via IKE, there MUST be an entry in the status output.

Anyway, the values in [] are not the clients' usernames, but IP addresses. Is it possible to fix it?

As I said above, these are the identities (i.e. the value on the right depends on the client's configuration/implementation), and whether a separate EAP identity is shown depends on the authentication method (i.e. change that if you want a different result).

#4 Updated by John YU 3 months ago

OK. Could you please tell me why the command "ipsec status" couldn't display windows clients? I can't find windows clients with this command when windows clients are connected. Thanks

#5 Updated by Tobias Brunner 3 months ago

Could you please tell me why the command "ipsec status" couldn't display windows clients? I can't find windows clients with this command when windows clients are connected.

As I said, that makes no sense. Either these clients are not connected at all, or not connected to this IKE daemon (e.g. because they use a different VPN protocol or connect to a different server). It's also possible that you are interpreting the output incorrectly.

#6 Updated by John YU 3 months ago

Of course they are connected to the server. Just I don't know which algorithms they are using. But I can make sure that they connected to the server via IKEv2/IPSec protocol because I forced the clients to use IKEv2 protocol in the configuration. Is there any way to show whether they are connected or not?

For windows server, I can see all the clients. Thanks

#7 Updated by Tobias Brunner 3 months ago

Of course they are connected to the server.

I very much doubt that, otherwise, you'd see them in the status output.

Just I don't know which algorithms they are using.

What do you mean?

Is there any way to show whether they are connected or not?

ipsec status, or do you mean on the client? If so, I guess you could check the VPN adapter's status window.

For windows server, I can see all the clients.

So they are actually connected to a different server? Or what do you mean?

#8 Updated by John YU 3 months ago

Of course they are connected to the server.

I very much doubt that, otherwise, you'd see them in the status output.

Because it was me who was doing a test and using a windows computer as a client to connect to the server. So I definitely know that. No doubt.

Just I don't know which algorithms they are using.

What do you mean?

Because you said "they use a different VPN protocol". Anyway, forget this point.

Is there any way to show whether they are connected or not?

ipsec status, or do you mean on the client? If so, I guess you could check the VPN adapter's status window.

No, on the server. I want to see how many clients are connected to the server and who they are.

For windows server, I can see all the clients.

So they are actually connected to a different server? Or what do you mean?

I mean, it seems that windows server can meet the requirement of checking all the clients and knowing who they are.

#9 Updated by Tobias Brunner 3 months ago

Because it was me who was doing a test and using a windows computer as a client to connect to the server. So I definitely know that. No doubt.

I can only repeat myself. If that was actually the case, you'd see these clients in the status output. Either they are not connected, or you are misinterpreting the status output (post it and more information about the clients, e.g. IP addresses and identities, if you need help with that).

#10 Updated by John YU 3 months ago

OK. It seems my fault. Windows clients can now be seen by this command.

I just want to know, is there any solution to show how many clients are online and how much traffic has been used? Thanks

#11 Updated by Tobias Brunner 3 months ago

I just want to know, is there any solution to show how many clients are online and how much traffic has been used?

You get more information with ipsec statusall (actually even more via vici). But the statistics are per IPsec SA, i.e. each CHILD_SA rekeying creates new SAs with reset counters. You can get accumulated data via RADIUS accounting (no need to authenticate via RADIUS for it to work).
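The question in this thread (how many clients are online and who they are) can be answered by parsing the status output the reporter quoted. The following parser is an added example, not part of the issue or of strongSwan: it reads `ipsec status`/`ipsec statusall` text, groups the CHILD_SAs under the ESTABLISHED IKE_SA they follow, and reports the IKE identity, the separate EAP/XAuth identity line when one is present, the virtual IP and the per-CHILD_SA byte counters. The sample input is constructed (brackets restored around the IKE_SA numbers, addresses and identities made up), and the exact layout of the identity and counter lines is assumed from strongSwan's stroke status output; check it against your version.

```python
import re

# Constructed sample in the layout quoted in the issue, plus the separate
# identity line and the per-CHILD_SA counters that `ipsec statusall` adds.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
 ios_ikev2[3]: ESTABLISHED 42 seconds ago, 203.0.113.10[vpn.example.org]...198.51.100.7[192.168.0.114]
 ios_ikev2[3]: Remote EAP identity: alice
 ios_ikev2{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: f9199b1f_i 0f681235_o
 ios_ikev2{2}:  AES_GCM_16_128, 12340 bytes_i (120 pkts, 5s ago), 5678 bytes_o (90 pkts, 5s ago), rekeying in 45 minutes
 ios_ikev2{2}:   0.0.0.0/0 === 10.10.10.2/32
 ios_ikev2[2]: ESTABLISHED 93 seconds ago, 203.0.113.10[vpn.example.org]...198.51.100.9[client1]
 ios_ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: fa169212_i 1925b24a_o
 ios_ikev2{1}:  AES_GCM_16_128, 100 bytes_i (2 pkts, 1s ago), 200 bytes_o (3 pkts, 1s ago), rekeying in 50 minutes
 ios_ikev2{1}:   0.0.0.0/0 === 10.10.10.1/32
"""
IKE_RE = re.compile(r'^\s*(\S+)\[(\d+)\]: ESTABLISHED (.+?), \S+?\[[^\]]*\]\.\.\.(\S+?)\[([^\]]*)\]')
ANY_IKE_RE = re.compile(r'^\s*\S+\[(\d+)\]:')
AUTHID_RE = re.compile(r'^\s*\S+\[(\d+)\]: Remote (?:EAP|XAuth) identity: (.+?)\s*$')
CHILD_RE = re.compile(r'^\s*\S+\{\d+\}:\s+(.*)$')
BYTES_RE = re.compile(r'(\d+) bytes_i .*?(\d+) bytes_o')
TS_RE = re.compile(r'=== (\S+)')

def parse_status(text):
    """One dict per ESTABLISHED IKE_SA, with the CHILD_SAs printed under it folded
    in. Byte counters are per CHILD_SA and restart at each rekeying (a snapshot)."""
    clients, cur = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            cur = {'conn': m[1], 'ike_id': int(m[2]), 'age': m[3], 'remote_host': m[4],
                   'remote_id': m[5], 'auth_id': None, 'vips': [], 'bytes_in': 0, 'bytes_out': 0}
            clients.append(cur)
            continue
        m = ANY_IKE_RE.match(line)
        if cur is None or (m and int(m[1]) != cur['ike_id']):
            cur = None              # e.g. lines of a CONNECTING IKE_SA: skip them
            continue
        m = AUTHID_RE.match(line)
        if m:                       # EAP/XAuth identity, printed on its own line
            cur['auth_id'] = m[2]
            continue
        m = CHILD_RE.match(line)
        if m:
            b, t = BYTES_RE.search(m[1]), TS_RE.search(m[1])
            if b: cur['bytes_in'] += int(b[1]); cur['bytes_out'] += int(b[2])
            if t: cur['vips'].append(t[1])   # virtual IP from the traffic selector
    return clients
```

For accumulated traffic across rekeyings use RADIUS accounting as suggested above; this parser only sees the counters of the CHILD_SAs that exist at the moment of the snapshot.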