Issue #605

A closing IKEv2 connection - does not log a "closing CHILD_SA" event.

Added by Jason Kershaw over 11 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Affected version:
5.1.3
Resolution:
No feedback

Description

Hi,

I'm not sure if this is an issue or a feature request.

When an IKEv1 connection disconnects, strongSwan logs a "closing CHILD_SA" event, which contains details of the volume of traffic that has passed through the tunnel.
closing CHILD_SA Apple{1} with SPIs cfcd4cc7_i (2920 bytes) cabe7cc9_o (31296 bytes) and TS 192.168.3.210/32 === 10.0.64.1/32

We are then using that to evaluate an overall volume of activity for a given user/organisation.
Loglevels
default = -1
ike = 0

Disconnecting an IKEv2 connection does not log the same "closing CHILD_SA" event, only a "deleting IKE_SA".
I have tried increasing the log level and the event never gets logged.
The only way I found to have the information logged is to enable the option "inactivity=1m" as an example.
This will force the CHILD_SA to close for the IKEv2 connection and logs the event; however, this is not feasible as we would have to continually disconnect users to log traffic volumes.

Is there a configuration/compile option to enable this that I have missed?
If not, and it is a feature request, is it possible that IKEv2 connections log a "closing CHILD_SA" when the "IKE_SA" is requested?

I'm happy to provide further information or configurations as required.

Thanks
Jason

History

#1 Updated by Martin Willi over 11 years ago

Hi Jason,

> Disconnecting an IKEv2 connection does not log the same "closing CHILD_SA" event, only a "deleting IKE_SA".

The problem is that IKEv2 implicitly closes CHILD_SAs associated with IKE_SAs that are getting closed. There is no explicit exchange, hence it is not separately logged.

> We are then using that to evaluate an overall volume of activity for a given user/organisation.

Probably parsing the log output is not very reliable. There are other cases where this would not work.

Instead, have you considered using RADIUS accounting? It can be used without RADIUS authentication, and provides more reliable usage statistics to your AAA backend.

Alternatively, a custom plugin could work as well to report usage statistics to your system.

Regards
Martin
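As an added example (not code from the issue or from strongSwan), a parser for the "closing CHILD_SA" line quoted in the description that sums per-connection byte counts, and that also flags "deleting IKE_SA" lines, which, as Martin notes, carry no volume data, so an IKEv2 teardown contributes nothing to the totals. The sample log lines are constructed to match the quoted format; the exact layout of the "deleting IKE_SA" line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log (not captured from a real system). The first two lines
# mimic the IKEv1 teardown quoted in the issue; the third mimics an IKEv2
# teardown, whose layout is assumed and which carries no byte counts.
SAMPLE_LOG = """\
charon: 12[IKE] closing CHILD_SA Apple{1} with SPIs cfcd4cc7_i (2920 bytes) cabe7cc9_o (31296 bytes) and TS 192.168.3.210/32 === 10.0.64.1/32
charon: 05[IKE] closing CHILD_SA Apple{2} with SPIs 01020304_i (100 bytes) 0a0b0c0d_o (200 bytes) and TS 192.168.3.211/32 === 10.0.64.1/32
charon: 07[IKE] deleting IKE_SA Apple[3] between 10.0.0.1[vpn.example.org]...198.51.100.7[jason@example.org]
"""

CLOSING_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+?)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\) "
    r"and TS (?P<local_ts>\S+) === (?P<remote_ts>\S+)"
)
DELETING_RE = re.compile(r"deleting IKE_SA (?P<name>\S+?)\[(?P<id>\d+)\]")


def parse_line(line):
    """Return a dict for a CHILD_SA close (with byte counts) or an IKE_SA
    deletion (byte counts None); None for any other line."""
    m = CLOSING_RE.search(line)
    if m:
        return {"event": "closing CHILD_SA", "conn": m["name"],
                "bytes_in": int(m["bytes_in"]), "bytes_out": int(m["bytes_out"]),
                "local_ts": m["local_ts"], "remote_ts": m["remote_ts"]}
    m = DELETING_RE.search(line)
    if m:
        return {"event": "deleting IKE_SA", "conn": m["name"],
                "bytes_in": None, "bytes_out": None}
    return None


def summarise(log_text):
    """Per-connection totals from 'closing CHILD_SA' lines, plus a count of
    IKE_SA deletions that reported no traffic volume at all."""
    totals = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0,
                                  "closed_child_sas": 0, "ike_sa_deletes_without_counts": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        t = totals[ev["conn"]]
        if ev["event"] == "closing CHILD_SA":
            t["bytes_in"] += ev["bytes_in"]
            t["bytes_out"] += ev["bytes_out"]
            t["closed_child_sas"] += 1
        else:
            t["ike_sa_deletes_without_counts"] += 1
    return dict(totals)
```

A non-zero `ike_sa_deletes_without_counts` shows how many teardowns the log-based totals silently miss, which is the gap RADIUS accounting closes.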

#2 Updated by Jason Kershaw over 11 years ago

Hi Martin,

Thanks for the response.

We are using RADIUS accounting already, and are currently investigating retrieving the same data from there.
However, the extraction from the RADIUS server we have is a much more convoluted process.

We are using syslog to a central server which can be interrogated using other tools to make it a simple repeatable process to extract the data.

Depending on the investigation of the RADIUS extraction we may come back to discuss the plugin option.

Many Thanks
Jason

#3 Updated by Tobias Brunner about 10 years ago

  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Resolution set to No feedback