Project

General

Profile

Issue #868

vici transfer bytes decrease?

Added by bronze man over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Affected version:
5.2.2
Resolution:

Description

This is 10:59 log with swanctl -l

ios_ikev2_psk: #5250, ESTABLISHED, IKEv2, 04d1af87a5b13325:c27e317c24f3d1e5
local '121.xxx.14.143' 10.60.153.62
remote 'xxxx1'
124.xxx.227.6
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 1357s ago, reauth in 8655s
ios_ikev2_psk: #4073, INSTALLED, TUNNEL-in-UDP, ESP:3DES_CBC/HMAC_SHA1_96
installed 1357 ago, rekeying in 1325s, expires in 2243s
in ce38aaca, 37395 bytes, 265 packets, 1314s ago
out 0fff69ac, 217116 bytes, 319 packets, 691s ago
local 0.0.0.0/0
remote 172.20.3.202/32

This is 11:05 log with swanctl -l
ios_ikev2_psk: #5250, ESTABLISHED, IKEv2, 04d1af87a5b13325:c27e317c24f3d1e5
local '121.xxx.14.143' 10.60.153.62
remote 'xxx1'
124.xxx.227.6
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 1585s ago, reauth in 8427s
ios_ikev2_psk: #4073, INSTALLED, TUNNEL-in-UDP, ESP:3DES_CBC/HMAC_SHA1_96
installed 144 ago, rekeying in 2409s, expires in 3456s
in c5ee03c9, 0 bytes, 0 packets
out 0ccdc9fc, 0 bytes, 0 packets
local 0.0.0.0/0
remote 172.20.3.202/32

I never restart the strongswan server during the time.
Please tell me how to account the transfer bytes base on remote_id.

I had used psk_id to id a connection, and change my database transfer bytes base on that.
There is so many concepts look like a connection,Which one should I used for transfer bytes account with vici and radius?
Should I use psk_child_id? or should I use spi?

Ps: I use radius and vici to get more accurate transfer bytes account.
But It looks like they have different defined of a connection.

History

#1 Updated by Martin Willi over 7 years ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Feedback

Hi,

swanctl/vici (and ipsec statusall) show the bytes/packets transferred over the ESP SAs of a single CHILD_SA. During rekeying of a CHILD_SA, new SAs get negotiated and installed to the kernel, resetting these counters.

In RADIUS accounting, the plugin automatically collects the bytes/packets transferred for all CHILD_SAs under the accounted IKE_SA. So eap-radius has some additional logic to count that data cumulatively under a single IKE_SA, which vici/stroke do not have.

Regards
Martin

#2 Updated by bronze man over 7 years ago

Hi,
Is there some way to get the bytes/packets transferred for all CHILD_SAs under the accounted IKE_SA in swanctl/vici?
In the second log,I can only see one bytes/packets data and it is zero.

If I store the spi_id in other place,and add the bytes as the spi_id changed,will I get more more accurate transfer bytes?

#3 Updated by Martin Willi over 7 years ago

Is there some way to get the bytes/packets transferred for all CHILD_SAs under the accounted IKE_SA in swanctl/vici?

As said, no, there is currently no such IKE_SA specific counter.

If I store the spi_id in other place,and add the bytes as the spi_id changed,will I get more more accurate transfer bytes?

That could work, yes. But as there are no rekey events exposed over vici, you'll have to aggressively poll the daemon to don't miss any bytes.

Regards
Martin

#4 Updated by bronze man over 7 years ago

Hi,
Thanks,I gave up that way.
I use radius and interim updates accounting to get more more accurate transfer bytes.

The only useful stuff in vici is to kill the IKE_SA.
I think it will be better to have some way to kill the IKE_SA connection in the radius accounting response.

#5 Updated by bronze man over 7 years ago

Radius interim updates can decrease transfer bytes too.
It happens less common.
Please look at #891 .

It looks like there is no way to work around this kind of bug.

#6 Updated by Tobias Brunner almost 7 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Martin Willi

Also available in: Atom PDF