counters Plugin

Purpose

The counters plugin collects and provides several IKE performance counters.

The counter values may be queried or reset (globally or per connection name) via swanctl/vici or the ipsec script.

The plugin is disabled by default (unless the stroke plugin is built) and can be enabled by adding --enable-counters to the ./configure options.

The plugin was introduced with 5.6.1; its functionality was previously included in the stroke plugin.

Available Counters

Counters are collected globally and per connection name. However, the per-connection counters have some limitations. For example, if the initially selected connection is switched due to the authentication method or the exchanged identities, no IKE_SA_INIT messages will be recorded for the name of the second connection. Some counters will also never record connection-specific numbers (e.g. the number of messages with invalid IKE SPI).

Identifier (as used by vici)    Description
----------------------------    -----------
ike-rekey-init                  Initiated IKE_SA rekeyings
ike-rekey-resp                  Responded IKE_SA rekeyings
child-rekey                     Completed CHILD_SA rekeyings
invalid                         Messages with invalid types, length or an out-of-range value
invalid-spi                     Messages with invalid IKE SPI
ike-init-in-req                 Received IKE_SA_INIT requests
ike-init-in-resp                Received IKE_SA_INIT responses
ike-init-out-req                Sent IKE_SA_INIT requests
ike-init-out-resp               Sent IKE_SA_INIT responses
ike-auth-in-req                 Received IKE_AUTH requests
ike-auth-in-resp                Received IKE_AUTH responses
ike-auth-out-req                Sent IKE_AUTH requests
ike-auth-out-resp               Sent IKE_AUTH responses
create-child-in-req             Received CREATE_CHILD_SA requests
create-child-in-resp            Received CREATE_CHILD_SA responses
create-child-out-req            Sent CREATE_CHILD_SA requests
create-child-out-resp           Sent CREATE_CHILD_SA responses
info-in-req                     Received INFORMATIONAL requests
info-in-resp                    Received INFORMATIONAL responses
info-out-req                    Sent INFORMATIONAL requests
info-out-resp                   Sent INFORMATIONAL responses
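
An added example (not part of the original page or of strongSwan's code): one way to turn two successive snapshots of the global counters into monitoring signals, tolerating a counter reset between polls. Snapshots are assumed to be plain dicts keyed by the identifiers above; the function names, thresholds and sample values are hypothetical.

```python
# Added example: all names other than the counter identifiers are hypothetical.
# Snapshots are plain dicts {identifier: int}; how they are fetched (e.g. via
# vici) is outside this example. Thresholds are assumed, not strongSwan defaults.

MAX_INVALID_PER_INTERVAL = 50   # assumed alert threshold per polling interval
MAX_UNFINISHED_RATIO = 0.8      # assumed: share of IKE_SA_INIT without IKE_AUTH
MIN_INIT_FOR_RATIO = 20         # assumed: skip the ratio check on tiny samples


def delta(prev, curr):
    """Per-counter increase between two snapshots, tolerating a counter reset."""
    out = {}
    for name, value in curr.items():
        before = prev.get(name, 0)
        # After a reset the counter restarts at 0, so curr < prev;
        # the current value is then the increase since the reset.
        out[name] = value - before if value >= before else value
    return out


def evaluate(prev, curr):
    """Return alert strings for one polling interval of the global counters."""
    d = delta(prev, curr)
    alerts = []
    # invalid-spi is only recorded globally, so this check is not per connection.
    bad = d.get("invalid", 0) + d.get("invalid-spi", 0)
    if bad > MAX_INVALID_PER_INTERVAL:
        alerts.append(f"invalid or invalid-spi messages: {bad}")
    init_in = d.get("ike-init-in-req", 0)
    auth_in = d.get("ike-auth-in-req", 0)
    if init_in >= MIN_INIT_FOR_RATIO:
        # Multi-round IKE_AUTH can exceed the IKE_SA_INIT count; clamp at 0.
        unfinished = max(init_in - auth_in, 0) / init_in
        if unfinished > MAX_UNFINISHED_RATIO:
            alerts.append(f"IKE_SA_INIT without IKE_AUTH: {unfinished:.0%} of {init_in}")
    return alerts


# Constructed sample snapshots (not real measurements).
SNAP_T0 = {"invalid": 3, "invalid-spi": 10, "ike-init-in-req": 100, "ike-auth-in-req": 98}
SNAP_T1 = {"invalid": 5, "invalid-spi": 90, "ike-init-in-req": 600, "ike-auth-in-req": 110}
SNAP_T2 = {"invalid": 0, "invalid-spi": 2, "ike-init-in-req": 4, "ike-auth-in-req": 4}  # after a reset

if __name__ == "__main__":
    for label, prev, curr in (("t0->t1", SNAP_T0, SNAP_T1), ("t1->t2", SNAP_T1, SNAP_T2)):
        print(label, evaluate(prev, curr) or "ok")
```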