What's the "new" way of checking the established connections in strongswan

Previously it was in ipsec statusall.

Now with swanctl I can only see swanctl --list-conns but it only shows the configuration details, not the runtime statistics: eg bytes transferred, negotiated ciphersuites, reauth/rekeying stats, and so on and so forth.

So, is there any similar command in the "new" strongswan configuration?

Asked By: zerkms

||
Source

That’s swanctl --list-sas, aka swanctl -l (with the lowercase L) for short:

star6: #1, ESTABLISHED, IKEv2, c87e1f22cf7e22a6_i* d3f4680ff0337849_r
  local  'ember.nullroute.lt' @ 2001:778:e27f:0:9618:82ff:fe38:e480[4500]
  remote 'star.nullroute.lt' @ 2a02:7b40:50d1:e466::1[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 202176s ago, rekeying in 390602s
  gre: #7181, reqid 18, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
    installed 45150s ago, rekeying in 38337s, expires in 49890s
    in  c4b908f6,      0 bytes,     0 packets
    out c5d9c42b,    576 bytes,    12 packets,  2530s ago
    local  2001:778:e27f:0:9618:82ff:fe38:e480/128[gre]
    remote 2a02:7b40:50d1:e466::1/128[gre]
 ...

Though if you want to extract this for scripting, it is better to directly query via vici IPC than to parse swanctl output.

Some ESP/AH information can also be retrieved directly from the kernel, via ip xfrm policy and ip xfrm state (with the -s option to get statistics).

Answered By: u1686_grawity
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.