What's the "new" way of checking the established connections in strongswan
Previously it was in ipsec statusall
.
Now with swanctl
I can only see swanctl --list-conns
but it only shows the configuration details, not the runtime statistics: eg bytes transferred, negotiated ciphersuites, reauth/rekeying stats, and so on and so forth.
So, is there any similar command in the "new" strongswan configuration?
That’s swanctl --list-sas
, aka swanctl -l
(with the lowercase L) for short:
star6: #1, ESTABLISHED, IKEv2, c87e1f22cf7e22a6_i* d3f4680ff0337849_r
local 'ember.nullroute.lt' @ 2001:778:e27f:0:9618:82ff:fe38:e480[4500]
remote 'star.nullroute.lt' @ 2a02:7b40:50d1:e466::1[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
established 202176s ago, rekeying in 390602s
gre: #7181, reqid 18, INSTALLED, TRANSPORT, ESP:AES_GCM_16-128
installed 45150s ago, rekeying in 38337s, expires in 49890s
in c4b908f6, 0 bytes, 0 packets
out c5d9c42b, 576 bytes, 12 packets, 2530s ago
local 2001:778:e27f:0:9618:82ff:fe38:e480/128[gre]
remote 2a02:7b40:50d1:e466::1/128[gre]
...
Though if you want to extract this for scripting, it is better to directly query via vici IPC than to parse swanctl output.
Some ESP/AH information can also be retrieved directly from the kernel, via ip xfrm policy
and ip xfrm state
(with the -s
option to get statistics).