Feature #1986

Find a way to list logged in IPsec xauth users

Added by Jim P over 2 years ago. Updated almost 2 years ago.

Status: Resolved
Start date: 11/01/2011
Priority: Normal
Due date:
Assignee: Ermal Luçi
% Done: 100%
Category: IPsec
Target version: 2.1
Affected version: 2.0
Affected Architecture:

Description

At the moment there is no way to get a list of logged in users from racoonctl, setkey, or any other utility we're aware of.

The racoonctl program can log a user out by username (and it works), but can't list users.

It looks like it won't be too difficult to get the login information in racoonctl's information gathering path, but I wasn't able to get it to work [insert disclaimer about my aging/lacking C skills here :-)]. See the attached patch for my attempt.

Existing output:

: /usr/local/sbin/racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1 
x.x.x.x.500            83477b98da89f388:777b89ddc646a6f6  9 I 10 A 2011-11-01 01:00:13      1

What I get:

./racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2 Login
invalid length 584
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1  ƒG{˜Ú‰ów{‰ÝÆF¦ö

Expected/Desired output:

./racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2 Login
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1 jim
x.x.x.x.500            83477b98da89f388:777b89ddc646a6f6  9 I 10 A 2011-11-01 01:00:13      1

While we're at it, a boolean Y/N column for "Mobile" would be nice too, not sure how easy that might be to pull off, but it would make the status and widget display a million times easier/faster.

racoon-login-output.diff (2.5 kB) Jim P, 11/01/2011 03:50 pm

Associated revisions

Revision bf3da811
Added by Jim P almost 2 years ago

List logged-in IPsec xauth users and provide a mechanism to disconnect them. Implements #1986

Conflicts:

usr/local/www/diag_ipsec.php

Revision 6e0b68bf
Added by Jim P almost 2 years ago

List logged-in IPsec xauth users and provide a mechanism to disconnect them. Implements #1986

History

#1 Updated by Ermal Luçi about 2 years ago

  • Assignee set to Ermal Luçi

#2 Updated by Ermal Luçi about 2 years ago

  • Status changed from New to Feedback

pfPort patched.
New racoonctl option: show-users

#3 Updated by Jim P almost 2 years ago

  • Status changed from Feedback to New

Setting this back to New since we still need code in the GUI to read this yet.

#4 Updated by Jim P almost 2 years ago

Also this does not seem to work.

[2.1-DEVELOPMENT][]/root(68): racoonctl show-sa isakmp
Destination Cookies Created
192.168.20.5.21896 ece8fdf1863c039b:849a5bc4fb85f9d2 2012-05-08 16:18:34
[2.1-DEVELOPMENT][]/root(69): racoonctl show-users
[2.1-DEVELOPMENT][]/root(70):

That is a connected mobile user, and it does not show in show-users.

From the IPsec log:

May 8 16:18:34     racoon: [Self]: INFO: ISAKMP-SA established 192.168.20.243[4500]-192.168.20.5[21896] spi:ece8fdf1863c039b:849a5bc4fb85f9d2
May 8 16:18:34     racoon: INFO: Using port 0
May 8 16:18:34     racoon: INFO: login succeeded for user "jim" 

#5 Updated by Ermal Luçi almost 2 years ago

  • Status changed from New to Feedback

This mostly works.
Just the destination which is the system itself needs some more fixes, though it's usable.

#6 Updated by Jim P almost 2 years ago

  • % Done changed from 0 to 100

#7 Updated by Jim P almost 2 years ago

  • Status changed from Feedback to New

Ermal - running the show-users command with no users connected seems to crash racoon with no logged error, just a core dump.

For whatever reason it only seems to happen on i386, I can repeat it on two boxes with i386, but my amd64 vm never crashes.

I have a core file, ping me when you're around and I'll get it to you.

#8 Updated by Jim P almost 2 years ago

A bit better info now, the i386/amd64 bit was a red herring, it can crash on both. The key factor is that you have to have an additional non-mobile IPsec tunnel up when it's run to trigger the crash. I can now reproduce it on my amd64 vm.

So to recap:
  • Have an active IPsec tunnel (both P1 and P2 UP)
  • run racoonctl show-users
  • Watch racoon core dump and die

Note that if you just have an IPsec tunnel configured but not up/connected, then racoon will not crash.

#9 Updated by Jim P almost 2 years ago

After the last commit, racoon no longer crashes, but now it's listing all tunnels in the 'show-users' output, but non-mobile tunnels have no username.

Easy to work around that if it's intended.

#10 Updated by Ermal Luçi almost 2 years ago

  • Status changed from New to Feedback

For me this is resolved.
Agreed that it's easy to skip the non-user tunnels.
If need be, the change to not show them is quite easy.
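
The description proposes a Login column appended to the `racoonctl -l show-sa isakmp` table, and comments #9/#10 agree that rows for non-mobile tunnels (which carry no username) are simply skipped on the GUI side. The following is an added example, not code from the ticket, pfSense or racoon: a small Python parser for the table layout shown under "Expected/Desired output" in the description, which returns only the xauth sessions and reports rows it cannot parse (such as the binary garbage in the "What I get" paste) instead of displaying them as users. The sample text is constructed from the description's expected output, and the assumption that the column layout matches it is the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the "Expected/Desired output" layout from the ticket
# description (a Login column appended to `racoonctl -l show-sa isakmp`).
# The second row is a site-to-site tunnel with no xauth login.
SAMPLE_OUTPUT = """\
Destination            Cookies                           ST S  V E Created             Phase2 Login
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1 jim
x.x.x.x.500            83477b98da89f388:777b89ddc646a6f6  9 I 10 A 2011-11-01 01:00:13      1
"""

# The Login column is accepted only when it looks like a username; a row whose
# tail is binary garbage (as in the ticket's "What I get" paste) fails the
# pattern and is reported as unparsed rather than shown as a logged-in user.
_ROW = re.compile(
    r"^(?P<dest>\S+)\s+"
    r"(?P<cookies>[0-9a-f]{16}:[0-9a-f]{16})\s+"
    r"(?P<st>\d+)\s+(?P<side>[IR])\s+(?P<ver>\d+)\s+(?P<etype>[A-Z])\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<phase2>\d+)"
    r"(?:\s+(?P<login>[A-Za-z0-9._@-]+))?\s*$"
)


@dataclass
class IsakmpSa:
    peer: str             # remote address without the trailing port
    port: int             # remote UDP port (500, or the NAT-T port racoon saw)
    cookies: str          # initiator:responder ISAKMP cookies
    created: str          # timestamp as printed by racoonctl
    phase2: int           # number of phase 2 SAs under this ISAKMP SA
    login: Optional[str]  # xauth username, None for tunnels with no user


def parse_show_sa(text: str) -> Tuple[List[IsakmpSa], List[str]]:
    """Parse show-sa style output; returns (parsed rows, unparsed lines)."""
    rows: List[IsakmpSa] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Destination"):
            continue  # skip blank lines and the header row
        m = _ROW.match(line)
        if not m:
            unparsed.append(line)
            continue
        # racoon prints "address.port"; split on the last dot to separate them
        peer, port = m.group("dest").rsplit(".", 1)
        rows.append(IsakmpSa(peer, int(port), m.group("cookies"),
                             m.group("created"), int(m.group("phase2")),
                             m.group("login")))
    return rows, unparsed


def logged_in_users(text: str) -> List[Tuple[str, str, int]]:
    """(username, peer, port) for xauth sessions only; non-user tunnels are skipped."""
    rows, _ = parse_show_sa(text)
    return [(r.login, r.peer, r.port) for r in rows if r.login]


if __name__ == "__main__":
    for user, peer, port in logged_in_users(SAMPLE_OUTPUT):
        print(f"{user:<12} {peer}:{port}")
```

Feeding the real command output in place of `SAMPLE_OUTPUT` is the only change needed to use it; anything returned in the unparsed list is worth logging rather than rendering, since a status page that prints unvalidated bytes from a daemon is exactly the failure the "What I get" paste shows.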

#11 Updated by Jim P almost 2 years ago

  • Status changed from Feedback to Resolved

We can close this, it's working fine as-is since your last fix and there's no reason not to just code around the other bit.
