Feature #1986
Closed: Find a way to list logged in IPsec xauth users
100% done
Description
At the moment there is no way to get a list of logged in users from racoonctl, setkey, or any other utility we're aware of.
The racoonctl program can log a user out by username (and it works), but can't list users.
It looks like it won't be too difficult to get the login information in racoonctl's information gathering path, but I wasn't able to get it to work [insert disclaimer about my aging/lacking C skills here :-)]. See the attached patch for my attempt.
Existing output:
: /usr/local/sbin/racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2
192.168.20.18.60500 043cd11c07447a2f:ea9d0bd9a3f803b7 9 R 10 A 2011-11-01 15:31:09 1
x.x.x.x.500 83477b98da89f388:777b89ddc646a6f6 9 I 10 A 2011-11-01 01:00:13 1
What I get:
./racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2 Login
invalid length 584
192.168.20.18.60500 043cd11c07447a2f:ea9d0bd9a3f803b7 9 R 10 A 2011-11-01 15:31:09 1 ƒG{˜Ú‰ów{‰ÝÆF¦ö
Expected/Desired output:
./racoonctl -l show-sa isakmp
Destination Cookies ST S V E Created Phase2 Login
192.168.20.18.60500 043cd11c07447a2f:ea9d0bd9a3f803b7 9 R 10 A 2011-11-01 15:31:09 1 jim
x.x.x.x.500 83477b98da89f388:777b89ddc646a6f6 9 I 10 A 2011-11-01 01:00:13 1
While we're at it, a boolean Y/N column for "Mobile" would be nice too, not sure how easy that might be to pull off, but it would make the status and widget display a million times easier/faster.
Updated by Ermal Luçi almost 13 years ago
- Status changed from New to Feedback
pfPort patched.
new racoonctl option show-users
Updated by Jim Pingle over 12 years ago
- Status changed from Feedback to New
Setting this back to New since we still need code in the GUI to read this yet.
Updated by Jim Pingle over 12 years ago
Also this does not seem to work.
[2.1-DEVELOPMENT][root@pfsense-amd64.localdomain]/root(68): racoonctl show-sa isakmp
Destination Cookies Created
192.168.20.5.21896 ece8fdf1863c039b:849a5bc4fb85f9d2 2012-05-08 16:18:34
[2.1-DEVELOPMENT][root@pfsense-amd64.localdomain]/root(69): racoonctl show-users
[2.1-DEVELOPMENT][root@pfsense-amd64.localdomain]/root(70):
That is a connected mobile user, and it does not show in show-users.
From the IPsec log:
May 8 16:18:34 racoon: [Self]: INFO: ISAKMP-SA established 192.168.20.243[4500]-192.168.20.5[21896] spi:ece8fdf1863c039b:849a5bc4fb85f9d2
May 8 16:18:34 racoon: INFO: Using port 0
May 8 16:18:34 racoon: INFO: login succeeded for user "jim"
Updated by Ermal Luçi over 12 years ago
- Status changed from New to Feedback
This mostly works.
Just the destination which is the system itself needs some more fixes, though it's usable.
Updated by Jim Pingle over 12 years ago
- % Done changed from 0 to 100
Applied in changeset 6e0b68bfdea29b2943b6f104373f43cc56537bd8.
Updated by Jim Pingle over 12 years ago
- Status changed from Feedback to New
Ermal - running the show-users command with no users connected seems to crash racoon with no logged error, just a core dump.
For whatever reason it only seems to happen on i386, I can repeat it on two boxes with i386, but my amd64 vm never crashes.
I have a core file, ping me when you're around and I'll get it to you.
Updated by Jim Pingle over 12 years ago
A bit better info now: the i386/amd64 bit was a red herring, it can crash on both. The key factor is that you have to have an additional non-mobile IPsec tunnel up when it's run to trigger the crash. I can now reproduce it on my amd64 vm.
So to recap:
- Have an active IPsec tunnel (both P1 and P2 UP)
- run racoonctl show-users
- Watch racoon core dump and die
Note that if you just have an IPsec tunnel configured but not up/connected, then racoon will not crash.
Updated by Jim Pingle over 12 years ago
After the last commit, racoon no longer crashes, but now it lists all tunnels in the 'show-users' output, and non-mobile tunnels have no username.
Easy to work around that if it's intended.
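A parser for the tabular `racoonctl -l show-sa isakmp` output requested in the description, written to tolerate the case just noted (non-mobile tunnels that carry no username) and to reject a garbled Login field like the one in the "What I get" output. This is an added Python example, not pfSense or ipsec-tools code. The column layout follows the expected output in the description; the sample rows, the 203.0.113.7 placeholder for the masked x.x.x.x peer, the login character whitelist, and the assumption that a row with a Login is the "Mobile" case are all constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format of the issue's "Expected/Desired output":
# one token per column, Created spanning date and time, Login last. The second
# row has no Login, mirroring a non-mobile (site-to-site) tunnel. 203.0.113.7
# stands in for the x.x.x.x peer address masked in the issue.
SAMPLE_OUTPUT = """\
Destination Cookies ST S V E Created Phase2 Login
192.168.20.18.60500 043cd11c07447a2f:ea9d0bd9a3f803b7 9 R 10 A 2011-11-01 15:31:09 1 jim
203.0.113.7.500 83477b98da89f388:777b89ddc646a6f6 9 I 10 A 2011-11-01 01:00:13 1
"""

COOKIES_RE = re.compile(r"^([0-9a-f]{16}):([0-9a-f]{16})$")
# Constructed whitelist: rejects the binary junk that the unpatched build
# printed in the Login column instead of letting it reach a web page.
LOGIN_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


@dataclass
class IsakmpSa:
    peer_ip: str
    peer_port: int
    initiator_cookie: str
    responder_cookie: str
    state: int
    side: str            # S column as printed: 'I' initiator / 'R' responder
    version: int
    exchange: str        # E column as printed by racoonctl
    created: str         # "YYYY-MM-DD HH:MM:SS"
    phase2_count: int
    login: Optional[str]  # None when racoonctl printed no Login (non-mobile tunnel)

    @property
    def is_mobile(self) -> bool:
        # Assumption made here, not something racoonctl reports: a tunnel that
        # carries an xauth login is the "Mobile" case the description asks for.
        return self.login is not None


def _parse_row(line: str) -> IsakmpSa:
    tokens = line.split()
    # 9 tokens when Login is absent, 10 when present (Created is two tokens).
    if len(tokens) not in (9, 10):
        raise ValueError("unexpected column count")
    peer_ip, _, port = tokens[0].rpartition(".")   # last dot separates the port
    m = COOKIES_RE.match(tokens[1])
    if not peer_ip or not port.isdigit() or m is None:
        raise ValueError("bad destination or cookies")
    login = tokens[9] if len(tokens) == 10 else None
    if login is not None and not LOGIN_RE.match(login):
        raise ValueError("garbled login field")
    return IsakmpSa(
        peer_ip=peer_ip,
        peer_port=int(port),
        initiator_cookie=m.group(1),
        responder_cookie=m.group(2),
        state=int(tokens[2]),
        side=tokens[3],
        version=int(tokens[4]),
        exchange=tokens[5],
        created=f"{tokens[6]} {tokens[7]}",
        phase2_count=int(tokens[8]),
        login=login,
    )


def parse_show_sa(output: str) -> Tuple[List[IsakmpSa], List[str]]:
    """Return (parsed SAs, lines that did not parse). The header is skipped and
    malformed lines are reported rather than raised, so one bad row does not
    blank the whole status page."""
    sas: List[IsakmpSa] = []
    rejected: List[str] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Destination"):
            continue
        try:
            sas.append(_parse_row(line))
        except ValueError:
            rejected.append(line)
    return sas, rejected


def xauth_users(output: str) -> List[str]:
    """Logins of connected xauth users only; tunnels without a username are
    skipped, which is the workaround this thread settles on."""
    sas, _ = parse_show_sa(output)
    return [sa.login for sa in sas if sa.login is not None]


if __name__ == "__main__":
    sas, bad = parse_show_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(f"{sa.peer_ip}:{sa.peer_port} login={sa.login!r} mobile={sa.is_mobile}")
    print("rejected:", bad)
```

Feeding the parser the real command's output (`subprocess.run(["racoonctl", "-l", "show-sa", "isakmp"], ...)`) is the only change needed to use it; the rejected-line list is worth logging, since it is exactly where a length error or garbled field like the one in the description would surface.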
Updated by Ermal Luçi over 12 years ago
- Status changed from New to Feedback
For me this is resolved.
Agreed that it's easy to skip the non-user tunnels.
If need be, the change to not show them is quite easy.
Updated by Jim Pingle over 12 years ago
- Status changed from Feedback to Resolved
We can close this, it's working fine as-is since your last fix and there's no reason not to just code around the other bit.