Project

General

Profile

Actions
Copy link

Feature #1986

closed

Find a way to list logged in IPsec xauth users

Added by Jim Pingle over 12 years ago. Updated almost 12 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
IPsec
Target version:
2.1
Start date:
11/01/2011
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

At the moment there is no way to get a list of logged in users from racoonctl, setkey, or any other utility we're aware of.

The racoonctl program can log a user out by username (and it works), but can't list users.

It looks like it won't be too difficult to get the login information in racoonctl's information gathering path, but I wasn't able to get it to work [insert disclaimer about my aging/lacking C skills here :-)]. See the attached patch for my attempt.

Existing output:

: /usr/local/sbin/racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1 
x.x.x.x.500            83477b98da89f388:777b89ddc646a6f6  9 I 10 A 2011-11-01 01:00:13      1

What I get:

./racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2 Login
invalid length 584
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1  ƒG{˜Ú‰ów{‰ÝÆF¦ö

Expected/Desired output:

./racoonctl -l show-sa isakmp
Destination            Cookies                           ST S  V E Created             Phase2 Login
192.168.20.18.60500    043cd11c07447a2f:ea9d0bd9a3f803b7  9 R 10 A 2011-11-01 15:31:09      1 jim
x.x.x.x.500            83477b98da89f388:777b89ddc646a6f6  9 I 10 A 2011-11-01 01:00:13      1

While we're at it, a boolean Y/N column for "Mobile" would be nice too, not sure how easy that might be to pull off, but it would make the status and widget display a million times easier/faster.

Files

racoon-login-output.diff (2.55 KB) racoon-login-output.diff Jim Pingle, 11/01/2011 03:50 PM
Actions
Copy link
 #1

Updated by Ermal Luçi about 12 years ago

  • Assignee set to Ermal Luçi
Actions
Copy link
 #2

Updated by Ermal Luçi about 12 years ago

  • Status changed from New to Feedback

pfPort patched.
new racoonctl option show-users

Actions
Copy link
 #3

Updated by Jim Pingle almost 12 years ago

  • Status changed from Feedback to New

Setting this back to New since we still need code in the GUI to read this yet.

Actions
Copy link
 #4

Updated by Jim Pingle almost 12 years ago

Also this does not seem to work.

[2.1-DEVELOPMENT][]/root(68): racoonctl show-sa isakmp
Destination Cookies Created
192.168.20.5.21896 ece8fdf1863c039b:849a5bc4fb85f9d2 2012-05-08 16:18:34
[2.1-DEVELOPMENT][]/root(69): racoonctl show-users
[2.1-DEVELOPMENT][]/root(70):

That is a connected mobile user, and it does not show in show-users.

From the IPsec log:

May 8 16:18:34     racoon: [Self]: INFO: ISAKMP-SA established 192.168.20.243[4500]-192.168.20.5[21896] spi:ece8fdf1863c039b:849a5bc4fb85f9d2
May 8 16:18:34     racoon: INFO: Using port 0
May 8 16:18:34     racoon: INFO: login succeeded for user "jim"

Actions
Copy link
 #5

Updated by Ermal Luçi almost 12 years ago

  • Status changed from New to Feedback

This mostly works.
Just destination which is the system itself needs some more fixes, though its useable.

Actions
Copy link
 #6

Updated by Jim Pingle almost 12 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Jim Pingle almost 12 years ago

  • Status changed from Feedback to New

Ermal - running the show-users command with no users connected seems to crash racoon with no logged error, just a core dump.

For whatever reason it only seems to happen on i386, I can repeat it on two boxes with i386, but my amd64 vm never crashes.

I have a core file, ping me when you're around and I'll get it to you.

Actions
Copy link
 #8

Updated by Jim Pingle almost 12 years ago

A bit better info now, the i386/amd64 bit was a red herring, it can crash on both. They key factor is that you have to have an additional non-mobile IPsec tunnel up when it's run to trigger the crash. I can now reproduce it on my amd64 vm.

So to recap:
  • Have an active IPsec tunnel (both P1 and P2 UP)
  • run racoonctl show-users
  • Watch racoon core dump and die

Note that if you just have an IPsec tunnel configured but not up/connected, then racoon will not crash.

Actions
Copy link
 #9

Updated by Jim Pingle almost 12 years ago

After the last commit, racoon no longer crashes, but now it's listing all tunnels in the 'show-users' output, but non-mobile tunnels have no username.

Easy to work around that if it's intended.

Actions
Copy link
 #10

Updated by Ermal Luçi almost 12 years ago

  • Status changed from New to Feedback

For me this is resolved.
Agreed that its easy to skip the non-user tunnels.
If needed be the change to not show them is quite easy.

Actions
Copy link
 #11

Updated by Jim Pingle almost 12 years ago

  • Status changed from Feedback to Resolved

We can close this, it's working fine as-is since your last fix and there's no reason not to just code around the other bit.

Actions
Copy link

Also available in: Atom PDF