[Swan-dev] What happened to "ipsec show" ?

Paul Wouters paul at nohats.ca
Sat Oct 28 04:36:33 EEST 2023


On Fri, 27 Oct 2023, Brady Johnson wrote:

> And here is the output of the new command I added:
> 
> ipsec briefconnectionstatus
> 000 Connection list:
> 000  
> 000 "vpnclient.gwn02.xyz.com": 172.16.20.0/24===172.22.18.102[O=XYZ,
> CN=vpnclient.gwn02.xyz.com]...172.22.18.101[O=XYZ, CN=vpnserver.gwn01.xyz.com]===172.16.10.0/24;
> 000  
> 000 Total IPsec connections: loaded 1, active 1
> 
> This still seems a little verbose, but I think it provides just enough info. If somebody wants more
> info, they can just use the "ipsec connectionstatus" command.

The old "ipsec eroute" would have shown something like:

172.16.20.0/24 -> 172.16.10.0/24 => tun at SPI@172.22.18.101

I was proposing only adding the traffic counter (in+out) and conn name
(not any IDs because the IDs are long, especially with certs), eg:

172.16.20.0/24 -> 172.16.10.0/24 => tun at SPI@172.22.18.101  188M  vpnclient.gwn02.xyz.com

These also used tabs so it would kind of align, eg like (not sure if it
will render properly in email):


172.16.20.0/24	-> 172.16.10.0/24	=> tun at SPI@172.22.18.101	188M	vpnclient.gwn02.xyz.com
1.1.1.1/32	-> 8.8.8.0/24		=> tun at SPI@2.2.2.1		88G	blabla.gwn02.xyz.com


Of course, we then decided not to put all this into pluto, as everyone
has their own wishlist for output, and just output json. Then people
could write their own programs and we could add some favourite /
standard ones during install or in contrib/
Then we looked at something dbus compatible, but dbus libraries are
terrible. Then we looked at varlink.org, but it failed to get momentum.
Then I thought perhaps some Yang output.
But I think I'm back at json now :P

Paul

> On Wed, Oct 25, 2023 at 4:18 PM Andrew Cagney <andrew.cagney at gmail.com> wrote:
>       > How about I add "whack --briefconnectionstatus", which would be wrapped by "ipsec
>       briefconnectionstatus"? This would show (at least) what you listed above.
>
>       It would somehow display both:
>           host<->host kernel state
>           selector<->selector kernel policy
>       ?
>
>       I suspect more useful than the reqid are the type of policy(1) and/or routing
>
>       Andrew
>
>       (1) There's a bear trap here, pluto has three words - reject, drop,
>       hold - that all mean block(linux) / discard(bsd); I'd ignore it
> 
> 
>
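The rendering Paul sketches above (pluto emits JSON, a small external program turns it into the old eroute-style line plus a traffic counter and connection name) as an added example, not code from libreswan or from anyone in this thread. The JSON shape and field names, the `tun0x<spi>@<host>` rendering of the kernel state, and the two records themselves are constructed assumptions for the example; libreswan's real JSON status output is not defined anywhere on this page. Columns are padded to the widest entry instead of using tabs, so the output lines up regardless of tab stops.

```python
import json

# Constructed sample input. The schema (field names, spi as an integer,
# separate in/out byte counters) is an ASSUMPTION made for this example and
# is not libreswan's actual JSON output.
SAMPLE_JSON = json.dumps([
    {
        "name": "vpnclient.gwn02.xyz.com",
        "local_selector": "172.16.20.0/24",
        "remote_selector": "172.16.10.0/24",
        "remote_host": "172.22.18.101",
        "spi": 0x1002,
        "bytes_in": 100_000_000,
        "bytes_out": 97_132_288,      # in + out = 188 MiB exactly
    },
    {
        "name": "blabla.gwn02.xyz.com",
        "local_selector": "1.1.1.1/32",
        "remote_selector": "8.8.8.0/24",
        "remote_host": "2.2.2.1",
        "spi": 0x1003,
        "bytes_in": 60_000_000_000,
        "bytes_out": 34_489_280_512,  # in + out = 88 GiB exactly
    },
])


def human_bytes(n: int) -> str:
    """Scale a byte count to the largest binary unit that keeps it below 1024.

    Mirrors the '188M' / '88G' style of the proposed column: no decimals,
    single-letter suffix, bare number below 1K.
    """
    units = ["", "K", "M", "G", "T"]
    value = float(n)
    for unit in units:
        if value < 1024 or unit == units[-1]:
            return f"{value:.0f}{unit}"
        value /= 1024
    return f"{value:.0f}{units[-1]}"  # unreachable, keeps type checkers happy


def eroute_lines(status_json: str) -> list[str]:
    """Render JSON connection status as aligned eroute-style lines.

    One line per connection:
      <src selector> -> <dst selector> => tun0x<spi>@<peer>  <in+out>  <conn name>
    The tun0x<spi>@<peer> form is an assumption modelled on the old eroute
    output quoted in the thread; only the connection name is shown, not the
    (long, certificate-derived) IDs.
    """
    rows = []
    for conn in json.loads(status_json):
        tunnel = f"tun0x{conn['spi']:x}@{conn['remote_host']}"
        traffic = human_bytes(conn["bytes_in"] + conn["bytes_out"])
        rows.append((conn["local_selector"], conn["remote_selector"],
                     tunnel, traffic, conn["name"]))
    if not rows:
        return []
    # Pad each column to its widest entry rather than relying on tab stops.
    widths = [max(len(row[i]) for row in rows) for i in range(5)]
    lines = []
    for src, dst, tun, traffic, name in rows:
        lines.append(
            f"{src:<{widths[0]}} -> {dst:<{widths[1]}} => "
            f"{tun:<{widths[2]}}  {traffic:>{widths[3]}}  {name}"
        )
    return lines


if __name__ == "__main__":
    # Stand-in for: pluto's JSON status piped into this script.
    for line in eroute_lines(SAMPLE_JSON):
        print(line)
```

A real tool would read the JSON from the status command's stdout (or a socket) instead of the embedded sample; the formatting logic stays the same, which is the point of pushing presentation out of pluto.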

