[Swan] bandwidth usage

Paul Wouters paul at nohats.ca
Thu Mar 20 03:52:41 EET 2014


On Wed, 19 Mar 2014, Bob Miller wrote:

> I am looking for explanations on how packets traverse iptables using
> netkey in openswan/libreswan implementations (I am presuming it will be
> the same for both).  Specifically, I want to know how I would trace vpn
> traffic through the packet flow diagram found at
> http://l7-filter.sourceforge.net/PacketFlow.png - I wonder where in that
> model packets get lifted for encryption/decryption, and where those
> modified packets re-appear, and how the flow of such packets might
> differ from normally NAT'd traffic.  I am particularly not clear on the
> flow in the direction from unencrypted entry to encrypted exit...

There is no good documentation that I know of, especially because the
XFRM hooks where it "steals" and "injects" the packets have no name.

> The purpose is that I am trying to track bandwidth usage and I want to
> know where the count is/isn't being increased by both the unencrypted
> and encrypted packet, as well as differentiate between overall
> egress/ingress, regularly NAT'd traffic, and vpn usage.

I see the RX packets and TX packets counters increase on the interface.

However, it is easier to ask pluto itself because it will ask the kernel
for how much traffic there has happened on an IPsec SA so far:

# ipsec status |grep Traffic
000 #2: "redhat" esp.dfcbec65@66.187.233.55 esp.1667cfb4@76.10.157.69 tun.0@66.187.233.55 tun.0@76.10.157.69 ref=0 refhim=4294901761 Traffic: ESPin=92KB ESPout=1MB! ESPmax=4194303B XAUTHuser=pwouters

I've received 92k and sent 1MB since this tunnel came up.

This is also logged on shutdown of the tunnel:

"redhat": terminating SAs using this connection
"redhat" #2: deleting state (STATE_QUICK_I2)
"redhat" #2: ESP traffic information: in=92KB out=1MB XAUTHuser=pwouters

Note that these are libreswan functions. AFAIK, those have not been
backported yet by openswan.

Paul
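Since pluto hands the ESP counters back as formatted text, tracking per-connection usage over time means parsing them. The following is an added example, not code from the message above or from libreswan itself: it parses both line formats quoted in the message (the "Traffic:" line from `ipsec status` and the "ESP traffic information" line pluto logs when a state is deleted), converts the B/KB/MB/GB suffixes to bytes, and totals usage per connection. It keeps only the latest record per (connection, state number), so a snapshot taken while the SA was up and the final shutdown line for the same SA are not counted twice. The sample lines are constructed from the two quoted in the message, and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two line formats quoted in the
# message above: a 'Traffic:' line from 'ipsec status' and the shutdown log line.
SAMPLE_STATUS = (
    '000 #2: "redhat" esp.dfcbec65@66.187.233.55 esp.1667cfb4@76.10.157.69 '
    'tun.0@66.187.233.55 tun.0@76.10.157.69 ref=0 refhim=4294901761 '
    'Traffic: ESPin=92KB ESPout=1MB! ESPmax=4194303B XAUTHuser=pwouters\n'
)
SAMPLE_LOG = (
    '"redhat" #2: ESP traffic information: in=92KB out=1MB XAUTHuser=pwouters\n'
)

UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# One counter such as ESPin=92KB, in=92KB or ESPmax=4194303B.  Fields without a
# unit suffix (ref=0, refhim=...) and non-numeric ones (XAUTHuser=...) do not
# match.  The '!' after ESPout in the sample is simply not consumed.
COUNTER_RE = re.compile(r"\b(ESPin|ESPout|ESPmax|in|out)=(\d+)(B|KB|MB|GB)\b")


def conn_and_state(line):
    """Return (connection name, state number) from either line format.

    'ipsec status' prints   #2: "redhat" ...
    the shutdown log prints "redhat" #2: ...
    """
    m = re.search(r'#(\d+):\s+"([^"]+)"', line)
    if m:
        return m.group(2), int(m.group(1))
    m = re.search(r'"([^"]+)"\s+#(\d+):', line)
    if m:
        return m.group(1), int(m.group(2))
    return None


def to_bytes(number, unit):
    return int(number) * UNIT[unit]


def parse_traffic(text):
    """Return one record per line that carries ESP traffic counters.

    Each record has conn, state, source ('status' or 'log'), in/out in bytes
    and max (ESPmax taken at face value as displayed, None on log lines).
    """
    records = []
    for line in text.splitlines():
        if "Traffic:" in line:
            source = "status"
        elif "ESP traffic information" in line:
            source = "log"
        else:
            continue
        ident = conn_and_state(line)
        if ident is None:
            continue
        counters = {k: to_bytes(n, u) for k, n, u in COUNTER_RE.findall(line)}
        records.append({
            "conn": ident[0],
            "state": ident[1],
            "source": source,
            "in": counters.get("ESPin", counters.get("in", 0)),
            "out": counters.get("ESPout", counters.get("out", 0)),
            "max": counters.get("ESPmax"),
        })
    return records


def latest_per_state(records):
    """Keep only the most recent record for each (conn, state) pair.

    A later status snapshot supersedes an earlier one, and the shutdown log
    line supersedes any snapshot, so nothing is double counted.
    """
    latest = {}
    for r in records:
        latest[(r["conn"], r["state"])] = r
    return list(latest.values())


def totals_by_conn(records):
    """Sum in/out bytes per connection name across its states."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        totals[r["conn"]]["in"] += r["in"]
        totals[r["conn"]]["out"] += r["out"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_traffic(SAMPLE_STATUS + SAMPLE_LOG)
    for conn, t in totals_by_conn(latest_per_state(recs)).items():
        print(f"{conn}: in={t['in']} bytes out={t['out']} bytes")
```

Feed it the output of `ipsec status` at whatever sampling interval you want (for instance via subprocess) together with the shutdown lines from the pluto log. Two caveats: pluto prints these counters rounded to a whole unit (92KB, 1MB), so the byte values recovered here are only as precise as the unit shown, and the counters are per IPsec SA, so a connection that rekeys gets a new state number and its total is the sum over states, which is what totals_by_conn does. For exact per-SA byte and packet counts, `ip -s xfrm state` reads the kernel's SA counters directly.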

