[Swan] About to the Libreswan project

Paul Wouters paul at nohats.ca
Mon Aug 13 16:54:22 UTC 2018


On Mon, 13 Aug 2018, Peyman Ghorbani wrote:

> First thank you for taking the time and reading my letter.
> I found your email address from Google.

Please use the swan mailing list. I don't scale at internet sizes.

> I'll start talking very quickly.
> I was able to launch the IPSec Cisco service on my VPS by following the link below.
> https://github.com/hwdsl2/setup-ipsec-vpn
> Very convenient and fast; in less than a few minutes my quality service was delivered. But now I have a problem.
> This Shell script has provided me with just one account (Username/password and IPSec PSK) without any limitations.
> I need to set a time limit for accounts.
> In short, I want this service to be connected to the accounting via PAM RADIUS.

You can set IPsec SA and IKE SA time limits via ikelifetime= and
salifetime=.

The user then has to re-authenticate to continue.

For IKEv1, you can use xauthby=pam and create an appropriate
/etc/pam.d/pluto configuration file.

For IKEv2, you can set pam-authorize=yes and do something similar.

For example, you can use pam with radius or you can use the pam_url
module to run your own REST based API to make custom decisions.

Usually however, people limit the users by amount of traffic, not by
amount of time. The updown scripts log the traffic and can be modified
to report the traffic to a monitor/audit server for keeping count.
For existing connections, "ipsec whack --trafficstatus" shows all
connections/users and their currently used traffic (that has not yet
been reported via updown, since the connection is still up).

Paul
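The traffic-based accounting described above, as an added example that is not part of the original thread and not libreswan's own code: the script sums the bytes of still-open SAs parsed from `ipsec whack --trafficstatus` with the bytes of already-closed sessions that a customised updown script would have written to a log, and lists users above a quota. The trafficstatus line format (`006 #N: "conn"[i] peer, type=ESP, add_time=..., inBytes=..., outBytes=..., id='...'`) is what libreswan 3.x prints and should be checked against your version; the closed-session log format (`epoch id bytes`), the sample status lines, the sample log entries and the `--deleteuser` suggestion are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not libreswan's own code): per-user traffic accounting that
# combines bytes of still-open SAs from "ipsec whack --trafficstatus" with
# bytes of closed sessions that an updown hook recorded earlier.
#
# Assumptions, to check against your libreswan version:
#  * trafficstatus prints one line per SA shaped like
#      006 #N: "conn"[i] peer, type=ESP, add_time=..., inBytes=..., outBytes=..., id='...', ...
#  * the closed-session log is our own format, "epoch id bytes" per line,
#    written by a customised updown script on the down-client verb.

# Constructed sample of what `ipsec whack --trafficstatus` prints.
# In production replace the printf below with the real command.
SAMPLE_STATUS="006 #12: \"xauth-psk\"[3] 198.51.100.7, type=ESP, add_time=1534171200, inBytes=734003200, outBytes=52428800, id='alice', lease=10.1.0.3/32
006 #15: \"xauth-psk\"[4] 203.0.113.9, type=ESP, add_time=1534174800, inBytes=10485760, outBytes=2097152, id='bob', lease=10.1.0.4/32
006 #16: \"xauth-psk\"[5] 203.0.113.9, type=ESP, add_time=1534175000, inBytes=5242880, outBytes=1048576, id='bob', lease=10.1.0.5/32"

# Constructed closed-session records (what the updown hook would have logged).
ACCT_LOG=$(mktemp)
trap 'rm -f "$ACCT_LOG"' EXIT
cat >"$ACCT_LOG" <<'EOF'
1534160000 alice 104857600
1534162000 carol 600000000
EOF

QUOTA=$((500 * 1024 * 1024))   # example limit: 500 MiB per user

# usage_by_id: trafficstatus lines on stdin -> "id bytes" per user, sorted.
# match() is used so ids containing spaces or commas (e.g. DNs) still parse.
usage_by_id() {
    awk -v sq="'" '
    {
        in_b = 0; out_b = 0; who = ""
        if (match($0, /inBytes=[0-9]+/))  in_b  = substr($0, RSTART + 8, RLENGTH - 8) + 0
        if (match($0, /outBytes=[0-9]+/)) out_b = substr($0, RSTART + 9, RLENGTH - 9) + 0
        if (match($0, "id=" sq "[^" sq "]*" sq)) who = substr($0, RSTART + 4, RLENGTH - 5)
        if (who != "") total[who] += in_b + out_b
    }
    END { for (w in total) printf "%s %.0f\n", w, total[w] }' | sort
}

# total_usage: "id bytes" lines on stdin plus the closed-session log in $1
# -> combined "id bytes" per user, sorted.
total_usage() {
    awk -v logfile="$1" '
    BEGIN { while ((getline line < logfile) > 0) { n = split(line, f, " "); if (n == 3) total[f[2]] += f[3] } }
    { total[$1] += $2 }
    END { for (w in total) printf "%s %.0f\n", w, total[w] }' | sort
}

# over_quota: "id bytes" lines on stdin, quota in bytes in $1 -> ids above it.
over_quota() {
    awk -v q="$1" '$2 > q { print $1 }'
}

echo "== current usage per user (live + closed sessions) =="
printf '%s\n' "$SAMPLE_STATUS" | usage_by_id | total_usage "$ACCT_LOG"

echo "== users over ${QUOTA} bytes =="
printf '%s\n' "$SAMPLE_STATUS" | usage_by_id | total_usage "$ACCT_LOG" | over_quota "$QUOTA" |
while read -r user; do
    # The action is only printed: the whack verb that terminates one user's
    # connections differs between versions, so confirm it with `ipsec whack --help`.
    echo "$user: over quota, e.g. ipsec whack --deleteuser --name '$user'"
done
```

In a real deployment the closed-session log would be appended by the updown script when a client's SA goes down, and this check would run from cron; the trafficstatus output only covers SAs that are still up, which is why the two sources are added together.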
