[Swan] About to the Libreswan project
Peyman Ghorbani
peymanghorbani at icloud.com
Tue Aug 14 06:42:39 UTC 2018
Hi Paul
> >> Please use the swan mailing list. I don't scale at internet sizes.
Sorry, typed wrong. I've taken your email from the project site. (https://libreswan.org/wiki/Support)
> >> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> >> salifetime=
>
> >> The user then has to re-authenticate to continue.
>
> >> For IKEv1, you can use xauthby=pam and create an appropriate
> >> /etc/pam.d/pluto configuration file.
>
> >> For IKEv2, you can set pam-authorize=yes and do something similar.
>
> >> For example, you can use pam with radius or you can use the pam_url
> >> module to run your own REST based API to make custom decisions.
>
> >> Usually however, people limit the users by amount of traffic, not by
> >> amount of time. The updown scripts log the traffic and can be modified
> >> to report the traffic to a monitor/audit server for keeping count.
> >> For existing connections, "ipsec whack --trafficstatus" shows all
> >> connections/users and their currently used traffic (that has not yet
> >> been reported via updown since the connection is still up)
Thanks for your help.
Where are these parameters?
pam-authorize
salifetime
ikelifetime
I have a request for you, and I hope you do not refuse it.
I'm really tired of trying hard.
I'll give you a raw server.
Can you start the IPSec and ikev2 with pam_radius_auth service on my server?
I really need your help and cooperation.
Thank you very much
> On Aug 13, 2018, at 9:24 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Mon, 13 Aug 2018, Peyman Ghorbani wrote:
>>
>> First thank you for taking the time and reading my letter.
>> I found your email address from Google.
>
> Please use the swan mailing list. I don't scale at internet sizes.
>
>> I'll start talking very quickly.
>> I was able to launch the IPSec Cisco service on my VPS by following the link below.
>> https://github.com/hwdsl2/setup-ipsec-vpn
>> Very convenient and fast in less than a few minutes, my quality service was delivered. But now I have a problem.
>> This Shell script has provided me with just one account (Username/password and IPSec PSK) without any limitations.
>> I need to set a time limit for accounts.
>> In short, I want this service to be connected to the accounting via PAM RADIUS.
>
> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> salifetime=
>
> The user then has to re-authenticate to continue.
>
> For IKEv1, you can use xauthby=pam and create an appropriate
> /etc/pam.d/pluto configuration file.
>
> For IKEv2, you can set pam-authorize=yes and do something similar.
>
> For example, you can use pam with radius or you can use the pam_url
> module to run your own REST based API to make custom decisions.
>
> Usually however, people limit the users by amount of traffic, not by
> amount of time. The updown scripts log the traffic and can be modified
> to report the traffic to a monitor/audit server for keeping count.
> For existing connections, "ipsec whack --trafficstatus" shows all
> connections/users and their currently used traffic (that has not yet
> been reported via updown since the connection is still up)
>
> Paul
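
The traffic-based limit described in the reply above, as an added example that is not part of the original thread or of Libreswan: it parses `ipsec whack --trafficstatus` output and totals bytes per user against a quota. The sample lines are constructed, and the field layout (`username=`, `inBytes=`, `outBytes=`, `id=`) and the function names are assumptions to check against the output of your installed version.

```python
import re
from collections import defaultdict

# Constructed sample; the line layout is an assumption, verify it on your system.
SAMPLE = """\
006 #2: "xauth-psk"[1] 192.0.2.10, username=alice, type=ESP, add_time=1534228959, inBytes=734003200, outBytes=419430400, lease=192.168.43.10/32
006 #5: "xauth-psk"[2] 198.51.100.7, username=bob, type=ESP, add_time=1534229100, inBytes=1048576, outBytes=2097152, lease=192.168.43.11/32
006 #9: "xauth-psk"[3] 203.0.113.4, username=alice, type=ESP, add_time=1534229500, inBytes=10485760, outBytes=5242880, lease=192.168.43.12/32
this line is not a traffic record
"""

# Optional numeric status prefix, then the state serial and connection name.
LINE = re.compile(r'^(?:\d{3} )?#(?P<serial>\d+): "(?P<conn>[^"]+)"(?P<rest>.*)$')
# key=value pairs; quoted values (such as id='...') may contain commas.
FIELD = re.compile(r"(\w+)=('[^']*'|[^,\s]+)")


def parse_trafficstatus(text):
    """Return one dict per live IPsec SA, skipping lines that do not parse."""
    sessions = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip("'") for k, v in FIELD.findall(m.group("rest"))}
        try:
            used = int(fields["inBytes"]) + int(fields["outBytes"])
        except (KeyError, ValueError):
            continue  # counters missing or malformed: do not guess
        # Fall back to the IKE id when no XAUTH username is present.
        user = fields.get("username") or fields.get("id", "unknown")
        sessions.append({"serial": int(m.group("serial")),
                         "conn": m.group("conn"), "user": user, "bytes": used})
    return sessions


def over_quota(sessions, quota_bytes):
    """Sum live traffic per user (a user may hold several SAs) and
    return only the users above quota_bytes."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["user"]] += s["bytes"]
    return {user: used for user, used in totals.items() if used > quota_bytes}


if __name__ == "__main__":
    print(over_quota(parse_trafficstatus(SAMPLE), 1024 ** 3))
```

These counters cover only connections that are still up, so a complete per-user total also needs the figures the updown script reported for connections that have already closed.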