Comments (8)
Actually I don't want to replace swanctl with my own tool. swanctl is already made for monitoring. Supporting JSON would make it more useful.
Please check the man page:
NAME
swanctl - strongSwan configuration, control and monitoring command line interface.
You can just use the python egg or ruby gem to communicate programmatically over VICI socket.
No, swanctl is not made for monitoring. It's just a configuration tool. Its --raw and --pretty modes are just for printing all the information in a "good" format. It's not made for text scraping or anything else other than usage by a human.
Is there any news on this topic?
I would also like to query IPsec status information that is readable by the machine.
@Thermi As you know I work with OpenWrt and would like to add a status page to LuCI for strongswan.
Why is the output not in JSON?
Is there any parser for the output of swanctl --list-sas --pretty?
Is the output from swanctl --list-sas --pretty a common, valid format such as JSON?
I would also like to query IPsec status information that is readable by the machine.
Then use the machine-readable VICI interface directly via one of the available bindings. The output of swanctl is intended for humans (--raw is for development/debugging and used for the simple grep checks in our regression tests, --pretty makes it more readable).
Is there any parser for the output of swanctl --list-sas --pretty? Is the output from swanctl --list-sas --pretty a common, valid format such as JSON?
While it does look similar to JSON, it's just a simple text representation of the VICI messages (with {} used for sections and [] for lists and = to separate key-value pairs). It's not intended to be parsed again (the output is ambiguous, although the --pretty version could possibly be parsed as each key-value pair and list item is on a separate line).
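To make the maintainer's description of the --pretty layout concrete, here is an added example (not part of this thread and not strongSwan code): a strict parser for that line-based structure over a constructed sample, which refuses duplicate keys and unrecognised lines instead of guessing, because the output is stated above to be ambiguous and not a stable interface.

```python
import re
# Constructed sample in the shape the thread describes for --pretty output:
# "{" "}" delimit sections, "[" "]" lists, "=" key/value, one entry per line.
SAMPLE_PRETTY = """\
list-sa event {
  rw {
    state = ESTABLISHED
    child-sas {
      net {
        state = INSTALLED
        remote-ts = [
          10.2.0.0/16
          10.3.0.0/24
        ]
      }
    }
  }
}
"""
_LIST = re.compile(r"^(?P<key>[^=]+?) = \[$")           # key = [
_KV = re.compile(r"^(?P<key>[^=]+?) = (?P<value>.*)$")  # key = value
_SECTION = re.compile(r"^(?P<name>\S.*?) \{$")          # name {

def _put(section, key, value, n):
    """Store one entry; a repeated key is the ambiguity the thread warns about."""
    if key in section:
        raise ValueError(f"line {n}: duplicate key {key!r}, output is ambiguous")
    section[key] = value
    return value

def parse_pretty(text):
    """Nested dicts/lists from --pretty output; anything else raises ValueError."""
    stack, items = [{}], None  # open sections; items is the open list, if any
    for n, line in enumerate((l.strip() for l in text.splitlines()), 1):
        if line == "]" and items is not None:
            items = None
        elif items is not None:            # inside "key = [ ... ]"
            items.append(line)
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif m := _LIST.match(line):
            items = _put(stack[-1], m["key"], [], n)
        elif m := _KV.match(line):
            _put(stack[-1], m["key"], m["value"], n)
        elif m := _SECTION.match(line):
            stack.append(_put(stack[-1], m["name"], {}, n))
        else:  # stray "}", blank line or unknown syntax: refuse, do not guess
            raise ValueError(f"line {n}: unrecognised syntax {line!r}")
    if len(stack) != 1 or items is not None:
        raise ValueError("unterminated section or list")
    return stack[0]
```

The result is plain dicts and lists, so `json.dumps(parse_pretty(text))` gives the JSON the thread asks for; a format change in a future swanctl release surfaces as a ValueError rather than as silently wrong status data.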
The bindings are suboptimal for a pure monitoring purpose.
I think originally this was understood, as per the mention in the man page that monitoring should be a job of swanctl.
and it's also normal - the class of tool (ctl) should be stable enough to use.
But the main thing is to have something. One thing is that the main tooling does not directly rely on those other languages and so the daemon might work fine yet no python (the only one I can talk about) would be installed. Especially if you think appliances, like pfSense etc. (besides from good FreeSWAN intro at CCC camp in 1999 that's my only touch point), where you utterly need to have monitoring. And it should not break on upgrades due to missing dependencies etc.
A clean route would be to have a SNMP MIB extension and subagent, so the perl route in theory. In practice, that is, idk, 50-100 times the effort of making a monitoring plugin that can screenscrape something. So even for the non-monitoring case of pure debugging, the current state is endangering the vpn admin while they're debugging. (I suppose Linux people can solve this by plugging into something that has external connection handling, i.e. NetworkManager.)
So the question is what's achievable.
a more stable output from swanctl would be ideal as it would help multiple use cases including manually monitoring the status. (Good output is a good human factors thing, debugging with bad output is a bad thing.)
If I try to make a more actionable interpretation of what you wrote, the best option would be to develop / contribute a C based tool (swanmon) that would use the vici interface/socket and parses / provides output.
A person debugging would need to run it in a second session and could get quasi-live status updates.
A person building monitoring without relying on external libraries could run it. The output could be built to work well with i.e. TextFSM to reach a stable interface that is easy to use for screenscrapers, and it could output JSON or other things alternatively.
If there's a read-only set of API calls in the bindings, there might even be an option to make use of that to gain a non-privileged monitor.
The bad thing is that VPN connections usually are fatally important, so any frontend would need to be well-designed.
So that means whatever a frontend relies on, it should be built by a seasoned person with good enough understanding of the IPsec state machines to ensure good reporting.
At that point we're leaving territory that is 'actionable'.
What seems possible, at the moment, within reach of less professional contributors:
- with help, identify the right source code that will generate the output
- build a json frontend with DTD'ed output
- build a mock swanmon that creates this output or human-readable one
- create parser templates that can be updated / versioned
- remove all stupid parsing layers once someone with necessary skills can build it in C
That would bring
- stable output
- implement tricky things as contributions or however someone skilled enough becomes available
- clearly handle output changes from swanctl and cleanly refuse to process them
- updating the template could re-enable processing
footnote:
maybe it's too much crazy, but there's not much else one can do. I have a Sunday night and after that I'll have built this monitoring for the firewalls, for now.
I've used textfsm like once, so it's far too advanced to use here, and I'll just skip over any good practice and get the job done.
this means, I'm just burning time, and I would like to help "you" get to where there's a fund-it link where I can drop pay for a man-hour or two. and a few more people can do the same till it's enough for someone competent to solve it for real.
I only found out about this whole thing because there's so many broken / messed up / overengineered monitoring implementations for strongswan. I think I found 4-5. 1/5 even uses the vici interface.
but, you know, if they worked well / easily, i wouldn't even be here.
@FlorianHeigl Thank you for your detailed explanation.
We have not been idle and have written a small tool that outputs the data as they are as JSON via the VICI socket. The small tool uses the davici library.
That would be just the beginning. We still need to understand more about how IPsec works.