Note

This repository is no longer supported or updated. If you wish to continue to develop this code yourself, consider forking it.

IPsec Exporter

Export strongswan/libreswan IPsec stats to Prometheus.

To run it:

make
./ipsec_exporter [flags]

Exported metrics

Exported for both strongswan and libreswan

| Metric | Meaning | Labels |
| --- | --- | --- |
| ipsec_up | Was the last scrape successful. | |
| ipsec_ike_sas | Number of currently registered IKE SAs. | |
| ipsec_half_open_ike_sas | Number of IKE SAs in half-open state. | |
| ipsec_ike_sa_state | IKE SA state. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_state | Child SA state. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |

Additionally exported for strongswan only

| Metric | Meaning | Labels |
| --- | --- | --- |
| ipsec_uptime_seconds | Number of seconds since the daemon started. | |
| ipsec_workers_total | Number of worker threads. | |
| ipsec_idle_workers | Number of idle worker threads. | |
| ipsec_active_workers | Number of threads processing jobs. | |
| ipsec_queues | Number of queued jobs. | priority |
| ipsec_pool_ips_total | Number of addresses in the pool. | name, address |
| ipsec_online_pool_ips | Number of leases online. | name, address |
| ipsec_offline_pool_ips | Number of leases offline. | name, address |
| ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |

strongswan state mapping

IKE SA

| Name | State value |
| --- | --- |
| CREATED | 0 |
| CONNECTING | 1 |
| ESTABLISHED | 2 |
| PASSIVE | 3 |
| REKEYING | 4 |
| REKEYED | 5 |
| DELETING | 6 |
| DESTROYING | 7 |

Child SA

| Name | State value |
| --- | --- |
| CREATED | 0 |
| ROUTED | 1 |
| INSTALLING | 2 |
| INSTALLED | 3 |
| UPDATING | 4 |
| REKEYING | 5 |
| REKEYED | 6 |
| RETRYING | 7 |
| DELETING | 8 |
| DELETED | 9 |
| DESTROYING | 10 |

libreswan state mapping

| Name | State value |
| --- | --- |
| STATE_MAIN_R0 | 0 |
| STATE_MAIN_I1 | 1 |
| STATE_MAIN_R1 | 2 |
| STATE_MAIN_I2 | 3 |
| STATE_MAIN_R2 | 4 |
| STATE_MAIN_I3 | 5 |
| STATE_MAIN_R3 | 6 |
| STATE_MAIN_I4 | 7 |
| STATE_AGGR_R0 | 8 |
| STATE_AGGR_I1 | 9 |
| STATE_AGGR_R1 | 10 |
| STATE_AGGR_I2 | 11 |
| STATE_AGGR_R2 | 12 |
| STATE_QUICK_R0 | 13 |
| STATE_QUICK_I1 | 14 |
| STATE_QUICK_R1 | 15 |
| STATE_QUICK_I2 | 16 |
| STATE_QUICK_R2 | 17 |
| STATE_INFO | 18 |
| STATE_INFO_PROTECTED | 19 |
| STATE_XAUTH_R0 | 20 |
| STATE_XAUTH_R1 | 21 |
| STATE_MODE_CFG_R0 | 22 |
| STATE_MODE_CFG_R1 | 23 |
| STATE_MODE_CFG_R2 | 24 |
| STATE_MODE_CFG_I1 | 25 |
| STATE_XAUTH_I0 | 26 |
| STATE_XAUTH_I1 | 27 |
| STATE_V2_PARENT_I0 | 29 |
| STATE_V2_PARENT_I1 | 30 |
| STATE_V2_PARENT_I2 | 31 |
| STATE_V2_PARENT_R0 | 32 |
| STATE_V2_PARENT_R1 | 33 |
| STATE_V2_IKE_AUTH_CHILD_I0 | 34 |
| STATE_V2_IKE_AUTH_CHILD_R0 | 35 |
| STATE_V2_NEW_CHILD_I0 | 36 |
| STATE_V2_NEW_CHILD_I1 | 37 |
| STATE_V2_REKEY_IKE_I0 | 38 |
| STATE_V2_REKEY_IKE_I1 | 39 |
| STATE_V2_REKEY_CHILD_I0 | 40 |
| STATE_V2_REKEY_CHILD_I1 | 41 |
| STATE_V2_NEW_CHILD_R0 | 42 |
| STATE_V2_REKEY_IKE_R0 | 43 |
| STATE_V2_REKEY_CHILD_R0 | 44 |
| STATE_V2_ESTABLISHED_IKE_SA | 45 |
| STATE_V2_ESTABLISHED_CHILD_SA | 46 |
| STATE_V2_IKE_SA_DELETE | 47 |
| STATE_V2_CHILD_SA_DELETE | 48 |
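As an added example (not code from ipsec_exporter itself), the Go program below shows how the libreswan table above turns `ipsec status` output into gauge values: it parses the SA lines, looks each state name up in the mapping, derives the `version` label from the `STATE_V2_` prefix, and rejects a state the table does not know rather than silently exporting a wrong value. The sample status lines are constructed, modelled on the format quoted in the issues further down; the exporter's real parser, full label set and escaping rules may differ from this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// libreswanStates copies the libreswan state mapping table above (value 28 is unused there).
var libreswanStates = map[string]int{
	"STATE_MAIN_R0": 0, "STATE_MAIN_I1": 1, "STATE_MAIN_R1": 2, "STATE_MAIN_I2": 3,
	"STATE_MAIN_R2": 4, "STATE_MAIN_I3": 5, "STATE_MAIN_R3": 6, "STATE_MAIN_I4": 7,
	"STATE_AGGR_R0": 8, "STATE_AGGR_I1": 9, "STATE_AGGR_R1": 10, "STATE_AGGR_I2": 11,
	"STATE_AGGR_R2": 12, "STATE_QUICK_R0": 13, "STATE_QUICK_I1": 14, "STATE_QUICK_R1": 15,
	"STATE_QUICK_I2": 16, "STATE_QUICK_R2": 17, "STATE_INFO": 18, "STATE_INFO_PROTECTED": 19,
	"STATE_XAUTH_R0": 20, "STATE_XAUTH_R1": 21, "STATE_MODE_CFG_R0": 22, "STATE_MODE_CFG_R1": 23,
	"STATE_MODE_CFG_R2": 24, "STATE_MODE_CFG_I1": 25, "STATE_XAUTH_I0": 26, "STATE_XAUTH_I1": 27,
	"STATE_V2_PARENT_I0": 29, "STATE_V2_PARENT_I1": 30, "STATE_V2_PARENT_I2": 31,
	"STATE_V2_PARENT_R0": 32, "STATE_V2_PARENT_R1": 33, "STATE_V2_IKE_AUTH_CHILD_I0": 34,
	"STATE_V2_IKE_AUTH_CHILD_R0": 35, "STATE_V2_NEW_CHILD_I0": 36, "STATE_V2_NEW_CHILD_I1": 37,
	"STATE_V2_REKEY_IKE_I0": 38, "STATE_V2_REKEY_IKE_I1": 39, "STATE_V2_REKEY_CHILD_I0": 40,
	"STATE_V2_REKEY_CHILD_I1": 41, "STATE_V2_NEW_CHILD_R0": 42, "STATE_V2_REKEY_IKE_R0": 43,
	"STATE_V2_REKEY_CHILD_R0": 44, "STATE_V2_ESTABLISHED_IKE_SA": 45,
	"STATE_V2_ESTABLISHED_CHILD_SA": 46, "STATE_V2_IKE_SA_DELETE": 47, "STATE_V2_CHILD_SA_DELETE": 48,
}

// SA is one security association parsed from an "ipsec status" line.
type SA struct {
	Name       string // connection name, e.g. xauth-psk
	Instance   string // instance index in [..] for templated connections, "" if none
	UID        string // libreswan state object number (the #NN prefix)
	RemoteHost string
	Version    string // "1" for IKEv1 states, "2" for STATE_V2_* states
	State      string
	StateValue int
}

// Constructed sample output (not a real capture); the traffic line carries no state and is skipped.
var sampleStatus = `000 #6: "l2tp-psk"[1] 198.51.100.7:47274 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #93: "xauth-psk"[21] 203.0.113.5:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23505s; newest; eroute owner; ISAKMP SA #95; idle;
000 #93: "xauth-psk"[21] 203.0.113.5 Traffic: ESPin=623MB ESPout=10062MB ESPmax=4194303B username=user1
000 #95: "xauth-psk"[21] 203.0.113.5:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68211s; newest; idle;
000 #120: "site-b" 192.0.2.9:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); idle;`

// saLine captures: 1=uid, 2=name, 3=instance (optional), 4=remote host (port dropped), 5=state.
var saLine = regexp.MustCompile(`^000 #(\d+): "([^"]+)"(?:\[(\d+)\])? (\S+?)(?::\d+)? (STATE_\w+) \(`)

// ParseStatus returns every SA line as an SA. Lines without a state (traffic
// lines, headers) are skipped; an unknown state name is an error so that a new
// libreswan release does not silently produce wrong gauge values.
func ParseStatus(output string) ([]SA, error) {
	var sas []SA
	for _, line := range strings.Split(output, "\n") {
		m := saLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value, ok := libreswanStates[m[5]]
		if !ok {
			return nil, fmt.Errorf("unknown libreswan state %q in line %q", m[5], line)
		}
		version := "1"
		if strings.HasPrefix(m[5], "STATE_V2_") {
			version = "2"
		}
		sas = append(sas, SA{Name: m[2], Instance: m[3], UID: m[1], RemoteHost: m[4],
			Version: version, State: m[5], StateValue: value})
	}
	return sas, nil
}

// ExpositionLine renders an SA as an ipsec_ike_sa_state sample with a subset of the
// README's labels. %q quoting is adequate for the plain values used here.
func ExpositionLine(sa SA) string {
	name := sa.Name
	if sa.Instance != "" {
		name += "[" + sa.Instance + "]"
	}
	return fmt.Sprintf(`ipsec_ike_sa_state{name=%q,remote_host=%q,uid=%q,version=%q} %d`,
		name, sa.RemoteHost, sa.UID, sa.Version, sa.StateValue)
}

func main() {
	sas, err := ParseStatus(sampleStatus)
	if err != nil {
		panic(err)
	}
	for _, sa := range sas {
		fmt.Println(ExpositionLine(sa))
	}
}
```

The strict lookup is deliberate: a gauge that quietly reports 0 for an unrecognised state looks exactly like a healthy `STATE_MAIN_R0`, so a scrape failure is the safer signal when the daemon's vocabulary changes.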

Flags

./ipsec_exporter --help
  • vici.address: VICI socket address. Example: unix:///var/run/charon.vici or tcp://127.0.0.1:4502.
  • vici.timeout: VICI socket connect timeout.
  • collector: Collector type to scrape metrics with. vici or ipsec.
  • ipsec.command: Command used to scrape IPsec metrics when the collector is set to ipsec. ipsec statusall by default. To use with libreswan, set it to ipsec status.
  • web.listen-address: Address to listen on for web interface and telemetry.
  • web.telemetry-path: Path under which to expose metrics.
  • log.level: Logging level. info by default.
  • log.format: Set the log target and format. Example: logger:syslog?appname=bob&local=7 or logger:stdout?json=true.

TLS and basic authentication

The ipsec_exporter supports TLS and basic authentication. To use TLS and/or basic authentication, you need to pass a configuration file using the --web.config.file parameter. The format of the file is described in the exporter-toolkit repository.

ipsec_exporter's Issues

not all tunnels are reported

We have a quite complicated setup, with multiple tunnels per tunnel endpoint pair. Our own subnet is always the same, but the other subnet is unique (of course, otherwise the routing would not work).
It seems the exporter's data model does not handle this at all, because only the first tunnels for a given endpoint pair show up.
(Libreswan 3.32 on Ubuntu 22.04)

Username support

Hi
I used libreswan, and may I have the dial-up username?
Thank you

From exporter metrics
TYPE ipsec_ike_sa_state gauge
ipsec_ike_sa_state{local_host="10.1.0.2",local_id="35.XX.14.204,MS+XS+S=C",name="xauth-psk[21]",remote_host="122.117.XX.85",remote_id="+MC+XC+S=C",remote_identity="",uid="95",version="1",vips=""} 6
ipsec_ike_sa_state{local_host="10.1.0.2",local_id="35.XX.14.204,MS+XS+S=C",name="xauth-psk[22]",remote_host="123.210.XX.40",remote_id="+MC+XC+S=C",remote_identity="",uid="96",version="1",vips=""} 6

From ipsec status
000 #6: "l2tp-psk"[1] 74.82.XX.36:47274 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #85: "l2tp-psk"[2] 118.193.XX.201:65282 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #93: "xauth-psk"[21] 122.117.XX.85:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23505s; newest; eroute owner; ISAKMP SA #83; idle;
000 #93: "xauth-psk"[21] 122.117.XX.85 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=623MB ESPout=10062MB ESPmax=4194303B username=user1
000 #95: "xauth-psk"[21] 122.117.XX.85:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68211s; newest; lastdpd=18s(seq in:24172 out:0); idle;
000 #94: "xauth-psk"[22] 123.240.XX.40:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23523s; newest; eroute owner; ISAKMP SA #84; idle;
000 #94: "xauth-psk"[22] 123.240.XX.40 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=0B ESPout=0B ESPmax=4194303B username=user2
000 #96: "xauth-psk"[22] 123.240.XX.40:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68218s; newest; lastdpd=24s(seq in:19875 out:0); idle;

Why are UIDs included as a label?

If I understand it correctly, UIDs in libreswan are generated dynamically and are always changing.

If this is true, including UIDs in metrics, like this:

ipsec_child_sa_state{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 17

ipsec_child_sa_bytes_out{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 4096

ipsec_ike_sa_state{local_host="xxxx",local_id="",name="xxxx",remote_host="xxxx",remote_id="",remote_identity="",uid="2953",version="1",vips=""} 7

is a bad practice since it will cause an unbounded number of unique prometheus time series, as described in https://prometheus.io/docs/practices/naming/ :

Remember that every unique combination of key-value label pairs represents a new time series, which can dramatically increase the amount of data stored. Do not use labels to store dimensions with high cardinality (many different label values), such as user IDs, email addresses, or other unbounded sets of values.

Because of this, there should be no label where the value of the label does not come from the configuration file, or is not a fixed value.

So the labels I don't really understand are:

  • uid
  • ike_sa_uid
  • ike_sa_local_id
  • ike_sa_remote_id
  • ike_sa_remote_identity
  • reqid
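As an added illustration of the cardinality concern raised in this issue (example code, not part of ipsec_exporter), the Go program below counts how many distinct series a set of exposition lines would create, with and without the uid-style labels. The sample lines are constructed: one child SA observed across three scrapes with two rekeys in between, so only `uid` and `ike_sa_uid` change. The same merge is what a Prometheus `metric_relabel_configs` rule with `action: labeldrop` on those labels would produce at scrape time.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample: the same tunnel across three scrapes; only uid/ike_sa_uid differ.
var sampleScrapes = []string{
	`ipsec_child_sa_state{ike_sa_name="site-b",ike_sa_uid="2970",local_ts="10.0.0.0/24",name="site-b",remote_ts="10.1.0.0/24",reqid="",uid="2961"} 17`,
	`ipsec_child_sa_state{ike_sa_name="site-b",ike_sa_uid="2988",local_ts="10.0.0.0/24",name="site-b",remote_ts="10.1.0.0/24",reqid="",uid="2979"} 17`,
	`ipsec_child_sa_state{ike_sa_name="site-b",ike_sa_uid="3001",local_ts="10.0.0.0/24",name="site-b",remote_ts="10.1.0.0/24",reqid="",uid="2995"} 17`,
	`ipsec_child_sa_bytes_out{ike_sa_name="site-b",ike_sa_uid="2970",local_ts="10.0.0.0/24",name="site-b",remote_ts="10.1.0.0/24",reqid="",uid="2961"} 4096`,
	`ipsec_child_sa_bytes_out{ike_sa_name="site-b",ike_sa_uid="2988",local_ts="10.0.0.0/24",name="site-b",remote_ts="10.1.0.0/24",reqid="",uid="2979"} 8192`,
}

// sampleLine splits "name{labels} value"; labelPair splits one key="value" pair.
// Escaped quotes inside label values are not handled, which is enough for this data.
var sampleLine = regexp.MustCompile(`^([A-Za-z_:][A-Za-z0-9_:]*)\{([^}]*)\} (\S+)$`)
var labelPair = regexp.MustCompile(`([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"`)

// SeriesKey returns the identity of a series (metric name plus sorted labels)
// after removing the labels in drop. Labels with an empty value are removed as
// well, because Prometheus treats an empty label value as the label being absent.
// ok is false for lines that are not samples (HELP/TYPE comments, blank lines).
func SeriesKey(line string, drop map[string]bool) (key string, ok bool) {
	m := sampleLine.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	var kept []string
	for _, p := range labelPair.FindAllStringSubmatch(m[2], -1) {
		if drop[p[1]] || p[2] == "" {
			continue
		}
		kept = append(kept, p[1]+"="+p[2])
	}
	sort.Strings(kept)
	return m[1] + "{" + strings.Join(kept, ",") + "}", true
}

// CountSeries returns, per metric name, how many distinct series the lines
// would create once the named labels are dropped.
func CountSeries(lines []string, drop ...string) map[string]int {
	dropSet := map[string]bool{}
	for _, l := range drop {
		dropSet[l] = true
	}
	seen := map[string]bool{}
	counts := map[string]int{}
	for _, line := range lines {
		key, ok := SeriesKey(line, dropSet)
		if !ok || seen[key] {
			continue
		}
		seen[key] = true
		counts[key[:strings.IndexByte(key, '{')]]++
	}
	return counts
}

func main() {
	fmt.Println("as exported:      ", CountSeries(sampleScrapes))
	fmt.Println("uid labels dropped:", CountSeries(sampleScrapes, "uid", "ike_sa_uid"))
}
```

Every rekey adds a series under the first count and none under the second; over a fleet of tunnels with hourly rekeys that difference is what turns a modest exporter into a TSDB problem.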

Hi, how do you configure it

Hi, how do you configure it? Can you post some sample configurations you use? I don't know how to start the configuration. Thank you very much.

[root@localhost:~]#ipsec --help
Usage: ipsec {command} [argument] ...>
where {command} is one of:

	start			stop
	restart			status
	trafficstatus		globalstatus
	shuntstatus		import
	initnss			checknss
	checknflog		addconn
	algparse		auto
	barf			cavp
	enumcheck		eroute
	klipsdebug		look
	newhostkey		pf_key
	pluto			readwriteconf
	rsasigkey		setup
	show			showhostkey
	spi			spigrp
	tncfg			verify
	whack
See also: man ipsec <command> or ipsec <command> --help
See <https://libreswan.org/> for more general info.
Linux Libreswan 3.25 (netkey) on 3.10.0-1160.el7.x86_64

libreswan support

Hi

I tried your exporter to get metrics out of https://github.com/hwdsl2/docker-ipsec-vpn-server which is libreswan, I assume. I only use it for IKEv2.

I do not have the ipsec statusall command:

bash-5.1# ipsec statusall
/usr/local/sbin/ipsec: unknown IPsec command "statusall" ("ipsec --help" for list)

I tried it with ipsec globalstatus but I get only half of the metrics:

bash-5.1# curl localhost:9903/metrics | grep ipsec_
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7302    0  7302    0     0  1380k      0 --:--:-- --:--:-- --:--:-- 1426k
# HELP ipsec_active_workers Number of threads processing jobs.
# TYPE ipsec_active_workers gauge
ipsec_active_workers 0
# HELP ipsec_exporter_build_info A metric with a constant '1' value labeled by version, revision, branch, and goversion from which ipsec_exporter was built.
# TYPE ipsec_exporter_build_info gauge
ipsec_exporter_build_info{branch="HEAD",goversion="go1.16.7",revision="67ba91cdd5486a75e290d155747d43a6070ceb1a",version="1.0.0-beta.0"} 1
# HELP ipsec_half_open_ike_sas Number of IKE SAs in half-open state.
# TYPE ipsec_half_open_ike_sas gauge
ipsec_half_open_ike_sas 0
# HELP ipsec_idle_workers Number of idle worker threads.
# TYPE ipsec_idle_workers gauge
ipsec_idle_workers 0
# HELP ipsec_ike_sas Number of currently registered IKE SAs.
# TYPE ipsec_ike_sas gauge
ipsec_ike_sas 0
# HELP ipsec_queues Number of queued jobs.
# TYPE ipsec_queues gauge
ipsec_queues{priority="critical"} 0
ipsec_queues{priority="high"} 0
ipsec_queues{priority="low"} 0
ipsec_queues{priority="medium"} 0
# HELP ipsec_up Was the last scrape successful.
# TYPE ipsec_up gauge
ipsec_up 1
# HELP ipsec_workers_total Number of worker threads.
# TYPE ipsec_workers_total gauge
ipsec_workers_total 0

Those are my current processes:

bash-5.1# ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /usr/sbin/xl2tpd -D -c /etc/xl2tpd/xl2tpd.conf
  120 root      0:01 /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf
 1339 root      0:00 bash
 2018 root      0:00 ./ipsec_exporter --collector=ipsec --ipsec.command=ipsec globalstatus
 2037 root      0:00 ps aux

I'd put the ipsec.command into double quotes, no idea why the process list is not showing them.
