Re: [Swan] About to the Libreswan project

2018-08-17 Thread Peyman Ghorbani
I have a request from you, and I hope you do not refuse it.
I'm really tired of trying hard.
I'll give you a raw server.
Can you start the IPSec and ikev2 with pam_radius_auth service on my server?
I really need your help and cooperation.
Thank you very much


> On Aug 14, 2018, at 9:55 PM, Paul Wouters wrote:
> 
>> On Tue, 14 Aug 2018, Peyman Ghorbani wrote:
>> 
>> Where are these parameters?
>>  pam-authorize
>>  salifetime
>>  ikelifetime
> 
> Those parameters can be added to a "conn" section
> 
> Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] About to the Libreswan project

2018-08-14 Thread Paul Wouters

On Tue, 14 Aug 2018, Peyman Ghorbani wrote:


> Where are these parameters?
>  pam-authorize
>  salifetime
>  ikelifetime

Those parameters can be added to a "conn" section

Paul


Re: [Swan] About to the Libreswan project

2018-08-14 Thread Peyman Ghorbani
Hi Paul

> >> Please use the swan mailing list. I don't scale at internet sizes.

Sorry, typed wrong. I've taken your email from the project site. 
(https://libreswan.org/wiki/Support)


> >> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> >> salifetime=
> 
> >> The user then has to re-authenticate to continue.
> 
> >> For IKEv1, you can use xauthby=pam and create an appropriate
> >> /etc/pam.d/pluto configuration file.
> 
> >> For IKEv2, you can set pam-authorize=yes and do something similar.
> 
> >> For example, you can use pam with radius or you can use the pam_url
> >> module to run your own REST based API to make custom decisions.
> 
> >> Usually however, people limit the users by amount of traffic, not by
> >> amount of time. The updown scripts log the traffic and can be modified
> >> to report the traffic to a monitor/audit server for keeping count.
> >> For existing connections, "ipsec whack --trafficstatus" shows all
> >> connections/users and their currently used traffic (that has not yet
> >> been reported via updown since the connection is still up)

Thanks for your help.
Where are these parameters?
 pam-authorize
 salifetime
 ikelifetime

I have a request from you, and I hope you do not refuse it.
I'm really tired of trying hard.
I'll give you a raw server.
Can you start the IPSec and ikev2 with pam_radius_auth service on my server?
I really need your help and cooperation.
Thank you very much

> On Aug 13, 2018, at 9:24 PM, Paul Wouters wrote:
> 
>> On Mon, 13 Aug 2018, Peyman Ghorbani wrote:
>> 
>> First thank you for taking the time and reading my letter.
>> I found your email address from Google.
> 
> Please use the swan mailing list. I don't scale at internet sizes.
> 
>> I'll start talking very quickly.
>> I was able to launch the IPSec Cisco service on my VPS by following the
>> link below.
>> https://github.com/hwdsl2/setup-ipsec-vpn
>> Very convenient and fast in less than a few minutes, my quality service was 
>> delivered. But now I have a problem.
>> This Shell script has provided me with just one account (Username/password 
>> and IPSec PSK) without any limitations.
>> I need to set a time limit for accounts.
>> In short, I want this service to be connected to the accounting via PAM 
>> RADIUS.
> 
> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> salifetime=
> 
> The user then has to re-authenticate to continue.
> 
> For IKEv1, you can use xauthby=pam and create an appropriate
> /etc/pam.d/pluto configuration file.
> 
> For IKEv2, you can set pam-authorize=yes and do something similar.
> 
> For example, you can use pam with radius or you can use the pam_url
> module to run your own REST based API to make custom decisions.
> 
> Usually however, people limit the users by amount of traffic, not by
> amount of time. The updown scripts log the traffic and can be modified
> to report the traffic to a monitor/audit server for keeping count.
> For existing connections, "ipsec whack --trafficstatus" shows all
> connections/users and their currently used traffic (that has not yet
> been reported via updown since the connection is still up)
> 
> Paul


Re: [Swan] About to the Libreswan project

2018-08-13 Thread Paul Wouters

On Mon, 13 Aug 2018, Peyman Ghorbani wrote:


> First thank you for taking the time and reading my letter.
> I found your email address from Google.

Please use the swan mailing list. I don't scale at internet sizes.

> I'll start talking very quickly.
> I was able to launch the IPSec Cisco service on my VPS by following the
> link below.
> https://github.com/hwdsl2/setup-ipsec-vpn
> Very convenient and fast in less than a few minutes, my quality service was
> delivered. But now I have a problem.
> This Shell script has provided me with just one account (Username/password and
> IPSec PSK) without any limitations.
> I need to set a time limit for accounts.
> In short, I want this service to be connected to the accounting via PAM RADIUS.

You can set IPsec SA and IKE SA time limits via ikelifetime= and
salifetime=

The user then has to re-authenticate to continue.

For IKEv1, you can use xauthby=pam and create an appropriate
/etc/pam.d/pluto configuration file.

For IKEv2, you can set pam-authorize=yes and do something similar.

For example, you can use pam with radius or you can use the pam_url
module to run your own REST based API to make custom decisions.

Usually however, people limit the users by amount of traffic, not by
amount of time. The updown scripts log the traffic and can be modified
to report the traffic to a monitor/audit server for keeping count.
For existing connections, "ipsec whack --trafficstatus" shows all
connections/users and their currently used traffic (that has not yet
been reported via updown since the connection is still up)

Paul
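
Added example (not part of the original thread and not libreswan code): one way to keep a per-user traffic count from the "ipsec whack --trafficstatus" output mentioned above, flagging users over a byte quota. It assumes connection lines carry inBytes=, outBytes= and either username= or id='...' fields; the sample lines, the user names and the function names sample_trafficstatus and over_quota are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-user traffic totals from "ipsec whack --trafficstatus".
# Assumption: connection lines carry inBytes=, outBytes= and either
# username= (XAUTH) or id='...' fields. The sample lines are constructed.

# Constructed sample output (documentation addresses, made-up users).
sample_trafficstatus() {
    cat <<'EOF'
006 #4: "xauth-psk"[1] 198.51.100.7, username=alice, type=ESP, add_time=1534180000, inBytes=700000, outBytes=400000
006 #6: "xauth-psk"[2] 198.51.100.9, username=bob, type=ESP, add_time=1534180300, inBytes=1200, outBytes=3400
006 #9: "xauth-psk"[3] 203.0.113.20, username=alice, type=ESP, add_time=1534183900, inBytes=50000, outBytes=25000
006 #11: "ikev2-cp"[1] 203.0.113.44, type=ESP, add_time=1534184000, inBytes=900000, outBytes=300000, id='carol@example.test'
EOF
}

# over_quota QUOTA_BYTES: read trafficstatus text on stdin and print
# "user total_bytes" for every user whose in+out total exceeds the quota.
over_quota() {
    awk -v quota="$1" -v q="'" '
    # Return the value of key=value on the current line, or "" if absent.
    function field(key) {
        if (match($0, key "=[^, ]+"))
            return substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    {
        user = field("username")
        # No XAUTH username: fall back to the quoted peer ID (may hold spaces).
        if (user == "" && match($0, "id=" q "[^" q "]*" q))
            user = substr($0, RSTART + 4, RLENGTH - 5)
        # Skip lines that are not per-connection traffic records.
        if (user == "" || field("inBytes") == "") next
        # A user with several connections is counted once, summed.
        total[user] += field("inBytes") + field("outBytes")
    }
    END {
        for (u in total)
            if (total[u] > quota) printf "%s %.0f\n", u, total[u]
    }' | sort
}

# On a gateway: ipsec whack --trafficstatus | over_quota 1000000
sample_trafficstatus | over_quota 1000000
```

These totals cover only connections that are still up; traffic from closed connections has to come from the updown logging described above.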