Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Tobias Brunner
Hi Houman,

> That's great news.  You are right, I can see those entries in sys logs.
> But there is still a strange issue. At 12:09:27 despite the initial
> disconnect request and acknowledgement, StrongSwan doesn't disconnect
> the user.

You can't use this method for IKE_SAs that are concurrently being
established.  Such IKE_SAs are locked and, thus, skipped by the
Disconnect handler.  This particular IKE_SA is waiting for the
EAP-Accounting response and until that's received and the IKE_AUTH
response has been sent, the IKE_SA can't be closed via this code path.
It also affects SAs later if they are locked for some reason (e.g.
handling rekeyings or DPDs, but not interim Accounting updates as the SA
is unlocked before sending those).  So perhaps the RADIUS server could
retry sending the Disconnect message if it still has state around for
the user but received a NAK (or delay sending the Disconnect for a bit).
Ideally you'd handle authentication via RADIUS so you could reject
users immediately.

Regards,
Tobias
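
Tobias's suggestion above (resend the Disconnect-Request if the NAS answers
Disconnect-NAK while the IKE_SA is still locked in IKE_AUTH) as a small
worked client.  This is an added example for the thread, not code from
strongSwan, FreeRADIUS or the poster.  It assumes the DAE port 3799 and the
secret "testing123" as placeholders, sends only User-Name (Tobias says that
is sufficient; the 28-byte packet is the same size radclient reports below),
and omits Message-Authenticator, which RFC 5176 does not require for a bare
User-Name request.  The `send` callable is injected so the retry logic can
be exercised without a live daemon; `udp_sender()` is the real transport.

```python
"""RADIUS Disconnect-Request (RFC 5176 DAE) client with retry on NAK.

Added example; placeholders: port 3799, secret b"testing123".
"""
import hashlib
import hmac
import socket
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME = 1
HEADER = struct.Struct("!BBH")        # Code, Identifier, Length


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, 2 + len(value))) + value


def build_disconnect_request(secret, ident, user_name):
    """Disconnect-Request carrying only User-Name.  Request Authenticator per
    RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    attrs = _attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    header = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_reply(code, request, secret, attrs=b""):
    """What the NAS sends back (used to build test vectors): Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_response(request, response, secret):
    """Return (code, [(type, value), ...]) if `response` is an authentic reply
    to `request`, else None.  The code is only trusted after the
    authenticator check, so a forged NAK/ACK cannot steer the retry loop."""
    if len(response) < 20:
        return None
    code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or not 20 <= length <= len(response):
        return None
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None                    # wrong secret or tampered packet
    attrs, pos = [], 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None                # malformed attribute list
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def disconnect_user(user_name, secret, send, retries=3, delay=2.0):
    """Run the exchange via `send(packet) -> reply bytes or None`.
    Returns "ack", "nak" or "unanswered".  A NAK is retried up to `retries`
    times with `delay` seconds in between: strongSwan skips an IKE_SA that is
    locked (IKE_AUTH still in progress, rekeying, DPD), so the same request a
    little later usually finds it."""
    outcome = "unanswered"
    for attempt in range(retries + 1):
        request = build_disconnect_request(secret, attempt & 0xFF, user_name)
        parsed = parse_response(request, send(request) or b"", secret)
        if parsed is None:
            outcome = "unanswered"
        elif parsed[0] == DISCONNECT_ACK:
            return "ack"
        elif parsed[0] == DISCONNECT_NAK:
            outcome = "nak"
        if attempt < retries:
            time.sleep(delay)
    return outcome


def udp_sender(host="127.0.0.1", port=3799, timeout=3.0):
    """Real transport: one UDP datagram to the DAE listener, one reply."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (host, port))
            try:
                return sock.recv(4096)
            except socket.timeout:
                return None
    return send


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "houman"
    print(disconnect_user(user, b"testing123", udp_sender()))
```

The listener side is the eap-radius plugin's DAE settings in strongswan.conf
(charon.plugins.eap-radius.dae: enable, listen, port, secret); the secret
here must match that one.  Note that the retry only helps for the transient
case Tobias describes; a user with no IKE_SA at all will NAK every time.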


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Houman
Hi Tobias,

That's great news.  You are right, I can see those entries in sys logs. But
there is still a strange issue. At 12:09:27 despite the initial disconnect
request and acknowledgement, StrongSwan doesn't disconnect the user.

Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP :54c4::1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32 xxx:54c4:4c90:1::301/128
Oct 15 12:09:27 stag-1 charon: 05[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:27 stag-1 charon: 05[NET] sending packet: from 172.31.X.X[4500] to 5.78.X.X[4500] (352 bytes)


10 seconds later (because of the Acct-Interim-Interval) a second disconnect
request is sent.

post-auth {
    update reply {
        Acct-Interim-Interval = 10
    }
}


Oct 15 12:09:37 stag-1 charon: 16[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 07[IKE] deleting IKE_SA stag-1[35] between 172.31.xx.xx[stag-1.xxx.com]…5.78.xxx.xx[stag-1.xxx.com]
Oct 15 12:09:37 stag-1 charon: 07[IKE] sending DELETE for IKE_SA stag-1[35]
Oct 15 12:09:37 stag-1 charon: 07[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 15 12:09:37 stag-1 charon: 07[NET] sending packet: from 172.31.xx.xx[4500] to 5.78.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 16[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[NET] received packet: from 5.78.xx.xx[4500] to 172.31.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 06[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 06[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:37 stag-1 charon: 06[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease fdd2:54c4:4c90:1::301 by 'houman' went offline
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease 10.10.10.1 by 'houman' went offline

Only this time it actually works and the user is disconnected.  Why isn't
it working the first time around?

Many Thanks,
Houman

On Tue, 15 Oct 2019 at 15:34, Tobias Brunner  wrote:

> Hi Houman,
>
> > What attributes *should* be in the Disconnect-Request beside User-Name?
>
> None, that's fine.  If you receive a NAK that means no IKE_SA was found
> with a matching remote identity.  You should see something like this in
> the strongSwan log:
>
> > received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> > no IKE_SA matches houman, sending Disconnect-NAK
>
> Regards,
> Tobias
>


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Tobias Brunner
Hi Houman,

> What attributes *should* be in the Disconnect-Request beside User-Name? 

None, that's fine.  If you receive a NAK that means no IKE_SA was found
with a matching remote identity.  You should see something like this in
the strongSwan log:

> received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> no IKE_SA matches houman, sending Disconnect-NAK

Regards,
Tobias


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Houman
Hello Tobias,

Thank you, for your help on this. I have managed to utilise eap-radius
plugin to listen to disconnect messages from Freeradius.

I get strange reporting in the logs. It seems that StrongSwan rejects the
initial disconnect message with a NAK.

(4) Sent Disconnect-Request Id 11 from 0.0.0.0:42481 to 127.0.0.1:3799
length 28
(4)   User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530
length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing : attributes
(4) Received Disconnect-NAK Id 11 from 127.0.0.1:3799 to 127.0.0.1:42481
length 20

What attributes *should* be in the Disconnect-Request beside User-Name?  Is
there anything else I need to avoid getting a NAK from StrongSwan?

Many Thanks,
Houman


On Tue, 10 Sep 2019 at 12:02, Tobias Brunner  wrote:

> Hi Houman,
>
> > Do you think that is possible to do via FreeRadius?
>
> See [1].
>
> > Just to be
> > clear there is always a 1:1 relationship between IKE_SA and a user at a
> > time, correct?
>
> Probably, that is, if you don't allow multiple IKE_SAs per user identity.
>
> > If I end an IKE_SA, I won't be kicking several users by
> > mistake?
>
> Not if you do so by unique ID (by name wouldn't be a good idea because
> all IKE_SAs by roadwarriors will share the name of the connection).
>
> > So in other words what
> > I'm trying to achieve is possible with Vici right?
>
> Yes.
>
> Regards,
> Tobias
>
> [1]
>
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension
>


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-10 Thread Tobias Brunner
Hi Houman,

> Do you think that is possible to do via FreeRadius?

See [1].

> Just to be
> clear there is always a 1:1 relationship between IKE_SA and a user at a
> time, correct?

Probably, that is, if you don't allow multiple IKE_SAs per user identity.

> If I end an IKE_SA, I won't be kicking several users by
> mistake?

Not if you do so by unique ID (by name wouldn't be a good idea because
all IKE_SAs by roadwarriors will share the name of the connection).

> So in other words what
> I'm trying to achieve is possible with Vici right?

Yes.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-10 Thread Houman
Hello Tobias,

Thank you for your reply.

> Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).

This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe
I should explain the use case I'm trying to achieve.

I have setup a limit by monthly-usage in FreeRadius. Each user can use 10
GB and after that, any attempt to connect to the VPN server fails.

echo 'ATTRIBUTE   Monthly-Usage  3001  integer64' >> /etc/freeradius/3.0/dictionary

sed -i '/authorize {/a\
    update request {\
        Monthly-Usage = "%{sql:SELECT COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE `username`='"'"'%{User-Name}'"'"' AND Month(acctupdatetime)=(Month(NOW())) AND Year(acctupdatetime)=Year(NOW())}"\
    }\
' /etc/freeradius/3.0/sites-enabled/default

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Monthly-Usage','<',100);

This works, however, once the limit has been reached, he continues to
remain connected, nothing forces him out. Only if he disconnects and tries
to connect again, he would be prevented.  I was thinking to check every 5
minutes to see if someone has reached the monthly usage and is still
connected to kick him out.

Do you think that is possible to do via FreeRadius?

> What do you mean?  [1] provides an overview and has a link to the
> README.md file that describes the available commands and even contains
> simple code examples.  The Python bindings are basically a wrapper that
> provides a convenient interface for these commands.

Ah my bad. I was looking at https://pypi.org/project/vici/ but I found more
documentation at the github project.

> That returns the configured connections, so that's not really useful to
> you.  More interesting will be the list of established IKE_SAs
> (s.list_sas).
>
> There is no option to filter by remote/user ID, so you have
> to enumerate the established SAs (list-sa documents the returned
> information) and check remote-(eap-)id yourself.

Perfect. I think the username in Radcheck is the same as the
remote-(eap-)id you mentioned. So I have to find a way to filter that
within the IKE_SA and then to terminate the IKE_SA itself.  Just to be
clear there is always a 1:1 relationship between IKE_SA and a user at a
time, correct?  If I end an IKE_SA, I won't be kicking several users by
mistake? It will be only the one user using that? So in other words what
I'm trying to achieve is possible with Vici right?

Many Thanks,
Houman


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-09 Thread Tobias Brunner
Hi Houman,

> Is there is a way to disconnect a specific strongswan user from the
> command line?

Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).

> I have found the Vici plugin, but there is no documentation whatsoever.

What do you mean?  [1] provides an overview and has a link to the
README.md file that describes the available commands and even contains
simple code examples.  The Python bindings are basically a wrapper that
provides a convenient interface for these commands.

> >>> import vici
> >>> s = vici.Session()
> >>> s.list_conns()

That returns the configured connections, so that's not really useful to
you.  More interesting will be the list of established IKE_SAs (s.list_sas).

> Looking at the code there is a "filters" as an argument to pass in:

That argument can be used to pass information to the command (check the
README for what the options are).  For example, with list-sas you can
filter based on the name or unique ID of an SA and/or pass a flag that
determines if the command operates in non-blocking mode (blocked SAs are
skipped).  There is no option to filter by remote/user ID, so you have
to enumerate the established SAs (list-sa documents the returned
information) and check remote-(eap-)id yourself.

> But I'm stuck as I don't know how to set that. There must be some kind
> of documentation for this right? 

As I said, the README file documents the commands and arguments.

> I suppose once I have the actual SA, I could pass it to terminate(). 

Get the unique ID of the SA and then terminate it using that.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Vici
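
The procedure Tobias describes (enumerate established IKE_SAs with
list-sas, compare the remote EAP identity yourself, then terminate by
unique ID rather than by connection name), written out against the vici
Python bindings, together with the periodic "kick everyone over quota"
job Houman asks about further up.  This is an added example, not code from
strongSwan or from the poster.  It assumes the list-sa layout documented
in the vici README (one dict per IKE_SA keyed by connection name, with
"uniqueid", "remote-id" and "remote-eap-id" entries, values arriving as
bytes), and that terminate() takes {"ike-id": <uniqueid>} and yields
control-log events until the request completes.  The matching logic is a
pure function so it can be checked without a running charon.

```python
"""Disconnect a strongSwan user by remote (EAP) identity via vici.

Added example; the session/dict layout assumptions are stated above.
"""
try:
    import vici                      # pip install vici; only needed live
except ImportError:                  # matching logic still importable
    vici = None


def _text(value):
    """vici values are bytes on Python 3; keys may be str.  Normalise."""
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return "" if value is None else str(value)


def matching_ike_ids(list_sa_events, user):
    """Return [(conn_name, uniqueid), ...] for every IKE_SA owned by `user`.

    Prefer remote-eap-id (that is the name RADIUS knows); fall back to
    remote-id for non-EAP peers.  Never select by connection name: all road
    warriors on "stag-1" share it, so only the uniqueid is safe to terminate.
    A user with several concurrent IKE_SAs gets all of them listed.
    """
    hits = []
    for event in list_sa_events:
        for conn_name, sa in event.items():
            ident = _text(sa.get("remote-eap-id")) or _text(sa.get("remote-id"))
            if ident == user:
                hits.append((_text(conn_name), _text(sa.get("uniqueid"))))
    return hits


def kick_user(session, user):
    """Terminate every IKE_SA of `user`; return the unique IDs closed."""
    closed = []
    for _conn, uid in matching_ike_ids(session.list_sas(), user):
        # terminate streams control-log events; drain them so the request
        # has actually been processed before the next one is issued.
        for _log in session.terminate({"ike-id": uid}):
            pass
        closed.append(uid)
    return closed


def kick_over_quota(session, over_quota_users):
    """Periodic job body: the caller computes `over_quota_users` from
    radacct (e.g. the Monthly-Usage query in the thread) every few minutes;
    returns {user: [uniqueids closed]} for logging."""
    return {user: kick_user(session, user) for user in over_quota_users}


if __name__ == "__main__":
    import sys
    if vici is None:
        sys.exit("vici bindings not installed")
    s = vici.Session()               # default socket /var/run/charon.vici
    print(kick_over_quota(s, sys.argv[1:]))
```

Run it as root (or a user allowed to open the vici socket) with the user
names to kick as arguments.  Because the lookup is by identity and the
termination by unique ID, a user with two IKE_SAs loses both and nobody
else on the same connection is touched.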


[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-09 Thread Houman
Hello,

Is there is a way to disconnect a specific strongswan user from the command
line?

I have found the Vici plugin, but there is no documentation whatsoever. It
says check the comments in the code and it's still not clear to me.

All I could do so far was this

>>> import vici
>>> s = vici.Session()
>>> s.list_conns()


I have one connection on this test server, But I need somehow to filter for
a specific user, if I had more connections.

Looking at the code there is a "filters" as an argument to pass in:

    def list_conns(self, filters=None):
        """Retrieve loaded connections.

        :param filters: retrieve only matching configuration names (optional)
        :type filters: dict
        :return: generator for loaded connections as dict
        :rtype: generator
        """
        return self.streamed_request("list-conns", "list-conn", filters)

But I'm stuck as I don't know how to set that. There must be some kind of
documentation for this right?

I suppose once I have the actual SA, I could pass it to terminate().

Many Thanks,
Houman