On Mon, 13 Aug 2018, Peyman Ghorbani wrote:
First thank you for taking the time and reading my letter. I found your email address from Google.
Please use the swan mailing list. I don't scale at internet sizes.
I'll start talking very quickly. I was able to launch the IPsec Cisco service on my VPS by following the link below:

https://github.com/hwdsl2/setup-ipsec-vpn

Very convenient and fast; in less than a few minutes my quality service was delivered. But now I have a problem. This shell script has provided me with just one account (username/password and IPsec PSK) without any limitations. I need to set a time limit for accounts. In short, I want this service to be connected to accounting via PAM RADIUS.
You can set IPsec SA and IKE SA time limits via ikelifetime= and salifetime=. The user then has to re-authenticate to continue.

For IKEv1, you can use xauthby=pam and create an appropriate /etc/pam.d/pluto configuration file. For IKEv2, you can set pam-authorize=yes and do something similar. For example, you can use pam with radius, or you can use the pam_url module to run your own REST based API to make custom decisions.

Usually however, people limit the users by amount of traffic, not by amount of time. The updown scripts log the traffic and can be modified to report the traffic to a monitor/audit server for keeping count. For existing connections, "ipsec whack --trafficstatus" shows all connections/users and their currently used traffic (that has not yet been reported via updown since the connection is still up).

Paul

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
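The per-user traffic accounting Paul describes, as an added example that is not part of the original thread or of libreswan itself: a small POSIX shell script that sums inBytes/outBytes per username from "ipsec whack --trafficstatus" output and flags users over a byte quota. The sample lines are constructed to approximate the trafficstatus format (field names inBytes=, outBytes=, username= as on the page; the exact layout of a real host's output is an assumption), so on a real server you would feed it `ipsec whack --trafficstatus` instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample of "ipsec whack --trafficstatus" output; the layout is
# an approximation, not a capture from a real libreswan host.
SAMPLE=$(printf '%s\n' \
  "006 #2: \"xauth-psk\"[1] 203.0.113.5, username=alice, type=ESP, add_time=1534166400, inBytes=1048576, outBytes=2097152, id='203.0.113.5'" \
  "006 #4: \"xauth-psk\"[2] 198.51.100.7, username=bob, type=ESP, add_time=1534170000, inBytes=734003200, outBytes=367001600, id='198.51.100.7'")

# usage: per_user_bytes "<trafficstatus output>"
# Prints one "user total_bytes" line per username, summing inBytes+outBytes
# across every live SA that carries that username.
per_user_bytes() {
    printf '%s\n' "$1" | awk '
    {
        user = ""; in_b = 0; out_b = 0
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                       # strip trailing comma from key=value
            if (f ~ /^username=/)      { user  = substr(f, 10) }
            else if (f ~ /^inBytes=/)  { in_b  = substr(f, 9) + 0 }
            else if (f ~ /^outBytes=/) { out_b = substr(f, 10) + 0 }
        }
        if (user != "") total[user] += in_b + out_b
    }
    END { for (u in total) printf "%s %d\n", u, total[u] }' | sort
}

# usage: over_quota "<trafficstatus output>" quota_bytes
# Prints the usernames whose live (not yet updown-reported) traffic exceeds the quota.
over_quota() {
    per_user_bytes "$1" | awk -v q="$2" '$2 > q { print $1 }'
}

# Report current usage and anyone past a 1 GiB quota.
per_user_bytes "$SAMPLE"
over_quota "$SAMPLE" 1073741824
```

On a live host replace `"$SAMPLE"` with `"$(ipsec whack --trafficstatus)"`; the totals only cover SAs that are still up, so a quota scheme still needs the updown-reported counters for completed sessions, as the reply notes.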