Hi Paul

> >> Please use the swan mailing list. I don't scale at internet sizes.

Sorry, typed wrong. I've taken your email from the project site.
(https://libreswan.org/wiki/Support)

> >> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> >> salifetime=
>
> >> The user then has to re-authenticate to continue.
>
> >> For IKEv1, you can use xauthby=pam and create an appropriate
> >> /etc/pam.d/pluto configuration file.
>
> >> For IKEv2, you can set pam-authorize=yes and do something similar.
>
> >> For example, you can use pam with radius or you can use the pam_url
> >> module to run your own REST based API to make custom decisions.
>
> >> Usually however, people limit the users by amount of traffic, not by
> >> amount of time. The updown scripts log the traffic and can be modified
> >> to report the traffic to a monitor/audit server for keeping count.
> >> For existing connections, "ipsec whack --trafficstatus" shows all
> >> connections/users and their currently used traffic (that has not yet
> >> been reported via updown since the connection is still up)

Thanks for your help.
Where are these parameters?
pam-authorize
salifetime
ikelifetime

I have a request for you, and I hope you do not refuse it.
I'm really tired of trying hard.
I'll give you a raw server. Can you start the IPSec and ikev2 with pam_radius_auth service on my server?
I really need your help and cooperation.
Thank you very much

> On Aug 13, 2018, at 9:24 PM, Paul Wouters <[email protected]> wrote:
>
>> On Mon, 13 Aug 2018, Peyman Ghorbani wrote:
>>
>> First thank you for taking the time and reading my letter.
>> I found your email address from Google.
>
> Please use the swan mailing list. I don't scale at internet sizes.
>
>> I'll start talking very quickly.
>> I was able to launch the IPSec Cisco service on my VPS by following the
>> link below.
>> https://github.com/hwdsl2/setup-ipsec-vpn
>> Very convenient and fast in less than a few minutes, my quality service was
>> delivered. But now I have a problem.
>> This Shell script has provided me with just one account (Username/password
>> and IPSec PSK) without any limitations.
>> I need to set a time limit for accounts.
>> In short, I want this service to be connected to the accounting via PAM
>> RADIUS.
>
> You can set IPsec SA and IKE SA time limits via ikelifetime= and
> salifetime=
>
> The user then has to re-authenticate to continue.
>
> For IKEv1, you can use xauthby=pam and create an appropriate
> /etc/pam.d/pluto configuration file.
>
> For IKEv2, you can set pam-authorize=yes and do something similar.
>
> For example, you can use pam with radius or you can use the pam_url
> module to run your own REST based API to make custom decisions.
>
> Usually however, people limit the users by amount of traffic, not by
> amount of time. The updown scripts log the traffic and can be modified
> to report the traffic to a monitor/audit server for keeping count.
> For existing connections, "ipsec whack --trafficstatus" shows all
> connections/users and their currently used traffic (that has not yet
> been reported via updown since the connection is still up)
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
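An added example, not part of the original thread and not libreswan's own code: one way to keep the per-user traffic count mentioned in the reply, by parsing "ipsec whack --trafficstatus" output for connections that are still up. The line layout (username=, id=, inBytes=, outBytes=) and the sample lines are assumptions constructed for this sketch; totals already reported by the updown scripts for closed connections would have to be added separately.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec whack --trafficstatus` output. The field layout
# is an assumption; check it against your libreswan version before relying on it.
SAMPLE = """\
006 #2: "xauth-psk"[1] 198.51.100.7, username=alice, type=ESP, add_time=1534190000, inBytes=73400320, outBytes=524288000, lease=192.168.43.10/32
006 #4: "xauth-psk"[2] 203.0.113.9, username=bob, type=ESP, add_time=1534190500, inBytes=1048576, outBytes=2097152, lease=192.168.43.11/32
006 #6: "xauth-psk"[3] 198.51.100.8, username=alice, type=ESP, add_time=1534191000, inBytes=10485760, outBytes=20971520, lease=192.168.43.12/32
006 #8: "ikev2-cp"[1] 203.0.113.20, type=ESP, add_time=1534191200, inBytes=4096, outBytes=8192, id='@carol', lease=192.168.43.13/32
"""

LINE_RE = re.compile(r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)"')
# key=value pairs; quoted values (IKE ids) may contain commas and spaces.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,\s]+)")

def parse_trafficstatus(text):
    """Yield one dict per IPsec SA line; skip lines that do not parse."""
    for line in text.splitlines():
        head = LINE_RE.match(line)
        if not head:
            continue
        fields = {k: v.strip("'") for k, v in FIELD_RE.findall(line[head.end():])}
        try:
            used = int(fields["inBytes"]) + int(fields["outBytes"])
        except (KeyError, ValueError):
            continue  # missing or malformed counters: ignore rather than guess
        # XAUTH (IKEv1) users carry username=; IKEv2 peers are keyed by IKE id.
        user = fields.get("username") or fields.get("id") or head["conn"]
        yield {"sa": int(head["sa"]), "conn": head["conn"], "user": user, "bytes": used}

def usage_by_user(text):
    """Sum in+out bytes over all live SAs belonging to the same user."""
    totals = defaultdict(int)
    for sa in parse_trafficstatus(text):
        totals[sa["user"]] += sa["bytes"]
    return dict(totals)

def over_quota(text, quota_bytes):
    """Return the sorted list of users whose live traffic exceeds the quota."""
    return sorted(u for u, b in usage_by_user(text).items() if b > quota_bytes)

if __name__ == "__main__":
    for user, used in sorted(usage_by_user(SAMPLE).items()):
        print(f"{user:10s} {used / 2**20:8.1f} MiB")
    print("over 500 MiB:", over_quota(SAMPLE, 500 * 2**20))
```
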
