sergeymakinen / ipsec_exporter
Export strongswan/libreswan IPsec stats to Prometheus
License: BSD 3-Clause "New" or "Revised" License
Hi
I used libreswan, and may I have the dial-up username?
Thank you
From exporter metrics
# TYPE ipsec_ike_sa_state gauge
ipsec_ike_sa_state{local_host="10.1.0.2",local_id="35.XX.14.204,MS+XS+S=C",name="xauth-psk[21]",remote_host="122.117.XX.85",remote_id="+MC+XC+S=C",remote_identity="",uid="95",version="1",vips=""} 6
ipsec_ike_sa_state{local_host="10.1.0.2",local_id="35.XX.14.204,MS+XS+S=C",name="xauth-psk[22]",remote_host="123.210.XX.40",remote_id="+MC+XC+S=C",remote_identity="",uid="96",version="1",vips=""} 6
From ipsec status
000 #6: "l2tp-psk"[1] 74.82.XX.36:47274 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #85: "l2tp-psk"[2] 118.193.XX.201:65282 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #93: "xauth-psk"[21] 122.117.XX.85:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23505s; newest; eroute owner; ISAKMP SA #83; idle;
000 #93: "xauth-psk"[21] 122.117.XX.85 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=623MB ESPout=10062MB ESPmax=4194303B username=user1
000 #95: "xauth-psk"[21] 122.117.XX.85:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68211s; newest; lastdpd=18s(seq in:24172 out:0); idle;
000 #94: "xauth-psk"[22] 123.240.XX.40:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23523s; newest; eroute owner; ISAKMP SA #84; idle;
000 #94: "xauth-psk"[22] 123.240.XX.40 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=0B ESPout=0B ESPmax=4194303B username=user2
000 #96: "xauth-psk"[22] 123.240.XX.40:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68218s; newest; lastdpd=24s(seq in:19875 out:0); idle;
If I understand it correctly, UIDs in libreswan are generated dynamically and are always changing.
If this is true, including UIDs in metrics, like this:
ipsec_child_sa_state{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 17
ipsec_child_sa_bytes_out{ike_sa_local_host="xxxx",ike_sa_local_id="",ike_sa_name="xxxx",ike_sa_remote_host="xxxx",ike_sa_remote_id="",ike_sa_remote_identity="",ike_sa_uid="2970",ike_sa_version="1",ike_sa_vips="",local_ts="xxxx",mode="TUNNEL",name="xxxx",protocol="ESP",remote_ts="xxxx",reqid="",uid="2961"} 4096
ipsec_ike_sa_state{local_host="xxxx",local_id="",name="xxxx",remote_host="xxxx",remote_id="",remote_identity="",uid="2953",version="1",vips=""} 7
is a bad practice since it will cause an unbounded number of unique prometheus time series, as described in https://prometheus.io/docs/practices/naming/ :
Remember that every unique combination of key-value label pairs represents a new time series, which can dramatically increase the amount of data stored. Do not use labels to store dimensions with high cardinality (many different label values), such as user IDs, email addresses, or other unbounded sets of values.
Because of this, there should be no label where the value of the label does not come from the configuration file, or is not a fixed value.
So the labels I don't really understand are:
We have a quite complicated setup, with multiple tunnels per tunnel endpoint pair. Our own subnet is always the same, but the other subnet is unique (of course, otherwise the routing would not work).
It seems the exporter's data model does not handle this at all, because only the first tunnels for a given endpoint pair show up.
(Libreswan 3.32 on Ubuntu 22.04)
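The two posts above raise the same data-model question from different sides: the libreswan state number (exposed as `uid`) and the dial-up `username` are regenerated on every reconnect, so they are unbounded label values, while several tunnels can share one endpoint pair, so the endpoint pair alone cannot identify a series. The following Go program is an added example, not code from ipsec_exporter, showing one way to parse `ipsec status` lines of the shape quoted earlier and fold them into series whose only labels are the connection name (which comes from ipsec.conf) and the state name (a fixed enumeration). The sample input is constructed (RFC 5737 addresses, placeholder SPI fields); the `SA` type, the `example_ipsec_*` metric names and the assumption that libreswan's `KB`/`MB`/`GB` suffixes are powers of 1024 are this example's own, not the exporter's. The username is parsed, so it is available for logging, but deliberately never becomes a label.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of libreswan `ipsec status` output in the shape quoted in
// the thread (RFC 5737 addresses; SPI fields replaced by placeholders).
const sampleStatus = `000 #6: "l2tp-psk"[1] 192.0.2.36:47274 STATE_MAIN_R0 (expecting Main Mode request); nodpd; idle;
000 #93: "xauth-psk"[21] 198.51.100.85:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23505s; newest; eroute owner; ISAKMP SA #83; idle;
000 #93: "xauth-psk"[21] 198.51.100.85 esp.0@198.51.100.85 esp.0@10.1.0.2 Traffic: ESPin=623MB ESPout=10062MB ESPmax=4194303B username=user1
000 #95: "xauth-psk"[21] 198.51.100.85:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68211s; newest; lastdpd=18s(seq in:24172 out:0); idle;
000 #94: "xauth-psk"[22] 198.51.100.40:4500 STATE_QUICK_R2 (IPsec SA established); EXPIRE in 23523s; newest; eroute owner; ISAKMP SA #84; idle;
000 #94: "xauth-psk"[22] 198.51.100.40 esp.0@198.51.100.40 esp.0@10.1.0.2 Traffic: ESPin=0B ESPout=0B ESPmax=4194303B username=user2
000 #96: "xauth-psk"[22] 198.51.100.40:4500 STATE_MAIN_R3 (IKE SA established); EXPIRE in 68218s; newest; lastdpd=24s(seq in:19875 out:0); idle;
`

// SA is one libreswan state (#N). Num, Instance, Remote and Username change on
// every reconnect, so they are kept for logging but never become labels.
// (Type defined by this example, not by the exporter.)
type SA struct {
	Num, Instance     int
	Conn, Remote      string
	State, Username   string
	BytesIn, BytesOut uint64
}

var (
	stateRe   = regexp.MustCompile(`^000 #(\d+): "([^"]+)"(?:\[(\d+)\])? (\S+?)(?::\d+)? (STATE_\S+) \(`)
	trafficRe = regexp.MustCompile(`^000 #(\d+): "([^"]+)"(?:\[(\d+)\])? .*Traffic: ESPin=(\S+) ESPout=(\S+)(?: ESPmax=\S+)?(?: username=(\S+))?`)
	sizeRe    = regexp.MustCompile(`^(\d+)([KMG]?)B$`)
)

// ParseSize converts libreswan's human-readable byte counts ("623MB") to bytes.
// Assumption of this example: the suffixes are powers of 1024.
func ParseSize(s string) (uint64, error) {
	m := sizeRe.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("bad size %q", s)
	}
	n, _ := strconv.ParseUint(m[1], 10, 64)
	mult := map[string]uint64{"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
	return n * mult[m[2]], nil
}

// ParseStatus merges the state line and the Traffic line that share one state
// number into a single SA, whatever order they appear in.
func ParseStatus(text string) []SA {
	byNum := map[int]*SA{}
	get := func(num, conn, inst string) *SA {
		n, _ := strconv.Atoi(num)
		sa, ok := byNum[n]
		if !ok {
			i, _ := strconv.Atoi(inst) // instance may be absent -> 0
			sa = &SA{Num: n, Conn: conn, Instance: i}
			byNum[n] = sa
		}
		return sa
	}
	for _, line := range strings.Split(text, "\n") {
		if m := stateRe.FindStringSubmatch(line); m != nil {
			sa := get(m[1], m[2], m[3])
			sa.Remote, sa.State = m[4], m[5]
		} else if m := trafficRe.FindStringSubmatch(line); m != nil {
			sa := get(m[1], m[2], m[3])
			sa.BytesIn, _ = ParseSize(m[4])
			sa.BytesOut, _ = ParseSize(m[5])
			sa.Username = m[6]
		}
	}
	out := make([]SA, 0, len(byNum))
	for _, sa := range byNum {
		out = append(out, *sa)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Num < out[j].Num })
	return out
}

// SeriesKey holds only bounded labels: the connection name (from ipsec.conf)
// and the state name (a fixed enumeration). Keying on the connection name
// rather than the endpoint pair also keeps two tunnels between the same hosts
// apart, as long as each is its own conn.
type SeriesKey struct{ Conn, State string }

// Aggregate folds the per-state rows into bounded series: SA counts per
// (conn, state) and traffic totals per conn.
func Aggregate(sas []SA) (count map[SeriesKey]int, bytesIn, bytesOut map[string]uint64) {
	count = map[SeriesKey]int{}
	bytesIn, bytesOut = map[string]uint64{}, map[string]uint64{}
	for _, sa := range sas {
		if sa.State != "" {
			count[SeriesKey{sa.Conn, sa.State}]++
		}
		bytesIn[sa.Conn] += sa.BytesIn
		bytesOut[sa.Conn] += sa.BytesOut
	}
	return count, bytesIn, bytesOut
}

// Render emits the bounded series in Prometheus exposition format. The metric
// names are illustrative, not the exporter's.
func Render(sas []SA) []string {
	count, in, out := Aggregate(sas)
	var lines []string
	for k, v := range count {
		lines = append(lines, fmt.Sprintf(`example_ipsec_sa_count{name=%q,state=%q} %d`, k.Conn, k.State, v))
	}
	for conn := range in {
		lines = append(lines, fmt.Sprintf(`example_ipsec_bytes_in_total{name=%q} %d`, conn, in[conn]))
		lines = append(lines, fmt.Sprintf(`example_ipsec_bytes_out_total{name=%q} %d`, conn, out[conn]))
	}
	sort.Strings(lines)
	return lines
}

func main() {
	for _, l := range Render(ParseStatus(sampleStatus)) {
		fmt.Println(l)
	}
}
```

On the sample above this yields seven series (three SA-count series and in/out totals for two connections), and that number stays the same no matter how many clients reconnect or log in, which is the property the cardinality post asks for.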
Hi, how do you configure it? Can you post some sample configurations you use? I don't know how to start the configuration. Thank you very much.
[root@localhost:~]#ipsec --help
Usage: ipsec {command} [argument] ...>
where {command} is one of:
start stop
restart status
trafficstatus globalstatus
shuntstatus import
initnss checknss
checknflog addconn
algparse auto
barf cavp
enumcheck eroute
klipsdebug look
newhostkey pf_key
pluto readwriteconf
rsasigkey setup
show showhostkey
spi spigrp
tncfg verify
whack
See also: man ipsec <command> or ipsec <command> --help
See <https://libreswan.org/> for more general info.
Linux Libreswan 3.25 (netkey) on 3.10.0-1160.el7.x86_64
Hi
I tried your exporter to get metrics out of https://github.com/hwdsl2/docker-ipsec-vpn-server which is libreswan, I assume. I only use it for IKEv2.
I do not have the ipsec statusall command:
bash-5.1# ipsec statusall
/usr/local/sbin/ipsec: unknown IPsec command "statusall" ("ipsec --help" for list)
I tried it with ipsec globalstatus, but I get only half of the metrics:
bash-5.1# curl localhost:9903/metrics | grep ipsec_
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7302 0 7302 0 0 1380k 0 --:--:-- --:--:-- --:--:-- 1426k
# HELP ipsec_active_workers Number of threads processing jobs.
# TYPE ipsec_active_workers gauge
ipsec_active_workers 0
# HELP ipsec_exporter_build_info A metric with a constant '1' value labeled by version, revision, branch, and goversion from which ipsec_exporter was built.
# TYPE ipsec_exporter_build_info gauge
ipsec_exporter_build_info{branch="HEAD",goversion="go1.16.7",revision="67ba91cdd5486a75e290d155747d43a6070ceb1a",version="1.0.0-beta.0"} 1
# HELP ipsec_half_open_ike_sas Number of IKE SAs in half-open state.
# TYPE ipsec_half_open_ike_sas gauge
ipsec_half_open_ike_sas 0
# HELP ipsec_idle_workers Number of idle worker threads.
# TYPE ipsec_idle_workers gauge
ipsec_idle_workers 0
# HELP ipsec_ike_sas Number of currently registered IKE SAs.
# TYPE ipsec_ike_sas gauge
ipsec_ike_sas 0
# HELP ipsec_queues Number of queued jobs.
# TYPE ipsec_queues gauge
ipsec_queues{priority="critical"} 0
ipsec_queues{priority="high"} 0
ipsec_queues{priority="low"} 0
ipsec_queues{priority="medium"} 0
# HELP ipsec_up Was the last scrape successful.
# TYPE ipsec_up gauge
ipsec_up 1
# HELP ipsec_workers_total Number of worker threads.
# TYPE ipsec_workers_total gauge
ipsec_workers_total 0
Those are my current processes:
bash-5.1# ps aux
PID USER TIME COMMAND
1 root 0:00 /usr/sbin/xl2tpd -D -c /etc/xl2tpd/xl2tpd.conf
120 root 0:01 /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf
1339 root 0:00 bash
2018 root 0:00 ./ipsec_exporter --collector=ipsec --ipsec.command=ipsec globalstatus
2037 root 0:00 ps aux
I'd put the ipsec.command into double quotes; no idea why the process list is not showing them.