dioss-Machiel/ipsec_exporter


IPsec Exporter


Export strongswan/libreswan IPsec stats to Prometheus.

To run it:

make
./ipsec_exporter [flags]

Exported metrics

Exported for both strongswan/libreswan

| Metric | Meaning | Labels |
|---|---|---|
| ipsec_up | Was the last scrape successful. | |
| ipsec_ike_sas | Number of currently registered IKE SAs. | |
| ipsec_half_open_ike_sas | Number of IKE SAs in half-open state. | |
| ipsec_ike_sa_state | IKE SA state. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_state | Child SA state. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |

Additionally exported for strongswan-only

| Metric | Meaning | Labels |
|---|---|---|
| ipsec_uptime_seconds | Number of seconds since the daemon started. | |
| ipsec_workers_total | Number of worker threads. | |
| ipsec_idle_workers | Number of idle worker threads. | |
| ipsec_active_workers | Number of threads processing jobs. | |
| ipsec_queues | Number of queued jobs. | priority |
| ipsec_pool_ips_total | Number of addresses in the pool. | name, address |
| ipsec_online_pool_ips | Number of leases online. | name, address |
| ipsec_offline_pool_ips | Number of leases offline. | name, address |
| ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |

strongswan state mapping

IKE SA

Name State value
CREATED 0
CONNECTING 1
ESTABLISHED 2
PASSIVE 3
REKEYING 4
REKEYED 5
DELETING 6
DESTROYING 7

Child SA

Name State value
CREATED 0
ROUTED 1
INSTALLING 2
INSTALLED 3
UPDATING 4
REKEYING 5
REKEYED 6
RETRYING 7
DELETING 8
DELETED 9
DESTROYING 10
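
The following is an added example, not part of the project's code: a Go check that reads the exporter's text output and uses the strongswan mapping above to list every IKE or child SA that is not ESTABLISHED or INSTALLED. The `Unhealthy` function, the sample scrape (abridged labels) and the policy of treating only those two states as healthy are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// strongswan state names, indexed by exported value (tables above).
var ikeStates = []string{"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "REKEYED", "DELETING", "DESTROYING"}
var childStates = []string{"CREATED", "ROUTED", "INSTALLING", "INSTALLED", "UPDATING", "REKEYING", "REKEYED", "RETRYING", "DELETING", "DELETED", "DESTROYING"}
var lineRe = regexp.MustCompile(`^ipsec_(ike|child)_sa_state\{(.*)\}\s+(\S+)`)
var labelRe = regexp.MustCompile(`(\w+)="((?:[^"\\]|\\.)*)"`)

// Constructed sample scrape with an abridged label set.
const sample = `ipsec_ike_sa_state{name="site-a",uid="1",remote_id="C=CH, O=Example, CN=gw-a"} 2
ipsec_ike_sa_state{name="site-b",uid="2",remote_id="gw-b.example.net"} 1
ipsec_child_sa_state{ike_sa_name="site-a",name="net-a",uid="3"} 3
ipsec_child_sa_state{ike_sa_name="site-a",name="net-b",uid="4"} 1
`

// Unhealthy lists SAs not ESTABLISHED (IKE) or INSTALLED (child); that policy is this example's assumption.
func Unhealthy(exposition string) []string {
	var out []string
	for _, line := range strings.Split(exposition, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // comments, blank lines, other metrics
		}
		names, want := ikeStates, "ESTABLISHED"
		if m[1] == "child" {
			names, want = childStates, "INSTALLED"
		}
		labels := map[string]string{}
		for _, l := range labelRe.FindAllStringSubmatch(m[2], -1) {
			labels[l[1]] = l[2]
		}
		state := "UNKNOWN" // value outside the documented mapping
		if v, err := strconv.ParseFloat(m[3], 64); err == nil && v >= 0 && v < float64(len(names)) {
			state = names[int(v)]
		}
		if state != want {
			out = append(out, fmt.Sprintf("%s %s uid=%s %s", m[1], labels["name"], labels["uid"], state))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(Unhealthy(sample), "\n")) }
```

Rekeying states are reported too, so an alert built on this check would normally require the condition to persist across several scrapes.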

libreswan state mapping

Name State value
STATE_MAIN_R0 0
STATE_MAIN_I1 1
STATE_MAIN_R1 2
STATE_MAIN_I2 3
STATE_MAIN_R2 4
STATE_MAIN_I3 5
STATE_MAIN_R3 6
STATE_MAIN_I4 7
STATE_AGGR_R0 8
STATE_AGGR_I1 9
STATE_AGGR_R1 10
STATE_AGGR_I2 11
STATE_AGGR_R2 12
STATE_QUICK_R0 13
STATE_QUICK_I1 14
STATE_QUICK_R1 15
STATE_QUICK_I2 16
STATE_QUICK_R2 17
STATE_INFO 18
STATE_INFO_PROTECTED 19
STATE_XAUTH_R0 20
STATE_XAUTH_R1 21
STATE_MODE_CFG_R0 22
STATE_MODE_CFG_R1 23
STATE_MODE_CFG_R2 24
STATE_MODE_CFG_I1 25
STATE_XAUTH_I0 26
STATE_XAUTH_I1 27
STATE_V2_PARENT_I0 29
STATE_V2_PARENT_I1 30
STATE_V2_PARENT_I2 31
STATE_V2_PARENT_R0 32
STATE_V2_PARENT_R1 33
STATE_V2_IKE_AUTH_CHILD_I0 34
STATE_V2_IKE_AUTH_CHILD_R0 35
STATE_V2_NEW_CHILD_I0 36
STATE_V2_NEW_CHILD_I1 37
STATE_V2_REKEY_IKE_I0 38
STATE_V2_REKEY_IKE_I1 39
STATE_V2_REKEY_CHILD_I0 40
STATE_V2_REKEY_CHILD_I1 41
STATE_V2_NEW_CHILD_R0 42
STATE_V2_REKEY_IKE_R0 43
STATE_V2_REKEY_CHILD_R0 44
STATE_V2_ESTABLISHED_IKE_SA 45
STATE_V2_ESTABLISHED_CHILD_SA 46
STATE_V2_IKE_SA_DELETE 47
STATE_V2_CHILD_SA_DELETE 48

Flags

./ipsec_exporter --help
  • vici.address: VICI socket address. Example: unix:///var/run/charon.vici or tcp://127.0.0.1:4502.
  • vici.timeout: VICI socket connect timeout.
  • collector: Collector type to scrape metrics with. vici or ipsec.
  • ipsec.command: Command used to scrape IPsec metrics when the collector is set to ipsec. ipsec statusall by default. To use with libreswan, set to ipsec status.
  • web.listen-address: Address to listen on for web interface and telemetry.
  • web.telemetry-path: Path under which to expose metrics.
  • log.level: Logging level. info by default.
  • log.format: Set the log target and format. Example: logger:syslog?appname=bob&local=7 or logger:stdout?json=true.

TLS and basic authentication

The ipsec_exporter supports TLS and basic authentication. To use TLS and/or basic authentication, you need to pass a configuration file using the --web.config.file parameter. The format of the file is described in the exporter-toolkit repository.
