
support for multiple tunnel instances

Open kruftik opened this issue 4 years ago • 3 comments

Add support for multiple CHILD_SA (IPsec) instances.

kruftik avatar Feb 14 '21 12:02 kruftik

@dennisstritzke , could you see the PR?

kruftik avatar Feb 18 '21 05:02 kruftik

Thank you for contributing.

Could you please

  • remove all the code formatting and whitespace changes?
  • describe your changes in plain language so the review is much easier (esp. why you made the changes and how)

dennisstritzke avatar Feb 22 '21 08:02 dennisstritzke

@dennisstritzke,

We have an IKEv2 site-to-site tunnel between a strongSwan-powered endpoint and a proprietary one. Both peers have multiple networks behind them. While the strongSwan side configuration via ipsec.conf is pretty straightforward (leftsubnet contains a comma-separated subnet list), the other endpoint does not support multiple CIDRs in a single connection (we use a Checkpoint device on that side), in neither IKEv2 nor IKEv1 mode.

That's why we configure strongSwan in such a manner:

conn peer-to-peer
...
    left=%defaultroute
    leftid=A.A.A.A
    leftsubnet=cidr11, cidr12, cidr13, ..
    right=B.B.B.B
...
conn peer-to-peer-0
    also=peer-to-peer
    rightsubnet=cidr21
conn peer-to-peer-1
    also=peer-to-peer
    rightsubnet=cidr22

(There is a parent connection with all the left networks configured and multiple child connections with only one right subnet configured in each one.)

It results in multiple peer-to-peer-0, peer-to-peer-1, .. connection instances in the ipsec statusall output with different IDs (an example is given in a test case: https://github.com/dennisstritzke/ipsec_exporter/pull/31/files#diff-443c41e5b3b54fa01b3d29fdb1db07b04711c18f8653cf7cc6d20d5ee2c64248R124). Since ipsec-exporter does not expect such a situation out of the box, it uses only the 1st instance's statistics (wrt bytes and packets) for the tunnel and gives completely wrong metrics.

The described case is supported by the reworked ipsec statusall output parsing logic:

  • The exporter code now collects the connection metrics for all the instances.
  • In order not to increase the number of regex passes through the statusall command output, and to collect each and every required match in a single pass, a slightly more complex regular expression is used. This matters especially because, as testing of the PR changes showed, statusall output might not contain byte counters in some cases for input and/or output traffic.

As far as the 1st point is concerned, I'll try to tidy up the PR changes.

kruftik avatar Feb 22 '21 11:02 kruftik
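The failure mode described in this thread, as an added example that is not part of the issue, the PR or the ipsec_exporter code base: the Go program below parses constructed `ipsec statusall` lines modelled on strongSwan's output format, sums the byte and packet counters over every CHILD_SA instance (the `name{n}` lines) of a connection instead of keeping only the first one, and still matches in a single regex pass when a line carries only a `bytes_i` counter, only a `bytes_o` counter, or counters without a `pkts` part. The connection names, SPIs and counter values in the sample are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ChildSAStats aggregates traffic counters over every CHILD_SA instance
// ("name{n}" lines) that belongs to one connection name.
type ChildSAStats struct {
	Instances  int
	BytesIn    uint64
	PacketsIn  uint64
	BytesOut   uint64
	PacketsOut uint64
}

// trafficLine matches the per-instance traffic line in one pass. Both counter
// groups and both "pkts" sub-groups are optional, so a line that lacks the
// inbound or the outbound counter (or reports "0 bytes_o" with no pkts part)
// still matches and the missing values are read as zero.
var trafficLine = regexp.MustCompile(
	`^(?P<conn>[^\s{]+)\{\d+\}:\s+[^,]+` +
		`(?:,\s+(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts[^)]*\))?)?` +
		`(?:,\s+(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts[^)]*\))?)?`)

// Constructed sample modelled on strongSwan's `ipsec statusall` output
// (hypothetical names, SPIs and counters). peer-to-peer-0 has two CHILD_SA
// instances, and peer-to-peer-1{8} reports only an outbound counter.
const sampleStatusAll = `Security Associations (2 up, 0 connecting):
peer-to-peer-0[3]: ESTABLISHED 2 hours ago, A.A.A.A[A.A.A.A]...B.B.B.B[B.B.B.B]
peer-to-peer-0{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
peer-to-peer-0{5}:  AES_CBC_128/HMAC_SHA2_256_128, 1200 bytes_i (10 pkts, 5s ago), 3400 bytes_o (20 pkts, 5s ago), rekeying in 40 minutes
peer-to-peer-0{5}:   10.1.1.0/24 === 10.2.1.0/24
peer-to-peer-0{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000003_i c0000004_o
peer-to-peer-0{6}:  AES_CBC_128/HMAC_SHA2_256_128, 800 bytes_i (8 pkts, 9s ago), 0 bytes_o, rekeying in 41 minutes
peer-to-peer-0{6}:   10.1.2.0/24 === 10.2.1.0/24
peer-to-peer-1[4]: ESTABLISHED 2 hours ago, A.A.A.A[A.A.A.A]...B.B.B.B[B.B.B.B]
peer-to-peer-1{7}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000005_i c0000006_o
peer-to-peer-1{7}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
peer-to-peer-1{7}:   10.1.1.0/24 === 10.2.2.0/24
peer-to-peer-1{8}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000007_i c0000008_o
peer-to-peer-1{8}:  AES_CBC_128/HMAC_SHA2_256_128, 500 bytes_o (4 pkts, 1s ago), rekeying in 43 minutes
peer-to-peer-1{8}:   10.1.2.0/24 === 10.2.2.0/24
`

// ParseStatusAll returns per-connection totals summed across all instances.
// A counter that is absent from a line contributes zero.
func ParseStatusAll(output string) map[string]*ChildSAStats {
	stats := make(map[string]*ChildSAStats)
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		// Only the traffic line of an instance carries counters; IKE_SA and
		// "INSTALLED"/subnet lines are skipped.
		if !strings.Contains(line, "bytes_") {
			continue
		}
		m := trafficLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		num := func(group string) uint64 {
			v := m[trafficLine.SubexpIndex(group)]
			if v == "" {
				return 0 // counter not present on this line
			}
			n, _ := strconv.ParseUint(v, 10, 64) // regex guarantees digits
			return n
		}
		conn := m[trafficLine.SubexpIndex("conn")]
		s, ok := stats[conn]
		if !ok {
			s = &ChildSAStats{}
			stats[conn] = s
		}
		s.Instances++
		s.BytesIn += num("bi")
		s.PacketsIn += num("pi")
		s.BytesOut += num("bo")
		s.PacketsOut += num("po")
	}
	return stats
}

func main() {
	for name, s := range ParseStatusAll(sampleStatusAll) {
		fmt.Printf("%s: %d instance(s), %d bytes_i (%d pkts), %d bytes_o (%d pkts)\n",
			name, s.Instances, s.BytesIn, s.PacketsIn, s.BytesOut, s.PacketsOut)
	}
}
```

With the sample above, a first-instance-only parser would report 1200 bytes_i for peer-to-peer-0, whereas the aggregated totals are 2000 bytes_i and 3400 bytes_o over two instances; for peer-to-peer-1 the inbound counter is absent on one line and is read as zero rather than causing the line to be dropped.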