#4 To obtain IPSEC statistics through adminport


To obtain IPSEC statistics through adminport - A means
to obtain the number of bytes/packets per connection
(SPI) which go as encrypted/unencrypted in each
direction - "in", "out", "fwd".

As this may require a kernel patch, this kernel patch and
a suitable interface to obtain this kernel info is to be


  • Aidas Kasparas - 2005-02-15

    Why do you need to do that through adminport?

    You see, en/de-capsulation of data packets into/from ipsec
    packets is a matter of the kernel. Racoon is involved in this
    business only to set the SAs which govern that process. Therefore
    adminport is not an appropriate place to insert that functionality.

    Part of the information you requested is already available:
    1) the number of unencrypted bytes is shown by "setkey -D"
    (accuracy should be checked: when I sent a ping, ping claimed it
    sends 64-byte packets, but that number increased only by 56);
    2) the number of encrypted bytes can be found through iptables
    (you have to select -p esp and optionally the required SPI).
    Yes, I understand that it is tricky to set up such an iptables
    rule in a dynamic environment before packets start going out using
    that SPI.

    By extending the kernel and the setkey utility one could make the number
    of encrypted bytes available at the same place as the number of
    unencrypted bytes. That would require:
    1) counting such bytes in the kernel;
    2) introducing a new payload in PFKEY and filling it in on the kernel side;
    3) teaching setkey to understand that payload.

    As the first two involve the kernel, you would have to supply a
    very good reason for this feature for it to be developed
    and go into the mainline kernel.
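The two sources Aidas points at can be combined today without a kernel change. The script below is an added example, not code from this thread or from ipsec-tools: it parses a constructed sample of `setkey -D` output into per-SA rows (address pair, SPI, lifetime byte counter, which is the pre-encapsulation count) and then emits one iptables ESP-match accounting rule per SPI whose counters give the on-the-wire totals. `IPSEC_ACCT` is an assumed user-defined chain that the administrator hooks from INPUT and OUTPUT.

```shell
#!/bin/sh
# Constructed sample of `setkey -D` output for two SAs (one per direction),
# trimmed to the lines the parser uses; real output also prints E:/A: key
# lines, which is one reason to keep `setkey -D` restricted to root.
SAMPLE_SETKEY_D='10.0.0.1 10.0.0.2
        esp mode=tunnel spi=123456789(0x075bcd15) reqid=1(0x00000001)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Feb 15 10:00:00 2005   current: Feb 15 10:05:00 2005
        current: 5600(bytes)    hard: 0(bytes)  soft: 0(bytes)
        sadb_seq=1 pid=1234 refcnt=0
10.0.0.2 10.0.0.1
        esp mode=tunnel spi=987654321(0x3ade68b1) reqid=1(0x00000001)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 1120(bytes)    hard: 0(bytes)  soft: 0(bytes)
        sadb_seq=0 pid=1234 refcnt=0'

# sa_table: read `setkey -D` text on stdin and print one line per SA:
#   "<src> <dst> <spi-decimal> <bytes-before-encapsulation>"
sa_table() {
    awk '
        # SA header "src dst"; NAT-T SAs show "src[port] dst[port]"
        /^[0-9a-fA-F.:]+(\[[^ ]*\])? [0-9a-fA-F.:]+(\[[^ ]*\])?$/ {
            src = $1; dst = $2; sub(/\[.*/, "", src); sub(/\[.*/, "", dst)
        }
        # "esp mode=... spi=<decimal>(0x<hex>) ..." -> keep the decimal SPI
        /^[ \t]*esp(-udp)? / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) { split($i, a, /[=(]/); spi = a[2] }
        }
        # lifetime byte counter line: "current: N(bytes) hard: ... soft: ..."
        /^[ \t]*current: / { sub(/\(bytes\)/, "", $2); print src, dst, spi, $2 }
    '
}

# esp_accounting_rules: turn sa_table rows (stdin) into per-SPI accounting
# rules in the assumed IPSEC_ACCT chain. Each rule only RETURNs, so its
# packet/byte counters (iptables -L IPSEC_ACCT -v -n -x) are the encrypted
# on-the-wire totals for that SA, never a filtering decision.
esp_accounting_rules() {
    while read -r src dst spi _bytes; do
        printf 'iptables -A IPSEC_ACCT -s %s -d %s -p esp -m esp --espspi %s -j RETURN\n' \
            "$src" "$dst" "$spi"
    done
}

# Demo on the constructed sample; on a live host use: setkey -D | sa_table
printf '%s\n' "$SAMPLE_SETKEY_D" | sa_table
printf '%s\n' "$SAMPLE_SETKEY_D" | sa_table | esp_accounting_rules
```

Rules must be re-generated whenever racoon negotiates new SAs (for instance from a cron job or a phase-2 hook), which is the "dynamic environment" caveat Aidas raises.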

  • Timo Teras - 2009-01-16
    • status: open --> closed

  • Timo Teras - 2009-01-16

    Closing all bugs. If this issue has not been cared for please submit a new bug report to issue tracker. Thank you.