Add strongSwan / IPsec application#19857
Closed
lirone wants to merge 1 commit into
New 'strongswan' application: per-connection IPsec metrics (in/out throughput, state, installed child SAs, re-establishment rate) plus global rekey/error counters, collected from strongSwan via a JSON SNMP extend. Works with OPNsense legacy 'Tunnel Settings' (con<N>) and the new 'Connections' model (UUID names) as well as plain Linux strongSwan. Per-SA counters reset on rekey, so the extend emits monotonic cumulative counters for clean DERIVE rates. Includes poller, multi-instance graphs, device app page, docs and test data. The agent-side extend script is a companion PR to librenms/librenms-agent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hey @lirone, why did you close the PR?
I didn't mean to close it — it was resubmitted right after as #19858, which is the live one (companion agent script: librenms/librenms-agent#622).
Thanks for the info. Good idea by the way :)
Add strongSwan / IPsec application (per-connection traffic, state, rekeys)
What this does
Adds a new `strongswan` application that monitors per-connection IPsec metrics from any strongSwan host (OPNsense/pfSense, Linux strongSwan, …) via an SNMP JSON-extend script.

Today LibreNMS can only graph IPsec tunnels for Cisco devices (CISCO-IPSEC-FLOW-MONITOR-MIB). strongSwan exposes nothing comparable over SNMP, so there is no way to see IPsec throughput on the very common OPNsense/strongSwan firewalls. This app fills that gap.

For every IPsec connection it graphs:

Plus daemon-wide counters from `swanctl --counters`: IKE/child rekeys/s and error rates (`invalid`, `invalid SPI`).

Each connection is labelled with its human description (and peer IP) instead of the raw strongSwan connection name, e.g. "Example Partner A (192.0.2.10)".
How it works
- `strongswan` extend script (submitted separately to librenms-agent) is the agent-side JSON SNMP extend: it parses `swanctl --list-sas` and `swanctl --counters` and aggregates per connection.
- `con<N>` connection names, `<phase1>` in config.xml) and the new "Connections" model (UUID connection names, `//OPNsense/Swanctl/Connections/Connection`). On plain Linux strongSwan the connection name is used as-is. The poller stores a name→label map so graphs/UI show meaningful names.
- small state file and emits monotonic cumulative counters, so DERIVE datasets produce clean, gap-free rates instead of spikes at each rekey.
Files
The agent-side extend script is a companion PR to librenms/librenms-agent (`snmp/strongswan`). The app is auto-discovered through the standard JSON-extend mechanism (the snmpd extend must be named `strongswan`, matching the poller file name).

Testing

- `linux_strongswan`) covers a legacy `con<N>` tunnel with traffic, a new-model UUID tunnel, a down tunnel, and global counters. Generated with `./scripts/save-test-data.php --os linux --variant strongswan --modules applications`.
- "Connections" models), polled by LibreNMS 26.5.
Notes / scope
- `$multiplier = 8`.
- The per-tunnel `reestablishes` metric (IKE SA id change between polls) is the per-connection flapping signal. True per-connection DPD counters would require a VICI event listener (a daemon), which is out of scope for an SNMP extend.

- `doc/Extensions/Applications/Strongswan.md`)?
- `tests/snmpsim` + `tests/data`)?
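The description above relies on two mechanisms without showing them: per-SA byte counters that restart at zero on every rekey are folded into monotonic cumulative counters per connection (so DERIVE datasets do not spike), and the `reestablishes` metric is derived from an IKE SA id change between polls. The following is an added example, not the PR's extend script and not code from librenms-agent; it shows one way to implement that folding in Python. The state layout, field and helper names, and the sample polls are constructed assumptions; the `{"version", "error", "errorString", "data"}` envelope is the one LibreNMS JSON-extend applications use.

```python
"""Monotonic per-connection IPsec counters across rekeys.

Added example; not the PR's extend script and not librenms-agent code.
strongSwan counts bytes per CHILD_SA, and a rekey installs a fresh SA whose
counters start at zero, so feeding the raw per-SA value to a DERIVE dataset
spikes at every rekey. Keeping a cumulative total per connection, persisted
between polls, yields a counter that only grows. The state layout, field
names and helper names below are assumptions, not the PR's.
"""
import json

# Shape of the per-connection state carried from one poll to the next.
EMPTY = {"total_in": 0, "total_out": 0, "last": {}, "ike_uniqueid": None, "reestablishes": 0}


def _delta(prev_val, cur_val):
    """Bytes added since the last poll for a single SA.

    A first sighting (prev_val is None) contributes the whole current value;
    a counter that went backwards is treated as a reset, never as a negative.
    """
    if prev_val is None or cur_val < prev_val:
        return cur_val
    return cur_val - prev_val


def accumulate(prev_state, current):
    """Fold one poll into the persisted state.

    prev_state: {conn: EMPTY-shaped dict} saved after the previous poll.
    current:    {conn: {"ike_uniqueid": int,
                        "children": {sa_id: {"bytes_in": int, "bytes_out": int}}}}
    Returns (new_state, metrics); metrics is what the extend would emit.
    """
    new_state, metrics = {}, {}
    for conn in sorted(set(prev_state) | set(current)):
        p = prev_state.get(conn, EMPTY)
        total_in, total_out = p["total_in"], p["total_out"]
        reest, ike_id, last = p["reestablishes"], p["ike_uniqueid"], {}
        sa = current.get(conn)
        if sa is not None:
            for sa_id, c in sa["children"].items():
                seen = p["last"].get(sa_id)  # same SA as last poll, or None
                total_in += _delta(seen["bytes_in"] if seen else None, c["bytes_in"])
                total_out += _delta(seen["bytes_out"] if seen else None, c["bytes_out"])
                last[sa_id] = {"bytes_in": c["bytes_in"], "bytes_out": c["bytes_out"]}
            if ike_id is not None and sa["ike_uniqueid"] != ike_id:
                reest += 1  # IKE SA id changed between polls: re-established
            ike_id = sa["ike_uniqueid"]
        # A connection missing from this poll is down; its totals are kept so
        # the counter does not fall back to zero when the tunnel returns.
        new_state[conn] = {"total_in": total_in, "total_out": total_out, "last": last,
                           "ike_uniqueid": ike_id, "reestablishes": reest}
        metrics[conn] = {"state": "up" if last else "down", "child_sas": len(last),
                         "bytes_in": total_in, "bytes_out": total_out, "reestablishes": reest}
    return new_state, metrics


def extend_json(metrics):
    """Wrap metrics in the envelope LibreNMS JSON-extend applications use."""
    return json.dumps({"version": 1, "error": 0, "errorString": "", "data": metrics}, sort_keys=True)


def run_polls(polls):
    """Replay a sequence of polls from empty state; returns the final metrics."""
    state, metrics = {}, {}
    for poll in polls:
        state, metrics = accumulate(state, poll)
    return metrics


# Constructed sample polls (not captured output), reduced to the fields the
# algorithm needs from `swanctl --list-sas`.
POLLS = [
    {"con1": {"ike_uniqueid": 11,
              "children": {"con1-1#5": {"bytes_in": 1000, "bytes_out": 2000}}}},
    # Child rekey: a new child SA appears with counters restarting near zero.
    {"con1": {"ike_uniqueid": 11,
              "children": {"con1-1#5": {"bytes_in": 1500, "bytes_out": 2600},
                           "con1-1#6": {"bytes_in": 40, "bytes_out": 10}}}},
    # IKE SA re-established: new IKE unique id, the old children are gone.
    {"con1": {"ike_uniqueid": 12,
              "children": {"con1-1#7": {"bytes_in": 5, "bytes_out": 0}}}},
    # Tunnel down: the connection is absent from swanctl output entirely.
    {},
]

if __name__ == "__main__":
    print(extend_json(run_polls(POLLS)))
```

Running the four constructed polls yields `bytes_in` 1545 and `bytes_out` 2610 for `con1` (1000 + 500 + 40 + 5 and 2000 + 600 + 10 + 0) with one re-establishment, and the totals survive the final poll in which the tunnel is down. In a real extend the state would be written to a small file between runs; the one thing this scheme cannot recover is traffic carried by an SA between the last poll and its removal, which is the same gap the raw counters have.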