README
¶
IPsec Exporter
Export strongswan/libreswan IPsec stats to Prometheus.
To run it:
make
./ipsec_exporter [flags]
Exported metrics
Exported for both strongswan/libreswan
| Metric | Meaning | Labels |
|---|---|---|
| ipsec_up | Was the last scrape successful. | |
| ipsec_ike_sas | Number of currently registered IKE SAs. | |
| ipsec_half_open_ike_sas | Number of IKE SAs in half-open state. | |
| ipsec_ike_sa_state | IKE SA state. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_state | Child SA state. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
Additionally exported for strongswan-only
| Metric | Meaning | Labels |
|---|---|---|
| ipsec_uptime_seconds | Number of seconds since the daemon started. | |
| ipsec_workers_total | Number of worker threads. | |
| ipsec_idle_workers | Number of idle worker threads. | |
| ipsec_active_workers | Number of threads processing jobs. | |
| ipsec_queues | Number of queued jobs. | priority |
| ipsec_pool_ips_total | Number of addresses in the pool. | name, address |
| ipsec_online_pool_ips | Number of leases online. | name, address |
| ipsec_offline_pool_ips | Number of leases offline. | name, address |
| ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
strongswan state mapping
IKE SA
| Name | State value |
|---|---|
| CREATED | 0 |
| CONNECTING | 1 |
| ESTABLISHED | 2 |
| PASSIVE | 3 |
| REKEYING | 4 |
| REKEYED | 5 |
| DELETING | 6 |
| DESTROYING | 7 |
Child SA
| Name | State value |
|---|---|
| CREATED | 0 |
| ROUTED | 1 |
| INSTALLING | 2 |
| INSTALLED | 3 |
| UPDATING | 4 |
| REKEYING | 5 |
| REKEYED | 6 |
| RETRYING | 7 |
| DELETING | 8 |
| DELETED | 9 |
| DESTROYING | 10 |
libreswan state mapping
| Name | State value |
|---|---|
| STATE_MAIN_R0 | 0 |
| STATE_MAIN_I1 | 1 |
| STATE_MAIN_R1 | 2 |
| STATE_MAIN_I2 | 3 |
| STATE_MAIN_R2 | 4 |
| STATE_MAIN_I3 | 5 |
| STATE_MAIN_R3 | 6 |
| STATE_MAIN_I4 | 7 |
| STATE_AGGR_R0 | 8 |
| STATE_AGGR_I1 | 9 |
| STATE_AGGR_R1 | 10 |
| STATE_AGGR_I2 | 11 |
| STATE_AGGR_R2 | 12 |
| STATE_QUICK_R0 | 13 |
| STATE_QUICK_I1 | 14 |
| STATE_QUICK_R1 | 15 |
| STATE_QUICK_I2 | 16 |
| STATE_QUICK_R2 | 17 |
| STATE_INFO | 18 |
| STATE_INFO_PROTECTED | 19 |
| STATE_XAUTH_R0 | 20 |
| STATE_XAUTH_R1 | 21 |
| STATE_MODE_CFG_R0 | 22 |
| STATE_MODE_CFG_R1 | 23 |
| STATE_MODE_CFG_R2 | 24 |
| STATE_MODE_CFG_I1 | 25 |
| STATE_XAUTH_I0 | 26 |
| STATE_XAUTH_I1 | 27 |
| STATE_V2_PARENT_I0 | 29 |
| STATE_V2_PARENT_I1 | 30 |
| STATE_V2_PARENT_I2 | 31 |
| STATE_V2_PARENT_R0 | 32 |
| STATE_V2_PARENT_R1 | 33 |
| STATE_V2_IKE_AUTH_CHILD_I0 | 34 |
| STATE_V2_IKE_AUTH_CHILD_R0 | 35 |
| STATE_V2_NEW_CHILD_I0 | 36 |
| STATE_V2_NEW_CHILD_I1 | 37 |
| STATE_V2_REKEY_IKE_I0 | 38 |
| STATE_V2_REKEY_IKE_I1 | 39 |
| STATE_V2_REKEY_CHILD_I0 | 40 |
| STATE_V2_REKEY_CHILD_I1 | 41 |
| STATE_V2_NEW_CHILD_R0 | 42 |
| STATE_V2_REKEY_IKE_R0 | 43 |
| STATE_V2_REKEY_CHILD_R0 | 44 |
| STATE_V2_ESTABLISHED_IKE_SA | 45 |
| STATE_V2_ESTABLISHED_CHILD_SA | 46 |
| STATE_V2_IKE_SA_DELETE | 47 |
| STATE_V2_CHILD_SA_DELETE | 48 |
Flags
./ipsec_exporter --help
vici.address: VICI socket address. Example:unix:///var/run/charon.viciortcp://127.0.0.1:4502.vici.timeout: VICI socket connect timeout.collector: Collector type to scrape metrics with.vicioripsec.ipsec.command: Command to scrape IPsec metrics when the collector is configured to anipsecbinary.ipsec statusallby default. To use with libreswan, set toipsec status.web.listen-address: Address to listen on for web interface and telemetry.web.telemetry-path: Path under which to expose metrics.log.level: Logging level.infoby default.log.format: Set the log target and format. Example:logger:syslog?appname=bob&local=7orlogger:stdout?json=true.
TLS and basic authentication
The ipsec_exporter supports TLS and basic authentication.
To use TLS and/or basic authentication, you need to pass a configuration file
using the --web.config.file parameter. The format of the file is described
in the exporter-toolkit repository.
Documentation
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
ourlog
ourlog wraps and sets up the promlog instance for the application
|
ourlog wraps and sets up the promlog instance for the application |
|
pkg
|
|
|
exporter
Package exporter provides a collector for strongswan/libreswan IPsec stats.
|
Package exporter provides a collector for strongswan/libreswan IPsec stats. |
Click to show internal directories.
Click to hide internal directories.