counters Plugin

Purpose

The counters plugin for libcharon collects and provides several IKE statistics counters. The counter values can be queried or reset (globally or per connection name) via the swanctl --counters subcommand.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-counters

Available Counters

Counters are collected globally and per connection name. However, the latter category has some limitations e.g. if the initially selected connection is switched due to the authentication method or the exchanged identities. In which case e.g. no IKE_SA_INIT messages will be recorded for the name of the second connection. Also some counters will never record connection specific numbers (e.g. the number of messages with invalid IKE SPI).

Identifier Description

ike-rekey-init

Initiated IKE_SA rekeyings

ike-rekey-resp

Responded IKE_SA rekeyings

child-rekey

Completed CHILD_SA rekeyings

invalid

Messages with invalid types, length or an out-of-range value

invalid-spi

Messages with invalid IKE SPI

ike-init-in-req

Received IKE_SA_INIT requests

ike-init-in-resp

Received IKE_SA_INIT responses

ike-init-out-req

Sent IKE_SA_INIT requests

ike-init-out-resp

Sent IKE_SA_INIT responses

ike-auth-in-req

Received IKE_AUTH requests

ike-auth-in-resp

Received IKE_AUTH responses

ike-auth-out-req

Sent IKE_AUTH requests

ike-auth-out-resp

Sent IKE_AUTH responses

create-child-in-req

Received CREATE_CHILD_SA requests

create-child-in-resp

Received CREATE_CHILD_SA responses

create-child-out-req

Sent CREATE_CHILD_SA requests

create-child-out-resp

Sent CREATE_CHILD_SA responses

info-in-req

Received INFORMATIONAL requests

info-in-resp

Received INFORMATIONAL responses

info-out-req

Sent INFORMATIONAL requests

info-out-resp

Sent INFORMATIONAL responses