PIX 501 accounting on remote dial-in ipsec

How can I enable accounting on remote dial-in ipsec users? I just want to record the duration for remote dial-in ipsec connection. Any help will be appreciated.

John Strow

What is a "remote dial-in ipsec user" ?

The PIX's idea of a "dial-in" user is one using PPTP or L2TP rather than IPSec.

If you have made some kind of arrangements with an ISP to provide packet transportation via modem, that ISP transport is transparent to the VPN Client, and so cannot be separately accounted.

You can use "aaa accounting" to try to account a VPN Client, but as best I can tell the results would be somewhat unreliable, as IPSec does not have a nice "I'm done with this complete session" notification -- and especially with people using modems, you cannot count upon the session not dropping before something like that got sent. Unlike direct modem serial connections, IPSec (and TCP/IP in general) doesn't have a "carrier signal" that tells you that the session is still there, and doesn't have any mechanism to notify upon loss of that (non-existent) carrier signal.

The closest you can get to a carrier signal is to use isakmp keep-alives if you have a new enough software version. I don't recall at the moment exactly when that was introduced.

Walter Roberson

What I meant by IPsec is users who dial in to the PIX using the Cisco VPN software client, and all I need from accounting is the user's name and session duration. In another case I use a VPN 3000 concentrator, and when a user dials in, IAS shows all the info I need: the time when the user established the session and the session duration. I'm expecting the same from PIX accounting, but the RADIUS server shows the time and information regarding the authentication but no session duration.

This is what the RADIUS log shows:

Acct-Status-Type = Start

NAS-Port = 0

NAS-IP-Address = 192.168.x.x

Login-IP-Host = 192.168.x.x

Login-TCP-Port = 3389

Acct-Session-Id = "0x4e806004"

User-Name = "External VPN"

Vendor-Specific = "V9:T1:L26:ip:source-ip=192.168.x.x"

Vendor-Specific = "V9:T1:L21:ip:source-port=1129"

Vendor-Specific = "V9:T1:L31:ip:destination-ip=192.168.x.x"

Vendor-Specific = "V9:T1:L26:ip:destination-port=3389"

Timestamp = 1160341527

Request-Authenticator = Verified

thanks

John Strow
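An added example, not code from either poster: a session duration only exists once a Stop record arrives for the same Acct-Session-Id, so this pairs Start and Stop records in the "Attribute = value" layout quoted above and lists the Starts that never got a Stop, which is the unreliable case described in the first reply. It assumes the log carries Stop records with the standard Acct-Session-Time attribute or a Timestamp; the Stop record and the second session in the sample are constructed.

```python
import re

# Constructed sample. Only the first Start's Acct-Session-Id, User-Name and
# Timestamp come from the post; the Stop and the second session are made up.
SAMPLE_LOG = '''
Acct-Status-Type = Start
Acct-Session-Id = "0x4e806004"
User-Name = "External VPN"
Timestamp = 1160341527

Acct-Status-Type = Stop
Acct-Session-Id = "0x4e806004"
Acct-Session-Time = 1800
Timestamp = 1160343327

Acct-Status-Type = Start
Acct-Session-Id = "0x4e806005"
User-Name = "External VPN"
Timestamp = 1160345000
'''

def parse_records(text):
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):  # blank line ends a record
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition("=")  # first "=" only; VSAs contain more
            if sep:
                rec[name.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records

def session_durations(records):
    """Return (closed, orphans): {id: (user, seconds)} and Starts never followed by a Stop."""
    open_starts, closed = {}, {}
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if status == "Start":
            open_starts[sid] = (rec.get("User-Name"), int(rec["Timestamp"]))
        elif status == "Stop":
            user, started = open_starts.pop(sid, (rec.get("User-Name"), None))
            if "Acct-Session-Time" in rec:   # prefer the NAS's own figure
                closed[sid] = (user, int(rec["Acct-Session-Time"]))
            elif started is not None:        # else difference of log timestamps
                closed[sid] = (user, int(rec["Timestamp"]) - started)
    return closed, open_starts

if __name__ == "__main__":
    print(session_durations(parse_records(SAMPLE_LOG)))
```

Entries left in the second return value are sessions with no recorded end, so they have no duration to report.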
