Re-enable strongswan_log_level: -1 to another level after install

[CA2MI]

Hi, I set strongswan_log_level: -1 during the install. I have a user who is abusing the VPN from our small group of users and I need to find out who is allowing copyright material to be broadcast. Since I set strongswan to off, I'm going blind into this. I'm not sure where to enable it so I can get some logs. I know i can't change it in the config file since it's already written the files for the server. Much needed help on this.

[davidemyers]

The value set in config.cfg for strongswan_log_level is used as the value for charondebug in /etc/ipsec.conf. If you edit that file you should then restart strongSwan with:

sudo systemctl restart strongswan-starter

However I think the information logged by strongSwan is mostly about connection establishment and therefore won't be helpful for your situation.

If it would help to see what IP addresses your users are connecting to you can install the package conntrack and try a command like:

sudo conntrack -L

[CA2MI]

Is it possible to see what connection files are being used so I could remove them for the person violating? I'm trying to figure out how I can block a user if they just do $hitty things via the VPN. If I could identity the connection file name they were using, then I might be able to block them from using the server(s) on a restart.

[davidemyers]

I've been using WireGuard instead of IPsec for quite a while now so I might be wrong, but I think you can see which IP address is associated with a given user by running ipsec statusall, though that association is dynamic as strongSwan assigns the address at connection time kind of like DHCP.

If:

1. You can associate the bad behavior with a user; and
2. You still have the copy of Algo you used to deploy the server; and
3. You chose to save the PKI information when you deployed the server; and
4. You still have the CA password that was printed to the screen after the deployment finished

Then:

You can remove the user from config.cfg and run ./algo update-users to revoke the certificate and block the user from connecting.

[CA2MI]

Hi David,

Yikes, lots to think about on that one. If i do an update-users command will it modify all the other users on the server and would need to re-assign the config files to each one of them? I have about 50 active users on 12 different servers around the globe using the same algo install.

[davidemyers]

Removing a user is not supposed to affect any existing users as long as you leave their names in config.cfg.