Is there any way to get the PIX to do accounting for VPN connections? I currently have it set up to do VPN authentication via RADIUS, but once it authenticates, nothing is sent from the PIX via the radius-acct port (1813) to indicate success/failure etc. I know you can account other services like ssh/telnet/http connections TO the PIX itself or through it. I tried "rigging" it by accounting any connections to udp/4500, but that didn't seem to work. There doesn't seem to be any command to enable VPN accounting, at least not that I could find. If anyone has any ideas it would be appreciated. I'm running a PIX 515e w/6.3 and using FreeRADIUS running on Linux.
Note: The sysopt connection permit-ipsec command, not the sysopt ipsec pl-compatible command, is necessary for xauth accounting to work. Xauth accounting does not work with only the sysopt ipsec pl-compatible command. Xauth accounting is valid for TCP connections, not ICMP or UDP.
Hi and thanks for replying. That just seemed to account all tcp connections passing through the PIX via VPN after the authentication. It did not account the actual client VPN authentication and connection to the PIX. :(
I tried from a client that does transparent tunneling from behind another firewall and a client not behind a firewall, and no accounting info was sent from the VPN PIX at all. Any other suggestions or maybe this kind of accounting is not available for the PIX right now, since it probably was meant to do mainly site-to-site VPNs and not client-to-PIX?