Skip to main content

Libreswan IPSec tunnel collector

Collects bytes-in, bytes-out and uptime for all established libreswan IPSEC tunnels.

The following charts are created, per tunnel:

  1. Uptime
  • the uptime of the tunnel
  1. Traffic
  • bytes in
  • bytes out


If using our official native DEB/RPM packages, make sure netdata-plugin-chartsd is installed.

Edit the charts.d/libreswan.conf configuration file using edit-config from the Netdata config directory, which is typically at /etc/netdata.

cd /etc/netdata   # Replace this path with your Netdata config directory, if different
sudo ./edit-config charts.d/libreswan.conf

The plugin executes 2 commands to collect all the information it needs:

ipsec whack --status
ipsec whack --trafficstatus

The first command is used to extract the currently established tunnels, their IDs and their names. The second command is used to extract the current uptime and traffic.

Most probably user netdata will not be able to query libreswan, so the ipsec commands will be denied. The plugin attempts to run ipsec as sudo ipsec ..., to get access to libreswan statistics.

To allow user netdata execute sudo ipsec ..., create the file /etc/sudoers.d/netdata with this content:

netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus

Make sure the path /sbin/ipsec matches your setup (execute which ipsec to find the right path).

Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.