eap-radius: Remove cache entries for expired SAs during ike/child_rekey
[strongswan.git] / src / libcharon / plugins / eap_radius / eap_radius_accounting.c
index cd81cfc..b486ba4 100644 (file)
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2012 Martin Willi
  * Copyright (C) 2012 revosec AG
  *
  */
 
 #include "eap_radius_accounting.h"
+#include "eap_radius_plugin.h"
 
 #include <time.h>
 
-#include "radius_message.h"
-#include "radius_client.h"
+#include <radius_message.h>
+#include <radius_client.h>
 #include <daemon.h>
-#include <utils/hashtable.h>
+#include <collections/array.h>
+#include <collections/hashtable.h>
 #include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
 
 typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t;
 
@@ -36,7 +42,7 @@ struct private_eap_radius_accounting_t {
        eap_radius_accounting_t public;
 
        /**
-        * Hashtable with sessions, IKE_SA unique id => entry_t
+        * Hashtable with sessions, ike_sa_id_t => entry_t
         */
        hashtable_t *sessions;
 
@@ -49,23 +55,99 @@ struct private_eap_radius_accounting_t {
         * Session ID prefix
         */
        u_int32_t prefix;
+
+       /**
+        * Format string we use for Called/Calling-Station-Id for a host
+        */
+       char *station_id_fmt;
+
+       /**
+        * Disable accounting unless IKE_SA has at least one virtual IP
+        */
+       bool acct_req_vip;
 };
 
 /**
+ * Singleton instance of accounting
+ */
+static private_eap_radius_accounting_t *singleton = NULL;
+
+/**
+ * Acct-Terminate-Cause
+ */
+typedef enum {
+       ACCT_CAUSE_USER_REQUEST = 1,
+       ACCT_CAUSE_LOST_CARRIER = 2,
+       ACCT_CAUSE_LOST_SERVICE = 3,
+       ACCT_CAUSE_IDLE_TIMEOUT = 4,
+       ACCT_CAUSE_SESSION_TIMEOUT = 5,
+       ACCT_CAUSE_ADMIN_RESET = 6,
+       ACCT_CAUSE_ADMIN_REBOOT = 7,
+       ACCT_CAUSE_PORT_ERROR = 8,
+       ACCT_CAUSE_NAS_ERROR = 9,
+       ACCT_CAUSE_NAS_REQUEST = 10,
+       ACCT_CAUSE_NAS_REBOOT = 11,
+       ACCT_CAUSE_PORT_UNNEEDED = 12,
+       ACCT_CAUSE_PORT_PREEMPTED = 13,
+       ACCT_CAUSE_PORT_SUSPENDED = 14,
+       ACCT_CAUSE_SERVICE_UNAVAILABLE = 15,
+       ACCT_CAUSE_CALLBACK = 16,
+       ACCT_CAUSE_USER_ERROR = 17,
+       ACCT_CAUSE_HOST_REQUEST = 18,
+} radius_acct_terminate_cause_t;
+
+/**
+ * Usage stats for a cached SAs
+ */
+typedef struct {
+       /** unique CHILD_SA identifier */
+       u_int32_t id;
+       /** usage stats for this SA */
+       struct {
+               u_int64_t sent;
+               u_int64_t received;
+       } bytes, packets;
+} sa_entry_t;
+
+/**
  * Hashtable entry with usage stats
  */
 typedef struct {
+       /** IKE_SA identifier this entry is stored under */
+       ike_sa_id_t *id;
        /** RADIUS accounting session ID */
-       char sid[16];
-       /** number of octets sent */
-       u_int64_t sent;
-       /** number of octets received */
-       u_int64_t received;
+       char sid[24];
+       /** number of sent/received octets/packets for expired SAs */
+       struct {
+               u_int64_t sent;
+               u_int64_t received;
+       } bytes, packets;
+       /** list of cached SAs, sa_entry_t (sorted by their unique ID) */
+       array_t *cached;
        /** session creation time */
        time_t created;
+       /** terminate cause */
+       radius_acct_terminate_cause_t cause;
+       /* interim interval and timestamp of last update */
+       struct {
+               u_int32_t interval;
+               time_t last;
+       } interim;
+       /** did we send Accounting-Start */
+       bool start_sent;
 } entry_t;
 
 /**
+ * Destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+       array_destroy_function(this->cached, (void*)free, NULL);
+       this->id->destroy(this->id);
+       free(this);
+}
+
+/**
  * Accounting message status types
  */
 typedef enum {
@@ -79,17 +161,34 @@ typedef enum {
 /**
  * Hashtable hash function
  */
-static u_int hash(uintptr_t key)
+static u_int hash(ike_sa_id_t *key)
 {
-       return key;
+       return key->get_responder_spi(key);
 }
 
 /**
  * Hashtable equals function
  */
-static bool equals(uintptr_t a, uintptr_t b)
+static bool equals(ike_sa_id_t *a, ike_sa_id_t *b)
 {
-       return a == b;
+       return a->equals(a, b);
+}
+
+/**
+ * Sort cached SAs
+ */
+static int sa_sort(const void *a, const void *b, void *user)
+{
+       const sa_entry_t *ra = a, *rb = b;
+       return ra->id - rb->id;
+}
+
+/**
+ * Find a cached SA
+ */
+static int sa_find(const void *a, const void *b)
+{
+       return sa_sort(a, b, NULL);
 }
 
 /**
@@ -98,24 +197,77 @@ static bool equals(uintptr_t a, uintptr_t b)
 static void update_usage(private_eap_radius_accounting_t *this,
                                                 ike_sa_t *ike_sa, child_sa_t *child_sa)
 {
-       u_int64_t sent, received;
+       u_int64_t bytes_in, bytes_out, packets_in, packets_out;
        entry_t *entry;
+       sa_entry_t *sa, lookup;
 
-       child_sa->get_usestats(child_sa, FALSE, NULL, &sent);
-       child_sa->get_usestats(child_sa, TRUE, NULL, &received);
+       child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out);
+       child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in);
 
        this->mutex->lock(this->mutex);
-       entry = this->sessions->get(this->sessions,
-                                                               (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+       entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
        if (entry)
        {
-               entry->sent += sent;
-               entry->received += received;
+               lookup.id = child_sa->get_unique_id(child_sa);
+               if (array_bsearch(entry->cached, &lookup, sa_find, &sa) == -1)
+               {
+                       INIT(sa,
+                               .id = lookup.id,
+                       );
+                       array_insert_create(&entry->cached, ARRAY_TAIL, sa);
+                       array_sort(entry->cached, sa_sort, NULL);
+               }
+               sa->bytes.sent = bytes_out;
+               sa->bytes.received = bytes_in;
+               sa->packets.sent = packets_out;
+               sa->packets.received = packets_in;
        }
        this->mutex->unlock(this->mutex);
 }
 
 /**
+ * Cleanup cached SAs
+ */
+static void cleanup_sas(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
+                                               entry_t *entry)
+{
+       enumerator_t *enumerator;
+       child_sa_t *child_sa;
+       sa_entry_t *sa, *found;
+       array_t *sas;
+
+       sas = array_create(0, 0);
+       enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+       while (enumerator->enumerate(enumerator, &child_sa))
+       {
+               INIT(sa,
+                       .id = child_sa->get_unique_id(child_sa),
+               );
+               array_insert(sas, ARRAY_TAIL, sa);
+               array_sort(sas, sa_sort, NULL);
+       }
+       enumerator->destroy(enumerator);
+
+       enumerator = array_create_enumerator(entry->cached);
+       while (enumerator->enumerate(enumerator, &sa))
+       {
+               if (array_bsearch(sas, sa, sa_find, &found) == -1)
+               {
+                       /* SA is gone, add its latest stats to the total for this IKE_SA
+                        * and remove the cache entry */
+                       entry->bytes.sent += sa->bytes.sent;
+                       entry->bytes.received += sa->bytes.received;
+                       entry->packets.sent += sa->packets.sent;
+                       entry->packets.received += sa->packets.received;
+                       array_remove_at(entry->cached, enumerator);
+                       free(sa);
+               }
+       }
+       enumerator->destroy(enumerator);
+       array_destroy_function(sas, (void*)free, NULL);
+}
+
+/**
  * Send a RADIUS message, wait for response
  */
 static bool send_message(private_eap_radius_accounting_t *this,
@@ -125,7 +277,7 @@ static bool send_message(private_eap_radius_accounting_t *this,
        radius_client_t *client;
        bool ack = FALSE;
 
-       client = radius_client_create();
+       client = eap_radius_create_client();
        if (client)
        {
                response = client->request(client, request);
@@ -142,28 +294,300 @@ static bool send_message(private_eap_radius_accounting_t *this,
 /**
  * Add common IKE_SA parameters to RADIUS account message
  */
-static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa)
+static void add_ike_sa_parameters(private_eap_radius_accounting_t *this,
+                                                                 radius_message_t *message, ike_sa_t *ike_sa)
 {
-       host_t *vip;
-       char buf[64];
+       enumerator_t *enumerator;
+       host_t *vip, *host;
+       char buf[MAX_RADIUS_ATTRIBUTE_SIZE + 1];
        chunk_t data;
+       u_int32_t value;
+
+       /* virtual NAS-Port-Type */
+       value = htonl(5);
+       message->add(message, RAT_NAS_PORT_TYPE, chunk_from_thing(value));
+       /* framed ServiceType */
+       value = htonl(2);
+       message->add(message, RAT_SERVICE_TYPE, chunk_from_thing(value));
+
+       value = htonl(ike_sa->get_unique_id(ike_sa));
+       message->add(message, RAT_NAS_PORT, chunk_from_thing(value));
+       message->add(message, RAT_NAS_PORT_ID,
+                                chunk_from_str(ike_sa->get_name(ike_sa)));
+
+       host = ike_sa->get_my_host(ike_sa);
+       data = host->get_address(host);
+       switch (host->get_family(host))
+       {
+               case AF_INET:
+                       message->add(message, RAT_NAS_IP_ADDRESS, data);
+                       break;
+               case AF_INET6:
+                       message->add(message, RAT_NAS_IPV6_ADDRESS, data);
+               default:
+                       break;
+       }
+       snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+       message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf));
+       host = ike_sa->get_other_host(ike_sa);
+       snprintf(buf, sizeof(buf), this->station_id_fmt, host);
+       message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf));
 
        snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa));
-       message->add(message, RAT_USER_NAME, chunk_create(buf, strlen(buf)));
-       snprintf(buf, sizeof(buf), "%#H", ike_sa->get_other_host(ike_sa));
-       message->add(message, RAT_CALLING_STATION_ID, chunk_create(buf, strlen(buf)));
-       vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
-       if (vip && vip->get_family(vip) == AF_INET)
+       message->add(message, RAT_USER_NAME, chunk_from_str(buf));
+
+       enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+       while (enumerator->enumerate(enumerator, &vip))
        {
-               message->add(message, RAT_FRAMED_IP_ADDRESS, vip->get_address(vip));
+               switch (vip->get_family(vip))
+               {
+                       case AF_INET:
+                               message->add(message, RAT_FRAMED_IP_ADDRESS,
+                                                        vip->get_address(vip));
+                               break;
+                       case AF_INET6:
+                               /* we currently assign /128 prefixes, only (reserved, length) */
+                               data = chunk_from_chars(0, 128);
+                               data = chunk_cata("cc", data, vip->get_address(vip));
+                               message->add(message, RAT_FRAMED_IPV6_PREFIX, data);
+                               break;
+                       default:
+                               break;
+               }
        }
-       if (vip && vip->get_family(vip) == AF_INET6)
+       enumerator->destroy(enumerator);
+}
+
+/**
+ * Get an existing or create a new entry from the locked session table
+ */
+static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this,
+                                                                       ike_sa_t *ike_sa)
+{
+       ike_sa_id_t *id;
+       entry_t *entry;
+       time_t now;
+
+       entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+       if (!entry)
        {
-               /* we currently assign /128 prefixes, only (reserved, length) */
-               data = chunk_from_chars(0, 128);
-               data = chunk_cata("cc", data, vip->get_address(vip));
-               message->add(message, RAT_FRAMED_IPV6_PREFIX, data);
+               now = time_monotonic(NULL);
+               id = ike_sa->get_id(ike_sa);
+
+               INIT(entry,
+                       .id = id->clone(id),
+                       .created = now,
+                       .interim = {
+                               .last = now,
+                       },
+                       /* default terminate cause, if none other catched */
+                       .cause = ACCT_CAUSE_USER_REQUEST,
+               );
+               snprintf(entry->sid, sizeof(entry->sid), "%u-%u",
+                                this->prefix, ike_sa->get_unique_id(ike_sa));
+               this->sessions->put(this->sessions, entry->id, entry);
        }
+       return entry;
+}
+
+/* forward declaration */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+                                                        entry_t *entry);
+
+/**
+ * Data passed to send_interim() using callback job
+ */
+typedef struct {
+       /** reference to radius accounting */
+       private_eap_radius_accounting_t *this;
+       /** IKE_SA identifier to send interim update to */
+       ike_sa_id_t *id;
+} interim_data_t;
+
+/**
+ * Clean up interim data
+ */
+void destroy_interim_data(interim_data_t *this)
+{
+       this->id->destroy(this->id);
+       free(this);
+}
+
+/**
+ * Send an interim update for entry of given IKE_SA identifier
+ */
+static job_requeue_t send_interim(interim_data_t *data)
+{
+       private_eap_radius_accounting_t *this = data->this;
+       u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0;
+       u_int64_t bytes, packets;
+       radius_message_t *message = NULL;
+       enumerator_t *enumerator;
+       child_sa_t *child_sa;
+       ike_sa_t *ike_sa;
+       entry_t *entry;
+       u_int32_t value;
+       array_t *stats;
+       sa_entry_t *sa, *found;
+
+       ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id);
+       if (!ike_sa)
+       {
+               return JOB_REQUEUE_NONE;
+       }
+       stats = array_create(0, 0);
+       enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+       while (enumerator->enumerate(enumerator, &child_sa))
+       {
+               INIT(sa,
+                       .id = child_sa->get_unique_id(child_sa),
+               );
+               array_insert(stats, ARRAY_TAIL, sa);
+               array_sort(stats, sa_sort, NULL);
+
+               child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets);
+               sa->bytes.sent = bytes;
+               sa->packets.sent = packets;
+               bytes_out += bytes;
+               packets_out += packets;
+               child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets);
+               sa->bytes.received = bytes;
+               sa->packets.received = packets;
+               bytes_in += bytes;
+               packets_in += packets;
+       }
+       enumerator->destroy(enumerator);
+       charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+       /* avoid any races by returning IKE_SA before acquiring lock */
+
+       this->mutex->lock(this->mutex);
+       entry = this->sessions->get(this->sessions, data->id);
+       if (entry)
+       {
+               entry->interim.last = time_monotonic(NULL);
+
+               enumerator = array_create_enumerator(entry->cached);
+               while (enumerator->enumerate(enumerator, &sa))
+               {
+                       if (array_bsearch(stats, sa, sa_find, &found) != -1)
+                       {
+                               /* SA is still around, update stats (e.g. for IKEv1 where
+                                * SA might get used even after rekeying) */
+                               sa->bytes = found->bytes;
+                               sa->packets = found->packets;
+                       }
+                       else
+                       {
+                               /* SA is gone, add its latest stats to the total for this IKE_SA
+                                * and remove the cache entry */
+                               entry->bytes.sent += sa->bytes.sent;
+                               entry->bytes.received += sa->bytes.received;
+                               entry->packets.sent += sa->packets.sent;
+                               entry->packets.received += sa->packets.received;
+                               array_remove_at(entry->cached, enumerator);
+                               free(sa);
+                       }
+               }
+               enumerator->destroy(enumerator);
+
+               bytes_in += entry->bytes.received;
+               bytes_out += entry->bytes.sent;
+               packets_in += entry->packets.received;
+               packets_out += entry->packets.sent;
+
+               message = radius_message_create(RMC_ACCOUNTING_REQUEST);
+               value = htonl(ACCT_STATUS_INTERIM_UPDATE);
+               message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
+               message->add(message, RAT_ACCT_SESSION_ID,
+                                        chunk_create(entry->sid, strlen(entry->sid)));
+               add_ike_sa_parameters(this, message, ike_sa);
+
+               value = htonl(bytes_out);
+               message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
+               value = htonl(bytes_out >> 32);
+               if (value)
+               {
+                       message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
+                                                chunk_from_thing(value));
+               }
+               value = htonl(packets_out);
+               message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+               value = htonl(bytes_in);
+               message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
+               value = htonl(bytes_in >> 32);
+               if (value)
+               {
+                       message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
+                                                chunk_from_thing(value));
+               }
+               value = htonl(packets_in);
+               message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
+               value = htonl(entry->interim.last - entry->created);
+               message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
+
+               schedule_interim(this, entry);
+       }
+       this->mutex->unlock(this->mutex);
+       array_destroy_function(stats, (void*)free, NULL);
+
+       if (message)
+       {
+               if (!send_message(this, message))
+               {
+                       if (lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.eap-radius.accounting_close_on_timeout",
+                                                       TRUE, lib->ns))
+                       {
+                               eap_radius_handle_timeout(data->id);
+                       }
+               }
+               message->destroy(message);
+       }
+       return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Schedule interim update for given entry
+ */
+static void schedule_interim(private_eap_radius_accounting_t *this,
+                                                        entry_t *entry)
+{
+       if (entry->interim.interval)
+       {
+               interim_data_t *data;
+               timeval_t tv = {
+                       .tv_sec = entry->interim.last + entry->interim.interval,
+               };
+
+               INIT(data,
+                       .this = this,
+                       .id = entry->id->clone(entry->id),
+               );
+               lib->scheduler->schedule_job_tv(lib->scheduler,
+                       (job_t*)callback_job_create_with_prio(
+                               (callback_job_cb_t)send_interim,
+                               data, (void*)destroy_interim_data,
+                               (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
+       }
+}
+
+/**
+ * Check if an IKE_SA has assigned a virtual IP (to peer)
+ */
+static bool has_vip(ike_sa_t *ike_sa)
+{
+       enumerator_t *enumerator;
+       host_t *host;
+       bool found;
+
+       enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+       found = enumerator->enumerate(enumerator, &host);
+       enumerator->destroy(enumerator);
+
+       return found;
 }
 
 /**
@@ -173,26 +597,41 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
        radius_message_t *message;
        entry_t *entry;
-       u_int32_t id, value;
+       u_int32_t value;
 
-       id = ike_sa->get_unique_id(ike_sa);
-       INIT(entry,
-               .created = time_monotonic(NULL),
-       );
-       snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, id);
+       if (this->acct_req_vip && !has_vip(ike_sa))
+       {
+               return;
+       }
+
+       this->mutex->lock(this->mutex);
+
+       entry = get_or_create_entry(this, ike_sa);
+       entry->start_sent = TRUE;
 
        message = radius_message_create(RMC_ACCOUNTING_REQUEST);
        value = htonl(ACCT_STATUS_START);
        message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
        message->add(message, RAT_ACCT_SESSION_ID,
                                 chunk_create(entry->sid, strlen(entry->sid)));
-       add_ike_sa_parameters(message, ike_sa);
-       if (send_message(this, message))
+
+       if (!entry->interim.interval)
        {
-               this->mutex->lock(this->mutex);
-               entry = this->sessions->put(this->sessions, (void*)(uintptr_t)id, entry);
-               this->mutex->unlock(this->mutex);
-               free(entry);
+               entry->interim.interval = lib->settings->get_time(lib->settings,
+                                       "%s.plugins.eap-radius.accounting_interval", 0, lib->ns);
+               if (entry->interim.interval)
+               {
+                       DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us",
+                                entry->interim.interval);
+               }
+       }
+       schedule_interim(this, entry);
+       this->mutex->unlock(this->mutex);
+
+       add_ike_sa_parameters(this, message, ike_sa);
+       if (!send_message(this, message))
+       {
+               eap_radius_handle_timeout(ike_sa->get_id(ike_sa));
        }
        message->destroy(message);
 }
@@ -203,46 +642,104 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa)
 {
        radius_message_t *message;
+       enumerator_t *enumerator;
        entry_t *entry;
-       u_int32_t id, value;
+       sa_entry_t *sa;
+       u_int32_t value;
 
-       id = ike_sa->get_unique_id(ike_sa);
        this->mutex->lock(this->mutex);
-       entry = this->sessions->remove(this->sessions, (void*)(uintptr_t)id);
+       entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa));
        this->mutex->unlock(this->mutex);
        if (entry)
        {
+               if (!entry->start_sent)
+               {       /* we tried to authenticate this peer, but never sent a start */
+                       destroy_entry(entry);
+                       return;
+               }
+               enumerator = array_create_enumerator(entry->cached);
+               while (enumerator->enumerate(enumerator, &sa))
+               {
+                       entry->bytes.sent += sa->bytes.sent;
+                       entry->bytes.received += sa->bytes.received;
+                       entry->packets.sent += sa->packets.sent;
+                       entry->packets.received += sa->packets.received;
+               }
+               enumerator->destroy(enumerator);
+
                message = radius_message_create(RMC_ACCOUNTING_REQUEST);
                value = htonl(ACCT_STATUS_STOP);
                message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value));
                message->add(message, RAT_ACCT_SESSION_ID,
                                         chunk_create(entry->sid, strlen(entry->sid)));
-               add_ike_sa_parameters(message, ike_sa);
-               value = htonl(entry->sent);
+               add_ike_sa_parameters(this, message, ike_sa);
+
+               value = htonl(entry->bytes.sent);
                message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value));
-               value = htonl(entry->sent >> 32);
+               value = htonl(entry->bytes.sent >> 32);
                if (value)
                {
                        message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS,
                                                 chunk_from_thing(value));
                }
-               value = htonl(entry->received);
+               value = htonl(entry->packets.sent);
+               message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value));
+
+               value = htonl(entry->bytes.received);
                message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value));
-               value = htonl(entry->received >> 32);
+               value = htonl(entry->bytes.received >> 32);
                if (value)
                {
                        message->add(message, RAT_ACCT_INPUT_GIGAWORDS,
                                                 chunk_from_thing(value));
                }
+               value = htonl(entry->packets.received);
+               message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value));
+
                value = htonl(time_monotonic(NULL) - entry->created);
                message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value));
 
-               send_message(this, message);
+
+               value = htonl(entry->cause);
+               message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value));
+
+               if (!send_message(this, message))
+               {
+                       eap_radius_handle_timeout(NULL);
+               }
                message->destroy(message);
-               free(entry);
+               destroy_entry(entry);
        }
 }
 
+METHOD(listener_t, alert, bool,
+       private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, alert_t alert,
+       va_list args)
+{
+       radius_acct_terminate_cause_t cause;
+       entry_t *entry;
+
+       switch (alert)
+       {
+               case ALERT_IKE_SA_EXPIRED:
+                       cause = ACCT_CAUSE_SESSION_TIMEOUT;
+                       break;
+               case ALERT_RETRANSMIT_SEND_TIMEOUT:
+                       cause = ACCT_CAUSE_LOST_SERVICE;
+                       break;
+               default:
+                       return TRUE;
+       }
+       this->mutex->lock(this->mutex);
+       entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+       if (entry)
+       {
+               entry->cause = cause;
+       }
+       this->mutex->unlock(this->mutex);
+       return TRUE;
+}
+
 METHOD(listener_t, ike_updown, bool,
        private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool up)
 {
@@ -266,15 +763,52 @@ METHOD(listener_t, ike_updown, bool,
 
 METHOD(listener_t, message_hook, bool,
        private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
-       message_t *message, bool incoming)
+       message_t *message, bool incoming, bool plain)
 {
        /* start accounting here, virtual IP now is set */
-       if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
-               message->get_exchange_type(message) == IKE_AUTH &&
+       if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
                !incoming && !message->get_request(message))
        {
-               send_start(this, ike_sa);
+               if (ike_sa->get_version(ike_sa) == IKEV1 &&
+                       message->get_exchange_type(message) == TRANSACTION)
+               {
+                       send_start(this, ike_sa);
+               }
+               if (ike_sa->get_version(ike_sa) == IKEV2 &&
+                       message->get_exchange_type(message) == IKE_AUTH)
+               {
+                       send_start(this, ike_sa);
+               }
+       }
+       return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+       private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+       entry_t *entry;
+
+       this->mutex->lock(this->mutex);
+       entry = this->sessions->remove(this->sessions, old->get_id(old));
+       if (entry)
+       {
+               /* update IKE_SA identifier */
+               entry->id->destroy(entry->id);
+               entry->id = new->get_id(new);
+               entry->id = entry->id->clone(entry->id);
+               /* fire new interim update job, old gets invalid */
+               schedule_interim(this, entry);
+
+               cleanup_sas(this, new, entry);
+
+               entry = this->sessions->put(this->sessions, entry->id, entry);
+               if (entry)
+               {
+                       destroy_entry(entry);
+               }
        }
+       this->mutex->unlock(this->mutex);
+
        return TRUE;
 }
 
@@ -282,8 +816,16 @@ METHOD(listener_t, child_rekey, bool,
        private_eap_radius_accounting_t *this, ike_sa_t *ike_sa,
        child_sa_t *old, child_sa_t *new)
 {
-       update_usage(this, ike_sa, old);
+       entry_t *entry;
 
+       update_usage(this, ike_sa, old);
+       this->mutex->lock(this->mutex);
+       entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa));
+       if (entry)
+       {
+               cleanup_sas(this, ike_sa, entry);
+       }
+       this->mutex->unlock(this->mutex);
        return TRUE;
 }
 
@@ -301,6 +843,8 @@ METHOD(listener_t, child_updown, bool,
 METHOD(eap_radius_accounting_t, destroy, void,
        private_eap_radius_accounting_t *this)
 {
+       charon->bus->remove_listener(charon->bus, &this->public.listener);
+       singleton = NULL;
        this->mutex->destroy(this->mutex);
        this->sessions->destroy(this->sessions);
        free(this);
@@ -316,7 +860,9 @@ eap_radius_accounting_t *eap_radius_accounting_create()
        INIT(this,
                .public = {
                        .listener = {
+                               .alert = _alert,
                                .ike_updown = _ike_updown,
+                               .ike_rekey = _ike_rekey,
                                .message = _message_hook,
                                .child_updown = _child_updown,
                                .child_rekey = _child_rekey,
@@ -329,6 +875,41 @@ eap_radius_accounting_t *eap_radius_accounting_create()
                                                                         (hashtable_equals_t)equals, 32),
                .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
        );
+       if (lib->settings->get_bool(lib->settings,
+                               "%s.plugins.eap-radius.station_id_with_port", TRUE, lib->ns))
+       {
+               this->station_id_fmt = "%#H";
+       }
+       else
+       {
+               this->station_id_fmt = "%H";
+       }
+       if (lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.eap-radius.accounting", FALSE, lib->ns))
+       {
+               singleton = this;
+               charon->bus->add_listener(charon->bus, &this->public.listener);
+       }
+       this->acct_req_vip = lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.eap-radius.accounting_requires_vip",
+                                                       FALSE, lib->ns);
 
        return &this->public;
 }
+
+/**
+ * See header
+ */
+void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval)
+{
+       if (singleton)
+       {
+               entry_t *entry;
+
+               DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval);
+               singleton->mutex->lock(singleton->mutex);
+               entry = get_or_create_entry(singleton, ike_sa);
+               entry->interim.interval = interval;
+               singleton->mutex->unlock(singleton->mutex);
+       }
+}