Openswan can be compiled using HAVE_STATSD=true This will cause openswan to log all state changes by calling a binary, currently hardcoded to /bin/openswan-statsd It will log the state changes as arguments to that binary which is called using system() As an example, to log these to a file called /tmp/stats.out you can do: cat > /bin/openswan-statsd < EOF #!/bin/sh echo "$*" >> /tmp/stats.out EOF chmod 755 /bin/openswan-statsd Example output (where we have a conn l2tp-psk) push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase2 ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 neg nfmark me/him 4986003/4986003 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel unknown ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536 push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel unknown ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003 The last two numbers are the SAref number (converted to the NFMARK numbers, so directly usable for iptables)