Too much logging for IPSec DPD
Is it possible to reduce the amount of logging for DPD packets? By default, these are generated every minute, and I have not yet found ways to reduce it.
Can we instead, by default, log if a DPD packet is NOT responded to?
Jan 16 09:46:43 charon: 06[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (84 bytes)
Jan 16 09:46:43 charon: 06[ENC] generating INFORMATIONAL_V1 request 1646481927 [ HASH N(DPD_ACK) ]
Jan 16 09:46:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 866924398 [ HASH N(DPD) ]
Jan 16 09:46:43 charon: 06[NET] received packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (84 bytes)
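One way to get the behaviour asked for above (log only DPD probes that are never answered) without touching strongSwan's own logging is to post-filter the charon log. The script below is an added example for this thread, not pfSense or strongSwan code. It assumes the default syslog line shape shown in the report (`<timestamp> charon: NN[NET|ENC] ...`), that lines are read in the order charon wrote them (oldest first; the pfSense log view shows newest first, so the four lines above appear reversed), and that the `[NET]` line adjacent to an `[ENC]` line on the same thread number describes the same packet. In IKEv1 a DPD (R-U-THERE) and its DPD_ACK are separate INFORMATIONAL exchanges with unrelated message IDs, so the script correlates them per peer address and time order rather than by ID. The sample log lines and RFC 5737 addresses are constructed for the example.

```python
"""Report only IKEv1 DPD probes we sent that got no DPD_ACK (charon log).

Added example, not pfSense/strongSwan code. Assumes the default syslog
line shape "<ts> charon: NN[NET|ENC] ..." read oldest-first.
"""
import re
from datetime import datetime

NET_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon: (?P<thr>\d+)\[NET\] "
    r"(?P<dir>sending|received) packet: from (?P<src>\S+) to (?P<dst>\S+)"
)
ENC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon: (?P<thr>\d+)\[ENC\] "
    r"(?P<act>generating|parsed) INFORMATIONAL_V1 request \d+ "
    r"\[ HASH N\((?P<notify>DPD|DPD_ACK)\) \]"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; pin a leap year so "Feb 29" parses
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def unanswered_dpd(lines, timeout=30):
    """Return [(peer, sent_ts)] for DPD requests we sent with no DPD_ACK.

    A probe is unanswered when a newer probe to the same peer goes out
    before any ack arrives, or when it is still open more than `timeout`
    seconds before the last log line seen.
    """
    outstanding = {}    # peer -> timestamp of the oldest open probe
    dpd_to_send = {}    # thread -> True once "generating ... N(DPD)" seen
    received_from = {}  # thread -> src of the packet just received
    findings = []
    last_ts = None

    for line in lines:
        m = ENC_RE.match(line)
        if m:
            thr, act, notify = m.group("thr", "act", "notify")
            last_ts = m.group("ts")
            if act == "generating" and notify == "DPD":
                # our probe; the peer is on the [NET] "sending" line that follows
                dpd_to_send[thr] = True
            elif act == "parsed":
                peer = received_from.pop(thr, None)
                if notify == "DPD_ACK" and peer is not None:
                    outstanding.pop(peer, None)
                # parsed N(DPD) is the peer probing us; charon answers it itself
            continue

        m = NET_RE.match(line)
        if not m:
            continue
        thr, direction, src, dst = m.group("thr", "dir", "src", "dst")
        last_ts = m.group("ts")
        if direction == "sending" and dpd_to_send.pop(thr, False):
            if dst in outstanding:
                # a second probe went out before the first was acked
                findings.append((dst, outstanding[dst]))
            outstanding[dst] = last_ts
        elif direction == "received":
            received_from[thr] = src

    # whatever is still open at the end and older than the DPD timeout
    if last_ts is not None:
        end = _parse_ts(last_ts)
        for peer, sent in outstanding.items():
            if (end - _parse_ts(sent)).total_seconds() > timeout:
                findings.append((peer, sent))
    return findings


# Constructed sample (not from the report), oldest first, RFC 5737 addresses:
# peer A probes us and we ack; we probe A and A acks; we probe B twice, no ack.
SAMPLE = """\
Jan 16 09:46:43 charon: 06[NET] received packet: from 198.51.100.1[500] to 192.0.2.1[500] (84 bytes)
Jan 16 09:46:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 866924398 [ HASH N(DPD) ]
Jan 16 09:46:43 charon: 06[ENC] generating INFORMATIONAL_V1 request 1646481927 [ HASH N(DPD_ACK) ]
Jan 16 09:46:43 charon: 06[NET] sending packet: from 192.0.2.1[500] to 198.51.100.1[500] (84 bytes)
Jan 16 09:47:43 charon: 07[ENC] generating INFORMATIONAL_V1 request 1398203184 [ HASH N(DPD) ]
Jan 16 09:47:43 charon: 07[NET] sending packet: from 192.0.2.1[500] to 198.51.100.1[500] (84 bytes)
Jan 16 09:47:43 charon: 08[NET] received packet: from 198.51.100.1[500] to 192.0.2.1[500] (84 bytes)
Jan 16 09:47:43 charon: 08[ENC] parsed INFORMATIONAL_V1 request 2070815523 [ HASH N(DPD_ACK) ]
Jan 16 09:48:43 charon: 09[ENC] generating INFORMATIONAL_V1 request 1781144729 [ HASH N(DPD) ]
Jan 16 09:48:43 charon: 09[NET] sending packet: from 192.0.2.1[500] to 203.0.113.1[500] (84 bytes)
Jan 16 09:49:43 charon: 10[ENC] generating INFORMATIONAL_V1 request 1781144730 [ HASH N(DPD) ]
Jan 16 09:49:43 charon: 10[NET] sending packet: from 192.0.2.1[500] to 203.0.113.1[500] (84 bytes)
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for peer, sent in unanswered_dpd(src):
        print(f"DPD to {peer} sent {sent} got no DPD_ACK")
```

Run it against a saved copy of the IPsec log (`python dpd_unanswered.py /var/log/ipsec.log` is a hypothetical invocation; use whatever path the log is exported to). The four-line answered exchanges that fill the log every minute produce no output; only the probe to the peer that never replied is reported. Because the `[ENC]` lines carry no addresses, the correlation depends on the `net` category staying at least at its default level; silencing `net` while keeping `enc` would leave the script unable to attribute probes to a peer.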
Updated by Matthew Smith almost 6 years ago
The logging is done by strongswan. There are several ways to control the frequency of DPD-related messages. One is to increase the interval between DPD messages in the IPSec phase 1 configurations.
Another possibility would be to decrease the logging level for the categories that generate log traffic when each DPD message is sent. The categories of the messages pasted in the description, as they appear in the pfSense GUI, are "Networking" and "Configuration Backend". The default strongswan logging level is "Control". Adjusting the logging levels to Audit or Silent for those categories may reduce the amount of logging you see for DPD. In versions 2.2 through 2.2.4 of pfSense, when changes were made to the logging configurations, they did not persist across a system reboot. This will be fixed in 2.2.5 and 2.3 (see tickets #5242 and #5340) and will result in allowing you greater control of how much data is logged for each category.
Another way to reduce the frequency of DPD log messages would be to send traffic across the tunnel. The only time DPD messages are sent are when no traffic has been sent over the tunnel. If you set up something to ping across the tunnel periodically and set the DPD interval to be close to the interval between pings, you may see a reduction in the number of DPD messages sent.
Given that these other options are available, we are not going to modify the logging behavior in strongswan for DPD messages. It seems unlikely that strongswan would accept a patch from us for a change like this. They would likely cite similar recommendations to the above.
Updated by Chris Buechler almost 6 years ago
- Status changed from Feedback to Resolved
- Target version changed from 2.3 to 2.2.5
- Affected Version changed from 2.2 to 2.2.x
This is fixed now; the main reason I still had it out there was because I knew it was indicative of general log level issues, all of which are now fixed in 2.2.5 and newer.