Change default IPsec/strongswan log levels
It is usually beneficial to set IKE SA, IKE Child SA, and Configuration Backend to logging level "Diag" when troubleshooting IPsec issues. Propose changing these to be the default settings with all others staying at level "Control."
Rework how IPsec log settings are stored/retreived, adjust the default values. Implements #7007
#1 Updated by Kill Bill almost 4 years ago
Any attempts on tweaks useful for debugging here are completely useless while IPsec log is being flooding with tons of utter junk.
Time Process PID Message Dec 12 20:50:57 charon 13[NET] <con4|20> sending packet: from 188.xx.xx.xx to 94.xx.xx.xx (57 bytes) Dec 12 20:50:57 charon 13[ENC] <con4|20> generating INFORMATIONAL response 416 [ ] Dec 12 20:50:57 charon 13[ENC] <con4|20> parsed INFORMATIONAL request 416 [ ] Dec 12 20:50:57 charon 13[NET] <con4|20> received packet: from 94.xx.xx.xx to 188.xx.xx.xx (57 bytes)
100+ lines of the above shit in 5 minutes. At default logging levels. Awesome. I certainly object to increasing loglevels of anything here until the crap it muted.
#2 Updated by Jim Pingle almost 4 years ago
- Target version set to 2.4.0
Those are a different story entirely and unrelated to this at all. See #4227 (If you set "Networking" and "Message Encoding" to audit or silent it may be able to stop those from being logged)
The log areas in question on this ticket are what we always recommend for IPsec troubleshooting anyhow, it only increases the log verboseness during negotiation and it shows much more useful information about the encryption/authentication/traffic selector exchanges.