Project

General

Profile

Feature #7007

Change default IPsec/strongswan log levels

Added by Chris Linstruth 8 months ago. Updated 7 months ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Logging
Target version:
Start date:
12/12/2016
Due date:
% Done:

100%


Description

It is usually beneficial to set IKE SA, IKE Child SA, and Configuration Backend to logging level "Diag" when troubleshooting IPsec issues. Propose changing these to be the default settings with all others staying at level "Control."

Associated revisions

Revision e470f721
Added by Jim Pingle 7 months ago

Rework how IPsec log settings are stored/retreived, adjust the default values. Implements #7007

Revision 286ed246
Added by Jim Pingle 7 months ago

Fix typo. Ticket #7007

History

#1 Updated by Kill Bill 8 months ago

Any attempts on tweaks useful for debugging here are completely useless while IPsec log is being flooding with tons of utter junk.

Time    Process    PID    Message
Dec 12 20:50:57    charon        13[NET] <con4|20> sending packet: from 188.xx.xx.xx[500] to 94.xx.xx.xx[500] (57 bytes)
Dec 12 20:50:57    charon        13[ENC] <con4|20> generating INFORMATIONAL response 416 [ ]
Dec 12 20:50:57    charon        13[ENC] <con4|20> parsed INFORMATIONAL request 416 [ ]
Dec 12 20:50:57    charon        13[NET] <con4|20> received packet: from 94.xx.xx.xx[500] to 188.xx.xx.xx[500] (57 bytes)

100+ lines of the above shit in 5 minutes. At default logging levels. Awesome. I certainly object to increasing loglevels of anything here until the crap it muted.

#2 Updated by Jim Pingle 8 months ago

  • Target version set to 2.4.0

Those are a different story entirely and unrelated to this at all. See #4227 (If you set "Networking" and "Message Encoding" to audit or silent it may be able to stop those from being logged)

The log areas in question on this ticket are what we always recommend for IPsec troubleshooting anyhow, it only increases the log verboseness during negotiation and it shows much more useful information about the encryption/authentication/traffic selector exchanges.

#3 Updated by Jim Thompson 7 months ago

  • Assignee set to Jim Pingle

assigned to Pingle for resolution.

#4 Updated by Jim Pingle 7 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

Works

Also available in: Atom PDF