
Add ipsec peer-name to log to simplify grepping and troubleshooting
Open, Requires assessment | Public | FEATURE REQUEST

Description

strongSwan allows us to use charon.syslog.<facility>.ike_name, which can help find peer info faster when troubleshooting.
When we change /etc/strongswan.d/charon-logging.conf and add ike_name = yes:

charon {
    syslog {
        # prefix for each log message
        identifier = charon
        # use default settings to log to the LOG_DAEMON facility
        daemon {
            default = 1
            ike_name = yes
        }
    }
}

This adds the possibility of grepping/matching the peers we need.

vyos@vyos# run show log vpn ipsec | match 100.64.0.1
Jun 19 14:03:54 vyos charon: 12[IKE] <peer-100.64.0.1-tunnel-0|1> initiating Main Mode IKE_SA peer-100.64.0.1-tunnel-0[1] to 100.64.0.1
Jun 19 14:03:54 vyos charon: 12[ENC] <peer-100.64.0.1-tunnel-0|1> generating ID_PROT request 0 [ SA V V V V V ]
Jun 19 14:03:54 vyos charon: 12[NET] <peer-100.64.0.1-tunnel-0|1> sending packet: from 100.64.0.2[500] to 100.64.0.1[500] (180 bytes)
Jun 19 14:03:54 vyos charon: 07[NET] <peer-100.64.0.1-tunnel-0|1> received packet: from 100.64.0.1[500] to 100.64.0.2[500] (56 bytes)
Jun 19 14:03:54 vyos charon: 07[ENC] <peer-100.64.0.1-tunnel-0|1> parsed INFORMATIONAL_V1 request 3793066263 [ N(NO_PROP) ]
Jun 19 14:03:54 vyos charon: 07[IKE] <peer-100.64.0.1-tunnel-0|1> received NO_PROPOSAL_CHOSEN error notify
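
Once the `<name|id>` prefix is present, the log can also be grouped per peer instead of grepped one address at a time. The following is an added example, not part of the original request or of VyOS: a small parser that groups charon syslog lines by connection name and collects "error notify" messages per peer. The function names, the second peer and the unprefixed line in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three lines from the output above, plus two constructed
# lines (a second peer, and a message that carries no ike_name prefix).
SAMPLE = """\
Jun 19 14:03:54 vyos charon: 12[IKE] <peer-100.64.0.1-tunnel-0|1> initiating Main Mode IKE_SA peer-100.64.0.1-tunnel-0[1] to 100.64.0.1
Jun 19 14:03:54 vyos charon: 07[ENC] <peer-100.64.0.1-tunnel-0|1> parsed INFORMATIONAL_V1 request 3793066263 [ N(NO_PROP) ]
Jun 19 14:03:54 vyos charon: 07[IKE] <peer-100.64.0.1-tunnel-0|1> received NO_PROPOSAL_CHOSEN error notify
Jun 19 14:03:55 vyos charon: 09[NET] <peer-100.64.0.5-tunnel-0|2> sending packet: from 100.64.0.2[500] to 100.64.0.5[500] (180 bytes)
Jun 19 14:03:56 vyos charon: 00[DMN] constructed message without a prefix
"""

# The "<name|id> " part is optional: this example assumes some lines are
# logged without it and files them under a separate key.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]{3})\] "
    r"(?:<(?P<name>[^|>]+)\|(?P<sa_id>\d+)> )?(?P<msg>.*)$"
)
ERROR_RE = re.compile(r"received (\w+) error notify")

def parse(line):
    """Return the fields of one charon syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    """Group lines by connection name and collect error notifies per peer."""
    peers = defaultdict(lambda: {"lines": 0, "sa_ids": set(), "errors": []})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # not a charon line in the expected syslog layout
        entry = peers[rec["name"] or "(no ike_name prefix)"]
        entry["lines"] += 1
        if rec["sa_id"]:
            entry["sa_ids"].add(int(rec["sa_id"]))
        err = ERROR_RE.search(rec["msg"])
        if err:
            entry["errors"].append((rec["ts"], err.group(1)))
    return dict(peers)

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info["lines"], sorted(info["sa_ids"]), info["errors"])
```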

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)