
IPSec set log-mode broken
Closed, Resolved · Public · BUG

Description

set log-mode in IPSec is broken in VyOS 1.2:

How you can reproduce:

[edit vpn ipsec logging]
vyos@vyos-test# sh
 log-level 1
+log-modes mgr
[edit vpn ipsec logging]
vyos@vyos-test# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source mgr to loglevel 1], received error code 65280

Logging documentation of StrongSwan: https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

A log-mode option 'all' would also be useful. Thanks

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2 999 nightly build 201711232137
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Normal priority.
syncer moved this task from Need Triage to Backlog on the VyOS 1.2 Crux board.
syncer added subscribers: c-po, syncer.

Hey @c-po, can you check this one?

I can't reproduce this.

cpo@AC1# set vpn ipsec logging log-modes mgr
[edit]
cpo@AC1# commit
[ vpn ]
Restarting Next Hop Resolution Protocol: opennhrpopennhrp[18746]: OpenNHRP debian/0.14.1-1+vyos2+current1-2-geb8d3d0 starting
.
[edit]

Some more information would be useful, e.g. what have you done before?

thanks @c-po.
I don't know what other information could be relevant. It's an instance on AWS. Nothing special before. The log-modes are set after the error messages. I can say that. Look at this here:

[edit vpn ipsec logging]
vyos@vyos-test# sh
 log-level 1
 log-modes mgr
[edit vpn ipsec logging]
vyos@vyos-test# del log-modes
[edit vpn ipsec logging]
vyos@vyos-test# sh
 log-level 1
-log-modes mgr
[edit vpn ipsec logging]
vyos@vyos-test# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Deactivating log source mgr], received error code 65280

[edit vpn ipsec logging]
vyos@vyos-test# sh
 log-level 1
[edit vpn ipsec logging]
vyos@vyos-test# set log-modes mgr
[edit vpn ipsec logging]
vyos@vyos-test# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source mgr to loglevel 1], received error code 65280

[edit vpn ipsec logging]
vyos@vyos-test# sh
 log-level 1
 log-modes mgr

Hmm, what could be the difference between your test and mine?

Currently I'm running VyOS 999.201711072137 but upgrading to 999.201711232137 still works.

yes that's the version I tested on

Can you please try the following: set up your IPSEC connection w/o log-modes and check that after commit your connection is online. In a second step try set vpn ipsec logging log-modes mgr.

Could be a possible race condition when setting up all at once.

That's exactly how I tested before. All other vpn config was done before and is running fine (commit and saved). As soon as I change (set or delete) something at 'vpn ipsec logging log-level' or 'vpn ipsec logging log-modes' I get this message:

connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Deactivating log source mgr], received error code 65280

or

Warning: unable to [Stroking log source mgr to loglevel 1], received error code 65280

I see here something similar on pfsense: https://redmine.pfsense.org/issues/4520

Can you please do a ls -al /run and check for charon.ctl?

vyos@vyos-test# ls -al /run
total 56
drwxr-xr-x 25 root     root       900 Nov 27 21:29 .
drwxr-xr-x  1 root     root      4096 Nov 24 20:22 ..
drwxr-xr-x  2 root     root        40 Nov 24 20:23 agentx
-rw-r--r--  1 root     root         5 Nov 24 20:22 atd.pid
drwxr-xr-x  2 root     root        80 Nov 24 20:22 blkid
srwxrwx---  1 root     root         0 Nov 27 21:29 charon.ctl
-rw-r--r--  1 root     root         6 Nov 27 21:29 charon.pid
srwxrwx---  1 root     root         0 Nov 27 21:29 charon.vici
-rw-r--r--  1 root     root         5 Nov 24 20:22 crond.pid
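
The listing above shows `charon.ctl` present on disk while the commit still reports `Connection refused`; a socket file existing does not prove that a process is accepting connections on it. The following added example (not part of the original thread and not VyOS or strongSwan code) probes a Unix socket path and separates those cases; the function names and the temporary paths are constructed for illustration.

```python
import errno
import os
import socket
import stat
import tempfile


def probe_unix_socket(path, timeout=1.0):
    """Classify a Unix stream socket path by attempting a connect()."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"              # ENOENT: no file at all
    except PermissionError:
        return "permission-denied"    # cannot traverse the directory
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"         # e.g. a .pid file
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect(path)
    except ConnectionRefusedError:
        return "stale"                # file exists, nobody is listening
    except PermissionError:
        return "permission-denied"    # no write access to the socket
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        client.close()
    return "listening"


def demo():
    """Build constructed sample sockets in a temp dir and probe each one."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n) for n in ("live", "stale", "plain", "missing")}
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(paths["live"])
        server.listen(1)
        dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        dead.bind(paths["stale"])
        dead.close()                  # socket file stays behind without a listener
        with open(paths["plain"], "w") as fh:
            fh.write("1234\n")
        results = {n: probe_unix_socket(p) for n, p in paths.items()}
        server.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:8s} {state}")
```
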

Unfortunately I can't reproduce this. @Line2 could you please try with the latest version again?

I just tested on VyOS 999.201802080337 with same result:

[edit vpn ipsec logging]
vyos@vyos-test# show
[edit vpn ipsec logging]
vyos@vyos-test# set log-modes mgr
[edit vpn ipsec logging]
vyos@vyos-test# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source mgr to loglevel 1], received error code 65280

[edit vpn ipsec logging]
vyos@vyos-test# show
 log-modes mgr

Ah ok, you are in edit mode, this is different to me.

Could you please post a sanitized IPSec configuration with show tech-support?

I also tried without edit mode like this with same result:

[edit]
vyos@vyos-test# show vpn ipsec logging
[edit]
vyos@vyos-test# set vpn ipsec logging log-modes mgr
[edit]
vyos@vyos-test# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source mgr to loglevel 1], received error code 65280

[edit]
vyos@vyos-test#

and show tech-support with IPSec config {F33222}

I just tested this one again in VyOS-1.2.0-rolling+201805220337. Setting IPSec log-modes works! commit without errors. Maybe fixed by update to latest strongSwan version.

This one should be closed and reopened if required @syncer

@Line2 THX for assistance