[strongSwan-dev] logging: unique connection IDs?

Harald Dunkel harald.dunkel at aixigo.com
Mon Aug 19 10:16:45 CEST 2019

Hi Tobias,

On 8/16/19 3:27 PM, Tobias Brunner wrote:
> Hi Harald,
>> if I restart charon, then the connection IDs in the logfile start
>> by 1 again, making logfile analysis pretty difficult. The IDs are
>> not unique.
> Couldn't you e.g. split the log based on messages referring to the
> daemon's restart before analyzing it (or consider the timestamps in your
> analysis).

Doesn't really help: The log files are already rotated. I would have
to distinguish between "old" and "new" log files, i.e. introduce my
own connection ids.

>> Would it be possible to use a random number for the first ID after
>> a restart instead? Still not perfect, but the chance to get unique
>> IDs is much higher.
> Hm, these are simply static variables initialized to zero (one for IKE
> and one for CHILD SAs).  I suppose it would theoretically be possible to
> initialize them to a random value as an option somehow.  But we'd have
> to make sure they are only initialized once, so wrap-arounds and
> concurrency are handled properly, however, we don't have a portable
> pthread_once abstraction yet.

Maybe it would be possible to use an alphanumerical identifier similar
to the connection identifiers in sendmail's log file, e.g.
"x7J7j1kb2487133". Could be generated using something like

echo $n $remoteIP $remoteport $localIP $localport `date` | md5sum

or another cryptographic function. I am sure you get the idea. $n
is the current incremental connection ID, still starting at 1 with
each restart.
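As an added illustration of the scheme sketched above (not code from strongSwan or from the thread), the function below derives a sendmail-style 15-character alphanumeric identifier from the same fields as the echo pipeline: the per-restart counter, the peer and local addresses and ports, and the daemon's start time. It assumes the start time is captured once at daemon startup and reused for every connection in that lifetime, and it uses SHA-256 in place of md5sum; the address and timestamp values are constructed sample data.

```python
import hashlib
import string

# Digits, upper- and lower-case letters: 62 symbols, like sendmail's queue IDs.
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
ID_LENGTH = 15


def _base62(value, length):
    """Encode a non-negative integer as a fixed-width base-62 string
    (keeps the low `length` digits, i.e. reduces modulo 62**length)."""
    out = []
    for _ in range(length):
        value, rem = divmod(value, 62)
        out.append(ALPHABET[rem])
    return "".join(reversed(out))


def connection_id(n, remote_ip, remote_port, local_ip, local_port, started_at):
    """Derive a log identifier for connection number `n` of one daemon lifetime.

    `n` restarts at 1 after every daemon restart, so `started_at` (the start
    time of this daemon instance, assumed to be recorded once at startup) is
    what keeps identifiers from different lifetimes apart.  The field order
    mirrors the echo pipeline in the mail; SHA-256 stands in for md5sum.
    """
    material = f"{n} {remote_ip} {remote_port} {local_ip} {local_port} {started_at}"
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    # 12 digest bytes (96 bits) feed the encoder; 15 base-62 symbols hold ~89 bits.
    return _base62(int.from_bytes(digest[:12], "big"), ID_LENGTH)


def ids_across_restarts(n, remote_ip, remote_port, local_ip, local_port, start_times):
    """Return the identifier the same counter value gets in successive
    daemon lifetimes (one start time per restart)."""
    return [connection_id(n, remote_ip, remote_port, local_ip, local_port, t)
            for t in start_times]


if __name__ == "__main__":
    # Constructed sample: the same peer is connection #1 after two restarts.
    restarts = ["2019-08-19T10:16:45Z", "2019-08-19T11:02:07Z"]
    for t, cid in zip(restarts, ids_across_restarts(1, "203.0.113.5", 500,
                                                    "198.51.100.7", 500, restarts)):
        print(f"started {t}: connection 1 -> {cid}")
```

Because the digest is one-way, the log line should still carry the plain counter next to the derived identifier if you want to correlate with other output that only knows the counter.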
