[strongSwan] StrongSwan Setup Questions

Chris Arnold carnold at electrichendrix.com
Sat Mar 31 03:58:42 CEST 2012


>> -Where is the authlog located?
>IIRC, strongswan logs to syslog by default. Have a look at
><http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
>if you want to customize logging.

OK, I have configured strongSwan on both servers, created the certs on both servers and opened 500 and 4500 on both firewalls. I try to ping the remote network and get 0 replies. I am a little confused about where the log entries go in strongswan.conf. Here is said file:
# strongswan.conf - strongSwan configuration file

# A section name may only be defined once per level, so the logger
# settings live inside the same charon section as the thread and
# plugin settings rather than in a second charon block.
charon {

	# number of worker threads in charon
	threads = 16

	# plugins to load in charon
	# load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown

	plugins {

		sql {
			# loglevel to log into sql database
			loglevel = -1

			# URI to the database
			# database = sqlite:///path/to/file.db
			# database = mysql://user:password@localhost/database
		}
	}

	# Two defined file loggers. Each subsection is either a file
	# in the filesystem or one of: stdout, stderr.
	filelog {
		/var/log/charon.log {
			# add a timestamp prefix
			time_format = %b %e %T
			# loggers to files also accept the append option to open files in
			# append mode at startup (default is yes)
			append = no
			# the default loglevel for all daemon subsystems (defaults to 1).
			default = 1
			# flush each line to disk
			flush_line = yes
		}
		stderr {
			# more detailed loglevel for a specific subsystem, overriding the
			# default loglevel.
			ike = 2
			knl = 3
			# prepend connection name, simplifies grepping
			ike_name = yes
		}
	}

	# And two loggers using syslog. The subsections define the facility to log
	# to, currently one of: daemon, auth.
	syslog {
		# default level to the LOG_DAEMON facility
		daemon {
		}
		# very minimalistic IKE auditing logs to LOG_AUTHPRIV
		auth {
			default = -1
			ike = 0
		}
	}

	# ...
}

pluto {

	# plugins to load in pluto
	# load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

	#  set to no, the DH exponent size is optimized
	#  dh_exponent_ansi_x9_42 = no
}

Is this right for the log file? I also restarted ipsec and looked in /var/log to see if I see the charon file, and I do not.
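As an added example (not part of this post or of strongSwan itself), here is a small Python parser for the strongswan.conf brace syntax shown above. It flags any section that is defined more than once at the same level, which is the easiest way for logger settings to end up somewhere other than where you expect, and lists the charon log sinks together with their effective default loglevel. It assumes only the subset of the syntax used in the posted file (comments, nested sections, `key = value`), skips `include` lines, does not support `#` inside a value, and runs over a constructed sample that mirrors the posted file's shape.

```python
"""Parse strongswan.conf-style text, report duplicate sections and log sinks.

Added example, not strongSwan code.  Supports comments, nested sections and
`key = value`; `include` lines are skipped and `#` inside a value is not
handled (assumption: the posted file needs neither).
"""
import re

# Constructed sample: two top-level `charon` sections, as in the posted file.
SAMPLE_CONF = """\
# strongswan.conf - constructed sample
charon {
    threads = 16
    plugins {
        sql {
            loglevel = -1
        }
    }
}

libstrongswan {
    #  dh_exponent_ansi_x9_42 = no
}

charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            flush_line = yes
        }
        stderr {
            ike = 2
            knl = 3
        }
    }
    syslog {
        daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
}
"""

SECTION_RE = re.compile(r"^(\S+)\s*\{$")          # `name {`
SETTING_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")  # `key = value`


def parse(text):
    """Return (tree, duplicates).

    tree is a nested dict of sections and settings.  A section name that
    appears twice at the same level is merged into one dict and its dotted
    path is appended to duplicates, so the caller can see that settings
    were spread over several blocks.
    """
    root = {}
    stack = [("", root)]  # (dotted path, section dict) for each open brace
    duplicates = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("include "):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            parent_path, parent = stack[-1]
            path = f"{parent_path}.{name}".lstrip(".")
            if isinstance(parent.get(name), dict):
                duplicates.append(path)  # same section opened a second time
            else:
                parent[name] = {}
            stack.append((path, parent[name]))
            continue
        m = SETTING_RE.match(line)
        if m:
            stack[-1][1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root, duplicates


def log_sinks(tree):
    """List (kind, target, default_level) for every filelog/syslog sink.

    The default loglevel is 1 when a sink does not set `default`, matching
    the comment in the posted configuration.
    """
    charon = tree.get("charon", {})
    sinks = []
    for kind in ("filelog", "syslog"):
        for target, opts in charon.get(kind, {}).items():
            if isinstance(opts, dict):
                sinks.append((kind, target, opts.get("default", "1")))
    return sinks


if __name__ == "__main__":
    tree, dups = parse(SAMPLE_CONF)
    for path in dups:
        print(f"section '{path}' is defined more than once")
    for kind, target, level in log_sinks(tree):
        print(f"{kind:8s} {target:25s} default loglevel {level}")
```

Run it against a real file with `parse(open("/etc/strongswan.conf").read())`; a non-empty `duplicates` list or a missing `filelog` entry for the path you expect explains a charon.log that never appears.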