[strongSwan] log
richard lucassen
mailinglists at lucassen.org
Thu Jul 28 15:19:35 CEST 2016
On Thu, 28 Jul 2016 11:59:55 +0200
Tobias Brunner <tobias at strongswan.org> wrote:
> > How do I know which tunnel is logging e.g. the following line?:
> >
> > Jul 28 11:27:18 vpn2 charon: 13[IKE] retransmit 1 of request with
> > message ID 0
>
> Please have a look at [1], in particular the `ike_name` setting.
Ok, thnx, I'll have to wait until the weekend as this has become a
production tunnel a bit too early :-(
BTW: I'm connecting to a Juniper SRX240 redundant cluster and the
lifetime is 8 hours. The connection goes down for about half an hour
each 8 hours. I think that one side is using the new SA while the
other end is still expecting the old SA. Setting DPD reduces the
downtime to a few minutes, but do you have an idea why this happens?
I've seen this behaviour more than once btw, and it always occurs
using ipsec between different vendors. This is the config of the tunnel,
it's strongswan 5.2, the one that comes with Debian Jessie and I did
not touch any default settings:
esp=aes256-sha1
authby=psk
type=tunnel
left=5.6.7.8
leftsubnet=55.66.77.88/32
leftid=5.6.7.8
right=1.2.3.4
rightsubnet=11.22.33.44/32
rightid=1.2.3.4
keyexchange=ikev1
ikelifetime=28800s
keylife=3600s
auto=route
dpdaction=restart
dpddelay=10s
dpdtimeout=120s
To try to find out what's happening I need to set the logging to debug,
that's why I asked this question. The problem is that when I restart
ipsec, the four tunnels are logging simultaneously and with the
standard logging I'm not able to filter the messages of one particular
tunnel. This is what I actually see in the logs when the connection
went down (just guessed what lines belong to this particular tunnel):
http://tmp.xaq.nl/ipsec.txt
The other tunnels are running without problems btw.
R.
--
richard lucassen
http://contact.xaq.nl/
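As an added example (not part of this thread or of strongSwan itself), a small Python parser for charon syslog lines that splits them per tunnel once `ike_name = yes` is set under `charon.syslog.daemon` in strongswan.conf, which makes charon print a `<conn-name|ike-sa-id>` tag after the `[IKE]` group. The tunnel names and all sample lines except the one quoted in the mail are constructed; a new IKE_SA id showing up for the same connection around the 8-hour mark is the rekey, which is where the suspected old-SA/new-SA mismatch would become visible.

```python
import re
from collections import defaultdict

# Syslog line written by charon. With charon.syslog.daemon.ike_name = yes in
# strongswan.conf, the "<conn-name|ike-sa-id>" tag follows the log group.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)

def parse_charon_line(line):
    """Return a dict of fields, or None if the line is not a charon log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def by_tunnel(lines):
    """Group parsed lines by connection name. Lines written before ike_name
    was enabled carry no tag and land under the key None."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_charon_line(line)
        if rec is not None:
            groups[rec["conn"]].append(rec)
    return groups

def sa_ids(records):
    """Distinct IKE_SA ids for one tunnel, in order of first appearance.
    A second id is the rekeyed SA; compare its timestamp with the outage."""
    seen = []
    for r in records:
        if r["sa"] is not None and r["sa"] not in seen:
            seen.append(r["sa"])
    return seen

# Constructed sample: the first line is the one quoted in the mail (no tag),
# the others show the format with ike_name enabled; tunnel names are made up.
SAMPLE = """\
Jul 28 11:27:18 vpn2 charon: 13[IKE] retransmit 1 of request with message ID 0
Jul 28 11:27:20 vpn2 charon: 05[IKE] <srx-cluster|3> retransmit 1 of request with message ID 0
Jul 28 11:27:21 vpn2 charon: 07[IKE] <office-b|4> sending DPD request
Jul 28 11:27:24 vpn2 charon: 05[IKE] <srx-cluster|3> retransmit 2 of request with message ID 0
Jul 28 11:27:30 vpn2 charon: 09[IKE] <srx-cluster|5> IKE_SA srx-cluster[5] established
"""

if __name__ == "__main__":
    groups = by_tunnel(SAMPLE.splitlines())
    for rec in groups["srx-cluster"]:
        print(rec["ts"], rec["sa"], rec["msg"])
    print("IKE_SA ids for srx-cluster:", sa_ids(groups["srx-cluster"]))
```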