
VPN IPsec log level does not work
Closed, Resolved | Public | BUG

Description

VPN IPsec log level does not work

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret '1234567890'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec log level '2'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '100.64.1.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '100.64.2.0/24'

For 1.4.x, the expected value of the charon.syslog.daemon.default option in the file /etc/strongswan.d/charon-logging.conf is 2.

But this option does not work.

vyos@r14# cat /etc/strongswan.d/charon-logging.conf 

charon {
    syslog {
        # prefix for each log message
        identifier = charon
        # use default settings to log to the LOG_DAEMON facility
        daemon {
            default = 1
            ike_name = yes
        }
    }
}

I do not see that we parse and use the log.level option anywhere in the templates: https://github.com/vyos/vyos-1x/tree/current/data/templates/ipsec

For the rolling release, the expected logging file:

vyos@r14# cat /etc/strongswan.d/charon-systemd.conf 

charon-systemd {

    # Section to configure native systemd journal logger, very similar to the
    # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5).
    journal {

        # Loglevel for a specific subsystem.
        # <subsystem> = <default>

        # Default loglevel.
        default = 2
    }

}

Details

Version: VyOS 2025.03.27-0018-rolling, 1.4.1
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
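A way to check for the mismatch described in this report, added here as an example (not VyOS or strongSwan code): it parses the rendered strongSwan file and compares the default loglevel with the value from `set vpn ipsec log level`. The function names are hypothetical, the parser covers only the `section { key = value }` subset of strongswan.conf syntax seen above, and the 1:1 mapping between the VyOS level and the strongSwan default loglevel is assumed from the report's stated expectation.

```python
import re

# Abridged from the 1.4.x output quoted in the report above.
CHARON_LOGGING = """charon {
    syslog {
        identifier = charon
        # use default settings to log to the LOG_DAEMON facility
        daemon {
            default = 1
        }
    }
}
"""
VYOS_COMMANDS = "set vpn ipsec interface 'eth1'\nset vpn ipsec log level '2'\n"

def parse_strongswan(text):
    """Parse nested 'name { key = value }' sections into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def lookup(tree, dotted):
    # Walk a dotted option path such as charon.syslog.daemon.default.
    for part in dotted.split("."):
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree

def check_log_level(commands, rendered, option):
    m = re.search(r"^set vpn ipsec log level '?(\d+)'?", commands, re.M)
    want = m.group(1) if m else None
    got = lookup(parse_strongswan(rendered), option)
    return {"configured": want, "rendered": got, "match": want is not None and want == got}
```

For the rolling release, the option path to pass is `charon-systemd.journal.default` against /etc/strongswan.d/charon-systemd.conf.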