IPSEC Log Empty

chriscarpenter12 · October 13, 2018, 1:12pm

I am trying to debug a new IPSEC VPN on vyos 1.2. I can’t seem to get any logging why my phase 2 isn’t coming up. Log is basically empty.

I see a reference to another post from last December.

$ show log vpn all
Oct 12 23:20:36 localhost systemd[1]: Starting LSB: Cleans up pppoe peers files...
Oct 12 23:20:36 localhost systemd[1]: Started LSB: Cleans up pppoe peers files.

IPSEC:

vpn {
    ipsec {
        esp-group ESP-AES128-SHA1-LT3600 { ... }
        ike-group IKE-AES128-SHA1-LT28800 { ... }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 2
        }
        nat-traversal enable

Firewall:

name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group LOGIN-IPS
                }
            }
            state {
                new enable
            }
        }
        rule 40 {
            action accept
            ipsec {
                match-ipsec
            }
            log enable
        }
        rule 50 {
            action accept
            destination {
                port 500
            }
            log enable
            protocol udp
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 60 {
            action accept
            destination {
                port 4500
            }
            log enable
            protocol udp
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 70 {
            action accept
            log enable
            protocol esp
            state {
                established enable
                new enable
                related enable
            }
        }
    }

I can see my IKE is up, but IPSEC never comes up. How can I get better logs?

netarchitect · October 22, 2018, 6:09pm

I found I needed to use journalctl to get at the logs as show log vpn ipsec was not getting me anything.

sudo journalctl | grep charon