Hi, I have upgraded one of my VyOS routers to 1.2.3. I noticed that the logs report a lot of the below, which looks like NAT keepalives. Is this normal and, if so, is there a way to suppress these?
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] received packet: from *.*.78.140[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] parsed INFORMATIONAL_V1 request 337600209 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] generating INFORMATIONAL_V1 request 1855294023 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] sending packet: from *.*.2.24[4500] to *.*.78.140[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 06[NET] received packet: from *.*.131.238[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 06[ENC] parsed INFORMATIONAL_V1 request 3986625573 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 06[ENC] generating INFORMATIONAL_V1 request 3871781865 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 06[NET] sending packet: from *.*.2.24[4500] to *.*.131.238[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 13[NET] received packet: from *.*.17.93[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 13[ENC] parsed INFORMATIONAL_V1 request 1464281430 [ HASH N(DPD) ]
Oct 18 12:19:55 vr1 charon[2570]: 13[ENC] generating INFORMATIONAL_V1 request 4264215386 [ HASH N(DPD_ACK) ]
Oct 18 12:19:55 vr1 charon[2570]: 13[NET] sending packet: from *.*.2.24[4500] to *.*.17.93[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 05[NET] received packet: from 52.58.104.35[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 05[ENC] parsed INFORMATIONAL_V1 request 1395098484 [ HASH N(DPD) ]
Oct 18 12:19:55 vr1 charon[2570]: 05[ENC] generating INFORMATIONAL_V1 request 2286900408 [ HASH N(DPD_ACK) ]
Oct 18 12:19:55 vr1 charon[2570]: 05[NET] sending packet: from *.*.2.24[4500] to 52.58.104.35[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 08[NET] received packet: from *.*.7.174[500] to *.*.2.24[500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 08[ENC] parsed INFORMATIONAL_V1 request 3130225679 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 08[ENC] generating INFORMATIONAL_V1 request 742869777 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 08[NET] sending packet: from *.*.2.24[500] to *.*.7.174[500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 14[NET] received packet: from *.*.19.229[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 14[ENC] parsed INFORMATIONAL_V1 request 1407259097 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 14[ENC] generating INFORMATIONAL_V1 request 1800667301 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 14[NET] sending packet: from *.*.2.24[4500] to *.*.19.229[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 10[NET] received packet: from *.*.127.166[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 10[ENC] parsed INFORMATIONAL_V1 request 3314563526 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 10[ENC] generating INFORMATIONAL_V1 request 3124265033 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 10[NET] sending packet: from *.*.2.24[4500] to *.*.127.166[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 06[NET] received packet: from *.*.82.65[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 06[ENC] parsed INFORMATIONAL_V1 request 2346058362 [ HASH N(DPD) ]
Oct 18 12:19:58 vr1 charon[2570]: 06[ENC] generating INFORMATIONAL_V1 request 172438870 [ HASH N(DPD_ACK) ]
Oct 18 12:19:58 vr1 charon[2570]: 06[NET] sending packet: from *.*.2.24[4500] to *.*.82.65[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 11[NET] received packet: from *.*.127.33[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 11[ENC] parsed INFORMATIONAL_V1 request 2356544550 [ HASH N(DPD) ]
Oct 18 12:19:58 vr1 charon[2570]: 11[ENC] generating INFORMATIONAL_V1 request 1006631227 [ HASH N(DPD_ACK) ]
Oct 18 12:19:58 vr1 charon[2570]: 11[NET] sending packet: from *.*.2.24[4500] to *.*.127.33[4500] (92 bytes)
Oct 18 12:20:00 vr1 charon[2570]: 08[NET] received packet: from *.*.17.93[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:20:00 vr1 charon[2570]: 08[ENC] parsed INFORMATIONAL_V1 request 3381045369 [ HASH N(DPD) ]
Oct 18 12:20:00 vr1 charon[2570]: 08[ENC] generating INFORMATIONAL_V1 request 1269840418 [ HASH N(DPD_ACK) ]
Oct 18 12:20:00 vr1 charon[2570]: 08[NET] sending packet: from *.*.2.24[4500] to *.*.17.93[4500] (92 bytes)
Secondly, martian packets are reported on my GRE tunnels because the far end sends keepalives. I did not see this in version 1.1.8. Is this expected behaviour?
Oct 21 07:51:48 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Oct 21 07:51:51 vr1 kernel: IPv4: martian source 169.254.200.5 from 169.254.200.6, on dev tun2
Oct 21 07:51:53 vr1 kernel: IPv4: martian source 169.254.200.1 from 169.254.200.2, on dev tun1
Oct 21 07:51:57 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Oct 21 07:52:01 vr1 kernel: IPv4: martian source 169.254.200.5 from 169.254.200.6, on dev tun2
Oct 21 07:52:02 vr1 kernel: IPv4: martian source 169.254.200.1 from 169.254.200.2, on dev tun1
Oct 21 07:52:07 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Hello @avdvyver, this is dead-peer-detection; you can decrease the interval.
About martian packets: if you know exactly what these packets are, you can ignore this. Also you can disable martian logging:
I hear what you are saying about the dpd packets, but there are definitely NAT keepalives being sent very frequently. Can these be suppressed by un-commenting and setting the below to 0 in /etc/strongswan.d/charon.conf? Or is there a different method?
Hi, is there any feedback on this? Having all these events logged really makes it difficult to find and diagnose actual issues. In the versions later than 1.1.8, the logging commands, e.g. show log vpn ipsec, are also broken (they do not return anything). Thanks
vyos@vr3.ew1a:~$ sh conf comm | match syslog
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
vyos@vr1:~$ sh log vpn ipsec
vyos@vr1:~$ conf
[edit]
vyos@vr1# set system syslog global facility daemon level all
[edit]
vyos@vr1# commit
[edit]
vyos@vr1# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vr1# exit
exit
vyos@vr1:~$ sh log vpn ipsec
Nov 4 08:24:43 vr1 charon: 10[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 4 08:24:43 vr1 charon: 10[ENC] parsed INFORMATIONAL_V1 request 3423371308 [ HASH N(DPD) ]
Nov 4 08:24:43 vr1 charon: 10[ENC] generating INFORMATIONAL_V1 request 3392349050 [ HASH N(DPD_ACK) ]
Nov 4 08:24:43 vr1 charon: 10[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 4 08:24:44 vr1 charon: 16[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov 4 08:24:44 vr1 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2974880587 [ HASH N(DPD) ]
Nov 4 08:24:44 vr1 charon: 16[ENC] generating INFORMATIONAL_V1 request 2223377023 [ HASH N(DPD_ACK) ]
Nov 4 08:24:44 vr1 charon: 16[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov 4 08:24:44 vr1 charon: 06[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 4 08:24:44 vr1 charon: 06[ENC] parsed INFORMATIONAL_V1 request 4232543034 [ HASH N(DPD) ]
Nov 4 08:24:44 vr1 charon: 06[ENC] generating INFORMATIONAL_V1 request 2526916029 [ HASH N(DPD_ACK) ]
Nov 4 08:24:44 vr1 charon: 06[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 4 08:24:45 vr1 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov 4 08:24:45 vr1 charon: 13[ENC] parsed INFORMATIONAL_V1 request 3267261688 [ HASH N(DPD) ]
Nov 4 08:24:45 vr1 charon: 13[ENC] generating INFORMATIONAL_V1 request 1734391610 [ HASH N(DPD_ACK) ]
Nov 4 08:24:45 vr1 charon: 13[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov 4 08:24:46 vr1 charon: 08[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 4 08:24:46 vr1 charon: 08[ENC] parsed INFORMATIONAL_V1 request 2404765121 [ HASH N(DPD) ]
So, to suppress IPSec informational events from being logged, should I:
a set system syslog global facility daemon level notice
b set system syslog global facility protocols level notice
c both a and b?
vyos@vr1:~$ sh conf comm | match syslog
set system syslog global facility all
set system syslog global facility daemon level 'notice'
set system syslog global facility protocols level 'all'
Unfortunately, now sh log vpn ipsec does not update, even when I break an IPSec tunnel from the far end. sh log contains all the IKE messages but sh log vpn ipsec does not include any new data.
Sorry for the confusion; charon is the IKE daemon, and only the daemon facility matters for this case. Use the info level; it must be enough for show log vpn ipsec output.
Okay thanks - I have changed it back. The only thing that is still outstanding is suppressing the informational DPD messages in the logs that are logged multiple times per second. These were not logged in 1.1.8 and I am migrating the config as is, with a few modifications here and there as the syntax requires, e.g. specifying the address family in the BGP config. All the DPD noise in the logs makes it quite difficult to fault-find.
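As an added illustration (not from this thread or from VyOS), a small Python filter for the charon line format shown above: it drops the four-line DPD/DPD_ACK exchanges that share a thread id, counts DPD requests per peer so an unusually chatty peer still stands out, and leaves real IKE exchanges and kernel messages (such as the martian lines) untouched. The sample lines and addresses are constructed.

```python
import re
from collections import Counter
# Layout of a charon syslog line: "<timestamp> <host> charon[pid]: <thread>[<group>] <message>"
LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ charon(?:\[\d+\])?: '
                     r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
DPD_RE = re.compile(r'INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD(?:_ACK)?\) \]')
PEER_RE = re.compile(r'from (?P<src>\S+)\[\d+\] to \S+\[\d+\]')

def filter_dpd(lines):
    """Return (lines worth reading, Counter of inbound DPD requests per peer address)."""
    # An inbound DPD exchange is four lines sharing one thread id:
    #   NET received -> ENC parsed N(DPD) -> ENC generating N(DPD_ACK) -> NET sending
    # NET lines carry no DPD marker, so each 'received packet' line is held until
    # its thread logs the next line, which decides whether it is dropped or released.
    kept, pending, suppress, per_peer = [], {}, set(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                          # kernel and other daemons: always keep
            kept.append(line)
            continue
        thread, group, msg = m['thread'], m['group'], m['msg']
        if group == 'NET' and msg.startswith('received packet'):
            if thread in pending:          # stale held line: release it, never lose it
                kept.append(pending.pop(thread))
            pending[thread] = line
        elif group == 'ENC' and DPD_RE.search(msg):
            held = pending.pop(thread, None)   # the 'received' half of this exchange
            if held and msg.startswith('parsed') and '(DPD)' in msg:
                per_peer[PEER_RE.search(held)['src']] += 1
            if msg.startswith('generating'):
                suppress.add(thread)       # also drop the 'sending packet' line that follows
        elif group == 'NET' and msg.startswith('sending packet') and thread in suppress:
            suppress.discard(thread)
        else:                              # real IKE traffic: release held line, then this one
            if thread in pending:
                kept.append(pending.pop(thread))
            kept.append(line)
    kept.extend(pending.values())          # receives still waiting for a follow-up
    return kept, per_peer

# Constructed sample in the format shown in the thread, using documentation addresses.
SAMPLE = """\
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] received packet: from 198.51.100.140[4500] to 203.0.113.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] parsed INFORMATIONAL_V1 request 337600209 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 07[NET] received packet: from 198.51.100.17[500] to 203.0.113.24[500] (332 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] generating INFORMATIONAL_V1 request 1855294023 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] sending packet: from 203.0.113.24[4500] to 198.51.100.140[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 07[ENC] parsed QUICK_MODE request 2061847389 [ HASH SA No ID ID ]
Oct 18 12:19:55 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Oct 18 12:19:55 vr1 charon[2570]: 13[NET] received packet: from 198.51.100.140[4500] to 203.0.113.24[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 13[ENC] parsed INFORMATIONAL_V1 request 1464281430 [ HASH N(DPD) ]
""".splitlines()
```

Run it over `show log vpn ipsec` output (for example `filter_dpd(sys.stdin)`) and only the QUICK_MODE exchange and the kernel line survive from the sample, with the DPD count showing two requests from 198.51.100.140.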