VyOS 1.2.3 IPSec logging

Hi, I have upgraded one of my VyOS routers to 1.2.3. I noticed that the logs report a lot of the below, which looks like NAT keepalives. Is this normal and, if so, is there a way to suppress these?

Oct 18 12:19:54 vr1 charon[2570]: 16[NET] received packet: from *.*.78.140[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] parsed INFORMATIONAL_V1 request 337600209 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] generating INFORMATIONAL_V1 request 1855294023 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] sending packet: from *.*.2.24[4500] to *.*.78.140[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 06[NET] received packet: from *.*.131.238[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 06[ENC] parsed INFORMATIONAL_V1 request 3986625573 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 06[ENC] generating INFORMATIONAL_V1 request 3871781865 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 06[NET] sending packet: from *.*.2.24[4500] to *.*.131.238[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 13[NET] received packet: from *.*.17.93[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 13[ENC] parsed INFORMATIONAL_V1 request 1464281430 [ HASH N(DPD) ]
Oct 18 12:19:55 vr1 charon[2570]: 13[ENC] generating INFORMATIONAL_V1 request 4264215386 [ HASH N(DPD_ACK) ]
Oct 18 12:19:55 vr1 charon[2570]: 13[NET] sending packet: from *.*.2.24[4500] to *.*.17.93[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 05[NET] received packet: from 52.58.104.35[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 05[ENC] parsed INFORMATIONAL_V1 request 1395098484 [ HASH N(DPD) ]
Oct 18 12:19:55 vr1 charon[2570]: 05[ENC] generating INFORMATIONAL_V1 request 2286900408 [ HASH N(DPD_ACK) ]
Oct 18 12:19:55 vr1 charon[2570]: 05[NET] sending packet: from *.*.2.24[4500] to 52.58.104.35[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 08[NET] received packet: from *.*.7.174[500] to *.*.2.24[500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 08[ENC] parsed INFORMATIONAL_V1 request 3130225679 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 08[ENC] generating INFORMATIONAL_V1 request 742869777 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 08[NET] sending packet: from *.*.2.24[500] to *.*.7.174[500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 14[NET] received packet: from *.*.19.229[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 14[ENC] parsed INFORMATIONAL_V1 request 1407259097 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 14[ENC] generating INFORMATIONAL_V1 request 1800667301 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 14[NET] sending packet: from *.*.2.24[4500] to *.*.19.229[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 10[NET] received packet: from *.*.127.166[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 10[ENC] parsed INFORMATIONAL_V1 request 3314563526 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 10[ENC] generating INFORMATIONAL_V1 request 3124265033 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 10[NET] sending packet: from *.*.2.24[4500] to *.*.127.166[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 06[NET] received packet: from *.*.82.65[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 06[ENC] parsed INFORMATIONAL_V1 request 2346058362 [ HASH N(DPD) ]
Oct 18 12:19:58 vr1 charon[2570]: 06[ENC] generating INFORMATIONAL_V1 request 172438870 [ HASH N(DPD_ACK) ]
Oct 18 12:19:58 vr1 charon[2570]: 06[NET] sending packet: from *.*.2.24[4500] to *.*.82.65[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 11[NET] received packet: from *.*.127.33[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 11[ENC] parsed INFORMATIONAL_V1 request 2356544550 [ HASH N(DPD) ]
Oct 18 12:19:58 vr1 charon[2570]: 11[ENC] generating INFORMATIONAL_V1 request 1006631227 [ HASH N(DPD_ACK) ]
Oct 18 12:19:58 vr1 charon[2570]: 11[NET] sending packet: from *.*.2.24[4500] to *.*.127.33[4500] (92 bytes)
Oct 18 12:20:00 vr1 charon[2570]: 08[NET] received packet: from *.*.17.93[4500] to *.*.2.24[4500] (92 bytes)
Oct 18 12:20:00 vr1 charon[2570]: 08[ENC] parsed INFORMATIONAL_V1 request 3381045369 [ HASH N(DPD) ]
Oct 18 12:20:00 vr1 charon[2570]: 08[ENC] generating INFORMATIONAL_V1 request 1269840418 [ HASH N(DPD_ACK) ]
Oct 18 12:20:00 vr1 charon[2570]: 08[NET] sending packet: from *.*.2.24[4500] to *.*.17.93[4500] (92 bytes)

Secondly, martian packets are reported on my GRE tunnels because the far end sends keepalives. I did not see this in version 1.1.8. Is this expected behaviour?

Oct 21 07:51:48 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Oct 21 07:51:51 vr1 kernel: IPv4: martian source 169.254.200.5 from 169.254.200.6, on dev tun2
Oct 21 07:51:53 vr1 kernel: IPv4: martian source 169.254.200.1 from 169.254.200.2, on dev tun1
Oct 21 07:51:57 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4
Oct 21 07:52:01 vr1 kernel: IPv4: martian source 169.254.200.5 from 169.254.200.6, on dev tun2
Oct 21 07:52:02 vr1 kernel: IPv4: martian source 169.254.200.1 from 169.254.200.2, on dev tun1
Oct 21 07:52:07 vr1 kernel: IPv4: martian source 169.254.200.57 from 169.254.200.58, on dev tun4

Thanks.
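The noise the poster describes has a fixed shape: one charon worker thread receives a packet, parses an INFORMATIONAL_V1 `N(DPD)`, generates the `N(DPD_ACK)` and sends it back, four lines with the same thread id. The filter below, an added example that is not from the thread or from VyOS/strongSwan, reconstructs those per-thread exchanges, drops the ones that are purely DPD ping/ack (counting them per peer so the keepalive rate is still visible), and passes everything else through untouched, including an incomplete exchange such as a DELETE, which is exactly the kind of event that gets buried. The log lines are constructed for the example, modelled on the thread's output, with RFC 5737 documentation addresses in place of the masked ones; the `charon:` form without a PID seen later in the thread is handled too.

```python
import re
from collections import Counter

# Constructed sample, modelled on the charon lines in the thread (addresses are
# documentation ranges). Threads 16 and 06 are pure DPD exchanges; thread 08 and
# 11 are single informational lines; thread 13 is a real event (a DELETE).
SAMPLE_LOG = """\
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] received packet: from 192.0.2.140[4500] to 198.51.100.24[4500] (92 bytes)
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] parsed INFORMATIONAL_V1 request 337600209 [ HASH N(DPD) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[ENC] generating INFORMATIONAL_V1 request 1855294023 [ HASH N(DPD_ACK) ]
Oct 18 12:19:54 vr1 charon[2570]: 16[NET] sending packet: from 198.51.100.24[4500] to 192.0.2.140[4500] (92 bytes)
Oct 18 12:19:55 vr1 charon[2570]: 08[IKE] local host is behind NAT, sending keep alives
Oct 18 12:19:56 vr1 charon[2570]: 06[NET] received packet: from 203.0.113.238[4500] to 198.51.100.24[4500] (92 bytes)
Oct 18 12:19:56 vr1 charon[2570]: 06[ENC] parsed INFORMATIONAL_V1 request 3986625573 [ HASH N(DPD) ]
Oct 18 12:19:56 vr1 charon[2570]: 06[ENC] generating INFORMATIONAL_V1 request 3871781865 [ HASH N(DPD_ACK) ]
Oct 18 12:19:56 vr1 charon[2570]: 06[NET] sending packet: from 198.51.100.24[4500] to 203.0.113.238[4500] (92 bytes)
Nov  4 08:24:43 vr1 charon: 11[IKE] IKE_SA peer-AWS[3] established between 198.51.100.24[198.51.100.24]...192.0.2.140[192.0.2.140]
Oct 18 12:19:58 vr1 charon[2570]: 13[NET] received packet: from 192.0.2.140[4500] to 198.51.100.24[4500] (108 bytes)
Oct 18 12:19:58 vr1 charon[2570]: 13[ENC] parsed INFORMATIONAL_V1 request 2146372451 [ HASH D ]
Oct 18 12:19:58 vr1 charon[2570]: 13[IKE] received DELETE for IKE_SA peer-AWS[3]
Oct 18 12:19:58 vr1 charon[2570]: 13[IKE] deleting IKE_SA peer-AWS[3] between 198.51.100.24[198.51.100.24]...192.0.2.140[192.0.2.140]
"""

# syslog timestamp, host, "charon[pid]:" or "charon:", "NN[SUBSYS] message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"charon(?:\[\d+\])?: (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"from (?P<src>\S+?)\[\d+\] to (?P<dst>\S+?)\[\d+\]")
DPD_RE = re.compile(r"INFORMATIONAL_V1 (?:request|response) \d+ \[ HASH N\(DPD(?:_ACK)?\) \]")


def parse_line(line):
    """Split one charon syslog line into its fields, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_dpd_exchange(entries):
    """True when a buffered per-thread exchange is nothing but DPD ping/ack."""
    enc = [e for e in entries if e["sub"] == "ENC"]
    net = [e for e in entries if e["sub"] == "NET"]
    other = [e for e in entries if e["sub"] not in ("ENC", "NET")]
    return (not other and len(net) == 2 and bool(enc)
            and all(DPD_RE.search(e["msg"]) for e in enc))


def filter_dpd(lines):
    """Return (kept_lines, dpd_count_per_peer) with DPD keepalive exchanges removed."""
    kept = []
    dpd_per_peer = Counter()
    pending = {}  # thread id -> lines buffered since that thread's 'received packet'

    def flush(thread):
        entries = pending.pop(thread, None)
        if not entries:
            return
        if is_dpd_exchange(entries):
            m = PEER_RE.search(entries[0]["msg"])
            dpd_per_peer[m.group("src") if m else "unknown"] += 1
        else:
            kept.extend(e["raw"] for e in entries)  # anything else survives intact

    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        e = parse_line(line)
        if e is None:
            kept.append(line)  # not a charon line: pass through untouched
            continue
        e["raw"] = line
        t = e["thread"]
        if e["sub"] == "NET" and e["msg"].startswith("received packet"):
            flush(t)  # a new inbound packet starts a new exchange on this thread
            pending[t] = [e]
        elif t in pending:
            pending[t].append(e)
            if e["sub"] == "NET" and e["msg"].startswith("sending packet"):
                flush(t)  # reply sent: the exchange is complete, classify it
        else:
            kept.append(line)
    for t in list(pending):
        flush(t)  # exchanges with no reply (e.g. a DELETE) are never DPD noise
    return kept, dpd_per_peer


if __name__ == "__main__":
    kept, counts = filter_dpd(SAMPLE_LOG.splitlines())
    print("\n".join(kept))
    for peer, n in counts.most_common():
        print(f"suppressed {n} DPD exchange(s) from {peer}")
```

Lines are grouped by charon's thread id rather than by adjacency because the daemon interleaves workers, as the thread's own excerpt shows. Lines of an exchange that never completes are emitted in a batch when the thread is reused or at end of input, so their position relative to other threads can shift slightly; the lines themselves are unchanged.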

Hello @avdvyver, this is dead-peer-detection; you can decrease the interval.
About martian packets: if you know exactly what these packets are, you can ignore them. You can also disable martian logging:

set firewall log-martians disable

Thanks! Disabled martian logging.

I hear what you are saying about the dpd packets, but there are definitely NAT keepalives being sent very frequently. Can these be suppressed by un-commenting and setting the below to 0 in /etc/strongswan.d/charon.conf? Or is there a different method?

# NAT keep alive interval.
# keep_alive = 20s

Can you provide the configuration of both sides? I think I need to reproduce this in the lab. I have never paid attention to these entries in the log.

show configuration commands | strip-private | match ipsec

Thank you.

This is an AWS AMI and VyOS detects that it is behind NAT during startup.

charon[30532]: 08[IKE] local host is behind NAT, sending keep alives

It would be great if there were a method of suppressing the NAT keepalive and DPD informational messages from the logs.

Config on VyOS side:

set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec esp-group GCP compression 'disable'
set vpn ipsec esp-group GCP lifetime '10800'
set vpn ipsec esp-group GCP mode 'tunnel'
set vpn ipsec esp-group GCP pfs 'enable'
set vpn ipsec esp-group GCP proposal 1 encryption 'aes128'
set vpn ipsec esp-group GCP proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS ikev2-reauth 'no'
set vpn ipsec ike-group AWS key-exchange 'ikev1'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group GCP dead-peer-detection action 'restart'
set vpn ipsec ike-group GCP dead-peer-detection interval '15'
set vpn ipsec ike-group GCP dead-peer-detection timeout '30'
set vpn ipsec ike-group GCP ikev2-reauth 'no'
set vpn ipsec ike-group GCP key-exchange 'ikev1'
set vpn ipsec ike-group GCP lifetime '36000'
set vpn ipsec ike-group GCP proposal 1 dh-group '2'
set vpn ipsec ike-group GCP proposal 1 encryption 'aes128'
set vpn ipsec ike-group GCP proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti3'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti5'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x authentication id 'xxx.xxx.132.220'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'GCP'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'GCP'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 'xxx.xxx.200.58/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'xxx.xxx.200.57/32'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti6'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti4'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 'xxx.xxx.200.2/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'xxx.xxx.200.1/32'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 'xxx.xxx.200.54/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'xxx.xxx.200.53/32'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'AWS'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'xxx.xxx.2.24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 'xxx.xxx.200.6/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'xxx.xxx.200.5/32'

Hi, is there any feedback on this? Having all these events logged really makes it difficult to find and diagnose actual issues. In the versions later than 1.1.8, the logging commands e.g. show log vpn ipsec is also broken (does not return anything). Thanks

Hi, about show log vpn ipsec: this is a known issue and it was fixed in VyOS 1.2.3. T1571 `show log vpn ipsec` produces no output
Can you provide show version

Version:          VyOS 1.2.3
Built by:         Sentrium S.L.
Built on:         Fri 13 Sep 2019 11:12 UTC
Build UUID:       eea47a51-d015-463d-8b40-508a55b38396
Build Commit ID:  24f1a74bc88f3a

Architecture:     x86_64
Boot via:         installed image
System type:      Xen HVM guest

Hardware vendor:  Xen
Hardware model:   HVM domU
Hardware S/N:     ec206f32-6c40-d8a6-42d6-acf8eeed09ef
Hardware UUID:    ec206f32-6c40-d8a6-42d6-acf8eeed09ef

Copyright:        VyOS maintainers and contributors

The command show log vpn ipsec works correctly on VyOS 1.2.3, and it does the following:

cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e charon
Can you confirm that the command show log vpn ipsec shows nothing?

Looks like charon logs are not written to /var/log/messages but elsewhere.

vyos@vr1:/var/log$ sh ver
Version:          VyOS 1.2.3
Built by:         Sentrium S.L.
Built on:         Fri 13 Sep 2019 11:12 UTC
Build UUID:       eea47a51-d015-463d-8b40-508a55b38396
Build Commit ID:  24f1a74bc88f3a

Architecture:     x86_64
Boot via:         installed image
System type:      Xen HVM guest

Hardware vendor:  Xen
Hardware model:   HVM domU
Hardware S/N:     ec206f32-6c40-d8a6-42d6-acf8eeed09ef
Hardware UUID:    ec206f32-6c40-d8a6-42d6-acf8eeed09ef

Copyright:        VyOS maintainers and contributors
vyos@vr1:/var/log$ sh log vpn ipsec
vyos@vr1:/var/log$ cat $(printf "%s\n" /var/log/messages* | sort -nr) | grep -e charon
vyos@vr1:/var/log$ sh log | tail -n 10
Oct 30 06:27:48 vr1 charon[30532]: 15[ENC] generating INFORMATIONAL_V1 request 1793407231 [ HASH N(DPD_ACK) ]
Oct 30 06:27:48 vr1 charon[30532]: 15[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Oct 30 06:27:48 vr1 charon[30532]: 05[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Oct 30 06:27:48 vr1 charon[30532]: 05[ENC] parsed INFORMATIONAL_V1 request 3655706159 [ HASH N(DPD) ]
Oct 30 06:27:48 vr1 charon[30532]: 05[ENC] generating INFORMATIONAL_V1 request 3582498717 [ HASH N(DPD_ACK) ]
Oct 30 06:27:48 vr1 charon[30532]: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Oct 30 06:27:50 vr1 charon[30532]: 10[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Oct 30 06:27:50 vr1 charon[30532]: 10[ENC] parsed INFORMATIONAL_V1 request 2401995041 [ HASH N(DPD) ]
Oct 30 06:27:50 vr1 charon[30532]: 10[ENC] generating INFORMATIONAL_V1 request 770921317 [ HASH N(DPD_ACK) ]
Oct 30 06:27:50 vr1 charon[30532]: 10[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)

The show log command uses sudo /bin/journalctl. Do you have set system syslog configured? Can you provide this?

vyos@vr3.ew1a:~$ sh conf comm | match syslog
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

Really interesting situation with the syslog level and the show log vpn ipsec command.
Try

set system syslog global facility daemon level all
commit

and then run show log vpn ipsec

Yep, that did it. Thank you.

vyos@vr1:~$ sh log vpn ipsec
vyos@vr1:~$ conf
[edit]
vyos@vr1# set system syslog global facility daemon level all
[edit]
vyos@vr1# commit
[edit]
vyos@vr1# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vr1# exit
exit
vyos@vr1:~$ sh log vpn ipsec
Nov  4 08:24:43 vr1 charon: 10[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov  4 08:24:43 vr1 charon: 10[ENC] parsed INFORMATIONAL_V1 request 3423371308 [ HASH N(DPD) ]
Nov  4 08:24:43 vr1 charon: 10[ENC] generating INFORMATIONAL_V1 request 3392349050 [ HASH N(DPD_ACK) ]
Nov  4 08:24:43 vr1 charon: 10[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov  4 08:24:44 vr1 charon: 16[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov  4 08:24:44 vr1 charon: 16[ENC] parsed INFORMATIONAL_V1 request 2974880587 [ HASH N(DPD) ]
Nov  4 08:24:44 vr1 charon: 16[ENC] generating INFORMATIONAL_V1 request 2223377023 [ HASH N(DPD_ACK) ]
Nov  4 08:24:44 vr1 charon: 16[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov  4 08:24:44 vr1 charon: 06[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov  4 08:24:44 vr1 charon: 06[ENC] parsed INFORMATIONAL_V1 request 4232543034 [ HASH N(DPD) ]
Nov  4 08:24:44 vr1 charon: 06[ENC] generating INFORMATIONAL_V1 request 2526916029 [ HASH N(DPD_ACK) ]
Nov  4 08:24:44 vr1 charon: 06[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov  4 08:24:45 vr1 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov  4 08:24:45 vr1 charon: 13[ENC] parsed INFORMATIONAL_V1 request 3267261688 [ HASH N(DPD) ]
Nov  4 08:24:45 vr1 charon: 13[ENC] generating INFORMATIONAL_V1 request 1734391610 [ HASH N(DPD_ACK) ]
Nov  4 08:24:45 vr1 charon: 13[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (92 bytes)
Nov  4 08:24:46 vr1 charon: 08[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov  4 08:24:46 vr1 charon: 08[ENC] parsed INFORMATIONAL_V1 request 2404765121 [ HASH N(DPD) ]

So, to suppress IPSec informational events from being logged, should I:
a set system syslog global facility daemon level notice
b set system syslog global facility protocols level notice
c both a and b?

Thanks

I think you need

set system syslog global facility daemon level notice
set system syslog global facility protocols level all

You can also set log-modes for ipsec:

vyos@R1# set vpn ipsec logging log-modes 
Possible completions:
   dmn          Debug log option for strongSwan
   mgr          Debug log option for strongSwan
   ike          Debug log option for strongSwan
   chd          Debug log option for strongSwan
   job          Debug log option for strongSwan
   cfg          Debug log option for strongSwan
   knl          Debug log option for strongSwan
   net          Debug log option for strongSwan
   asn          Debug log option for strongSwan
   enc          Debug log option for strongSwan
   lib          Debug log option for strongSwan
   esp          Debug log option for strongSwan
   tls          Debug log option for strongSwan
   tnc          Debug log option for strongSwan
   imc          Debug log option for strongSwan
   imv          Debug log option for strongSwan
   pts          Debug log option for strongSwan
   any          Debug log option for strongSwan

Each log message also carries a source indicating which subsystem in the daemon it came from:

  • app: applications other than daemons
  • asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
  • cfg: Configuration management and plugins
  • chd: CHILD_SA/IPsec SA
  • dmn: Main daemon setup/cleanup/signal handling
  • enc: Packet encoding/decoding encryption/decryption operations
  • esp: libipsec library messages
  • ike: IKE_SA/ISAKMP SA
  • imc: Integrity Measurement Collector
  • imv: Integrity Measurement Verifier
  • job: Jobs queuing/processing and thread pool management
  • knl: IPsec/Networking kernel interface
  • lib: libstrongswan library messages
  • mgr: IKE_SA manager, handling synchronization for IKE_SA access
  • net: IKE network communication
  • pts: Platform Trust Service
  • tls: libtls library messages
  • tnc: Trusted Network Connect

Thanks - I have tried what you proposed.

vyos@vr1:~$ sh conf comm | match syslog
set system syslog global facility all
set system syslog global facility daemon level 'notice'
set system syslog global facility protocols level 'all'

Unfortunately, now sh log vpn ipsec does not update, even when I break an IPSec tunnel from the far end. sh log contains all the IKE messages but sh log vpn ipsec does not include any new data.

Sorry for the confusion; charon is the IKE daemon, and only the daemon facility matters for this case. Use the info level; it should be enough for show log vpn ipsec output.

Okay, thanks - I have changed it back. The only thing that is still outstanding is suppressing the informational DPD messages in the logs, which are logged multiple times per second. These were not logged in 1.1.8 and I am migrating the config as is, with a few modifications here and there as the syntax requires, e.g. specifying the address family in the BGP config. All the DPD noise in the logs makes it quite difficult to fault-find.

Try setting the charon log level to 0 for any subsystem. I hope this helps you.

set vpn ipsec logging log-level '0'
set vpn ipsec logging log-modes 'any'

Looking much better. Thanks a lot!