Message ID | 20200205112425.20108-2-michael.tremer@ipfire.org |
---|---|
State | Accepted |
Series | [1/2] ipsec: Add script to ensure VPNs are always on |
Commit Message
Michael Tremer
Feb. 5, 2020, 11:24 a.m. UTC
Charon has some verbose logging enabled by default. This clutters
the logs a lot.
This patch disables debug logging but still lets charon log important
messages like tunnels that are going up or down.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
html/cgi-bin/vpnmain.cgi | 3 +++
1 file changed, 3 insertions(+)
Comments
May I suggest that we also move the IPSec logging into its own file? It seems to me that, even with verbosity reduced, having it in /var/log/messages makes it a pain to locate anything else in the kernel log.

Tom

On 02/05/2020 6:24 AM, Michael Tremer wrote:
> Charon has some verbose logging enabled by default. This clutters
> the logs a lot.
>
> This patch disables debug logging but still lets charon log important
> messages like tunnels that are going up or down.
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index b3cd3e51e..d2bc70a27 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -266,6 +266,9 @@ sub writeipsecfiles { > flock CONF, 2; > flock SECRETS, 2; > print CONF "version 2\n\n"; > + print CONF "config setup\n"; > + print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n"; > + print CONF "\n"; > print CONF "conn %default\n"; > print CONF "\tkeyingtries=%forever\n"; > print CONF "\n"; >
Hi,

Are those logged messages really useful?

I know that there is a ticket open with this matter, but I am not sure if there is any value in the proposed changes.

https://bugzilla.ipfire.org/show_bug.cgi?id=11001

What are you getting from the logs that you won’t get right now?

I have to enable proper debugging every time I want to have a REALLY detailed look. Otherwise the amount of logs are very verbose and it is hard to find things.

Best,
-Michael

> On 5 Feb 2020, at 15:25, Tom Rymes <trymes@rymes.com> wrote:
>
> May I suggest that we also move the IPSec logging into its own file? It seems to me that, even with verbosity reduced, having it in /var/log/messages makes it a pain to locate anything else in the kernel log.
>
> Tom
>
> On 02/05/2020 6:24 AM, Michael Tremer wrote:
>> Charon has some verbose logging enabled by default. This clutters
>> the logs a lot.
>> This patch disables debug logging but still lets charon log important
>> messages like tunnels that are going up or down.
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> ---
>> html/cgi-bin/vpnmain.cgi | 3 +++
>> 1 file changed, 3 insertions(+)
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> index b3cd3e51e..d2bc70a27 100644 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -266,6 +266,9 @@ sub writeipsecfiles { >> flock CONF, 2; >> flock SECRETS, 2; >> print CONF "version 2\n\n"; >> + print CONF "config setup\n"; >> + print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n"; >> + print CONF "\n"; >> print CONF "conn %default\n"; >> print CONF "\tkeyingtries=%forever\n"; >> print CONF "\n";
I have no issue with reducing the amount of verbosity of the current IPSec logging. It has been helpful in the past when troubleshooting a new tunnel, but it's not a major deal. I was just hoping that whatever remaining messages are left after reducing the verbosity could be directed to /var/log/ipsec instead of /var/log/messages, as the IPSec messages can clutter up the kernel log, which can be annoying. We have 20+ tunnels on two different machines, so it can be quite extensive.

Tom

On 02/05/2020 11:55 AM, Michael Tremer wrote:
> Hi,
>
> Are those logged messages really useful?
>
> I know that there is a ticket open with this matter, but I am not sure if there is any value in the proposed changes.
>
> https://bugzilla.ipfire.org/show_bug.cgi?id=11001
>
> What are you getting from the logs that you won’t get right now?
>
> I have to enable proper debugging every time I want to have a REALLY detailed look. Otherwise the amount of logs are very verbose and it is hard to find things.
>
> Best,
> -Michael
>
>> On 5 Feb 2020, at 15:25, Tom Rymes <trymes@rymes.com> wrote:
>>
>> May I suggest that we also move the IPSec logging into its own file? It seems to me that, even with verbosity reduced, having it in /var/log/messages makes it a pain to locate anything else in the kernel log.
>>
>> Tom
>>
>> On 02/05/2020 6:24 AM, Michael Tremer wrote:
>>> Charon has some verbose logging enabled by default. This clutters
>>> the logs a lot.
>>> This patch disables debug logging but still lets charon log important
>>> messages like tunnels that are going up or down.
>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>> ---
>>> html/cgi-bin/vpnmain.cgi | 3 +++
>>> 1 file changed, 3 insertions(+)
>>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >>> index b3cd3e51e..d2bc70a27 100644 >>> --- a/html/cgi-bin/vpnmain.cgi >>> +++ b/html/cgi-bin/vpnmain.cgi
>>> @@ -266,6 +266,9 @@ sub writeipsecfiles { >>> flock CONF, 2; >>> flock SECRETS, 2; >>> print CONF "version 2\n\n"; >>> + print CONF "config setup\n"; >>> + print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n"; >>> + print CONF "\n"; >>> print CONF "conn %default\n"; >>> print CONF "\tkeyingtries=%forever\n"; >>> print CONF "\n"; >
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index b3cd3e51e..d2bc70a27 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -266,6 +266,9 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; + print CONF "config setup\n"; + print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n"; + print CONF "\n"; print CONF "conn %default\n"; print CONF "\tkeyingtries=%forever\n"; print CONF "\n";
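Review bot: The charondebug level is hard-coded to 0 for every subsystem in the `config setup` block that writeipsecfiles now emits, with no way to raise it from the settings this sub reads; because the sub regenerates ipsec.conf, the "enable proper debugging" step mentioned in the discussion has to be redone by hand every time the web UI rewrites the file. Consider taking the level from a configuration value that defaults to 0 (a hypothetical `$debuglevel`), so the emitted line becomes something like `print CONF "\tcharondebug=\"dmn $debuglevel, mgr $debuglevel, ...\"\n";` while the default output stays byte-for-byte what this patch produces. A one-line comment above the long string, noting that level 0 keeps only the basic audit messages such as tunnels going up or down (as the commit message states), would also spare the next reader from decoding the seventeen subsystem names.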