Netgate SG-1000 microFirewall

Author Topic: How to read a IPSec-Log  (Read 6968 times)

0 Members and 1 Guest are viewing this topic.

Offline Ruddimaster

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +1/-0
    • View Profile
How to read a IPSec-Log
« on: March 31, 2015, 02:06:13 am »
Hello,

we have approx 40 VPN-Tunnels. Since upgrade to strongswan ist isn't possible to separate the log entires to its VPN-Tunnel.
With Racoon in each entry the vpn description was included.

At this point I can't use this log for troubleshooting.
Is there an option like firewall log (rule) to add a column or something else?

Dirk

Offline Ruddimaster

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +1/-0
    • View Profile
Re: How to read a IPSec-Log
« Reply #1 on: April 01, 2015, 02:44:36 am »
I'm the only one with this problem?

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: How to read a IPSec-Log
« Reply #2 on: April 01, 2015, 02:46:01 am »
No, you are not the only one. The logs are absolutely useless flood of junk even with loglevel dropped to absolute minimum. The upstream guys need a heavy hit with a cluebat.
Do NOT PM for help!

Offline neik

  • Jr. Member
  • **
  • Posts: 50
  • Karma: +1/-1
    • View Profile
Re: How to read a IPSec-Log
« Reply #3 on: April 02, 2015, 01:04:07 pm »
I'm the only one with this problem?

You are not the only one, but I know it certainly seems like it sometimes. The racoon logs were great, whereas the new logs are useless.

Offline cmb

  • Hero Member
  • *****
  • Posts: 11228
  • Karma: +894/-7
    • View Profile
    • Chris Buechler
Re: How to read a IPSec-Log
« Reply #4 on: April 02, 2015, 01:18:08 pm »
Our log display code showed the associated tunnel by the IP in racoon's logs. The challenge with strongswan's logs is it doesn't necessarily have the IP in relevant lines nor any other way of differentiating easily. There's a ticket or two open in this area to help things here in the future where we can.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21493
  • Karma: +1458/-26
    • View Profile
Re: How to read a IPSec-Log
« Reply #5 on: April 02, 2015, 02:53:42 pm »
In addition to the identification problem, for interpreting the messages we are slowly building a list of example logs and explanations/fixes here:

https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

As we find more good examples, they will be added to the wiki.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline cmb

  • Hero Member
  • *****
  • Posts: 11228
  • Karma: +894/-7
    • View Profile
    • Chris Buechler
Re: How to read a IPSec-Log
« Reply #6 on: April 02, 2015, 11:15:25 pm »
This will help significantly.
https://github.com/pfsense/pfsense/commit/db9e5154d64dfc537870b44f5b262ff940c0be70

I didn't realize it was only enabled for auth facility previously. That'll help greatly in writing a GUI log parser in the future, and at least the text has identifiers now.

Now you'll have logs like:
Code: [Select]
Apr  2 23:54:02 22vpntest charon: 14[NET] <con2|1> received packet: from 203.0.113.44[500] to 1.2.3.27[500] (96 bytes)
Apr  2 23:54:02 22vpntest charon: 14[ENC] <con2|1> parsed INFORMATIONAL response 2 [ ]
Apr  2 23:54:12 22vpntest charon: 14[NET] <con2|1> received packet: from 203.0.113.44[500] to 1.2.3.27[500] (96 bytes)
Apr  2 23:54:12 22vpntest charon: 14[ENC] <con2|1> parsed INFORMATIONAL request 5 [ ]
Apr  2 23:54:12 22vpntest charon: 14[ENC] <con2|1> generating INFORMATIONAL response 5 [ ]

for connection con2 as shown by 'ipsec statusall'. That'll be in the next 2.2.2 snapshots.

Offline Ruddimaster

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +1/-0
    • View Profile
Re: How to read a IPSec-Log
« Reply #7 on: April 08, 2015, 03:13:37 am »
Hi cmb,

thanks for your reply. This will help to read the log extremely. In future it will be nice, it is possible to filter each tunnel. If you have approx 50 tunnells, there's a lot going on.

Offline Ruddimaster

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +1/-0
    • View Profile
Re: How to read a IPSec-Log
« Reply #8 on: April 27, 2015, 02:23:42 am »
I have upgraded to 2.2.2 an I am still unable to read this log:


Code: [Select]
Apr 27 09:13:57 charon: 15[ENC] <con17000|131734> parsed INFORMATIONAL_V1 request 395783956 [ HASH N(DPD_ACK) ]
Apr 27 09:13:57 charon: 15[NET] <con17000|131734> received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Apr 27 09:13:57 charon: 15[NET] <con17000|131734> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Apr 27 09:13:57 charon: 15[ENC] <con17000|131734> generating INFORMATIONAL_V1 request 1846969741 [ HASH N(DPD) ]
Apr 27 09:13:57 charon: 15[IKE] <con17000|131734> sending DPD request
Apr 27 09:13:57 charon: 15[IKE] <con17000|131734> sending DPD request
Apr 27 09:13:56 charon: 15[NET] <217862> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Apr 27 09:13:56 charon: 15[ENC] <217862> generating INFORMATIONAL_V1 request 3646241847 [ N(NO_PROP) ]
Apr 27 09:13:56 charon: 15[IKE] <217862> no proposal found
Apr 27 09:13:56 charon: 15[IKE] <217862> no proposal found
Apr 27 09:13:56 charon: 15[CFG] <217862> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Apr 27 09:13:56 charon: 15[CFG] <217862> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Apr 27 09:13:56 charon: 15[IKE] <217862> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Apr 27 09:13:56 charon: 15[IKE] <217862> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Apr 27 09:13:56 charon: 15[IKE] <217862> received DPD vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received DPD vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received XAuth vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received XAuth vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received Cisco Unity vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received Cisco Unity vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received strongSwan vendor ID
Apr 27 09:13:56 charon: 15[IKE] <217862> received strongSwan vendor ID
Apr 27 09:13:56 charon: 09[NET] <217861> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Apr 27 09:13:56 charon: 09[ENC] <217861> generating INFORMATIONAL_V1 request 3135978726 [ N(NO_PROP) ]
Apr 27 09:13:56 charon: 09[IKE] <217861> no proposal found
Apr 27 09:13:56 charon: 09[IKE] <217861> no proposal found
Apr 27 09:13:56 charon: 09[CFG] <217861> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Apr 27 09:13:56 charon: 09[CFG] <217861> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Apr 27 09:13:56 charon: 09[IKE] <217861> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Apr 27 09:13:56 charon: 09[IKE] <217861> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Apr 27 09:13:56 charon: 09[IKE] <217861> received DPD vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received DPD vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received XAuth vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received XAuth vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received Cisco Unity vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received Cisco Unity vendor ID
Apr 27 09:13:56 charon: 09[IKE] <217861> received strongSwan vendor ID

Can anyone send me a hint, to separate each entry to its own tunnel?


Offline cmb

  • Hero Member
  • *****
  • Posts: 11228
  • Karma: +894/-7
    • View Profile
    • Chris Buechler
Re: How to read a IPSec-Log
« Reply #9 on: April 27, 2015, 06:03:33 pm »
Can anyone send me a hint, to separate each entry to its own tunnel?

The one that shows "con17000" matches with the tunnel that shows as con17000 in the output of "ipsec statusall". The ones with no con* log marker, rather  <217862>, <217861>, are connection attempts that don't match any configured connection.

Offline mrjohnbravo

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-1
    • View Profile
Re: How to read a IPSec-Log
« Reply #10 on: January 25, 2017, 04:17:38 pm »
Quote
The one that shows "con17000" matches with the tunnel that shows as con17000 in the output of "ipsec statusall". The ones with no con* log marker, rather  <217862>, <217861>, are connection attempts that don't match any configured connection.

<RANT>
another case of dev's not using the software they write in a production environment.

This above reply is also entirely useless in the PFSense UI context as there is no reference in the GUI to the con number being referred to and so there is still no way to associate with an indvidual connection. And even when you go to ssh and run that command you get a non-static number for any given connection that may in fact change and  will have a new and seemingly arbitrary con number. And last but not least... in the GUI in the LOG when your troubleshooting skimming literally thousands of useless chatty entries it's extremely difficult to actually see con1000 vs con3000 vs con30000 vs con10000
. I'd be willing to pay a bounty for the solution to this issue as it has made troubleshooting any but the most simplistic of configurations a real nightmare.

</rant>



Offline nc21

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: How to read a IPSec-Log
« Reply #11 on: January 03, 2018, 08:10:04 am »
Several years after these pertinent remarks, it is sad to see that nothing has been done to make the log display readable.
Happy new year anyway  ;D