From b9392f59b5cc3543fbb5d64fb0d3994a9a031cd8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 22 Nov 2016 14:25:29 +0100
Subject: [PATCH] (ipsec) fix syslog output, eventually we should switch to the new style loggers, but for now it's better to make sure charondebug is respected. From the docs: Starting with version 4.2.9, strongSwan provides a much more flexible configuration of the loggers. Logger configurations in strongswan.conf have a higher priority than charondebug in ipsec.conf: If you define any loggers in strongswan.conf, charondebug does not have any effect at all.
---
 src/etc/inc/ipsec.inc | 42 +++++++++++++++++-----------------
 src/www/vpn_ipsec_settings.php | 5 ++--
 2 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 75c69ba07..9af8b00e1 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -29,11 +29,24 @@
 POSSIBILITY OF SUCH DAMAGE.
 */
 
-$ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE SA", "chd" => "IKE Child SA",
- "job" => "Job Processing", "cfg" => "Configuration backend", "knl" => "Kernel Interface",
- "net" => "Networking", "asn" => "ASN encoding", "enc" => "Message encoding",
- "imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service",
- "tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSWAN Lib"
+$ipsec_loglevels = array(
+ "asn" => "Low-level encoding/decoding (ASN.1, X.509 etc.)",
+ "cfg" => "Configuration management and plugins",
+ "chd" => "CHILD_SA/IPsec SA",
+ "dmn" => "Main daemon setup/cleanup/signal handling",
+ "enc" => "Packet encoding/decoding encryption/decryption operations",
+ "esp" => "libipsec library messages",
+ "ike" => "IKE_SA/ISAKMP SA",
+ "imc" => "Integrity Measurement Collector",
+ "imv" => "Integrity Measurement Verifier",
+ "job" => "Jobs queuing/processing and thread pool management",
+ "knl" => "IPsec/Networking kernel interface",
+ "lib" => "libstrongwan library messages",
+ "mgr" => "IKE_SA manager, handling synchronization for IKE_SA access",
+ "net" => "IKE network communication",
+ "pts" => "Platform Trust Service",
+ "tls" => "libtls library messages",
+ "tnc" => "Trusted Network Connect"
 );
 
 $p1_ealgos = array(
@@ -605,20 +618,7 @@ charon {
 ikesa_table_segments = 4
 init_limit_half_open = 1000;
 {$cnf_add_to_charon_section}
- # And two loggers using syslog. The subsections define the facility to log
- # to, currently one of: daemon, auth.
- syslog {
- identifier = charon
- # default level to the LOG_DAEMON facility
- daemon {
- }
- # very minimalistic IKE auditing logs to LOG_AUTHPRIV
- auth {
- default = -1
- ike = 1
- ike_name = yes
- }
- }
+
 EOD;
 
 $strongswan .= "\tplugins {\n";
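Review bot: The new `lib` entry in `$ipsec_loglevels` spells the library `libstrongwan`; the library is libstrongswan, and this string is presumably what the settings page shows as the field label, so it should read `"lib" => "libstrongswan library messages",`. The added `tnc` key also means the later loop in this file that reads `$config['ipsec']["ipsec_{$lkey}"]` will look for `ipsec_tnc`, so the settings page has to save that key for the new subsystem to be configurable; that part is not visible here.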
@@ -828,8 +828,8 @@ EOD;
 if (isset($ipsec_loglevels)) {
 foreach ($ipsec_loglevels as $lkey => $ldescr) {
 if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
- intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
- $cfg_loglevels[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1);
+ intval($config['ipsec']["ipsec_{$lkey}"]) >= -1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 4) {
+ $cfg_loglevels[] = "${lkey} " . $config['ipsec']["ipsec_{$lkey}"];
 }
 }
 }
diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php
index 30bc1f907..b0db23739 100644
--- a/src/www/vpn_ipsec_settings.php
+++ b/src/www/vpn_ipsec_settings.php
@@ -158,9 +158,10 @@ if (isset($input_errors) && count($input_errors) > 0) { ?>
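Review bot: In the `@@ -828,8 +828,8 @@` hunk of src/etc/inc/ipsec.inc, the new `$cfg_loglevels[]` line emits the stored string unchanged, while the range check above it is applied to `intval()` of that string, so the validated value and the written value can differ. `is_numeric()` also accepts decimals, exponent notation, a sign and leading whitespace, and such values pass the -1..4 test after truncation yet would reach the generated charondebug setting verbatim. Emit the normalised integer instead: `$cfg_loglevels[] = "${lkey} " . intval($config['ipsec']["ipsec_{$lkey}"]);`. Separately, values saved under the old 1..5 scale are now read one level higher and a stored 5 is silently skipped, so a config migration looks necessary unless it is handled outside this hunk. The enclosing function starts and ends outside the hunk.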