Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

security vpn ipsec logging

Specifies logging options for IPsec VPN.

set security vpn ipsec logging [ log-modes mode ]
delete security vpn ipsec logging [ log-modes ]
show security vpn ipsec logging [ log-modes ]
log-modes mode
Mandatory. Multi-node. The log mode to be used for IPsec log messages. Supported values are as follows:

all—Enables all logging options.

raw—Shows the raw bytes of messages.

crypt—Shows the encryption and decryption of messages.

parsing—Shows the structure of input messages.

emitting— Shows the structure of output messages.

control—Shows the decision-making process of the IKE daemon (Pluto).

private—Allows debugging output with private keys.

You can configure multiple log modes, by creating more than one log-mode configuration node.

Configuration mode

security {
        vpn {
            ipsec {
                logging {
                        log-modes mode
            }
        }
    }
}

Use this command to define logging options for IPsec VPN.

When this command is set, the system uses the vRouter 's internal VPN logging daemon for IPsec log messages.

The IPsec process generates log messages during operation. You can direct the system to send IPsec log messages to syslog. The result will depend on how the system syslog is configured.

Keep in mind that in the current implementation, the main syslog file reports only messages of severity warning and above, regardless of the severity level configured. If you want to configure a different level of severity for log messages (for example, if you want to see debug messages during troubleshooting), you must configure syslog to send messages into a different file, which you define within syslog.

Configuring log modes is optional. When a log mode is not configured, IPsec log messages consist mostly of IPsec startup and shutdown messages. The log modes allow you to direct the system to inspect the IPsec packets and report the results.

Note that some log modes (for example, all and control) generate several log messages per packet. Using any of these options may severely degrade system performance.

VPN IPsec log messages use standard syslog levels of severity.

Use the set form of this command to specify logging modes for IPsec VPN.

Use the delete form of this command to remove the logging configuration.

Use the show form of this command to view the logging configuration.