0 votes
2,144 views 6 comments
by anonymous
Hello:

Strongswan debug levels are controlled by the entry charondebug <debug list> which is placed in the "config setup" section of /etc/ipsec.conf.

One sets up /etc/ipsec.conf from the /etc/config/strongswan file and the /etc/init.d/ipsec file.

The format of the charondebug entry is as follows:

 charondebug="cfg 2, dmn 2, ike 2, net 2"

I'm having some issues with GRE over IPsec to a Cisco IOS router in India. It works perfectly from RUT-950 in Singapore but in India we're having strange issues. As such I need to bump up the debug level to 2 from the default of 1 to troubleshoot.

Questions:

1. The default /etc/ipsec.conf file has no "config setup" section. How do I create one?

2. Once the "config setup" is created, where do I set up the parameters for the charondebug entry? Is that done in the /etc/config/strongswan file or in the /etc/init.d/ipsec file? And the format of the entry would be what?

Any tips on this would be greatly appreciated.

Cheers,

john

1 Answer

0 votes
by anonymous

Hello,

From memory, in /etc/init.d/ipsec:

        swan_xappend "    daemon {"
        swan_xappend "      default = 1"
        swan_xappend "    }"

The default value is hardcoded at 1, increase it to 2 to 4 to suit your needs.

Regards,

by anonymous

root@CORS525:~# cat /etc/init.d/ipsec | grep swan_xappend

root@CORS525:~#

That value does not exist in /etc/init.d/ipsec.
Cheers,
John
by anonymous
Which firmware version do you use?
by anonymous
RUT9XX_R_00.06.08.6
by anonymous
You need to add code to /etc/init.d/ipsec in order to create and populate the sections you need. The function prepare_ipsec_config() seems to be the most sensible location to do that.
by anonymous
Solution:

prepare_ipsec_config() {
        # $File_ipsec is expected to be defined by the init script
        echo "# generated by /etc/init.d/ipsec" >"$File_ipsec"
        echo "conn %default"  >>"$File_ipsec"
        echo "  rekeymargin=9m" >>"$File_ipsec"
        echo "        rekeyfuzz=100%" >>"$File_ipsec"
        echo "        mobike=no" >>"$File_ipsec"
        echo "" >>"$File_ipsec"
        # "config setup" section carrying the charondebug levels
        echo "config setup"  >>"$File_ipsec"
        echo "   charondebug=\"cfg 2, dmn 2, ike 2, net 2\"" >>"$File_ipsec"
        echo "" >>"$File_ipsec"
}

This worked.

Cheers,

john
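
Added example (not part of the thread and not Teltonika's code): a POSIX shell check that reads a generated ipsec.conf, lists the charondebug levels found in "config setup", and flags level 4, which the strongSwan logging documentation describes as also writing sensitive material such as keys to the log. The function names and exit codes are assumptions made for this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect charondebug in a generated ipsec.conf.

# Print one "subsystem level" pair per line from the "config setup" section.
charondebug_levels() {
    awk '
        # A line starting in column 0 (not a comment) opens a new section.
        /^[^ \t#]/ { in_setup = ($1 == "config" && $2 == "setup") }
        in_setup && /^[ \t]+charondebug[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop the key and the equals sign
            gsub(/"/, "")                 # drop the surrounding quotes
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++)
                if (split(parts[i], kv) >= 1) print kv[1], kv[2]
        }
    ' "$1"
}

# Exit status (assumed convention): 0 = all levels in -1..3,
# 1 = no charondebug entry, 2 = a subsystem at level 4, 3 = malformed level.
charondebug_check() {
    levels=$(charondebug_levels "$1")
    [ -n "$levels" ] || return 1
    status=0
    while read -r subsys lvl; do
        case "$lvl" in
            -1|0|1|2|3) ;;
            4) echo "warning: $subsys=4 writes sensitive material (keys) to the log" >&2
               [ "$status" -eq 3 ] || status=2 ;;
            *) echo "error: bad level '$lvl' for $subsys" >&2
               status=3 ;;
        esac
    done <<EOF
$levels
EOF
    return "$status"
}

# Constructed sample: the file written by the modified prepare_ipsec_config().
sample=$(mktemp)
printf '%s\n' '# generated by /etc/init.d/ipsec' 'conn %default' \
    '  rekeymargin=9m' '' 'config setup' \
    '   charondebug="cfg 2, dmn 2, ike 2, net 2"' > "$sample"
charondebug_levels "$sample"
charondebug_check "$sample" && echo "charondebug levels OK"
rm -f "$sample"
```

Running it against /etc/ipsec.conf after restarting the ipsec service shows whether the edited init script actually wrote the section.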
by anonymous
Perfect.

Regards,