This section describes the configuration and format of the system logs relating to IP Security. As hosts communicate with each other, the packets they exchange can be logged to the system log daemon, syslogd, together with other important IP Security messages (tunnel activation, filter rule loading, daemon start and stop). An administrator can monitor this logging information for traffic analysis and for debugging assistance. The following steps set up the logging facilities.
Add the following line to /etc/syslog.conf:
local4.debug /var/adm/ipsec.log
Use the local4 facility to record traffic and IP Security events. Standard operating system priority levels apply. Keep the priority level at debug until traffic through the IP Security tunnels and filters shows stability and proper movement; a lower priority suppresses the per-packet entries that make the problem visible.
Note: Logging filter events can create significant activity on the IP Security host and can consume large amounts of storage. Every packet matched by a rule with logging enabled (l=y) produces one line in the log file.
Create the log file named in /etc/syslog.conf:
touch /var/adm/ipsec.log
Refresh syslogd so that it reads the new configuration:
refresh -s syslogd
Turn on packet logging:
mkfilt -g start
You can stop packet logging by issuing the following command:
mkfilt -g stop
The sample log file below contains traffic entries and other IP Security log entries:
1. Aug 27 08:08:40 host1 : Filter logging daemon ipsec_logd (level 2.20) initialized at 08:08:40 on 08/27/97
2. Aug 27 08:08:46 host1 : mkfilt: Status of packet logging set to Start at 08:08:46 on 08/27/97
3. Aug 27 08:08:47 host1 : mktun: Manual tunnel 2 for IPv4, 9.3.97.244, 9.3.97.130 activated.
4. Aug 27 08:08:47 host1 : mkfilt: #:1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp eq 4001 eq 4001 both both l=n f=y t=0 e= a=
5. Aug 27 08:08:47 host1 : mkfilt: #:2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ah any 0 any 0 both both l=n f=y t=0 e= a=
6. Aug 27 08:08:47 host1 : mkfilt: #:3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 esp any 0 any 0 both both l=n f=y t=0 e= a=
7. Aug 27 08:08:47 host1 : mkfilt: #:4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 icmp any 0 any 0 local outbound l=y f=y t=1 e= a=
8. Aug 27 08:08:47 host1 : mkfilt: #:5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 icmp any 0 any 0 local inbound l=y f=y t=1 e= a=
9. Aug 27 08:08:47 host1 : mkfilt: #:6 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both l=y f=y t=0 e= a=
10. Aug 27 08:08:47 host1 : mkfilt: Filter support (level 1.00) initialized at 08:08:47 on 08/27/97
11. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
12. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.20 d:10.0.0.1 p:udp sp:53 dp:3327 r:l a:n f:n T:0 e:n l:133
13. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43
14. Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.15 p:tcp sp:23 dp:4649 r:l a:n f:n T:0 e:n l:41
15. Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:40
16. Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84
17. Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84
18. Aug 27 08:08:52 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84
19. Aug 27 08:08:52 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84
20. Aug 27 08:32:27 host1 : Filter logging daemon terminating at 08:32:27 on 08/27/97
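The per-packet entries in the sample above are compact key:value pairs: #: is the rule that matched, R: the verdict, i:/o: the direction together with the adapter address, s:/d: the source and destination addresses, p: the protocol, sp:/dp: the ports (or t:/c: the ICMP type and code), T: the tunnel ID (0 when the packet was not carried by a tunnel) and l: the packet length. As an added example, not code from this page or from AIX, the following Python parser turns such lines into records and answers two questions an administrator watching this log wants answered: which permitted packets crossed the wire outside any tunnel through the catch-all rule, and how many bytes each tunnel carried. The sample lines are constructed in the page's format; the reading of R:d as a denied packet is an assumption, and the a:, f: and e: flags, which this excerpt does not explain, are kept raw rather than interpreted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the format shown on this page; not a capture
# from a live system.  The last line assumes that R:d marks a deny verdict.
SAMPLE_LOG = """\
Aug 27 08:08:47 host1 : mkfilt: #:6 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both l=y f=y t=0 e= a=
Aug 27 08:08:48 host1 : #:6 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.20 p:udp sp:3327 dp:53 r:l a:n f:n T:0 e:n l:67
Aug 27 08:08:48 host1 : #:6 R:p i:10.0.0.1 s:10.0.0.15 d:10.0.0.1 p:tcp sp:4649 dp:23 r:l a:n f:n T:0 e:n l:43
Aug 27 08:08:51 host1 : #:4 R:p o:10.0.0.1 s:10.0.0.1 d:10.0.0.2 p:icmp t:8 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:08:51 host1 : #:5 R:p i:10.0.0.1 s:10.0.0.2 d:10.0.0.1 p:icmp t:0 c:0 r:l a:n f:n T:1 e:n l:84
Aug 27 08:08:53 host1 : #:7 R:d i:10.0.0.1 s:10.0.0.9 d:10.0.0.1 p:tcp sp:40000 dp:22 r:l a:n f:n T:0 e:n l:60
"""

# syslog prefix: "Mon dd hh:mm:ss host : <body>"
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) : (?P<body>.*)$"
)


@dataclass
class PacketEntry:
    timestamp: str
    host: str
    rule: int                  # #:n, the filter rule that matched
    action: str                # "permit" (R:p) or "deny" (R:d, assumed)
    direction: str             # "inbound" (i:) or "outbound" (o:)
    interface: str             # adapter address carried on the i:/o: field
    src: str
    dst: str
    proto: str
    sport: Optional[int]       # sp:/dp: only present for tcp/udp
    dport: Optional[int]
    icmp_type: Optional[int]   # t:/c: only present for icmp
    icmp_code: Optional[int]
    routed: str                # r:l (local) or r:r (routed), kept raw
    tunnel: int                # T:n, 0 means no tunnel
    length: int                # l:n, packet length
    flags: Dict[str, str]      # a:, f:, e: kept raw, not interpreted here


def _int_or_none(fields: Dict[str, str], key: str) -> Optional[int]:
    return int(fields[key]) if key in fields else None


def parse_packet_line(line: str) -> Optional[PacketEntry]:
    """Parse one per-packet entry; daemon, mktun and mkfilt status lines give None."""
    m = PREFIX_RE.match(line.rstrip())
    if not m or not m.group("body").startswith("#:"):
        return None
    fields: Dict[str, str] = {}
    for token in m.group("body").split():
        key, _, value = token.partition(":")   # "sp:3327" -> ("sp", "3327")
        fields[key] = value
    if "R" not in fields:                      # rule dumps carry no verdict field
        return None
    direction = "outbound" if "o" in fields else "inbound"
    return PacketEntry(
        timestamp=m.group("ts"), host=m.group("host"),
        rule=int(fields["#"]),
        action={"p": "permit", "d": "deny"}.get(fields["R"], fields["R"]),
        direction=direction,
        interface=fields["o" if direction == "outbound" else "i"],
        src=fields["s"], dst=fields["d"], proto=fields["p"],
        sport=_int_or_none(fields, "sp"), dport=_int_or_none(fields, "dp"),
        icmp_type=_int_or_none(fields, "t"), icmp_code=_int_or_none(fields, "c"),
        routed=fields.get("r", ""),
        tunnel=int(fields.get("T", "0")),
        length=int(fields["l"]),
        flags={k: fields[k] for k in ("a", "f", "e") if k in fields},
    )


def parse_log(text: str) -> List[PacketEntry]:
    return [e for e in (parse_packet_line(l) for l in text.splitlines()) if e]


def untunneled_permits(entries: List[PacketEntry], catchall_rule: int = 6) -> List[PacketEntry]:
    """Packets the catch-all permit rule let through with no tunnel (T:0): this is
    the traffic that crosses the network in the clear while the tunnel is up."""
    return [e for e in entries
            if e.action == "permit" and e.rule == catchall_rule and e.tunnel == 0]


def per_tunnel_bytes(entries: List[PacketEntry]) -> Dict[int, int]:
    """Bytes logged per tunnel ID; key 0 collects untunneled traffic."""
    totals: Dict[int, int] = {}
    for e in entries:
        totals[e.tunnel] = totals.get(e.tunnel, 0) + e.length
    return totals


def denied(entries: List[PacketEntry]) -> List[PacketEntry]:
    return [e for e in entries if e.action == "deny"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in untunneled_permits(entries):
        print(f"clear: {e.src} -> {e.dst} {e.proto} dport={e.dport} rule #{e.rule}")
    print("bytes per tunnel:", per_tunnel_bytes(entries))
    print("denied:", [(e.src, e.dport) for e in denied(entries)])
```

In the sample, the DNS query and the telnet session are matched by rule 6 with T:0 and so travel unprotected even though tunnel 1 is active; only the ICMP exchange between 10.0.0.1 and 10.0.0.2 goes through the tunnel. Running this over the live /var/adm/ipsec.log is a quick way to confirm that the tunnel definitions actually cover the traffic they were meant to cover.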
The following paragraphs explain the log entries.
The following example shows two hosts negotiating a phase 1 and a phase 2 tunnel from the initiating host's point of view. (The isakmpd logging level has been specified as isakmp_events.)
1. Dec 6 14:34:42 host1 Tunnel Manager: 0: TM is processing a Connection_request_msg
2. Dec 6 14:34:42 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)
3. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL TRANSFORM )
4. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA PROPOSAL TRANSFORM )
5. Dec 6 14:34:42 host1 isakmpd: Phase I SA Negotiated
6. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )
7. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( KE NONCE )
8. Dec 6 14:34:42 host1 isakmpd: Encrypting the following msg to send: ( ID HASH )
9. Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
10. Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )
11. Dec 6 14:34:42 host1 Tunnel Manager: 1: TM is processing a P1_sa_created_msg (tid)
12. Dec 6 14:34:42 host1 Tunnel Manager: 1: Received good P1 SA, updating P1 tunnel (tid)
13. Dec 6 14:34:42 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need to start
14. Dec 6 14:34:42 host1 isakmpd: Decrypted the following received msg: ( ID HASH )
15. Dec 6 14:34:42 host1 isakmpd: Phase I Done !!!
16. Dec 6 14:34:42 host1 isakmpd: Phase I negotiation authenticated
17. Dec 6 14:34:44 host1 Tunnel Manager: 0: TM is processing a Connection_request_msg
18. Dec 6 14:34:44 host1 Tunnel Manager: 0: Received a connection object for an active P1 tunnel
19. Dec 6 14:34:44 host1 Tunnel Manager: 1: Created blank P2 tunnel (tid)
20. Dec 6 14:34:44 host1 Tunnel Manager: 0: Checking to see if any P2 tunnels need to start
21. Dec 6 14:34:44 host1 Tunnel Manager: 1: Starting negotiations for P2 (P2 tid)
22. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH SA PROPOSAL TRANSFORM NONCE ID ID )
23. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
24. Dec 6 14:34:45 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )
25. Dec 6 14:34:45 host1 isakmpd: Decrypted the following received msg: ( HASH SA PROPOSAL TRANSFORM NONCE ID ID )
26. Dec 6 14:34:45 host1 isakmpd: Encrypting the following msg to send: ( HASH )
27. Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
28. Dec 6 14:34:45 host1 isakmpd: Phase II SA Negotiated
29. Dec 6 14:34:45 host1 isakmpd: PhaseII negotiation complete.
30. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a P2_sa_created_msg
31. Dec 6 14:34:45 host1 Tunnel Manager: 1: received p2_sa_created for an existing tunnel as initiator (tid)
32. Dec 6 14:34:45 host1 Tunnel Manager: 1: Filter::AddFilterRules: Created filter rules for tunnel
33. Dec 6 14:34:45 host1 Tunnel Manager: 0: TM is processing a List_tunnels_msg
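The negotiation above passes through a fixed series of milestones: a P1 tunnel object is created, the phase 1 SA is negotiated and then authenticated (after the ID and HASH payloads are exchanged under encryption), phase 2 is started, the phase 2 SA is negotiated and completed, and finally the Tunnel Manager installs the filter rules. Traffic is protected only when all of them appear; a log that reaches "Phase I SA Negotiated" but never "Phase I negotiation authenticated" means the peer's identity was never verified and no phase 2 SA exists. As an added example, not part of the page or of the AIX isakmpd and Tunnel Manager code, the following Python routine reads lines in the format shown above, records which milestones were reached and where a negotiation stalled, and counts the messages sent and received with the peer. The successful sample reuses the page's own lines; the stalled sample is constructed to show an initiator whose KE NONCE is never answered.

```python
import re
from typing import Dict, Optional, Tuple

# Milestones in the order the successful negotiation on this page reaches them:
# (name, log source, substring that marks the step).
MILESTONES = [
    ("p1_started",        "Tunnel Manager", "Creating new P1 tunnel object"),
    ("p1_sa_negotiated",  "isakmpd",        "Phase I SA Negotiated"),
    ("p1_authenticated",  "isakmpd",        "Phase I negotiation authenticated"),
    ("p2_started",        "Tunnel Manager", "Starting negotiations for P2"),
    ("p2_sa_negotiated",  "isakmpd",        "Phase II SA Negotiated"),
    ("p2_complete",       "isakmpd",        "PhaseII negotiation complete"),
    ("filters_installed", "Tunnel Manager", "Filter::AddFilterRules"),
]

# "Mon dd hh:mm:ss host isakmpd: msg" or "... host Tunnel Manager: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<src>isakmpd|Tunnel Manager): (?P<msg>.*)$"
)
# Outbound isakmpd lines read "local >>> remote ( payloads )".
PEERS_RE = re.compile(r"^(?P<local>[0-9A-Fa-f.:]+) >>> (?P<remote>[0-9A-Fa-f.:]+)")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """(timestamp, source, message) for isakmpd / Tunnel Manager lines, else None."""
    m = LINE_RE.match(line.rstrip())
    return (m.group("ts"), m.group("src"), m.group("msg")) if m else None


def negotiation_status(text: str) -> Dict[str, object]:
    reached: Dict[str, str] = {}                # milestone -> first timestamp seen
    peers: Optional[Tuple[str, str]] = None
    sent = received = 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, msg = parsed
        if src == "isakmpd":
            pm = PEERS_RE.match(msg)
            if pm:                              # a message we sent
                sent += 1
                peers = peers or (pm.group("local"), pm.group("remote"))
            elif "<<<" in msg:                  # a message the peer sent
                received += 1
        for name, source, marker in MILESTONES:
            if src == source and marker in msg and name not in reached:
                reached[name] = ts
    missing = [name for name, _, _ in MILESTONES if name not in reached]
    return {
        "peers": peers,
        "reached": reached,
        "missing": missing,
        "stalled_at": missing[0] if missing else None,
        "sent": sent,
        "received": received,
        # Only an authenticated phase 1, a completed phase 2 and installed
        # filter rules mean traffic through the tunnel is actually protected.
        "tunnel_ready": not missing,
    }


# Successful negotiation: the initiator-side lines from this page's example.
SUCCESSFUL_NEGOTIATION = """\
Dec 6 14:34:42 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)
Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL TRANSFORM )
Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA PROPOSAL TRANSFORM )
Dec 6 14:34:42 host1 isakmpd: Phase I SA Negotiated
Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )
Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( KE NONCE )
Dec 6 14:34:42 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
Dec 6 14:34:42 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )
Dec 6 14:34:42 host1 isakmpd: Phase I negotiation authenticated
Dec 6 14:34:44 host1 Tunnel Manager: 1: Starting negotiations for P2 (P2 tid)
Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
Dec 6 14:34:45 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( Encrypted Payloads )
Dec 6 14:34:45 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( Encrypted Payloads )
Dec 6 14:34:45 host1 isakmpd: Phase II SA Negotiated
Dec 6 14:34:45 host1 isakmpd: PhaseII negotiation complete.
Dec 6 14:34:45 host1 Tunnel Manager: 1: Filter::AddFilterRules: Created filter rules for tunnel
"""

# Constructed failure case (not from the page): the peer never answers KE NONCE,
# so phase 1 is never authenticated and no phase 2 SA is ever built.
STALLED_NEGOTIATION = """\
Dec 6 15:02:10 host1 Tunnel Manager: 1: Creating new P1 tunnel object (tid)
Dec 6 15:02:10 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( SA PROPOSAL TRANSFORM )
Dec 6 15:02:10 host1 isakmpd: ::ffff:192.168.100.103 <<< 192.168.100.104 ( SA PROPOSAL TRANSFORM )
Dec 6 15:02:10 host1 isakmpd: Phase I SA Negotiated
Dec 6 15:02:10 host1 isakmpd: 192.168.100.103 >>> 192.168.100.104 ( KE NONCE )
"""

if __name__ == "__main__":
    for label, text in (("ok", SUCCESSFUL_NEGOTIATION), ("stalled", STALLED_NEGOTIATION)):
        s = negotiation_status(text)
        print(label, s["peers"], "ready" if s["tunnel_ready"] else f"stalled at {s['stalled_at']}",
              f"sent={s['sent']} received={s['received']}")
```

Run against the live log with the isakmpd level set to isakmp_events, the "stalled_at" value tells you which side to look at: a negotiation stuck before "Phase I negotiation authenticated" is a key, certificate or proposal mismatch between the peers, while one stuck before "Filter::AddFilterRules" has a phase 2 SA that the Tunnel Manager could not turn into filter rules.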
The following paragraphs explain the log entries.
The fields in the log entries are abbreviated to reduce DASD space requirements: