authorChris Buechler <cmb@pfsense.org>2015-10-12 21:42:02 -0500
committerChris Buechler <cmb@pfsense.org>2015-10-12 21:42:02 -0500
commit54a527574311d935403e81bb18fd8b659ec403ca (patch)
treedc2de2bea7fa182a2353ba0c2dd649b58dfc70c5 /etc
parent94b89bdf0724ca8697248cea23c5c8b162aef2c5 (diff)
Fix up strongswan logging levels. Remove charondebug since strongswan.conf settings take precedence. Set logging levels in strongswan.conf to match what's set on a running system via 'ipsec stroke loglevel', and remove log levels that were hard coded in strongswan.conf. Ticket #5242
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/vpn.inc18
1 files changed, 11 insertions, 7 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 99d7e60..35ff661 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -52,12 +52,12 @@ function vpn_ipsec_configure_loglevels($forconfig = false) {
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
} else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
- $forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
+ $forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
}
}
if ($forconfig) {
- return implode(',', $cfgtext);
+ return $cfgtext;
}
}
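Review bot: Only the 0–5 branch on the added line gets the new `key = value` form; the silent (`-1`) branch starts above this hunk, so it is not visible whether its `$forconfig` side was switched too. If it still appends something like `"${lkey} -1"`, that entry would reach strongswan.conf without the `=`, and should become `$cfgtext[] = "${lkey} = -1"`. The `$forconfig` return value also changes from a comma-joined string to an array, and apparently to nothing when `$cfgtext` was never filled. That deserves a docblock line such as `@return array|null "<subsystem> = <level>" lines when $forconfig is true`.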
@@ -400,6 +400,13 @@ function vpn_ipsec_configure($restart = false) {
unset($stronconf);
+ $strongswanlog = "";
+ $ipsecloglevels = vpn_ipsec_configure_loglevels(true);
+ if (is_array($ipsecloglevels)) {
+ foreach ($ipsecloglevels as $loglevel) {
+ $strongswanlog .= "\t\t" . $loglevel . "\n";
+ }
+ }
$strongswan = <<<EOD
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
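Review bot: Each `$loglevel` string is concatenated into the strongswan.conf heredoc as-is, so the generated file is only well-formed if vpn_ipsec_configure_loglevels() returns nothing but `<subsystem> = <integer>` entries. A short comment above the loop should say so, e.g. `// entries are pre-validated "<subsystem> = <level>" lines; written verbatim into strongswan.conf`. The numeric range check is visible in the first hunk, but the origin of `$lkey` is not, so that half is an assumption to confirm. When the helper returns no array, `$strongswanlog` stays empty and both syslog sections presumably fall back to charon's defaults without any indication. vpn_ipsec_configure() continues outside this hunk.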
@@ -424,15 +431,13 @@ cisco_unity = {$unity_enabled}
# to, currently one of: daemon, auth.
syslog {
identifier = charon
- # default level to the LOG_DAEMON facility
daemon {
ike_name = yes
+{$strongswanlog}
}
- # very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
- default = -1
- ike = 1
ike_name = yes
+{$strongswanlog}
}
}
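Review bot: The `auth` section now receives the same `{$strongswanlog}` levels as `daemon`, replacing the fixed `default = -1` / `ike = 1` that kept LOG_AUTHPRIV to minimal IKE auditing. The range check in vpn_ipsec_configure_loglevels() allows values that map up to level 4. Raising a subsystem for debugging would therefore put raw dumps and, per strongSwan's level descriptions, sensitive material such as keys into both facilities, including any remote syslog target that receives auth. Consider keeping the `auth` block at `default = -1` and `ike = 1`, or capping the levels written to it. Since the two explanatory comments are removed, each block should also keep a one-line comment saying which facility it feeds.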
@@ -728,7 +733,6 @@ EOD;
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
- $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
if (isset($config['ipsec']['strictcrlpolicy'])) {
$ipsecconf .= "\tstrictcrlpolicy = yes \n";