author | Chris Buechler <cmb@pfsense.org> | 2015-10-12 21:49:34 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-10-12 21:49:34 -0500 |
commit | 31630f472b2fe191319f5f3c0863f9ab35086ee2 (patch) | |
tree | 8bafb18e23e97ccccfde56950070647c48e9ac25 /src/etc | |
parent | dc5254328bab72e40a89d0eef362cef24ac46bdc (diff) | |
download | pfsense-31630f472b2fe191319f5f3c0863f9ab35086ee2.zip pfsense-31630f472b2fe191319f5f3c0863f9ab35086ee2.tar.gz |
Fix up strongswan logging levels. Remove charondebug since strongswan.conf settings take precedence. Set logging levels in strongswan.conf to match what's set on a running system via 'ipsec stroke loglevel', and remove log levels that were hard coded in strongswan.conf. Ticket #5242
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/vpn.inc | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index e277da5..74bbc59 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -52,12 +52,12 @@ function vpn_ipsec_configure_loglevels($forconfig = false) {
 mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
 } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
-$forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
+$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
 mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
 }
 }
 if ($forconfig) {
-return implode(',', $cfgtext);
+return $cfgtext;
 }
 }
@@ -396,6 +396,13 @@ function vpn_ipsec_configure($restart = false) {
 unset($stronconf);
+$strongswanlog = "";
+$ipsecloglevels = vpn_ipsec_configure_loglevels(true);
+if (is_array($ipsecloglevels)) {
+foreach ($ipsecloglevels as $loglevel) {
+$strongswanlog .= "\t\t" . $loglevel . "\n";
+}
+}
 $strongswan = <<<EOD
 # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
@@ -420,15 +427,13 @@ cisco_unity = {$unity_enabled}
 # to, currently one of: daemon, auth.
 syslog {
 identifier = charon
-# default level to the LOG_DAEMON facility
 daemon {
 ike_name = yes
+{$strongswanlog}
 }
-# very minimalistic IKE auditing logs to LOG_AUTHPRIV
 auth {
-default = -1
-ike = 1
 ike_name = yes
+{$strongswanlog}
 }
 }
@@ -724,7 +729,6 @@ EOD;
 $ipsecconf .= "# This file is automatically generated. Do not edit\n";
 $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
-$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
 if (isset($config['ipsec']['strictcrlpolicy'])) {
 $ipsecconf .= "\tstrictcrlpolicy = yes \n";
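Review bot: The `"${lkey} = "` key/value form introduced for numeric levels must also be produced by the sibling `!isset(...)` arm of this function, which sits just above the hunk and is not visible here; if that arm still builds the old charondebug-style `"${lkey} -1"`, a category the user left unset would be written into strongswan.conf as `ike -1`, which is not a valid `key = value` line, so it should become `"${lkey} = -1"`. The function now returns an array when `$forconfig` is true and nothing at all otherwise, and the `is_array()` guard at the only caller relies on that; a short docblock such as `/** When $forconfig is true, returns an array of "<subsystem> = <level>" lines for strongswan.conf; otherwise applies the levels via ipsec stroke and returns null. */` would make the contract explicit. The function's signature and first branch are outside this hunk.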
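Review bot: Interpolating the same `{$strongswanlog}` block into the `auth` facility changes what reaches LOG_AUTHPRIV: the removed `default = -1` / `ike = 1` kept that facility to a minimal IKE audit trail, whereas the new block applies the user's per-subsystem levels there as well, and strongswan's documented level 4 (reachable here, since the UI value 5 maps to 4 in the first hunk) includes sensitive material such as key dumps, so the authpriv log may now carry that data alongside the daemon log. If the audit-only behaviour was intentional, keep `auth` at a fixed `default = -1` and `ike = 1` and only interpolate the user levels under `daemon`; if mirroring the levels is intended, say so in the generated file, e.g. `# auth: mirrors the daemon per-subsystem levels; level 4 logs key material`, so the next maintainer does not re-add the hard-coded values without understanding the trade-off. The surrounding heredoc starts outside this hunk.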