From b003d9a4242904b042b251f8597fe3b00b5175ab Mon Sep 17 00:00:00 2001
From: changzhi
Date: Thu, 20 Aug 2015 00:26:35 +0800
Subject: [PATCH] Allow enabling detailed logging for OpenSwan
Add log for IPSec pluto process. This log will be useful to developers for debug IPSec site connection and IPSec connectivity. This applies to OpenSwan and Libraswan, and that StrongSwan has logging that logs to syslog.
DocImpact
Closes-Bug: #1484410
Change-Id: Id150416a179ae4ddeed5bd13d6c50793e6183f55
---
 etc/vpn_agent.ini | 7 +++++
 .../services/vpn/device_drivers/ipsec.py | 31 ++++++++++++-------
 2 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/etc/vpn_agent.ini b/etc/vpn_agent.ini
index f06cc2b2e..f068309c6 100644
--- a/etc/vpn_agent.ini
+++ b/etc/vpn_agent.ini
@@ -20,6 +20,13 @@
 # Status check interval
 # ipsec_status_check_interval=60
+# Enable detail logging for ipsec pluto process.
+# If the flag set to True, the detailed logging will
+# be written into config_base_dir//logs."
+# NOTE: this applies to OpenSwan and Libraswan, and
+# that StrongSwan has logging that logs to syslog.
+# enable_detailed_logging=False
+
 [strongswan]
 # For fedora use:
 # default_config_area=/usr/share/strongswan/templates/config/strongswan.d
diff --git a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
index 894b44e72..e896b571b 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -51,7 +51,12 @@ ipsec_opts = [
 help=_('Location to store ipsec server config files')),
 cfg.IntOpt('ipsec_status_check_interval',
 default=60,
- help=_("Interval for checking ipsec status"))
+ help=_("Interval for checking ipsec status")),
+ cfg.BoolOpt('enable_detailed_logging',
+ default=False,
+ help=_("Enable detail logging for ipsec pluto process. "
+ "If the flag set to True, the detailed logging will "
+ "be written into config_base_dir//logs.")),
 ]
 cfg.CONF.register_opts(ipsec_opts, 'ipsec')
@@ -141,6 +146,7 @@ class BaseSwanProcess(object):
 self.config_dir = os.path.join(
 cfg.CONF.ipsec.config_base_dir, self.id)
 self.etc_dir = os.path.join(self.config_dir, 'etc')
+ self.log_dir = os.path.join(self.config_dir, 'logs')
 self.update_vpnservice(vpnservice)
 self.STATUS_PATTERN = re.compile(self.STATUS_RE)
 self.STATUS_NOT_RUNNING_PATTERN = re.compile(
@@ -411,16 +417,19 @@ class OpenSwanProcess(BaseSwanProcess):
 return
 virtual_private = self._virtual_privates()
 #start pluto IKE keying daemon
- self._execute([self.binary,
- 'pluto',
- '--ctlbase', self.pid_path,
- '--ipsecdir', self.etc_dir,
- '--use-netkey',
- '--uniqueids',
- '--nat_traversal',
- '--secretsfile', self.secrets_file,
- '--virtual_private', virtual_private
- ])
+ cmd = [self.binary,
+ 'pluto',
+ '--ctlbase', self.pid_path,
+ '--ipsecdir', self.etc_dir,
+ '--use-netkey',
+ '--uniqueids',
+ '--nat_traversal',
+ '--secretsfile', self.secrets_file,
+ '--virtual_private', virtual_private]
+
+ if self.conf.ipsec.enable_detailed_logging:
+ cmd += ['--perpeerlogbase', self.log_dir]
+ self._execute(cmd)
 #add connections
 for ipsec_site_conn in self.vpnservice['ipsec_site_connections']:
 nexthop = self._get_nexthop(ipsec_site_conn['peer_address'],
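Review bot: The help string added for `enable_detailed_logging` in `ipsec_opts` leaves out the scope note that this same commit writes into etc/vpn_agent.ini. The option is registered in the shared `ipsec` group, yet in the visible hunks only the `OpenSwanProcess` start path reads it, so an operator on another driver who sees only the option help would expect logs that never appear. I would end the help text with a sentence such as `"Applies to the OpenSwan and Libreswan drivers only; StrongSwan logs to syslog."`.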
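Review bot: `self.log_dir` is only computed in the `BaseSwanProcess.__init__` hunk; nothing in the visible hunks creates the `logs` directory or sets its mode before pluto is pointed at it. Unless directory setup elsewhere in the file already covers it, the directory should be created owner-only before the daemon starts, because per-peer pluto logs are organised by peer address and carry negotiation detail that other local users have no need to read. A comment on the new line such as `# per-process pluto debug logs; created owner-only in <setup method> when enable_detailed_logging is set` would record that intent. `__init__` starts and ends outside the hunk, so existing directory handling may simply be out of view.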
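Review bot: In the `OpenSwanProcess` hunk, `--perpeerlogbase` on its own only names the base directory; going by the pluto man page, per-peer logging is switched on by the separate `--perpeerlog` flag, so with `enable_detailed_logging=True` the daemon may still write nothing under `self.log_dir`. I would change the line to `cmd += ['--perpeerlog', '--perpeerlogbase', self.log_dir]`. It is also worth a comment that these logs grow with peer activity and nothing visible here bounds or rotates them, which matters on a network node where remote peers drive the volume. The method body starts and ends outside the hunk.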