Several things I've noticed while trying to use the log files to track
down problems:
- tracking a connection instance's IKE and CHILD SAs is painful
I've an awk script to do this, but the mere existence of this script
should act as a red flag :-). For instance, to match an IKE_SA with
its first CHILD_SA the script:
-> matches /#[0-9]*: Authenticated using RSA/ - the line contains
both the "connection instance" + #IKE_SA; this is used to map
"connection instance"->#IKE_SA
-> matches /#[0-9]*: negotiated connection/ - the line contains
"connection instance" + #CHILD_SA; combining this with above gets
#IKE_SA<->#CHILD_SA
yuck!
- the connection prefix seems like far too much information,
especially when it is constantly repeated and redacted; for instance
<ip-address> in:
... "my-connection"[1234] <ip-address> #100: ...
is just wasted real estate; would it be better to dump all the
connection instance details once as a line?
- as a follow-on it would be nice if the connection instance prefix
stopped changing between log lines
because the prefix is generated dynamically it evolves as the
connection information gets changed; again, a log line once all
changes are done
Andrew
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
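The IKE_SA/CHILD_SA correlation the post describes, as an added example that is not the poster's awk script: it reads libreswan-style log lines (constructed here; connection names, addresses and SA numbers are made up), keys on the "name"[n] connection-instance prefix so syslog timestamps and the pluto[pid] prefix do not matter, and prints each CHILD_SA next to the IKE SA that authenticated the same instance, flagging a CHILD_SA that shows up before any IKE_SA line. It generalises the script in the post slightly by reporting every CHILD_SA of an instance, not only the first.

```shell
#!/bin/sh
# Added example, not the poster's awk script: correlate each connection
# instance with its IKE SA and CHILD SA numbers from libreswan-style logs.
# The log lines below are constructed; names, addresses and SA numbers are made up.
SAMPLE_LOG='Mar  1 10:00:01 gw pluto[4242]: "my-connection"[1234] 192.0.2.10 #100: Authenticated using RSA
Mar  1 10:00:01 gw pluto[4242]: "my-connection"[1234] 192.0.2.10 #101: negotiated connection [10.0.0.0-10.0.0.255:0-65535 0] -> [10.1.0.0-10.1.0.255:0-65535 0]
Mar  1 10:00:05 gw pluto[4242]: "other"[7] 198.51.100.5 #200: Authenticated using RSA
Mar  1 10:00:05 gw pluto[4242]: "other"[7] 198.51.100.5 #201: negotiated connection [10.2.0.0-10.2.0.255:0-65535 0] -> [10.3.0.0-10.3.0.255:0-65535 0]
Mar  1 10:00:09 gw pluto[4242]: "orphan"[9] 203.0.113.7 #300: negotiated connection [10.4.0.0-10.4.0.255:0-65535 0] -> [10.5.0.0-10.5.0.255:0-65535 0]'

# map_sas: read log lines on stdin; print one line per CHILD_SA of the form
#   "name"[instance] IKE_SA CHILD_SA
# keyed on the "name"[n] connection-instance token rather than on field
# position, so the syslog timestamp and pluto[pid] prefix do not matter.
map_sas() {
    awk '
    # instance(): the "name"[n] token that identifies the connection instance
    function instance() {
        return match($0, /"[^"]*"\[[0-9]+\]/) ? substr($0, RSTART, RLENGTH) : ""
    }
    # sa_num(): the N in the "#N:" token, i.e. the state (SA) number
    function sa_num() {
        return match($0, /#[0-9]+:/) ? substr($0, RSTART + 1, RLENGTH - 2) : ""
    }
    # IKE_SA line: remember which IKE SA authenticated this instance
    /#[0-9]+: Authenticated using/ {
        ike[instance()] = sa_num(); next
    }
    # CHILD_SA line: join it to the IKE SA recorded for the same instance
    /#[0-9]+: negotiated connection/ {
        inst = instance()
        if (inst in ike) print inst, ike[inst], sa_num()
        else print inst, "?", sa_num()   # CHILD_SA seen before any IKE_SA line
    }'
}

printf '%s\n' "$SAMPLE_LOG" | map_sas
```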