[Swan-dev] 182 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}

Andrew Cagney andrew.cagney at gmail.com
Wed Mar 11 12:12:05 UTC 2020


On Wed, 11 Mar 2020 at 01:09, Antony Antony <antony at phenome.org> wrote:
>
> On Tue, Mar 10, 2020 at 11:51:06AM -0400, Andrew Cagney wrote:
> > I'd like to change this log message as follows:
> >
> > - change #2 (the CHILD SA) to #1 (the IKE SA)
>
> good idea
>
> > - drop "STATE_PARENT_I2: "
>
> It sounds like a bad idea to rush this change. An identifier without spaces is
> easy to grep.

This is an internal variable, it doesn't belong in user visible logs.
It should be removed.

The text Paul proposes, namely:
  sent IKE_AUTH request
is more than sufficient.

I pulled the first part of the change as I discovered tests running:
   ipsec status | grep STATE_
that's wrong at so many levels.

> If you use shorter ones and if those words are repeated elsewhere in the
> debug log it would be hard to grep too. IKE_AUTH on its own may sound good.
> However, when searching for IKE_AUTH there are other matches in the debug log.
> That makes it harder to grep and count etc.
>
> example "exchange type: ISAKMP_v2_IKE_AUTH (0x23)"
>
> > thoughts
>
> Make a proposal, make a full proposal with state stories and other related
> bits of text we need. Otherwise it feels like we will keep changing too many times.
>
> This is where we got stuck in the last iteration of a similar attempt.
> https://libreswan.org/wiki/IKEv2_Child_SA

Which is why I did not propose changing the story text, and I avoided
mentioning child state names.  I figured this part of the IKE exchange
was safe.

