[Swan] Truncated log output

Ondrej Moris omoris at redhat.com
Sat Nov 3 12:27:22 UTC 2018


Hi, I noticed that the output in the logs is sometimes truncated when it is
too long. For instance, I have the following configuration:

conn test
    left=%defaultroute
    right=1.2.3.4
    authby=secret
    auto=add
    ikev2=insist
    pfs=yes
    ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
    esp=aes_gcm256,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256

When the connection is initiated, the IKE proposal is printed but truncated:

# ipsec auto --verbose --up test
002 "test" #1: initiating v2 parent SA
133 "test" #1: initiate
002 "test" #1: constructed local IKE proposals for test (IKE SA
initiator selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_256
2:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_256
4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
5:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
6:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_256
7:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_256
8:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256
9:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256
10:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_384
11:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;INTEG=NONE;DH=ECP_384
12:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_384
13:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384
14:IKE:ENCR=AES_CBC_25...
133 "test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1

Is there a way to disable the truncation? Or possibly to increase
its limits? Or is there any other way to get the IKE proposal? I want to
check that the proposal contains exactly what is configured.

--
Ondrej Moris
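
Added example, not part of the original post and not libreswan code: one way to run the check the post asks for, by expanding an ike= value into the proposal strings the log prints and reporting where a truncated log stops confirming them. The name mappings are read off the config and log above; groups whose log name is not visible there (dh21, dh14 and the rest) are left unmapped, and the sample input is constructed.

```python
import re

# Config-name -> log-name pairs read off the ike= line and the log in the post.
# DH groups whose log name is not visible there (dh21, dh14, ...) are unmapped.
ENCR = {"aes_gcm256": "AES_GCM_C_256", "aes_gcm128": "AES_GCM_C_128",
        "aes256": "AES_CBC_256", "aes128": "AES_CBC_128"}
PRF = {"sha2_512": "HMAC_SHA2_512", "sha2_256": "HMAC_SHA2_256", "sha1": "HMAC_SHA1"}
INTEG = {"sha2_512": "HMAC_SHA2_512_256", "sha2_256": "HMAC_SHA2_256_128",
         "sha1": "HMAC_SHA1_96"}
DH = {"dh19": "ECP_256", "dh20": "ECP_384"}

def expected(ike):
    """Expand an ike= value into proposal strings in the log's format."""
    out = []
    for item in ike.split(","):
        algs, dh = item.split(";")
        enc, prf = algs.split("-")
        integ = "NONE" if "gcm" in enc else INTEG[prf]  # AEAD: no separate INTEG
        out.append(f"ENCR={ENCR[enc]};PRF={PRF[prf]};INTEG={integ};DH={DH[dh]}")
    return out

PROPOSAL = re.compile(r"(\d+):IKE:(\S+)")

def compare(ike, log):
    """Return (mismatches, cut_at). cut_at is the first proposal number the log
    cannot confirm (truncated or missing), or None if every one was logged."""
    logged = {int(n): p for n, p in PROPOSAL.findall(log)}
    mismatches = []
    for n, want in enumerate(expected(ike), 1):
        got = logged.get(n)
        if got is None:
            return mismatches, n
        if got.endswith("..."):
            # A cut-off entry can only be checked as a prefix of the expected one.
            if not want.startswith(got[:-3]):
                mismatches.append((n, want, got))
            return mismatches, n
        if got != want:
            mismatches.append((n, want, got))
    return mismatches, None

# Constructed sample: three proposals configured, log cut inside the third.
SAMPLE_IKE = "aes_gcm256-sha2_512;dh19,aes256-sha1;dh19,aes128-sha2_256;dh20"
SAMPLE_LOG = ('002 "test" #1: constructed local IKE proposals for test: '
              '1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_256 '
              '2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=ECP_256 '
              '3:IKE:ENCR=AES_CBC_12...')

if __name__ == "__main__":
    print(compare(SAMPLE_IKE, SAMPLE_LOG))
```

A non-None second value means the log confirmed only the proposals before that number, so the remainder of the configured list is unverified rather than verified.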