Bug ID 617134: Encryption and authentication keys for IKEv2 are not logged

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP TMOS(all modules)

Fixed In:
15.1.0

Opened: Sep 16, 2016

Severity: 4-Minor

Symptoms

BIG-IP provides no option to log the negotiated IKEv2 keys for debugging purposes.

Impact

Debugging IKEv2 protocol problems is impeded because, without the negotiated keys, captured encrypted packets cannot be decrypted and examined.

Conditions

This is encountered if you are trying to troubleshoot or debug IKEv2.

Workaround

No workaround is known at this time.

Fix Information

When the ike-daemon log level is set to debug and a log publisher is also attached, encryption and authentication keys are logged in the tmm log files as well as in ipsec.log. This mainly appears in the form of IKE protocol packets displayed in human-readable form after decryption. This includes all negotiated keys, unless you have explicitly requested suppression of keys in logs by changing the value of the sys db variable ipsec.debug.logkeys.

Behavior Change

When the ike-daemon log level is set to debug and a log publisher is also attached, encryption and authentication keys are logged in the tmm log files as well as in ipsec.log. This mainly appears in the form of IKE protocol packets displayed in human-readable form after decryption. This includes all negotiated keys, unless you have explicitly requested suppression of keys in logs by changing the value of the sys db variable ipsec.debug.logkeys.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips