Bug ID 898441: Enable logging of IKE keys

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 16.0.0,, 16.0.1,,

Fixed In:
16.1.0, 15.1.4,

Opened: Apr 13, 2020

Severity: 4-Minor


IPsec debug level logging does not provide encryption and authentication key information for IKEv1 IKE negotiation. This information is commonly logged by IPsec vendors in order to allow network administrators the ability to decrypt failing ISAKMP exchanges.


Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.


-- The BIG-IP system has an IPsec IKEv2 tunnel configured. -- debug level logging is enabled.


None, although the remote peer may log this information.

Fix Information

Added sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips