Bug ID 898441: Enable logging of IKE keys

Last Modified: Jul 23, 2021

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:
16.1.0

Opened: Apr 13, 2020
Severity: 4-Minor

Symptoms

IPsec debug-level logging does not include the encryption and authentication key material for IKEv1 IKE negotiations. IPsec vendors commonly log this information so that network administrators can decrypt failing ISAKMP exchanges while troubleshooting.

Impact

Without the encryption and authentication key information, an ISAKMP negotiation cannot be inspected when troubleshooting tunnel negotiation.

Conditions

-- The BIG-IP system has an IPsec IKEv2 tunnel configured.
-- Debug-level logging is enabled.

Workaround

None, although the remote peer may log this information.

Fix Information

Added the sys db variable 'ipsec.debug.logsk' to enable logging of IKE SA keys.

Behavior Change