Details for Site-to-Site VPN
Logging details for Site-to-Site VPN logs.
Resources
- IPSecConnection
Log Categories
API value (ID) | Console (Display Name) | Description |
---|---|---|
read | IPSec Logs | Includes Site-to-Site VPN logs for read access. |
Availability
Site-to-Site VPN v2 is available in all commercial regions. See Updated Site-to-Site VPN service for more about Site-to-Site VPN v2.
Comments
Site-to-Site VPN logs contain all status-related information for the IPSec tunnels associated with site-to-site IPSec connections. This includes tunnels coming up or going down, along with the accompanying negotiation information. Each IPSec connection has two IPSec tunnels, so the Site-to-Site VPN logs contain status for both tunnels. Among other kinds of filtering, IPSec tunnels can be distinguished, and therefore filtered, by their data.tunnelId (see Contents of a Site-to-Site VPN Log below for details).
Most Site-to-Site VPN log messages begin with a connection name. The connection name is unique for each IPSec tunnel. Its base form is a ten-digit number (see the sample value for the data.message property in the table below). Three further variants exist, and which of them appear depends on the tunnel's configuration:
- Each IPSec tunnel has a unique ten-digit key assigned to it (for example, 9123456789), which appears at the beginning of many IPSec log messages. This is the form used for IPv4 tunnels.
- If the IPSec tunnel is also configured for IPv6, IPSec log messages can also contain the same ten-digit key with _v6 appended (for example, 9123456789_v6).
- If the tunnel is policy-based (that is, MED is enabled), there can be multiple SAs depending on the configuration. For IPv4 tunnels with multiple SAs, the ten-digit key is followed by _1, _2, _3, and so on, one suffix per SA (for example, 9123456789_1, 9123456789_2, 9123456789_3).
- If the policy-based tunnel is also configured for IPv6, IPSec log messages can also contain the same ten-digit key and SA index together with v6 (for example, 9123456789_v6_1).
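As an added example (not part of the Oracle documentation), the following Python decomposes the connection-name prefix into the ten-digit key, IPv6 marker and SA index described above, and groups entries by data.tunnelId so that each of a connection's two tunnels can be inspected on its own. The sample entries and tunnel OCIDs are constructed placeholders in the page's schema.

```python
import json
import re
from collections import Counter, defaultdict

# Connection-name variants: ten-digit key, optional "_v6", optional SA index
# (for example 9123456789, 9123456789_v6, 9123456789_2, 9123456789_v6_1).
CONN_NAME = re.compile(r'^\s*"?(?P<key>\d{10})(?P<v6>_v6)?(?:_(?P<sa>\d+))?"?:')

def parse_connection_name(message):
    """Return (key, is_ipv6, sa_index) from the start of a log message,
    or None when the message does not begin with a connection name."""
    m = CONN_NAME.match(message)
    if m is None:
        return None
    sa = int(m.group("sa")) if m.group("sa") else None
    return m.group("key"), m.group("v6") is not None, sa

def variant_label(parsed):
    """Readable label for one variant, e.g. '9123456789 IPv6 SA1'."""
    key, is_ipv6, sa = parsed
    label = f"{key} {'IPv6' if is_ipv6 else 'IPv4'}"
    return label if sa is None else f"{label} SA{sa}"

def summarize_by_tunnel(raw_entries):
    """Group log entries by data.tunnelId and count messages per variant,
    so each of a connection's two tunnels can be reviewed separately."""
    per_tunnel = defaultdict(Counter)
    for raw in raw_entries:
        entry = json.loads(raw)
        if entry.get("type") != "com.oraclecloud.vpn.ipseclog.read":
            continue  # not a Site-to-Site VPN read log, skip it
        parsed = parse_connection_name(entry["data"]["message"])
        label = "no-connection-name" if parsed is None else variant_label(parsed)
        per_tunnel[entry["data"]["tunnelId"]][label] += 1
    return {tid: dict(counts) for tid, counts in per_tunnel.items()}

def _entry(tunnel_id, message):  # constructed sample entry; OCIDs are placeholders
    return json.dumps({"data": {"message": message, "tunnelId": tunnel_id},
                       "source": "ocid1.ipsecconnection.region1.sea.<uniqueId>",
                       "time": "2021-02-18T18:21:52.024Z", "type": "com.oraclecloud.vpn.ipseclog.read"})

TUNNEL_A, TUNNEL_B = "ocid1.ipsectunnel.region1.sea.<tunnelA>", "ocid1.ipsectunnel.region1.sea.<tunnelB>"
SAMPLE_ENTRIES = [  # constructed; messages reuse the page's sample wording
    _entry(TUNNEL_A, ' "9123456789": terminating SAs using this connection'),
    _entry(TUNNEL_A, '"9123456789_v6": terminating SAs using this connection'),
    _entry(TUNNEL_B, '"9123456780_1": terminating SAs using this connection'),
    _entry(TUNNEL_B, '"9123456780_v6_2": terminating SAs using this connection'),
    _entry(TUNNEL_B, "a message that does not start with a connection name"),
]
```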
Contents of a Site-to-Site VPN Log
A Site-to-Site VPN log contains the following fields:
Property | Description | Sample Value |
---|---|---|
data.message | The Site-to-Site VPN log message. | "2062988354": terminating SAs using this connection |
data.tunnelId | The IPSec tunnel OCID of one of the IPSec connection's IPSec tunnels. | ocid1.ipsectunnel.region1.sea.<uniqueId> |
id | Random UUID, unique to each log entry. | e3002eaa-d717-472e-8474-d024943a0f27 |
oracle.compartmentid | OCID of the compartment that the log group belongs to. | ocid1.tenancy.region1..<uniqueId> |
oracle.ingestedtime | Time the log was ingested by Oracle Cloud Infrastructure Logging. | 2021-02-18T18:22:01.453Z |
oracle.loggroupid | OCID of the log group. | ocid1.loggroup.region1.sea.<uniqueId> |
oracle.logid | OCID of the log. | ocid1.log.region1.sea.<uniqueId> |
oracle.tenantid | OCID of the tenant. | ocid1.tenancy.region1..<uniqueId> |
source | OCID of the IPSec connection, which is comprised of two IPSec tunnels. | ocid1.ipsecconnection.region1.sea.<uniqueId> |
specversion | OCI logging schema version. | 1.0 |
time | Time the log was generated in the IPSec tunnel. | 2021-02-18T18:21:52.024Z |
type | Category of the log. Set of possible values: read | com.oraclecloud.vpn.ipseclog.read |
An Example Site-to-Site VPN Log
{
  "data": {
    "message": " \"2062988354\": terminating SAs using this connection",
    "tunnelId": "ocid1.ipsectunnel.region1.sea.uniqueId"
  },
  "id": "e3002eaa-d717-472e-8474-d024943a0f27",
  "oracle": {
    "compartmentid": "ocid1.tenancy.region1..uniqueId",
    "ingestedtime": "2021-02-18T18:22:01.453Z",
    "loggroupid": "ocid1.loggroup.region1.sea.uniqueId",
    "logid": "ocid1.log.region1.sea.uniqueId",
    "tenantid": "ocid1.tenancy.region1..uniqueId"
  },
  "source": "ocid1.ipsecconnection.region1.sea.uniqueId",
  "specversion": "1.0",
  "time": "2021-02-18T18:21:52.024Z",
  "type": "com.oraclecloud.vpn.ipseclog.read"
}
Troubleshooting
An error is displayed on the log details page if you attempt to enable logs for a v1 Site-to-Site VPN connection. Only v2 connections are supported.