[apple/ipsec.git] / ipsec-tools / racoon / ipsecSessionTracer.c

/*
 * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#import	 <asl.h>
#include <sys/types.h>
#include "ike_session.h"
#include "ipsecMessageTracer.h"
#include "misc.h"
#include "nattraversal.h"

#define     TRUE	1
#define		FALSE	0
const char *ipsecSessionInvalidEventString = "Invalid Event";
const char *ipsecSessionString			   = "IPSEC";

/* tells us the event's description */
const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = {	CONSTSTR("NONE") /* index place holder */,
																			CONSTSTR("IKE Packet: transmit success"),
																			CONSTSTR("IKE Packet: transmit failed"),
																			CONSTSTR("IKE Packet: receive success"),
																			CONSTSTR("IKE Packet: receive failed"),
																			CONSTSTR("IKEv1 Phase1 Initiator: success"),
																			CONSTSTR("IKEv1 Phase1 Initiator: failed"),
																			CONSTSTR("IKEv1 Phase1 Initiator: dropped"),
																			CONSTSTR("IKEv1 Phase1 Responder: success"),
																			CONSTSTR("IKEv1 Phase1 Responder: failed"),
																			CONSTSTR("IKEv1 Phase1 Responder: drop"),
																			CONSTSTR("IKEv1 Phase1: maximum retransmits"),
																			CONSTSTR("IKEv1 Phase1 AUTH: success"),
																			CONSTSTR("IKEv1 Phase1 AUTH: failed"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: request transmitted"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: response received"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: request retransmitted"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: request received"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: response transmitted"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: response retransmitted"),
																			CONSTSTR("IKEv1 Dead-Peer-Detection: maximum retransmits"),
																			CONSTSTR("IKEv1 Config: retransmited"),
																			CONSTSTR("IKEv1 Mode-Config: success"),
																			CONSTSTR("IKEv1 Mode-Config: failed"),
																			CONSTSTR("IKEv1 Mode-Config: dropped"),
																			CONSTSTR("IKEv1 XAUTH: success"),
																			CONSTSTR("IKEv1 XAUTH: failed"),
																			CONSTSTR("IKEv1 XAUTH: dropped"),
																			CONSTSTR("IKEv1 Phase2 Initiator: success"),
																			CONSTSTR("IKEv1 Phase2 Initiator: failed"),
																			CONSTSTR("IKEv1 Phase2 Initiator: dropped"),
																			CONSTSTR("IKEv1 Phase2 Responder: success"),
																			CONSTSTR("IKEv1 Phase2 Responder: fail"),
																			CONSTSTR("IKEv1 Phase2 Responder: drop"),
																			CONSTSTR("IKEv1 Phase2: maximum retransmits"),
																			CONSTSTR("IKEv1 Phase2 AUTH: success"),
																			CONSTSTR("IKEv1 Phase2 AUTH: failed"),
																			CONSTSTR("IKEv1 Information-Notice: transmit success"),
																			CONSTSTR("IKEv1 Information-Notice: transmit failed"),
																			CONSTSTR("IKEv1 Information-Notice: receive success"),
																			CONSTSTR("IKEv1 Information-Notice: receive failed"),
																		};

/* tells us if we can ignore the failure_reason passed into the event tracer */
const int const ipsecSessionEventIgnoreReason[IPSECSESSIONEVENTCODE_MAX] = {TRUE/* index place holder */,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			FALSE,
																			TRUE,
																			TRUE,
																			FALSE,
																			TRUE,
																			FALSE,
																			TRUE,
																			FALSE,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			FALSE,
																			TRUE,
																			TRUE,
																			FALSE,
																			FALSE,
																			TRUE,
																			FALSE,
																			FALSE,
																			TRUE,
																			FALSE,
																			TRUE,
																			TRUE,
																			FALSE,
																			TRUE,
																			FALSE,
																			TRUE,
																			FALSE,
																			TRUE,
																			TRUE,
																			TRUE,
																			TRUE,
																			};


const char *
ipsecSessionEventCodeToString (ipsecSessionEventCode_t eventCode)
{
	if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX)
		return ipsecSessionInvalidEventString;
	return(ipsecSessionEventStrings[eventCode]);
}

const char *
ipsecSessionGetConnectionDomain (ike_session_t *session)
{
	if (session) {
		if (session->is_cisco_ipsec) {
            if (session->established) {
                return CISCOIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
            } else {
                return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
            }
		} else if (session->is_l2tpvpn_ipsec) {
            if (session->established) {
                return L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
            } else {
                return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
            }
		} else if (session->is_btmm_ipsec) {
            if (session->established) {
                return BTMMIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
            } else {
                return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
            }
		} else {
            if (session->established) {
                return PLAINIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
            } else {
                return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
            }
        }
	}
	return PLAINIPSECDOMAIN;
}

const char *
ipsecSessionGetConnectionLessDomain (ike_session_t *session)
{
	if (session) {
		if (session->is_cisco_ipsec) {
            return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
		} else if (session->is_l2tpvpn_ipsec) {
            return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
		} else if (session->is_btmm_ipsec) {
            return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
		} else {
            return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
        }
	}
	return PLAINIPSECDOMAIN;
}

const char *
ipsecSessionGetPhaseDomain (ike_session_t *session)
{
	if (session) {
		if (session->is_cisco_ipsec) {
			return CISCOIPSECVPN_PHASE_DOMAIN;
		} else if (session->is_l2tpvpn_ipsec) {
			return L2TPIPSECVPN_PHASE_DOMAIN;
		} else if (session->is_btmm_ipsec) {
			return BTMMIPSEC_PHASE_DOMAIN;
		}
	}
	return PLAINIPSEC_PHASE_DOMAIN;
}

static
void
ipsecSessionLogEvent (ike_session_t *session, const char *event_msg)
{
	aslmsg m;

	if (!event_msg) {
		return;
	}

	m = asl_new(ASL_TYPE_MSG);
	asl_set(m, ASL_KEY_FACILITY, ipsecSessionGetPhaseDomain(session));
	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
	asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
	asl_free(m);
}

void
ipsecSessionTracerStart (ike_session_t *session)
{
	if (session == NULL) {
		return;
	}
	bzero(&session->stats, sizeof(session->stats));
	bzero(&session->stop_timestamp, sizeof(session->stop_timestamp));
	bzero(&session->estab_timestamp, sizeof(session->estab_timestamp));
	gettimeofday(&session->start_timestamp, NULL);
	ipsecSessionLogEvent(session, CONSTSTR("Connecting."));
}

void
ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCode, const char *event, const char *failure_reason)
{
	char buf[1024];

	if (session == NULL) {
		ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
		return;
	}
	if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX) {
		ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event code)."));
		return;
	}
	if (event == NULL) {
		ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event)."));
		return;
	}

	if (failure_reason) {
		if (!session->term_reason &&
            !ipsecSessionEventIgnoreReason[eventCode]) {
			session->term_reason = failure_reason;
		}
	}

	session->stats.counters[eventCode]++;
	buf[0] = (char)0;
	snprintf(buf, sizeof(buf), "%s. (%s).", ipsecSessionEventCodeToString(eventCode), event);
	ipsecSessionLogEvent(session, CONSTSTR(buf));
}

static void
ipsecSessionTracerLogFailureRate (ike_session_t *session, const char *signature, double failure_rate)
{
	aslmsg		m;
	char		buf[128];
	const char *domain = ipsecSessionGetPhaseDomain(session);

	if (!signature || failure_rate <= 0.001) {
		return;
	}

	m = asl_new(ASL_TYPE_MSG);
	asl_set(m, "com.apple.message.domain", domain);
	asl_set(m, ASL_KEY_FACILITY, domain);
	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
    asl_set(m, "com.apple.message.result", "noop");
	asl_set(m, "com.apple.message.signature", signature);
	snprintf(buf, sizeof(buf), "%.3f", failure_rate);
	asl_set(m, "com.apple.message.value", buf);	// stuff the up time into value
	asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s. (Failure-Rate = %s).", signature, buf);
	asl_free(m);
}

static void
ipsecSessionTracerLogStop (ike_session_t *session, int caused_by_failure, const char *reason)
{
	aslmsg      m;
	char        nat_buf[128];
	char        buf[128];
	const char *domain = (session->established)? ipsecSessionGetConnectionDomain(session) : ipsecSessionGetConnectionLessDomain(session);

	m = asl_new(ASL_TYPE_MSG);
	asl_set(m, "com.apple.message.domain", domain);
	asl_set(m, ASL_KEY_FACILITY, domain);
	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
    if (caused_by_failure ||
        (reason && reason != ike_session_stopped_by_flush && reason != ike_session_stopped_by_vpn_disconnect)) {
        asl_set(m, "com.apple.message.result", CONSTSTR("failure"));	// failure
    } else {
        asl_set(m, "com.apple.message.result", CONSTSTR("success"));	// success
    }
	if (reason) {
        if (session->natt_flags & NAT_DETECTED_ME) {
            snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Me", reason);
            asl_set(m, "com.apple.message.signature", nat_buf);
        } else if (session->natt_flags & NAT_DETECTED_PEER) {
            snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Peer", reason);
            asl_set(m, "com.apple.message.signature", nat_buf);
        } else {
            asl_set(m, "com.apple.message.signature", reason);
        }
	} else {
		// reason was NULL; make sure success/failure have different signature
		if (caused_by_failure) {
			asl_set(m, "com.apple.message.signature", CONSTSTR("Internal/Server-side error"));
		} else {
			asl_set(m, "com.apple.message.signature", CONSTSTR("User/System initiated the disconnect"));
		}
	}
	if (session->established) {
		snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->estab_timestamp, &session->stop_timestamp));
		asl_set(m, "com.apple.message.value", buf);	// stuff the up time into value
		asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection was up for, %s seconds).", buf);
	} else {
		snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->start_timestamp, &session->stop_timestamp));
		asl_set(m, "com.apple.message.value2", buf);	/// stuff the negoing time into value2
		asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection tried to negotiate for, %s seconds).", buf);
	}
	asl_free(m);
}

void
ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const char *reason)
{
	if (session == NULL) {
		return;
	}

	gettimeofday(&session->stop_timestamp, NULL);

	ipsecSessionTracerLogStop(session, caused_by_failure, reason);

	// go thru counters logging failure-rate events
	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL]) {
		ipsecSessionTracerLogFailureRate(session,
										 CONSTSTR("IKE Packets Transmit Failure-Rate Statistic"),
										 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC]));
	}
	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL]) {
		ipsecSessionTracerLogFailureRate(session,
										 CONSTSTR("IKE Packets Receive Failure-Rate Statistic"),
										 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC]));
	}
	if (session->version == IKE_VERSION_1) {
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] ||
			session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] ||
			session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase1 Failure-Rate Statistic"),
											 get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] + 
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]),
                                                            (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC])));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase1 Initiator Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase1 Responder Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase1 Authentication Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Dead-Peer-Detection Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT],
                                                            (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ])));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] ||
			session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Dead-Peer-Detect Retransmit-Rate Statistic"),
											 get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]),
                                                            (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_REQ])));
		}		
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE MODE-Config Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE XAUTH Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] ||
			session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] ||
			session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase2 Failure-Rate Statistic"),
											 get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] + 
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]),
                                                            (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC] +
                                                                     session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL])));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase2 Initiator Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase2 Responder Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Phase2 Authentication Failure-Rate Statistics"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_SUCC]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Information-Notice Transmit Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]));
		}
		if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL]) {
			ipsecSessionTracerLogFailureRate(session,
											 CONSTSTR("IKE Information-Notice Receive Failure-Rate Statistic"),
											 get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_SUCC]));
		}
	}
}

void
ipsecSessionTracerLogEstablished (ike_session_t *session)
{
	aslmsg      m;
	const char *domain = ipsecSessionGetConnectionLessDomain(session);

	m = asl_new(ASL_TYPE_MSG);
	asl_set(m, "com.apple.message.domain", domain);
	asl_set(m, ASL_KEY_FACILITY, domain);
	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
    asl_set(m, "com.apple.message.result", "success");	// success
    asl_set(m, "com.apple.message.signature", "success");
    asl_log(NULL, m, ASL_LEVEL_NOTICE, "Connected.");
	asl_free(m);
}
Commit	Line	Data
d1e348cf A	1	/*
	2	* Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22
	23	#include <stdlib.h>
	24	#include <stdio.h>
	25	#include <string.h>
	26	#import <asl.h>
	27	#include <sys/types.h>
	28	#include "ike_session.h"
	29	#include "ipsecMessageTracer.h"
	30	#include "misc.h"
	31	#include "nattraversal.h"
	32
	33	#define TRUE 1
	34	#define FALSE 0
	35	const char *ipsecSessionInvalidEventString = "Invalid Event";
	36	const char *ipsecSessionString = "IPSEC";
	37
	38	/* tells us the event's description */
	39	const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = { CONSTSTR("NONE") /* index place holder */,
	40	CONSTSTR("IKE Packet: transmit success"),
	41	CONSTSTR("IKE Packet: transmit failed"),
	42	CONSTSTR("IKE Packet: receive success"),
	43	CONSTSTR("IKE Packet: receive failed"),
	44	CONSTSTR("IKEv1 Phase1 Initiator: success"),
	45	CONSTSTR("IKEv1 Phase1 Initiator: failed"),
	46	CONSTSTR("IKEv1 Phase1 Initiator: dropped"),
	47	CONSTSTR("IKEv1 Phase1 Responder: success"),
	48	CONSTSTR("IKEv1 Phase1 Responder: failed"),
	49	CONSTSTR("IKEv1 Phase1 Responder: drop"),
	50	CONSTSTR("IKEv1 Phase1: maximum retransmits"),
	51	CONSTSTR("IKEv1 Phase1 AUTH: success"),
	52	CONSTSTR("IKEv1 Phase1 AUTH: failed"),
	53	CONSTSTR("IKEv1 Dead-Peer-Detection: request transmitted"),
	54	CONSTSTR("IKEv1 Dead-Peer-Detection: response received"),
	55	CONSTSTR("IKEv1 Dead-Peer-Detection: request retransmitted"),
	56	CONSTSTR("IKEv1 Dead-Peer-Detection: request received"),
	57	CONSTSTR("IKEv1 Dead-Peer-Detection: response transmitted"),
	58	CONSTSTR("IKEv1 Dead-Peer-Detection: response retransmitted"),
	59	CONSTSTR("IKEv1 Dead-Peer-Detection: maximum retransmits"),
	60	CONSTSTR("IKEv1 Config: retransmited"),
	61	CONSTSTR("IKEv1 Mode-Config: success"),
	62	CONSTSTR("IKEv1 Mode-Config: failed"),
	63	CONSTSTR("IKEv1 Mode-Config: dropped"),
	64	CONSTSTR("IKEv1 XAUTH: success"),
65	CONSTSTR("IKEv1 XAUTH: failed"),
66	CONSTSTR("IKEv1 XAUTH: dropped"),
67	CONSTSTR("IKEv1 Phase2 Initiator: success"),
68	CONSTSTR("IKEv1 Phase2 Initiator: failed"),
69	CONSTSTR("IKEv1 Phase2 Initiator: dropped"),
70	CONSTSTR("IKEv1 Phase2 Responder: success"),
71	CONSTSTR("IKEv1 Phase2 Responder: fail"),
72	CONSTSTR("IKEv1 Phase2 Responder: drop"),
73	CONSTSTR("IKEv1 Phase2: maximum retransmits"),
74	CONSTSTR("IKEv1 Phase2 AUTH: success"),
75	CONSTSTR("IKEv1 Phase2 AUTH: failed"),
76	CONSTSTR("IKEv1 Information-Notice: transmit success"),
77	CONSTSTR("IKEv1 Information-Notice: transmit failed"),
78	CONSTSTR("IKEv1 Information-Notice: receive success"),
79	CONSTSTR("IKEv1 Information-Notice: receive failed"),
80	};
81
82	/* tells us if we can ignore the failure_reason passed into the event tracer */
83	const int const ipsecSessionEventIgnoreReason[IPSECSESSIONEVENTCODE_MAX] = {TRUE/* index place holder */,
84	TRUE,
85	TRUE,
86	TRUE,
87	TRUE,
88	TRUE,
89	FALSE,
90	TRUE,
91	TRUE,
92	FALSE,
93	TRUE,
94	FALSE,
95	TRUE,
96	FALSE,
97	TRUE,
98	TRUE,
99	TRUE,
100	TRUE,
101	TRUE,
102	TRUE,
103	FALSE,
104	TRUE,
105	TRUE,
106	FALSE,
107	FALSE,
108	TRUE,
109	FALSE,
110	FALSE,
111	TRUE,
112	FALSE,
113	TRUE,
114	TRUE,
115	FALSE,
116	TRUE,
117	FALSE,
118	TRUE,
119	FALSE,
120	TRUE,
121	TRUE,
122	TRUE,
123	TRUE,
124	};
125
126
127	const char *
128	ipsecSessionEventCodeToString (ipsecSessionEventCode_t eventCode)
129	{
130	if (eventCode <= IPSECSESSIONEVENTCODE_NONE \|\| eventCode >= IPSECSESSIONEVENTCODE_MAX)
131	return ipsecSessionInvalidEventString;
132	return(ipsecSessionEventStrings[eventCode]);
133	}
134
135	const char *
136	ipsecSessionGetConnectionDomain (ike_session_t *session)
137	{
138	if (session) {
139	if (session->is_cisco_ipsec) {
140	if (session->established) {
141	return CISCOIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
142	} else {
143	return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
144	}
145	} else if (session->is_l2tpvpn_ipsec) {
146	if (session->established) {
147	return L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
148	} else {
149	return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
150	}
151	} else if (session->is_btmm_ipsec) {
152	if (session->established) {
153	return BTMMIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
154	} else {
155	return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
156	}
157	} else {
158	if (session->established) {
159	return PLAINIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
160	} else {
161	return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
162	}
163	}
164	}
165	return PLAINIPSECDOMAIN;
166	}
167
168	const char *
169	ipsecSessionGetConnectionLessDomain (ike_session_t *session)
170	{
171	if (session) {
172	if (session->is_cisco_ipsec) {
173	return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
174	} else if (session->is_l2tpvpn_ipsec) {
175	return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
176	} else if (session->is_btmm_ipsec) {
177	return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
178	} else {
179	return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
180	}
181	}
182	return PLAINIPSECDOMAIN;
183	}
184
185	const char *
186	ipsecSessionGetPhaseDomain (ike_session_t *session)
187	{
188	if (session) {
189	if (session->is_cisco_ipsec) {
190	return CISCOIPSECVPN_PHASE_DOMAIN;
191	} else if (session->is_l2tpvpn_ipsec) {
192	return L2TPIPSECVPN_PHASE_DOMAIN;
193	} else if (session->is_btmm_ipsec) {
194	return BTMMIPSEC_PHASE_DOMAIN;
195	}
196	}
197	return PLAINIPSEC_PHASE_DOMAIN;
198	}
199
200	static
201	void
202	ipsecSessionLogEvent (ike_session_t session, const char event_msg)
203	{
204	aslmsg m;
205
206	if (!event_msg) {
207	return;
208	}
209
210	m = asl_new(ASL_TYPE_MSG);
211	asl_set(m, ASL_KEY_FACILITY, ipsecSessionGetPhaseDomain(session));
212	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
213	asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
214	asl_free(m);
215	}
216
217	void
218	ipsecSessionTracerStart (ike_session_t *session)
219	{
220	if (session == NULL) {
221	return;
222	}
223	bzero(&session->stats, sizeof(session->stats));
224	bzero(&session->stop_timestamp, sizeof(session->stop_timestamp));
225	bzero(&session->estab_timestamp, sizeof(session->estab_timestamp));
226	gettimeofday(&session->start_timestamp, NULL);
227	ipsecSessionLogEvent(session, CONSTSTR("Connecting."));
228	}
229
230	void
231	ipsecSessionTracerEvent (ike_session_t session, ipsecSessionEventCode_t eventCode, const char event, const char *failure_reason)
232	{
233	char buf[1024];
234
235	if (session == NULL) {
236	ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
237	return;
238	}
239	if (eventCode <= IPSECSESSIONEVENTCODE_NONE \|\| eventCode >= IPSECSESSIONEVENTCODE_MAX) {
240	ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event code)."));
241	return;
242	}
243	if (event == NULL) {
244	ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event)."));
245	return;
246	}
247
248	if (failure_reason) {
249	if (!session->term_reason &&
250	!ipsecSessionEventIgnoreReason[eventCode]) {
251	session->term_reason = failure_reason;
252	}
253	}
254
255	session->stats.counters[eventCode]++;
256	buf[0] = (char)0;
257	snprintf(buf, sizeof(buf), "%s. (%s).", ipsecSessionEventCodeToString(eventCode), event);
258	ipsecSessionLogEvent(session, CONSTSTR(buf));
259	}
260
261	static void
262	ipsecSessionTracerLogFailureRate (ike_session_t session, const char signature, double failure_rate)
263	{
264	aslmsg m;
265	char buf[128];
266	const char *domain = ipsecSessionGetPhaseDomain(session);
267
268	if (!signature \|\| failure_rate <= 0.001) {
269	return;
270	}
271
272	m = asl_new(ASL_TYPE_MSG);
273	asl_set(m, "com.apple.message.domain", domain);
274	asl_set(m, ASL_KEY_FACILITY, domain);
275	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
276	asl_set(m, "com.apple.message.result", "noop");
277	asl_set(m, "com.apple.message.signature", signature);
278	snprintf(buf, sizeof(buf), "%.3f", failure_rate);
279	asl_set(m, "com.apple.message.value", buf); // stuff the up time into value
280	asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s. (Failure-Rate = %s).", signature, buf);
281	asl_free(m);
282	}
283
284	static void
285	ipsecSessionTracerLogStop (ike_session_t session, int caused_by_failure, const char reason)
286	{
287	aslmsg m;
288	char nat_buf[128];
289	char buf[128];
290	const char *domain = (session->established)? ipsecSessionGetConnectionDomain(session) : ipsecSessionGetConnectionLessDomain(session);
291
292	m = asl_new(ASL_TYPE_MSG);
293	asl_set(m, "com.apple.message.domain", domain);
294	asl_set(m, ASL_KEY_FACILITY, domain);
295	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
296	if (caused_by_failure \|\|
297	(reason && reason != ike_session_stopped_by_flush && reason != ike_session_stopped_by_vpn_disconnect)) {
298	asl_set(m, "com.apple.message.result", CONSTSTR("failure")); // failure
299	} else {
300	asl_set(m, "com.apple.message.result", CONSTSTR("success")); // success
301	}
302	if (reason) {
303	if (session->natt_flags & NAT_DETECTED_ME) {
304	snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Me", reason);
305	asl_set(m, "com.apple.message.signature", nat_buf);
306	} else if (session->natt_flags & NAT_DETECTED_PEER) {
307	snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Peer", reason);
308	asl_set(m, "com.apple.message.signature", nat_buf);
309	} else {
310	asl_set(m, "com.apple.message.signature", reason);
311	}
312	} else {
313	// reason was NULL; make sure success/failure have different signature
314	if (caused_by_failure) {
315	asl_set(m, "com.apple.message.signature", CONSTSTR("Internal/Server-side error"));
316	} else {
317	asl_set(m, "com.apple.message.signature", CONSTSTR("User/System initiated the disconnect"));
318	}
319	}
320	if (session->established) {
321	snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->estab_timestamp, &session->stop_timestamp));
322	asl_set(m, "com.apple.message.value", buf); // stuff the up time into value
323	asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection was up for, %s seconds).", buf);
324	} else {
325	snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->start_timestamp, &session->stop_timestamp));
326	asl_set(m, "com.apple.message.value2", buf); /// stuff the negoing time into value2
327	asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection tried to negotiate for, %s seconds).", buf);
328	}
329	asl_free(m);
330	}
331
332	void
333	ipsecSessionTracerStop (ike_session_t session, int caused_by_failure, const char reason)
334	{
335	if (session == NULL) {
336	return;
337	}
338
339	gettimeofday(&session->stop_timestamp, NULL);
340
341	ipsecSessionTracerLogStop(session, caused_by_failure, reason);
342
343	// go thru counters logging failure-rate events
344	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL]) {
345	ipsecSessionTracerLogFailureRate(session,
346	CONSTSTR("IKE Packets Transmit Failure-Rate Statistic"),
347	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC]));
348	}
349	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL]) {
350	ipsecSessionTracerLogFailureRate(session,
351	CONSTSTR("IKE Packets Receive Failure-Rate Statistic"),
352	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC]));
353	}
354	if (session->version == IKE_VERSION_1) {
355	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] \|\|
356	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] \|\|
357	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
358	ipsecSessionTracerLogFailureRate(session,
359	CONSTSTR("IKE Phase1 Failure-Rate Statistic"),
360	get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] +
361	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] +
362	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]),
363	(double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC] +
364	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC])));
365	}
366	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL]) {
367	ipsecSessionTracerLogFailureRate(session,
368	CONSTSTR("IKE Phase1 Initiator Failure-Rate Statistic"),
369	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC]));
370	}
371	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
372	ipsecSessionTracerLogFailureRate(session,
373	CONSTSTR("IKE Phase1 Responder Failure-Rate Statistic"),
374	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC]));
375	}
376	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL]) {
377	ipsecSessionTracerLogFailureRate(session,
378	CONSTSTR("IKE Phase1 Authentication Failure-Rate Statistic"),
379	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC]));
380	}
381	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT]) {
382	ipsecSessionTracerLogFailureRate(session,
383	CONSTSTR("IKE Dead-Peer-Detection Failure-Rate Statistic"),
384	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT],
385	(double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT] +
386	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ])));
387	}
388	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] \|\|
389	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]) {
390	ipsecSessionTracerLogFailureRate(session,
391	CONSTSTR("IKE Dead-Peer-Detect Retransmit-Rate Statistic"),
392	get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] +
393	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]),
394	(double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ] +
395	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_REQ])));
396	}
397	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL]) {
398	ipsecSessionTracerLogFailureRate(session,
399	CONSTSTR("IKE MODE-Config Failure-Rate Statistic"),
400	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_SUCC]));
401	}
402	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL]) {
403	ipsecSessionTracerLogFailureRate(session,
404	CONSTSTR("IKE XAUTH Failure-Rate Statistic"),
405	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC]));
406	}
407	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] \|\|
408	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] \|\|
409	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
410	ipsecSessionTracerLogFailureRate(session,
411	CONSTSTR("IKE Phase2 Failure-Rate Statistic"),
412	get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] +
413	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] +
414	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]),
415	(double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC] +
416	session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL])));
417	}
418	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL]) {
419	ipsecSessionTracerLogFailureRate(session,
420	CONSTSTR("IKE Phase2 Initiator Failure-Rate Statistic"),
421	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC]));
422	}
423	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
424	ipsecSessionTracerLogFailureRate(session,
425	CONSTSTR("IKE Phase2 Responder Failure-Rate Statistic"),
426	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC]));
427	}
428	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL]) {
429	ipsecSessionTracerLogFailureRate(session,
430	CONSTSTR("IKE Phase2 Authentication Failure-Rate Statistics"),
431	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_SUCC]));
432	}
433	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]) {
434	ipsecSessionTracerLogFailureRate(session,
435	CONSTSTR("IKE Information-Notice Transmit Failure-Rate Statistic"),
436	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]));
437	}
438	if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL]) {
439	ipsecSessionTracerLogFailureRate(session,
440	CONSTSTR("IKE Information-Notice Receive Failure-Rate Statistic"),
441	get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_SUCC]));
442	}
443	}
444	}
445
446	void
447	ipsecSessionTracerLogEstablished (ike_session_t *session)
448	{
449	aslmsg m;
450	const char *domain = ipsecSessionGetConnectionLessDomain(session);
451
452	m = asl_new(ASL_TYPE_MSG);
453	asl_set(m, "com.apple.message.domain", domain);
454	asl_set(m, ASL_KEY_FACILITY, domain);
455	asl_set(m, ASL_KEY_MSG, ipsecSessionString);
456	asl_set(m, "com.apple.message.result", "success"); // success
457	asl_set(m, "com.apple.message.signature", "success");
458	asl_log(NULL, m, ASL_LEVEL_NOTICE, "Connected.");
459	asl_free(m);
460	}