Troubleshooting VPN with the QVPN journal

VPN uses a separate journal, called the QVPN journal, to log information about IP traffic and connections. The QVPN journal is stored in the QUSRSYS library; its journal code is M and its journal type is TS. You will rarely use the journal entries on a daily basis. Instead, they are useful for troubleshooting and for verifying that your system, keys, and connections are functioning in the manner that you specified. For example, journal entries help you understand what happens to your data packets, and they keep you informed of your current VPN status.

How to enable the VPN journal

Use the virtual private networking interface in iSeries™ Navigator to activate the VPN journal. There is no single setting that enables logging for all VPN connections at once. Therefore, you must enable the logging function for each individual dynamic-key group or manual connection.

The following steps describe how to enable the journal function for a particular dynamic-key group or manual connection:

  1. In iSeries Navigator, expand your system > Network > IP Policies > Virtual Private Networking > Secure Connections.

  2. For dynamic-key groups, expand By Group, right-click the dynamic-key group for which you want to enable journaling, and select Properties.

  3. For manual connections, expand All Connections and then right-click the manual connection for which you want to enable journaling.

  4. On the General page, select the level of journaling you require. There are four options:

    None

    No journaling occurs for this connection group.

    All

    Journaling occurs for all connection activities, such as starting or stopping a connection, or key refreshes, as well as IP traffic information.

    Connection Activity

    Journaling occurs for such connection activity as starting or stopping a connection.

    IP traffic

    Journaling occurs for all of the VPN traffic that is associated with this connection. A log entry is made every time a filter rule is invoked. The system records IP traffic information in the journal QIPFILTER, which is located in the QUSRSYS library.

  5. Click OK.

  6. Start the connection to activate journaling.

Before you can stop journaling, make sure that the connection is inactive. To change the journaling status of a connection group, make sure that no active connections are associated with that particular group.

How to use the VPN journal

To view the entry-specific details in the VPN journal, you can display the entries on the screen or you can use the output file.

By copying the journal entries to an output file, you can easily view the entries with query utilities such as Query/400 or SQL. You can also write your own high-level language (HLL) programs to process the entries in the output file. The following is an example of the Display Journal (DSPJRN) command:

DSPJRN JRN(QVPN) JRNCDE((M)) ENTTYP((TS)) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4)
    OUTFILE(mylib/myfile) ENTDTALEN(*VARLEN *CALC)

Use the following steps to copy the VPN journal entries to the output file:

  1. Create a copy of the system-supplied output file QSYS/QATOVSOF into a user library. You can do this by using the Create Duplicate Object (CRTDUPOBJ) command. The following is an example of the CRTDUPOBJ command:
    CRTDUPOBJ OBJ(QATOVSOF) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(mylib)
         NEWOBJ(myfile)

  2. Use the Display Journal (DSPJRN) command to copy the entries from the QUSRSYS/QVPN journal to the output file created in the previous step. If you run DSPJRN against an output file that does not exist, the system creates the file for you, but that file does not contain the correct field descriptions.
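The two steps above can be combined into a CL program that first checks whether the output file already exists and duplicates QATOVSOF only when it is missing, so that DSPJRN is never run against a file it would have to create itself (the case with the wrong field descriptions). This is an added example, not a program from the IBM documentation; the program name and the MYLIB/QVPNOUT library and file names are assumed and can be replaced with your own.

```cl
/* CPYQVPN: copy QVPN journal entries to a correctly formatted   */
/* output file. Added example, not from the IBM documentation.   */
/* Call as: CALL CPYQVPN PARM(MYLIB QVPNOUT)  (names are assumed) */
PGM PARM(&LIB &FILE)
  DCL VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL VAR(&FILE) TYPE(*CHAR) LEN(10)

  /* Step 1: make sure the output file exists with the QATOVSOF  */
  /* record format. CHKOBJ sends CPF9801 when the file is not    */
  /* found; only then is the system-supplied file duplicated.    */
  /* Never let DSPJRN create the file itself, because that file  */
  /* lacks the correct field descriptions.                       */
  CHKOBJ OBJ(&LIB/&FILE) OBJTYPE(*FILE)
  MONMSG MSGID(CPF9801) EXEC(DO)
    CRTDUPOBJ OBJ(QATOVSOF) FROMLIB(QSYS) OBJTYPE(*FILE) +
              TOLIB(&LIB) NEWOBJ(&FILE)
  ENDDO

  /* Step 2: copy the QVPN entries (journal code M, entry type   */
  /* TS) into the output file. OUTFILFMT(*TYPE4) matches the     */
  /* QATOVSOF layout; OUTMBR(*FIRST *REPLACE) clears the member  */
  /* so each run produces a fresh extract rather than appending. */
  DSPJRN JRN(QUSRSYS/QVPN) JRNCDE((M)) ENTTYP((TS)) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
         OUTFILE(&LIB/&FILE) OUTMBR(*FIRST *REPLACE) +
         ENTDTALEN(*VARLEN *CALC)
ENDPGM
```

After the program runs, the output file can be queried with SQL or Query/400 as described above; the field names to use are listed in the QVPN journal fields table.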

See QVPN journal fields for a table that describes the fields in the QVPN output file.