Project

General

Profile

Actions

Todo #12044

closed

Improve IPsec identifier settings

Added by Jim Pingle over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
06/15/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default

Description

We expose several IPsec identifier types in the GUI. strongSwan supports a few more, plus an automatic type. Additionally, our names aren't ideal (e.g. "Distinguished Name" is really FQDN) so there are likely some improvements to be made there, too.

See https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for the options supported by strongSwan, and its current behavior. The current type:value syntax is already in use for some options, for example:

The following types are known: ipv4, ipv6, ipv4net, ipv6net, ipv4range, ipv6range, rfc822, email, userfqdn, fqdn,
dns, asn1dn, asn1gn and keyid. Custom type prefixes may be specified by surrounding the numerical type value
with curly brackets.

Additionally, we should ensure that if we do validate the various types, that they allow wildcard matching for peer/remote identifiers since it is also supported in strongSwan (See https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf in the notes for connections.<conn>.remote<suffix>.id)

Actions

Also available in: Atom PDF