
Bug #10505

Mobile PSK users have wrong type in swanctl.conf secrets

Added by Jim Pingle 6 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/28/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture: All

Description

When making entries on vpn_ipsec_keys.php, users can be set to a type of PSK or EAP. No matter what the user chooses, in the swanctl.conf secrets {} section, the key is prefixed with eap, which prevents PSKs from being recognized for use with IKE.
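To make the mismatch concrete, here is an added example (not pfSense code) that renders the secrets {} section with the prefix each user type needs and, separately, scans a generated swanctl.conf to report PSK users whose key was filed under eap. The PREFIX_FOR_TYPE mapping, the helper names and the sample configuration are assumptions constructed for this illustration; the sample is modelled on the output shown later in this report.

```python
import base64
import re

# Added example, not pfSense code. Maps the user type chosen on
# vpn_ipsec_keys.php to the prefix strongSwan expects in swanctl.conf's
# secrets {} section: "ike" entries are IKE pre-shared keys, "eap" entries
# are only consulted by EAP methods, so a PSK user filed under "eap" is never
# matched during IKE authentication (the defect described above).
PREFIX_FOR_TYPE = {"PSK": "ike", "EAP": "eap"}


def render_secrets(users):
    """Render a secrets {} section from (identity, type, secret) tuples.

    Secrets are written base64-encoded with strongSwan's "0s" marker, the
    same encoding the report shows (0sMTIz is base64 for "123").
    """
    lines = ["secrets {"]
    for n, (ident, utype, secret) in enumerate(users, start=1):
        prefix = PREFIX_FOR_TYPE[utype.upper()]
        encoded = "0s" + base64.b64encode(secret.encode()).decode()
        lines += [
            f"    {prefix}-{n} {{",
            f"        secret = {encoded}",
            f"        id-0 = {ident}",
            "    }",
        ]
    lines.append("}")
    return "\n".join(lines)


ENTRY_RE = re.compile(r"^(ike|eap)-\d+\s*\{$")
FIELD_RE = re.compile(r"^([\w-]+)\s*=\s*(\S+)$")


def parse_secrets(conf_text):
    """Return {identity: prefix} for every ike-*/eap-* entry in secrets {}.

    Other entries (private-*, certificate files) are skipped; brace depth is
    tracked so the parser stops at the end of the secrets section.
    """
    found = {}
    in_secrets = False
    depth = 0
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not in_secrets:
            if line.startswith("secrets") and line.endswith("{"):
                in_secrets, depth = True, 1
            continue
        m = ENTRY_RE.match(line)
        if m and depth == 1:
            current, depth = m.group(1), 2
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth <= 1:
                current = None
            if depth == 0:
                break
            continue
        f = FIELD_RE.match(line)
        if f and current and f.group(1).startswith("id-"):
            found[f.group(2)] = current
    return found


def wrong_prefixes(conf_text, user_types):
    """List (identity, prefix_in_file, expected_prefix) for mismatched users."""
    found = parse_secrets(conf_text)
    return [
        (ident, found[ident], PREFIX_FOR_TYPE[utype.upper()])
        for ident, utype in user_types.items()
        if ident in found and found[ident] != PREFIX_FOR_TYPE[utype.upper()]
    ]


# Constructed sample modelled on the report: test2 was configured as a PSK
# user, but the generated file filed its key under the eap prefix.
BUGGY_CONF = """\
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    eap-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}
"""
USER_TYPES = {"test1": "EAP", "test2": "PSK"}

if __name__ == "__main__":
    for ident, got, want in wrong_prefixes(BUGGY_CONF, USER_TYPES):
        print(f"{ident}: filed as {got}-*, should be {want}-*")
    print(render_secrets([("test1", "EAP", "123"), ("test2", "PSK", "123")]))
```

Running the script reports test2 as filed under eap when ike was expected, then prints a section where the EAP user keeps the eap prefix and the PSK user gets ike. The checker is useful after an upgrade: pass it the live swanctl.conf and the user list from the GUI, and any non-empty result means IKE will not find that user's PSK.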

Associated revisions

Revision 2c9c2891 (diff)
Added by Jim Pingle 6 months ago

Use correct prefix for IPsec user keys. Fixes #10505

History

#1 Updated by Jim Pingle 6 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

Confirmed working by the original reporter: https://forum.netgate.com/post/908737

#3 Updated by Viktor Gurov 6 months ago

Tested on 2.5.0.a.20200428.1204.

Now it sets the 'psk' prefix correctly, but I don't see the 'mobile-userpool' section for the psk user:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
...
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}

I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but can't see it in swanctl.conf.

#4 Updated by Jim Pingle 6 months ago

The code in ipsec_setup_userpools() explicitly checks for a type of EAP before making a user pool. I'm not sure if that is strictly required for that feature or not. That would be a separate issue though, if you want to look into that, open a new Redmine with the details.
