Bug #10505

Mobile PSK users have wrong type in swanctl.conf secrets

Added by Jim Pingle 12 months ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/28/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture: All
Release Notes: Default

Description

When making entries on vpn_ipsec_keys.php, users can be set to a type of PSK or EAP. No matter what the user chooses, in the swanctl.conf secrets {} section, the key is prefixed with eap, which prevents PSKs from being recognized for use with IKE.
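The following is an added example and not pfSense's own code: it renders the secrets {} block with the prefix strongSwan expects for each user type (ike-N for a pre-shared key used in IKE authentication, eap-N for an EAP password) and audits an existing swanctl.conf for the mismatch this bug describes. The user list, the 0s base64 secret encoding seen in the config above, and the sample configuration are constructed for the example; the entry-numbering scheme is an assumption.

```python
"""
Added example (not pfSense's own code): emit swanctl.conf secrets entries
with the prefix matching the user's key type, and audit an existing secrets
block for PSK users that were written under an eap- prefix.

Convention used here: ike-<n> entries hold pre-shared keys for IKE
authentication, eap-<n> entries hold EAP user passwords, and a "0s" prefix
marks a base64-encoded secret (as in the config shown on this page).
"""
import base64
import re

# Prefix per user type as selected on vpn_ipsec_keys.php.
PREFIX_FOR_TYPE = {"PSK": "ike", "EAP": "eap"}

ENTRY_RE = re.compile(r"^(ike|eap|xauth)-(\d+)\s*\{$")
ID_RE = re.compile(r"^id-\d+\s*=\s*(\S+)$")


def render_secrets(users):
    """Render a secrets {} block. users: iterable of (ident, type, secret).

    Entries get one running number across all user types (assumption).
    """
    lines = ["secrets {"]
    for n, (ident, utype, secret) in enumerate(users, start=1):
        prefix = PREFIX_FOR_TYPE[utype]
        b64 = base64.b64encode(secret.encode()).decode()
        lines.append(f"    {prefix}-{n} {{")
        lines.append(f"        secret = 0s{b64}")
        lines.append(f"        id-0 = {ident}")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


def parse_secrets(conf_text):
    """Return {identity: prefix} for every user entry inside secrets {}."""
    in_secrets = False
    depth = 0
    current = None
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not in_secrets:
            if line.startswith("secrets") and line.endswith("{"):
                in_secrets, depth = True, 1
            continue
        m = ENTRY_RE.match(line)
        if m and depth == 1:
            current = m.group(1)  # entering ike-N / eap-N / xauth-N
        m = ID_RE.match(line)
        if m and current:
            found[m.group(1)] = current
        depth += line.count("{") - line.count("}")
        if depth == 1:
            current = None  # left the entry
        if depth == 0:
            break  # end of secrets {}
    return found


def audit_secrets(conf_text, users):
    """List (ident, expected_prefix, actual_prefix) for every mismatch."""
    actual = parse_secrets(conf_text)
    problems = []
    for ident, utype, _secret in users:
        expected = PREFIX_FOR_TYPE[utype]
        got = actual.get(ident)
        if got != expected:
            problems.append((ident, expected, got))
    return problems


# Constructed sample mirroring the pre-fix behaviour: test2 is a PSK user
# but was emitted under an eap- prefix, so IKE never finds its key.
BUGGY_CONF = """\
# This file is automatically generated. Do not edit
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    eap-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}
"""

# Constructed user list: "123" is the plaintext behind 0sMTIz.
USERS = [("test1", "EAP", "123"), ("test2", "PSK", "123")]

if __name__ == "__main__":
    print(audit_secrets(BUGGY_CONF, USERS))   # test2 flagged: expected ike, got eap
    print(render_secrets(USERS))               # corrected block
```

Run against a generated swanctl.conf, audit_secrets returns an empty list once every PSK user sits under an ike- entry; any entry it flags is a user whose key IKE will not consult.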

Associated revisions

Revision 2c9c2891 (diff)
Added by Jim Pingle 12 months ago

Use correct prefix for IPsec user keys. Fixes #10505

History

#1 Updated by Jim Pingle 12 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Resolved

Confirmed working by the original reporter: https://forum.netgate.com/post/908737

#3 Updated by Viktor Gurov 12 months ago

Tested on 2.5.0.a.20200428.1204.

Now it sets the 'psk' prefix correctly, but I don't see the 'mobile-userpool' section for the psk user:

# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypass {
                local_ts = 192.168.3.0/24,fc00:5555::/64
                remote_ts = 192.168.3.0/24,fc00:5555::/64
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con-mobile-userpool-1 : con-mobile-defaults {
        remote {
            id = userfqdn:test1
            eap_id = %any
        }
        pools = mobile-userpool-1
    }
}
...
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.33.33.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = fc00:3434::/64
    }
    mobile-userpool-1 : mobile-pool {
        addrs = 10.11.11.1/32
    }
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}

I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but I can't see it in swanctl.conf.

#4 Updated by Jim Pingle 12 months ago

The code in ipsec_setup_userpools() explicitly checks for a type of EAP before making a user pool. I'm not sure if that is strictly required for that feature or not. That would be a separate issue, though; if you want to look into that, open a new Redmine with the details.
