Bug #10505: Mobile PSK users have wrong type in swanctl.conf secrets
Status: Closed (100% done)
Description
When making entries on vpn_ipsec_keys.php, users can be set to a type of PSK or EAP. No matter what the user chooses, in the swanctl.conf secrets {} section the key is prefixed with eap, which prevents PSKs from being recognized for use with IKE.
Updated by Jim Pingle over 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 2c9c2891678fc87dc40359726af81468a3570464.
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Resolved
Confirmed working by the original reporter: https://forum.netgate.com/post/908737
Updated by Viktor Gurov over 4 years ago
Tested on 2.5.0.a.20200428.1204.
Now it sets the 'psk' prefix correctly, but I don't see the 'mobile-userpool' section for the PSK user:
    # This file is automatically generated. Do not edit
    connections {
        bypass {
            remote_addrs = 127.0.0.1
            children {
                bypass {
                    local_ts = 192.168.3.0/24,fc00:5555::/64
                    remote_ts = 192.168.3.0/24,fc00:5555::/64
                    mode = pass
                    start_action = trap
                }
            }
        }
        con-mobile : con-mobile-defaults {
            # Stub to load con-mobile-defaults
        }
        con-mobile-userpool-1 : con-mobile-defaults {
            remote {
                id = userfqdn:test1
                eap_id = %any
            }
            pools = mobile-userpool-1
        }
    }
    ...
    pools {
        mobile-pool-v4 : mobile-pool {
            addrs = 10.33.33.0/24
        }
        mobile-pool-v6 : mobile-pool {
            addrs = fc00:3434::/64
        }
        mobile-userpool-1 : mobile-pool {
            addrs = 10.11.11.1/32
        }
    }
    secrets {
        private-0 {
            file = /var/etc/ipsec/private/cert-1.key
        }
        eap-1 {
            secret = 0sMTIz
            id-0 = test1
        }
        ike-2 {
            secret = 0sMTIz
            id-0 = test2
        }
    }
I set the 10.12.12.1/32 pool for the user test2 in the WebGUI, but I can't see it in swanctl.conf.
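As an added illustration (not pfSense code and not part of this ticket), the Python below parses the secrets {} section of a generated swanctl.conf and reports any mobile user whose entry prefix does not match the key type configured for them, which is exactly the symptom this bug describes; the sample section, the user list and the helper names are constructed for the example.

```python
import re

# Constructed sample of the secrets {} section as pfSense writes it into
# swanctl.conf; values are examples, not taken from a live system.
SECRETS = """secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    eap-1 {
        secret = 0sMTIz
        id-0 = test1
    }
    ike-2 {
        secret = 0sMTIz
        id-0 = test2
    }
}"""

# Constructed user list as configured on vpn_ipsec_keys.php:
# identifier -> key type chosen in the GUI.
USERS = {"test1": "PSK", "test2": "PSK"}

# strongSwan reads IKE pre-shared keys from ike-<n> entries and EAP
# secrets from eap-<n> entries; this prefix is what the bug got wrong.
EXPECTED_PREFIX = {"PSK": "ike", "EAP": "eap"}

ENTRY = re.compile(r"([a-z]+)-(\d+)\s*\{([^}]*)\}")
IDENT = re.compile(r"\bid-\d+\s*=\s*(\S+)")

def parse_secrets(text):
    """Map each id-N identity inside secrets {} to its entry prefix."""
    ids = {}
    for m in ENTRY.finditer(text):
        prefix, body = m.group(1), m.group(3)
        for ident in IDENT.findall(body):
            ids[ident] = prefix
    return ids

def find_mismatches(secrets_text, users):
    """(user, configured type, actual prefix or None) for every user whose
    entry is missing or written under the wrong prefix."""
    actual = parse_secrets(secrets_text)
    return [(u, t, actual.get(u)) for u, t in users.items()
            if actual.get(u) != EXPECTED_PREFIX[t]]

def render_secret(index, ident, secret, ktype):
    """One secrets entry with the prefix matching the configured type."""
    return (f"{EXPECTED_PREFIX[ktype]}-{index} {{\n"
            f"    secret = {secret}\n    id-0 = {ident}\n}}")
```

Running find_mismatches(SECRETS, USERS) flags test1 as a PSK user that ended up under eap-1, while test2 under ike-2 passes.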
Updated by Jim Pingle over 4 years ago
The code in ipsec_setup_userpools() explicitly checks for a type of EAP before making a user pool. I'm not sure if that is strictly required for that feature or not. That would be a separate issue though; if you want to look into that, open a new Redmine with the details.