Regression #11442

Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets

Added by Jim Pingle about 2 months ago. Updated 3 days ago.

Status: Resolved
Priority: Very High
Assignee:
Category: IPsec
Target version:
Start date: 02/18/2021
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

IPsec tunnels using an identifier type of "Distinguished Name" are not working properly. It appears that the identifier is not being written properly into the swanctl configuration. It's prefixed by an "@" and "fqdn:" when it should be one or the other (not both).

Users can temporarily set the identifier type to Key ID as a workaround.

To me, I have a fix.

Attachment: ipsec-config-11442.xml (1.82 KB), Jim Pingle, 03/11/2021 03:25 PM

Associated revisions

Revision c09137ab (diff)
Added by Jim Pingle about 2 months ago

Do not prefix FQDN IPsec IDs with @. Fixes #11442

Revision 10eb0425 (diff)
Added by Jim Pingle about 2 months ago

Do not prefix FQDN IPsec IDs with @. Fixes #11442

(cherry picked from commit c09137ab4726dc492c658c27b6c46e25f0fbb55b)

History

#1 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Renato Botelho about 2 months ago

  • Target version changed from CE-Next to 2.5.1

#3 Updated by e 1/1 about 2 months ago

Patch 10eb04259fd139c62e08df8de877b71fdd0eedc8 is much appreciated, looking forward to P1 release in order to be able to upgrade test boxes remotely.

#4 Updated by Jim Pingle about 1 month ago

To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.

Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrectly formatted remote identifier in the secrets section:

secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}

On a snapshot with the fix, the id will be correctly formatted:

secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = fqdn:host.example.com
    }
}
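
A small check that flags the malformed identifier form shown in the first block above, added here as an example; it is not code from pfSense or strongSwan. It assumes the typed-prefix list in TYPED_PREFIXES and runs on a constructed sample whose secret value is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Identity-type prefixes strongSwan accepts (assumed subset from memory; check your version).
TYPED_PREFIXES = ("fqdn:", "userfqdn:", "email:", "keyid:", "asn1dn:", "ipv4:", "ipv6:")
SECTION_OPEN = re.compile(r"^\s*([\w-]+)\s*\{\s*$")
ID_LINE = re.compile(r"^\s*id-(\d+)\s*=\s*(\S+)\s*$")

def check_secret_id(value: str) -> Optional[str]:
    """Describe the problem with one secrets id value, or return None if it is fine.
    '@name' marks a literal FQDN-style identity and 'type:value' selects the type
    explicitly; writing both, as in '@fqdn:host', is the malformed form from #11442."""
    if value == "%any":
        return None
    body = value[1:] if value.startswith("@") else value
    if value.startswith("@") and body.lower().startswith(TYPED_PREFIXES):
        return f"'@' combined with a typed prefix: {value}"
    return None

def lint_secrets(conf_text: str) -> List[Tuple[str, str, str]]:
    """Walk swanctl.conf text; report malformed id-N entries under the secrets section."""
    findings: List[Tuple[str, str, str]] = []
    stack: List[str] = []  # names of the sections currently open
    for line in conf_text.splitlines():
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        entry = ID_LINE.match(line)
        if entry and stack and stack[0] == "secrets":
            problem = check_secret_id(entry.group(2))
            if problem:
                findings.append(("/".join(stack), f"id-{entry.group(1)}", problem))
    return findings

# Constructed sample mirroring the report above; the secret value is a placeholder.
BROKEN_CONF = """secrets {
    ike-0 {
        secret = 0sPLACEHOLDER
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}
"""
FIXED_CONF = BROKEN_CONF.replace("@fqdn:", "fqdn:")  # what the patched build writes
```

Run lint_secrets() over the contents of /var/etc/ipsec/swanctl.conf to confirm a box has the corrected formatting after upgrading.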

#5 Updated by Jim Pingle about 1 month ago

  • Subject changed from Distinguished Name (FQDN) IPsec identifier type not working properly to Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets

Updating subject for release notes.

#6 Updated by Max Leighton 3 days ago

  • Status changed from Feedback to Resolved

Tested and it looks good. This can be resolved.