Regression #11442
closedDistinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
100%
Description
IPsec tunnels using an identifier type of "Distinguished Name" are not working properly. It appears that the identifier is not being written properly into the swanctl configuration. It's prefixed by an "@" and "fqdn:" when it should be one or the other (not both).
Users can temporarily set the identifier type to Key ID as a workaround.
To me, I have a fix.
Files
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset c09137ab4726dc492c658c27b6c46e25f0fbb55b.
Updated by Renato Botelho almost 4 years ago
- Target version changed from CE-Next to 2.5.1
Updated by e 1/1 almost 4 years ago
Patch 10eb04259fd139c62e08df8de877b71fdd0eedc8 is much appreciated, looking forward to P1 release in order to be able to upgrade test boxes remotely.
Updated by Jim Pingle almost 4 years ago
- File ipsec-config-11442.xml ipsec-config-11442.xml added
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf
file and it will have an incorrectly formatted remote identifier in the secrets
section:
secrets { ike-0 { secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc= id-0 = %any id-1 = @fqdn:host.example.com } }
On a snapshot with the fix, the id will be correctly formatted:
secrets { ike-0 { secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc= id-0 = %any id-1 = fqdn:host.example.com } }
Updated by Jim Pingle almost 4 years ago
- Subject changed from Distinguished Name (FQDN) IPsec identifier type not working properly to Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
Updating subject for release notes.
Updated by Max Leighton over 3 years ago
- Status changed from Feedback to Resolved
Tested and it looks good. This can be resolved.