Project

General

Profile

Actions

Regression #11442

closed

Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets

Added by Jim Pingle 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
IPsec
Target version:
Start date:
02/18/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

IPsec tunnels using an identifier type of "Distinguished Name" are not working properly. It appears that the identifier is not being written properly into the swanctl configuration. It's prefixed by an "@" and "fqdn:" when it should be one or the other (not both).

Users can temporarily set the identifier type to Key ID as a workaround.

To me, I have a fix.


Files

ipsec-config-11442.xml (1.82 KB) ipsec-config-11442.xml Jim Pingle, 03/11/2021 03:25 PM
Actions #1

Updated by Jim Pingle 7 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Renato Botelho 7 months ago

  • Target version changed from CE-Next to 2.5.1
Actions #3

Updated by e 1/1 7 months ago

Patch 10eb04259fd139c62e08df8de877b71fdd0eedc8 is much appreciated, looking forward to P1 release in order to be able to upgrade test boxes remotely.

Actions #4

Updated by Jim Pingle 7 months ago

To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.

Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrectly formatted remote identifier in the secrets section:

secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}

On a snapshot with the fix, the id will be correctly formatted:

secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = fqdn:host.example.com
    }
}
Actions #5

Updated by Jim Pingle 7 months ago

  • Subject changed from Distinguished Name (FQDN) IPsec identifier type not working properly to Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets

Updating subject for release notes.

Actions #6

Updated by Max Leighton 6 months ago

  • Status changed from Feedback to Resolved

Tested and it looks good. This can be resolved.

Actions

Also available in: Atom PDF