Regression #11442
Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
Status: Closed
% Done: 100%
Description
IPsec tunnels using an identifier type of "Distinguished Name" are not working properly. It appears that the identifier is not being written properly into the swanctl configuration. It's prefixed by an "@" and "fqdn:" when it should be one or the other (not both).
Users can temporarily set the identifier type to Key ID as a workaround.
To me, I have a fix.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset c09137ab4726dc492c658c27b6c46e25f0fbb55b.
Updated by Renato Botelho over 3 years ago
- Target version changed from CE-Next to 2.5.1
Updated by e 1/1 over 3 years ago
Patch 10eb04259fd139c62e08df8de877b71fdd0eedc8 is much appreciated, looking forward to P1 release in order to be able to upgrade test boxes remotely.
Updated by Jim Pingle over 3 years ago
- File ipsec-config-11442.xml added
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrectly formatted remote identifier in the secrets section:

    secrets {
        ike-0 {
            secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
            id-0 = %any
            id-1 = @fqdn:host.example.com
        }
    }

On a snapshot with the fix, the id will be correctly formatted:

    secrets {
        ike-0 {
            secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
            id-0 = %any
            id-1 = fqdn:host.example.com
        }
    }
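A small check for the symptom described in the comment above, added here as an example and not part of this report or of the pfSense fix: it parses the brace-delimited swanctl.conf syntax and reports every id-N entry in the secrets section that carries both the "@" shorthand and an explicit "type:" prefix, which is the combination the report says is wrong. The two sample blocks are constructed from the broken and fixed renderings shown above; the parser assumes the one-item-per-line layout a generated swanctl.conf has, and the function and constant names are this example's own.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the incorrectly formatted secrets block from the report,
# laid out one item per line as the generated file is.
BROKEN_SECRETS = """secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}
"""

# Constructed sample: the same block as written by a build with the fix.
FIXED_SECRETS = BROKEN_SECRETS.replace("@fqdn:", "fqdn:")

# An identifier that starts with "@" and is then followed by a "type:" prefix,
# e.g. "@fqdn:host.example.com". Either form alone is fine; both together is the bug.
DOUBLE_PREFIX = re.compile(r"^@([A-Za-z0-9]+):")


def parse_swanctl(text: str) -> Dict[str, Any]:
    """Parse swanctl.conf-style text into nested dicts.

    Handles 'key = value' lines and 'name {' ... '}' sections; '#' comments
    and blank lines are ignored. Raises ValueError on unbalanced braces.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            section: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            # Split on the first '=' only: base64 secrets end in '=' padding.
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def malformed_secret_ids(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for each id-N in 'secrets' that has both
    the '@' shorthand and an explicit type prefix."""
    conf = parse_swanctl(text)
    findings: List[Tuple[str, str, str]] = []
    for sec_name, sec in conf.get("secrets", {}).items():
        if not isinstance(sec, dict):
            continue
        for key, value in sec.items():
            if key.startswith("id-") and DOUBLE_PREFIX.match(value):
                findings.append((sec_name, key, value))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SECRETS), ("fixed", FIXED_SECRETS)):
        hits = malformed_secret_ids(sample)
        status = "OK" if not hits else f"{len(hits)} malformed id(s): {hits}"
        print(f"{label}: {status}")
```

Pointing malformed_secret_ids at the contents of /var/etc/ipsec/swanctl.conf on an affected box gives a quick yes/no before and after upgrading; the parser deliberately does not validate the secret values themselves, only the identifier formatting the report is about.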
Updated by Jim Pingle over 3 years ago
- Subject changed from Distinguished Name (FQDN) IPsec identifier type not working properly to Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
Updating subject for release notes.
Updated by Max Leighton over 3 years ago
- Status changed from Feedback to Resolved
Tested and it looks good. This can be resolved.