Regression #11442
closed
Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
Added by Jim Pingle almost 4 years ago.
Updated over 3 years ago.
Description
IPsec tunnels using an identifier type of "Distinguished Name" are not working properly. It appears that the identifier is not being written properly into the swanctl configuration. It's prefixed by an "@" and "fqdn:" when it should be one or the other (not both).
Users can temporarily set the identifier type to Key ID as a workaround.
To me, I have a fix.
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Target version changed from CE-Next to 2.5.1
Patch 10eb04259fd139c62e08df8de877b71fdd0eedc8 is much appreciated, looking forward to P1 release in order to be able to upgrade test boxes remotely.
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrectly formatted remote identifier in the secrets section:
```
secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}
```
On a snapshot with the fix, the id will be correctly formatted:
```
secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = fqdn:host.example.com
    }
}
```
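As an added example (not pfSense code and not from any comment in this issue), the following Python script shows the two halves of the problem described above: a hypothetical `swanctl_id()` helper that renders a secrets-section identity using exactly one prefix style, and a `find_malformed_ids()` check that scans a generated swanctl.conf for identities carrying both an `@` and a `type:` prefix, so an operator can verify their own config before and after upgrading. The sample config texts are constructed to match the two snippets above, with the PSK replaced by a placeholder.

```python
import re

# Typed identity prefixes understood by strongSwan/swanctl (assumed subset).
# A leading "@" already marks an FQDN, so "@fqdn:host" is the doubled-up form.
TYPED_PREFIXES = ("fqdn:", "userfqdn:", "keyid:", "ipv4:", "ipv6:",
                  "rfc822:", "email:", "dns:", "asn1dn:")

# Matches "id-N = <identity>" lines inside a swanctl secrets block.
ID_LINE = re.compile(r"^\s*id-\d+\s*=\s*(.+?)\s*$")


def swanctl_id(id_type: str, value: str) -> str:
    """Hypothetical renderer: emit one prefix style, never '@' and 'type:' together."""
    if value == "%any" or id_type == "address":
        return value                      # plain address or wildcard, no prefix
    if id_type == "fqdn":
        return f"fqdn:{value}"            # explicit type prefix, no leading '@'
    if id_type == "keyid":
        return f"keyid:{value}"
    raise ValueError(f"unsupported identifier type {id_type!r}")


def find_malformed_ids(conf_text: str) -> list:
    """Return id values that combine an '@' marker with a typed prefix."""
    bad = []
    for line in conf_text.splitlines():
        m = ID_LINE.match(line)
        if m is None:
            continue
        ident = m.group(1)
        # strip '@'/'@@'/'@#' markers, then look for a type: prefix behind them
        if ident.startswith("@") and ident.lstrip("@#").lower().startswith(TYPED_PREFIXES):
            bad.append(ident)
    return bad


# Constructed sample configs mirroring the buggy and fixed snippets above.
BUGGY_SECRETS = """secrets {
    ike-0 {
        secret = 0sPLACEHOLDER
        id-0 = %any
        id-1 = @fqdn:host.example.com
    }
}"""
FIXED_SECRETS = BUGGY_SECRETS.replace("@fqdn:", "fqdn:")

if __name__ == "__main__":
    print("buggy:", find_malformed_ids(BUGGY_SECRETS))   # ['@fqdn:host.example.com']
    print("fixed:", find_malformed_ids(FIXED_SECRETS))   # []
    print("rendered:", swanctl_id("fqdn", "host.example.com"))
```

Run it against a real file with `find_malformed_ids(open("/var/etc/ipsec/swanctl.conf").read())`; any returned value is an identity that the peer will fail to match.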
- Subject changed from Distinguished Name (FQDN) IPsec identifier type not working properly to Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in ``swanctl.conf`` secrets
Updating subject for release notes.
- Status changed from Feedback to Resolved
Tested and it looks good. This can be resolved.