Regression #11487
IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``
% Done: 100%
Description
Tunnels with expanded IKE connection numbers (e.g. "con100000") are not forming proper child SA con numbers. The numerical part of the name (e.g. "100000") is missing in the child SA names.
Related to #9592
To me, I have a fix.
Associated revisions
Fix child SA name generation. Fixes #11487
(cherry picked from commit eb5bd64face47422285cb883ad44fc5d77c361fa)
History
#1
Updated by Jim Pingle about 2 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset eb5bd64face47422285cb883ad44fc5d77c361fa.
#2
Updated by Renato Botelho about 2 months ago
- Target version changed from CE-Next to 2.5.1
#3
Updated by Jim Pingle about 1 month ago
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrect child name (con0):

```
con100000 {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128gcm128-aesxcbc-curve448
    dpd_delay = 10s
    dpd_timeout = 60s
    rekey_time = 25920s
    reauth_time = 25920s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 198.51.100.15
    remote_addrs = 198.51.100.99
    pools = 
    local {
        id = 198.51.100.15
        auth = psk
    }
    remote {
        id = 198.51.100.99
        auth = psk
    }
    children {
        con0 {
            dpd_action = trap
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = trap
            local_ts = 10.15.0.0/24
            remote_ts = 10.14.0.0/24
            esp_proposals = aes128gcm128-curve448
        }
    }
}
```
On a snapshot with the fix, the same tunnel will have a child with the correct name, con100000:

```
con100000 {
    dpd_action = trap
    mode = tunnel
    policies = yes
    life_time = 3600s
    rekey_time = 3240s
    rand_time = 360s
    start_action = trap
    local_ts = 10.6.0.0/24
    remote_ts = 10.14.0.0/24
    esp_proposals = aes128gcm128-curve448
}
```
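As an added check (not part of pfSense or of this report), the following Python script parses the brace syntax of a generated swanctl.conf and flags child SAs whose name lacks the numeric part of their parent connection, which is the symptom reported here. It runs on abridged copies of the two excerpts above; the naming rule is an assumption taken from this report's description, not a strongSwan requirement.

```python
import re

# Abridged from the swanctl.conf excerpts in this report: the buggy output names
# the child "con0" under connection con100000, dropping the numeric part.
BUGGY = """con100000 { version = 2 local_addrs = 198.51.100.15 remote_addrs = 198.51.100.99
pools = local { id = 198.51.100.15 auth = psk } remote { id = 198.51.100.99 auth = psk }
children { con0 { mode = tunnel local_ts = 10.15.0.0/24 remote_ts = 10.14.0.0/24 } } }"""
# The same tunnel as generated with the fix applied: the child is named con100000.
FIXED = BUGGY.replace("con0 {", "con100000 {")


def parse_swanctl(text):
    """Parse swanctl.conf 'name { ... }' / 'key = value' syntax into nested dicts.
    Minimal by design: no '#' comments, no include directives, no quoted values."""
    toks = re.findall(r"\{|\}|=|[^\s{}=]+", text)
    root, stack, i = {}, [], 0
    cur = root
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "}":                      # close the current section
            cur = stack.pop()
            i += 1
        elif nxt == "{":                    # open a section (reused if repeated)
            stack.append(cur)
            cur = cur.setdefault(tok, {})
            i += 2
        elif nxt == "=":                    # key = value, where value may be empty
            val = toks[i + 2] if i + 2 < len(toks) else None
            after = toks[i + 3] if i + 3 < len(toks) else None
            if val in (None, "}", "=") or after in ("{", "="):
                cur[tok] = ""               # e.g. "pools = " directly followed by "local {"
                i += 2
            else:
                cur[tok] = val
                i += 3
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return root


def child_name_mismatches(cfg):
    """Return (connection, child) pairs whose child SA name does not contain the
    connection's trailing number (assumed rule, based on this report's symptom)."""
    bad = []
    def walk(name, section):
        num = re.search(r"\d+$", name)
        children = section.get("children", {})
        for child in (children if isinstance(children, dict) else {}):
            if num and num.group() not in child:
                bad.append((name, child))
        for key, sub in section.items():
            if key != "children" and isinstance(sub, dict):
                walk(key, sub)
    walk("", cfg)
    return bad


if __name__ == "__main__":
    for label, text in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, child_name_mismatches(parse_swanctl(text)))
```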
#4
Updated by Jim Pingle about 1 month ago
- Subject changed from IPsec tunnels using expanded IKE connection numbers are not getting proper child SA names to IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``
Updating subject for release notes.