
Regression #11555

IPsec peer ID of "Any" does not generate a proper remote definition or related secrets

Added by Jim Pingle about 2 months ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/26/2021
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

When a peer identifier is set to "Any" the resulting swanctl.conf remote block does not contain an id line. According to the strongSwan docs it should be id = %any.

Might also need to account for that in the secrets section as well. Though checking briefly here I do see %any in at least one of my configurations.

As a result this seems to be causing strongSwan to match sometimes and not others, but it needs more testing to identify why.

ipsec-config-11555.xml (1.82 KB) - Jim Pingle, 03/11/2021 03:26 PM

Associated revisions

Revision 4a51b9cd (diff)
Added by Viktor Gurov about 1 month ago

IPsec peer ID Any fix. Issue #11555

Revision f1864df6 (diff)
Added by Viktor Gurov about 1 month ago

IPsec peer ID Any fix. Issue #11555

(cherry picked from commit 4a51b9cd8fd58b26c5c30784b0736cc5757e86fc)

History

#2 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review

#3 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#4 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

#6 Updated by Jim Pingle about 1 month ago

To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.

Check the generated /var/etc/ipsec/swanctl.conf file and the remote block will be missing the identifier. Additionally, the secrets block will be missing.

        remote {
            auth = psk
        }

On a snapshot with the fix, the same tunnel will have an id line in the remote block, and a secrets block.

        remote {
            id = %any
            auth = psk
        }
[...]
secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = %any
    }
}
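
A quick way to verify the condition described in comment #6 on a generated swanctl.conf is a small script that parses the brace-nested key = value format and reports any remote block with no id line, or any PSK connection with no matching secrets entry. The script below is an added example for this ticket, not pfSense code and not part of the fix; the connection name con1, the local address 203.0.113.1, and the PSK value are constructed placeholders, and the two embedded samples mirror the "before" and "after" output shown above.

```python
"""Check a swanctl.conf for the defect in #11555: a remote block without an
id line, and a PSK connection whose id has no secrets entry.
Example code added for illustration; not part of pfSense."""
import sys

# Constructed sample mirroring the "before" output: no id in remote, no secrets.
# con1 and 203.0.113.1 are hypothetical values, not from the ticket.
BROKEN = """\
connections {
    con1 {
        local {
            auth = psk
            id = 203.0.113.1
        }
        remote {
            auth = psk
        }
    }
}
"""

# Constructed sample mirroring the "after" output: id = %any plus a secrets
# block. The secret is a placeholder (base64 of "CONSTRUCTED-SAMPLE"), not a key.
FIXED = """\
connections {
    con1 {
        local {
            auth = psk
            id = 203.0.113.1
        }
        remote {
            id = %any
            auth = psk
        }
    }
}
secrets {
    ike-0 {
        secret = 0sQ09OU1RSVUNURUQtU0FNUExF
        id-0 = %any
        id-1 = %any
    }
}
"""


def parse_swanctl(text):
    """Minimal parser for swanctl.conf: 'name {' opens a section, '}' closes
    it, 'key = value' sets a key. Returns nested dicts; values are strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root


def check_peer_ids(conf):
    """Return a list of problem strings: remote blocks with no id, and PSK
    remotes whose id is not listed in any secrets ike-* entry. A secrets
    entry with id %any is treated as covering every peer."""
    problems = []
    psk_ids = set()
    for name, entry in conf.get("secrets", {}).items():
        if name.startswith("ike") and isinstance(entry, dict):
            psk_ids.update(v for k, v in entry.items() if k.startswith("id"))
    for cname, conn in conf.get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        for bname, block in conn.items():
            if not bname.startswith("remote") or not isinstance(block, dict):
                continue
            rid = block.get("id")
            if rid is None:
                problems.append(
                    f"{cname}/{bname}: no id line (peer ID 'Any' must emit id = %any)")
            elif block.get("auth") == "psk" and rid not in psk_ids and "%any" not in psk_ids:
                problems.append(
                    f"{cname}/{bname}: auth = psk but no secrets ike-* entry lists id {rid}")
    return problems


if __name__ == "__main__":
    # With a path argument (e.g. /var/etc/ipsec/swanctl.conf) check that file;
    # otherwise run against the two embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"BROKEN": BROKEN, "FIXED": FIXED}
    for label, text in samples.items():
        found = check_peer_ids(parse_swanctl(text))
        print(f"{label}: " + ("; ".join(found) if found else "no peer-ID problems found"))
```

Run without arguments it reports the missing id for the "before" sample and nothing for the "after" sample; pointed at the real /var/etc/ipsec/swanctl.conf it flags any tunnel whose remote definition the bug left without an identifier.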

#7 Updated by Jim Pingle about 1 month ago

  • Subject changed from IPsec peer ID of "Any" is not working consistently to IPsec peer ID of "Any" does not generate a proper remote definition or related secrets

Updating subject for release notes.
