Regression #11555
closed
IPsec peer ID of "Any" does not generate a proper remote definition or related secrets
0%
Description
When a peer identifier is set to "Any" the resulting swanctl.conf remote block does not contain an id line. According to the strongSwan docs it should be id = %any.
Might also need to account for that in the secrets section as well. Though checking briefly here I do see %any in at least one of my configurations.
As a result this seems to be causing strongSwan to match sometimes and not others, but it needs more testing to identify why.
Files
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho over 3 years ago
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
Updated by Jim Pingle over 3 years ago
- File ipsec-config-11555.xml ipsec-config-11555.xml added
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf file and the remote block will be missing the identifier. Additionally, the secrets block will be missing.
remote {
auth = psk
}
On a snapshot with the fix, the same tunnel will have an id line in the remote block, and a secrets block
remote {
id = %any
auth = psk
}
[...]
secrets {
ike-0 {
secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
id-0 = %any
id-1 = %any
}
}
Updated by Jim Pingle over 3 years ago
- Subject changed from IPsec peer ID of "Any" is not working consistently to IPsec peer ID of "Any" does not generate a proper remote definition or related secrets
Updating subject for release notes.