Regression #11555
closedIPsec peer ID of "Any" does not generate a proper remote definition or related secrets
0%
Description
When a peer identifier is set to "Any" the resulting swanctl.conf remote
block does not contain an id
line. According to the strongSwan docs it should be id = %any
.
Might also need to account for that in the secrets section as well. Though checking briefly here I do see %any in at least one of my configurations.
As a result this seems to be causing strongSwan to match sometimes and not others, but it needs more testing to identify why.
Files
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Jim Pingle almost 4 years ago
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho almost 4 years ago
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
Updated by Jim Pingle almost 4 years ago
- File ipsec-config-11555.xml ipsec-config-11555.xml added
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf
file and the remote
block will be missing the identifier. Additionally, the secrets
block will be missing.
remote { auth = psk }
On a snapshot with the fix, the same tunnel will have an id line in the remote
block, and a secrets
block
remote { id = %any auth = psk } [...] secrets { ike-0 { secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc= id-0 = %any id-1 = %any } }
Updated by Jim Pingle almost 4 years ago
- Subject changed from IPsec peer ID of "Any" is not working consistently to IPsec peer ID of "Any" does not generate a proper remote definition or related secrets
Updating subject for release notes.