Regression #11555

closed

IPsec peer ID of "Any" does not generate a proper remote definition or related secrets

Added by Jim Pingle 8 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/26/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

When a peer identifier is set to "Any" the resulting swanctl.conf remote block does not contain an id line. According to the strongSwan docs it should be id = %any.

Might also need to account for that in the secrets section. Though checking briefly here I do see %any in at least one of my configurations.

As a result this seems to be causing strongSwan to match sometimes and not others, but it needs more testing to identify why.


Files

ipsec-config-11555.xml (1.82 KB), Jim Pingle, 03/11/2021 03:26 PM

#2

Updated by Jim Pingle 8 months ago

  • Status changed from New to Pull Request Review
#3

Updated by Renato Botelho 8 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#4

Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1
#5

Updated by Renato Botelho 8 months ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

#6

Updated by Jim Pingle 8 months ago

To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.

Check the generated /var/etc/ipsec/swanctl.conf file and the remote block will be missing the identifier. Additionally, the secrets block will be missing.

        remote {
            auth = psk
        }

On a snapshot with the fix, the same tunnel will have an id line in the remote block, and a secrets block:

        remote {
            id = %any
            auth = psk
        }
[...]
secrets {
    ike-0 {
        secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
        id-0 = %any
        id-1 = %any
    }
}
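A quick way to verify the condition described in the comment above on a generated file, added here as an example and not part of the issue thread or the pfSense code: a small parser for the swanctl.conf brace syntax (assumed simplified, no include directives) plus a check that every remote block carries an id line and that a secrets block exists. The two sample configurations are constructed to mirror the before/after snippets above, with a placeholder secret.

```python
# Constructed sample mirroring the broken output: remote block without id, no secrets.
BROKEN_CONF = """
connections {
    con1 {
        remote {
            auth = psk
        }
    }
}
"""

# Constructed sample mirroring the fixed output (secret value is a placeholder).
FIXED_CONF = """
connections {
    con1 {
        remote {
            id = %any
            auth = psk
        }
    }
}
secrets {
    ike-0 {
        secret = 0sPLACEHOLDER
        id-0 = %any
        id-1 = %any
    }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf 'name { key = value }' syntax into nested dicts."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):  # open a nested section
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":  # close the current section
            cur = stack.pop()
        elif "=" in line:  # key = value pair
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return root


def check_any_peer(conf):
    """Return findings for remote blocks lacking an id and for a missing secrets block."""
    findings = []
    for name, conn in conf.get("connections", {}).items():
        remote = conn.get("remote")
        if isinstance(remote, dict) and "id" not in remote:
            findings.append(f"{name}: remote block has no id line (expected id = %any)")
    if not conf.get("secrets"):
        findings.append("no secrets block generated")
    return findings
```

Run `check_any_peer(parse_swanctl(open("/var/etc/ipsec/swanctl.conf").read()))` on a pfSense box to get an empty list on a fixed build and the two findings on an affected one.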
#7

Updated by Jim Pingle 8 months ago

  • Subject changed from IPsec peer ID of "Any" is not working consistently to IPsec peer ID of "Any" does not generate a proper remote definition or related secrets

Updating subject for release notes.

#8

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Closed