Regression #11555
closed
IPsec peer ID of "Any" does not generate a proper remote definition or related secrets
Added by Jim Pingle over 3 years ago.
Updated over 3 years ago.
Description
When a peer identifier is set to "Any" the resulting swanctl.conf remote block does not contain an id line. According to the strongSwan docs it should be id = %any.
Might also need to account for that in the secrets section as well. Though checking briefly here I do see %any in at least one of my configurations.
As a result this seems to be causing strongSwan to match sometimes and not others, but it needs more testing to identify why.
Files
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.
Check the generated /var/etc/ipsec/swanctl.conf file and the remote block will be missing the identifier. Additionally, the secrets block will be missing.
remote {
auth = psk
}
On a snapshot with the fix, the same tunnel will have an id line in the remote block, and a secrets block:
remote {
id = %any
auth = psk
}
[...]
secrets {
ike-0 {
secret = 0sZTA3NDhmOWEwY2YwODBiNTExOGNjY2IzNzBlZWEwMWM3MmYzYzliODVlMWUzYTI0NDVkZjEwYzc=
id-0 = %any
id-1 = %any
}
}
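A small check for the condition this ticket describes, added here as an example; it is not pfSense or strongSwan code. It reads a swanctl.conf (the generated file at /var/etc/ipsec/swanctl.conf, or any text passed to it), walks the connections, and reports any remote block without an id line and any missing or incomplete secrets block, which is exactly what the before/after output above differs in. The parser is a minimal reader for strongSwan's `key = value` / `section { ... }` syntax, enough for generated files but without include handling. The two embedded configs are constructed for the example: the "broken" one mirrors the remote block shown above wrapped in a plausible connection, the "fixed" one adds the id line and a secrets block with a placeholder PSK.

```python
"""Check a swanctl.conf for remote blocks without an id line and for a
missing/incomplete secrets block.  Added example; not pfSense/strongSwan code."""
import re
import sys

# Constructed sample: a connection whose remote block has no id line and no
# secrets block at all (the defect described in the ticket).
BROKEN_CONF = """
connections {
    con1 {
        local_addrs = 192.0.2.1
        remote_addrs = %any
        local {
            auth = psk
            id = 192.0.2.1
        }
        remote {
            auth = psk
        }
        children {
            con1 {
                local_ts = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
            }
        }
    }
}
"""

# Constructed sample of the corrected output: id = %any in the remote block and
# a secrets block whose selectors are %any.  The PSK is a placeholder value.
FIXED_CONF = BROKEN_CONF.replace(
    "        remote {\n            auth = psk\n",
    "        remote {\n            id = %any\n            auth = psk\n",
) + """
secrets {
    ike-0 {
        secret = 0sc2VjcmV0
        id-0 = %any
        id-1 = %any
    }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf text into nested dicts.  Sections become dicts,
    key = value pairs become strings.  '#' starts a comment."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        m = re.match(r"^([\w.-]+)\s*\{$", line)
        if m:
            section = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
            continue
        m = re.match(r"^([\w.-]+)\s*=\s*(.*)$", line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def find_issues(conf):
    """Return a list of findings; empty means every remote block carries an id
    and a secrets block with secret and id-N selectors is present."""
    issues = []
    for conn_name, conn in conf.get("connections", {}).items():
        if not isinstance(conn, dict):
            continue
        for sec_name, sec in conn.items():
            # strongSwan allows remote, remote-1, remote-2 ... blocks.
            if isinstance(sec, dict) and sec_name.startswith("remote"):
                if "id" not in sec:
                    issues.append(f"{conn_name}/{sec_name}: no id line (expected e.g. id = %any)")
    secrets = conf.get("secrets")
    if not secrets:
        issues.append("secrets: block missing")
    else:
        for name, entry in secrets.items():
            if not isinstance(entry, dict):
                continue
            if "secret" not in entry:
                issues.append(f"secrets/{name}: no secret")
            if not any(k.startswith("id") for k in entry):
                issues.append(f"secrets/{name}: no id-N selectors")
    return issues


def check_swanctl(text):
    """Convenience wrapper: parse and check in one call."""
    return find_issues(parse_swanctl(text))


if __name__ == "__main__":
    # Usage: python check_swanctl.py /var/etc/ipsec/swanctl.conf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BROKEN_CONF
    for finding in check_swanctl(text) or ["no issues found"]:
        print(finding)
```

Run against the generated file after edit/save/apply on the tunnel: on a build without the fix it prints the missing-id and missing-secrets findings for the "Any" peer; on a build with the fix it prints nothing. The check only confirms that the lines exist, it does not validate the PSK or the identity values themselves.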
- Subject changed from IPsec peer ID of "Any" is not working consistently to IPsec peer ID of "Any" does not generate a proper remote definition or related secrets
Updating subject for release notes.
- Status changed from Feedback to Closed