Regression #11564
Closed
strongSwan configuration always contains user EAP/PSK values
Start date: 02/27/2021
% Done: 0%
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Description
/var/etc/ipsec/swanctl.conf always contains users eap/psk keys:
...
secrets {
    ike-1 {
        secret = 0sMTIzNDU=
        id-0 = %any
        id-1 = pfuser1
    }
    eap-2 {
        secret = 0scGFzczEyMzQ1
        id-0 = eapuser1
    }
}
even if you don't have an IPsec Mobile entry or it's not set to EAP-MSChapv2/Mutual-PSK mode.
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
- Target version set to CE-Next
The pre-shared key tab entries have uses with site-to-site tunnels; they aren't solely for mobile setups.
EAP entries could be skipped if there is nothing using EAP-MSCHAPv2, and PSK entries on users can be skipped if mobile IPsec isn't using PSKs, but the PSK tab entries should always be included.
Though really it's harmless to include the secrets like this even if they aren't being actively used, it is nicer to leave them out.
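The EAP half of the rule in the comment above, as an added check that is not part of the original thread or of pfSense's code: it parses a swanctl.conf and lists `eap-*` secrets that are present while no connection authenticates with EAP. The sample config, its secret values and the function names are constructed for illustration, and the parser assumes one statement per line.

```python
# Constructed sample: a PSK-only tunnel whose config still carries an EAP secret.
SAMPLE = """
connections {
    con1 {
        remote {
            auth = psk
        }
    }
}
secrets {
    ike-1 {
        secret = 0sZXhhbXBsZQ==
        id-0 = %any
    }
    eap-2 {
        secret = 0sZXhhbXBsZQ==
        id-0 = eapuser1
    }
}
"""


def parse_swanctl(text):
    """Parse 'name { key = value }' text into nested dicts (one statement per line)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)  # split once: base64 values end in '='
            stack[-1][key.strip()] = value.strip()
    return stack[0]


def unused_eap_secrets(text):
    """Names of eap-* secrets present although no connection uses an EAP auth method."""
    conf = parse_swanctl(text)
    for conn in conf.get("connections", {}).values():
        for name, sec in conn.items():
            if name.startswith(("local", "remote")) and isinstance(sec, dict) \
                    and sec.get("auth", "").lower().startswith("eap"):
                return []  # EAP is in use, so eap-* secrets are expected
    return sorted(n for n in conf.get("secrets", {}) if n.startswith("eap-"))


if __name__ == "__main__":
    print(unused_eap_secrets(SAMPLE))
```

`ike-*` entries are not flagged, because the file alone does not distinguish per-user PSKs from pre-shared key tab entries, which the comment says should always be included.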
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Jim Pingle over 3 years ago
- Target version changed from CE-Next to 2.6.0
Updated by Jim Pingle over 3 years ago
- Subject changed from swanctl always contains users eap/psk keys to strongSwan configuration always contains user EAP/PSK values
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2