Regression #11564

swanctl always contains users eap/psk keys

Added by Viktor Gurov about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/27/2021
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

/var/etc/ipsec/swanctl.conf always contains users eap/psk keys:

...
secrets {
    ike-1 {
        secret = 0sMTIzNDU=
        id-0 = %any
        id-1 = pfuser1
    }
    eap-2 {
        secret = 0scGFzczEyMzQ1
        id-0 = eapuser1
    }
}

even if you don't have an IPsec Mobile entry or it's not set to EAP-MSChapv2/Mutual-PSK mode.

Associated revisions

Revision 3939c0e3 (diff)
Added by Viktor Gurov about 2 months ago

IPsec Mobile users swanctl.conf fix. Issue #11564

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next

The pre-shared key tab entries have uses with site-to-site tunnels; they aren't solely for mobile setups.

EAP entries could be skipped if there is nothing using EAP-MSCHAPv2, and PSK entries on users can be skipped if mobile IPsec isn't using PSKs, but the PSK tab entries should always be included.

Though really it's harmless to include the secrets like this even if they aren't being actively used, it is nicer to leave them out.
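
An audit for the condition discussed in this thread, as an added example that is not part of the issue or of the pfSense code: it reads a swanctl.conf and lists `eap-*` secrets when no connection authenticates with EAP. The `connections` block in the sample and the function names are assumptions; the `secrets` block is the one quoted in the description.

```python
# Constructed input: secrets copied from the issue; the connections block is
# an assumed site-to-site tunnel that authenticates with PSK only.
SAMPLE = """\
connections {
    con1 {
        remote {
            auth = psk
        }
    }
}
secrets {
    ike-1 {
        secret = 0sMTIzNDU=
        id-0 = %any
        id-1 = pfuser1
    }
    eap-2 {
        secret = 0scGFzczEyMzQ1
        id-0 = eapuser1
    }
}
"""

def items(text):
    """Yield (section_path, key, value) for each 'key = value' line."""
    path = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            yield tuple(path), key, value

def unused_eap_secrets(text):
    """Return [(section, ids)] for eap-* secrets when no connection uses EAP.
    Secret values are never returned. ike-* entries are not judged: the file
    does not separate user PSKs from PSK-tab entries used by site-to-site."""
    rows = list(items(text))
    if any(p[:1] == ("connections",) and k == "auth"
           and v.lower().startswith("eap") for p, k, v in rows):
        return []
    found = {}
    for p, k, v in rows:
        if len(p) == 2 and p[0] == "secrets" and p[1].startswith("eap"):
            ids = found.setdefault(p[1], [])
            if k.startswith("id"):
                ids.append(v)
    return sorted(found.items())
```

Run it against `/var/etc/ipsec/swanctl.conf` by passing the file's text to `unused_eap_secrets`; an empty list means either no EAP secrets are present or a connection uses EAP.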

#3 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!