Regression #11564
closed
strongSwan configuration always contains user EAP/PSK values
Added by Viktor Gurov over 3 years ago.
Updated over 3 years ago.
Plus Target Version:
21.05
Description
/var/etc/ipsec/swanctl.conf always contains users eap/psk keys:
...
secrets {
    ike-1 {
        secret = 0sMTIzNDU=
        id-0 = %any
        id-1 = pfuser1
    }
    eap-2 {
        secret = 0scGFzczEyMzQ1
        id-0 = eapuser1
    }
}
even if you don't have an IPsec Mobile entry or it's not set to EAP-MSCHAPv2/Mutual-PSK mode.
- Status changed from New to Pull Request Review
- Target version set to CE-Next
The pre-shared key tab entries have uses with site-to-site tunnels; they aren't solely for mobile setups.
EAP entries could be skipped if there is nothing using EAP-MSCHAPv2, and PSK entries on users can be skipped if mobile IPsec isn't using PSKs, but the PSK tab entries should always be included.
Though really it's harmless to include the secrets like this even if they aren't being actively used, it is nicer to leave them out.
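Added example (not part of the original issue or the pfSense code base): a small audit that reads a swanctl.conf and lists ike-*/eap-* secret sections that no connection's auth setting can use, reporting only section names and ids, never secret values. The names SAMPLE, entries and unreferenced_secrets are hypothetical, and the parser assumes one item per line as in the excerpt above. It cannot tell user-derived PSKs from PSK tab entries, so ike-* results are for review only.

```python
# Constructed sample: one pubkey tunnel plus the secrets layout from the
# report (secret values replaced with placeholders).
SAMPLE = """
connections {
    con1 {
        remote {
            auth = pubkey
        }
    }
}
secrets {
    ike-1 {
        secret = 0sPLACEHOLDER
        id-0 = %any
        id-1 = pfuser1
    }
    eap-2 {
        secret = 0sPLACEHOLDER
        id-0 = eapuser1
    }
}
"""

def entries(text):
    # Yield (section path, key, value) from the nested "name { key = value }" layout.
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield tuple(path), key.strip(), value.strip()

def unreferenced_secrets(text):
    # Map each ike-*/eap-* secret that no connection can use to its ids.
    rows = list(entries(text))
    auths = {v.lower() for p, k, v in rows if p[:1] == ("connections",) and k == "auth"}
    needed = {"ike": "psk" in auths, "eap": "eap-mschapv2" in auths}
    report = {}
    for p, k, v in rows:
        if len(p) == 2 and p[0] == "secrets" and k.startswith("id"):
            if needed.get(p[1].split("-", 1)[0]) is False:
                report.setdefault(p[1], []).append(v)
    return report
```

An empty result means every ike-*/eap-* secret in the file is matched by at least one connection using psk or eap-mschapv2 authentication.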
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
- Target version changed from CE-Next to 2.6.0
- Plus Target Version set to 21.05
- Subject changed from swanctl always contains users eap/psk keys to strongSwan configuration always contains user EAP/PSK values
Updating subject for release notes.
- Target version changed from 2.6.0 to 2.5.2
- Status changed from Feedback to Closed