Todo #12044

closed

Improve IPsec identifier settings

Added by Jim Pingle 3 months ago. Updated 18 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 06/15/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default

Description

We expose several IPsec identifier types in the GUI. strongSwan supports a few more, plus an automatic type. Additionally, our names aren't ideal (e.g. "Distinguished Name" is really FQDN) so there are likely some improvements to be made there, too.

See https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing for the options supported by strongSwan, and its current behavior. The current type:value syntax is already in use for some options, for example:

The following types are known: ipv4, ipv6, ipv4net, ipv6net, ipv4range, ipv6range, rfc822, email, userfqdn, fqdn,
dns, asn1dn, asn1gn and keyid. Custom type prefixes may be specified by surrounding the numerical type value
with curly brackets.

Additionally, we should ensure that if we do validate the various types, they allow wildcard matching for peer/remote identifiers, since it is also supported in strongSwan (see https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf in the notes for connections.<conn>.remote<suffix>.id).
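A sketch of the validation described above, added here as an example; it is not pfSense or strongSwan code. It splits the type:value prefix using the type list quoted in the description and accepts wildcards only on the remote side. The function names, the case-insensitive prefix match and the wildcard forms (*.example.com, *@example.com) are assumptions of this example.

```python
import ipaddress
import re

# Type prefixes listed in the strongSwan text quoted in the issue description.
KNOWN_TYPES = {"ipv4", "ipv6", "ipv4net", "ipv6net", "ipv4range", "ipv6range",
               "rfc822", "email", "userfqdn", "fqdn", "dns", "asn1dn", "asn1gn", "keyid"}
CUSTOM_TYPE = re.compile(r"\{\d+\}")  # numeric type value in curly brackets
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def split_identifier(ident):
    """Return (type, value); type is None when there is no recognised prefix."""
    prefix, sep, value = ident.partition(":")
    # Assumption: the prefix is compared case-insensitively.
    if sep and (prefix.lower() in KNOWN_TYPES or CUSTOM_TYPE.fullmatch(prefix)):
        return prefix.lower(), value
    return None, ident  # e.g. a bare IPv6 address, left to automatic detection

def _hostname_error(name, remote):
    labels = name.split(".")
    if remote and labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]  # assumed wildcard form for remote IDs: *.example.com
    bad = [lab for lab in labels if not LABEL.fullmatch(lab)]
    return f"invalid host name label {bad[0]!r}" if bad else None

def check_identifier(ident, remote=False):
    """Return None if the identifier passes, otherwise an error string."""
    id_type, value = split_identifier(ident)
    if not value:
        return "empty identifier value"
    try:
        if id_type in ("ipv4", "ipv6"):
            if ipaddress.ip_address(value).version != int(id_type[-1]):
                return f"{value} is not an {id_type} address"
        elif id_type in ("ipv4net", "ipv6net"):
            if ipaddress.ip_network(value, strict=False).version != int(id_type[3]):
                return f"{value} is not an {id_type[:4]} network"
    except ValueError as exc:
        return str(exc)
    if id_type in ("fqdn", "dns"):
        return _hostname_error(value, remote)
    if id_type in ("rfc822", "email", "userfqdn"):
        local, at, domain = value.rpartition("@")
        if not at or not local:
            return "expected local@domain"
        if local == "*" and not remote:
            return "wildcard local part is only accepted for remote identifiers"
        return _hostname_error(domain, remote=False)
    return None  # other types and untyped values: only checked for non-emptiness
```

Untyped values and the asn1dn, asn1gn, keyid, range and custom types are passed through unchecked here, so strongSwan's own parser remains the authority for them.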

Actions #1

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle about 2 months ago

  • Tracker changed from Feature to Todo
  • Subject changed from Revisit IPsec Identifier Settings to Improve IPsec identifier settings
Actions #3

Updated by Jim Pingle 18 days ago

  • Status changed from Feedback to Resolved

Descriptions are better, options I've tried are all working. If new problems come up they can be added as new and separate issues.
