Project

General

Profile

Actions

Bug #4792

closed

IPSec ASN.1 DN needs double quotes in config file

Added by Cullen Trey almost 9 years ago. Updated over 8 years ago.

Status:
Resolved
Priority:
High
Category:
IPsec
Target version:
Start date:
01/24/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.3
Affected Architecture:

Description

This is a bug #4275 reintroduced in 2.2.3:

Upon upgrade of 2.2.2 to 2.2.3 strongswan did not start and quit with the following message:

I ONLY adapted these lines of the old bug:

ipsec_starter73005: unable to start strongSwan -- fatal errors in config
ipsec_starter73005: invalid config file '/var/etc/ipsec/ipsec.conf'
ipsec_starter73005: /var/etc/ipsec/ipsec.conf:19: syntax error, unexpected EQ [=]
ipsec_starter73005: Starting strongSwan 5.2.3 IPsec [starter]...

Line 19 of ipsec.conf is:
leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com

I got StrongSwan only to accept it by changing leftif|rightid to (ommiting asn1dn)

leftid = "C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com"

this started to work again, and strongswan bootet up.

This should be checked in the GUI and automatically added to the value saved in the config file.

As the ipsec.conf is generated by the vpn.inc I adapted it the following way. Sorry for having no diff etc... Spot it by the comment line!

list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');

if ($myid_type = 'asn1dn')
$myid_data = "\"{$myid_data}\"";
else
if ($myid_type != 'address')
$myid_data = "{$myid_type}:{$myid_data}";

/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel /
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
*if ($peerid_type = 'asn1dn')
$peerid_spec = "\"{$peerid_data}\"";
else
if ($peerid_type != 'address')
$peerid_spec = "{$peerid_type}:{$peerid_data}";
else
$peerid_spec = $peerid_data;
}

Kind regards

Actions #1

Updated by Cullen Trey almost 9 years ago

Okay, understood why it is not possible to specify:

leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com

Strongswan wants to have asn1dn entries encoded in the binary der format:

https://lists.strongswan.org/pipermail/users/2015-May/008123.html

Ideas for an String to der format converter? Or just throw away the asn1dn identifier...?

Actions #2

Updated by Kill Bill almost 9 years ago

Cullen Trey wrote:

Or just throw away the asn1dn identifier...?

Sounds like a plan. Completely craptastic design. DER my ass.

Actions #3

Updated by Jorge Albarenque almost 9 years ago

I stumbled upon this today.

If you omit the identity prefix altogether, strongSwan will guess and convert the data type automatically (it works).
If you want to specify the identity prefix, the data must be in appropiate format. In case of ASN1.DNs, the conversion procedure is somewhat explained on a later post on the same thread referenced before and the following one

I did all that "openssl to hex nightmare" and it indeed works.

Please consider that this issue will also arise with other identity prefixes as well (IP addresses for example) as explained in the strongSwan wiki

Actions #4

Updated by Moritz Bechler over 8 years ago

Actually, I think this is a bug in strongswan (just filed it: https://wiki.strongswan.org/issues/1028), as the asn1dn type gets parsed if auto-detected but not when explicitly specified. Just dropping it should be also fine though, as this is the first case in the auto-detection and just checks for a =.

Actions #5

Updated by Kill Bill over 8 years ago

Moritz Bechler wrote:

Actually, I think this is a bug in strongswan

Of course not! That's all by (utterly braindead) design. :-P

Actions #6

Updated by Jim Thompson over 8 years ago

  • Assignee set to Renato Botelho
Actions #7

Updated by Chris Buechler over 8 years ago

  • Status changed from New to Feedback

this looks to be fixed.

Actions #8

Updated by Jorge Albarenque over 8 years ago

Hold on... The real issue here (as explained in the first comment) is the mishandling of the peer id type for the new versions of strongSwan. As I can see on the submitted revision, this looks still broken at least for the ASN1 type reported here (it still adds "{$peerid_type}:" before the unmodified data)

Is this being handled as part of another bug report?

Actions #9

Updated by Renato Botelho over 8 years ago

  • Status changed from Feedback to Assigned

The issue doesn't affect left side because leftid is overwritten by strongSwan when leftcert is defined.

I'm working on a fix

Actions #10

Updated by Renato Botelho over 8 years ago

  • Status changed from Assigned to Feedback

Please try next round of snapshots

Actions #11

Updated by Moritz Bechler over 8 years ago

31ae45d2535e73f58b307f18227ba29a9061d2af looks good to me.

keyid might deserve some quotes, too, but that's propably not that common.

Actions #12

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved

fixed

Actions

Also available in: Atom PDF