Bug #4792
closed
IPSec ASN.1 DN needs double quotes in config file
0%
Description
This is a bug #4275 reintroduced in 2.2.3:
Upon upgrade of 2.2.2 to 2.2.3 strongswan did not start and quit with the following message:
I ONLY adapted these lines of the old bug:
ipsec_starter73005: unable to start strongSwan -- fatal errors in config
ipsec_starter73005: invalid config file '/var/etc/ipsec/ipsec.conf'
ipsec_starter73005: /var/etc/ipsec/ipsec.conf:19: syntax error, unexpected EQ [=]
ipsec_starter73005: Starting strongSwan 5.2.3 IPsec [starter]...
Line 19 of ipsec.conf is:
leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com
I got StrongSwan only to accept it by changing leftif|rightid to (ommiting asn1dn)
leftid = "C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com"
this started to work again, and strongswan bootet up.
This should be checked in the GUI and automatically added to the value saved in the config file.
As the ipsec.conf is generated by the vpn.inc I adapted it the following way. Sorry for having no diff etc... Spot it by the comment line!
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
if ($myid_type = 'asn1dn')
$myid_data = "\"{$myid_data}\"";
else if ($myid_type != 'address')
$myid_data = "{$myid_type}:{$myid_data}";
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel /
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
*if ($peerid_type = 'asn1dn')
$peerid_spec = "\"{$peerid_data}\"";
else if ($peerid_type != 'address')
$peerid_spec = "{$peerid_type}:{$peerid_data}";
else
$peerid_spec = $peerid_data;
}
Kind regards
Updated by Cullen Trey over 9 years ago
Okay, understood why it is not possible to specify:
leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com
Strongswan wants to have asn1dn entries encoded in the binary der format:
https://lists.strongswan.org/pipermail/users/2015-May/008123.html
Ideas for an String to der format converter? Or just throw away the asn1dn identifier...?
Updated by Kill Bill over 9 years ago
Cullen Trey wrote:
Or just throw away the asn1dn identifier...?
Sounds like a plan. Completely craptastic design. DER my ass.
Updated by Jorge Albarenque over 9 years ago
I stumbled upon this today.
If you omit the identity prefix altogether, strongSwan will guess and convert the data type automatically (it works).
If you want to specify the identity prefix, the data must be in appropiate format. In case of ASN1.DNs, the conversion procedure is somewhat explained on a later post on the same thread referenced before and the following one
I did all that "openssl to hex nightmare" and it indeed works.
Please consider that this issue will also arise with other identity prefixes as well (IP addresses for example) as explained in the strongSwan wiki
Updated by Moritz Bechler over 9 years ago
Actually, I think this is a bug in strongswan (just filed it: https://wiki.strongswan.org/issues/1028), as the asn1dn type gets parsed if auto-detected but not when explicitly specified. Just dropping it should be also fine though, as this is the first case in the auto-detection and just checks for a =.
Updated by Kill Bill over 9 years ago
Moritz Bechler wrote:
Actually, I think this is a bug in strongswan
Of course not! That's all by (utterly braindead) design. :-P
Updated by
Updated by Chris Buechler over 9 years ago
- Status changed from New to Feedback
this looks to be fixed.
Updated by Jorge Albarenque over 9 years ago
Hold on... The real issue here (as explained in the first comment) is the mishandling of the peer id type for the new versions of strongSwan. As I can see on the submitted revision, this looks still broken at least for the ASN1 type reported here (it still adds "{$peerid_type}:" before the unmodified data)
Is this being handled as part of another bug report?
Updated by Renato Botelho over 9 years ago
- Status changed from Feedback to Assigned
The issue doesn't affect left side because leftid is overwritten by strongSwan when leftcert is defined.
I'm working on a fix
Updated by Renato Botelho over 9 years ago
- Status changed from Assigned to Feedback
Please try next round of snapshots
Updated by Moritz Bechler over 9 years ago
31ae45d2535e73f58b307f18227ba29a9061d2af looks good to me.
keyid might deserve some quotes, too, but that's propably not that common.