Bug #4792
closed
IPSec ASN.1 DN needs double quotes in config file
Description
This is bug #4275 reintroduced in 2.2.3:
Upon upgrade from 2.2.2 to 2.2.3, strongSwan did not start and quit with the following message:
I ONLY adapted these lines of the old bug:
    ipsec_starter73005: unable to start strongSwan -- fatal errors in config
    ipsec_starter73005: invalid config file '/var/etc/ipsec/ipsec.conf'
    ipsec_starter73005: /var/etc/ipsec/ipsec.conf:19: syntax error, unexpected EQ [=]
    ipsec_starter73005: Starting strongSwan 5.2.3 IPsec [starter]...
Line 19 of ipsec.conf is:
    leftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com
I got strongSwan to accept it only by changing leftid|rightid to (omitting asn1dn):
    leftid = "C=CH/ST=Aargau/L=Baden/O=TechFreak/emailAddress=XXX/CN=vpn.example.com"
This started to work again, and strongSwan booted up.
This should be checked in the GUI and automatically added to the value saved in the config file.
As the ipsec.conf is generated by the vpn.inc I adapted it the following way. Sorry for having no diff etc... Spot it by the comment line!
    list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
    /* An ASN.1 DN contains '=' and is written as a double-quoted value */
    if ($myid_type == 'asn1dn')
        $myid_data = "\"{$myid_data}\"";
    else if ($myid_type != 'address')
        $myid_data = "{$myid_type}:{$myid_data}";

    /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
    $peerid_spec = '';
    if (!isset($ph1ent['mobile'])) {
        list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
        /* Same quoting for an ASN.1 DN peer ID */
        if ($peerid_type == 'asn1dn')
            $peerid_spec = "\"{$peerid_data}\"";
        else if ($peerid_type != 'address')
            $peerid_spec = "{$peerid_type}:{$peerid_data}";
        else
            $peerid_spec = $peerid_data;
    }
Kind regards
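
A pre-flight check for the failure described in this report, as an added example that is not part of the original report or of the pfSense code: it scans ipsec.conf text for option values containing an unquoted `=`, the token the strongSwan 5.2.3 starter rejected on line 19. The sample config is constructed, the function names are hypothetical, and the comment and quote handling is a simplifying assumption rather than the starter's real grammar.

```python
import re

# Constructed sample, modelled on the leftid line quoted in the report.
SAMPLE_CONF = (
    "conn con1\n"
    "\tleft = 192.0.2.1\n"
    "\tleftid = asn1dn:C=CH/ST=Aargau/L=Baden/O=TechFreak/CN=vpn.example.com\n"
    "\trightid = \"C=CH/ST=Aargau/L=Baden/O=TechFreak/CN=peer.example.com\"\n"
    "\t# leftid = C=CH/CN=commented.out\n"
    "\trightsubnet = 10.0.0.0/24\n"
)

# key = value, where the first '=' separates the option name from its value
ASSIGN = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$')


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            return line[:i]
    return line


def find_unquoted_eq(conf_text):
    """Return (line number, key, value) for values with '=' outside quotes."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        match = ASSIGN.match(strip_comment(raw).rstrip())
        if not match:
            continue  # section header, blank line or comment-only line
        key, value = match.groups()
        # Assumption: no escaped quotes inside a quoted value.
        outside_quotes = re.sub(r'"[^"]*"', '', value)
        if '=' in outside_quotes:
            findings.append((lineno, key, value))
    return findings


if __name__ == "__main__":
    for lineno, key, value in find_unquoted_eq(SAMPLE_CONF):
        print(f"line {lineno}: {key} has an unquoted '=': {value}")
```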