Project

General

Profile

Actions

Bug #8543

closed

IKE Phase 1 configuration not working

Added by Thomas Eckardt over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
05/28/2018
Due date:
% Done:

100%

Estimated time:
0.50 h
Plus Target Version:
Release Notes:
Affected Version:
2.4.3_1
Affected Architecture:
All

Description

issue:

strongSwan uses only AES 128, because keylen is empty in the pfsense config file.

<phase1> 
.....
<encryption>
<item>
<encryption-algorithm>
<name>aes</name>
<keylen></keylen>
</encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm>
<dhgroup>14</dhgroup>
</item>
</encryption>

A bug in /usr/local/www/vpn_ipsec_phase1.php causes an unselectable Phase 1 'key length' for all algorithms and prevents adding more Phase 1 Proposals.

line 1199:

// algorithm 
$('[id^=ealgo_algo]select').change(function () {
id = getStringInt(this.id);
ealgosel_change(id, <?=$keyset?>);
});

uses $keyset - which is not defined anywhere in this php file or any included file!. This leads in to the browser javascript call

ealgosel_change(0, );

which causes a syntax error in the bowser javascript engine (missing the second parameter) - script processing is stopped and later parts are not executed.

solution:

change this part to

// algorithm 
$('[id^=ealgo_algo]select').change(function () {
id = getStringInt(this.id);
ealgosel_change(id, 0);
});

or set $keyset to 0 anywhere else in this php file, before it is used here.

IKE (strongSwan) itself and the GUI config dialog are working very well after this change.


Files

vpn_ipsec_phase1.php (34.8 KB) vpn_ipsec_phase1.php the changed working file Thomas Eckardt, 05/28/2018 11:55 PM
Actions #1

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback
  • Assignee changed from Jim Thompson to Jim Pingle
  • Priority changed from Urgent to Normal

I can't replicate this problem here. I see what you mean about that variable not being populated, but the page still functions, keylen is stored, and the strongSwan configuration is correct.

I have tested this in the most recent versions of Firefox and Chrome and both function as expected.

What browser are you using?

Actions #2

Updated by Thomas Eckardt over 6 years ago

I used chrome Version 57.0.2987.133 (64-bit) and MS-IE 11.431.162990 (32 and 64 bit) on Windows 10.

This depends on the JavaScript engine - if it does not stop on syntax errors, the page will work like expected. But if it stops, keylen will be empty and "Add Algorithm" will fail, because the JavaScript code "ealgosel_change(0,);" and the JavaScript code after this line is not executed.

"ealgosel_change(0,);" it self fills the "select" options for keylen -> empty select -> empty keylen -> empty keylen in config -> empty keylen in strongSwan.conf -> AES 128

some lines below in the php file

foreach($pconfig['encryption']['item'] as $key => $p1enc) {
$keylen = $p1enc['encryption-algorithm']['keylen'];
if (!is_numericint($keylen)) {
$keylen = "''";
}
echo "ealgosel_change({$key}, {$keylen});";
}

the JavaScript code "ealgosel_change(0,'');" is produced in case of an empty keylen.
If executed, this line would set the page parameters like expected. My browser JavaScript sessions are stopped before, yours are executing this line.

Simply change the code like suggested - => 0 - and the issue is gone for all browsers.

Thomas

Actions #3

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Confirmed

OK, I can replicate it in IE and confirm the fix. Pushing momentarily.

Actions #4

Updated by Jim Pingle over 6 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 50 to 100
Actions #5

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF