Bug #8543

IKE Phase 1 configuration not working

Added by Thomas Eckardt 12 months ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 05/28/2018
Due date:
% Done: 100%
Estimated time: 0.50 h
Affected Version: 2.4.3_1
Affected Architecture: All

Description

issue:

strongSwan uses only AES 128, because keylen is empty in the pfsense config file.

<phase1> 
.....
<encryption>
<item>
<encryption-algorithm>
<name>aes</name>
<keylen></keylen>
</encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm>
<dhgroup>14</dhgroup>
</item>
</encryption>

A bug in /usr/local/www/vpn_ipsec_phase1.php causes an unselectable Phase 1 'key length' for all algorithms and prevents adding more Phase 1 Proposals.

line 1199:

// algorithm 
$('[id^=ealgo_algo]select').change(function () {
id = getStringInt(this.id);
ealgosel_change(id, <?=$keyset?>);
});

uses $keyset - which is not defined anywhere in this PHP file or any included file! This leads to the browser JavaScript call

ealgosel_change(0, );

which causes a syntax error in the browser JavaScript engine (missing the second parameter) - script processing is stopped and later parts are not executed.

solution:

change this part to

// algorithm 
$('[id^=ealgo_algo]select').change(function () {
id = getStringInt(this.id);
ealgosel_change(id, 0);
});

or set $keyset to 0 anywhere else in this php file, before it is used here.

IKE (strongSwan) itself and the GUI config dialog are working very well after this change.

vpn_ipsec_phase1.php (34.8 KB) - the changed working file - Thomas Eckardt, 05/28/2018 11:55 PM
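An added example, not part of the original report or of pfSense's code: an audit that scans a configuration export for Phase 1 proposals saved with an empty key length, the condition the report ties to strongSwan using only AES 128. The `<config>` wrapper, the sample entries, the `KEYLEN_REQUIRED` set and the `min_keylen` policy value are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Algorithms where an empty <keylen> is a finding. Only "aes" comes from the
# report; extend the set to match your own proposals (assumption).
KEYLEN_REQUIRED = {"aes"}

# Constructed sample. <config> is a made-up wrapper element; the first <item>
# mirrors the fragment in the report.
SAMPLE_CONFIG = """
<config>
  <phase1>
    <encryption>
      <item>
        <encryption-algorithm><name>aes</name><keylen></keylen></encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>14</dhgroup>
      </item>
      <item><encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm></item>
    </encryption>
  </phase1>
  <phase1>
    <encryption>
      <item><encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm></item>
    </encryption>
  </phase1>
</config>
"""

def audit_phase1(xml_text, min_keylen=256):
    """Return (phase1_index, item_index, algorithm, problem) tuples."""
    findings = []
    root = ET.fromstring(xml_text)
    for p_idx, phase1 in enumerate(root.iter("phase1")):
        for i_idx, item in enumerate(phase1.findall("./encryption/item")):
            name = (item.findtext("encryption-algorithm/name") or "").strip()
            keylen = (item.findtext("encryption-algorithm/keylen") or "").strip()
            if name not in KEYLEN_REQUIRED:
                continue  # algorithm not covered by this check
            if not keylen:
                findings.append((p_idx, i_idx, name, "empty keylen"))
            elif not keylen.isdigit():
                findings.append((p_idx, i_idx, name, "non-numeric keylen"))
            elif int(keylen) < min_keylen:
                findings.append((p_idx, i_idx, name, f"keylen {keylen} below {min_keylen}"))
    return findings
```

Calling `audit_phase1(SAMPLE_CONFIG)` flags the empty-keylen proposal and the one below the policy minimum; any flagged tunnel should be re-saved from a working GUI and its negotiated proposal confirmed on the strongSwan side.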

Associated revisions

Revision ac976b7e (diff)
Added by Jim Pingle 12 months ago

Fix reference to non-existent variable in IPsec P1. Fixes #8543

Revision 5ecce9d0 (diff)
Added by Jim Pingle 12 months ago

Fix reference to non-existent variable in IPsec P1. Fixes #8543

(cherry picked from commit ac976b7e061f19d108a6f60a57ce6866dd0a9499)

History

#1 Updated by Jim Pingle 12 months ago

  • Status changed from New to Feedback
  • Assignee changed from Jim Thompson to Jim Pingle
  • Priority changed from Urgent to Normal

I can't replicate this problem here. I see what you mean about that variable not being populated, but the page still functions, keylen is stored, and the strongSwan configuration is correct.

I have tested this in the most recent versions of Firefox and Chrome and both function as expected.

What browser are you using?

#2 Updated by Thomas Eckardt 12 months ago

I used Chrome Version 57.0.2987.133 (64-bit) and MS-IE 11.431.162990 (32 and 64 bit) on Windows 10.

This depends on the JavaScript engine - if it does not stop on syntax errors, the page will work as expected. But if it stops, keylen will be empty and "Add Algorithm" will fail, because the JavaScript code "ealgosel_change(0,);" and the JavaScript code after this line are not executed.

"ealgosel_change(0,);" itself fills the "select" options for keylen -> empty select -> empty keylen -> empty keylen in config -> empty keylen in strongSwan.conf -> AES 128

some lines below in the php file

foreach($pconfig['encryption']['item'] as $key => $p1enc) {
$keylen = $p1enc['encryption-algorithm']['keylen'];
if (!is_numericint($keylen)) {
$keylen = "''";
}
echo "ealgosel_change({$key}, {$keylen});";
}

the JavaScript code "ealgosel_change(0,'');" is produced in case of an empty keylen.
If executed, this line would set the page parameters as expected. My browser JavaScript sessions are stopped before, yours are executing this line.

Simply change the code as suggested - => 0 - and the issue is gone for all browsers.

Thomas

#3 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Confirmed

OK, I can replicate it in IE and confirm the fix. Pushing momentarily.

#4 Updated by Jim Pingle 12 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 50 to 100

#5 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved
