Multiple PSKs with dyndns left/rightids doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Artful | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* charon unnecessarily selects a wrong PSK in some cases:
  * A site-to-site connection using resolvable hostnames (e.g., DynDNS) as identities in /etc/ipsec.secrets and a Roadwarrior connection (using %any as remote peer identity)
  * Multiple site-to-site connections using resolvable hostnames as identities
* Fix is a backport from upstream, in since 5.5.2
[Test Case]
* There are detailed steps on how to configure for this case on
https:/
[Regression Potential]
* It is known (see discussion in upstream bug) that this can slightly increase the connection setup time, as it adds a DNS query. But un-breaking the covered use cases was considered worth it upstream, and so should we.
* The IKEv1 PSK codepath is the only changed path, so this is the area where unexpected regressions could occur. None of the testing found any so far, and since upstream didn't change it for a while it seems safe to me.
[Other Info]
* n/a
---
See: https:/
Is there a chance to get a backport into xenial?
It's fixed in the upstream version 5.5.2.
# apt-cache policy strongswan
strongswan:
Installed: 5.3.5-1ubuntu3.4
Candidate: 5.3.5-1ubuntu3.4
# lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
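The wrong-PSK selection described under [Impact], as an added illustration that is not part of this bug report and not strongSwan's own code. In IKEv1 Main Mode the responder has to pick the PSK from the initiator's source address alone, because the initiator's identity payload only arrives encrypted under keys derived from that PSK. The script below models (as an assumption about the fix, not a reading of the upstream patch) an ipsec.secrets lookup that matches only literal addresses and %any, beside one that also resolves FQDN identities to addresses before matching, which is where the extra DNS query mentioned under [Regression Potential] comes from. The secrets file, the DNS answers and the match scoring are all constructed here so it runs offline.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed /etc/ipsec.secrets: two DynDNS site-to-site peers identified by
# hostname, plus a catch-all %any entry for roadwarriors.
SECRETS = """\
vpn-a.example.net gw.example.net : PSK "siteA-secret"
vpn-b.example.net gw.example.net : PSK "siteB-secret"
%any : PSK "roadwarrior-secret"
"""

# Constructed DNS answers standing in for the query the fixed code path adds
# (assumption: the fixed lookup resolves FQDN selectors to addresses).
DNS: Dict[str, str] = {
    "vpn-a.example.net": "203.0.113.10",
    "vpn-b.example.net": "203.0.113.20",
    "gw.example.net": "198.51.100.1",
}


def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Return [(selector_ids, psk)] for every PSK line of an ipsec.secrets-style text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, _, rhs = line.partition(":")
        kind, _, secret = rhs.strip().partition(" ")
        if kind != "PSK":
            continue
        ids = selectors.split() or ["%any"]  # no selectors means "any peer"
        entries.append((ids, secret.strip().strip('"')))
    return entries


def is_address(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def select_psk(entries: List[Tuple[List[str], str]], peer_ip: str,
               resolve: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Pick the PSK an IKEv1 Main Mode responder would use for peer_ip.

    Only the peer's address is known at this point, so every selector is
    compared against it. With resolve=None (the old behaviour as modelled
    here) only literal addresses can match, so hostname entries are skipped
    and the %any entry wins. With a resolver, hostname selectors are resolved
    first and an entry whose hostname maps to peer_ip beats %any.
    Scoring (constructed for this model): exact address 2, resolved host 1,
    %any 0, no match -1; highest score wins.
    """
    best, best_score = None, -1
    for ids, psk in entries:
        for ident in ids:
            if ident == "%any":
                score = 0
            elif is_address(ident):
                score = 2 if ident == peer_ip else -1
            elif resolve is not None and resolve.get(ident) == peer_ip:
                score = 1
            else:
                score = -1
            if score > best_score:
                best, best_score = psk, score
    return best


if __name__ == "__main__":
    entries = parse_secrets(SECRETS)
    peer = "203.0.113.10"  # site A connecting in
    print("old lookup :", select_psk(entries, peer))        # roadwarrior-secret (wrong)
    print("fixed lookup:", select_psk(entries, peer, DNS))  # siteA-secret
```

With the address-only lookup, site A's initiator is handed the roadwarrior PSK and Main Mode fails at the first encrypted exchange; the resolving lookup returns the site-specific secret and only falls back to %any for addresses no selector resolves to.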
description: updated
tags: added verification-done-xenial; removed verification-needed-xenial
Hi Jan,
I'll hopefully be looking at the merge of 5.6.1 next week which includes that fix.
Once in the latest Ubuntu release we can look at the doability of a backport.
On a first sniff test it at least applies cleanly to the code in Xenial.
That still needs to follow some process and extra testing - therefore the merge will be the next step on this.