PSK in the VPNAAS is stored/displayed in Plain text

Bug #1316699 reported by Ashish Kumar Gupta
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
neutron | Won't Fix | High | Unassigned |

Bug Description

Pre-shared key for the vpnaas is stored in plain text.
/var/lib/neutron/ipsec/$routeid/etc/ipsec.secrets
# Configuration for myvpn1
$Site_Address $Peer_address : PSK "secret"

and also when we perform neutron ipsec-site-connection-list
+----------------+----------------------------------------------------+
| Field          | Value                                              |
+----------------+----------------------------------------------------+
| admin_state_up | True                                               |
| auth_mode      | psk                                                |
| description    |                                                    |
| dpd            | {"action": "hold", "interval": 30, "timeout": 120} |
| id             | 981ebe4c-01e3-4b3f-8a42-42714038ac39               |
| ikepolicy_id   | a8d616f9-5f87-4ee9-88d4-d247186ba931               |
| initiator      | bi-directional                                     |
| ipsecpolicy_id | 4fc920e8-4f95-4f88-b064-076d95cdb9ec               |
| mtu            | 1500                                               |
| name           | vpnconnection2                                     |
| peer_address   | 1$Peer_address                                     |
| peer_cidrs     | $Peer_cidr                                         |
| peer_id        | $peer_id                                           |
| psk            | secret                                             |
| route_mode     | static                                             |
| status         | ACTIVE                                             |
| tenant_id      | d209c7ac08304ff48c59a53c2c47516c                   |
| vpnservice_id  | 9d550160-fc3b-4a84-a702-f7b75684af49               |
+----------------+----------------------------------------------------+

secret is the psk for the ipsec site connection.
Should it not be in the encrypted format?

Tags: vpnaas
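
As an added example (not part of the original report and not neutron code): a small Python helper that flags literal PSK entries in ipsec.secrets-style text and masks the psk value in both that file and the CLI table before either is pasted into a ticket or log. The function names, regexes and sample inputs are assumptions constructed for illustration.

```python
import re

MASK = "<redacted>"
# ipsec.secrets entry, e.g.:  192.0.2.10 198.51.100.20 : PSK "key"
# Comment lines are skipped; the selector may hold IPv6 colons.
PSK_LINE = re.compile(
    r'^(?P<pre>(?P<sel>[^#\n]*?):[ \t]*PSK[ \t]+")(?P<key>[^"\n]*)"', re.M)
# psk row of the CLI table, e.g.:  | psk | key |
PSK_ROW = re.compile(
    r'^(?P<pre>\|[ \t]*psk[ \t]*\|[ \t])(?P<val>.*?)(?P<post>[ \t]\|[ \t]*)$',
    re.M)


def find_plaintext_psks(secrets_text):
    """Return (line_number, selector) for each entry holding a literal key."""
    return [(secrets_text.count("\n", 0, m.start()) + 1, m.group("sel").strip())
            for m in PSK_LINE.finditer(secrets_text)]


def redact_secrets(secrets_text):
    """Mask the quoted key of every PSK entry, leaving selectors intact."""
    return PSK_LINE.sub(lambda m: m.group("pre") + MASK + '"', secrets_text)


def redact_cli_table(table_text):
    """Mask the psk value; keep the column width only if the cell was padded."""
    def mask(m):
        val = m.group("val")
        width = len(val) if val != val.rstrip() else 0
        return m.group("pre") + MASK.ljust(width) + m.group("post")
    return PSK_ROW.sub(mask, table_text)


# Constructed sample inputs (documentation addresses, made-up key).
SAMPLE_SECRETS = (
    "# Configuration for myvpn1\n"
    '192.0.2.10 198.51.100.20 : PSK "example-key"\n'
)
SAMPLE_TABLE = (
    "| name | vpnconnection2 |\n"
    "| psk  | example-key    |\n"
    "| mtu  | 1500           |\n"
)

if __name__ == "__main__":
    print(find_plaintext_psks(SAMPLE_SECRETS))
    print(redact_secrets(SAMPLE_SECRETS), end="")
    print(redact_cli_table(SAMPLE_TABLE), end="")
```
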
description: updated
tags: added: vpnaas
Nachi Ueno (nati-ueno) wrote :

This is a known issue, and the PSK should be in Barbican according to the discussion about service cred management.

Changed in neutron:
importance: Undecided → High
status: New → Confirmed
Wei Wang (damon-devops) wrote :

Add dependence to Barbican?

Eugene Nikanorov (enikanorov) wrote :

Considering the future advanced services spin-off and the fact that this is really a shortcut to make experimental VPN work, I'm marking this as 'Won't fix'.

description: updated
Changed in neutron:
status: Confirmed → Won't Fix