|
Notes |
|
|
(0007111)
|
|
NickH
|
|
2018-01-29 09:13
|
|
|
It looks like this error is caused by the interface writing an invalid config file. Then either when the conn is added (ipsec auto --add conn_name) or ipsec is restarted (I don't know which the interface does), ipsec fails with an error and this error is not trapped. Now that the interface is crashed you cannot correct the error without going to the command line. |
|
|
|
(0007211)
|
|
NickH
|
|
2018-03-20 02:09
|
|
|
Another error appears if you have a config with a Left IP and the PSK is set to use the Left IP. If you then change the Left IP to "Default Route" and save, as there is no longer a Left IP, the webconfig writes nothing in its place to the secrets file but leaves in what was the space separator between the Left IP and Right IP so the secrets file starts with a blank. Libreswan barfs at this saying a leading blank implies a continuation line and it can't be because it is the first line of the file. The webconfig then falls over because ipsec has fallen over. |
|
|
|
(0007231)
|
|
NickH
|
|
2018-03-21 03:04
|
|
|
Another error appears if you change or remove the DPD action. Sometimes you end up with extra "conn" lines in the conn file. I have seen both one and two lines added. Depending on where it is added it can again bring down the webconfig but not always. |
|
|
|
(0007241)
|
|
NickH
|
|
2018-03-22 02:54
|
|
If this does get revisited, as an enhancement request in order to get ahead in the security game, Phase 1 and Phase 2 Hash need to include sha2/sha256 (and possibly sha384 and sha512). sha2 is a minimum additional requirement.
There are many more encryption options now available and there is a nice table of them dumped into the log file when ipsec is started. |
|
|
|
(0007611)
|
|
NickH
|
|
2018-07-04 02:55
|
|
The interface won't accept plain text in the Local ID field, only an FQDN. If you then try to change it to text, you get a message "Invalid FQDN". It you try to remove it you get "This field is required" but it is not required.
Also the Local ID gets written to the secrets file in place of the local IP (this will break a normal tunnel)
At one point when testing this field I ended up with an extra "conn" heading, but I am unable to reproduce this.
The interface ended up getting into such a state that I had to change left from %defaultroute to my WAN IP and change the Local PSK ID Type from Local WAN IP to something else and back before changes could be saved.
Then changing Left back to Default Route crashed the interface because the left IP was removed from the secrets file and the file started with a blank character. This crashes ipsec as noted earlier in 7211.
There is also potential confusion on how the left/rightid works. It should be able to take plain text which can be preceded by an "@" in the config file. If it is an FQDN to be used as text, it must be preceded by an @ in the config file. If it is not preceded by an @, *swan will resolve it first before using it
The same concept goes for the secrets file. Note that if you use a text string without an @, it will still be treated as a text string as it is not a valid FQDN. |
|
|
|
(0007621)
|
|
NickH
|
|
2018-07-04 03:24
|
|
|
There seems to be no way of handling the combination of Local WAN IP = Default Route and Local PSK ID Type = Local FQDN as it is incorrect to use the Local ID because the Local ID can have other side effects and in out case will get transmitted as text and not an IP address as that is how it is stored in the conf file |
|
|
|
(0016071)
|
|
NickH
|
|
2021-11-09 07:11
|
|
|