ClearFoundation Tracker - ClearOS
View Issue Details
0017101ClearOSapp-static-vpn-basic - Static VPN for Homepublic2017-09-13 14:302021-11-09 07:11
NickH 
 
normalminoralways
closedsuspended 
7.3.1 
 
0017101: The app-static-vpn interface is not robust at trapping input errors
It is quite easy to crash the app-static-vpn interface getting a php Ooops! error. I can do it simply by adding multiple subnets to the leftsubnet field or rightsubnet field, so something like "172.17.2.0/24, 172.17.3.0/24". If you then hit update the interface crashes. Ideally it would detect multiple subnets and use leftsubnets instead of leftsubnet but that is another feature request. The interface should not crash.

I believe there are other instances where it crashes as well. The app needs to be checked over.

There is an instance on ticket #555759 on the second client post but I don't know what the customer did to get the crash but it is different to my multiple subnet crash.
Make a working configuration then add a second subnet in the leftsubnet field and hit update
No tags attached.
Issue History
2017-09-13 14:30NickHNew Issue
2017-09-13 19:24user2Statusnew => confirmed
2018-01-29 07:33user2Target Version => 7.4.0 Updates
2018-01-29 09:13NickHNote Added: 0007111
2018-02-12 09:54user2Target Version7.4.0 Updates =>
2018-03-20 02:09NickHNote Added: 0007211
2018-03-21 03:04NickHNote Added: 0007231
2018-03-22 02:54NickHNote Added: 0007241
2018-07-04 02:55NickHNote Added: 0007611
2018-07-04 03:24NickHNote Added: 0007621
2021-11-09 07:11NickHNote Added: 0016071
2021-11-09 07:11NickHStatusconfirmed => closed
2021-11-09 07:11NickHResolutionopen => suspended

Notes
(0007111)
NickH   
2018-01-29 09:13   
It looks like this error is caused by the interface writing an invalid config file. Then either when the conn is added (ipsec auto --add conn_name) or ipsec is restarted (I don't know which the interface does), ipsec fails with an error and this error is not trapped. Now that the interface is crashed you cannot correct the error without going to the command line.
(0007211)
NickH   
2018-03-20 02:09   
Another error appears if you have a config with a Left IP and the PSK is set to use the Left IP. If you then change the Left IP to "Default Route" and save, as there is no longer a Left IP, the webconfig writes nothing in its place to the secrets file but leaves in what was the space separator between the Left IP and Right IP so the secrets file starts with a blank. Libreswan barfs at this saying a leading blank implies a continuation line and it can't be because it is the first line of the file. The webconfig then falls over because ipsec has fallen over.
(0007231)
NickH   
2018-03-21 03:04   
Another error appears if you change or remove the DPD action. Sometimes you end up with extra "conn" lines in the conn file. I have seen both one and two lines added. Depending on where it is added it can again bring down the webconfig but not always.
(0007241)
NickH   
2018-03-22 02:54   
If this does get revisited, as an enhancement request in order to get ahead in the security game, Phase 1 and Phase 2 Hash need to include sha2/sha256 (and possibly sha384 and sha512). sha2 is a minimum additional requirement.

There are many more encryption options now available and there is a nice table of them dumped into the log file when ipsec is started.
(0007611)
NickH   
2018-07-04 02:55   
The interface won't accept plain text in the Local ID field, only an FQDN. If you then try to change it to text, you get a message "Invalid FQDN". It you try to remove it you get "This field is required" but it is not required.

Also the Local ID gets written to the secrets file in place of the local IP (this will break a normal tunnel)

At one point when testing this field I ended up with an extra "conn" heading, but I am unable to reproduce this.

The interface ended up getting into such a state that I had to change left from %defaultroute to my WAN IP and change the Local PSK ID Type from Local WAN IP to something else and back before changes could be saved.

Then changing Left back to Default Route crashed the interface because the left IP was removed from the secrets file and the file started with a blank character. This crashes ipsec as noted earlier in 7211.

There is also potential confusion on how the left/rightid works. It should be able to take plain text which can be preceded by an "@" in the config file. If it is an FQDN to be used as text, it must be preceded by an @ in the config file. If it is not preceded by an @, *swan will resolve it first before using it

The same concept goes for the secrets file. Note that if you use a text string without an @, it will still be treated as a text string as it is not a valid FQDN.
(0007621)
NickH   
2018-07-04 03:24   
There seems to be no way of handling the combination of Local WAN IP = Default Route and Local PSK ID Type = Local FQDN as it is incorrect to use the Local ID because the Local ID can have other side effects and in out case will get transmitted as text and not an IP address as that is how it is stored in the conf file
(0016071)
NickH   
2021-11-09 07:11   
Migrated to https://gitlab.com/clearos/app-static-vpn-basic/-/issues/3 [^]