Wrong ipsec.secrets file generation

vyos-1.3

In some circumstances, when IPsec uses rsasig authentication, ipsec.secrets is generated with
duplicated records. When the number of such records exceeds 3 or 4, charon gets stuck.

For example, we have the following IPsec configuration:
set vpn ipsec site-to-site peer 172.18.0.125 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.18.0.125 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=ntop'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.18.0.125 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.18.0.125 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.18.0.125 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.0.125 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.18.0.125 vti bind 'vti01'
set vpn ipsec site-to-site peer 172.18.0.125 vti esp-group 'ESP00'
set vpn ipsec site-to-site peer 172.20.92.9 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.9 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=zip40'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.9 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.20.92.9 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.20.92.9 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.20.92.9 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.20.92.9 vti bind 'vti03'
set vpn ipsec site-to-site peer 172.20.92.9 vti esp-group 'ESP00'
set vpn ipsec site-to-site peer 172.20.92.10 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.10 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=zip50'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.20.92.10 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.20.92.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.20.92.10 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.20.92.10 vti bind 'vti02'
set vpn ipsec site-to-site peer 172.20.92.10 vti esp-group 'ESP00'

and the generated /etc/ipsec.secrets is:

generated by /opt/vyatta/sbin/vpn-config.pl

: RSA /etc/ipsec.d/private/ano.key.pem
: RSA /etc/ipsec.d/private/ano.key.pem
: RSA /etc/ipsec.d/private/ano.key.pem
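The following script is an added example, not VyOS's vpn-config.pl, that reproduces the shape of the problem above and the two ways of fixing it: it parses the `set vpn ipsec ... x509 key file` lines, emits one `: RSA` line per peer (the buggy output shown above, three identical lines for one shared key), then emits one line per distinct key file instead, and offers a check that flags repeated entries in an existing ipsec.secrets. The config lines are constructed from the report (with a fourth peer using a different key added to show the general case), and the mapping of /config/auth/<name> to /etc/ipsec.d/private/<name> is an assumption taken from the generated output in the report.

```python
"""Regenerate the ': RSA' lines of ipsec.secrets from VyOS 'set vpn ipsec' lines.

Added example, not VyOS code. The /config/auth -> /etc/ipsec.d/private mapping
is assumed from the generated file quoted in the report.
"""
import re
from collections import OrderedDict
from pathlib import PurePosixPath

# Only the x509 private-key node matters for the ': RSA' entries.
SET_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (?P<peer>\S+) "
    r"authentication x509 key file '(?P<path>[^']+)'$"
)

PRIVATE_DIR = "/etc/ipsec.d/private"  # assumed install location for key files

# Constructed sample: the three peers from the report share one key; a fourth
# peer (192.0.2.7, made up) uses a second key to show the general case.
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer 172.18.0.125 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.9 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.10 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 192.0.2.7 authentication x509 key file '/config/auth/other.key.pem'
"""


def peer_key_files(config_text):
    """Map peer address -> configured x509 private key path, in config order."""
    peers = OrderedDict()
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            peers[m.group("peer")] = m.group("path")
    return peers


def installed_path(config_path):
    """Where the generator installs a /config/auth key (assumed, see header)."""
    return f"{PRIVATE_DIR}/{PurePosixPath(config_path).name}"


def secrets_per_peer(peers):
    """Buggy shape: one ': RSA' line per peer, so a shared key is repeated."""
    return [f": RSA {installed_path(p)}" for p in peers.values()]


def secrets_per_key(peers):
    """Fixed shape: one ': RSA' line per distinct key file, first-seen order."""
    seen = OrderedDict((installed_path(p), None) for p in peers.values())
    return [f": RSA {path}" for path in seen]


def duplicate_secret_lines(secrets_text):
    """Check an existing ipsec.secrets: return non-comment lines seen more than once."""
    counts = {}
    for line in secrets_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            counts[line] = counts.get(line, 0) + 1
    return [line for line, n in counts.items() if n > 1]


if __name__ == "__main__":
    peers = peer_key_files(SAMPLE_CONFIG)
    buggy = "\n".join(secrets_per_peer(peers)) + "\n"
    print("per-peer output:\n" + buggy)
    print("duplicates:", duplicate_secret_lines(buggy))
    print("per-key output:\n" + "\n".join(secrets_per_key(peers)))
```

Running the script against a real box: `duplicate_secret_lines(open('/etc/ipsec.secrets').read())` is a quick way to confirm whether a stuck charon coincides with repeated `: RSA` entries before touching the generator.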

The following patch solves the problem:
— vpn-config.pl.orig 2020-04-08 13:11:06.323867034 +0300
+++ vpn-config.pl 2020-04-08 13:13:19.558447941 +0300
@@ -1307,6 +1307,21 @@
exit 1;
}

+sub uniq_str {

  • my %kw = ();
  • my $ns="";
  • my ( $str ) = @_;
  • for my $w ( split /\n/, $str )
  • {
  •   if (! exists($kw{$w}))
    
  •   {
    
  •       $kw{$w} = 1;
    
  •       $ns .=  $w . "\n";
    
  •   }
    
  • }
  • return $ns;
    +}

sub write_config {
my ($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;

@@ -1332,7 +1347,7 @@

 open my $output_secrets, '>', $secrets_file
     or die "Can't open $secrets_file: $!";
  • print ${output_secrets} $genout_secrets;
  • print ${output_secrets} uniq_str($genout_secrets);
    close $output_secrets;
    dhcp_hook($dhcp_if);
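Review bot: deduplicating only at the write site leaves $genout_secrets itself carrying the duplicates for any other consumer, and the comparison is byte-for-byte, so the same key referenced by a differently spelled path would still appear twice; applying the check where the `: RSA` lines are generated avoids both. The commit message should also record the observed symptom from the report (charon gets stuck once the identical entry is repeated three or four times) so the reason for the change is traceable.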