vyos-1.3
In some circumstances, when IPsec uses rsasig authentication, ipsec.secrets is generated with
duplicated records. When the number of such records is over 3 or 4, charon gets stuck.
For example, we have the following IPsec configuration:
set vpn ipsec site-to-site peer 172.18.0.125 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.18.0.125 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=ntop'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.18.0.125 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.18.0.125 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.18.0.125 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.18.0.125 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.0.125 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.18.0.125 vti bind 'vti01'
set vpn ipsec site-to-site peer 172.18.0.125 vti esp-group 'ESP00'
set vpn ipsec site-to-site peer 172.20.92.9 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.9 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=zip40'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.20.92.9 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.9 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.20.92.9 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.20.92.9 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.20.92.9 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.20.92.9 vti bind 'vti03'
set vpn ipsec site-to-site peer 172.20.92.9 vti esp-group 'ESP00'
set vpn ipsec site-to-site peer 172.20.92.10 authentication mode 'x509'
set vpn ipsec site-to-site peer 172.20.92.10 authentication remote-id 'C=World, ST=Province, L=City, O=ORG, OU=WANt, CN=zip50'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 ca-cert-file '/config/auth/cazenit2015.crt'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 cert-file '/config/auth/ano.crt.pem'
set vpn ipsec site-to-site peer 172.20.92.10 authentication x509 key file '/config/auth/ano.key.pem'
set vpn ipsec site-to-site peer 172.20.92.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.20.92.10 ike-group 'IKE00'
set vpn ipsec site-to-site peer 172.20.92.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.20.92.10 local-address '10.40.85.1'
set vpn ipsec site-to-site peer 172.20.92.10 vti bind 'vti02'
set vpn ipsec site-to-site peer 172.20.92.10 vti esp-group 'ESP00'
and the generated /etc/ipsec.secrets is:
generated by /opt/vyatta/sbin/vpn-config.pl
: RSA /etc/ipsec.d/private/ano.key.pem
: RSA /etc/ipsec.d/private/ano.key.pem
: RSA /etc/ipsec.d/private/ano.key.pem
The following patch solves the problem:
— vpn-config.pl.orig 2020-04-08 13:11:06.323867034 +0300
+++ vpn-config.pl 2020-04-08 13:13:19.558447941 +0300
@@ -1307,6 +1307,21 @@
exit 1;
}
+sub uniq_str {
- my %kw = ();
- my $ns="";
- my ( $str ) = @_;
- for my $w ( split /\n/, $str )
- {
-
if (! exists($kw{$w}))
-
{
-
$kw{$w} = 1;
-
$ns .= $w . "\n";
-
}
- }
- return $ns;
+}
sub write_config {
my ($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
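Review bot: the body of this hunk does not match its header: `@@ -1307,6 +1307,21 @@` announces fifteen added lines and no removals, yet only `+sub uniq_str {` and `+}` carry a `+` while every line of the subroutine body, from `my %kw = ();` to `return $ns;`, is marked `-`, which would read as removing lines the original file never had; the copy submitted for merge needs `+` on every line of the new subroutine, with the body lines re-indented so the `if`/braces are not split across lines. On the logic: uniq_str keeps the first occurrence of each byte-identical line and discards later repeats, which does remove the three identical `: RSA /etc/ipsec.d/private/ano.key.pem` entries, but it operates on the whole file as a flat set of lines, so it also collapses repeated blank lines and any two identical PSK entries; that is harmless for ipsec.secrets, but the subroutine should carry a one-line comment stating that this dedup is intentional and that line order is preserved. Note also that the duplicates originate where the `: RSA` line is appended once per peer even though all three peers above share the same `key file`; deduplicating on the key path at that point would address the cause rather than post-processing the output.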
@@ -1332,7 +1347,7 @@
open my $output_secrets, '>', $secrets_file
or die "Can't open $secrets_file: $!";
- print ${output_secrets} $genout_secrets;
- print ${output_secrets} uniq_str($genout_secrets);
close $output_secrets;
dhcp_hook($dhcp_if);
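Review bot: same marker problem as the first hunk: the header `@@ -1332,7 +1347,7 @@` implies one line replaced by one, but both `print ${output_secrets}` lines are marked `-`; the second, `print ${output_secrets} uniq_str($genout_secrets);`, must carry `+` or the patch will not apply. Filtering at write time is a safety net rather than a fix for the code that builds `$genout_secrets`, so it is worth pairing this with a guard on the generation side so the buffer never contains the repeated entries; the three-peer configuration above with a shared key file is the regression case, and after the change the written file should contain a single `: RSA /etc/ipsec.d/private/ano.key.pem` line.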