Skip to content

vr: ipsec/l2tp vpn secret with no ID selectors#5375

Merged
yadvr merged 1 commit into
apache:4.15from
shapeblue:4.15-ipsec-l2tp-no-id-selector
Sep 2, 2021
Merged

vr: ipsec/l2tp vpn secret with no ID selectors#5375
yadvr merged 1 commit into
apache:4.15from
shapeblue:4.15-ipsec-l2tp-no-id-selector

Conversation

@weizhouapache

Copy link
Copy Markdown
Member

Description

according to https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets , the ID selector is optional.

Not sure if this PR fixes #4281

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

@weizhouapache

Copy link
Copy Markdown
Member Author

@blueorangutan package

@blueorangutan

Copy link
Copy Markdown

@weizhouapache a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@blueorangutan

Copy link
Copy Markdown

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian. SL-JID 1018

@weizhouapache

Copy link
Copy Markdown
Member Author

@blueorangutan test

@blueorangutan

Copy link
Copy Markdown

@weizhouapache a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@blueorangutan

Copy link
Copy Markdown

Trillian test result (tid-1780)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 34828 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr5375-t1780-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_iso.py
Intermittent failure detected: /marvin/tests/smoke/test_ssvm.py
Smoke tests completed. 86 look OK, 1 have error(s)
Only failed tests results shown below:

Test Result Time (s) Test File
test_05_stop_ssvm Failure 38.82 test_ssvm.py

@yadvr yadvr added this to the 4.15.2.0 milestone Aug 31, 2021
@yadvr

yadvr commented Aug 31, 2021

Copy link
Copy Markdown
Member

For testing on osx, with kvm - https://github.com/foxlet/macOS-Simple-KVM

@sureshanaparti sureshanaparti left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@weizhouapache Tested on OS X, LGTM.

@weizhouapache
weizhouapache marked this pull request as ready for review September 2, 2021 07:20
@weizhouapache

Copy link
Copy Markdown
Member Author

@weizhouapache Tested on OS X, LGTM.

thanks @sureshanaparti for testing !

@yadvr
yadvr merged commit 989a468 into apache:4.15 Sep 2, 2021
@yadvr

yadvr commented Sep 2, 2021

Copy link
Copy Markdown
Member

Lgtm

yadvr pushed a commit that referenced this pull request Nov 30, 2022
PR #5375, introduced in version 4.15.2.0, removed parameter %any of VPNs client-to-site (C2S) IPSec secrets:

structure before PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
<IP> %any : PSK "<PSK>"
structure after PR vr: ipsec/l2tp vpn secret with no ID selectors #5375:
<IP> : PSK "<PSK>"
Because of that, when a VPN site-so-site (S2S) is created in parallel to a VPN C2S in the same network, the C2S will not handle any IP (%any) anymore and, as the network is being tunneled to the other VPN, the connection will be handled by the final peer. This way, when a VPN S2S is created in parallel to a VPN C2S in the same network, it is only possible to connect to the C2S with the S2S PSK.

As ACS is only able to implement a single C2S per network (ACS allows setting more than one IP of the network as VPN, however, only the first will be implemented) and every S2S has its own secret file, the secrets structure of C2S was changed to contain only the PSK:

: PSK "<PSK>"
By doing that, StrongSwan will handle correctly C2S connections from any IP and still will use the correct PSK for S2S.

Co-authored-by: GutoVeronezi <daniel@scclouds.com.br>
@weizhouapache
weizhouapache deleted the 4.15-ipsec-l2tp-no-id-selector branch December 9, 2022 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants