[strongSwan] swanctl.conf EAP credential information

bls s bls3427 at outlook.com
Thu Nov 30 18:23:49 CET 2017

Tobias, Thank you! Indeed your suggested workaround to delete the dots in section names fixed the issue.

From: Tobias Brunner<mailto:tobias at strongswan.org>
Sent: Thursday, November 30, 2017 8:49 AM
To: bls s<mailto:bls3427 at outlook.com>; Noel Kuntze<mailto:noel.kuntze+strongswan-users-ml at thermi.consulting>; users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] swanctl.conf EAP credential information


The problem are the dots in the section names of your EAP secrets.  For

  eap-user1 at mydomain.com {
    id = user1 at mydomain.com

When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the parameter
evaluation provided by settings_t.  All dots in strings are interpreted
as section separators so the dot there caused a lookup of the section:

  eap-user1 at mydomain {
    com {

But since that doesn't exist no id... key was found in this section and
the secrets were not associated with any identities:

> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id 'eap-bls at mydomain.net' for: '%any'

This basically caused the first of these secrets to get used for all

I pushed a fix to the swanctl-enumerate-kv branch (for connections and
their subsections dots still can't be used, though).

As a workaround don't use any dots in these section names.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171130/574733dd/attachment.html>

More information about the Users mailing list