[strongSwan] swanctl.conf EAP credential information
bls s
bls3427 at outlook.com
Thu Nov 30 18:23:49 CET 2017
Tobias, Thank you! Indeed your suggested workaround to delete the dots in section names fixed the issue.
From: Tobias Brunner<mailto:tobias at strongswan.org>
Sent: Thursday, November 30, 2017 8:49 AM
To: bls s<mailto:bls3427 at outlook.com>; Noel Kuntze<mailto:noel.kuntze+strongswan-users-ml at thermi.consulting>; users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] swanctl.conf EAP credential information
Hi,
The problem is the dots in the section names of your EAP secrets. For
instance:
    eap-user1 at mydomain.com {
        id = user1 at mydomain.com
        secret = secret1
    }
When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the parameter
evaluation provided by settings_t. All dots in strings are interpreted
as section separators so the dot there caused a lookup of the section:
    eap-user1 at mydomain {
        com {
            ...
        }
    }
But since that doesn't exist no id... key was found in this section and
the secrets were not associated with any identities:
> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id 'eap-bls at mydomain.net' for: '%any'
This basically caused the first of these secrets to get used for all
clients.
I pushed a fix to the swanctl-enumerate-kv branch (for connections and
their subsections dots still can't be used, though).
As a workaround don't use any dots in these section names.
Regards,
Tobias
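To make the failure mode above concrete, here is a small added model (not strongSwan code, and not its settings_t API) of the one rule that matters: when a lookup path is assembled as a string, every dot in it is a section separator. The configuration text, section names and identities below are constructed for the illustration; the `dotted_section_names` check is a suggested pre-deployment lint, not something the project ships.

```python
"""Model of dotted-path section lookup, added to illustrate the thread.

This is NOT strongSwan's settings_t; it only mimics the behaviour the
thread describes: a key path built as a string ("secrets.<name>.id") is
split on '.', so a section name containing a dot can never be addressed.
"""

# Constructed sample in swanctl.conf 'secrets' style.  The first section
# name has no dot, the second one does.
SAMPLE_CONF = """
secrets {
    eap-user1 {
        id = user1@example.org
        secret = secret1
    }
    eap-user2@example.org {
        id = user2@example.org
        secret = secret2
    }
}
"""


def parse(text):
    """Parse 'name { ... }' sections and 'key = value' pairs into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        if line.endswith('{'):                    # section start
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == '}':                         # section end
            stack.pop()
        else:                                     # key = value
            key, _, value = line.partition('=')
            stack[-1][key.strip()] = value.strip()
    return root


def lookup(tree, path):
    """Dotted-path lookup: every '.' is a section separator, whatever the caller meant."""
    node = tree
    for part in path.split('.'):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return None if isinstance(node, dict) else node


def eap_ids(tree):
    """Mimic the string-built enumeration: 'secrets.<section>.id' for each eap-* section."""
    ids = {}
    for name in tree.get('secrets', {}):
        if name.startswith('eap-'):
            ids[name] = lookup(tree, 'secrets.%s.id' % name)
    return ids


def dotted_section_names(tree, prefix=''):
    """Lint: section names containing '.', which a string-built dotted lookup cannot reach."""
    found = []
    for name, value in tree.items():
        if isinstance(value, dict):
            if '.' in name:
                found.append(prefix + name)
            found.extend(dotted_section_names(value, prefix + name + '/'))
    return found


if __name__ == '__main__':
    tree = parse(SAMPLE_CONF)
    # The dotted section resolves to nothing, exactly as in the thread's log.
    print(eap_ids(tree))               # {'eap-user1': 'user1@example.org', 'eap-user2@example.org': None}
    print(dotted_section_names(tree))  # ['secrets/eap-user2@example.org']
```

The `None` for the dotted section is the model's equivalent of the `for: '%any'` line in the quoted log: the secret is loaded but bound to no identity. Running a check like `dotted_section_names` over a secrets file before loading it catches the condition on a version without the fix.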