Page MenuHomeVyOS Platform
Create Task
Maniphest T264

Use base64 or hex format in ipsec.secrets to allow double quotes
Open, WishlistPublicENHANCEMENT
Actions

Description

The strongswan documentation states:

PSK Secret
A preshared secret is most conveniently represented as a sequence of characters, which is delimited by double-quote characters ("). The sequence cannot contain newline or double-quote characters.
Alternatively, preshared secrets can be represented as hexadecimal or Base64 encoded binary values. A character sequence beginning with 0x is interpreted as sequence hexadecimal digits. Similarly, a character sequence beginning with 0s is interpreted as Base64 encoded binary data.

Using hex- or base64-encoding in the /etc/ipsec.secrets file would allow double quotes- and newline-characters to be used in VPN PSKs (double quotes being a requirement we just encountered connecting to an ISP's Cisco VPN).

The change is as simple as encoding the PSK, prepending "0s" (base64) or "0x" (hex) and putting the result unquoted (!) into the file.

The problem is that the value is checked for illegal characters in a completely different place.
Changing that unfortunately exceeds my coding abilities.

This will probably get a low priority but I at least wanted to document my findings.

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

hsychla created this task.Feb 3 2017, 3:58 PM
syncer triaged this task as Wishlist priority.Aug 1 2017, 3:57 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.
syncer set Version to -.
syncer added subscribers: Community, Active contributors, Maintainers.
syncer reassigned this task from syncer to dmbaturin.Nov 3 2017, 12:57 PM
syncer added a subscriber: syncer.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer reassigned this task from dmbaturin to c-po.Oct 13 2018, 6:39 PM
syncer added a subscriber: dmbaturin.
syncer changed the subtype of this task from "Task" to "Enhancement".Oct 20 2018, 4:49 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
dmbaturin edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 3 2018, 11:16 PM

This is best done along with IPsec scripts rewrite.

pasik added a subscriber: pasik.Mar 12 2019, 6:12 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.Dec 10 2020, 11:57 AM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po removed c-po as the assignee of this task.Apr 9 2021, 12:25 PM
c-po added a subscriber: c-po.
dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 3:17 PM
dmbaturin set Issue type to Unspecified (please specify).