
Use base64 or hex format in ipsec.secrets to allow double quotes
Closed, Resolved (Public, Enhancement)

Description

The strongswan documentation states:

PSK Secret
A preshared secret is most conveniently represented as a sequence of characters, which is delimited by double-quote characters ("). The sequence cannot contain newline or double-quote characters.
Alternatively, preshared secrets can be represented as hexadecimal or Base64 encoded binary values. A character sequence beginning with 0x is interpreted as a sequence of hexadecimal digits. Similarly, a character sequence beginning with 0s is interpreted as Base64 encoded binary data.

Using hex or base64 encoding in the /etc/ipsec.secrets file would allow double-quote and newline characters to be used in VPN PSKs (double quotes being a requirement we just encountered connecting to an ISP's Cisco VPN).

The change is as simple as encoding the PSK, prepending "0s" (base64) or "0x" (hex) and putting the result unquoted (!) into the file.

The problem is that the value is checked for illegal characters in a completely different place.
Changing that unfortunately exceeds my coding abilities.

This will probably get a low priority but I at least wanted to document my findings.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

syncer triaged this task as Wishlist priority. Aug 1 2017, 3:57 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.
syncer set Version to -.
syncer added a subscriber: dmbaturin.
syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 4:49 AM

This is best done along with IPsec scripts rewrite.

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po removed c-po as the assignee of this task. Apr 9 2021, 12:25 PM
c-po subscribed.
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin edited projects, added Ideas; removed Restricted Project, VyOS 1.5 Circinus. Oct 14 2024, 11:07 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
dmbaturin set Issue type to Feature (new functionality). Nov 8 2024, 10:50 AM

Since IPsec secrets are already maintained in a JSON config that handles quoting correctly,
is it still possible to relax the check on the " (double quotes) and let it be saved and committed?
The check is also in the committing phase,
i.e.

if you edit config.boot manually, insert a secret like the one below and then issue load /config/config.boot,

you end up with
show vpn ipsec authentication psk TEST
id 6.6.6.6
>secret "POIPOOPPP\"pino_!@#$%^&*()_+=-{}[]????"

then

commit

and show

show vpn ipsec authentication psk TEST
id 6.6.6.6
secret "POIPOOPPP\"pino_!@#$%^&*()_+=-{}[]????"

save

and this is the final result in the config.boot section

ike-TEST {
# ID's from auth psk <tag> id xxx
id-0e7cbe27-4acd-4ea1-9912-5adc9e6eab82 = "6.6.6.6"
secret = "POIPOOPPP"pino_!@#$%^&*()_+=-{}[]????"
}

So my proposal is to remove validation in the early insertion phase.

@marco_agostani we do not have validators on the insert config step https://github.com/vyos/vyos-1x/blob/8f76c96cb4d7132b7654aa5f37e8ab49fa2e137a/interface-definitions/vpn_ipsec.xml.in#L35-L43
It is more of an interpreter issue/feature.

The easiest way will be to add a new node like secret-base64 or secret-type base64 and allow configuring base64-encoded values,
something like this:

root@r15:/home/vyos# echo -n 'POIPOOPPP"pino_!@#$%^&*()_+=-{}[]????' | base64
UE9JUE9PUFBQInBpbm9fIUAjJCVeJiooKV8rPS17fVtdPz8/Pw==
root@r15:/home/vyos# 

set vpn ipsec authentication psk PSK secret 'UE9JUE9PUFBQInBpbm9fIUAjJCVeJiooKV8rPS17fVtdPz8/Pw=='
set vpn ipsec authentication psk PSK secret-type base64

Dear Viacheslav,
Glad to hear from you.
I think Base64 is OK and is the right approach.

Do you think this is something that could happen on a short time base?
We can migrate from Cisco to VyOS by doing the modification directly in the config.boot config and loading it, but at some point we should be able to use it.
Without this feature we could stop our migration or at least consider a different routing platform.

Cheers
Marco

PR https://github.com/vyos/vyos-1x/pull/4198
Add base64 encrypted password

$ echo -n 1234567890 | base64
MTIzNDU2Nzg5MA==
$ 

Use this password in the config

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret 'MTIzNDU2Nzg5MA=='
set vpn ipsec authentication psk PSK secret-type 'base64'
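
As an added illustration (not VyOS or strongSwan code), the encoding rules quoted in the task description and the secret-type base64 proposal above, in one Python helper: it renders an ipsec.secrets PSK line, refuses double quotes or newlines in the quoted form, emits the unquoted 0s/0x forms, and decodes a token back. The line layout, the function names and the secret-type values are assumptions.

```python
import base64
import binascii

# Added example; not the VyOS renderer or strongSwan's parser.
# Rules taken from the strongSwan text quoted in this task: a quoted PSK may
# not contain '"' or newline; values starting 0s (base64) / 0x (hex) go in unquoted.


def encode_psk(secret: bytes, fmt: str = "base64") -> str:
    """Return the unquoted ipsec.secrets token for a binary PSK."""
    if fmt == "base64":
        return "0s" + base64.b64encode(secret).decode("ascii")
    if fmt == "hex":
        return "0x" + secret.hex()
    raise ValueError(f"unknown format {fmt!r}")


def quoted_psk(secret: str) -> str:
    """Quoted form; rejects the characters ipsec.secrets cannot carry this way."""
    if '"' in secret or "\n" in secret:
        raise ValueError("quoted PSK may not contain '\"' or newline")
    return f'"{secret}"'


def ipsec_secrets_line(ids, secret: str, secret_type: str = "plaintext") -> str:
    """Build '<id> <id> : PSK <value>' from the CLI values (assumed layout)."""
    if secret_type == "plaintext":
        value = quoted_psk(secret)
    elif secret_type == "base64":
        # CLI value is already base64: check it decodes, then emit the 0s form.
        try:
            raw = base64.b64decode(secret, validate=True)
        except binascii.Error as e:
            raise ValueError(f"secret is not valid base64: {e}") from e
        value = encode_psk(raw, "base64")
    else:
        raise ValueError(f"unknown secret-type {secret_type!r}")
    return " ".join(ids) + " : PSK " + value


def parse_psk_token(token: str) -> bytes:
    """Decode a PSK token the way the ipsec.secrets rules above describe."""
    if token.startswith("0s"):
        return base64.b64decode(token[2:], validate=True)
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1].encode()
    raise ValueError("unrecognised PSK token")
```

The round trip through parse_psk_token is what makes the double quote in the sample PSK from this task survive, where the quoted form cannot carry it.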
Viacheslav claimed this task.
Viacheslav moved this task from Backport Candidates to Completed on the VyOS Rolling board.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.1) board.