Feature #273

Force USER_FQDN

Added by Gabriel Werner over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
libstrongswan
Target version:
Start date:
03.01.2013
Due date:
Estimated time:
Resolution:
Fixed

Description

The server told me to use "IPSecVPN" as USER_FQDN.
strongSwan automatically parses this as FQDN, which the server doesn't accept.

I wrote a workaround (added it to strongswan-5.0.1/src/libstrongswan/utils/identification.c after line 993):

                if (*string == '@')
                {
                        if (*(string + 1) == '#')
                        {
                                this = identification_create(ID_KEY_ID);
                                string += 2;
                                this->encoded = chunk_from_hex(
                                                                        chunk_create(string, strlen(string)), NULL);
                                return &this->public;
                        }
+                       else if (*(string + 1) == '@')
+                       {
+                               this = identification_create(ID_RFC822_ADDR);
+                               string += 2;
+                               this->encoded.len = strlen(string);
+                               if (this->encoded.len)
+                               {
+                                       this->encoded.ptr = strdup(string);
+                               }
+                               return &this->public;
+                       }
                        else
                        {
                                this = identification_create(ID_FQDN);
                                string += 1;
                                this->encoded.len = strlen(string);
                                if (this->encoded.len)
                                {
                                        this->encoded.ptr = strdup(string);
                                }
                                return &this->public;
                        }
                }
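Review bot: the new `@@` branch is a copy of the `else` branch right below it, with only `ID_FQDN` swapped for `ID_RFC822_ADDR` and `string += 1` for `string += 2`; deciding the type and the prefix length first and then sharing the `strlen()`/`strdup()` lines would avoid the duplicated block. The new prefix also changes the accepted identity string syntax, so wherever `@#` is documented the `@@` form would need to be described as well.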

Now I write it down as @@IPSecVPN, but I don't think that is a nice way.
Maybe you have an idea to make this work another way, maybe a config or a prefix as in the certs (I had to use PSK, so I couldn't take it from the cert).

It would be pretty comfortable to import connections from .vpn or .ini files, even if it's not full support. It would be pretty easy to use, because these firewall VPN devices mostly export these configs... even if I just had a tool which gives me an output with an example configuration.
I think I'm not advanced enough with strongswan to write it myself.

Have a good day and a happy new year everyone
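The dispatch order of the prefix scheme sketched above is easier to try outside the strongSwan tree than inside identification.c. The following is an added, stand-alone C model of that dispatch and is not code from this issue or from strongSwan: the enum names mirror the ones used in the patch, `hex_decode()` stands in for `chunk_from_hex()`, and the rule that a string without a leading `@` becomes `ID_FQDN` is an assumption that matches what the reporter observed for "IPSecVPN" (the real function applies further rules for IP addresses, DNs and so on that this model omits). The `@@` prefix is the reporter's proposed syntax, not an official one.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Identity types, named after the strongSwan enum values used in the patch. */
typedef enum { ID_FQDN, ID_RFC822_ADDR, ID_KEY_ID, ID_INVALID } id_type_t;

/* A parsed identity: type plus the encoded value (heap copy, NULL when empty). */
typedef struct {
    id_type_t type;
    unsigned char *ptr;
    size_t len;
} identity_t;

/* Decode an even-length hex string into bytes (stand-in for chunk_from_hex()).
 * Returns 0 on success; -1 on odd length, a non-hex digit or allocation failure. */
static int hex_decode(const char *hex, unsigned char **out, size_t *out_len)
{
    size_t n = strlen(hex), i;
    unsigned char *buf;

    *out = NULL;
    *out_len = 0;
    if (n % 2 != 0)
    {
        return -1;
    }
    if (n == 0)
    {
        return 0;             /* "@#" with nothing after it: empty key id */
    }
    buf = malloc(n / 2);
    if (!buf)
    {
        return -1;
    }
    for (i = 0; i < n; i += 2)
    {
        char pair[3] = { hex[i], hex[i + 1], '\0' };
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1]))
        {
            free(buf);
            return -1;
        }
        buf[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
    }
    *out = buf;
    *out_len = n / 2;
    return 0;
}

/* Copy the rest of the string as the encoded value, as the strlen()/strdup()
 * lines in the patch do; an empty remainder leaves ptr NULL. */
static void set_string_value(identity_t *id, const char *string)
{
    id->len = strlen(string);
    id->ptr = id->len ? (unsigned char *)strdup(string) : NULL;
}

/* Model of the '@' prefix dispatch including the proposed "@@" branch:
 *   "@#<hex>"  -> ID_KEY_ID with the hex-decoded bytes (ID_INVALID on bad hex)
 *   "@@<text>" -> ID_RFC822_ADDR, the USER_FQDN type the reporter needs
 *   "@<text>"  -> ID_FQDN
 *   "<text>"   -> ID_FQDN (assumption; see the lead-in) */
identity_t parse_identity(const char *string)
{
    identity_t id = { ID_INVALID, NULL, 0 };

    if (*string == '@')
    {
        if (string[1] == '#')
        {
            if (hex_decode(string + 2, &id.ptr, &id.len) == 0)
            {
                id.type = ID_KEY_ID;
            }
            return id;
        }
        if (string[1] == '@')
        {
            id.type = ID_RFC822_ADDR;
            set_string_value(&id, string + 2);
            return id;
        }
        id.type = ID_FQDN;
        set_string_value(&id, string + 1);
        return id;
    }
    id.type = ID_FQDN;
    set_string_value(&id, string);
    return id;
}

void identity_free(identity_t *id)
{
    free(id->ptr);
    id->ptr = NULL;
    id->len = 0;
}

int main(void)
{
    /* Constructed sample inputs covering each branch and the invalid-hex case. */
    const char *inputs[] = { "IPSecVPN", "@@IPSecVPN", "@fw.example.org", "@#0a1b", "@#zz" };
    static const char *names[] = { "FQDN", "RFC822_ADDR", "KEY_ID", "INVALID" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
    {
        identity_t id = parse_identity(inputs[i]);
        printf("%-16s -> %s (%zu bytes)\n", inputs[i], names[id.type], id.len);
        identity_free(&id);
    }
    return 0;
}
```

The `@#` check has to stay ahead of the `@@` check only because both start with `@`; the order between `@@` and the plain `@` fallback is what makes the new prefix reachable, which is the same ordering the patch relies on.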

History

#1 Updated by Gabriel Werner over 6 years ago

There are two "+" missing: one in front of the else if and one in front of this->encoded, but I think you already saw this :)

And also the += 2 is not displayed the right way... here again:

                if (*string == '@')
                {
                        if (*(string + 1) == '#')
                        {
                                this = identification_create(ID_KEY_ID);
                                string += 2;
                                this->encoded = chunk_from_hex(
                                                                        chunk_create(string, strlen(string)), NULL);
                                return &this->public;
                        }
+                       else if (*(string + 1) == '@')
+                       {
+                               this = identification_create(ID_RFC822_ADDR);
+                               string += 2;
+                               this->encoded.len = strlen(string);
+                               if (this->encoded.len)
+                               {
+                                       this->encoded.ptr = strdup(string);
+                               }
+                               return &this->public;
+                       }
                        else
                        {
                                this = identification_create(ID_FQDN);
                                string += 1;
                                this->encoded.len = strlen(string);
                                if (this->encoded.len)
                                {
                                        this->encoded.ptr = strdup(string);
                                }
                                return &this->public;
                        }
                }

#2 Updated by Tobias Brunner about 6 years ago

  • Description updated (diff)
  • Category set to libstrongswan
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.1.0
  • Resolution set to Fixed

Commit cb6c4e0430d5dd2aba9dfa0ef5f2e4f5b0c6455b, which will be included in 5.1.0, added support for this.
