group.of.nepali.translators team mailing list archive
Message #20315
[Bug 1734207] Re: Multiple PSKs with dyndns left/rightids doesn't work
This bug was fixed in the package strongswan - 5.5.1-4ubuntu2.2
---------------
strongswan (5.5.1-4ubuntu2.2) artful; urgency=medium
* d/p/ikev1-First-do-PSK-lookups-lp1734207.patch ensure evaluation
with resolvable hostnames selects the right PSK (LP: #1734207).
-- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> Mon, 18 Dec
2017 11:05:57 +0100
** Changed in: strongswan (Ubuntu Artful)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1734207
Title:
Multiple PSKs with dyndns left/rightids doesn't work
Status in strongswan package in Ubuntu:
Fix Released
Status in strongswan source package in Xenial:
Fix Committed
Status in strongswan source package in Zesty:
Fix Released
Status in strongswan source package in Artful:
Fix Released
Bug description:
[Impact]
* charon unnecessarily selects a wrong PSK in some cases:
  * A site-to-site connection using resolvable hostnames (e.g., DynDNS) as identities in /etc/ipsec.secrets and a Roadwarrior connection (using %any as remote peer identity)
  * Multiple site-to-site connections using resolvable hostnames as identities
* The fix is a backport from upstream, where it has been included since 5.5.2
[Test Case]
* There are detailed steps on how to configure for this case on
https://wiki.strongswan.org/issues/2223
[Regression Potential]
* It is known (see discussion in upstream bug) that this can slightly
increase the connection setup as it adds a DNS query. But un-breaking
the covered use cases was considered worth doing upstream, and so
should we.
* The IKEv1 PSK codepath is the only changed path, so this is
the area where unexpected regressions could occur. None of the testing
found any so far, and since upstream didn't change it for a while it
seems safe to me.
[Other Info]
* n/a
---
See: https://wiki.strongswan.org/issues/2223
Is there a chance to get a backport into xenial?
It's fixed in the upstream version 5.5.2
# apt-cache policy strongswan
strongswan:
Installed: 5.3.5-1ubuntu3.4
Candidate: 5.3.5-1ubuntu3.4
# lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04