Bug 10496

Summary: Strongswan: Roadwarrior with PSK wrong parameter from GUI
Product: IPFire
Reporter: g.onay
Component: strongswan
Assignee: Larsen <larsen007>
Status: CLOSED FIXED
QA Contact:
Severity: Minor Usability
Priority: - Unknown -
CC: alexander.marx, larsen007, michael.tremer
Version: 2
Hardware: unspecified
OS: Unspecified

Description g.onay 2014-03-14 12:50:57 UTC
Unfortunately, there is the problem that the GUI sets the parameter "rightsubnet=vhost:%no,%priv" for a Roadwarrior configuration.
This no longer works since Strongswan 5.
The value does not exist in the Strongswan documentation. Maybe it comes from Openswan.

I have described it in more detail here:
http://forum.ipfire.org/index.php?topic=7946.0
Comment 1 Michael Tremer 2014-03-14 14:16:29 UTC
From the thread on the forums I can see that you suggest using 0.0.0.0/0, which will cause all traffic to go through the VPN tunnel. That is possibly not what people want, because it might make sense to allow access just to the GREEN or ORANGE network.

I suppose this works for just a subnet as well?
Comment 2 g.onay 2014-03-14 15:59:36 UTC
The rightsubnet is the subnet of the Roadwarrior. The leftsubnet is the local subnet of the IPFire and can be changed via the GUI. You can define any subnet for the rightsubnet, but you must know it. And that's the problem. What if multiple subnets are used for Roadwarriors?
Maybe "0.0.0.0/0" is not the elegant value, but it works and "vhost:%no,%priv" doesn't. Another way would be the possibility to edit the rightsubnet via the GUI.
Comment 3 Larsen 2015-07-22 09:19:47 UTC
This default setting also leads to warnings in the log when the IPsec configuration is loaded:

charon: 01[CFG] invalid subnet: vhost:%no, skipped
charon: 01[CFG] invalid subnet: %priv, skipped

Furthermore, a roadwarrior cannot connect:

charon: 09[IKE] traffic selectors ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0  inacceptable
charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA

A workaround is to add this in "/etc/ipsec.user-post.conf" for a connection:

"rightsubnet="

Afaics, the setting in the GUI ("Roadwarrior virtual IP") that causes this value stems from IPCop. I think this can be safely removed, as with "rightsubnet=" (or a missing entry) traffic will only flow between the local and remote subnet.
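As an added illustration of the check an administrator would run before upgrading to strongSwan 5 (this is example code written for this page, not part of IPFire or the patch), the following script parses an ipsec.conf, reports every conn whose rightsubnet still carries the legacy Openswan-style tokens charon rejects, and produces the cleaned file with those lines dropped, which is equivalent to the "rightsubnet=" workaround. The sample configuration and conn names are constructed for the example.

```python
import re

# Constructed sample of an IPFire-style ipsec.conf (not taken from the page):
# one roadwarrior conn with the legacy value, one site-to-site conn that is fine.
SAMPLE_CONF = """\
conn roadwarrior1
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=vhost:%no,%priv
    authby=secret
    auto=add

conn sitetosite
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=start
"""

# Openswan/IPCop tokens that strongSwan 5 logs as "invalid subnet ... skipped".
LEGACY_TOKENS = ("vhost:", "%priv", "%no")

def parse_conns(text):
    """Return {conn_name: {key: value}} for every indented 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"conn\s+(\S+)", stripped)
        if m and not line[:1].isspace():          # section header, column 0
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in stripped and line[:1].isspace():
            key, _, val = stripped.partition("=")  # indented key=value line
            current[key.strip()] = val.strip()
    return conns

def find_legacy_rightsubnet(text):
    """Names of conns whose rightsubnet uses a token strongSwan 5 rejects."""
    return sorted(name for name, opts in parse_conns(text).items()
                  if any(tok in opts.get("rightsubnet", "") for tok in LEGACY_TOKENS))

def strip_legacy_rightsubnet(text):
    """Drop offending rightsubnet lines, leaving valid subnets untouched."""
    out = []
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        if key.strip() == "rightsubnet" and any(t in val for t in LEGACY_TOKENS):
            continue
        out.append(line)
    return "\n".join(out) + "\n"
```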
Comment 4 Michael Tremer 2015-07-22 22:48:08 UTC
@Larsen: You fancy sending in a patch?
Comment 5 Larsen 2015-07-23 00:19:15 UTC
Sure. Might take some time though.
Comment 6 g.onay 2015-07-23 09:10:29 UTC
That would be great.
Comment 7 Larsen 2015-09-25 00:06:14 UTC
A patch has been uploaded:
http://patchwork.ipfire.org/patch/88/

This patch removes the GUI setting so that no "rightsubnet" entry is made in "/var/ipfire/vpn/ipsec.conf".
Comment 8 g.onay 2015-11-04 10:39:39 UTC
Hi

Is this patch already in the last release?
Comment 9 Larsen 2015-11-04 10:43:36 UTC
No, but I think it will be in the next one.
Comment 10 g.onay 2015-11-04 11:01:45 UTC
Ok, thanks.
Comment 11 Larsen 2015-12-22 16:51:13 UTC
Released with Core Update 95