[Swan] Problem with using FQDN in left/right if it starts with a number

Michael Schwartzkopff ms at sys4.de
Tue Jan 5 18:25:37 UTC 2021


On 05.01.21 18:52, Nick Howitt wrote:
> Hi Paul,
>
> If you have a conn:
> conn njh
>   type=tunnel
>   authby=secret
>   auto=ignore
>   #auto=start
>   left=12345.example.com
>   leftsourceip=172.17.2.1
>   leftsubnet=172.17.2.0/24
>   right=159.203.19.178
>   rightsourceip=10.137.48.60
>   rightsubnet=10.137.48.60/16
>   dpdaction=restart
>   dpdtimeout=120
>   dpddelay=30
>
> Then load it with "ipsec auto --add njh" you get the following:
> [root at server ~]#  ipsec auto --add njh
> 000 failed to convert '12345.example.com' at load time: not a numeric IPv4 
> address and name lookup failed (no validation performed)
> 002 added connection description "njh"
>
> It seems to be because the first subdomain is numeric. It seems to assume that 
> if the first part of the FQDN is numeric then the parameter is going to be an IP 
> address and not an FQDN. In this case 12345 can never be an FQDN, but you get 
> the same issue with 123. I have a feeling some cleverer interpretation is needed of
> this type of parameter.
>
> I have tested this with a valid FQDN like this but can't publish it, 
> unfortunately. You can test it on *.poweredbyclear.com as it has wildcard 
> resolution back to the primary A record.
>
> This is with libreswan-3.25-9.1.el7_8.x86_64.
>
> Regards,
>
> Nick
>


man ipsec.conf, section IDENTITY PARSING

       The type and binary encoding of identity strings specified in leftid are detected as follows:

       ·  If the string value contains an equal sign (=) it is assumed to be a Distinguished Name, with RDNs separated by commas (,) or slashes (/ - the string must start with a slash to use this syntax). An attempt is made to create a binary ASN.1 encoding from this string. If that fails the type is set to KEY_ID with the literal string value adopted as encoding.

       ·  If the string value contains an @ the type depends on the position of that character:

          ·  If the string begins with @# the type is set to KEY_ID and the string following that prefix is assumed to be the hex-encoded binary value of the identity.

          ·  If the string begins with @@ the type is set to USER_FQDN and the encoding is the literal string after that prefix.

          ·  If the string begins with @ the type is set to FQDN and the encoding is the literal string after that prefix.

          ·  All remaining strings containing an @ are assumed to be of type USER_FQDN/RFC822 with the literal string value as encoding.

       ·  If the value does not contain any @ or = characters it is parsed as follows:

          ·  If the value is an empty string, or equals %any[6], 0.0.0.0, ::, or * the type is set to ID_ANY, which matches any other identity.

          ·  If the value contains a colon (:) it is assumed to be an IPv6 address. But if parsing the address and converting it to its binary encoding fails the type is set to KEY_ID and the encoding is the literal value.

          ·  For all other strings an attempt at parsing them as IPv4 addresses is made. If that fails the type is set to FQDN and the literal value is adopted as encoding (this is where domain names and simple names end up).



Mit freundlichen Grüßen,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
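The parsing order from that man page section, written out as an added Python model (not libreswan's own code) so the classification of a value such as 12345.example.com can be checked directly; note the section describes leftid, while the failing parameter in the report is left. The RDN check is a syntactic stand-in for the ASN.1 encoding attempt, which is an assumption of this model.

```python
import ipaddress
import re

# Model of the ipsec.conf(5) IDENTITY PARSING rules for leftid/rightid.
# Added example, not libreswan code; the ASN.1 DN attempt is replaced by
# a purely syntactic RDN check (assumption: attr=value pairs only).
ID_ANY_VALUES = {"", "%any", "%any6", "0.0.0.0", "::", "*"}
RDN_RE = re.compile(r"\s*[A-Za-z][A-Za-z0-9.]*\s*=.*")


def classify_identity(value: str) -> tuple:
    """Return (id_type, encoding) in the order the man page checks them."""
    if "=" in value:
        # Distinguished Name: RDNs split on ',' or, when it starts with '/', on '/'
        sep = "/" if value.startswith("/") else ","
        rdns = [r.strip() for r in value.strip(sep).split(sep) if r.strip()]
        if rdns and all(RDN_RE.fullmatch(r) for r in rdns):
            return "DER_ASN1_DN", ",".join(rdns)
        return "KEY_ID", value          # DN encoding failed: literal string
    if "@" in value:
        if value.startswith("@#"):
            bytes.fromhex(value[2:])    # raises ValueError if not valid hex
            return "KEY_ID", value[2:]
        if value.startswith("@@"):
            return "USER_FQDN", value[2:]
        if value.startswith("@"):
            return "FQDN", value[1:]
        return "USER_FQDN", value       # user@host form, RFC822 style
    if value in ID_ANY_VALUES:
        return "ID_ANY", ""
    if ":" in value:
        try:
            return "IPV6_ADDR", str(ipaddress.IPv6Address(value))
        except ValueError:
            return "KEY_ID", value
    try:
        return "IPV4_ADDR", str(ipaddress.IPv4Address(value))
    except ValueError:
        # Domain names and simple names end up here, even when the
        # first label is all digits, e.g. 12345.example.com.
        return "FQDN", value


if __name__ == "__main__":
    for v in ("12345.example.com", "159.203.19.178", "@12345.example.com",
              "nick@example.com", "%any", "2001:db8::1", "C=DE, O=sys4"):
        print(f"{v!r:>25} -> {classify_identity(v)}")
```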
