** Description changed:

+ [Impact]
+
+  * charon unnecessarily selects a wrong PSK in some cases:
+    * A site-to-site connection using resolvable hostnames (e.g., DynDNS) as identities in /etc/ipsec.secrets and a Roadwarrior connection (using %any as remote peer identity)
+    * Multiple site-to-site connections using resolvable hostnames as identities
+
+  * Fix is a backport from upstream in since 5.5.2
+
+ [Test Case]
+
+  * There are detailed steps on how to configure for this case on
+    https://wiki.strongswan.org/issues/2223
+
+ [Regression Potential]
+
+  * It is known (see discussion in upstream bug) that this can slightly
+    increase the connection setup as it adds a dns query. But un-breaking
+    the covered use cases was considered worth to do so upstream, and so
+    should we.
+
+  * By changing the IKEv1 PSK codepath is the only changed path, so this is
+    the area where unexpected regressions could occur. None of the testing
+    found some so far and since upstream didn't change it for a while it
+    seems safe to me.
+
+ [Other Info]
+
+  * n/a
+
+ ---
+
  See: https://wiki.strongswan.org/issues/2223

  There is a chance to get an backport into xenial?
  It's fixed in the upstream version 5.5.2

  # apt-cache policy strongswan
  strongswan:
-   Installed: 5.3.5-1ubuntu3.4
-   Candidate: 5.3.5-1ubuntu3.4
+   Installed: 5.3.5-1ubuntu3.4
+   Candidate: 5.3.5-1ubuntu3.4

  # lsb_release -rd
  Description: Ubuntu 16.04.3 LTS
  Release: 16.04

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1734207

Title:
  Multiple PSKs with dyndns left/rightids doesn't work
