Netgate Discussion Forum
    IPsec PSK bug

    2.0-RC Snapshot Feedback and Problems - RETIRED
    4 Posts 2 Posters 1.7k Views
    Gob

      Hi

      Just upgraded one of our sites from PFS 1.2.3 to v2.0 RC1 (clean install).
      We manually created all of the rules and tunnels but found a bug when copying some IPsec tunnels. The Pre Shared Key on some of the tunnels would cause the config.xml to break and it would roll back to the previous version.
      After further testing it appears that a '£' in the PSK breaks the config.xml whereas other characters such as '$', '&', '(' all work fine.
      The '£' worked fine in PFsense v1.2.3-Release tunnels.

      Gordon

      If I fix one more thing than I break in a day, it's a good day!

      jimp (Rebel Alliance Developer, Netgate)

        That is not a valid character to have in XML. The PSK isn't encoded or CDATA escaped, so adding that character led to a config that failed to pass through the XML parser.

        The 1.2.3 parser was very uneven in that regard. You are lucky it didn't blow up the moment you added that. Many places in the config that would have rendered it quite useless.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Gob

          Ah - Ok. I figured it wasn't being escaped, but hadn't realised it wasn't a valid xml character!

          Good job the £GBP isn't worth much these days ;-)

          Cheers Jim

          jimp (Rebel Alliance Developer, Netgate)

            Well the raw character isn't valid, if it's encoded or escaped some way it's fine. For example if it were changed into an XML entity it would be OK, or as I mentioned if the whole field were wrapped up in CDATA tags, or perhaps even if the PSK were base64 encoded. None of those are easy to do at the moment though.

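Added example, not code from the thread or from pfSense: a small Python script that reproduces the failure mode Gob hit and shows the three fixes jimp lists (XML entity, CDATA section, base64). It uses a hypothetical element layout (`pfsense/ipsec/phase1/pre-shared-key`) that only stands in for the real config.xml. The reproduction writes the PSK into the markup untouched and emits the file as ISO-8859-1 bytes while the prolog declares UTF-8; the lone 0xA3 byte for '£' is then not valid UTF-8 and the parser rejects the whole document, which is the roll-back Gob saw, whereas '$' and '(' are plain ASCII and survive. The entity fix turns the PSK into pure ASCII (`&#163;` for '£'), so it parses no matter which encoding the writer and reader assume.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical element layout standing in for the real config.xml; not pfSense's schema.
TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<pfsense><ipsec><phase1><pre-shared-key>{psk}</pre-shared-key>'
    '</phase1></ipsec></pfsense>\n'
)


def parse_psk(data: bytes):
    """Parse the document the way a config loader would. Return the PSK text,
    or None when the XML parser rejects the file (the 'config.xml broke' case)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    return root.findtext(".//pre-shared-key")


def write_raw_latin1(psk: str) -> bytes:
    """The failing pattern: the PSK is pasted into the markup untouched and the
    bytes are emitted as ISO-8859-1 even though the prolog declares UTF-8.
    A lone 0xA3 byte ('£' in Latin-1) is not valid UTF-8, so the parser
    reports the document as not well-formed and the whole config is lost."""
    return TEMPLATE.format(psk=psk).encode("latin-1")


def write_entity_escaped(psk: str) -> bytes:
    """Fix 1 (XML entities): escape '&', '<', '>' and turn every non-ASCII
    character into a numeric character reference ('£' -> '&#163;').
    The file is then pure ASCII and parses under any declared encoding."""
    safe = escape(psk).encode("ascii", "xmlcharrefreplace").decode("ascii")
    return TEMPLATE.format(psk=safe).encode("ascii")


def write_cdata(psk: str) -> bytes:
    """Fix 2 (CDATA): markup characters lose their meaning inside a CDATA
    section. The one sequence that must not appear raw is ']]>', which is
    split across two sections. The bytes must still match the declared encoding."""
    body = psk.replace("]]>", "]]]]><![CDATA[>")
    return TEMPLATE.format(psk=f"<![CDATA[{body}]]>").encode("utf-8")


def write_base64(psk: str) -> bytes:
    """Fix 3 (base64): store only [A-Za-z0-9+/=], so neither markup nor
    character encoding can interfere. The reader must know to decode it."""
    b64 = base64.b64encode(psk.encode("utf-8")).decode("ascii")
    return TEMPLATE.format(psk=b64).encode("ascii")


def read_base64_psk(data: bytes):
    """Counterpart of write_base64: parse the XML, then decode the stored value."""
    stored = parse_psk(data)
    if stored is None:
        return None
    return base64.b64decode(stored).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample PSK; includes the character from the thread plus markup characters.
    psk = "Tunnel£Key&<1>"
    print("raw latin-1 :", parse_psk(write_raw_latin1(psk)))   # None: parser rejects the file
    print("entities    :", parse_psk(write_entity_escaped(psk)))
    print("cdata       :", parse_psk(write_cdata(psk)))
    print("base64      :", read_base64_psk(write_base64(psk)))
```

The entity and base64 writers are the safest of the three because their output is ASCII regardless of what the PSK contains; CDATA still depends on the writer and reader agreeing on the byte encoding, which is exactly the assumption the raw write violates.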
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.