BUG: Mobile IPSec client login banner cannot be changed (v2.2) [RESOLVED]
-
After upgrading a few days ago from v2.1.5 to v2.2, we noticed we cannot change the IPsec mobile client login banner. We change it in the GUI and save changes, but the actual banner presented to the client never changes.
This is unfortunate because during testing our banner was "Welcome to the <company> network. If you do anything bad we'll come to your house and set fire to your dog." Our C-levels are not amused.
-
If you stop, then start strongswan does it update the banner? Seems there are certain things it doesn't actually update with only a reload.
-
@cmb:
If you stop, then start strongswan does it update the banner? Seems there are certain things it doesn't actually update with only a reload.
No dice, even with a reboot :-/
-
So what's in the strongswan config file and config.xml? Should not be rocket science to check
/var/etc/ipsec/strongswan.conf
grep login_banner /conf/config.xml
-
So what's in the strongswan config file and config.xml? Should not be rocket science to check
/var/etc/ipsec/strongswan.conf
grep login_banner /conf/config.xml
OK, just checked both files, and the banner is correct in both of them. The strange thing is all clients are still presented with the old banner when authenticating.
-
Well, then you are not connecting to the proper server I'm afraid.
-
Well, then you are not connecting to the proper server I'm afraid.
That's simply not the case. Is there anywhere else I can check for a lingering config holdover from 2.1.5?
-
What kind of holdover? 2.1.5 was using racoon, not strongswan.
-
What kind of holdover? 2.1.5 was using racoon, not strongswan.
Yeah, the 2.1.5 config was for racoon, strongswan in 2.2 certainly isn't picking that up. The strongswan.conf file doktornotor pointed out is the only one it can load the banner from. It definitely couldn't persist across a reboot if it's correct in strongswan.conf. Maybe the client is caching it? Or you're connecting to a different server.
-
@cmb:
What kind of holdover? 2.1.5 was using racoon, not strongswan.
Yeah, the 2.1.5 config was for racoon, strongswan in 2.2 certainly isn't picking that up. The strongswan.conf file doktornotor pointed out is the only one it can load the banner from. It definitely couldn't persist across a reboot if it's correct in strongswan.conf. Maybe the client is caching it? Or you're connecting to a different server.
We're definitely connecting to the correct server, but I'm wondering if the client is caching it. We'll completely remove the connection on the client and rebuild it. Thanks.