IPsec PSK bug

  • Hi

    Just upgraded one of our sites from PFS 1.2.3 to v2.0 RC1 (clean install).
    We manually created all of the rules and tunnels but found a bug when copying some IPsec tunnels. The Pre Shared Key on some of the tunnels would cause the config.xml to break and it would roll back to the previous version.
    After further testing it appears that a '£' in the PSK breaks the config.xml whereas other characters such as '$', '&', '(' all work fine.
    The '£' worked fine in PFsense v1.2.3-Release tunnels.


  • Rebel Alliance Developer Netgate

    That is not a valid character to have in XML. The PSK isn't encoded or CDATA escaped, so adding that character led to a config that failed to pass through the XML parser.

    The 1.2.3 parser was very uneven in that regard. You are lucky it didn't blow up the moment you added that. Many places in the config that would have rendered it quite useless.

  • Ah - Ok. I figured it wasn't being escaped, but hadn't realised it wasn't a valid xml character!

    Good job the £GBP isn't worth much these days ;-)

    Cheers Jim

  • Rebel Alliance Developer Netgate

    Well the raw character isn't valid, if it's encoded or escaped some way it's fine. For example if it were changed into an XML entity it would be OK, or as I mentioned if the whole field were wrapped up in CDATA tags, or perhaps even if the PSK were base64 encoded. None of those are easy to do at the moment though.

Log in to reply