Character problem for password & pre-shared keys



  • I have encountered problems using some characters for the OpenVPN password & PSK for IPsec.
    Now "cmb" does not have these problems, so the question is why do I?

    Here's my details:

    1. For OpenVPN I use the ClientExportUtility, choose "Use a password to protect the pkcs12 file contents." and add a password containing '+'.
      This does not work from any client (tried from LinuxDebian, WinXP & Win7), password is not accepted ("private-key-password-failure").
      Exchanging the '+' with 'a' and it works fine.

    2. For IPsec, I used '%', ']' and '-' in the PSK.
      Phase 1 did not come up, error "Error: none, message must be encrypted" which I tracked down to a "PAYLOAD-MISMATCH (16)" - this indicates a key error.
      Removing those 3 characters and everything works fine!

    cmb on the other hand reports:
    @cmb:

    I just setup one of my VPNs with every special character on the US keyboard in the key along with a number of letters and numbers and it's working as it should.

    What can be the cause, why does what works for cmb not work for me?
    Can it be an encoding problem? Shouldn't be possible, everything is entered via pfSense's webgui, but anyway here's what I have:
    * I'm running Debian Lenny as my desktop, locale: all set to sv_SE.UTF-8
    * I don't know what locale pfSense is using, don't know how to check that.
    * Windows uses something else, don't really know what.

    Any ideas, folks?



  • Didn't realize you were referring to the client export, that may have issues with certain characters, haven't tried them all in that.

    On the IPsec you were connecting to some remote device running something else. Some other IPsec devices don't properly handle some characters, or have to be properly escaped, which has to be where that problem came from. Nothing you're entering could have any impact.


  • Rebel Alliance Developer Netgate

    For the client export, + will probably break it as it's handled in JS. It probably needs some extra code to escape or encode the whole thing. I thought it was already doing that, but I may have been thinking of a different field.

