OPNsense router strongswan-5.9.4 error (Update)

Started by JiveTalking, February 02, 2022, 01:12:03 PM

JiveTalking

Hello,

Update: I found out that there is a new strongswan release strongswan-5.9.5-released, but it does not show up for updating in my OPN and I do not know why. Maybe I need to uninstall it.
Here is the information should anyone else be needing it: https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html



I find this:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.8 (amd64/LibreSSL) at Tue Feb  1 10:01:11 PST 2022
Fetching vuln.xml.bz2: .......... done
strongswan-5.9.4 is vulnerable:
  strongswan - Incorrect Handling of Early EAP-Success Messages

1 problem(s) in 1 installed package(s) found.
***DONE***

So I reinstalled Strongswan, ran the test again, and the error remains - I have no idea what to do now, this will be a recurring theme as this post goes along.

I also received this:
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
Checking integrity... done (0 conflicting)

This means nothing to me, and again I have no idea what to do.



Any help is greatly appreciated :/


JiveTalking

Well, I think I've solved my slow down issue :D it was my VPN which needed some tweaking.

But I still cannot find (internet searching) any tips on how to deal with an error as I have posted here.

- I mean do I remove strongswan-5.9.4, or would this cause other issues?

Can anyone point me to where how to deal with errors is laid out?

I really only trust this forum :-* but I did search the OPNsense forum but didn't find anything....

Home Network Guy

It sounds like the package used by the IPsec VPN is vulnerable and will not allow you to use it until you update it. I am not sure if you can update that version without an update provided by OPNsense. The versions that are downloaded from the OPNsense repository will be the version that is shipped with each OPNsense release. You will either have to wait until that is patched or perhaps download it from a different repository. However, I do not know if updating it from another repository will break anything since there might be some integration work that needs to be completed in order for the new version to work properly. I would imagine if there is a vulnerable VPN package that OPNsense would update that quickly or be working on updating it soon.