A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret), and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service.
As a workaround to prevent the misconfiguration from causing the crash, place an unguessable long random "catch-all" secret in /etc/ipsec.secrets, for example, using the following command:
echo -e "# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"" >> /etc/ipsec.secrets
This will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail.
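An added helper script (example code, not part of this advisory or of Libreswan) that applies the same workaround idempotently: it generates a quoted 64-hex-character catch-all PSK, appends it only when a marker comment is not already present, and keeps the secrets file readable only by root. The marker comment, the function names, the /dev/urandom fallback used when openssl is absent, and the "added" / "already present" status strings are this example's own conventions, not Libreswan's.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the CVE-2024-2357 catch-all PSK
# workaround without duplicating it on repeated runs.
# Assumptions: the secrets file path is given as $1 (defaults to
# /etc/ipsec.secrets when run as a script); openssl may be missing; the
# marker comment below is how an earlier run is recognised.

MARKER='# CVE-2024-2357 workaround'

# 64 hex characters from 32 random bytes, newline-terminated in both branches.
random_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        printf '\n'
    fi
}

# Print the two lines the advisory appends: the marker and a quoted PSK entry
# with no ID selector, so it matches any peer when no specific secret does.
catchall_psk_lines() {
    printf '%s\n: PSK "%s"\n' "$MARKER" "$(random_hex)"
}

# Append the catch-all secret to $1 unless the marker is already there.
# The file is created with umask 077 and forced to mode 0600 afterwards,
# since ipsec.secrets must not be readable by other users.
ensure_catchall_psk() {
    file=$1
    if [ -f "$file" ] && grep -qF "$MARKER" "$file"; then
        echo "already present"
        return 0
    fi
    (umask 077; catchall_psk_lines >> "$file")
    chmod 600 "$file"
    echo "added"
}

# Number of catch-all entries in $1 (1 means the workaround was applied once).
count_catchall() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cF "$MARKER" "$1" || true
}

# When invoked as a script, apply the workaround to the given (or default) file.
if [ $# -ge 1 ] || [ -n "${APPLY_WORKAROUND:-}" ]; then
    ensure_catchall_psk "${1:-/etc/ipsec.secrets}"
fi
```

Run it as `sh apply-psk-workaround.sh /etc/ipsec.secrets`, then have Libreswan re-read its secrets (`ipsec rereadsecrets`) rather than restarting the daemon. `count_catchall` confirms the entry was written exactly once, and a `grep '^: PSK "'` on the file shows the secret is quoted, which is the form the advisory's command intends.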