UnivNautes

Oops wrong choice the checkbox is only for javascript

Remove redundant code and check for dpd_enable checkbox to be set

Use leftcert for more options on IPsec authentication

Fixes #3995. Do not set rightsourceip on site-to-site VPNs but only on mobile users ones otherwise nothing works.

Reload also the configuration not only the secrets before trying to apply existing configuration. Ticket #3981

fix text, PPPoE Server, not VPN

set install_routes=no for charon to avoid the issues noted in ticket

use tabs rather than spaces, as most of this already did.

fix invalid ipsec.conf

Restore 3 values back on NAT-T settings Just Enable now its Auto as per strongswan default. and off disabled mobike. Ticket #3979

Properly configure NAT Tranversal setting.

Remove debugging code

Allow accept_unencrypted_mainmode_messages to be enabled if needed

Enable unity plugin as per request from https://forum.pfsense.org/index.php?topic=79737.msg452808#msg452808

This really does not need the =

Ooops restore this

Inverse the sense of the toggles to avoid configuration upgrades

Actually use the new toggles

Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases

Make this work properly and not throw out errors.

Put some tuning on number of half open connection possible in one time.

Provide some parallellizm on the IKESA lookups for heavy loaded boxes.

Actually roll this back since it was a testing glitch

Correct generating loglevels for startup through ipsec.conf

Blah unconditionally set rightsourceip per https://forum.pfsense.org/index.php?topic=80300.0 Until pools can be supported properly.

Correct processing and assignment on ikeid variable so it does the right thing

Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM

Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when connection is setup as route

Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.

Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.

rightsourceip must be used with PSK+Xauth.

This is required for PSK+Xauth. I'll commit that clarification in a bit.
Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""

This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.

Revert "Fix assignment of tunnel IPs to mobile clients."
This normally is not needed since the attr plugin deals with all this.

This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.

Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1

Fix assignment of tunnel IPs to mobile clients.

Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'

Correct this so the dpdaction is created properly as restart

Do a reload on the cofniguration which is better than update. Also let the keyingtries to 3 rather than forever to avoid problems on recovery.

Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.

Move the rekey to yes always to avoid issues.

Do not try to rekey for IKEv1.

Use a uniqid() to track phase2 entries to avoid confustion and various mistakes when modifying and editing them.

Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'

Fix #3781 - 'strongswan dpdtimeout value not generated correctly'

Fix for bug 3769

Convert almost all /sbin/sysctl calls to php functions

Actually use ph1ent ikeid here otherwise will duplicate ids here.

Correct variable test here, too. Ticket #3662

Fix test (variable is a checkbox, not an array/string). Fixes #3662

Use correct variable name here.

Make some fixes related to Ticket #3662. Its mostly cleanup.

Actually make this correct

Use subnet rather than address/netmask to allow multiple clients to behave properly

Move duplicated code into a function; Include local ID on mobile tunnel key line in ipsec.secrets.

Use the right specification for ahnding over the subnet to mobile clients

Do not specify the rightid in mobile tunnels since it makes things not work

Oops this was moved accidentally

Correct sense of match and move the code up to since it makes more sense

Actually this should be rightauth2 since they should send the extra infor to be validated

Allow to use PSK+agressive mode since user should have the choice even though it poses security risks

This slipped in wrongly

Allow a key to specified for all users as for exmpale when connecting from Apple iOS

Pass the loglevels on the config rather than execing commands to specify these loglevels. This allows somethings to be properly logged as config logs

No need to have the ip let strongswan do it for us! Keeping still filterdns to properly evaluate dns behaviour here

Strongswan does not need the quotes here

Remove generate policy option since its not relevant with strongswan

Some adjustments to the code for logging

If unbound is configured then assign it for the vpn service

Another dir to be created

Correct the definitions of certificate path to correct place to allow the daemon to start

Update binaries used

Make this a global so no errors occur

Make this more usable by putting a delimiter in there

Also configure log levels any time the daemon is restarted.

Try to put the connection name in the logs for easy identification

More removal of racoon from referenced in sources

Remove remeants of racoon

Generate nat rules for ipsec when needed

Better just use start here seems to be more reliable

Correct the generation of the config for mobile tunnels as well

Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered

• Correct logging to syslog and proper file for ipsec from strongswan
• Use proper commands to reload strongswan rather than just the daemon

Be specific on the authentication method to use since xauth-eap will be active as well

Correct script path

Remove references to racoon and correct some handling of ipsec configuration

Remove copy paste leftover

If specified add authentication script configuration to strongswan.conf

First swing at converting from racoon to StrongSWAN.
It allows to use existing configurations on xml to generate StrongSWAN configurations.
So its only IKEv1

• Missing support for dynamic ips(hostnames)
  - resolver plugin of StrongSWAN needs to be configured in strongswan.conf...

Provide a setting to disable the auto added LAN SPDs in the DB

Use current racoon.conf syntax to avoid issues when deprecated one is removed, it fixes #3338

Use _vip as identified for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded.

Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code

Remove SPD when disable phase2, it fixes #2719

Delete old route for remote gateway when its IP changes. It fixes #3155

Don't print this message for a mobile IPsec setup. It's normal for it to not have an endpoint, and not worth spamming the log about.

Remove extra parenthesis

Also consider 0.0.0.0/0 here since it fails on is_subnet() but is a valid/special config. Fixes #3016

vpn.inc calls functions from ipsec.inc but doesn't actually include it in all cases where it's needed.

Remove unecessary if

This didn't fix anything, made another syntax error. Revert "Seems to be missing a semicolon here."

This reverts commit 47a24491e2ea07a19d360d29325c1780652026a4.