Oops, wrong choice; the checkbox is only for JavaScript
Remove redundant code and check for dpd_enable checkbox to be set
Use leftcert for more options on IPsec authentication
Fixes #3995. Do not set rightsourceip on site-to-site VPNs but only on mobile user ones; otherwise nothing works.
Also reload the configuration, not only the secrets, before trying to apply the existing configuration. Ticket #3981
fix text, PPPoE Server, not VPN
set install_routes=no for charon to avoid the issues noted in ticket
use tabs rather than spaces, as most of this already did.
fix invalid ipsec.conf
Restore 3 values back on NAT-T settings. Just Enable is now Auto, as per the strongswan default, and Off disables mobike. Ticket #3979
Properly configure NAT Traversal setting.
Remove debugging code
Allow accept_unencrypted_mainmode_messages to be enabled if needed
Enable unity plugin as per request from https://forum.pfsense.org/index.php?topic=79737.msg452808#msg452808
This really does not need the =
Oops, restore this
Invert the sense of the toggles to avoid configuration upgrades
Actually use the new toggles
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases
Make this work properly and not throw out errors.
Put some tuning on the number of half-open connections possible at one time.
Provide some parallelism on the IKESA lookups for heavily loaded boxes.
Actually roll this back since it was a testing glitch
Correct generating loglevels for startup through ipsec.conf
Blah, unconditionally set rightsourceip per https://forum.pfsense.org/index.php?topic=80300.0 until pools can be supported properly.
Correct processing and assignment on ikeid variable so it does the right thing
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Do not allow duplicate subnet entries on the left|rightsubnet specification, since it will blackhole all traffic to that subnet when the connection is set up as route
Do not accept proposals other than the configured one, even for IKEv2, even though there is no possibility in the GUI to set more than one proposal for Phase 1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Also related to Ticket #3806.
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.
Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Correct this so the dpdaction is created properly as restart
Do a reload on the configuration, which is better than update. Also set the keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable, especially IPsec. Also, for IKEv1 just generate the policies and only start them on traffic.
Move the rekey to yes always to avoid issues.
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Convert almost all /sbin/sysctl calls to php functions
Actually use ph1ent ikeid here, otherwise it will duplicate ids.
Correct variable test here, too. Ticket #3662
Fix test (variable is a checkbox, not an array/string). Fixes #3662
Use correct variable name here.
Make some fixes related to Ticket #3662. It's mostly cleanup.
Actually make this correct
Use subnet rather than address/netmask to allow multiple clients to behave properly
Move duplicated code into a function; Include local ID on mobile tunnel key line in ipsec.secrets.
Use the right specification for handing over the subnet to mobile clients
Do not specify the rightid in mobile tunnels since it makes things not work
Oops this was moved accidentally
Correct sense of match and move the code up, since it makes more sense
Actually this should be rightauth2, since they should send the extra info to be validated
Allow using PSK+aggressive mode, since the user should have the choice even though it poses security risks
This slipped in wrongly
Allow a key to be specified for all users, as for example when connecting from Apple iOS
Pass the loglevels in the config rather than execing commands to specify these loglevels. This allows some things to be properly logged as config logs
No need to have the IP, let strongswan do it for us! Still keeping filterdns to properly evaluate DNS behaviour here
Strongswan does not need the quotes here
Remove generate policy option since it's not relevant with strongswan
Some adjustments to the code for logging
If unbound is configured then assign it for the vpn service
Another dir to be created
Correct the definitions of certificate path to correct place to allow the daemon to start
Update binaries used
Make this a global so no errors occur
Make this more usable by putting a delimiter in there
Also configure log levels any time the daemon is restarted.
Try to put the connection name in the logs for easy identification
More removal of racoon references in sources
Remove remnants of racoon
Generate nat rules for ipsec when needed
Better just use start here; it seems to be more reliable
Correct the generation of the config for mobile tunnels as well
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
Be specific on the authentication method to use since xauth-eap will be active as well
Correct script path
Remove references to racoon and correct some handling of ipsec configuration
Remove copy paste leftover
If specified add authentication script configuration to strongswan.conf
First swing at converting from racoon to StrongSWAN. It allows using existing configurations in xml to generate StrongSWAN configurations. So it's only IKEv1
Provide a setting to disable the auto added LAN SPDs in the DB
Use current racoon.conf syntax to avoid issues when deprecated one is removed, it fixes #3338
Use _vip as identifier for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded.
Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code
Remove SPD when disabling phase2, it fixes #2719
Delete old route for remote gateway when its IP changes. It fixes #3155
Don't print this message for a mobile IPsec setup. It's normal for it to not have an endpoint, and not worth spamming the log about.
Remove extra parenthesis
Also consider 0.0.0.0/0 here since it fails on is_subnet() but is a valid/special config. Fixes #3016
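The rules scattered across these commit messages (rightsourceip only on mobile conns, no duplicate left|rightsubnet entries because a duplicate blackholes the subnet once the route is installed, 0.0.0.0/0 as a valid selector, IKE and IPsec SA lifetimes kept separate, an empty hash for AES-GCM, dpdaction=restart only when DPD is enabled, auto=route for site-to-site, install_routes=no for charon) are easier to see in one place. The block below is an added example in Python, not pfSense's own PHP code; the function names, conn names and sample addresses are constructed for the example, while the ipsec.conf and strongswan.conf option names are strongSwan's.

```python
# Added example (not pfSense code): render strongSwan ipsec.conf conn blocks and a
# strongswan.conf charon section while enforcing the rules from the commit log.
import ipaddress

ANY_SELECTORS = {"0.0.0.0/0", "::/0"}  # valid "any" selectors, must not be rejected


def is_valid_subnet(entry):
    """CIDR validity check that explicitly admits 0.0.0.0/0 and ::/0."""
    entry = entry.strip()
    if entry in ANY_SELECTORS:
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return True


def find_duplicate_subnets(entries):
    """Return canonical subnets listed more than once. Host bits are masked off,
    so 10.1.0.1/16 and 10.1.0.0/16 count as the same selector."""
    seen, dupes = set(), []
    for entry in entries:
        if not is_valid_subnet(entry):
            raise ValueError(f"invalid subnet {entry!r}")
        canon = str(ipaddress.ip_network(entry.strip(), strict=False))
        if canon in seen and canon not in dupes:
            dupes.append(canon)
        seen.add(canon)
    return dupes


def subnet_list(entries):
    """Comma-joined selector list; refuse duplicates, which would blackhole
    traffic to that subnet once the conn installs its route."""
    dupes = find_duplicate_subnets(entries)
    if dupes:
        raise ValueError(f"duplicate subnet(s) in selector list: {dupes}")
    return ",".join(e.strip() for e in entries)


def esp_proposal(enc, hash_alg):
    """AEAD ciphers (AES-GCM) carry their own integrity, so the hash is empty."""
    if "gcm" in enc:
        if hash_alg:
            raise ValueError("AES-GCM takes no separate hash algorithm")
        return enc
    if not hash_alg:
        raise ValueError(f"{enc} needs a hash algorithm")
    return f"{enc}-{hash_alg}"


def build_conn(name, *, left, leftsubnets, right=None, rightsubnets=(),
               mobile=False, pool=None, ike_lifetime=28800, sa_lifetime=3600,
               enc="aes256", hash_alg="sha256", dpd_enable=True,
               dpd_delay=10, dpd_timeout=60):
    """Render one conn block. Site-to-site conns get auto=route (traffic
    triggers the tunnel) and never a rightsourceip; mobile conns get
    right=%any plus an address pool (hypothetical sample values)."""
    lines = [f"conn {name}", f"\tleft={left}",
             f"\tleftsubnet={subnet_list(leftsubnets)}"]
    if mobile:
        if not pool:
            raise ValueError("mobile conn needs an address pool")
        lines += ["\tright=%any", f"\trightsourceip={pool}", "\tauto=add"]
    else:
        if not right:
            raise ValueError("site-to-site conn needs a remote gateway")
        lines += [f"\tright={right}",
                  f"\trightsubnet={subnet_list(rightsubnets)}", "\tauto=route"]
    lines += [f"\tikelifetime={ike_lifetime}s",  # IKE SA lifetime
              f"\tlifetime={sa_lifetime}s",      # IPsec SA lifetime, kept distinct
              f"\tesp={esp_proposal(enc, hash_alg)}",
              "\trekey=yes", "\tkeyingtries=3"]
    if dpd_enable:  # emit DPD options only when the checkbox is set
        lines += ["\tdpdaction=restart", f"\tdpddelay={dpd_delay}s",
                  f"\tdpdtimeout={dpd_timeout}s"]
    return "\n".join(lines) + "\n"


def build_charon_section(unity=False, accept_unencrypted_mainmode=False):
    """charon {} section for strongswan.conf: the daemon must not install
    routes itself; optional knobs are only emitted when requested."""
    lines = ["charon {", "\tinstall_routes = no"]
    if accept_unencrypted_mainmode:
        lines.append("\taccept_unencrypted_mainmode_messages = yes")
    if unity:
        lines += ["\tplugins {", "\t\tunity {", "\t\t\tload = yes", "\t\t}", "\t}"]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_charon_section(unity=True))
    print(build_conn("site_a", left="198.51.100.1", right="203.0.113.1",
                     leftsubnets=["10.0.0.0/24"], rightsubnets=["0.0.0.0/0"]))
    print(build_conn("mobile", left="198.51.100.1", leftsubnets=["10.0.0.0/24"],
                     mobile=True, pool="10.10.10.0/24"))
```

Running it prints a charon section with the unity plugin loaded, a site-to-site conn whose rightsubnet is the 0.0.0.0/0 special selector with no rightsourceip, and a mobile conn with right=%any and the pool. Feeding the same subnet twice to either selector list raises before any config is written, which is the check the duplicate-subnet commit is about.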
vpn.inc calls functions from ipsec.inc but doesn't actually include it in all cases where it's needed.
Remove unnecessary if
This didn't fix anything, made another syntax error. Revert "Seems to be missing a semicolon here."
This reverts commit 47a24491e2ea07a19d360d29325c1780652026a4.