Do not specify the rightid in mobile tunnels since it makes things not work
Oops, this was moved accidentally
Correct sense of match and move the code up since it makes more sense
Actually this should be rightauth2 since they should send the extra info to be validated
Allow use of PSK+aggressive mode since the user should have the choice even though it poses security risks
This slipped in wrongly
Allow a key to be specified for all users, as for example when connecting from Apple iOS
Pass the log levels in the config rather than executing commands to specify these log levels. This allows some things to be properly logged as config logs
No need to have the IP, let strongswan do it for us! Still keeping filterdns to properly evaluate DNS behaviour here
Strongswan does not need the quotes here
Remove generate policy option since it's not relevant with strongswan
Some adjustments to the code for logging
If unbound is configured then assign it for the vpn service
Another dir to be created
Correct the definition of the certificate path to the correct place to allow the daemon to start
Update binaries used
Make this a global so no errors occur
Make this more usable by putting a delimiter in there
Also configure log levels any time the daemon is restarted.
Try to put the connection name in the logs for easy identification
More removal of racoon references from sources
Remove remnants of racoon
Generate nat rules for ipsec when needed
Better to just use start here, it seems to be more reliable
Correct the generation of the config for mobile tunnels as well
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
Be specific on the authentication method to use since xauth-eap will be active as well
Correct script path
Remove references to racoon and correct some handling of ipsec configuration
Remove copy paste leftover
If specified add authentication script configuration to strongswan.conf
First swing at converting from racoon to StrongSWAN. It allows use of existing configurations in xml to generate StrongSWAN configurations. So it's only IKEv1
Provide a setting to disable the auto added LAN SPDs in the DB
Use current racoon.conf syntax to avoid issues when deprecated one is removed, it fixes #3338
Use _vip as identifier for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded.
Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code
Remove SPD when disabling phase2, it fixes #2719
Delete old route for remote gateway when its IP changes. It fixes #3155
Don't print this message for a mobile IPsec setup. It's normal for it to not have an endpoint, and not worth spamming the log about.
Remove extra parenthesis
Also consider 0.0.0.0/0 here since it fails on is_subnet() but is a valid/special config. Fixes #3016
vpn.inc calls functions from ipsec.inc but doesn't actually include it in all cases where it's needed.
Remove unnecessary if
This didn't fix anything, made another syntax error. Revert "Seems to be missing a semicolon here."
This reverts commit 47a24491e2ea07a19d360d29325c1780652026a4.
Seems to be missing a semicolon here.
Fix indent and whitespace
Make return value of vpn_ipsec_configure() have a meaning when ipsec is enabled. This can be used to detect if there are dynamic hostnames on ipsec policies
Only reload racoon when there is at least one tunnel enabled on the interface used to call rc.newwanip(v6). It fixes #2922
Fix #2818. Last change didn't work, it needs to be one more step out of the loop.
Fix #2818. Save information about all phase1 on ipsecpinghosts instead of only the last one
Remove redundant variable
Properly generate all address data based on configuration selected
Kill filterdns when not being used
Update etc/inc/vpn.inc
There's no need to create a spd.conf.reload file if it's empty. Phase 1 entries for mobile clients are not handled by this function, thus exclude them. Their SPD have a limited lifetime anyway.
Delete SPDs when an IPSec tunnel is deleted.
- Add new function to delete SPDs (see 'remove_tunnel_spd_policy($phase1,$phase2)' on vpn.inc)
- Change vpn_ipsec.php to delete SPDs on phase 2 and phase 1.
- Change the method GET to delete phase 2 (needs to inform which is the phase 1)...
Tell filterdns to reload the config rather than restart if its running
Also consider 0.0.0.0/0 here since it fails both these tests but is still a valid/special config.
If the old configuration is present there, use the new one for local users
Fix location of banner file for ipsec and also sprinkle some unset to avoid php keeping data in memory
Correct path even for generated certs for ipsec
Correct path to certificates as well
Corrected racoon path to psk.txt.
"path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; is incorrect, amended to "path pre_shared_key \"{$g['varetc_path']}/ipsec/psk.txt\";\n\n";
Remove none per Jim since it is confusing
Allow other system authentication types to be used with ipsec. LDAP/RADIUS/local acc
Fixes #2394. If an entry of 0.0.0.0/0 is configured then use the first interface IP matching. Also do a micro-optimization to not retrieve the interface list for every ping host entry
Fixes #2300. Take into consideration ip aliases on carp
Fixes #2300. Add static route even for ip aliases selected to avoid issues.
Use a proposal check value of obey for all mobile, not just pure-PSK. (The docs recommend setting this, may as well make it the default)
Correct the config generation
config.xml might have some elusive data, so do not fail the sainfo section for the local side if there is an empty nat address. Just do not put the nat side in there
Correctly build the sainfo to avoid errors
Use .= for strings rather than +=
Add a NAT entry for configuring NAT on ipsec phase2. It will add nat rules on enc interface
Add forgotten part of the IPsec split dns fix from yesterday
Ticket #2635: during ipsec reload, do not generate spd for disabled ph1
Don't add ldapcfg to racoon.conf since we're not using racoon's built-in LDAP support now. Moving to external script-based auth, see ticket #1112
Restructure these IP/subnet tests so they don't break transport mode.
Fixes #2364. On busy pppoe servers it might take some time before mpd exits. Check for this before trying to restart
Make sure that we match multiple characters. Ticket #2415
First round of CARP vip renaming changes. Ticket #2415
routes should not be skipped when IPsec is on WAN, as WAN may not be the default gateway.
this is only valid in mpd5 (really?...) Revert "RADIUS accounting updates are needed for PPPoE and L2TP too"
This reverts commit 02b14dcb49da8dc278e87785bb3f811336bf1fd0.
RADIUS accounting updates are needed for PPPoE and L2TP too
Don't let an empty subnet into racoon.conf, it can cause parse errors. Ticket #2201
Fix reference to PPTP secondary RADIUS server shared secret. See http://forum.pfsense.org/index.php/topic,46103.0/topicseen.html
Only do foreach on the p2's if it's actually an array.
Ensure we always write out a blank spd.conf if there are no phase 2 entries. If you delete the last phase 2 and then apply, it will still be in spd.conf and used by racoon even with no phase 2's configured.
Fix several issues in pppoe code and remove duplicated code.
Make initial changes to allow pfSense to work in a jail.
This mostly avoids starting things that will not work and gets the initial config. Most of the pfSense functionality will not work (pf rules, routing, etc) but it can be used for testing.
Also escape \ in pptp passwords.
Correct whitespace and some problems in the just merged ldap auth source for racoon
Merge pull request #8 from ninja76/master
IPSec xAuth allowing LDAP to be used as a backend
Prevent php from coring if the wrong parameters are passed to ip2long
Relax PPTP password restrictions, just prevent starting with a !, and limit to common printable/keyboard characters so it doesn't result in invalid xml. Fixes #1720
Improved ipsec ldap xauth
Always send the route delete command; even if it fails it's ok. This avoids having to dump the routing table.
Use the new change to be less disruptive
format error
More sanity checking