Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when connection is setup as route
Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Correct this so the dpdaction is created properly as restart
Do a reload on the cofniguration which is better than update. Also let the keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.
Move the rekey to yes always to avoid issues.
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confustion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Convert almost all /sbin/sysctl calls to php functions
Actually use ph1ent ikeid here otherwise will duplicate ids here.
Correct variable test here, too. Ticket #3662
Fix test (variable is a checkbox, not an array/string). Fixes #3662
Use correct variable name here.
Make some fixes related to Ticket #3662. Its mostly cleanup.
Actually make this correct
Use subnet rather than address/netmask to allow multiple clients to behave properly
Move duplicated code into a function; Include local ID on mobile tunnel key line in ipsec.secrets.
Use the right specification for ahnding over the subnet to mobile clients
Do not specify the rightid in mobile tunnels since it makes things not work
Oops this was moved accidentally
Correct sense of match and move the code up to since it makes more sense
Actually this should be rightauth2 since they should send the extra infor to be validated
Allow to use PSK+agressive mode since user should have the choice even though it poses security risks
This slipped in wrongly
Allow a key to specified for all users as for exmpale when connecting from Apple iOS
Pass the loglevels on the config rather than execing commands to specify these loglevels. This allows somethings to be properly logged as config logs
No need to have the ip let strongswan do it for us! Keeping still filterdns to properly evaluate dns behaviour here
Strongswan does not need the quotes here
Remove generate policy option since its not relevant with strongswan
Some adjustments to the code for logging
If unbound is configured then assign it for the vpn service
Another dir to be created
Correct the definitions of certificate path to correct place to allow the daemon to start
Update binaries used
Make this a global so no errors occur
Make this more usable by putting a delimiter in there
Also configure log levels any time the daemon is restarted.
Try to put the connection name in the logs for easy identification
More removal of racoon from referenced in sources
Remove remeants of racoon
Generate nat rules for ipsec when needed
Better just use start here seems to be more reliable
Correct the generation of the config for mobile tunnels as well
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
Be specific on the authentication method to use since xauth-eap will be active as well
Correct script path
Remove references to racoon and correct some handling of ipsec configuration
Remove copy paste leftover
If specified add authentication script configuration to strongswan.conf
First swing at converting from racoon to StrongSWAN.It allows to use existing configurations on xml to generate StrongSWAN configurations.So its only IKEv1
Provide a setting to disable the auto added LAN SPDs in the DB
Use current racoon.conf syntax to avoid issues when deprecated one is removed, it fixes #3338
Use _vip as identified for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded.
Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code
Remove SPD when disable phase2, it fixes #2719
Delete old route for remote gateway when its IP changes. It fixes #3155
Don't print this message for a mobile IPsec setup. It's normal for it to not have an endpoint, and not worth spamming the log about.
Remove extra parenthesis
Also consider 0.0.0.0/0 here since it fails on is_subnet() but is a valid/special config. Fixes #3016
vpn.inc calls functions from ipsec.inc but doesn't actually include it in all cases where it's needed.
Remove unecessary if
This didn't fix anything, made another syntax error. Revert "Seems to be missing a semicolon here."
This reverts commit 47a24491e2ea07a19d360d29325c1780652026a4.
Seems to be missing a semicolon here.
Fix indent and whitespace
Make return value of vpn_ipsec_configure() have a meaning when ipsec is enabled. This can be used to detect if there are dynamic hostnames on ipsec policies
Only reload racoon when there is at least one tunnel enabled on the interface used to call rc.newwanip(v6). It fixes #2922
Fix #2818. Last change didn't work, it needs to be one more step out of the loop.
Fix #2818. Save information about all phase1 on ipsecpinghosts instead of only the last one
Remove redundant variable
Properly generate all address data based on configuration selected
Kill filterdns when not being used
Update etc/inc/vpn.inc
There's no need to create a spd.conf.reload file if it's empty.Phase 1 entries for mobile clients are not handled by this function, thus exclude them. Their SPD have a limited lifetime anyway.
Delete SPDs when an IPSec tunnel is deleted.
- Add new function to delete SPDs (see 'remove_tunnel_spd_policy($phase1,$phase2)' on vpn.inc)- Change vpn_ipsec.php to delete SPDs on phase 2 and phase 1.- Change the method GET to delete phase 2 (needs to inform which is the phase 1)...
Tell filterdns to reload the config rather than restart if its running
Also consider 0.0.0.0/0 here since it fails both these tests but is still a valid/special config.
If the old configuration is present there use the new one for local users
Fix location of banner file for ipsec and also sprinkle some unset to avoid php keeping data in memory
Correct path even for generated certs for ipsec
Correct path to certificates as well
Corrected racoon path to psk.txt.
"path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; is incorrected, ammended to "path pre_shared_key \"{$g['varetc_path']}/ipsec/psk.txt\";\n\n";
Remove none per Jim since it is confusing
Allow other system authentication types to be used with ipsec. LDAP/RADIUS/local acc
Fixes #2394. If an entry of 0.0.0.0/0 is configured than use the first interface ip matching. Also do a microptimization to not retrieve the interface list every ping host entry
Fixes #2300. Take into consideration ip aliases on carp
Fixes #2300. Add static route even for ip aliases selected to avoid issues.
Use a proposal check value of obey for all mobile, not just pure-PSK. (The docs recommend setting this, may as well make it the default)
Correct the config generation
config.xml might have some elusive data so do not fail sainfo section for localside if there is an empty nat address. Just do not put the nat side in there