269 |
269 |
# number of worker threads in charon
|
270 |
270 |
threads = 16
|
271 |
271 |
|
|
272 |
# NOTE: Allows to send multiple subnets for IKEv1
|
|
273 |
cisco_unity = yes
|
|
274 |
|
272 |
275 |
# XXX: There is not much choice here really users win their security!
|
273 |
276 |
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
|
274 |
277 |
|
... | ... | |
475 |
478 |
}
|
476 |
479 |
|
477 |
480 |
/* Add user PSKs */
|
478 |
|
foreach ($config['system']['user'] as $user) {
|
479 |
|
if (!empty($user['ipsecpsk'])) {
|
480 |
|
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
|
|
481 |
if (is_array($config['system']) && is_array($config['system']['user'])) {
|
|
482 |
foreach ($config['system']['user'] as $user) {
|
|
483 |
if (!empty($user['ipsecpsk'])) {
|
|
484 |
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
|
|
485 |
}
|
481 |
486 |
}
|
|
487 |
unset($user);
|
482 |
488 |
}
|
483 |
489 |
|
484 |
490 |
/* add PSKs for mobile clients */
|
... | ... | |
488 |
494 |
$key['ident'] = '';
|
489 |
495 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
490 |
496 |
}
|
|
497 |
unset($key);
|
491 |
498 |
}
|
492 |
499 |
|
493 |
500 |
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
|
... | ... | |
497 |
504 |
$natfilterrules = false;
|
498 |
505 |
/* begin ipsec.conf */
|
499 |
506 |
$ipsecconf = "";
|
500 |
|
if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
|
|
507 |
if (is_array($a_phase1) && count($a_phase1)) {
|
501 |
508 |
|
502 |
509 |
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
|
503 |
|
if (is_array($a_phase2) && count($a_phase2)) {
|
504 |
|
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
|
505 |
|
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
|
|
510 |
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
|
|
511 |
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
|
506 |
512 |
|
507 |
|
foreach ($a_phase2 as $ph2ent) {
|
508 |
|
$ikeid = $ph2ent['ikeid'];
|
|
513 |
foreach ($a_phase1 as $ph1ent) {
|
|
514 |
if (isset($ph1ent['disabled']))
|
|
515 |
continue;
|
509 |
516 |
|
510 |
|
$ph1ent = false;
|
511 |
|
if (!ipsec_lookup_phase1($ph2ent,$ph1ent))
|
512 |
|
continue;
|
|
517 |
if ($ph1ent['mode'] == "aggressive")
|
|
518 |
$aggressive = "yes";
|
|
519 |
else
|
|
520 |
$aggressive = "no";
|
513 |
521 |
|
514 |
|
if (isset($ph1ent['disabled']))
|
515 |
|
continue;
|
|
522 |
$ep = ipsec_get_phase1_src($ph1ent);
|
|
523 |
if (!$ep)
|
|
524 |
continue;
|
516 |
525 |
|
517 |
|
if (isset($ph2ent['disabled']))
|
518 |
|
continue;
|
|
526 |
$keyexchange = "ikev1";
|
|
527 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
|
|
528 |
$keyexchange = "ikev2";
|
|
529 |
$passive = "start";
|
|
530 |
} else
|
|
531 |
$passive = "route";
|
|
532 |
|
|
533 |
if (isset($ph1ent['mobile'])) {
|
|
534 |
$right_spec = "%any";
|
|
535 |
$passive = 'add';
|
|
536 |
} else
|
|
537 |
$right_spec = $ph1ent['remote-gateway'];
|
|
538 |
|
|
539 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
|
540 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
|
541 |
|
|
542 |
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
|
|
543 |
$peerid_spec = '';
|
|
544 |
if (!isset($ph1ent['mobile']))
|
|
545 |
$peerid_spec = $peerid_data;
|
|
546 |
|
|
547 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
|
548 |
$ealgosp1 = '';
|
|
549 |
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
|
550 |
$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
|
|
551 |
if ($ealg_kl)
|
|
552 |
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
|
|
553 |
else
|
|
554 |
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
|
519 |
555 |
|
520 |
|
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
521 |
|
continue;
|
|
556 |
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
|
|
557 |
if (!empty($modp))
|
|
558 |
$ealgosp1 .= "-{$modp}";
|
522 |
559 |
|
523 |
|
$ikeid = $ph1ent['ikeid'];
|
|
560 |
if ($keyexchange == "ikev1")
|
|
561 |
$ealgosp1 .= "!";
|
|
562 |
}
|
524 |
563 |
|
525 |
|
if ($ph1ent['mode'] == "aggressive")
|
526 |
|
$aggressive = "yes";
|
|
564 |
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
|
|
565 |
if ($passive == "start")
|
|
566 |
$dpdline = "dpdaction = restart";
|
527 |
567 |
else
|
528 |
|
$aggressive = "no";
|
|
568 |
$dpdline = "dpdaction = clear";
|
|
569 |
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
|
|
570 |
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
|
|
571 |
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
|
|
572 |
} else
|
|
573 |
$dpdline = "dpdaction = none";
|
|
574 |
|
|
575 |
$ikelifeline = '';
|
|
576 |
if ($ph1ent['lifetime'])
|
|
577 |
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
|
578 |
|
|
579 |
$authentication = "";
|
|
580 |
switch ($ph1ent['authentication_method']) {
|
|
581 |
case 'xauth_rsa_server':
|
|
582 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
|
583 |
$authentication .= "\n\trightauth2 = xauth-generic";
|
|
584 |
break;
|
|
585 |
case 'xauth_psk_server':
|
|
586 |
$authentication = "leftauth = psk\n\trightauth = psk";
|
|
587 |
$authentication .= "\n\trightauth2 = xauth-generic";
|
|
588 |
break;
|
|
589 |
case 'pre_shared_key':
|
|
590 |
$authentication = "leftauth = psk\n\trightauth = psk";
|
|
591 |
break;
|
|
592 |
case 'rsasig':
|
|
593 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
|
594 |
break;
|
|
595 |
case 'hybrid_rsa_server':
|
|
596 |
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
|
|
597 |
$authentication .= "\n\trightauth2 = xauth";
|
|
598 |
break;
|
|
599 |
}
|
529 |
600 |
|
530 |
|
$ep = ipsec_get_phase1_src($ph1ent);
|
531 |
|
if (!$ep)
|
532 |
|
continue;
|
|
601 |
$left_spec = $ep;
|
533 |
602 |
|
534 |
|
$passive = "start";
|
535 |
|
if (isset($ph1ent['mobile'])) {
|
536 |
|
$rgip = "%any";
|
537 |
|
$passive = 'add';
|
538 |
|
} else
|
539 |
|
$rgip = $ph1ent['remote-gateway'];
|
540 |
|
|
541 |
|
$keyexchange = "ikev1";
|
542 |
|
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
|
543 |
|
$keyexchange = "ikev2";
|
544 |
|
$rekey = "rekey = yes";
|
545 |
|
} else {
|
546 |
|
$rekey = "rekey = yes";
|
547 |
|
}
|
|
603 |
$ipseclifetime = 0;
|
|
604 |
$rightsubnet_spec = array();
|
|
605 |
$leftsubnet_spec = array();
|
|
606 |
$ealgoAHsp2arr = array();
|
|
607 |
$ealgoESPsp2arr = array();
|
|
608 |
if (is_array($a_phase2) && count($a_phase2)) {
|
|
609 |
foreach ($a_phase2 as $ph2ent) {
|
|
610 |
$ikeid = $ph2ent['ikeid'];
|
|
611 |
if ($ikeid != $ph1ent['ikeid'])
|
|
612 |
continue;
|
548 |
613 |
|
549 |
|
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
550 |
|
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
|
614 |
if (isset($ph2ent['disabled']))
|
|
615 |
continue;
|
551 |
616 |
|
552 |
|
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
|
553 |
|
$peerid_spec = '';
|
554 |
|
if (!isset($ph1ent['mobile']))
|
555 |
|
$peerid_spec = $peerid_data;
|
556 |
|
|
557 |
|
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
558 |
|
$ealgosp1 = '';
|
559 |
|
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
560 |
|
$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
|
561 |
|
if ($ealg_kl)
|
562 |
|
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
|
563 |
|
else
|
564 |
|
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
|
565 |
|
|
566 |
|
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
|
567 |
|
if (!empty($modp))
|
568 |
|
$ealgosp1 .= "-{$modp}";
|
569 |
|
|
570 |
|
if ($keyexchange == "ikev1")
|
571 |
|
$ealgosp1 .= "!";
|
572 |
|
}
|
|
617 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
|
618 |
continue;
|
573 |
619 |
|
574 |
|
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
|
575 |
|
if ($passive == "start")
|
576 |
|
$dpdline = "dpdaction = restart";
|
577 |
|
else
|
578 |
|
$dpdline = "dpdaction = clear";
|
579 |
|
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
|
580 |
|
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
|
581 |
|
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
|
582 |
|
} else
|
583 |
|
$dpdline = "dpdaction = none";
|
584 |
|
|
585 |
|
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
586 |
|
$xauth = "xauth = server";
|
587 |
|
|
588 |
|
$ikelifeline = '';
|
589 |
|
if ($ph1ent['lifetime'])
|
590 |
|
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
591 |
|
|
592 |
|
$remoteid_spec = '';
|
593 |
620 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
594 |
621 |
$tunneltype = "type = tunnel";
|
595 |
622 |
|
596 |
623 |
$localid_type = $ph2ent['localid']['type'];
|
597 |
|
$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
|
624 |
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
598 |
625 |
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
|
599 |
626 |
if (($localid_type == "none" || $localid_type == "mobile")
|
600 |
|
&& isset($ph1ent['mobile'])
|
601 |
|
&& (ipsec_get_number_of_phase2($ikeid)==1))
|
602 |
|
$localid_spec = "%any";
|
603 |
|
else {
|
|
627 |
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
|
|
628 |
$left_spec = '%any';
|
|
629 |
} else {
|
604 |
630 |
if ($localid_type != "address") {
|
605 |
631 |
$localid_type = "subnet";
|
606 |
632 |
}
|
607 |
633 |
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
|
608 |
|
if (!is_ipaddr($localid_data) && !is_subnet($localid_data) && ($localid_data != "0.0.0.0/0")) {
|
|
634 |
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
|
609 |
635 |
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
|
610 |
636 |
continue;
|
611 |
637 |
}
|
612 |
|
$localid_spec = $ep;
|
613 |
638 |
if (!empty($ph2ent['natlocalid'])) {
|
614 |
|
$natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
|
639 |
$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
615 |
640 |
if ($ph2ent['natlocalid']['type'] != "address") {
|
616 |
|
if (is_subnet($natlocalid_data))
|
617 |
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
641 |
if (is_subnet($natleftsubnet_data))
|
|
642 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
618 |
643 |
} else {
|
619 |
|
if (is_ipaddr($natlocalid_data))
|
620 |
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
644 |
if (is_ipaddr($natleftsubnet_data))
|
|
645 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
621 |
646 |
}
|
622 |
647 |
$natfilterrules = true;
|
623 |
648 |
}
|
624 |
649 |
}
|
625 |
650 |
|
|
651 |
$leftsubnet_spec[] = $leftsubnet_data;
|
|
652 |
|
626 |
653 |
if (!isset($ph2ent['mobile'])) {
|
627 |
|
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
628 |
|
$remoteid_spec = "\trightsubnet = {$remoteid_data}";
|
|
654 |
$rightsubnet_spec[] = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
629 |
655 |
} else if (!empty($a_client['pool_address']))
|
630 |
|
$remoteid_spec = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
|
656 |
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
631 |
657 |
} else {
|
632 |
658 |
$tunneltype = "type = transport";
|
633 |
|
$rgip = $ph1ent['remote-gateway'];
|
634 |
659 |
|
635 |
660 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
|
636 |
|
($ph1ent['authentication_method'] == "pre_shared_key"))
|
637 |
|
&& isset($ph1ent['mobile']))
|
638 |
|
$localid_spec = "%any";
|
639 |
|
else {
|
640 |
|
$localid_data = ipsec_get_phase1_src($ph1ent);
|
641 |
|
$localid_spec = $ep;
|
642 |
|
}
|
643 |
|
if (!isset($ph2ent['mobile'])) {
|
644 |
|
$remoteid_spec = "\trightsubnet = {$rgip}";
|
|
661 |
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
|
|
662 |
$left_spec = "%any";
|
|
663 |
} else {
|
|
664 |
$leftsubnet_spec[] = ipsec_get_phase1_src($ph1ent);
|
645 |
665 |
}
|
646 |
|
}
|
647 |
|
$authentication = "";
|
648 |
|
switch ($ph1ent['authentication_method']) {
|
649 |
|
case 'xauth_rsa_server':
|
650 |
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
651 |
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
652 |
|
break;
|
653 |
|
case 'xauth_psk_server':
|
654 |
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
655 |
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
656 |
|
break;
|
657 |
|
case 'pre_shared_key':
|
658 |
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
659 |
|
break;
|
660 |
|
case 'rsasig':
|
661 |
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
662 |
|
break;
|
663 |
|
case 'hybrid_rsa_server':
|
664 |
|
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
|
665 |
|
$authentication .= "\n\trightauth2 = xauth";
|
666 |
|
break;
|
|
666 |
|
|
667 |
if (!isset($ph2ent['mobile']))
|
|
668 |
$rightsubnet_spec[] = $right_spec;
|
667 |
669 |
}
|
668 |
670 |
|
669 |
671 |
if (isset($a_client['pfs_group']))
|
670 |
672 |
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
671 |
673 |
|
672 |
|
$ealgosp2 = '';
|
673 |
674 |
if ($ph2ent['protocol'] == 'esp') {
|
674 |
675 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
675 |
|
$ealgosp2arr = array();
|
676 |
676 |
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
|
677 |
677 |
$ealg_id = $ealg['name'];
|
678 |
678 |
$ealg_kl = $ealg['keylen'];
|
... | ... | |
694 |
694 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
695 |
695 |
if (!empty($modp))
|
696 |
696 |
$tmpealgo .= "-{$modp}";
|
697 |
|
$ealgosp2arr[] = $tmpealgo;
|
|
697 |
$ealgoESPsp2arr[] = $tmpealgo;
|
698 |
698 |
}
|
699 |
699 |
}
|
700 |
700 |
}
|
... | ... | |
705 |
705 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
706 |
706 |
if (!empty($modp))
|
707 |
707 |
$tmpealgo .= "-{$modp}";
|
708 |
|
$ealgosp2arr[] = $tmpealgo;
|
|
708 |
$ealgoESPsp2arr[] = $tmpealgo;
|
709 |
709 |
}
|
710 |
710 |
}
|
711 |
711 |
}
|
712 |
|
$ealgosp2 = "esp = " . join(",", $ealgosp2arr);
|
713 |
|
unset($ealgosp2arr);
|
714 |
|
$ealgosp2 .= "!";
|
715 |
712 |
}
|
716 |
713 |
} else if ($ph2ent['protocol'] == 'ah') {
|
717 |
714 |
if (is_array($ph2ent['hash-algorithm-option'])) {
|
718 |
|
$ealgosp2 = "ah = " . join(",", $ph2ent['hash-algorithm-option']);
|
719 |
|
$ealgosp2 = str_replace('hmac_', '', $ealgosp2);
|
720 |
715 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
721 |
|
if (!empty($modp))
|
722 |
|
$ealgosp2 .= "-{$modp}";
|
723 |
|
$ealgosp2 .= "!";
|
|
716 |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
|
|
717 |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
|
|
718 |
if (!empty($modp))
|
|
719 |
$tmpAHalgo = "-{$modp}";
|
|
720 |
$ealgoAHsp2arr[] = $tmpAHalgo;
|
|
721 |
}
|
724 |
722 |
}
|
725 |
723 |
}
|
726 |
724 |
|
727 |
725 |
|
728 |
|
$ipseclifetime = '';
|
729 |
|
if ($ph2ent['lifetime'])
|
730 |
|
$ipseclifeline = "lifetime = {$ph2ent['lifetime']}s";
|
|
726 |
if (!empty($ph2ent['lifetime'])) {
|
|
727 |
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
|
|
728 |
$ipseclifetime = intval($ph2ent['lifetime']);
|
|
729 |
}
|
|
730 |
}
|
|
731 |
}
|
731 |
732 |
|
732 |
|
$ipsecconf .=<<<EOD
|
|
733 |
$ipsecconf .=<<<EOD
|
733 |
734 |
|
734 |
|
conn con{$ph1ent['ikeid']}-{$ph2ent['uniqid']}
|
|
735 |
conn con{$ph1ent['ikeid']}
|
735 |
736 |
aggressive = {$aggressive}
|
736 |
737 |
fragmentation = yes
|
737 |
738 |
keyexchange = {$keyexchange}
|
738 |
739 |
keyingtries = %forever
|
739 |
740 |
reauth = yes
|
740 |
|
{$rekey}
|
|
741 |
rekey = yes
|
741 |
742 |
reqid = {$ikeid}
|
742 |
743 |
installpolicy = yes
|
743 |
|
{$ikelifeline}
|
744 |
|
{$ipseclifeline}
|
745 |
744 |
{$tunneltype}
|
746 |
745 |
{$dpdline}
|
747 |
746 |
auto = {$passive}
|
748 |
|
left = {$localid_spec}
|
749 |
|
leftsubnet = {$localid_data}
|
750 |
|
right = {$rgip}
|
|
747 |
left = {$left_spec}
|
|
748 |
right = {$right_spec}
|
751 |
749 |
leftid = {$myid_data}
|
752 |
750 |
|
753 |
751 |
EOD;
|
754 |
752 |
|
755 |
|
if (!empty($remoteid_spec))
|
756 |
|
$ipsecconf .= "{$remoteid_spec}\n";
|
757 |
|
if (!empty($ealgosp1))
|
758 |
|
$ipsecconf .= "\t{$ealgosp1}\n";
|
759 |
|
if (!empty($ealgosp2))
|
760 |
|
$ipsecconf .= "\t{$ealgosp2}\n";
|
761 |
|
if (!empty($authentication))
|
762 |
|
$ipsecconf .= "\t{$authentication}\n";
|
763 |
|
if (!empty($peerid_spec))
|
764 |
|
$ipsecconf .= "\trightid = {$peerid_spec}\n";
|
765 |
|
}
|
|
753 |
if (!empty($ikelifeline))
|
|
754 |
$ipsecconf .= "\t{$ikelifeline}\n";
|
|
755 |
if ($ipseclifetime > 0)
|
|
756 |
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
|
|
757 |
if (!empty($rightsubnet_spec))
|
|
758 |
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
|
|
759 |
if (!empty($leftsubnet_spec))
|
|
760 |
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
|
|
761 |
if (!empty($ealgosp1))
|
|
762 |
$ipsecconf .= "\t{$ealgosp1}\n";
|
|
763 |
if (!empty($ealgoAHsp2arr))
|
|
764 |
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
|
|
765 |
if (!empty($ealgoESPsp2arr))
|
|
766 |
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
|
|
767 |
if (!empty($authentication))
|
|
768 |
$ipsecconf .= "\t{$authentication}\n";
|
|
769 |
if (!empty($peerid_spec))
|
|
770 |
$ipsecconf .= "\trightid = {$peerid_spec}\n";
|
766 |
771 |
}
|
767 |
772 |
}
|
768 |
773 |
}
|
Change the logic of the VPN config generation to make connectivity more stable, especially for IPsec. Also, for IKEv1, just generate the policies and only start them on traffic.