| 269 |
269 |
# number of worker threads in charon
|
| 270 |
270 |
threads = 16
|
| 271 |
271 |
|
|
272 |
# NOTE: Allows to send multiple subnets for IKEv1
|
|
273 |
cisco_unity = yes
|
|
274 |
|
| 272 |
275 |
# XXX: There is not much choice here really users win their security!
|
| 273 |
276 |
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
|
| 274 |
277 |
|
| ... | ... | |
| 475 |
478 |
}
|
| 476 |
479 |
|
| 477 |
480 |
/* Add user PSKs */
|
| 478 |
|
foreach ($config['system']['user'] as $user) {
|
| 479 |
|
if (!empty($user['ipsecpsk'])) {
|
| 480 |
|
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
|
|
481 |
if (is_array($config['system']) && is_array($config['system']['user'])) {
|
|
482 |
foreach ($config['system']['user'] as $user) {
|
|
483 |
if (!empty($user['ipsecpsk'])) {
|
|
484 |
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
|
|
485 |
}
|
| 481 |
486 |
}
|
|
487 |
unset($user);
|
| 482 |
488 |
}
|
| 483 |
489 |
|
| 484 |
490 |
/* add PSKs for mobile clients */
|
| ... | ... | |
| 488 |
494 |
$key['ident'] = '';
|
| 489 |
495 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
| 490 |
496 |
}
|
|
497 |
unset($key);
|
| 491 |
498 |
}
|
| 492 |
499 |
|
| 493 |
500 |
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
|
| ... | ... | |
| 497 |
504 |
$natfilterrules = false;
|
| 498 |
505 |
/* begin ipsec.conf */
|
| 499 |
506 |
$ipsecconf = "";
|
| 500 |
|
if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
|
|
507 |
if (is_array($a_phase1) && count($a_phase1)) {
|
| 501 |
508 |
|
| 502 |
509 |
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
|
| 503 |
|
if (is_array($a_phase2) && count($a_phase2)) {
|
| 504 |
|
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
|
| 505 |
|
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
|
|
510 |
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
|
|
511 |
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
|
| 506 |
512 |
|
| 507 |
|
foreach ($a_phase2 as $ph2ent) {
|
| 508 |
|
$ikeid = $ph2ent['ikeid'];
|
|
513 |
foreach ($a_phase1 as $ph1ent) {
|
|
514 |
if (isset($ph1ent['disabled']))
|
|
515 |
continue;
|
| 509 |
516 |
|
| 510 |
|
$ph1ent = false;
|
| 511 |
|
if (!ipsec_lookup_phase1($ph2ent,$ph1ent))
|
| 512 |
|
continue;
|
|
517 |
if ($ph1ent['mode'] == "aggressive")
|
|
518 |
$aggressive = "yes";
|
|
519 |
else
|
|
520 |
$aggressive = "no";
|
| 513 |
521 |
|
| 514 |
|
if (isset($ph1ent['disabled']))
|
| 515 |
|
continue;
|
|
522 |
$ep = ipsec_get_phase1_src($ph1ent);
|
|
523 |
if (!$ep)
|
|
524 |
continue;
|
| 516 |
525 |
|
| 517 |
|
if (isset($ph2ent['disabled']))
|
| 518 |
|
continue;
|
|
526 |
$keyexchange = "ikev1";
|
|
527 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
|
|
528 |
$keyexchange = "ikev2";
|
|
529 |
$passive = "start";
|
|
530 |
} else
|
|
531 |
$passive = "route";
|
|
532 |
|
|
533 |
if (isset($ph1ent['mobile'])) {
|
|
534 |
$right_spec = "%any";
|
|
535 |
$passive = 'add';
|
|
536 |
} else
|
|
537 |
$right_spec = $ph1ent['remote-gateway'];
|
|
538 |
|
|
539 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
|
540 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
|
541 |
|
|
542 |
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
|
|
543 |
$peerid_spec = '';
|
|
544 |
if (!isset($ph1ent['mobile']))
|
|
545 |
$peerid_spec = $peerid_data;
|
|
546 |
|
|
547 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
|
548 |
$ealgosp1 = '';
|
|
549 |
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
|
550 |
$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
|
|
551 |
if ($ealg_kl)
|
|
552 |
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
|
|
553 |
else
|
|
554 |
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
|
| 519 |
555 |
|
| 520 |
|
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
| 521 |
|
continue;
|
|
556 |
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
|
|
557 |
if (!empty($modp))
|
|
558 |
$ealgosp1 .= "-{$modp}";
|
| 522 |
559 |
|
| 523 |
|
$ikeid = $ph1ent['ikeid'];
|
|
560 |
if ($keyexchange == "ikev1")
|
|
561 |
$ealgosp1 .= "!";
|
|
562 |
}
|
| 524 |
563 |
|
| 525 |
|
if ($ph1ent['mode'] == "aggressive")
|
| 526 |
|
$aggressive = "yes";
|
|
564 |
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
|
|
565 |
if ($passive == "start")
|
|
566 |
$dpdline = "dpdaction = restart";
|
| 527 |
567 |
else
|
| 528 |
|
$aggressive = "no";
|
|
568 |
$dpdline = "dpdaction = clear";
|
|
569 |
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
|
|
570 |
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
|
|
571 |
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
|
|
572 |
} else
|
|
573 |
$dpdline = "dpdaction = none";
|
|
574 |
|
|
575 |
$ikelifeline = '';
|
|
576 |
if ($ph1ent['lifetime'])
|
|
577 |
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
|
578 |
|
|
579 |
$authentication = "";
|
|
580 |
switch ($ph1ent['authentication_method']) {
|
|
581 |
case 'xauth_rsa_server':
|
|
582 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
|
583 |
$authentication .= "\n\trightauth2 = xauth-generic";
|
|
584 |
break;
|
|
585 |
case 'xauth_psk_server':
|
|
586 |
$authentication = "leftauth = psk\n\trightauth = psk";
|
|
587 |
$authentication .= "\n\trightauth2 = xauth-generic";
|
|
588 |
break;
|
|
589 |
case 'pre_shared_key':
|
|
590 |
$authentication = "leftauth = psk\n\trightauth = psk";
|
|
591 |
break;
|
|
592 |
case 'rsasig':
|
|
593 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
|
594 |
break;
|
|
595 |
case 'hybrid_rsa_server':
|
|
596 |
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
|
|
597 |
$authentication .= "\n\trightauth2 = xauth";
|
|
598 |
break;
|
|
599 |
}
|
| 529 |
600 |
|
| 530 |
|
$ep = ipsec_get_phase1_src($ph1ent);
|
| 531 |
|
if (!$ep)
|
| 532 |
|
continue;
|
|
601 |
$left_spec = $ep;
|
| 533 |
602 |
|
| 534 |
|
$passive = "start";
|
| 535 |
|
if (isset($ph1ent['mobile'])) {
|
| 536 |
|
$rgip = "%any";
|
| 537 |
|
$passive = 'add';
|
| 538 |
|
} else
|
| 539 |
|
$rgip = $ph1ent['remote-gateway'];
|
| 540 |
|
|
| 541 |
|
$keyexchange = "ikev1";
|
| 542 |
|
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
|
| 543 |
|
$keyexchange = "ikev2";
|
| 544 |
|
$rekey = "rekey = yes";
|
| 545 |
|
} else {
|
| 546 |
|
$rekey = "rekey = yes";
|
| 547 |
|
}
|
|
603 |
$ipseclifetime = 0;
|
|
604 |
$rightsubnet_spec = array();
|
|
605 |
$leftsubnet_spec = array();
|
|
606 |
$ealgoAHsp2arr = array();
|
|
607 |
$ealgoESPsp2arr = array();
|
|
608 |
if (is_array($a_phase2) && count($a_phase2)) {
|
|
609 |
foreach ($a_phase2 as $ph2ent) {
|
|
610 |
$ikeid = $ph2ent['ikeid'];
|
|
611 |
if ($ikeid != $ph1ent['ikeid'])
|
|
612 |
continue;
|
| 548 |
613 |
|
| 549 |
|
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
| 550 |
|
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
|
614 |
if (isset($ph2ent['disabled']))
|
|
615 |
continue;
|
| 551 |
616 |
|
| 552 |
|
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
|
| 553 |
|
$peerid_spec = '';
|
| 554 |
|
if (!isset($ph1ent['mobile']))
|
| 555 |
|
$peerid_spec = $peerid_data;
|
| 556 |
|
|
| 557 |
|
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
| 558 |
|
$ealgosp1 = '';
|
| 559 |
|
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
| 560 |
|
$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
|
| 561 |
|
if ($ealg_kl)
|
| 562 |
|
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
|
| 563 |
|
else
|
| 564 |
|
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
|
| 565 |
|
|
| 566 |
|
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
|
| 567 |
|
if (!empty($modp))
|
| 568 |
|
$ealgosp1 .= "-{$modp}";
|
| 569 |
|
|
| 570 |
|
if ($keyexchange == "ikev1")
|
| 571 |
|
$ealgosp1 .= "!";
|
| 572 |
|
}
|
|
617 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
|
618 |
continue;
|
| 573 |
619 |
|
| 574 |
|
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
|
| 575 |
|
if ($passive == "start")
|
| 576 |
|
$dpdline = "dpdaction = restart";
|
| 577 |
|
else
|
| 578 |
|
$dpdline = "dpdaction = clear";
|
| 579 |
|
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
|
| 580 |
|
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
|
| 581 |
|
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
|
| 582 |
|
} else
|
| 583 |
|
$dpdline = "dpdaction = none";
|
| 584 |
|
|
| 585 |
|
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
| 586 |
|
$xauth = "xauth = server";
|
| 587 |
|
|
| 588 |
|
$ikelifeline = '';
|
| 589 |
|
if ($ph1ent['lifetime'])
|
| 590 |
|
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
| 591 |
|
|
| 592 |
|
$remoteid_spec = '';
|
| 593 |
620 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
| 594 |
621 |
$tunneltype = "type = tunnel";
|
| 595 |
622 |
|
| 596 |
623 |
$localid_type = $ph2ent['localid']['type'];
|
| 597 |
|
$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
|
624 |
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
| 598 |
625 |
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
|
| 599 |
626 |
if (($localid_type == "none" || $localid_type == "mobile")
|
| 600 |
|
&& isset($ph1ent['mobile'])
|
| 601 |
|
&& (ipsec_get_number_of_phase2($ikeid)==1))
|
| 602 |
|
$localid_spec = "%any";
|
| 603 |
|
else {
|
|
627 |
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
|
|
628 |
$left_spec = '%any';
|
|
629 |
} else {
|
| 604 |
630 |
if ($localid_type != "address") {
|
| 605 |
631 |
$localid_type = "subnet";
|
| 606 |
632 |
}
|
| 607 |
633 |
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
|
| 608 |
|
if (!is_ipaddr($localid_data) && !is_subnet($localid_data) && ($localid_data != "0.0.0.0/0")) {
|
|
634 |
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
|
| 609 |
635 |
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
|
| 610 |
636 |
continue;
|
| 611 |
637 |
}
|
| 612 |
|
$localid_spec = $ep;
|
| 613 |
638 |
if (!empty($ph2ent['natlocalid'])) {
|
| 614 |
|
$natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
|
639 |
$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
| 615 |
640 |
if ($ph2ent['natlocalid']['type'] != "address") {
|
| 616 |
|
if (is_subnet($natlocalid_data))
|
| 617 |
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
641 |
if (is_subnet($natleftsubnet_data))
|
|
642 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
| 618 |
643 |
} else {
|
| 619 |
|
if (is_ipaddr($natlocalid_data))
|
| 620 |
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
644 |
if (is_ipaddr($natleftsubnet_data))
|
|
645 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
| 621 |
646 |
}
|
| 622 |
647 |
$natfilterrules = true;
|
| 623 |
648 |
}
|
| 624 |
649 |
}
|
| 625 |
650 |
|
|
651 |
$leftsubnet_spec[] = $leftsubnet_data;
|
|
652 |
|
| 626 |
653 |
if (!isset($ph2ent['mobile'])) {
|
| 627 |
|
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
| 628 |
|
$remoteid_spec = "\trightsubnet = {$remoteid_data}";
|
|
654 |
$rightsubnet_spec[] = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
| 629 |
655 |
} else if (!empty($a_client['pool_address']))
|
| 630 |
|
$remoteid_spec = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
|
656 |
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
| 631 |
657 |
} else {
|
| 632 |
658 |
$tunneltype = "type = transport";
|
| 633 |
|
$rgip = $ph1ent['remote-gateway'];
|
| 634 |
659 |
|
| 635 |
660 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
|
| 636 |
|
($ph1ent['authentication_method'] == "pre_shared_key"))
|
| 637 |
|
&& isset($ph1ent['mobile']))
|
| 638 |
|
$localid_spec = "%any";
|
| 639 |
|
else {
|
| 640 |
|
$localid_data = ipsec_get_phase1_src($ph1ent);
|
| 641 |
|
$localid_spec = $ep;
|
| 642 |
|
}
|
| 643 |
|
if (!isset($ph2ent['mobile'])) {
|
| 644 |
|
$remoteid_spec = "\trightsubnet = {$rgip}";
|
|
661 |
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
|
|
662 |
$left_spec = "%any";
|
|
663 |
} else {
|
|
664 |
$leftsubnet_spec[] = ipsec_get_phase1_src($ph1ent);
|
| 645 |
665 |
}
|
| 646 |
|
}
|
| 647 |
|
$authentication = "";
|
| 648 |
|
switch ($ph1ent['authentication_method']) {
|
| 649 |
|
case 'xauth_rsa_server':
|
| 650 |
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
| 651 |
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
| 652 |
|
break;
|
| 653 |
|
case 'xauth_psk_server':
|
| 654 |
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
| 655 |
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
| 656 |
|
break;
|
| 657 |
|
case 'pre_shared_key':
|
| 658 |
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
| 659 |
|
break;
|
| 660 |
|
case 'rsasig':
|
| 661 |
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
| 662 |
|
break;
|
| 663 |
|
case 'hybrid_rsa_server':
|
| 664 |
|
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
|
| 665 |
|
$authentication .= "\n\trightauth2 = xauth";
|
| 666 |
|
break;
|
|
666 |
|
|
667 |
if (!isset($ph2ent['mobile']))
|
|
668 |
$rightsubnet_spec[] = $right_spec;
|
| 667 |
669 |
}
|
| 668 |
670 |
|
| 669 |
671 |
if (isset($a_client['pfs_group']))
|
| 670 |
672 |
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
| 671 |
673 |
|
| 672 |
|
$ealgosp2 = '';
|
| 673 |
674 |
if ($ph2ent['protocol'] == 'esp') {
|
| 674 |
675 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
| 675 |
|
$ealgosp2arr = array();
|
| 676 |
676 |
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
|
| 677 |
677 |
$ealg_id = $ealg['name'];
|
| 678 |
678 |
$ealg_kl = $ealg['keylen'];
|
| ... | ... | |
| 694 |
694 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
| 695 |
695 |
if (!empty($modp))
|
| 696 |
696 |
$tmpealgo .= "-{$modp}";
|
| 697 |
|
$ealgosp2arr[] = $tmpealgo;
|
|
697 |
$ealgoESPsp2arr[] = $tmpealgo;
|
| 698 |
698 |
}
|
| 699 |
699 |
}
|
| 700 |
700 |
}
|
| ... | ... | |
| 705 |
705 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
| 706 |
706 |
if (!empty($modp))
|
| 707 |
707 |
$tmpealgo .= "-{$modp}";
|
| 708 |
|
$ealgosp2arr[] = $tmpealgo;
|
|
708 |
$ealgoESPsp2arr[] = $tmpealgo;
|
| 709 |
709 |
}
|
| 710 |
710 |
}
|
| 711 |
711 |
}
|
| 712 |
|
$ealgosp2 = "esp = " . join(",", $ealgosp2arr);
|
| 713 |
|
unset($ealgosp2arr);
|
| 714 |
|
$ealgosp2 .= "!";
|
| 715 |
712 |
}
|
| 716 |
713 |
} else if ($ph2ent['protocol'] == 'ah') {
|
| 717 |
714 |
if (is_array($ph2ent['hash-algorithm-option'])) {
|
| 718 |
|
$ealgosp2 = "ah = " . join(",", $ph2ent['hash-algorithm-option']);
|
| 719 |
|
$ealgosp2 = str_replace('hmac_', '', $ealgosp2);
|
| 720 |
715 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
| 721 |
|
if (!empty($modp))
|
| 722 |
|
$ealgosp2 .= "-{$modp}";
|
| 723 |
|
$ealgosp2 .= "!";
|
|
716 |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
|
|
717 |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
|
|
718 |
if (!empty($modp))
|
|
719 |
$tmpAHalgo = "-{$modp}";
|
|
720 |
$ealgoAHsp2arr[] = $tmpAHalgo;
|
|
721 |
}
|
| 724 |
722 |
}
|
| 725 |
723 |
}
|
| 726 |
724 |
|
| 727 |
725 |
|
| 728 |
|
$ipseclifetime = '';
|
| 729 |
|
if ($ph2ent['lifetime'])
|
| 730 |
|
$ipseclifeline = "lifetime = {$ph2ent['lifetime']}s";
|
|
726 |
if (!empty($ph2ent['lifetime'])) {
|
|
727 |
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
|
|
728 |
$ipseclifetime = intval($ph2ent['lifetime']);
|
|
729 |
}
|
|
730 |
}
|
|
731 |
}
|
| 731 |
732 |
|
| 732 |
|
$ipsecconf .=<<<EOD
|
|
733 |
$ipsecconf .=<<<EOD
|
| 733 |
734 |
|
| 734 |
|
conn con{$ph1ent['ikeid']}-{$ph2ent['uniqid']}
|
|
735 |
conn con{$ph1ent['ikeid']}
|
| 735 |
736 |
aggressive = {$aggressive}
|
| 736 |
737 |
fragmentation = yes
|
| 737 |
738 |
keyexchange = {$keyexchange}
|
| 738 |
739 |
keyingtries = %forever
|
| 739 |
740 |
reauth = yes
|
| 740 |
|
{$rekey}
|
|
741 |
rekey = yes
|
| 741 |
742 |
reqid = {$ikeid}
|
| 742 |
743 |
installpolicy = yes
|
| 743 |
|
{$ikelifeline}
|
| 744 |
|
{$ipseclifeline}
|
| 745 |
744 |
{$tunneltype}
|
| 746 |
745 |
{$dpdline}
|
| 747 |
746 |
auto = {$passive}
|
| 748 |
|
left = {$localid_spec}
|
| 749 |
|
leftsubnet = {$localid_data}
|
| 750 |
|
right = {$rgip}
|
|
747 |
left = {$left_spec}
|
|
748 |
right = {$right_spec}
|
| 751 |
749 |
leftid = {$myid_data}
|
| 752 |
750 |
|
| 753 |
751 |
EOD;
|
| 754 |
752 |
|
| 755 |
|
if (!empty($remoteid_spec))
|
| 756 |
|
$ipsecconf .= "{$remoteid_spec}\n";
|
| 757 |
|
if (!empty($ealgosp1))
|
| 758 |
|
$ipsecconf .= "\t{$ealgosp1}\n";
|
| 759 |
|
if (!empty($ealgosp2))
|
| 760 |
|
$ipsecconf .= "\t{$ealgosp2}\n";
|
| 761 |
|
if (!empty($authentication))
|
| 762 |
|
$ipsecconf .= "\t{$authentication}\n";
|
| 763 |
|
if (!empty($peerid_spec))
|
| 764 |
|
$ipsecconf .= "\trightid = {$peerid_spec}\n";
|
| 765 |
|
}
|
|
753 |
if (!empty($ikelifeline))
|
|
754 |
$ipsecconf .= "\t{$ikelifeline}\n";
|
|
755 |
if ($ipseclifetime > 0)
|
|
756 |
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
|
|
757 |
if (!empty($rightsubnet_spec))
|
|
758 |
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
|
|
759 |
if (!empty($leftsubnet_spec))
|
|
760 |
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
|
|
761 |
if (!empty($ealgosp1))
|
|
762 |
$ipsecconf .= "\t{$ealgosp1}\n";
|
|
763 |
if (!empty($ealgoAHsp2arr))
|
|
764 |
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
|
|
765 |
if (!empty($ealgoESPsp2arr))
|
|
766 |
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
|
|
767 |
if (!empty($authentication))
|
|
768 |
$ipsecconf .= "\t{$authentication}\n";
|
|
769 |
if (!empty($peerid_spec))
|
|
770 |
$ipsecconf .= "\trightid = {$peerid_spec}\n";
|
| 766 |
771 |
}
|
| 767 |
772 |
}
|
| 768 |
773 |
}
|
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.