Révision 0b5fc1d1
Ajouté par Ermal il y a plus de 9 ans
etc/inc/vpn.inc | ||
---|---|---|
269 | 269 |
# number of worker threads in charon |
270 | 270 |
threads = 16 |
271 | 271 |
|
272 |
# NOTE: Allows to send multiple subnets for IKEv1 |
|
273 |
cisco_unity = yes |
|
274 |
|
|
272 | 275 |
# XXX: There is not much choice here really users win their security! |
273 | 276 |
i_dont_care_about_security_and_use_aggressive_mode_psk=yes |
274 | 277 |
|
... | ... | |
475 | 478 |
} |
476 | 479 |
|
477 | 480 |
/* Add user PSKs */ |
478 |
foreach ($config['system']['user'] as $user) { |
|
479 |
if (!empty($user['ipsecpsk'])) { |
|
480 |
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n"; |
|
481 |
if (is_array($config['system']) && is_array($config['system']['user'])) { |
|
482 |
foreach ($config['system']['user'] as $user) { |
|
483 |
if (!empty($user['ipsecpsk'])) { |
|
484 |
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n"; |
|
485 |
} |
|
481 | 486 |
} |
487 |
unset($user); |
|
482 | 488 |
} |
483 | 489 |
|
484 | 490 |
/* add PSKs for mobile clients */ |
... | ... | |
488 | 494 |
$key['ident'] = ''; |
489 | 495 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n"; |
490 | 496 |
} |
497 |
unset($key); |
|
491 | 498 |
} |
492 | 499 |
|
493 | 500 |
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf); |
... | ... | |
497 | 504 |
$natfilterrules = false; |
498 | 505 |
/* begin ipsec.conf */ |
499 | 506 |
$ipsecconf = ""; |
500 |
if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
|
|
507 |
if (is_array($a_phase1) && count($a_phase1)) {
|
|
501 | 508 |
|
502 | 509 |
$ipsecconf .= "# This file is automatically generated. Do not edit\n"; |
503 |
if (is_array($a_phase2) && count($a_phase2)) { |
|
504 |
$ipsecconf .= "config setup\n\tuniqueids = yes\n"; |
|
505 |
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n"; |
|
510 |
$ipsecconf .= "config setup\n\tuniqueids = yes\n"; |
|
511 |
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n"; |
|
506 | 512 |
|
507 |
foreach ($a_phase2 as $ph2ent) { |
|
508 |
$ikeid = $ph2ent['ikeid']; |
|
513 |
foreach ($a_phase1 as $ph1ent) { |
|
514 |
if (isset($ph1ent['disabled'])) |
|
515 |
continue; |
|
509 | 516 |
|
510 |
$ph1ent = false; |
|
511 |
if (!ipsec_lookup_phase1($ph2ent,$ph1ent)) |
|
512 |
continue; |
|
517 |
if ($ph1ent['mode'] == "aggressive") |
|
518 |
$aggressive = "yes"; |
|
519 |
else |
|
520 |
$aggressive = "no"; |
|
513 | 521 |
|
514 |
if (isset($ph1ent['disabled'])) |
|
515 |
continue; |
|
522 |
$ep = ipsec_get_phase1_src($ph1ent); |
|
523 |
if (!$ep) |
|
524 |
continue; |
|
516 | 525 |
|
517 |
if (isset($ph2ent['disabled'])) |
|
518 |
continue; |
|
526 |
$keyexchange = "ikev1"; |
|
527 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { |
|
528 |
$keyexchange = "ikev2"; |
|
529 |
$passive = "start"; |
|
530 |
} else |
|
531 |
$passive = "route"; |
|
532 |
|
|
533 |
if (isset($ph1ent['mobile'])) { |
|
534 |
$right_spec = "%any"; |
|
535 |
$passive = 'add'; |
|
536 |
} else |
|
537 |
$right_spec = $ph1ent['remote-gateway']; |
|
538 |
|
|
539 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); |
|
540 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); |
|
541 |
|
|
542 |
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ |
|
543 |
$peerid_spec = ''; |
|
544 |
if (!isset($ph1ent['mobile'])) |
|
545 |
$peerid_spec = $peerid_data; |
|
546 |
|
|
547 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { |
|
548 |
$ealgosp1 = ''; |
|
549 |
$ealg_id = $ph1ent['encryption-algorithm']['name']; |
|
550 |
$ealg_kl = $ph1ent['encryption-algorithm']['keylen']; |
|
551 |
if ($ealg_kl) |
|
552 |
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}"; |
|
553 |
else |
|
554 |
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; |
|
519 | 555 |
|
520 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) |
|
521 |
continue; |
|
556 |
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); |
|
557 |
if (!empty($modp)) |
|
558 |
$ealgosp1 .= "-{$modp}"; |
|
522 | 559 |
|
523 |
$ikeid = $ph1ent['ikeid']; |
|
560 |
if ($keyexchange == "ikev1") |
|
561 |
$ealgosp1 .= "!"; |
|
562 |
} |
|
524 | 563 |
|
525 |
if ($ph1ent['mode'] == "aggressive") |
|
526 |
$aggressive = "yes"; |
|
564 |
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { |
|
565 |
if ($passive == "start") |
|
566 |
$dpdline = "dpdaction = restart"; |
|
527 | 567 |
else |
528 |
$aggressive = "no"; |
|
568 |
$dpdline = "dpdaction = clear"; |
|
569 |
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; |
|
570 |
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); |
|
571 |
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; |
|
572 |
} else |
|
573 |
$dpdline = "dpdaction = none"; |
|
574 |
|
|
575 |
$ikelifeline = ''; |
|
576 |
if ($ph1ent['lifetime']) |
|
577 |
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; |
|
578 |
|
|
579 |
$authentication = ""; |
|
580 |
switch ($ph1ent['authentication_method']) { |
|
581 |
case 'xauth_rsa_server': |
|
582 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
|
583 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
|
584 |
break; |
|
585 |
case 'xauth_psk_server': |
|
586 |
$authentication = "leftauth = psk\n\trightauth = psk"; |
|
587 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
|
588 |
break; |
|
589 |
case 'pre_shared_key': |
|
590 |
$authentication = "leftauth = psk\n\trightauth = psk"; |
|
591 |
break; |
|
592 |
case 'rsasig': |
|
593 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
|
594 |
break; |
|
595 |
case 'hybrid_rsa_server': |
|
596 |
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; |
|
597 |
$authentication .= "\n\trightauth2 = xauth"; |
|
598 |
break; |
|
599 |
} |
|
529 | 600 |
|
530 |
$ep = ipsec_get_phase1_src($ph1ent); |
|
531 |
if (!$ep) |
|
532 |
continue; |
|
601 |
$left_spec = $ep; |
|
533 | 602 |
|
534 |
$passive = "start"; |
|
535 |
if (isset($ph1ent['mobile'])) { |
|
536 |
$rgip = "%any"; |
|
537 |
$passive = 'add'; |
|
538 |
} else |
|
539 |
$rgip = $ph1ent['remote-gateway']; |
|
540 |
|
|
541 |
$keyexchange = "ikev1"; |
|
542 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { |
|
543 |
$keyexchange = "ikev2"; |
|
544 |
$rekey = "rekey = yes"; |
|
545 |
} else { |
|
546 |
$rekey = "rekey = yes"; |
|
547 |
} |
|
603 |
$ipseclifetime = 0; |
|
604 |
$rightsubnet_spec = array(); |
|
605 |
$leftsubnet_spec = array(); |
|
606 |
$ealgoAHsp2arr = array(); |
|
607 |
$ealgoESPsp2arr = array(); |
|
608 |
if (is_array($a_phase2) && count($a_phase2)) { |
|
609 |
foreach ($a_phase2 as $ph2ent) { |
|
610 |
$ikeid = $ph2ent['ikeid']; |
|
611 |
if ($ikeid != $ph1ent['ikeid']) |
|
612 |
continue; |
|
548 | 613 |
|
549 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
|
550 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
|
614 |
if (isset($ph2ent['disabled']))
|
|
615 |
continue;
|
|
551 | 616 |
|
552 |
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ |
|
553 |
$peerid_spec = ''; |
|
554 |
if (!isset($ph1ent['mobile'])) |
|
555 |
$peerid_spec = $peerid_data; |
|
556 |
|
|
557 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { |
|
558 |
$ealgosp1 = ''; |
|
559 |
$ealg_id = $ph1ent['encryption-algorithm']['name']; |
|
560 |
$ealg_kl = $ph1ent['encryption-algorithm']['keylen']; |
|
561 |
if ($ealg_kl) |
|
562 |
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}"; |
|
563 |
else |
|
564 |
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; |
|
565 |
|
|
566 |
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); |
|
567 |
if (!empty($modp)) |
|
568 |
$ealgosp1 .= "-{$modp}"; |
|
569 |
|
|
570 |
if ($keyexchange == "ikev1") |
|
571 |
$ealgosp1 .= "!"; |
|
572 |
} |
|
617 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) |
|
618 |
continue; |
|
573 | 619 |
|
574 |
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { |
|
575 |
if ($passive == "start") |
|
576 |
$dpdline = "dpdaction = restart"; |
|
577 |
else |
|
578 |
$dpdline = "dpdaction = clear"; |
|
579 |
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; |
|
580 |
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); |
|
581 |
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; |
|
582 |
} else |
|
583 |
$dpdline = "dpdaction = none"; |
|
584 |
|
|
585 |
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid"))) |
|
586 |
$xauth = "xauth = server"; |
|
587 |
|
|
588 |
$ikelifeline = ''; |
|
589 |
if ($ph1ent['lifetime']) |
|
590 |
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; |
|
591 |
|
|
592 |
$remoteid_spec = ''; |
|
593 | 620 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { |
594 | 621 |
$tunneltype = "type = tunnel"; |
595 | 622 |
|
596 | 623 |
$localid_type = $ph2ent['localid']['type']; |
597 |
$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
|
624 |
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
|
598 | 625 |
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ |
599 | 626 |
if (($localid_type == "none" || $localid_type == "mobile") |
600 |
&& isset($ph1ent['mobile']) |
|
601 |
&& (ipsec_get_number_of_phase2($ikeid)==1)) |
|
602 |
$localid_spec = "%any"; |
|
603 |
else { |
|
627 |
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { |
|
628 |
$left_spec = '%any'; |
|
629 |
} else { |
|
604 | 630 |
if ($localid_type != "address") { |
605 | 631 |
$localid_type = "subnet"; |
606 | 632 |
} |
607 | 633 |
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201. |
608 |
if (!is_ipaddr($localid_data) && !is_subnet($localid_data) && ($localid_data != "0.0.0.0/0")) {
|
|
634 |
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
|
|
609 | 635 |
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet."); |
610 | 636 |
continue; |
611 | 637 |
} |
612 |
$localid_spec = $ep; |
|
613 | 638 |
if (!empty($ph2ent['natlocalid'])) { |
614 |
$natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
|
639 |
$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
|
615 | 640 |
if ($ph2ent['natlocalid']['type'] != "address") { |
616 |
if (is_subnet($natlocalid_data))
|
|
617 |
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
641 |
if (is_subnet($natleftsubnet_data))
|
|
642 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
|
618 | 643 |
} else { |
619 |
if (is_ipaddr($natlocalid_data))
|
|
620 |
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
|
644 |
if (is_ipaddr($natleftsubnet_data))
|
|
645 |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
|
|
621 | 646 |
} |
622 | 647 |
$natfilterrules = true; |
623 | 648 |
} |
624 | 649 |
} |
625 | 650 |
|
651 |
$leftsubnet_spec[] = $leftsubnet_data; |
|
652 |
|
|
626 | 653 |
if (!isset($ph2ent['mobile'])) { |
627 |
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); |
|
628 |
$remoteid_spec = "\trightsubnet = {$remoteid_data}"; |
|
654 |
$rightsubnet_spec[] = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); |
|
629 | 655 |
} else if (!empty($a_client['pool_address'])) |
630 |
$remoteid_spec = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
|
656 |
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
|
|
631 | 657 |
} else { |
632 | 658 |
$tunneltype = "type = transport"; |
633 |
$rgip = $ph1ent['remote-gateway']; |
|
634 | 659 |
|
635 | 660 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") || |
636 |
($ph1ent['authentication_method'] == "pre_shared_key")) |
|
637 |
&& isset($ph1ent['mobile'])) |
|
638 |
$localid_spec = "%any"; |
|
639 |
else { |
|
640 |
$localid_data = ipsec_get_phase1_src($ph1ent); |
|
641 |
$localid_spec = $ep; |
|
642 |
} |
|
643 |
if (!isset($ph2ent['mobile'])) { |
|
644 |
$remoteid_spec = "\trightsubnet = {$rgip}"; |
|
661 |
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) { |
|
662 |
$left_spec = "%any"; |
|
663 |
} else { |
|
664 |
$leftsubnet_spec[] = ipsec_get_phase1_src($ph1ent); |
|
645 | 665 |
} |
646 |
} |
|
647 |
$authentication = ""; |
|
648 |
switch ($ph1ent['authentication_method']) { |
|
649 |
case 'xauth_rsa_server': |
|
650 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
|
651 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
|
652 |
break; |
|
653 |
case 'xauth_psk_server': |
|
654 |
$authentication = "leftauth = psk\n\trightauth = psk"; |
|
655 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
|
656 |
break; |
|
657 |
case 'pre_shared_key': |
|
658 |
$authentication = "leftauth = psk\n\trightauth = psk"; |
|
659 |
break; |
|
660 |
case 'rsasig': |
|
661 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
|
662 |
break; |
|
663 |
case 'hybrid_rsa_server': |
|
664 |
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; |
|
665 |
$authentication .= "\n\trightauth2 = xauth"; |
|
666 |
break; |
|
666 |
|
|
667 |
if (!isset($ph2ent['mobile'])) |
|
668 |
$rightsubnet_spec[] = $right_spec; |
|
667 | 669 |
} |
668 | 670 |
|
669 | 671 |
if (isset($a_client['pfs_group'])) |
670 | 672 |
$ph2ent['pfsgroup'] = $a_client['pfs_group']; |
671 | 673 |
|
672 |
$ealgosp2 = ''; |
|
673 | 674 |
if ($ph2ent['protocol'] == 'esp') { |
674 | 675 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { |
675 |
$ealgosp2arr = array(); |
|
676 | 676 |
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { |
677 | 677 |
$ealg_id = $ealg['name']; |
678 | 678 |
$ealg_kl = $ealg['keylen']; |
... | ... | |
694 | 694 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
695 | 695 |
if (!empty($modp)) |
696 | 696 |
$tmpealgo .= "-{$modp}"; |
697 |
$ealgosp2arr[] = $tmpealgo; |
|
697 |
$ealgoESPsp2arr[] = $tmpealgo;
|
|
698 | 698 |
} |
699 | 699 |
} |
700 | 700 |
} |
... | ... | |
705 | 705 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
706 | 706 |
if (!empty($modp)) |
707 | 707 |
$tmpealgo .= "-{$modp}"; |
708 |
$ealgosp2arr[] = $tmpealgo; |
|
708 |
$ealgoESPsp2arr[] = $tmpealgo;
|
|
709 | 709 |
} |
710 | 710 |
} |
711 | 711 |
} |
712 |
$ealgosp2 = "esp = " . join(",", $ealgosp2arr); |
|
713 |
unset($ealgosp2arr); |
|
714 |
$ealgosp2 .= "!"; |
|
715 | 712 |
} |
716 | 713 |
} else if ($ph2ent['protocol'] == 'ah') { |
717 | 714 |
if (is_array($ph2ent['hash-algorithm-option'])) { |
718 |
$ealgosp2 = "ah = " . join(",", $ph2ent['hash-algorithm-option']); |
|
719 |
$ealgosp2 = str_replace('hmac_', '', $ealgosp2); |
|
720 | 715 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); |
721 |
if (!empty($modp)) |
|
722 |
$ealgosp2 .= "-{$modp}"; |
|
723 |
$ealgosp2 .= "!"; |
|
716 |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { |
|
717 |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); |
|
718 |
if (!empty($modp)) |
|
719 |
$tmpAHalgo = "-{$modp}"; |
|
720 |
$ealgoAHsp2arr[] = $tmpAHalgo; |
|
721 |
} |
|
724 | 722 |
} |
725 | 723 |
} |
726 | 724 |
|
727 | 725 |
|
728 |
$ipseclifetime = ''; |
|
729 |
if ($ph2ent['lifetime']) |
|
730 |
$ipseclifeline = "lifetime = {$ph2ent['lifetime']}s"; |
|
726 |
if (!empty($ph2ent['lifetime'])) { |
|
727 |
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) |
|
728 |
$ipseclifetime = intval($ph2ent['lifetime']); |
|
729 |
} |
|
730 |
} |
|
731 |
} |
|
731 | 732 |
|
732 |
$ipsecconf .=<<<EOD
|
|
733 |
$ipsecconf .=<<<EOD |
|
733 | 734 |
|
734 |
conn con{$ph1ent['ikeid']}-{$ph2ent['uniqid']}
|
|
735 |
conn con{$ph1ent['ikeid']} |
|
735 | 736 |
aggressive = {$aggressive} |
736 | 737 |
fragmentation = yes |
737 | 738 |
keyexchange = {$keyexchange} |
738 | 739 |
keyingtries = %forever |
739 | 740 |
reauth = yes |
740 |
{$rekey}
|
|
741 |
rekey = yes
|
|
741 | 742 |
reqid = {$ikeid} |
742 | 743 |
installpolicy = yes |
743 |
{$ikelifeline} |
|
744 |
{$ipseclifeline} |
|
745 | 744 |
{$tunneltype} |
746 | 745 |
{$dpdline} |
747 | 746 |
auto = {$passive} |
748 |
left = {$localid_spec} |
|
749 |
leftsubnet = {$localid_data} |
|
750 |
right = {$rgip} |
|
747 |
left = {$left_spec} |
|
748 |
right = {$right_spec} |
|
751 | 749 |
leftid = {$myid_data} |
752 | 750 |
|
753 | 751 |
EOD; |
754 | 752 |
|
755 |
if (!empty($remoteid_spec)) |
|
756 |
$ipsecconf .= "{$remoteid_spec}\n"; |
|
757 |
if (!empty($ealgosp1)) |
|
758 |
$ipsecconf .= "\t{$ealgosp1}\n"; |
|
759 |
if (!empty($ealgosp2)) |
|
760 |
$ipsecconf .= "\t{$ealgosp2}\n"; |
|
761 |
if (!empty($authentication)) |
|
762 |
$ipsecconf .= "\t{$authentication}\n"; |
|
763 |
if (!empty($peerid_spec)) |
|
764 |
$ipsecconf .= "\trightid = {$peerid_spec}\n"; |
|
765 |
} |
|
753 |
if (!empty($ikelifeline)) |
|
754 |
$ipsecconf .= "\t{$ikelifeline}\n"; |
|
755 |
if ($ipseclifetime > 0) |
|
756 |
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n"; |
|
757 |
if (!empty($rightsubnet_spec)) |
|
758 |
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n"; |
|
759 |
if (!empty($leftsubnet_spec)) |
|
760 |
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n"; |
|
761 |
if (!empty($ealgosp1)) |
|
762 |
$ipsecconf .= "\t{$ealgosp1}\n"; |
|
763 |
if (!empty($ealgoAHsp2arr)) |
|
764 |
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n"; |
|
765 |
if (!empty($ealgoESPsp2arr)) |
|
766 |
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; |
|
767 |
if (!empty($authentication)) |
|
768 |
$ipsecconf .= "\t{$authentication}\n"; |
|
769 |
if (!empty($peerid_spec)) |
|
770 |
$ipsecconf .= "\trightid = {$peerid_spec}\n"; |
|
766 | 771 |
} |
767 | 772 |
} |
768 | 773 |
} |
Change the logic of the VPN config generation to make connectivity more stable, especially for IPsec. Also, for IKEv1, only generate the policies and start them only when traffic appears.