693 |
693 |
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
694 |
694 |
|
695 |
695 |
if ($ph2ent['protocol'] == 'esp') {
|
696 |
|
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
696 |
if (is_array($ph2ent['encryption-algorithm-option'])) {
|
697 |
697 |
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
|
698 |
698 |
$ealg_id = $ealg['name'];
|
699 |
699 |
$ealg_kl = $ealg['keylen'];
|
... | ... | |
709 |
709 |
* seconds wrecking bootup */
|
710 |
710 |
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
|
711 |
711 |
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
|
712 |
|
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
713 |
|
$halgo = str_replace('hmac_', '', $halgo);
|
714 |
|
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
|
|
712 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
713 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
714 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
715 |
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
|
|
716 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
|
717 |
if (!empty($modp))
|
|
718 |
$tmpealgo .= "-{$modp}";
|
|
719 |
$ealgoESPsp2arr[] = $tmpealgo;
|
|
720 |
}
|
|
721 |
} else {
|
|
722 |
$tmpealgo = "{$ealg_id}{$keylen}";
|
715 |
723 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
716 |
724 |
if (!empty($modp))
|
717 |
725 |
$tmpealgo .= "-{$modp}";
|
... | ... | |
720 |
728 |
}
|
721 |
729 |
}
|
722 |
730 |
} else {
|
723 |
|
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
724 |
|
$halgo = str_replace('hmac_', '', $halgo);
|
725 |
|
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
|
|
731 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
|
732 |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
|
733 |
$halgo = str_replace('hmac_', '', $halgo);
|
|
734 |
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
|
|
735 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
|
736 |
if (!empty($modp))
|
|
737 |
$tmpealgo .= "-{$modp}";
|
|
738 |
$ealgoESPsp2arr[] = $tmpealgo;
|
|
739 |
}
|
|
740 |
} else {
|
|
741 |
$tmpealgo = "{$ealg_id}{$ealg_kl}";
|
726 |
742 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
727 |
743 |
if (!empty($modp))
|
728 |
744 |
$tmpealgo .= "-{$modp}";
|
... | ... | |
732 |
748 |
}
|
733 |
749 |
}
|
734 |
750 |
} else if ($ph2ent['protocol'] == 'ah') {
|
735 |
|
if (is_array($ph2ent['hash-algorithm-option'])) {
|
|
751 |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
736 |
752 |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
737 |
753 |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
|
738 |
754 |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
|
... | ... | |
784 |
800 |
$ipsecconf .= "\t{$ealgosp1}\n";
|
785 |
801 |
if (!empty($ealgoAHsp2arr))
|
786 |
802 |
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
|
787 |
|
if (!empty($ealgoESPsp2arr))
|
|
803 |
if (!empty($ealgoESPsp2arr)) {
|
|
804 |
file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true));
|
788 |
805 |
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
|
|
806 |
}
|
789 |
807 |
if (!empty($authentication))
|
790 |
808 |
$ipsecconf .= "\t{$authentication}\n";
|
791 |
809 |
if (!empty($peerid_spec))
|
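Review bot: The `file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true));` call added at new line 804 looks like leftover debugging and should not ship. It rewrites a fixed file with the negotiated ESP proposal list every time the config is generated, its return value is ignored, and it is unrelated to the stated purpose of the commit. Drop it so the block is again just `if (!empty($ealgoESPsp2arr))` followed by `$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";`. Separately, the new `else` branches at new lines 721 and 740 emit `{$ealg_id}{$keylen}` with no integrity algorithm for any cipher, not only AES-GCM. Unless validation outside this hunk rules it out, an empty hash list with a non-AEAD cipher would produce an ESP proposal without authentication, so checking that `$ealg_id` is an AEAD cipher before taking that branch would be safer. The enclosing function starts and ends outside the visible hunks.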
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM