authormgrooms <mgrooms@shrew.net>2009-03-15 03:47:18 +0000
committermgrooms <mgrooms@shrew.net>2009-03-15 03:47:18 +0000
commit87e07f5242b8018a9c45afee448377d05fbe00c4 (patch)
tree9d49712e09c5eafd81d59c4e7f0ae0da4f43fb58
parent07ea77d066fafcf8121dddf83cec8f38e051e986 (diff)
Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.
-rw-r--r--etc/inc/upgrade_config.inc8
-rw-r--r--etc/inc/vpn.inc36
-rwxr-xr-xusr/local/www/vpn_ipsec.php2
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php11
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php28
5 files changed, 56 insertions, 29 deletions
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 53e8f34..e8d6192 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -927,9 +927,6 @@ function upgrade_046_to_047() {
if (isset($tunnel['p1']['private-key']))
$ph1ent['private-key'] = $tunnel['p1']['private-key'];
- if (isset($tunnel['pinghost']['pinghost']))
- $ph1ent['pinghost'] = $tunnel['pinghost'];
-
$ph1ent['nat_traversal'] = "on";
$ph1ent['dpd_enable'] = 1;
$ph1ent['dpd_delay'] = 10;
@@ -1009,6 +1006,9 @@ function upgrade_046_to_047() {
$ph2ent['pfsgroup'] = $tunnel['p2']['pfsgroup'];
$ph2ent['lifetime'] = $tunnel['p2']['lifetime'];
+ if (isset($tunnel['pinghost']['pinghost']))
+ $ph2ent['pinghost'] = $tunnel['pinghost'];
+
$a_phase2[] = $ph2ent;
}
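Review bot: The guard on the added line tests `$tunnel['pinghost']['pinghost']` but the assignment copies `$tunnel['pinghost']`, so the condition and the value it protects refer to different keys; the mismatch is carried over from the phase1 code removed in the earlier hunk. If the legacy tunnel stores the ping host as a plain string, the nested lookup indexes into that string and the outcome depends on the PHP version's string-offset rules rather than on whether the option was set. A consistent check would be `if (isset($tunnel['pinghost']))`, or whichever key path the legacy config actually uses. upgrade_046_to_047() begins and ends outside this hunk.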
@@ -1725,4 +1725,4 @@ function upgrade_056_to_057() {
unset($config['captiveportal']['user']);
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5db241d..1e9ea34 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -162,6 +162,8 @@ function vpn_ipsec_configure($ipchg = false)
$rgmap = array();
$dnswatch_list = array();
if (is_array($a_phase1) && count($a_phase1)) {
+
+ /* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
continue;
@@ -191,19 +193,31 @@ function vpn_ipsec_configure($ipchg = false)
$rgmap[$ph1ent['remote-gateway']] = $rg;
- /* add an ipsec pinghosts entry */
+ /* step through each phase2 entry */
+ foreach ($a_phase2 as $ph2ent) {
+
+ $ikeid = $ph2ent['ikeid'];
+
+ if (isset($ph2ent['disabled']))
+ continue;
- if ($ph1ent['pinghost']) {
- $pfd = fopen("/var/db/ipsecpinghosts", "a");
- $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
- if (ip_in_subnet($interface_ip, $sa . "/" . $sn))
- $srcip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ if ($ikeid != $ph1ent['ikeid'])
+ continue;
+
+ /* add an ipsec pinghosts entry */
+ if ($ph2ent['pinghost']) {
+ $pfd = fopen("/var/db/ipsecpinghosts", "a");
+ $iflist = get_configured_interface_list();
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+ if (ip_in_subnet($interface_ip, $local_subnet))
+ $srcip = $interface_ip;
+ }
+ $dstip = $ph2ent['pinghost'];
+ fwrite($pfd, "$srcip|$dstip|3\n");
+ fclose($pfd);
}
- $dstip = $ph1ent['pinghost'];
- fwrite($pfd, "$srcip|$dstip|3\n");
- fclose($pfd);
}
}
}
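Review bot: `$srcip` is never reset before the interface loop, so when no interface address falls inside the phase2 local subnet the fwrite emits either an undefined variable or the `$srcip` left over from a previous phase2 entry, and the pinghosts record is written with a wrong source address. The `ipsec_idinfo_to_cidr()` call is loop-invariant yet re-evaluated once per interface, and the `fopen()` result is handed to fwrite without a check. Initialising `$srcip`, hoisting the subnet computation, and skipping the write when no local address was found keeps /var/db/ipsecpinghosts consistent; the sketch below does that. vpn_ipsec_configure() continues beyond this hunk.
```php
/* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) {
    /* reset per phase2 entry so a stale source address is never reused */
    $srcip = "";
    $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
    $iflist = get_configured_interface_list();
    foreach ($iflist as $ifent => $ifname) {
        $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
        if (ip_in_subnet($interface_ip, $local_subnet))
            $srcip = $interface_ip;
    }
    $dstip = $ph2ent['pinghost'];
    /* only record the host when a local address inside the phase2 subnet exists */
    if ($srcip != "") {
        $pfd = fopen("/var/db/ipsecpinghosts", "a");
        if ($pfd) {
            fwrite($pfd, "$srcip|$dstip|3\n");
            fclose($pfd);
        }
    }
}
```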
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 44efa5a..c309986 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -440,7 +440,7 @@ function show_ipsec_header() {
<td class="listhdrr">Mode</td>
<td class="listhdrr">P1 Protocol</td>
<td class="listhdrr">P1 Transforms</td>
- <td class="listhdrr">P2 DEscription</td>
+ <td class="listhdrr">P1 Description</td>
<td class ="list">
<a href="vpn_ipsec_phase2.php?ikeid={$ph1ent['ikeid']}{$mobile}">
<img src="./themes/{$g['theme']}/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0">
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 174f884..36e1924 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -106,8 +106,6 @@ if (isset($p1index) && $a_phase1[$p1index])
$pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
$pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
}
-
- $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost'];
}
else
{
@@ -302,8 +300,6 @@ if ($_POST) {
$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
}
- $ph1ent['pinghost'] = $pconfig['pinghost'];
-
/* generate unique phase1 ikeid */
if ($ph1ent['ikeid'] == 0)
$ph1ent['ikeid'] = ipsec_ikeid_next();
@@ -725,13 +721,6 @@ function dpdchkbox_change() {
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">Automatically ping host</td>
- <td width="78%" class="vtable">
- <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>">
- IP address
- </td>
- </tr>
- <tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<?php if (isset($p1index) && $a_phase1[$p1index]): ?>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index a18a1de..bd922b4 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -74,6 +74,7 @@ if (isset($p2index) && $a_phase2[$p2index])
$pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option'];
$pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup'];
$pconfig['lifetime'] = $a_phase2[$p2index]['lifetime'];
+ $pconfig['pinghost'] = $a_phase2[$p2index]['pinghost'];
if (isset($a_phase2[$p2index]['mobile']))
$pconfig['mobile'] = true;
@@ -161,6 +162,7 @@ if ($_POST) {
$ph2ent['hash-algorithm-option'] = $pconfig['halgos'];
$ph2ent['pfsgroup'] = $pconfig['pfsgroup'];
$ph2ent['lifetime'] = $pconfig['lifetime'];
+ $ph2ent['pinghost'] = $pconfig['pinghost'];
$ph2ent['descr'] = $pconfig['descr'];
if (isset($pconfig['mobile']))
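Review bot: The added line stores `$pconfig['pinghost']` into the phase2 entry with no validation visible in this hunk, and vpn.inc writes that value verbatim into the pipe-delimited /var/db/ipsecpinghosts file, where a value containing `|` or a newline breaks the record format. Unless the input_errors block earlier in the POST handler (outside this hunk) already covers it, the field should be checked before saving, e.g. `if ($pconfig['pinghost'] && !is_ipaddr($pconfig['pinghost'])) $input_errors[] = "A valid IP address must be specified for the ping host.";` following the page's usual pattern. The phase1 code this was moved from did not validate it either, so the gap predates the move.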
@@ -262,6 +264,15 @@ function typesel_change_remote(bits) {
<?php endif; ?>
+function protocol_change() {
+ index = document.iform.proto.selectedIndex;
+ value = document.iform.proto.options[index].value;
+ if (value == 'esp')
+ document.getElementById('opt_enc').style.display = '';
+ else
+ document.getElementById('opt_enc').style.display = 'none';
+}
+
//-->
</script>
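Review bot: `index` and `value` in protocol_change() are assigned without `var`, so they become implicit globals on the page; declare them locally, `var index = document.iform.proto.selectedIndex;` and `var value = document.iform.proto.options[index].value;`. The function is only wired to the select's onChange in a later hunk, so unless it is also invoked on page load elsewhere, an entry saved with a non-ESP protocol still shows the encryption row until the user touches the select; calling `protocol_change()` once after the form is rendered would close that gap.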
@@ -395,7 +406,7 @@ function typesel_change_remote(bits) {
<tr>
<td width="22%" valign="top" class="vncellreq">Protocol</td>
<td width="78%" class="vtable">
- <select name="proto" class="formselect">
+ <select name="proto" class="formselect" onChange="protocol_change()">
<?php foreach ($p2_protos as $proto => $protoname): ?>
<option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
<?=htmlspecialchars($protoname);?>
@@ -408,7 +419,7 @@ function typesel_change_remote(bits) {
</span>
</td>
</tr>
- <tr>
+ <tr id="opt_enc">
<td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="0">
@@ -503,6 +514,19 @@ function typesel_change_remote(bits) {
</td>
</tr>
<tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Advanced Options</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Automatically ping host</td>
+ <td width="78%" class="vtable">
+ <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>">
+ IP address
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<?php if (isset($p2index) && $a_phase2[$p2index]): ?>
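Review bot: The new pinghost input echoes `$pconfig['pinghost']` into the value attribute unescaped, while the rest of this form passes values through htmlspecialchars() (the protocol option label in an earlier hunk of this file, for instance); a stored value containing a quote breaks out of the attribute. Use `value="<?=htmlspecialchars($pconfig['pinghost']);?>"`. The markup is the phase1 row moved over unchanged, so the missing escaping predates this commit.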