author | mgrooms <mgrooms@shrew.net> | 2009-03-15 03:47:18 +0000 |
---|---|---|
committer | mgrooms <mgrooms@shrew.net> | 2009-03-15 03:47:18 +0000 |
commit | 87e07f5242b8018a9c45afee448377d05fbe00c4 (patch) | |
tree | 9d49712e09c5eafd81d59c4e7f0ae0da4f43fb58 | |
parent | 07ea77d066fafcf8121dddf83cec8f38e051e986 (diff) | |
Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.
-rw-r--r-- | etc/inc/upgrade_config.inc | 8 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 36 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 2 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 11 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 28 |
5 files changed, 56 insertions, 29 deletions
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 53e8f34..e8d6192 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -927,9 +927,6 @@ function upgrade_046_to_047() {
 if (isset($tunnel['p1']['private-key']))
 $ph1ent['private-key'] = $tunnel['p1']['private-key'];
- if (isset($tunnel['pinghost']['pinghost']))
- $ph1ent['pinghost'] = $tunnel['pinghost'];
-
 $ph1ent['nat_traversal'] = "on";
 $ph1ent['dpd_enable'] = 1;
 $ph1ent['dpd_delay'] = 10;
@@ -1009,6 +1006,9 @@ function upgrade_046_to_047() {
 $ph2ent['pfsgroup'] = $tunnel['p2']['pfsgroup'];
 $ph2ent['lifetime'] = $tunnel['p2']['lifetime'];
+ if (isset($tunnel['pinghost']['pinghost']))
+ $ph2ent['pinghost'] = $tunnel['pinghost'];
+
 $a_phase2[] = $ph2ent;
 }
@@ -1725,4 +1725,4 @@ function upgrade_056_to_057() {
 unset($config['captiveportal']['user']);
 }
 }
-?>
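Review bot: The block moved in the second hunk guards on `isset($tunnel['pinghost']['pinghost'])` but assigns `$tunnel['pinghost']`, so the check and the value refer to two different shapes of the old config, and the commit relocates the lines without reconciling them. If the pre-047 tunnel stored the address nested as `['pinghost']['pinghost']`, the assignment copies an array into a field that vpn.inc later interpolates into a string; if it was a flat string, the guard is an `isset` on a string offset whose result varies with the PHP version. Both lines should name the same key once the old schema is confirmed, e.g. `if (!empty($tunnel['pinghost']) && is_string($tunnel['pinghost']))` followed by `$ph2ent['pinghost'] = $tunnel['pinghost'];`. Only upgrade_046_to_047 is touched, so a config already at a later version that carries `pinghost` on a phase1 entry is not migrated and silently loses the setting now that vpn_ipsec_phase1.php no longer reads it.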
\ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5db241d..1e9ea34 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -162,6 +162,8 @@ function vpn_ipsec_configure($ipchg = false)
 $rgmap = array();
 $dnswatch_list = array();
 if (is_array($a_phase1) && count($a_phase1)) {
+
+ /* step through each phase1 entry */
 foreach ($a_phase1 as $ph1ent) {
 if (isset($ph1ent['disabled']))
 continue;
@@ -191,19 +193,31 @@ function vpn_ipsec_configure($ipchg = false)
 $rgmap[$ph1ent['remote-gateway']] = $rg;
- /* add an ipsec pinghosts entry */
+ /* step through each phase2 entry */
+ foreach ($a_phase2 as $ph2ent) {
+
+ $ikeid = $ph2ent['ikeid'];
+
+ if (isset($ph2ent['disabled']))
+ continue;
- if ($ph1ent['pinghost']) {
- $pfd = fopen("/var/db/ipsecpinghosts", "a");
- $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
- if (ip_in_subnet($interface_ip, $sa . "/" . $sn))
- $srcip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ if ($ikeid != $ph1ent['ikeid'])
+ continue;
+
+ /* add an ipsec pinghosts entry */
+ if ($ph2ent['pinghost']) {
+ $pfd = fopen("/var/db/ipsecpinghosts", "a");
+ $iflist = get_configured_interface_list();
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+ if (ip_in_subnet($interface_ip, $local_subnet))
+ $srcip = $interface_ip;
+ }
+ $dstip = $ph2ent['pinghost'];
+ fwrite($pfd, "$srcip|$dstip|3\n");
+ fclose($pfd);
 }
- $dstip = $ph1ent['pinghost'];
- fwrite($pfd, "$srcip|$dstip|3\n");
- fclose($pfd);
 }
 }
 }
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 44efa5a..c309986 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
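Review bot: In the rewritten pinghost block `$srcip` is never reset between phase2 entries, so when no interface address falls inside `$local_subnet` the `fwrite` emits either an undefined variable or the source address left over from the previous entry, and the line is written regardless. Initialise it before the interface loop, hoist the loop-invariant `ipsec_idinfo_to_cidr()` call out of the loop, and skip the entry when nothing matched; `fopen()` is also unchecked, so a failure there warns and then writes to `false`. Whether the consumer of /var/db/ipsecpinghosts tolerates an empty source field is not visible here, so skipping rather than writing a blank field is a presumption to confirm. The enclosing vpn_ipsec_configure() starts before this hunk and continues after it.
```php
/* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) {
	$srcip = "";
	$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
	$iflist = get_configured_interface_list();
	foreach ($iflist as $ifent => $ifname) {
		$interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
		if (ip_in_subnet($interface_ip, $local_subnet))
			$srcip = $interface_ip;
	}
	if ($srcip == "")
		continue;
	$pfd = fopen("/var/db/ipsecpinghosts", "a");
	if ($pfd === false)
		continue;
	$dstip = $ph2ent['pinghost'];
	fwrite($pfd, "$srcip|$dstip|3\n");
	fclose($pfd);
}
```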
@@ -440,7 +440,7 @@ function show_ipsec_header() {
 <td class="listhdrr">Mode</td>
 <td class="listhdrr">P1 Protocol</td>
 <td class="listhdrr">P1 Transforms</td>
- <td class="listhdrr">P2 DEscription</td>
+ <td class="listhdrr">P1 Description</td>
 <td class ="list">
 <a href="vpn_ipsec_phase2.php?ikeid={$ph1ent['ikeid']}{$mobile}">
 <img src="./themes/{$g['theme']}/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0">
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 174f884..36e1924 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -106,8 +106,6 @@ if (isset($p1index) && $a_phase1[$p1index])
 $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
 $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
 }
-
- $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost'];
 } else {
@@ -302,8 +300,6 @@ if ($_POST) {
 $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
 }
- $ph1ent['pinghost'] = $pconfig['pinghost'];
-
 /* generate unique phase1 ikeid */
 if ($ph1ent['ikeid'] == 0)
 $ph1ent['ikeid'] = ipsec_ikeid_next();
@@ -725,13 +721,6 @@ function dpdchkbox_change() {
 </td>
 </tr>
 <tr>
- <td width="22%" valign="top" class="vncell">Automatically ping host</td>
- <td width="78%" class="vtable">
- <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>">
- IP address
- </td>
- </tr>
- <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%">
 <?php if (isset($p1index) && $a_phase1[$p1index]): ?>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index a18a1de..bd922b4 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -74,6 +74,7 @@ if (isset($p2index) && $a_phase2[$p2index])
 $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option'];
 $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup'];
 $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime'];
+ $pconfig['pinghost'] = $a_phase2[$p2index]['pinghost'];
 if (isset($a_phase2[$p2index]['mobile']))
 $pconfig['mobile'] = true;
@@ -161,6 +162,7 @@ if ($_POST) {
 $ph2ent['hash-algorithm-option'] = $pconfig['halgos'];
 $ph2ent['pfsgroup'] = $pconfig['pfsgroup'];
 $ph2ent['lifetime'] = $pconfig['lifetime'];
+ $ph2ent['pinghost'] = $pconfig['pinghost'];
 $ph2ent['descr'] = $pconfig['descr'];
 if (isset($pconfig['mobile']))
@@ -262,6 +264,15 @@ function typesel_change_remote(bits) {
 <?php endif; ?>
+function protocol_change() {
+ index = document.iform.proto.selectedIndex;
+ value = document.iform.proto.options[index].value;
+ if (value == 'esp')
+ document.getElementById('opt_enc').style.display = '';
+ else
+ document.getElementById('opt_enc').style.display = 'none';
+}
+
 //-->
 </script>
@@ -395,7 +406,7 @@ function typesel_change_remote(bits) {
 <tr>
 <td width="22%" valign="top" class="vncellreq">Protocol</td>
 <td width="78%" class="vtable">
- <select name="proto" class="formselect">
+ <select name="proto" class="formselect" onChange="protocol_change()">
 <?php foreach ($p2_protos as $proto => $protoname): ?>
 <option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
 <?=htmlspecialchars($protoname);?>
@@ -408,7 +419,7 @@ function typesel_change_remote(bits) {
 </span>
 </td>
 </tr>
- <tr>
+ <tr id="opt_enc">
 <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
 <td width="78%" class="vtable">
 <table border="0" cellspacing="0" cellpadding="0">
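Review bot: In the `if ($_POST)` hunk the new `$ph2ent['pinghost'] = $pconfig['pinghost'];` stores the submitted value into the config without validating it, although the form labels the field "IP address" and vpn.inc writes it verbatim into the pipe-delimited /var/db/ipsecpinghosts line `"$srcip|$dstip|3\n"`. A value containing `|` or a newline corrupts that file's record format, and whatever consumes the file afterwards is not visible here. Add a check alongside the page's other input validation (which sits outside this hunk), e.g. `if ($pconfig['pinghost'] && !is_ipaddr($pconfig['pinghost'])) $input_errors[] = "A valid IP address must be specified for the ping host.";`, assuming pfSense's `is_ipaddr()` helper and an `$input_errors` array are in scope in this file, neither of which the hunk shows. The `$ph2ent` assignment block starts before the hunk and continues past it.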
@@ -503,6 +514,19 @@ function typesel_change_remote(bits) {
 </td>
 </tr>
 <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Advanced Options</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Automatically ping host</td>
+ <td width="78%" class="vtable">
+ <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>">
+ IP address
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%">
 <?php if (isset($p2index) && $a_phase2[$p2index]): ?>
|
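Review bot: The new input echoes `value="<?=$pconfig['pinghost'];?>"` into an HTML attribute without escaping, whereas the protocol select earlier in this file already wraps its output in `htmlspecialchars()`. If `$pconfig` is repopulated from `$_POST` on a failed save, as the assignment outside this hunk presumably does, a crafted submission is reflected into the attribute unescaped, and the stored config value is likewise rendered raw on every edit of the entry. Change the attribute to `value="<?=htmlspecialchars($pconfig['pinghost']);?>"` to match the file's existing convention.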