author | Ermal LUÇI <eri@pfsense.org> | 2015-01-31 11:06:44 +0100 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-01-31 11:06:55 +0100 |
commit | 41da54ce14d2d43a5ce9738bd80b73355fa26180 (patch) | |
tree | e1b43369e9ab358d95dfcf49688fe8b207cdf002 | |
parent | ee65c642df6466ed59c332d448a4804690ce55c1 (diff) | |
Fixes #4353 Identify when strongswan.conf needs a reload and restart ipsec service.
-rw-r--r-- | etc/inc/vpn.inc | 26 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_mobile.php | 5 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 28 |
3 files changed, 42 insertions, 17 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a37f069..48cc331 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -94,7 +94,7 @@ function vpn_ipsec_convert_to_modp($index)
 	return $convertion;
 }
 
-function vpn_ipsec_configure($ipchg = false)
+function vpn_ipsec_configure($restart = false)
 {
 	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
 
@@ -293,9 +293,15 @@ function vpn_ipsec_configure($ipchg = false)
 	if (isset($config['ipsec']['acceptunencryptedmainmode']))
 		$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
 
+	$stronconf = '';
+	if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf"))
+		$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
+
 	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
 	if ($aggressive_mode_psk) {
 		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+		if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE)
+			$restart = true;
 		$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
 	}
 
@@ -308,6 +314,8 @@ function vpn_ipsec_configure($ipchg = false)
 	else
 		$ifacesuse = '';
 
+	unset($strongconf);
+
 	$strongswan = <<<EOD
 # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
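Review bot: Renaming the parameter from `$ipchg` to `$restart` silently changes what a positional `true` means for every existing caller of vpn_ipsec_configure(), and this commit only touches the two www pages; if any other caller still passes `true` for the old "IP changed" meaning it will now trigger a full `ipsec restart` and tear down established SAs. Worth checking every `vpn_ipsec_configure(` call site outside the three files in the diffstat before merging, or keeping the old parameter name and adding a second one. The function body continues outside the hunk.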
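Review bot: The variable the second hunk reads is `$stronconf`, but the third hunk unsets `$strongconf`, so the unset is a no-op and the whole strongswan.conf text stays alive in `$stronconf` for the rest of the function; one of the two should be renamed, e.g. `unset($stronconf);`. Separately, the restart is only forced when the `i_dont_care_about_security_and_use_aggressive_mode_psk` option is about to be added to strongswan.conf; when the last aggressive-mode PSK phase 1 is removed the option disappears from the rewritten file, but the non-restart path below only runs `ipsec update`, so the running daemon presumably keeps the insecure setting until some later restart, which is the transition that matters most. Handling the reverse direction on the else path of `if ($aggressive_mode_psk)`, `} elseif (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') !== FALSE) {` followed by `$restart = true;`, closes that gap. vpn_ipsec_configure() starts and ends outside this hunk.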
@@ -993,13 +1001,17 @@ EOD;
 	set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
 
 	/* mange process */
-	if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
-		/* Read secrets */
-		mwexec("/usr/local/sbin/ipsec rereadall", false);
-		/* Update configuration changes */
-		mwexec("/usr/local/sbin/ipsec update", false);
+	if ($restart === true) {
+		mwexec("/usr/local/sbin/ipsec restart", false);
 	} else {
-		mwexec("/usr/local/sbin/ipsec start", false);
+		if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
+			/* Read secrets */
+			mwexec("/usr/local/sbin/ipsec rereadall", false);
+			/* Update configuration changes */
+			mwexec("/usr/local/sbin/ipsec update", false);
+		} else {
+			mwexec("/usr/local/sbin/ipsec start", false);
+		}
 	}
 
 	if ($natfilterrules == true)
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index ac32a87..98072d8 100644
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -112,7 +112,8 @@ if ($_POST['create']) {
 
 if ($_POST['apply']) {
 	$retval = 0;
-	$retval = vpn_ipsec_configure();
+	/* NOTE: #4353 Always restart ipsec when mobile clients settings change */
+	$retval = vpn_ipsec_configure(true);
 	$savemsg = get_std_save_message($retval);
 	if ($retval >= 0)
 		if (is_subsystem_dirty('ipsec'))
@@ -227,8 +228,6 @@ if ($_POST['submit']) {
 		if ($pconfig['login_banner_enable'])
 			$client['login_banner'] = $pconfig['login_banner'];
 
-//		$echo "login banner = {$pconfig['login_banner']}";
-
 		$a_client = $client;
 
 		write_config();
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 9de5a26..fa9ae0b 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
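Review bot: `ipsec restart` is issued whenever `$restart === true` without first checking that charon is running, while both the removed code and the new else branch guard on `isvalidpid("{$g['varrun_path']}/charon.pid")` and keep a dedicated `ipsec start` path for the stopped case. Folding the pid check into the condition, `if ($restart === true && isvalidpid("{$g['varrun_path']}/charon.pid")) {`, sends a stopped service through the existing start branch and limits `restart` to the case it is meant for, a running daemon that must re-read strongswan.conf. vpn_ipsec_configure() continues outside the hunk.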
@@ -130,20 +130,34 @@ if ($_POST) {
 		}
 	}
 
-	if($_POST['compression'] == "yes")
+	$needsrestart = false;
+
+	if($_POST['compression'] == "yes") {
+		if (!isset($config['ipsec']['compression']))
+			$needsrestart = true;
 		$config['ipsec']['compression'] = true;
-	elseif (isset($config['ipsec']['compression']))
+	} elseif (isset($config['ipsec']['compression'])) {
+		$needsrestart = true;
 		unset($config['ipsec']['compression']);
+	}
 
-	if($_POST['unityplugin'] == "yes")
+	if($_POST['unityplugin'] == "yes") {
+		if (!isset($config['ipsec']['unityplugin']))
+			$needsrestart = true;
 		$config['ipsec']['unityplugin'] = true;
-	elseif (isset($config['ipsec']['unityplugin']))
+	} elseif (isset($config['ipsec']['unityplugin'])) {
+		$needsrestart = true;
 		unset($config['ipsec']['unityplugin']);
+	}
 
-	if($_POST['acceptunencryptedmainmode'] == "yes")
+	if($_POST['acceptunencryptedmainmode'] == "yes") {
+		if (!isset($config['ipsec']['acceptunencryptedmainmode']))
+			$needsrestart = true;
 		$config['ipsec']['acceptunencryptedmainmode'] = true;
-	elseif (isset($config['ipsec']['acceptunencryptedmainmode']))
+	} elseif (isset($config['ipsec']['acceptunencryptedmainmode'])) {
+		$needsrestart = true;
 		unset($config['ipsec']['acceptunencryptedmainmode']);
+	}
 
 	if($_POST['maxmss_enable'] == "yes") {
 		$config['system']['maxmss_enable'] = true;
@@ -163,7 +177,7 @@ if ($_POST) {
 			$savemsg = gettext($retval);
 
 		vpn_ipsec_configure_preferoldsa();
-		vpn_ipsec_configure();
+		vpn_ipsec_configure($needsrestart);
 		vpn_ipsec_configure_loglevels();
 
 		// header("Location: vpn_ipsec_settings.php");
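Review bot: The three option blocks are the same seven lines with only the option name substituted, and each still compares the posted value with `==`; a loop over the option names keeps the `$needsrestart` detection in one place, so the next strongswan.conf-affecting checkbox cannot be added while forgetting the restart flag, and a strict comparison plus an `isset()` guard avoids both the loose match and the notice on an unchecked box. The `maxmss_enable` block is left as the commit has it. The enclosing `if ($_POST)` block starts and ends outside the hunk.
```php
	$needsrestart = false;

	/* Each of these is written into strongswan.conf; a change to any of them
	 * is what the flag handed to vpn_ipsec_configure() reports. */
	foreach (array('compression', 'unityplugin', 'acceptunencryptedmainmode') as $opt) {
		if (isset($_POST[$opt]) && $_POST[$opt] === "yes") {
			if (!isset($config['ipsec'][$opt]))
				$needsrestart = true;
			$config['ipsec'][$opt] = true;
		} elseif (isset($config['ipsec'][$opt])) {
			$needsrestart = true;
			unset($config['ipsec'][$opt]);
		}
	}

	// … unchanged: maxmss_enable handling …
```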