authorErmal LUÇI <eri@pfsense.org>2015-01-13 16:38:12 +0100
committerErmal LUÇI <eri@pfsense.org>2015-01-13 19:57:28 +0100
commitb40137258e69f31a94366eff7ee32722a4f344b1 (patch)
tree09bfd29212e204999895a5711a73bb8fe9b044fb
parent6db7ee23db8582d1ee06c7fff83c19a014415838 (diff)
downloadpfsense-b40137258e69f31a94366eff7ee32722a4f344b1.zip
pfsense-b40137258e69f31a94366eff7ee32722a4f344b1.tar.gz
To avoid issues with clashing SAIDs, go back to specifying the reqid in the strongswan config.
To be able to manage this, first upgrade the config to assign each phase2 a reqid; second, use that during config generation. Ticket #4208
-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/ipsec.inc23
-rw-r--r--etc/inc/upgrade_config.inc13
-rw-r--r--etc/inc/vpn.inc4
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php8
5 files changed, 49 insertions, 1 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 5c0b484..bbb5acb 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -1,6 +1,6 @@
<?xml version="1.0"?>
<pfsense>
- <version>11.5</version>
+ <version>11.6</version>
<lastchange/>
<theme>pfsense_ng</theme>
<system>
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 3d21753..2762616 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -671,4 +671,27 @@ function ipsec_fixup_network($network) {
return $result;
}
+function ipsec_new_reqid() {
+ global $config;
+
+ if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
+ return;
+
+ $ipsecreqid = lock('ipsecreqids', LOCK_EX);
+ $keyids = array();
+ $keyid = 1;
+ foreach ($config['ipsec']['phase2'] as $ph2)
+ $keyids[$ph2['reqid']] = $ph2['reqid'];
+
+ for ($i = 1; $i < 16000; $i++) {
+ if (!isset($keyids[$i])) {
+ $keyid = $i;
+ break;
+ }
+ }
+ unlock($ipsecreqid);
+
+ return $keyid;
+}
+
?>
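Review bot: The early `return;` in ipsec_new_reqid() yields null when `$config['ipsec']['phase2']` does not exist yet, so the very first phase2 saved through vpn_ipsec_phase2.php is stored without a reqid and vpn.inc later emits an empty `reqid =` line for it; that branch should return the first free id instead, `return 1;`. The `lock('ipsecreqids', LOCK_EX)` is released on the line before the return, while the caller only writes the chosen id into the config afterwards, so two concurrent saves can still both be handed the same id and the lock does not prevent the SAID clash the commit aims to fix; the allocation and the write-back would need to happen under one lock to be effective. When all ids below 16000 are taken the loop falls through and the function silently returns the default `$keyid = 1`, which is a duplicate; returning a distinguishable failure (or logging via log_error) would be safer.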
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 72fc80f..690db45 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -3539,4 +3539,17 @@ function upgrade_114_to_115() {
$config['unbound']['custom_options'] = base64_encode($config['unbound']['custom_options']);
}
+function upgrade_115_to_116() {
+ global $config;
+
+ if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
+ return;
+
+ $keyid = 1;
+ foreach ($config['ipsec']['phase2'] as $idx => $ph2) {
+ $config['ipsec']['phase2'][$idx]['reqid'] = $keyid;
+ $keyid++;
+ }
+}
+
?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index dac49bc..e0a66e0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -668,6 +668,7 @@ EOD;
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
+ $reqids = array();
$ealgoAHsp2arr = array();
$ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) {
@@ -807,6 +808,7 @@ EOD;
}
}
+ $reqids[] = $ph2ent['reqid'];
if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
@@ -860,6 +862,7 @@ EOD;
$ipsecfin = '';
foreach ($rightsubnet_spec as $idx => $rsubnet) {
$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
+ $ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
$ipsecfin .= $ipsecconnect;
$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
@@ -868,6 +871,7 @@ EOD;
log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
} else {
$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
+ $ipsecfin .= "\treqid = " . $reqids[0] . "\n";
$ipsecfin .= $ipsecconnect;
if (!empty($rightsubnet_spec)) {
$tempsubnets = array();
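Review bot: The added `reqid =` lines at `$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";` and `$ipsecfin .= "\treqid = " . $reqids[0] . "\n";` emit whatever is in `$reqids`, so a phase2 entry with no reqid (a config not yet upgraded, or ipsec_new_reqid() having returned null) produces a bare `reqid =` in the generated strongswan config; guard the emission with `if (!empty($reqids[$idx])) { $ipsecfin .= "\treqid = {$reqids[$idx]}\n"; }` and likewise for index 0. The lookup also assumes `$reqids` and `$rightsubnet_spec` are appended in lockstep for every `$ph2ent`; `$reqids[] = $ph2ent['reqid'];` is added after a closing brace, so if any earlier branch in the loop skips an entry with `continue` before that point, the two arrays drift and a tunnel gets another tunnel's reqid — this cannot be confirmed from the hunk and is worth checking. The enclosing function starts and ends outside these hunks.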
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 6f07408..160b264 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -93,6 +93,7 @@ if ($ph2found === true)
$pconfig['pfsgroup'] = $ph2['pfsgroup'];
$pconfig['lifetime'] = $ph2['lifetime'];
$pconfig['pinghost'] = $ph2['pinghost'];
+ $pconfig['reqid'] = $ph2['reqid'];
if (isset($ph2['mobile']))
$pconfig['mobile'] = true;
@@ -320,6 +321,10 @@ if ($_POST) {
$ph2ent['uniqid'] = $pconfig['uniqid'];
$ph2ent['mode'] = $pconfig['mode'];
$ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
+ if (!isset($pconfig['reqid']))
+ $ph2ent['reqid'] = ipsec_new_reqid();
+ else
+ $ph2ent['reqid'] = $pconfig['reqid'];
if(($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")){
if (!empty($pconfig['natlocalid_address']))
@@ -832,6 +837,9 @@ function change_protocol() {
<?php endif; ?>
<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" />
+ <?php if (!empty($pconfig['reqid'])): ?>
+ <input name="reqid" type="hidden" value="<?=htmlspecialchars($pconfig['reqid']);?>" />
+ <?php endif; ?>
<input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" />
</td>
</tr>
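Review bot: The POST handler at `$ph2ent['reqid'] = $pconfig['reqid'];` stores the submitted value unchecked, and since `reqid` is carried in a hidden form field (`<input name="reqid" type="hidden" ...>`) and `$pconfig` is presumably populated from `$_POST` above the hunk, a non-numeric or duplicate value from the client ends up in the config and then verbatim in the strongswan config via vpn.inc. Validate it as a positive integer before accepting it, e.g. `if (!isset($pconfig['reqid']) || !ctype_digit((string) $pconfig['reqid']))` falling through to `ipsec_new_reqid()`, and `$ph2ent['reqid'] = intval($pconfig['reqid']);` in the else branch. Preferably the saved value should be taken from the existing phase2 entry being edited rather than from the form, so the reqid allocated by ipsec_new_reqid() cannot be overridden to collide with another tunnel. The enclosing POST block continues outside the hunk.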