authorChris Buechler <cmb@pfsense.org>2015-03-03 00:16:33 -0600
committerChris Buechler <cmb@pfsense.org>2015-03-03 00:18:50 -0600
commit911cc213abd60d2d090778a080ac144e9501716a (patch)
treeedd1615a5e2369d3a9fd8bc7a9c671c3444a4948
parentc8703520b5c4b39c7363a67267ae94dae1660e48 (diff)
Remove the "Prefer old SA" option, and ignore it in all existing configurations. It breaks things in many cases with strongSwan. For the very rare circumstances where this behavior is actually desirable, the underlying sysctl can still be set in System Tunables.
-rw-r--r--etc/inc/vpn.inc10
-rw-r--r--usr/local/www/vpn_ipsec_settings.php18
2 files changed, 0 insertions, 28 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d4a0e55..eb5eaf2 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -105,8 +105,6 @@ function vpn_ipsec_configure($restart = false)
unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
touch("{$g['vardb_path']}/ipsecpinghosts");
- vpn_ipsec_configure_preferoldsa();
-
$syscfg = $config['system'];
$ipseccfg = $config['ipsec'];
if (!isset($ipseccfg['enable'])) {
@@ -1769,12 +1767,4 @@ EOD;
return 0;
}
-function vpn_ipsec_configure_preferoldsa() {
- global $config;
- if(isset($config['ipsec']['preferoldsa']))
- set_single_sysctl("net.key.preferred_oldsa", "-30");
- else
- set_single_sysctl("net.key.preferred_oldsa", "0");
-}
-
?>
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 5c3ea27..39c1862 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -41,7 +41,6 @@ require_once("shaper.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
-$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
foreach ($ipsec_loglevels as $lkey => $ldescr) {
if (!empty($config['ipsec']["ipsec_{$lkey}"]))
$pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
@@ -115,11 +114,6 @@ if ($_POST) {
if (!$input_errors) {
- if($_POST['preferoldsa_enable'] == "yes")
- $config['ipsec']['preferoldsa'] = true;
- elseif (isset($config['ipsec']['preferoldsa']))
- unset($config['ipsec']['preferoldsa']);
-
if (is_array($config['ipsec'])) {
foreach ($ipsec_loglevels as $lkey => $ldescr) {
if (empty($_POST["ipsec_{$lkey}"])) {
@@ -182,7 +176,6 @@ if ($_POST) {
else
$savemsg = gettext($retval);
- vpn_ipsec_configure_preferoldsa();
vpn_ipsec_configure($needsrestart);
vpn_ipsec_configure_loglevels();
@@ -243,17 +236,6 @@ function maxmss_checked(obj) {
<td colspan="2" valign="top" class="listtopic"><?=gettext("IPsec Advanced Settings"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Security Associations"); ?></td>
- <td width="78%" class="vtable">
- <input name="preferoldsa_enable" type="checkbox" id="preferoldsa_enable" value="yes" <?php if ($pconfig['preferoldsa_enable']) echo "checked=\"checked\""; ?> />
- <strong><?=gettext("Prefer older IPsec SAs"); ?></strong>
- <br />
- <?=gettext("By default, if several SAs match, the newest one is " .
- "preferred if it's at least 30 seconds old. Select this " .
- "option to always prefer old SAs over new ones."); ?>
- </td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td>
<td width="78%" class="vtable">
<strong><?=gettext("Start IPsec in debug mode based on sections selected"); ?></strong>