author | Chris Buechler <cmb@pfsense.org> | 2015-03-10 17:17:10 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-03-10 17:20:11 -0500 |
commit | eb6495c3b1dfdd3639a01bb27e7bf2285f9ae2ce (patch) | |
tree | 1c556a5206d23b28ad069384536208005d72f82d | |
parent | ea7ad4c25fcc2cf341b7ffbf478588b54d0248f6 (diff) | |
Don't enable interfaces_use by default. Add checkbox to enable on Advanced
tab, in case there are scenarios where it's desirable. Ticket #4341
Conflicts:
etc/inc/vpn.inc
-rw-r--r-- | etc/inc/vpn.inc | 11 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 19 |
2 files changed, 27 insertions, 3 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index cd2b985..4c353ee 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -310,10 +310,15 @@ function vpn_ipsec_configure($restart = false)
 if (isset($config['ipsec']['unityplugin']))
 $unity_enabled = 'no';
- if (!empty($ifacesuse))
- $ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
- else
+ if (isset($config['ipsec']['enableinterfacesuse'])) {
+ if (!empty($ifacesuse)) {
+ $ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
+ } else {
+ $ifacesuse = '';
+ }
+ } else {
 $ifacesuse = '';
+ }
 unset($stronconf);
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 39c1862..c944ef7 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -47,6 +47,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
 }
 $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
 $pconfig['compression'] = isset($config['ipsec']['compression']);
+$pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']);
 $pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']);
 $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
 $pconfig['maxmss'] = $config['system']['maxmss'];
@@ -134,6 +135,15 @@ if ($_POST) {
 $needsrestart = true;
 unset($config['ipsec']['compression']);
 }
+
+ if($_POST['enableinterfacesuse'] == "yes") {
+ if (!isset($config['ipsec']['enableinterfacesuse']))
+ $needsrestart = true;
+ $config['ipsec']['enableinterfacesuse'] = true;
+ } elseif (isset($config['ipsec']['enableinterfacesuse'])) {
+ $needsrestart = true;
+ unset($config['ipsec']['enableinterfacesuse']);
+ }
 if($_POST['unityplugin'] == "yes") {
 if (!isset($config['ipsec']['unityplugin']))
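Review bot: The new outer `isset($config['ipsec']['enableinterfacesuse'])` test means an existing configuration, which has no such key, stops emitting `interfaces_use` after upgrade, so a deployment that relied on charon being limited to the tunnel interfaces changes behaviour with no config migration or log line. With the line omitted strongSwan presumably considers every interface, so it is worth confirming that firewall rules, not the daemon's interface list, are what restrict IKE on interfaces that carry no tunnels. The two branches that assign `''` can also be folded into one condition, `if (isset($config['ipsec']['enableinterfacesuse']) && !empty($ifacesuse)) {`, leaving a single `else`. The body of vpn_ipsec_configure starts and ends outside the hunk.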
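Review bot: `$_POST['enableinterfacesuse']` is read in the `@@ -134,6 +135,15 @@` hunk without checking that the key exists, and an unchecked checkbox is not submitted at all, so the line raises an undefined-index notice on every save with the box clear. `if (isset($_POST['enableinterfacesuse']) && $_POST['enableinterfacesuse'] === "yes") {` avoids that and drops the loose comparison. The brace-less `if (!isset(...))` sits directly above `$config['ipsec']['enableinterfacesuse'] = true;` and reads as if both statements were conditional, so braces would help here. The enclosing `if ($_POST)` block begins and ends outside the hunk.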
@@ -296,6 +306,15 @@ function maxmss_checked(obj) {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Strict interface binding"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="enableinterfacesuse" type="checkbox" id="enableinterfacesuse" value="yes" <?php if ($pconfig['enableinterfacesuse']) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Enable strict interface binding"); ?></strong>
+ <br />
+ <?=gettext("Enable strongSwan's interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time."); ?>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td>
 <td width="78%" class="vtable">
 <input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> /> |
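Review bot: The help text says the option is not recommended but not what leaving it unchecked means, which is the state every install now gets. A sentence such as `When unchecked, strongSwan is not limited to the interfaces of the configured tunnels, so access to IKE should be restricted with firewall rules.` would make the trade-off visible; the wording should be checked against strongSwan's actual behaviour before it is added. The checkbox also has no `<label for="enableinterfacesuse">`, so the bold caption is not associated with the control. The table this row belongs to starts and ends outside the hunk.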