diff options
author | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:23 +0200 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:23 +0200 |
commit | 534753890c74d7ce1188fe9a7b6f5f1b153f802d (patch) | |
tree | 6a92685abfa8a2156eaa05fb38237284d60a6c23 | |
parent | 9bbc482102d7a0a562a4368e9034e499651ac2e6 (diff) | |
download | pfsense-534753890c74d7ce1188fe9a7b6f5f1b153f802d.zip pfsense-534753890c74d7ce1188fe9a7b6f5f1b153f802d.tar.gz |
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel
-rw-r--r-- | etc/inc/vpn.inc | 19 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 16 |
2 files changed, 35 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 8df1e6f..3131666 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -590,6 +590,25 @@ EOD; $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n"; $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n"; + if (isset($config['ipsec']['shuntlaninterfaces'])) { + if ($config['interfaces']['lan']) { + $lanip = get_interface_ip("lan"); + if (!empty($lanip) && is_ipaddrv4($lanip)) { + $lansn = get_interface_subnet("lan"); + $lansa = gen_subnet($lanip, $lansn); + $ipsecconf .= <<<EOD +conn bypasslan + leftsubnet={$lanip}/32 + rightsubnet={$lansa}/{$lansn} + authby=never + type=pass + auto=route + +EOD; + } + } + } + foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) continue; diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php index 41d6a3a..203566e 100644 --- a/usr/local/www/vpn_ipsec_settings.php +++ b/usr/local/www/vpn_ipsec_settings.php @@ -46,6 +46,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) { $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"]; } $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']); +$pconfig['shuntlaninterfaces'] = isset($config['ipsec']['shuntlaninterfaces']); $pconfig['compression'] = isset($config['ipsec']['compression']); $pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']); $pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']); @@ -155,6 +156,12 @@ if ($_POST) { unset($config['ipsec']['unityplugin']); } + if($_POST['shuntlaninterfaces'] == "yes") { + $config['ipsec']['unityplugin'] = true; + } elseif (isset($config['ipsec']['shuntlaninterfaces'])) { + unset($config['ipsec']['shuntlaninterfaces']); + } + if($_POST['acceptunencryptedmainmode'] == "yes") { if (!isset($config['ipsec']['acceptunencryptedmainmode'])) $needsrestart = true; @@ -349,6 +356,15 @@ function maxmss_checked(obj) { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Bypass LAN address"); ?></td> + <td width="78%" class="vtable"> + <input name="shuntlaninterfaces" type="checkbox" id="shuntlaninterfaces" value="yes" <?php if ($pconfig['shuntlaninterfaces'] == true) echo "checked=\"checked\""; ?> /> + <strong><?=gettext("Enable bypass for LAN interface ip"); ?></strong> + <br /> + <?=gettext("Prevent LAN ip address to be proccessed for IPsec traffic."); ?> + </td> + </tr> + <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input name="submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> |