author | Ermal <eri@pfsense.org> | 2014-02-25 11:09:46 +0100 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-02-25 11:10:01 +0100 |
commit | c6efc8fd152c41d8552301e4abda9f616bc9f20c (patch) | |
tree | 1fc9d4def554977b5407fb69c1785ff8e172baa1 | |
parent | 7335fa538070b28498b34ca278e8a314a96a182a (diff) | |
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
-rw-r--r-- | etc/inc/ipsec.inc | 6 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 21 | ||||
-rw-r--r-- | usr/local/www/system_advanced_misc.php | 53 |
3 files changed, 56 insertions, 24 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 8b8f1b9..8df0382 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -35,6 +35,12 @@
 */
 /* IPsec defines */
+$ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE SA", "chd" => "IKE Child SA",
+ "job" => "Job Processing", "cfg" => "Configuration backend", "knl" => "Kernel Interface",
+ "net" => "Networking", "asn" => "ASN encoding", "enc" => "Message encoding",
+ "imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service",
+ "tls" => "TLS handler", "app" => "Not daemon", "esp" => "IPSec traffic", "lib" => "StrongSWAN Lib");
+
 $my_identifier_list = array(
 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
 'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 8b5354c..5a6a5e5 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -43,6 +43,19 @@
 require_once("ipsec.inc");
+function vpn_ipsec_configure_loglevels()
+{
+ global $config;
+
+ foreach ($ipsec_loglevels as $lkey => $ldescr) {
+ if (empty($config['ipsec']["ipsec_{$lkey}"]))
+ mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false);
+ else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
+ intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 4)
+ mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
+ }
+}
+
 /* include all configuration functions */
 function vpn_ipsec_convert_to_modp($index) {
@@ -269,6 +282,7 @@ charon {
 ike = 1
 }
 }
+
 EOD;
 if (is_array($a_client) && isset($a_client['enable']) && !empty($a_client['net_list']))
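Review bot: The description strings in the new `$ipsec_loglevels` table are plain literals, while the neighbouring `$my_identifier_list` in the same file wraps every `desc` in `gettext()`; since `$ldescr` is rendered straight into the settings page in this commit, the labels should follow the same convention, e.g. `"dmn" => gettext("Daemon")`. The spelling is also mixed ("IPSec traffic", "StrongSWAN Lib") next to the file's own `IPsec` comment and the product name strongSwan; pick one form.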
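Review bot: `vpn_ipsec_configure_loglevels()` iterates `$ipsec_loglevels` but only declares `global $config;`, so inside the function the table is undefined, the `foreach` raises a warning and no `stroke loglevel` command is ever issued; the first body line should be `global $config, $ipsec_loglevels;`. The range check `<= 4` also drops the sixth entry the form built in system_advanced_misc.php offers (index 5, "Highest"), so that choice is accepted by the page but silently never applied; if the intent is "form index N maps to charon level N-1", the bound must be `<= 5`. The command string itself only interpolates `$lkey` (a key of the file's own table) and an `intval()` result, so the raw config value never reaches the shell, which is the right shape to keep; validating the value where the form is saved would still make the silent-ignore path here unnecessary. The whole function is inside this hunk.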
@@ -356,9 +370,10 @@ EOD;
 if ($a_client['user_source'] != "none") {
 $strongswan .= "\txauth-generic {\n";
- $strongswan .= "\t\tscript = /etc/inc/ipsec.auth-user.php";
+ $strongswan .= "\t\tscript = /etc/inc/ipsec.auth-user.php\n";
 $strongswan .= "\t\tauthcfg = ";
 $firstsed = 0;
+ $authcfgs = explode(",", $a_client['user_source']);
 foreach ($authcfgs as $authcfg) {
 if ($firstsed > 0)
 $strongswan .= ",";
@@ -468,7 +483,7 @@ EOD;
 }
 if (!empty($peerid_data) && !empty($ph1ent['pre-shared-key']))
- $pskconf .= trim($peerid_data) . ": PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
+ $pskconf .= trim($peerid_data) . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
 }
 }
 }
@@ -825,7 +840,7 @@ EOD;
 /* generate IPsec policies */
 $natfilterrules = false;
 /* mange process */
- if (isvalidpid("{$g['varrun_path']/charon.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
 /* Read secrets */
 mwexec("/usr/local/sbin/ipsec rereadall", false);
 /* Update configuration changes */
diff --git a/usr/local/www/system_advanced_misc.php b/usr/local/www/system_advanced_misc.php
index b3ed759..558c40d 100644
--- a/usr/local/www/system_advanced_misc.php
+++ b/usr/local/www/system_advanced_misc.php
@@ -60,7 +60,10 @@ $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
 $pconfig['srctrack'] = $config['system']['srctrack'];
 $pconfig['gw_switch_default'] = isset($config['system']['gw_switch_default']);
 $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
-$pconfig['racoondebug_enable'] = isset($config['ipsec']['racoondebug']);
+foreach ($ipsec_loglevel as $lkey => $ldescr) {
+ if (!empty($config['ipsec']["ipsec_{$lkey}"]))
+ $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
+}
 $pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
 $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
 $pconfig['maxmss'] = $config['system']['maxmss'];
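Review bot: The rewritten `ipsec.secrets` line in the `@@ -468,7 +483,7 @@` hunk still places `trim($ph1ent['pre-shared-key'])` inside double quotes with no escaping, so a pre-shared key that contains `"` or a line break terminates the quoted token early and leaves the rest of the key as stray tokens in the secrets file, breaking the file for every peer listed after it. strongSwan also accepts a secret in base64 form with the `0s` prefix, which sidesteps quoting altogether: `$pskconf .= trim($peerid_data) . " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";`. If the quoted form is kept instead, the key should be rejected at input time when it contains a double quote or newline. The loop that builds `$pskconf` starts and ends outside the hunk.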
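Review bot: The new `$pconfig` loop in system_advanced_misc.php iterates `$ipsec_loglevel`, but the table this commit defines in ipsec.inc is `$ipsec_loglevels`; the variable is undefined here, so `foreach` emits a warning and the saved levels are never copied into `$pconfig` (every select renders with its first option). The same misspelling appears in the `$_POST` loop of the next hunk (`@@ -167,25 +170,17 @@`), where it means no level is ever written to `$config` either. Both lines should read `foreach ($ipsec_loglevels as $lkey => $ldescr) {`, and `$ldescr` is unused in this loop, so `$lkey => $ldescr` could be just `array_keys($ipsec_loglevels)`.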
@@ -167,25 +170,17 @@ if ($_POST) {
 elseif (isset($config['ipsec']['failoverforcereload']))
 unset($config['ipsec']['failoverforcereload']);
- $need_racoon_restart = false;
- if($_POST['racoondebug_enable'] == "yes") {
- if (!isset($config['ipsec']['racoondebug'])) {
- $config['ipsec']['racoondebug'] = true;
- $need_racoon_restart = true;
- }
- } else {
- if (isset($config['ipsec']['racoondebug'])) {
- unset($config['ipsec']['racoondebug']);
- $need_racoon_restart = true;
- }
+ foreach ($ipsec_loglevel as $lkey => $ldescr) {
+ if (empty($_POST["ipsec_{$lkey}"]))
+ unset($config['ipsec']["ipsec_{$lkey}"]);
+ else
+ $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"];
 }
 if($_POST['noinstalllanspd'] == "yes") {
 if (!isset($pconfig['noinstalllanspd']))
- $need_racoon_restart = true;
 $config['system']['noinstalllanspd'] = true;
 } else {
 if (isset($config['system']['noinstalllanspd']))
- $need_racoon_restart = true;
 unset($config['system']['noinstalllanspd']);
 }
@@ -266,8 +261,8 @@ if ($_POST) {
 load_crypto();
 load_thermal_hardware();
 vpn_ipsec_configure_preferoldsa();
- if ($need_racoon_restart)
- vpn_ipsec_force_reload();
+ vpn_ipsec_configure();
+ vpn_ipsec_configure_loglevels();
 if ($need_relayd_restart)
 relayd_configure();
 }
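Review bot: Deleting the two `$need_racoon_restart = true;` lines leaves their brace-less `if` statements standing, so `if (!isset($pconfig['noinstalllanspd']))` now guards `$config['system']['noinstalllanspd'] = true;` and `if (isset($config['system']['noinstalllanspd']))` guards the `unset`; if `$pconfig` is filled from `$_POST` earlier in this handler (outside the hunk), the first key is always set on a "yes" submission and the option can no longer be enabled. Remove the two orphaned `if` lines, since the assignment and the `unset` were meant to run unconditionally in their branches. The new loop also stores `$_POST["ipsec_{$lkey}"]` into `$config` with no validation; the select only produces `0`–`5`, so anything else should be reported as an input error alongside the other fields this handler checks rather than left for `vpn_ipsec_configure_loglevels()` to silently skip, e.g. `if (!is_numeric($_POST["ipsec_{$lkey}"]) || $_POST["ipsec_{$lkey}"] < 0 || $_POST["ipsec_{$lkey}"] > 5) $input_errors[] = ...;`. The enclosing `if ($_POST)` block starts and ends outside this hunk.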
@@ -536,12 +531,28 @@ function tmpvar_checked(obj) {
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td>
 <td width="78%" class="vtable">
- <input name="racoondebug_enable" type="checkbox" id="racoondebug_enable" value="yes" <?php if ($pconfig['racoondebug_enable']) echo "checked=\"checked\""; ?> />
- <strong><?=gettext("Start racoon in debug mode"); ?></strong>
+ <strong><?=gettext("Start IPSec in debug mode based on sections selected"); ?></strong>
 <br />
- <?=gettext("Launches racoon in debug mode so that more verbose logs " .
- "will be generated to aid in troubleshooting."); ?><br/>
- <?=gettext("NOTE: Changing this setting will restart racoon."); ?>
+ <table>
+ <?php foreach ($ipsec_loglevels as $lkey => $ldescr): ?>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=$ldescr;?></td>
+ <td width="78%" valign="top" class="vncell">
+ <?php echo "<select name=\"ipsec_{$lkey}\" id=\"ipsec_{$lkey}\">\n";
+ foreach (array("Silent", "Audit", "Control", "Diag", "Raw", "Highest") as $lidx => $lvalue) {
+ echo "<option value=\"{$lidx}\" ";
+ if ($pconfig["ipsec_{$lkey}"] == $lidx)
+ echo "\"selected\"";
+ echo ">{$lvalue}</option>\n";
+ }
+ ?> />
+ </select>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ <br/><?=gettext("Launches IPSec in debug mode so that more verbose logs " .
+ "will be generated to aid in troubleshooting."); ?>
 </td>
 </tr>
 <tr> |
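Review bot: The selected option is written with `echo "\"selected\"";`, which produces `<option value="1" "selected">` — a stray quoted token rather than an attribute — so the saved level is never preselected in the browser; it should be `echo "selected=\"selected\"";`. The ` />` left after the closing `?>` on the line before `</select>` is likewise literal text inside the `<select>` element and should be deleted. `$pconfig["ipsec_{$lkey}"] == $lidx` raises an undefined-index notice when no level is saved and relies on loose comparison (`null == 0` is true); `isset($pconfig["ipsec_{$lkey}"]) && (int)$pconfig["ipsec_{$lkey}"] === $lidx` states the intent. Finally, the six options here (indices 0–5) do not match the `1`–`4` window accepted by `vpn_ipsec_configure_loglevels()` in vpn.inc, so "Highest" can be chosen and saved but never takes effect; the option list and the consumer should be derived from one shared table.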