author | Ermal LUÇI <eri@pfsense.org> | 2015-04-18 10:34:46 +0200 |
committer | Ermal LUÇI <eri@pfsense.org> | 2015-04-18 10:35:51 +0200 |
commit | 1d839e6da61e7ce8eca949111ab41e59744d5e1e (patch) | |
tree | ba164760538f3f9b27b607bcf46debb5f3b2d098 | |
parent | e6130125dc49d005ac2c503be8a374cae375e16c (diff) | |
download | pfsense-1d839e6da61e7ce8eca949111ab41e59744d5e1e.zip pfsense-1d839e6da61e7ce8eca949111ab41e59744d5e1e.tar.gz |
Implement the make-before-break feature available on strongSwan 5.3.0, useful for IKEv2. Fixes #4626
-rw-r--r-- | etc/inc/vpn.inc | 8 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 18 |
2 files changed, 25 insertions, 1 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 103bd70..4dbf94b 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -322,7 +322,12 @@ function vpn_ipsec_configure($restart = false) mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED /usr/local/lib/ipsec/plugins/libstrongswan-unity.so"); conf_mount_ro(); } - + + $makebeforebreak = ''; + if (isset($config['ipsec']['makebeforebreak'])) { + $makebeforebreak = 'make_before_break = yes'; + } + if (isset($config['ipsec']['enableinterfacesuse'])) { if (!empty($ifacesuse)) { $ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse)); @@ -353,6 +358,7 @@ install_routes = no {$accept_unencrypted} cisco_unity = {$unity_enabled} {$ifacesuse} +{$makebeforebreak} # And two loggers using syslog. The subsections define the facility to log # to, currently one of: daemon, auth. diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php index 7c21817..aab4f47 100644 --- a/usr/local/www/vpn_ipsec_settings.php +++ b/usr/local/www/vpn_ipsec_settings.php @@ -46,6 +46,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) { $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"]; } $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']); +$pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']); $pconfig['noshuntlaninterfaces'] = isset($config['ipsec']['noshuntlaninterfaces']); $pconfig['compression'] = isset($config['ipsec']['compression']); $pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']); @@ -156,6 +157,12 @@ if ($_POST) { unset($config['ipsec']['unityplugin']); } + if($_POST['makebeforebreak'] == "yes") { + $config['ipsec']['makebeforebreak'] = true; + } elseif (isset($config['ipsec']['makebeforebreak'])) { + unset($config['ipsec']['makebeforebreak']); + } + if($_POST['noshuntlaninterfaces'] == "yes") { $config['ipsec']['noshuntlaninterfaces'] = true; } elseif (isset($config['ipsec']['noshuntlaninterfaces'])) { 
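Review bot: The new `$makebeforebreak` block in vpn_ipsec_configure carries no comment on why the knob exists or what it requires, even though the commit message ties it to strongSwan 5.3.0 and the ticket. The value is emitted into the same strongswan.conf section as `install_routes` and `cisco_unity`, so it appears to be a daemon-wide charon setting rather than a per-tunnel one, which the next maintainer should not have to rediscover. I would add above the `isset` check: `// make_before_break is a charon-wide strongswan.conf option (needs strongSwan >= 5.3.0, see #4626); it changes how every IKEv2 reauthentication this daemon initiates is performed`. vpn_ipsec_configure starts before the hunk and continues past it.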
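Review bot: `$_POST['makebeforebreak']` is read without an `isset()` guard in the new block, so a save with the box unchecked (browsers omit unchecked checkboxes from the form body) dereferences a missing key and raises an undefined-index notice unless error reporting masks it. The neighbouring `unityplugin` and `noshuntlaninterfaces` code has the same pattern, but new code need not inherit it, and a strict comparison is cheap here. I would write `if (isset($_POST['makebeforebreak']) && $_POST['makebeforebreak'] === "yes") {`. The enclosing `if ($_POST) {` starts before this hunk.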
@@ -356,6 +363,17 @@ function maxmss_checked(obj) {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Make before Break"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="makebeforebreak" type="checkbox" id="makebeforebreak" value="yes" <?php if ($pconfig['makebeforebreak'] == true) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Initiate IKEv2 reauthentication with a make-before-break"); ?></strong>
+ <br />
+ <?=gettext("instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication " .
+ "by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps " .
+ "during reauthentication, but requires support for overlapping SAs by the peer.");?>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Auto-exclude LAN address"); ?></td>
 <td width="78%" class="vtable">
 <input name="noshuntlaninterfaces" type="checkbox" id="noshuntlaninterfaces" value="yes" <?php if (!$pconfig['noshuntlaninterfaces'] == true) echo "checked=\"checked\""; ?> /> |
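Review bot: The help text for the new checkbox does not tell the administrator that the option is global and version-gated: the other hunk writes it into charon's strongswan.conf for the whole daemon, and the commit message says it needs strongSwan 5.3.0, yet the page states neither. The peer requirement is mentioned only in passing, so an operator cannot tell from this screen which tunnels will be affected when a remote side lacks overlapping-SA support. I would append to the gettext string: `This is a global setting that applies to every IKEv2 tunnel on this firewall and requires strongSwan 5.3.0 or later.` The table containing this row starts and ends outside the hunk.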