author | Ermal LUÇI <eri@pfsense.org> | 2015-01-31 19:36:13 +0100 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-01-31 19:36:13 +0100 |
commit | 908edbd3d17a6fac747b6583322be9e547026f7f (patch) | |
tree | 39cc00f922d019153daac1139bb92bfd2c2c11ff | |
parent | b8150520dd5c980d48cff07441ade313776653a3 (diff) | |
Fixes #4359 Allow controlling uniqueids
-rw-r--r-- | etc/inc/ipsec.inc | 4 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 7 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 29 |
3 files changed, 39 insertions, 1 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 364d814..c3c6cfc 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -58,6 +58,10 @@ $peer_identifier_list = array(
 	'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
 	'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));
 
+$ipsec_idhandling = array(
+	'yes' => 'YES', 'no' => 'NO', 'never' => 'NEVER', 'keep' => 'KEEP'
+	);
+
 $p1_ealgos = array(
 	'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
 	'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 48cc331..8889709 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -554,6 +554,11 @@ EOD;
 	chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
 	unset($pskconf);
 
+	$uniqueids = 'yes';
+	if (!empty($config['ipsec']['uniqueids'])) {
+		if (in_array($uniqueids, $ipsec_idhandling))
+			$uniqueids = $config['ipsec']['uniqueids'];
+	}
 	$natfilterrules = false;
 	/* begin ipsec.conf */
 	$ipsecconf = "";
@@ -561,7 +566,7 @@ EOD;
 	if (is_array($a_phase1) && count($a_phase1)) {
 
 		$ipsecconf .= "# This file is automatically generated. Do not edit\n";
-		$ipsecconf .= "config setup\n\tuniqueids = yes\n";
+		$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
 		$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
 
 		foreach ($a_phase1 as $ph1ent) {
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index fa9ae0b..5c3ea27 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
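Review bot: The guard in the vpn.inc hunk at -554 tests the wrong value against the wrong side of the map: `in_array($uniqueids, $ipsec_idhandling)` looks up the default `'yes'` among the display labels (`'YES'`, `'NO'`, …), which is always false with a case-sensitive compare, so `$config['ipsec']['uniqueids']` is never copied and the `uniqueids = {$uniqueids}` line written in the -561 hunk stays at `yes` whatever the user configured. The intended check is the configured value against the array keys: `if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling))`. Keeping that check strict matters because the value is interpolated verbatim into ipsec.conf, so a value outside the four keys would otherwise reach the daemon's configuration. The enclosing function starts outside the hunk, so whether `$ipsec_idhandling` (a file-level array in ipsec.inc) is declared `global` there cannot be confirmed from here; without that declaration the lookup runs on an undefined variable.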
@@ -159,6 +159,12 @@ if ($_POST) {
 		unset($config['ipsec']['acceptunencryptedmainmode']);
 	}
 
+	if(!empty($_POST['uniqueids'])) {
+		$config['ipsec']['uniqueids'] = $_POST['uniqueids'];
+	} else {
+		unset($config['ipsec']['uniqueids']);
+	}
+
 	if($_POST['maxmss_enable'] == "yes") {
 		$config['system']['maxmss_enable'] = true;
 		$config['system']['maxmss'] = $_POST['maxmss'];
@@ -276,6 +282,29 @@ function maxmss_checked(obj) {
 	</td>
 </tr>
 <tr>
+	<td width="22%" valign="top" class="vncell"><?=gettext("Unique IDs"); ?></td>
+	<td width="78%" class="vtable">
+		<strong><?=gettext("Handle IDs as: "); ?></strong>
+		<?php echo "<select name=\"uniqueids\" id=\"uniqueids\">\n";
+		foreach ($ipsec_idhandling as $value => $lvalue) {
+			echo "<option value=\"{$value}\" ";
+			if ($pconfig['uniqueids'] == $value)
+				echo "selected=\"selected\"";
+			echo ">{$lvalue}</option>\n";
+		}
+		?>
+		</select>
+		<br />
+		<?=gettext("whether a particular participant ID should be kept unique, with any new IKE_SA using an ID " .
+			"deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new " .
+			"IKE_SA using the same ID is almost invariably intended to replace an old one. " .
+			"The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an " .
+			"INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. " .
+			"The daemon also accepts the value <b>keep</b> to reject " .
+			"new IKE_SA setups and keep the duplicate established earlier."); ?>
+	</td>
+</tr>
+<tr>
 	<td width="22%" valign="top" class="vncell"><?=gettext("IP Compression"); ?></td>
 	<td width="78%" class="vtable">
 		<input name="compression" type="checkbox" id="compression" value="yes" <?php if ($pconfig['compression']) echo "checked=\"checked\""; ?> />
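Review bot: `$_POST['uniqueids']` is stored into `$config['ipsec']['uniqueids']` in the -159 hunk without being checked against the keys of `$ipsec_idhandling`, so any string a client submits is persisted and later interpolated into ipsec.conf by vpn.inc. The save path should accept only a known key, for example `if (!empty($_POST['uniqueids']) && !array_key_exists($_POST['uniqueids'], $ipsec_idhandling)) $input_errors[] = gettext("Invalid value for Unique IDs.");` in the page's validation step before the config is written; whether this page collects `$input_errors` in that form is outside the hunk. The `if(` without a space also departs from the `if (` spacing used in the vpn.inc hunk of this same commit.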
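Review bot: The `<select>` in the -276 hunk marks an option with `$pconfig['uniqueids'] == $value`, but nothing in this commit assigns `$pconfig['uniqueids']` from `$config['ipsec']['uniqueids']`, and the diffstat's 29 insertions for this file are all visible in these two hunks; unless `$pconfig` is populated wholesale from `$config['ipsec']` further up the page, the saved choice is never shown as selected and the first option (`yes`) is displayed after every reload, with an undefined-index notice on the comparison. If `$pconfig` is filled per key, the read side needs a line such as `$pconfig['uniqueids'] = $config['ipsec']['uniqueids'];` next to the other ipsec settings. Since both operands are strings here, `===` would be the safer comparison. The help text begins with a lowercase "whether", presumably pasted from the daemon's documentation; capitalising it would make it read as a sentence.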