authorErmal LUÇI <eri@pfsense.org>2015-01-31 19:36:13 +0100
committerErmal LUÇI <eri@pfsense.org>2015-01-31 19:36:13 +0100
commit908edbd3d17a6fac747b6583322be9e547026f7f (patch)
tree39cc00f922d019153daac1139bb92bfd2c2c11ff
parentb8150520dd5c980d48cff07441ade313776653a3 (diff)
downloadpfsense-908edbd3d17a6fac747b6583322be9e547026f7f.zip
pfsense-908edbd3d17a6fac747b6583322be9e547026f7f.tar.gz
Fixes #4359 Allow controlling uniqueids
-rw-r--r--etc/inc/ipsec.inc4
-rw-r--r--etc/inc/vpn.inc7
-rw-r--r--usr/local/www/vpn_ipsec_settings.php29
3 files changed, 39 insertions, 1 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 364d814..c3c6cfc 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -58,6 +58,10 @@ $peer_identifier_list = array(
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));
+$ipsec_idhandling = array(
+ 'yes' => 'YES', 'no' => 'NO', 'never' => 'NEVER', 'keep' => 'KEEP'
+ );
+
$p1_ealgos = array(
'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
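Review bot: The new `$ipsec_idhandling` array has no comment saying which side is the config token and which is the label, and the two roles are easy to confuse since the keys (`yes`, `no`, `never`, `keep`) are what vpn.inc writes into ipsec.conf while the values only appear as option text in vpn_ipsec_settings.php. A one-line comment above the array would prevent the next reader from validating against the wrong side: `/* uniqueids modes for the ipsec.conf "config setup" section: keys are the tokens written to ipsec.conf, values are the labels shown in the GUI */`.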
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 48cc331..8889709 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -554,6 +554,11 @@ EOD;
chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
unset($pskconf);
+ $uniqueids = 'yes';
+ if (!empty($config['ipsec']['uniqueids'])) {
+ if (in_array($uniqueids, $ipsec_idhandling))
+ $uniqueids = $config['ipsec']['uniqueids'];
+ }
$natfilterrules = false;
/* begin ipsec.conf */
$ipsecconf = "";
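Review bot: The validation on the added `if (in_array($uniqueids, $ipsec_idhandling))` line tests the wrong variable against the wrong side of the array: `$uniqueids` is still the literal `'yes'` at that point, and `in_array` compares it with the values (`'YES'`, `'NO'`, …) rather than the keys, so the condition is never true and the configured value is never applied — the second hunk in this file (`uniqueids = {$uniqueids}`) will always emit `yes`. Replace the two lines with `if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling))` and `$uniqueids = $config['ipsec']['uniqueids'];`, which also keeps the value written into ipsec.conf restricted to the known tokens, the only thing standing between a stored config value and the generated file. The enclosing function starts outside the hunk; if `$config` and `$g` are declared with `global` at its top, `$ipsec_idhandling` (defined at file scope in ipsec.inc) needs to be added to that `global` list, otherwise it is null here and the lookup fails with a warning.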
@@ -561,7 +566,7 @@ EOD;
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
- $ipsecconf .= "config setup\n\tuniqueids = yes\n";
+ $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
foreach ($a_phase1 as $ph1ent) {
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index fa9ae0b..5c3ea27 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -159,6 +159,12 @@ if ($_POST) {
unset($config['ipsec']['acceptunencryptedmainmode']);
}
+ if(!empty($_POST['uniqueids'])) {
+ $config['ipsec']['uniqueids'] = $_POST['uniqueids'];
+ } else {
+ unset($config['ipsec']['uniqueids']);
+ }
+
if($_POST['maxmss_enable'] == "yes") {
$config['system']['maxmss_enable'] = true;
$config['system']['maxmss'] = $_POST['maxmss'];
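Review bot: `$config['ipsec']['uniqueids'] = $_POST['uniqueids'];` stores the submitted value without checking it, even though the only values the form offers are the keys of `$ipsec_idhandling` and the value ends up interpolated into ipsec.conf by vpn.inc. Validate here at the boundary rather than relying on the generator: `if (!empty($_POST['uniqueids']) && array_key_exists($_POST['uniqueids'], $ipsec_idhandling)) {` and leave the `else` branch to unset the key for anything else. The select loop in the later hunk of this file already reads `$ipsec_idhandling`, so it appears to be in scope on this page; confirm that the include providing it is loaded before the POST handler runs. The enclosing `if ($_POST)` block starts outside the hunk.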
@@ -276,6 +282,29 @@ function maxmss_checked(obj) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Unique IDs"); ?></td>
+ <td width="78%" class="vtable">
+ <strong><?=gettext("Handle IDs as: "); ?></strong>
+ <?php echo "<select name=\"uniqueids\" id=\"uniqueids\">\n";
+ foreach ($ipsec_idhandling as $value => $lvalue) {
+ echo "<option value=\"{$value}\" ";
+ if ($pconfig['uniqueids'] == $value)
+ echo "selected=\"selected\"";
+ echo ">{$lvalue}</option>\n";
+ }
+ ?>
+ </select>
+ <br />
+ <?=gettext("whether a particular participant ID should be kept unique, with any new IKE_SA using an ID " .
+ "deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new " .
+ "IKE_SA using the same ID is almost invariably intended to replace an old one. " .
+ "The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an " .
+ "INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. " .
+ "The daemon also accepts the value <b>keep</b> to reject " .
+ "new IKE_SA setups and keep the duplicate established earlier."); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("IP Compression"); ?></td>
<td width="78%" class="vtable">
<input name="compression" type="checkbox" id="compression" value="yes" <?php if ($pconfig['compression']) echo "checked=\"checked\""; ?> />
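Review bot: `if ($pconfig['uniqueids'] == $value)` reads an index that is absent for every config saved before this change (and whenever the POST handler unsets the key), which raises an undefined-index notice once per option in the loop; guard it with `if (isset($pconfig['uniqueids']) && $pconfig['uniqueids'] == $value)`. Where `$pconfig` is populated is outside the hunk, so check whether it already defaults `uniqueids`; if it does not, the select silently falls back to the browser's first option, which happens to match the `yes` default in vpn.inc but is not stated anywhere. The help text also starts mid-sentence (`whether a particular participant ID …`); capitalising it, or prefixing `Controls whether …`, would read as a sentence like the other descriptions on this page.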