authorErmal LUÇI <eri@pfsense.org>2014-12-30 23:34:55 +0100
committerErmal LUÇI <eri@pfsense.org>2014-12-30 23:34:55 +0100
commit13403bd102c4a25b366ac7d8556ab13a581c31a0 (patch)
tree367206c80f52f7346333aabbc48c959f7325793b
parent7f69cbe7d442650671fe29a2d4804fbd77bc9855 (diff)
downloadpfsense-13403bd102c4a25b366ac7d8556ab13a581c31a0.zip
pfsense-13403bd102c4a25b366ac7d8556ab13a581c31a0.tar.gz
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for the traffic selector
-rw-r--r--etc/inc/vpn.inc18
1 files changed, 13 insertions, 5 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d0fb807..e582fcd 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -484,10 +484,14 @@ EOD;
if (empty($peerid_data))
continue;
- $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
- if (!empty($ph1ent['pre-shared-key']))
- $pskconf .= $myid . $peerid . " : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ if (!empty($ph1ent['pre-shared-key'])) {
+ if ($myid_type == 'fqdn' && !empty($myid_data))
+ $pskconf .= "@{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ else
+ $pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ }
}
}
}
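Review bot: For a non-mobile phase 1 entry with an FQDN local identifier, `$myid` is `%any` (L24) but the `@` branch on L29 keys on `$myid_type`/`$myid_data` rather than on the mobile flag, so the secrets line becomes `@%any <peer> : PSK …`, which strongSwan will not treat as the wildcard the commit intends. The peer selector also never receives the `@` prefix that the local one does, even though the commit message says this prefix is what keeps strongSwan from resolving an FQDN; assuming `$peerid_type` from the same ipsec_find_id call is still in scope, it should get the same treatment, otherwise the PSK is bound to whatever DNS returns for that name rather than to the literal identity. Computing both selectors once and writing a single line also removes the duplicated base64 expression on L30/L32. The enclosing foreach and function begin and end outside the hunk.
```php
$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
if ($myid !== '' && $myid !== '%any' && $myid_type == 'fqdn')
    $myid = "@{$myid}";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if ($peerid !== '' && $peerid_type == 'fqdn')   /* assumes $peerid_type is in scope here — confirm */
    $peerid = "@{$peerid}";
if (!empty($ph1ent['pre-shared-key']))
    $pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
```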
@@ -496,7 +500,7 @@ EOD;
if (is_array($config['system']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) {
- $pskconf .= "{$myid} {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
+ $pskconf .= "%any {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
}
}
unset($user);
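Review bot: The user PSK on L42 is base64-encoded as stored, while the phase 1 PSK in the previous hunk is `trim()`ed first, so a secret saved with stray whitespace is written differently depending on where it came from; the mobilekey line in the next hunk has the same asymmetry. Unless the user form already trims on save, `base64_encode(trim($user['ipsecpsk']))` keeps all three lines consistent. `$user['name']` is placed in the selector position verbatim, and the line presumably relies on upstream username validation to keep whitespace and `:` out of it; a short comment to that effect, such as `/* name is written unquoted: relies on username validation rejecting whitespace and ':' */`, would make that dependency visible.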
@@ -507,7 +511,7 @@ EOD;
foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers")
$key['ident'] = '%any';
- $pskconf .= "{$myid} {$key['ident']} : PSK 00" . base64_encode($key['pre-shared-key']) . "\n";
+ $pskconf .= "%any {$key['ident']} : PSK 00" . base64_encode($key['pre-shared-key']) . "\n";
}
unset($key);
}
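Review bot: `$key['ident']` on L51 is written raw, so a mobile key whose identifier is a host name never gets the `@` prefix that the first hunk adds for the local FQDN id, and the commit message's concern about strongSwan resolving such a selector applies here as well. The hunk shows no type field on the mobilekey entries, so the prefix cannot be applied by type at this point; a comment such as `/* ident is written verbatim: FQDN-style idents are not @-prefixed here and strongSwan may resolve them */` at least records the gap. Carrying an id type on these entries would let this line use the same rule as the phase 1 selectors.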
@@ -556,7 +560,11 @@ EOD;
$right_spec = $ph1ent['remote-gateway'];
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ if ($myid_type == 'fqdn')
+ $myid_data = "@{$myid_data}";
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ if ($peerid_type == 'fqdn')
+ $peerid_data = "@{$peerid_data}";
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';