author | Ermal <eri@pfsense.org> | 2014-08-18 21:51:35 +0200 |
committer | Ermal <eri@pfsense.org> | 2014-08-18 21:51:35 +0200 |
commit | fe12d7ea125649dde541394e10002ba9cbc136b8 (patch) | |
tree | 7d8d9f0fca2db288e50c39e6de53f305c574d1eb | |
parent | c650b2f74932b2e7042c2d0c4e47a254918463bc (diff) | |
download | pfsense-fe12d7ea125649dde541394e10002ba9cbc136b8.zip pfsense-fe12d7ea125649dde541394e10002ba9cbc136b8.tar.gz |
Correct the functions for returning tunnel status to use strongswan status reports
-rw-r--r-- | etc/inc/ipsec.inc | 39 | ||||
-rw-r--r-- | usr/local/www/diag_ipsec_xml.php | 7 |
2 files changed, 17 insertions, 29 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 6c1b52c..22b95f2 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -324,11 +324,11 @@ function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) {
 	global $config;
 	if (!is_array($config['ipsec']))
-		return;
+		return false;
 	if (!is_array($config['ipsec']['phase1']))
-		return;
+		return false;
 	if (empty($config['ipsec']['phase1']))
-		return;
+		return false;
 	foreach ($config['ipsec']['phase1'] as $ph1tmp) {
 		if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) {
@@ -343,13 +343,15 @@ function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) {
 /*
  * Check phase1 communications status
  */
-function ipsec_phase1_status(& $ph1ent) {
+function ipsec_phase1_status($ipsec_status, $ikeid) {
-	$loc_ip = get_ipsec_tunnel_src($ph1ent);
-	$rmt_ip = $ph1ent['remote-gateway'];
-
-	if (ipsec_lookup_ipsakmp_sa($loc_ip,$rmt_ip))
-		return true;
+	foreach ($ipsec_status as $ike) {
+		if ($ike['peerconfig'] != "con{$ikeid}")
+			continue;
+		if ($ike['status'] == "established")
+			return true;
+		break;
+	}
 	return false;
 }
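Review bot: The `break;` in the new ipsec_phase1_status loop stops at the first IKE SA whose peerconfig matches but is not "established", so a later entry for the same connection in the status list is never examined; if strongSwan can report more than one IKE SA per peerconfig at once (presumably during rekeying or reconnect), the tunnel will be reported down while an established SA exists. Dropping the `break;` and letting the loop fall through to `return false;` checks every matching entry. The function also iterates `$ipsec_status` with no type check, so a non-array status (the caller builds it from a parsed report) raises a warning rather than reporting "down"; a guard `if (!is_array($ipsec_status)) return false;` at the top of the function keeps the status page quiet on a failed query. The loose `!=` against `"con{$ikeid}"` works for string ikeids but `==`/`!=` on mixed string/int values is a known PHP trap; `!==` would be safer here.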
@@ -357,23 +359,10 @@ function ipsec_phase1_status(& $ph1ent) {
 /*
  * Check phase2 communications status
  */
-function ipsec_phase2_status(& $spd,& $sad,& $ph1ent,& $ph2ent) {
-
-	$loc_ip = ipsec_get_phase1_src($ph1ent);
-	$rmt_ip = ipsec_get_phase1_dst($ph1ent);
+function ipsec_phase2_status($ipsec_status, &$phase2) {
-	$loc_id = ipsec_idinfo_to_cidr($ph2ent['localid'],true,$ph2ent['mode']);
-	if (!empty($ph2ent['natlocalid']))
-		$natloc_id = ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true,$ph2ent['mode']);
-	$rmt_id = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true,$ph2ent['mode']);
-
-	/* check for established SA in both directions */
-	if( ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id)) {
-		if (empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"in",$rmt_ip,$loc_ip,$rmt_id,$loc_id))
-			return true;
-		else if (!empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id))
-			return true;
-	}
+	if (ipsec_lookup_phase1($ph2ent,$ph1ent))
+		return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']);
 	return false;
 }
diff --git a/usr/local/www/diag_ipsec_xml.php b/usr/local/www/diag_ipsec_xml.php
index b2c2ad6..2d74c1b 100644
--- a/usr/local/www/diag_ipsec_xml.php
+++ b/usr/local/www/diag_ipsec_xml.php
@@ -50,15 +50,14 @@
 $ipsec_status = array();
 $a_phase2 = &$config['ipsec']['phase2'];
-$spd = ipsec_dump_spd();
-$sad = ipsec_dump_sad();
+$status = ipsec_smp_dump_status();
-if(is_array($a_phase2)) {
+if (is_array($status['query']) && $status['query']['ikesalist'] && $status['query']['ikesalist']['ikesa'])) {
 	foreach ($a_phase2 as $ph2ent) {
 		ipsec_lookup_phase1($ph2ent,$ph1ent);
 		$tunnel = array();
 		if (!isset($ph2ent['disabled']) && !isset($ph1ent['disabled'])) {
-			if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent))
+			if(ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ph1ent['ikeid']))
 				$tunnel['state'] = "up";
 			elseif(!isset($config['ipsec']['enable']))
 				$tunnel['state'] = "disabled";
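Review bot: The new ipsec_phase2_status body looks up `$ph2ent`, but the function's parameter is named `&$phase2` and `$ph2ent` is never assigned, so ipsec_lookup_phase1 is always handed an undefined (null) entry and every phase 2 tunnel is reported down. The call should read `if (ipsec_lookup_phase1($phase2, $ph1ent))`, and since the entry is only read, the by-reference `&` on `$phase2` can go as well. Note also that `$ph1ent` relies on ipsec_lookup_phase1 populating it through its reference parameter, which is worth a one-line comment such as `/* $ph1ent is filled in by reference by ipsec_lookup_phase1() */` so the apparently undefined variable does not get "fixed" away later.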
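Review bot: The replacement `if` in diag_ipsec_xml.php has an extra closing parenthesis (`...['ikesa'])) {`), which is a parse error and takes the whole diagnostics endpoint down, not just the status values. The condition also drops the original `is_array($a_phase2)` guard, so with a status report present the `foreach` runs on whatever `$config['ipsec']['phase2']` holds, and when the report lists no IKE SAs the page now emits no tunnel entries at all, whereas before it still reported "disabled" tunnels; `$status['query']` is also dereferenced before any check that the query succeeded. Separating the two concerns keeps the old output shape: `$ikesa = isset($status['query']['ikesalist']['ikesa']) ? $status['query']['ikesalist']['ikesa'] : array();` followed by `if (is_array($a_phase2)) {`, with the inner call becoming `if (ipsec_phase1_status($ikesa, $ph1ent['ikeid']))`. The enclosing `if`/`foreach` bodies continue past the end of the hunk.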