author | Rafael Abdo <rafaelabdo@Rafaels-Mac-mini.local> | 2013-01-09 13:50:19 -0200 |
---|---|---|
committer | Rafael Abdo <rafael.abdo@bluepex.com> | 2013-01-09 17:53:22 +0000 |
commit | 6fd8526b6b051529642500a38e272d4711bc6a33 (patch) | |
tree | bf8a52610da4010a83c33c8c04774e59c3db1417 /etc/inc/vpn.inc | |
parent | b13a841bc2a83061e42ecbc5c9a73fd133f054fd (diff) | |
Delete SPDs when an IPSec tunnel is deleted.
- Add new function to delete SPDs (see 'remove_tunnel_spd_policy($phase1,$phase2)' on vpn.inc)
- Change vpn_ipsec.php to delete SPDs on phase 2 and phase 1.
- Change the GET method used to delete a phase 2 (it needs to indicate which phase 1 the phase 2 belongs to)
It should fix #2719.
Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r-- | etc/inc/vpn.inc | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index f7cd290..c86ecd3 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1734,6 +1734,57 @@ function vpn_ipsec_refresh_policies() {
 }
 }
+/* remove SPD polices */
+function remove_tunnel_spd_policy($phase1,$phase2) {
+ global $config;
+ global $g;
+
+ $spdconf = "";
+ if($phase1 && $phase2) {
+ $ep = ipsec_get_phase1_src($phase1);
+ $gw = trim($phase1['remote-gateway']);
+ $sad_arr = ipsec_dump_sad();
+ $remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);
+
+ if (!empty($phase2['natlocalid']))
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
+ else
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
+
+ if ($phase2['mode'] == "tunnel6")
+ $family = "-6";
+ else
+ $family = "-4";
+
+ $spdconf .= "spddelete {$family} {$local_subnet} " .
+ "{$remote_subnet} any -P out ipsec " .
+ "{$phase2['protocol']}/tunnel/{$ep}-" .
+ "{$gw}/unique;\n";
+
+ $spdconf .= "spddelete {$family} {$remote_subnet} " .
+ "{$local_subnet} any -P in ipsec " .
+ "{$phase2['protocol']}/tunnel/{$gw}-" .
+ "{$ep}/unique;\n";
+
+ /* zap any existing SA entries */
+ foreach($sad_arr as $sad) {
+ if(($sad['dst'] == $ep) && ($sad['src'] == $gw))
+ $spdconf .= "delete {$family} {$ep} {$gw} {$phase2['protocol']} 0x{$sad['spi']};\n";
+ if(($sad['src'] == $ep) && ($sad['dst'] == $_gw))
+ $spdconf .= "delete {$family} {$gw} {$ep} {$phase2['protocol']} 0x{$sad['spi']};\n";
+ }
+ }
+
+ log_error(sprintf(gettext("Removing SPDs from tunnel gw '%1\$s'. Local Subnet '%2\$s' and Remote Subnet '%3\$s'. Reloading policy"),$phase1['remote-gateway'],$local_subnet,$remote_subnet));
+
+ $now = time();
+ $spdfile = tempnam("{$g['tmp_path']}", "spd.conf.reload.{$now}.");
+ /* generate temporary spd.conf */
+ @file_put_contents($spdfile, $spdconf);
+ unset($spdconf);
+ return true;
+}
+
 /* reloads the tunnel configuration for a tunnel item
 * Will remove and add SPD polices */
 function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) { |
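Review bot: The second SA check inside the `foreach($sad_arr as $sad)` loop compares against `$_gw`, which is never assigned, so `$sad['dst'] == $_gw` is a comparison with null and the SA in the other direction (the one with `src == $ep`) is never queued for deletion; it should read `if(($sad['src'] == $ep) && ($sad['dst'] == $gw))`. After `@file_put_contents($spdfile, $spdconf)` the hunk neither passes `$spdfile` to setkey nor unlinks it, and `$spdfile` is not returned, so as written the spddelete/delete commands are only written to a temp file under `$g['tmp_path']` while the stale policies and SAs remain loaded in the kernel, the log line already claims "Reloading policy", and the `@` hides a failed write; presumably the intent is to run the file through setkey and remove it, as `reload_tunnel_spd_policy` (which begins at the end of this hunk and continues outside it) likely does. When `$phase1` or `$phase2` is empty, the `log_error` call still dereferences `$phase1['remote-gateway']`, `$local_subnet` and `$remote_subnet` that were never set, so returning early from that branch would avoid both the notices and writing an empty temp file.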