authorjim-p <jimp@pfsense.org>2011-12-09 13:55:57 -0500
committerjim-p <jimp@pfsense.org>2011-12-09 13:55:57 -0500
commit7dcf1cc77f4f7e061418b324a2632804634aa0fe (patch)
treec72f87ade5dfba196eac0d082e1fe51e3faf5b85 /etc/inc/vpn.inc
parent11f1c38c3c0b167deb2f1814312e1247becce5c6 (diff)
Ensure we always write out a blank spd.conf if there are no phase 2 entries. Previously, if you deleted the last phase 2 entry and then applied, it would still be in spd.conf and used by racoon even with no phase 2 entries configured.
Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r--etc/inc/vpn.inc21
1 files changed, 10 insertions, 11 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1707a31..6279a79 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -819,16 +819,15 @@ EOD;
/* end racoon.conf */
/* generate IPsec policies */
- if (is_array($a_phase2) && count($a_phase2)) {
- /* generate spd.conf */
- $fd = fopen("{$g['varetc_path']}/spd.conf", "w");
- if (!$fd) {
- printf(gettext("Error: cannot open spd.conf in vpn_ipsec_configure().") . "\n");
- return 1;
- }
-
- $spdconf = "";
+ /* generate spd.conf */
+ $fd = fopen("{$g['varetc_path']}/spd.conf", "w");
+ if (!$fd) {
+ printf(gettext("Error: cannot open spd.conf in vpn_ipsec_configure().") . "\n");
+ return 1;
+ }
+ $spdconf = "";
+ if (is_array($a_phase2) && count($a_phase2)) {
/* Try to prevent people from locking themselves out of webgui. Just in case. */
if ($config['interfaces']['lan']) {
$lanip = get_interface_ip("lan");
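Review bot: `fopen("{$g['varetc_path']}/spd.conf", "w")` truncates the policy file at the top of this hunk, but the contents are only written after the whole phase 2 block has run, and that block (most of it outside the hunk) shells out through `mwexec`. Until the later `fwrite`, spd.conf on disk is empty, and any early return added inside the block would leave it empty with the handle still open. Consider building `$spdconf` first and writing it in one step after the block, for example `if (file_put_contents("{$g['varetc_path']}/spd.conf", $spdconf) === false) { ... return 1; }`, keeping the existing error message.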
@@ -925,9 +924,9 @@ EOD;
mwexec("/sbin/route delete -host {$rgip}", true);
}
- fwrite($fd, $spdconf);
- fclose($fd);
}
+ fwrite($fd, $spdconf);
+ fclose($fd);
/* needed for racoonctl admin socket */
if (!is_dir("/var/db/racoon"))
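Review bot: The relocated `fwrite($fd, $spdconf);` and `fclose($fd);` ignore their return values, so a failed or short write leaves a truncated spd.conf that is indistinguishable from a successful apply. Because an empty policy is now a normal case and `fwrite` returns 0 for it, the check has to be `if (fwrite($fd, $spdconf) === false)` rather than a falsy test, reporting the error and returning 1 as the `fopen` failure path does. A comment above the write such as `/* always written, even when empty, so deleted phase 2 policies are not reloaded */` would record why it sits outside the `if`. Whether the kernel SPD is flushed before this file is loaded is not visible in this hunk and is worth confirming, since a blank file alone would not remove policies that are already installed.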