authorChris Buechler <cmb@pfsense.org>2014-11-29 13:43:33 -0600
committerChris Buechler <cmb@pfsense.org>2014-11-29 13:43:33 -0600
commite3afacbb410da30eb47c41f702c1cc896b3fb042 (patch)
treeebeadf0de2fdca40bae31fb57e35ada62e1f586d /etc/inc/vpn.inc
parentcc62e5eda0fad842cd13d56937248300d96b1c13 (diff)
Only set i_dont_care_about_security_and_use_aggressive_mode_psk=yes where there is a P1 with aggressive+PSK enabled. Log a warning when such a configuration is in use.
Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r--etc/inc/vpn.inc14
1 files changed, 10 insertions, 4 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5b018b7..54b4347 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -168,6 +168,7 @@ function vpn_ipsec_configure($ipchg = false)
$rgmap = array();
$filterdns_list = array();
$listeniflist = array();
+ $aggressive_mode_psk = false;
unset($iflist);
if (is_array($a_phase1) && count($a_phase1)) {
@@ -177,6 +178,9 @@ function vpn_ipsec_configure($ipchg = false)
if (isset($ph1ent['disabled']))
continue;
+ if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
+ $aggressive_mode_psk = true;
+
$ikeid = $ph1ent['ikeid'];
$listeniflist = get_real_interface($a_phase1['interface']);
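Review bot: The new check on the `if` line keys only on `mode` and `authentication_method`, so a phase 1 that is IKEv2 but still carries a stale `mode = aggressive` in its config would also enable the global insecure charon option, even though aggressive mode only exists in IKEv1. If the mode field can persist on IKEv2 entries (the `iketype` handling is not visible in this hunk), guard it: `if ((!isset($ph1ent['iketype']) || $ph1ent['iketype'] != "ikev2") && $ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"), true))`. The `in_array` form also makes it easier to keep the PSK-based method list in one place if further methods are added. The enclosing `vpn_ipsec_configure()` starts before and continues after this hunk.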
@@ -276,6 +280,11 @@ function vpn_ipsec_configure($ipchg = false)
if (isset($config['ipsec']['acceptunencryptedmainmode']))
$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "";
+ if ($aggressive_mode_psk) {
+ log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
+ }
$strongswan = <<<EOD
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
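Review bot: The `log_error` warning tells the administrator that the insecure charon option is being set, but not which phase 1 triggered it, so on a box with many tunnels each one has to be audited by hand. Because the detection loop only records a boolean, the fix is to collect the offending entries (e.g. `$ph1ent['descr']` or `ikeid`) there and include them here, along the lines of `log_error(sprintf("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk because phase 1 entries [%s] use aggressive mode with pre-shared keys. This is not a secure configuration.", implode(", ", $aggressive_psk_p1s)));`. Note the warning is emitted on every call to `vpn_ipsec_configure()`, so it repeats on each reconfigure; that seems intended as a persistent reminder but is worth a one-line comment, e.g. `// Logged on every reconfigure on purpose: this weakens IKEv1 PSK authentication for all peers.` The `$strongswan` heredoc that consumes the variable continues past the end of this hunk.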
@@ -290,10 +299,7 @@ charon {
ikesa_table_segments = 4
init_limit_half_open = 1000
install_routes = no
-
- # XXX: There is not much choice here really users win their security!
- i_dont_care_about_security_and_use_aggressive_mode_psk=yes
-
+ {$i_dont_care_about_security_and_use_aggressive_mode_psk}
{$accept_unencrypted}
cisco_unity = yes