author | Ermal LUÇI <eri@pfsense.org> | 2014-12-30 23:34:55 +0100 |
committer | Ermal <eri@pfsense.org> | 2014-12-30 23:21:34 +0000 |
commit | f3106b3f4a6f2ab089f425dfe4d99e43024b11f0 (patch) | |
tree | ba2cb6c101bbd51570309070b4d2cd7c54e37cac /etc/inc | |
parent | 1e7d24824fdc5a799b69c5370cf7c1d8baaf0b1c (diff) | |
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for the traffic selector
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/vpn.inc | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 3c92188..49d4f87 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -484,10 +484,14 @@ EOD;
 if (empty($peerid_data))
 continue;
- $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
 $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
- if (!empty($ph1ent['pre-shared-key']))
- $pskconf .= $myid . $peerid . " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ if (!empty($ph1ent['pre-shared-key'])) {
+ if ($myid_type == 'fqdn' && !empty($myid_data))
+ $pskconf .= "@{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ else
+ $pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ }
 }
 }
 }
@@ -496,7 +500,7 @@ EOD;
 if (is_array($config['system']) && is_array($config['system']['user'])) {
 foreach ($config['system']['user'] as $user) {
 if (!empty($user['ipsecpsk'])) {
- $pskconf .= "{$myid} {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
+ $pskconf .= "%any {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
 }
 }
 unset($user);
@@ -507,7 +511,7 @@ EOD;
 foreach ($ipseccfg['mobilekey'] as $key) {
 if ($key['ident'] == "allusers")
 $key['ident'] = '%any';
- $pskconf .= "{$myid} {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
+ $pskconf .= "%any {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
 }
 unset($key);
 }
@@ -556,7 +560,11 @@ EOD;
 $right_spec = $ph1ent['remote-gateway'];
 list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ if ($myid_type == 'fqdn')
+ $myid_data = "@{$myid_data}";
 list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ if ($peerid_type == 'fqdn')
+ $peerid_data = "@{$peerid_data}";
 /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
 $peerid_spec = ''; |
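Review bot: The fqdn branch in the first hunk prefixes `$myid`, not `$myid_data`, so a non-mobile phase 1 whose local ID is of type fqdn now writes `@%any <peerid> : PSK ...` into the secrets file, because `$myid` was just set to the literal `%any` for every non-mobile entry; the `@` prefix should be applied only where the real ID is used, i.e. inside the mobile case. The same hunk and the second hunk also change the secret prefix from `PSK 0s` to `PSK 00` while the third hunk keeps `0s`; strongSwan documents `0s` as the base64 prefix, so unless `00` is known to be accepted the base64_encode() output would be misread, and the three sites should at least agree. The commit message says fqdn peer IDs get `@` too, but `$peerid` in this loop is written as-is; if `$peerid_type` is available here (it is not visible in the hunk) the same prefix rule applies to it. The enclosing foreach starts before the hunk.
```php
$myid = "%any";
if (isset($ph1ent['mobile'])) {
	$myid = trim($myid_data);
	/* strongSwan treats a bare hostname as an IP lookup; '@' marks it as a plain FQDN ID */
	if ($myid_type == 'fqdn' && !empty($myid))
		$myid = "@{$myid}";
}
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key']))
	$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
// … unchanged: closing braces of the foreach loops …
```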
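Review bot: The two added checks in the last hunk prefix `$myid_data` and `$peerid_data` with `@` without the `!empty()` guard the secrets loop in the first hunk uses, so an fqdn-typed entry with no data would become the bare ID `@`; `if ($myid_type == 'fqdn' && !empty($myid_data))` (and the same for the peer side) keeps the two sites consistent. The fqdn-prefix rule now lives in three places in this file; a small helper such as `ipsec_id_with_prefix($type, $data)` returning the `@`-prefixed value for fqdn and the raw value otherwise would make a future change to the rule a single edit. Whether the prefixed `$myid_data`/`$peerid_data` are also consumed by later code that expects the raw value cannot be seen from this hunk; the enclosing function continues outside it.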