author | mgrooms <mgrooms@shrew.net> | 2009-03-15 03:47:18 +0000 |
committer | mgrooms <mgrooms@shrew.net> | 2009-03-15 03:47:18 +0000 |
commit | 87e07f5242b8018a9c45afee448377d05fbe00c4 (patch) | |
tree | 9d49712e09c5eafd81d59c4e7f0ae0da4f43fb58 /etc/inc | |
parent | 07ea77d066fafcf8121dddf83cec8f38e051e986 (diff) | |
Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/upgrade_config.inc | 8 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 36 |
2 files changed, 29 insertions, 15 deletions
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 53e8f34..e8d6192 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -927,9 +927,6 @@ function upgrade_046_to_047() {
 if (isset($tunnel['p1']['private-key']))
 $ph1ent['private-key'] = $tunnel['p1']['private-key'];
-if (isset($tunnel['pinghost']['pinghost']))
-$ph1ent['pinghost'] = $tunnel['pinghost'];
-
 $ph1ent['nat_traversal'] = "on";
 $ph1ent['dpd_enable'] = 1;
 $ph1ent['dpd_delay'] = 10;
@@ -1009,6 +1006,9 @@ function upgrade_046_to_047() {
 $ph2ent['pfsgroup'] = $tunnel['p2']['pfsgroup'];
 $ph2ent['lifetime'] = $tunnel['p2']['lifetime'];
+if (isset($tunnel['pinghost']['pinghost']))
+$ph2ent['pinghost'] = $tunnel['pinghost'];
+
 $a_phase2[] = $ph2ent;
 }
@@ -1725,4 +1725,4 @@ function upgrade_056_to_057() {
 unset($config['captiveportal']['user']);
 }
 }
-?>
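Review bot: The moved migration guard `if (isset($tunnel['pinghost']['pinghost']))` tests a nested key while the next line copies `$tunnel['pinghost']` itself, so the condition and the assignment disagree about the shape of the legacy value; the removed phase1 lines had the same mismatch and the commit carries it over unchanged. If the pre-047 `pinghost` is a plain string, the nested `isset` relies on PHP's string-offset handling and, depending on the PHP version, can evaluate to false and skip the copy, leaving `$ph2ent['pinghost']` unset after the upgrade. Unless the old config format really nests the value, the guard should be `if (isset($tunnel['pinghost']))`. upgrade_046_to_047() begins and ends outside the hunk.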
\ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5db241d..1e9ea34 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -162,6 +162,8 @@ function vpn_ipsec_configure($ipchg = false)
 $rgmap = array();
 $dnswatch_list = array();
 if (is_array($a_phase1) && count($a_phase1)) {
+
+/* step through each phase1 entry */
 foreach ($a_phase1 as $ph1ent) {
 if (isset($ph1ent['disabled']))
 continue;
@@ -191,19 +193,31 @@ function vpn_ipsec_configure($ipchg = false)
 $rgmap[$ph1ent['remote-gateway']] = $rg;
-/* add an ipsec pinghosts entry */
+/* step through each phase2 entry */
+foreach ($a_phase2 as $ph2ent) {
+
+$ikeid = $ph2ent['ikeid'];
+
+if (isset($ph2ent['disabled']))
+continue;
-if ($ph1ent['pinghost']) {
-$pfd = fopen("/var/db/ipsecpinghosts", "a");
-$iflist = get_configured_interface_list();
-foreach ($iflist as $ifent => $ifname) {
-$interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
-if (ip_in_subnet($interface_ip, $sa . "/" . $sn))
-$srcip = find_interface_ip($config['interfaces'][$ifname]['if']);
+if ($ikeid != $ph1ent['ikeid'])
+continue;
+
+/* add an ipsec pinghosts entry */
+if ($ph2ent['pinghost']) {
+$pfd = fopen("/var/db/ipsecpinghosts", "a");
+$iflist = get_configured_interface_list();
+foreach ($iflist as $ifent => $ifname) {
+$interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
+$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+if (ip_in_subnet($interface_ip, $local_subnet))
+$srcip = $interface_ip;
+}
+$dstip = $ph2ent['pinghost'];
+fwrite($pfd, "$srcip|$dstip|3\n");
+fclose($pfd);
 }
-$dstip = $ph1ent['pinghost'];
-fwrite($pfd, "$srcip|$dstip|3\n");
-fclose($pfd);
 }
 }
 }
|
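Review bot: `$srcip` is assigned only inside the interface loop and is never reset per phase2 entry, so when no configured interface address lies inside `$local_subnet` the `fwrite` still runs and records a stale `$srcip` from an earlier entry (or an undefined variable on the first one) as the ping source — unless vpn_ipsec_configure() initialises it above the hunk, which is not visible here. Reset it before the loop, `$srcip = "";`, and only write the entry when a source was found, `if ($srcip) fwrite($pfd, "$srcip|$dstip|3\n");`. The line `$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);` does not depend on `$ifname` and belongs above the `foreach ($iflist ...)` line, and the `fopen` result should be checked for `false` before `fwrite`/`fclose`. The new `foreach ($a_phase2 as $ph2ent)` also lacks the `is_array(...) && count(...)` guard that the first hunk applies to `$a_phase1`, so an absent phase2 list would produce a warning rather than being skipped. The enclosing function begins and ends outside the hunk.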