authormgrooms <mgrooms@shrew.net>2009-03-15 03:47:18 +0000
committermgrooms <mgrooms@shrew.net>2009-03-15 03:47:18 +0000
commit87e07f5242b8018a9c45afee448377d05fbe00c4 (patch)
tree9d49712e09c5eafd81d59c4e7f0ae0da4f43fb58 /etc
parent07ea77d066fafcf8121dddf83cec8f38e051e986 (diff)
downloadpfsense-87e07f5242b8018a9c45afee448377d05fbe00c4.zip
pfsense-87e07f5242b8018a9c45afee448377d05fbe00c4.tar.gz
Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/upgrade_config.inc8
-rw-r--r--etc/inc/vpn.inc36
2 files changed, 29 insertions, 15 deletions
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 53e8f34..e8d6192 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -927,9 +927,6 @@ function upgrade_046_to_047() {
if (isset($tunnel['p1']['private-key']))
$ph1ent['private-key'] = $tunnel['p1']['private-key'];
- if (isset($tunnel['pinghost']['pinghost']))
- $ph1ent['pinghost'] = $tunnel['pinghost'];
-
$ph1ent['nat_traversal'] = "on";
$ph1ent['dpd_enable'] = 1;
$ph1ent['dpd_delay'] = 10;
@@ -1009,6 +1006,9 @@ function upgrade_046_to_047() {
$ph2ent['pfsgroup'] = $tunnel['p2']['pfsgroup'];
$ph2ent['lifetime'] = $tunnel['p2']['lifetime'];
+ if (isset($tunnel['pinghost']['pinghost']))
+ $ph2ent['pinghost'] = $tunnel['pinghost'];
+
$a_phase2[] = $ph2ent;
}
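Review bot: The added guard tests `$tunnel['pinghost']['pinghost']` but the assignment copies `$tunnel['pinghost']`, so the check and the copied value refer to different levels of the old config entry. If the old entry is a plain string, whether the nested isset() passes depends on PHP's string-offset handling, which differs between versions; if it is an array, phase2 receives an array that vpn.inc later interpolates into the line written to /var/db/ipsecpinghosts. The shape of `$tunnel['pinghost']` is not visible here, so the two should be made to agree, e.g. `if (isset($tunnel['pinghost'])) $ph2ent['pinghost'] = $tunnel['pinghost'];` for the string case. upgrade_046_to_047 starts and ends outside this hunk.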
@@ -1725,4 +1725,4 @@ function upgrade_056_to_057() {
unset($config['captiveportal']['user']);
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5db241d..1e9ea34 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -162,6 +162,8 @@ function vpn_ipsec_configure($ipchg = false)
$rgmap = array();
$dnswatch_list = array();
if (is_array($a_phase1) && count($a_phase1)) {
+
+ /* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
continue;
@@ -191,19 +193,31 @@ function vpn_ipsec_configure($ipchg = false)
$rgmap[$ph1ent['remote-gateway']] = $rg;
- /* add an ipsec pinghosts entry */
+ /* step through each phase2 entry */
+ foreach ($a_phase2 as $ph2ent) {
+
+ $ikeid = $ph2ent['ikeid'];
+
+ if (isset($ph2ent['disabled']))
+ continue;
- if ($ph1ent['pinghost']) {
- $pfd = fopen("/var/db/ipsecpinghosts", "a");
- $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
- if (ip_in_subnet($interface_ip, $sa . "/" . $sn))
- $srcip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ if ($ikeid != $ph1ent['ikeid'])
+ continue;
+
+ /* add an ipsec pinghosts entry */
+ if ($ph2ent['pinghost']) {
+ $pfd = fopen("/var/db/ipsecpinghosts", "a");
+ $iflist = get_configured_interface_list();
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+ if (ip_in_subnet($interface_ip, $local_subnet))
+ $srcip = $interface_ip;
+ }
+ $dstip = $ph2ent['pinghost'];
+ fwrite($pfd, "$srcip|$dstip|3\n");
+ fclose($pfd);
}
- $dstip = $ph1ent['pinghost'];
- fwrite($pfd, "$srcip|$dstip|3\n");
- fclose($pfd);
}
}
}
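Review bot: `$srcip` is never reset inside the new phase2 loop, so when no interface address falls inside the local subnet the `fwrite()` records an empty source or the address left over from an earlier phase2 entry. The same block writes `$ph2ent['pinghost']` into the pipe-delimited file unchecked, so a value containing `|` or a newline would produce malformed or extra records for whatever reads /var/db/ipsecpinghosts; if pinghost is meant to be an IP address, `is_ipaddr()` is a reasonable gate. The `fopen()` result is also used without a check, and `ipsec_idinfo_to_cidr()` is recomputed on every interface although it depends only on the phase2 entry. The sketch below resets the source, hoists the subnet lookup and writes only when both ends are usable; vpn_ipsec_configure begins outside this hunk.

```php
if ($ph2ent['pinghost']) {
	$srcip = null;
	$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
	/* … unchanged: interface loop that sets $srcip, minus the $local_subnet assignment … */
	$dstip = $ph2ent['pinghost'];
	if ($srcip && is_ipaddr($dstip)) {
		$pfd = fopen("/var/db/ipsecpinghosts", "a");
		if ($pfd) {
			fwrite($pfd, "$srcip|$dstip|3\n");
			fclose($pfd);
		}
	}
}
```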