author | Matthew Grooms <mgrooms@pfsense.org> | 2008-08-02 02:04:05 +0000 |
---|---|---|
committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-08-02 02:04:05 +0000 |
commit | 0af7398aabc8d2ae09bc46c89067cfcddb706aab (patch) | |
tree | 041ee7d02404699a83d5fa734c84ddb0b0a55c99 /etc | |
parent | 5878ca478dd08bdc6e0ea23f49131595fd71af04 (diff) | |
Remove the vpn_endpoint_determine function. It did not work properly when
CARP devices were in use. Use the newer ipsec_get_phase1_src instead.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 7 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 3 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 37 |
3 files changed, 9 insertions, 38 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 2b57578..bde090b 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2513,11 +2513,8 @@ EOD; /* determine local and remote peer addresses */ if (!isset($ph1ent['mobile'])) { - $rgip = $ph1ent['remote-gateway']; - if(!is_ipaddr($rgip)) - $rgip = resolve_retry($rgip); - - if (!is_ipaddr($rgip)) { + $rgip = ipsec_get_phase1_dst($ph1ent); + if (!$rgip) { $ipfrules .= "# ERROR! Unable to determine remote IPsec peer address for {$ph1ent['remote-gateway']}\n"; continue; } diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index e5cd46d..76ea0f8 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -112,6 +112,9 @@ function ipsec_get_phase1_dst(& $ph1ent) { if (!is_ipaddr($rg)) return resolve_retry($rg); + if(!is_ipaddr($rg)) + return false; + return $rg; } diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 19b6932..a8b6e56 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -176,7 +176,7 @@ function vpn_ipsec_configure($ipchg = false) if (isset($ph1ent['disabled'])) continue; - $ep = vpn_endpoint_determine($ph1ent, $curwanip); + $ep = ipsec_get_phase1_src($ph1ent); if (!$ep) continue; @@ -194,8 +194,7 @@ function vpn_ipsec_configure($ipchg = false) if (!is_ipaddr($rg)) { $dnswatch_list[] = $rg; $rg = resolve_retry($rg); - - if (!$rgip) + if (!$rg) continue; } @@ -408,7 +407,7 @@ function vpn_ipsec_configure($ipchg = false) $ikeid = $ph1ent['ikeid']; - $ep = vpn_endpoint_determine($ph1ent, $curwanip); + $ep = ipsec_get_phase1_src($ph1ent); if (!$ep) continue; @@ -723,7 +722,7 @@ EOD; if (isset($ph2ent['disabled'])) continue; - $ep = vpn_endpoint_determine($ph1ent, $curwanip); + $ep = ipsec_get_phase1_src($ph1ent); if (!$ep) continue; 
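Review bot: The new `if (!$rgip)` test in the filter.inc hunk is weaker than the `is_ipaddr($rgip)` check it replaces, so the peer address that presumably goes into the generated rules is now only as valid as whatever `ipsec_get_phase1_dst()` returns. In the ipsec.inc hunk of this commit that helper returns `resolve_retry($rg)` unchecked for hostnames, and what the resolver returns on failure is not visible here. Keeping `if (!is_ipaddr($rgip)) {` at this call site would preserve the old guarantee whatever the helper returns. The same truthiness-only test is used in the vpn.inc hunk at -194 (`if (!$rg)`), where `if (!is_ipaddr($rg))` would be the stricter equivalent. The enclosing loop starts and ends outside the hunk.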
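Review bot: The added `if(!is_ipaddr($rg)) return false;` in `ipsec_get_phase1_dst()` can never execute, because the line directly above it already returns `resolve_retry($rg)` whenever `$rg` is not an IP address. If the intent is to validate the resolver's result before handing it to callers, change the existing return to an assignment, `$rg = resolve_retry($rg);`, so the new check runs on the resolved value. As written, callers still receive the unvalidated resolver output. The function starts outside the hunk.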
@@ -863,34 +862,6 @@ function vpn_localnet_determine($adr, & $sa, & $sn) { } } -/* XXX: is there a need for this get_current_wan_address() does already this?! */ -function vpn_endpoint_determine($ph1ent, $curwanip) { - - global $g, $config; - - if ((!$ph1ent['interface']) || ($ph1ent['interface'] == "wan")) { - if ($curwanip) - return $curwanip; - else - return null; - } elseif ($ph1ent['interface'] == "lan") { - return $config['interfaces']['lan']['ipaddr']; - } else { - $iface = $config['interfaces'][$ph1ent['interface']]['if']; - $oc = $config['interfaces'][$ph1ent['interface']]; - /* carp ips, etc */ - $ip = find_interface_ip($iface); - if($ip) - return $ip; - - if (isset ($oc['enable']) && $oc['if']) { - return $oc['ipaddr']; - } - } - - return null; -} - /* Forcefully restart IPsec * This is required for when dynamic interfaces reload * For all other occasions the normal vpn_ipsec_configure() |