authorErmal LUÇI <eri@pfsense.org>2015-01-07 16:33:46 +0100
committerErmal LUÇI <eri@pfsense.org>2015-01-07 16:33:46 +0100
commit45efe1b672f16a5c4b1e856f1deb2e55dde1c6e4 (patch)
treec415d12ce24f48edc18113d5f27c3af7b528635d /etc
parentd4e894f6a6f464fd00e39356a23586f8420b31af (diff)
Fixes #4182 by properly managing IPcomp on ipsec tunnels.
Also retires the IPsec force reloading advanced sysctl, since it's useless nowadays with strongswan, and removes its call in rc.newipsecdns.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/vpn.inc10
-rwxr-xr-xetc/rc.newipsecdns3
2 files changed, 10 insertions, 3 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index f591456..278fb45 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -523,6 +523,7 @@ EOD;
$natfilterrules = false;
/* begin ipsec.conf */
$ipsecconf = "";
+ $enablecompression = false;
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
@@ -824,6 +825,10 @@ EOD;
EOD;
+ if (isset($config['ipsec']['commpression'])) {
+ $ipsecconnect .= '\tcompress = yes\n';
+ $enablecompression = true;
+ }
if (!empty($ikelifeline))
$ipsecconnect .= "\t{$ikelifeline}\n";
if ($ipseclifetime > 0)
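Review bot: The added string `'\tcompress = yes\n'` is single-quoted, so PHP writes the backslash sequences literally instead of a tab and a newline, unlike the double-quoted `"\t{$ikelifeline}\n"` two lines below; the generated connection block would then carry a malformed line that runs into the next option. It should read `$ipsecconnect .= "\tcompress = yes\n";`. The config key `'commpression'` also looks misspelled: if the settings page stores the option as `compression` (not visible in this hunk), the branch never runs and IPComp stays off without any error, so the key should be checked against the code that writes it. The enclosing function starts and ends outside the hunk.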
@@ -884,6 +889,11 @@ EOD;
unset($ipsecconf);
/* end ipsec.conf */
+ if ($enablecompression === true)
+ set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
+ else
+ set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
+
/* mange process */
if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
/* Read secrets */
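Review bot: The unbraced if/else after `/* end ipsec.conf */` repeats the same call with only the value differing; a single statement is easier to read and harder to break when edited, `set_single_sysctl('net.inet.ipcomp.ipcomp_enable', $enablecompression ? 1 : 0);`. A comment such as `/* IPComp is turned off in the kernel unless a tunnel requested compression */` would also record that every configure pass actively resets the sysctl to 0, which overrides a value an administrator set by hand. The enclosing function continues outside the hunk.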
diff --git a/etc/rc.newipsecdns b/etc/rc.newipsecdns
index 431ad93..870283a 100755
--- a/etc/rc.newipsecdns
+++ b/etc/rc.newipsecdns
@@ -54,8 +54,5 @@ $ipseclck = lock('ipsecdns', LOCK_EX);
vpn_ipsec_configure();
-if (isset($config['ipsec']['failoverforcereload']))
- vpn_ipsec_force_reload();
-
unlock($ipseclck);
?>