Remove "Prefer old SA" option, and ignore it in all existing configurations. Breaks things in many cases with strongSwan. For the very rare circumstances where this is actually desirable, it's just a sysctl that can be set in tunables.

1 files changed, 0 insertions, 10 deletions

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d4a0e55..eb5eaf2 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -105,8 +105,6 @@ function vpn_ipsec_configure($restart = false)
 	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
 	touch("{$g['vardb_path']}/ipsecpinghosts");
 
-	vpn_ipsec_configure_preferoldsa();
-
 	$syscfg = $config['system'];
 	$ipseccfg = $config['ipsec'];
 	if (!isset($ipseccfg['enable'])) {
@@ -1769,12 +1767,4 @@ EOD;
 	return 0;
 }
 
-function vpn_ipsec_configure_preferoldsa() {
-	global $config;
-	if(isset($config['ipsec']['preferoldsa']))
-		set_single_sysctl("net.key.preferred_oldsa", "-30");
-	else
-		set_single_sysctl("net.key.preferred_oldsa", "0");
-}
-
 ?>