author | Chris Buechler <cmb@pfsense.org> | 2014-11-29 13:43:33 -0600 |
committer | Chris Buechler <cmb@pfsense.org> | 2014-11-29 13:43:33 -0600 |
commit | e3afacbb410da30eb47c41f702c1cc896b3fb042 (patch) | |
tree | ebeadf0de2fdca40bae31fb57e35ada62e1f586d /etc | |
parent | cc62e5eda0fad842cd13d56937248300d96b1c13 (diff) | |
Only set i_dont_care_about_security_and_use_aggressive_mode_psk=yes where there is a P1 with aggressive+PSK enabled. Log a warning when such a configuration is in use.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 5b018b7..54b4347 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -168,6 +168,7 @@ function vpn_ipsec_configure($ipchg = false)
 	$rgmap = array();
 	$filterdns_list = array();
 	$listeniflist = array();
+	$aggressive_mode_psk = false;
 	unset($iflist);
 
 	if (is_array($a_phase1) && count($a_phase1)) {
@@ -177,6 +178,9 @@ function vpn_ipsec_configure($ipchg = false)
 			if (isset($ph1ent['disabled']))
 				continue;
 
+			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
+				$aggressive_mode_psk = true;
+
 			$ikeid = $ph1ent['ikeid'];
 			$listeniflist = get_real_interface($a_phase1['interface']);
 
@@ -276,6 +280,11 @@ function vpn_ipsec_configure($ipchg = false)
 		if (isset($config['ipsec']['acceptunencryptedmainmode']))
 			$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
 
+		$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
+		if ($aggressive_mode_psk) {
+			log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+			$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
+		}
 		$strongswan = <<<EOD
 
 # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
@@ -290,10 +299,7 @@ charon {
 	ikesa_table_segments = 4
 	init_limit_half_open = 1000
 	install_routes = no
-
-	# XXX: There is not much choice here really users win their security!
-	i_dont_care_about_security_and_use_aggressive_mode_psk=yes
-
+	{$i_dont_care_about_security_and_use_aggressive_mode_psk}
 	{$accept_unencrypted}
 	cisco_unity = yes |
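Review bot: The aggressive-mode test in the second hunk reads `$ph1ent['mode']` and `$ph1ent['authentication_method']` with loose `==` and no `isset()` guard, so a phase 1 entry that lacks either key (the entry shape is not visible here, so this is inferred) would raise an undefined-index notice on every reconfigure; `if (isset($ph1ent['mode']) && $ph1ent['mode'] === "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"), true))` keeps the same result for well-formed entries and is strict about the string values. The warning in the third hunk also does not say which phase 1 triggered it; because the charon option is global and, once emitted, applies to every tunnel charon handles, collecting `$ph1ent['ikeid']` where `$aggressive_mode_psk = true;` is set and including it in the `log_error()` text would let an administrator find and correct the specific entry. Since the log line is emitted on every call that regenerates the config, naming the entry also makes the repeated message actionable rather than merely noisy. vpn_ipsec_configure's body starts before and ends after these hunks.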