author | Stephen Beaver <sbeaver@netgate.com> | 2015-09-22 15:37:51 -0400 |
---|---|---|
committer | Stephen Beaver <sbeaver@netgate.com> | 2015-09-22 15:37:51 -0400 |
commit | 7e4abf2603554b8977f492f4e0565f622eb3ebce (patch) | |
tree | 1b3218cb0ae053500b7a702256067a65ba895636 /src | |
parent | af71b28876a8bbf3e0f0dd3fa4dc7ecb338da35a (diff) | |
download | pfsense-7e4abf2603554b8977f492f4e0565f622eb3ebce.zip pfsense-7e4abf2603554b8977f492f4e0565f622eb3ebce.tar.gz |
Fixed #5188
Diffstat (limited to 'src')
-rw-r--r-- | src/usr/local/www/vpn_ipsec_settings.php | 117 |
1 files changed, 78 insertions, 39 deletions
diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
index 29c687b..28440cb 100644
--- a/src/usr/local/www/vpn_ipsec_settings.php
+++ b/src/usr/local/www/vpn_ipsec_settings.php
@@ -1,31 +1,58 @@ <?php /* vpn_ipsec_settings.php - - Copyright (C) 2015 Electric Sheep Fencing, LLC - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. */ +/* ==================================================================== + * Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved. + * Copyright (c) 2004, 2005 Scott Ullrich + * + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. 
Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgment: + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution. (http://www.pfsense.org/). + * + * 4. The names "pfSense" and "pfSense Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * coreteam@pfsense.org. + * + * 5. Products derived from this software may not be called "pfSense" + * nor may "pfSense" appear in their names without prior written + * permission of the Electric Sheep Fencing, LLC. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution (http://www.pfsense.org/). + * + * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * ==================================================================== + * + */ ##|+PRIV ##|*IDENT=page-vpn-ipsec-settings @@ -46,6 +73,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) { $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"]; } } + $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']); $pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']); $pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']); @@ -58,7 +86,6 @@ $pconfig['maxmss'] = $config['system']['maxmss']; $pconfig['uniqueids'] = $config['ipsec']['uniqueids']; if ($_POST) { - unset($input_errors); $pconfig = $_POST; @@ -162,7 +189,7 @@ if ($_POST) { $needsrestart = true; unset($config['ipsec']['unityplugin']); } - + if ($_POST['strictcrlpolicy'] == "yes") { $config['ipsec']['strictcrlpolicy'] = true; } elseif (isset($config['ipsec']['strictcrlpolicy'])) { @@ -258,15 +285,11 @@ function maxmss_checked(obj) { </script> <?php - if ($savemsg) { - print_info_box($savemsg); - } - if ($input_errors) { - print_input_errors($input_errors); - } -?> +if ($savemsg) + print_info_box($savemsg); -<?php +if ($input_errors) + print_input_errors($input_errors); $tab_array = array(); $tab_array[0] = array(gettext("Tunnels"), false, "vpn_ipsec.php"); 
@@ -372,11 +395,27 @@ $section->addInput(new Form_Checkbox( ))->setHelp('Disable Unity Plugin which provides Cisco Extension support as Split-Include, Split-Exclude, Split-Dns, ...'); $section->addInput(new Form_Checkbox( - 'shuntlaninterfaces', - 'Bypass LAN address', - 'Enable bypass for LAN interface ip', - $pconfig['shuntlaninterfaces'] -))->setHelp('Prevent LAN ip address to be processed for IPsec traffic.'); + 'strictcrlpolicy', + 'Strict CRL Checking', + 'Enable strict Certificate Revocation List checking', + $pconfig['strictcrlpolicy'] +))->setHelp('Check this to require availability of a fresh CRL for peer authentication based on RSA signatures to succeed.'); + +$section->addInput(new Form_Checkbox( + 'makebeforebreak', + 'Make before Break', + 'Initiate IKEv2 reauthentication with a make-before-break', + $pconfig['makebeforebreak'] +))->setHelp('instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication ' . + 'by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps ' . + 'during reauthentication, but requires support for overlapping SAs by the peer'); + +$section->addInput(new Form_Checkbox( + 'noshuntlaninterfaces', + 'Auto-exclude LAN address', + 'Enable bypass for LAN interface IP', + !$pconfig['noshuntlaninterfaces'] +))->setHelp('Exclude traffic from LAN subnet to LAN IP address from IPsec.'); $form->add($section); |
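Review bot: The `noshuntlaninterfaces` checkbox added at the end of this hunk is rendered from `!$pconfig['noshuntlaninterfaces']`, so the box is ticked when the config flag is absent while the form field keeps the negative name; the save path in the `$_POST` branch (outside this hunk) must apply the same inversion, otherwise a round trip through this page silently flips whether traffic from the LAN subnet to the LAN IP is kept out of IPsec. I cannot see that handler here, so please confirm it unsets `noshuntlaninterfaces` when the box posts `yes` and sets it when the box is absent, and make the double negative explicit with a comment above the `addInput` call: `// Inverted on purpose: a ticked box means the LAN address IS excluded, i.e. config 'noshuntlaninterfaces' is unset; the POST handler inverts again on save.` Separately, the hunk at `@@ -258,15 +285,11 @@` drops the braces around the single-statement `if ($savemsg)` and `if ($input_errors)` bodies that the rest of the file keeps; restoring `if ($savemsg) { print_info_box($savemsg); }` avoids the dangling-statement mistake on the next edit.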