-rw-r--r--etc/inc/vpn.inc8
-rw-r--r--usr/local/www/vpn_ipsec_settings.php18
2 files changed, 25 insertions, 1 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 103bd70..4dbf94b 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -322,7 +322,12 @@ function vpn_ipsec_configure($restart = false)
mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED /usr/local/lib/ipsec/plugins/libstrongswan-unity.so");
conf_mount_ro();
}
-
+
+ $makebeforebreak = '';
+ if (isset($config['ipsec']['makebeforebreak'])) {
+ $makebeforebreak = 'make_before_break = yes';
+ }
+
if (isset($config['ipsec']['enableinterfacesuse'])) {
if (!empty($ifacesuse)) {
$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
@@ -353,6 +358,7 @@ install_routes = no
{$accept_unencrypted}
cisco_unity = {$unity_enabled}
{$ifacesuse}
+{$makebeforebreak}
# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 7c21817..aab4f47 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -46,6 +46,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
$pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
}
$pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
+$pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']);
$pconfig['noshuntlaninterfaces'] = isset($config['ipsec']['noshuntlaninterfaces']);
$pconfig['compression'] = isset($config['ipsec']['compression']);
$pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']);
@@ -156,6 +157,12 @@ if ($_POST) {
unset($config['ipsec']['unityplugin']);
}
+ if($_POST['makebeforebreak'] == "yes") {
+ $config['ipsec']['makebeforebreak'] = true;
+ } elseif (isset($config['ipsec']['makebeforebreak'])) {
+ unset($config['ipsec']['makebeforebreak']);
+ }
+
if($_POST['noshuntlaninterfaces'] == "yes") {
$config['ipsec']['noshuntlaninterfaces'] = true;
} elseif (isset($config['ipsec']['noshuntlaninterfaces'])) {
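Review bot: `$_POST['makebeforebreak']` is read without an existence check on the first added line, and an unchecked checkbox is simply absent from the request, so every save with the option off raises an undefined-index notice; the adjacent `noshuntlaninterfaces` block has the same shape, but the new code need not copy it. Prefer `if (isset($_POST['makebeforebreak']) && $_POST['makebeforebreak'] === 'yes') {`, which also replaces the loose `==`. The `elseif (isset(...))` guard around `unset()` is redundant, since `unset` on a missing key is a no-op, so the branch can simply be `} else { unset($config['ipsec']['makebeforebreak']); }`. The enclosing `if ($_POST)` block starts and ends outside the hunk.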
@@ -356,6 +363,17 @@ function maxmss_checked(obj) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Make before Break"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="makebeforebreak" type="checkbox" id="makebeforebreak" value="yes" <?php if ($pconfig['makebeforebreak'] == true) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Initiate IKEv2 reauthentication with a make-before-break"); ?></strong>
+ <br />
+ <?=gettext("instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication " .
+ "by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps " .
+ "during reauthentication, but requires support for overlapping SAs by the peer.");?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Auto-exclude LAN address"); ?></td>
<td width="78%" class="vtable">
<input name="noshuntlaninterfaces" type="checkbox" id="noshuntlaninterfaces" value="yes" <?php if (!$pconfig['noshuntlaninterfaces'] == true) echo "checked=\"checked\""; ?> />
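Review bot: The checkbox's `checked` test on the third added line compares `$pconfig['makebeforebreak'] == true`, but that value is already a bool produced by `isset()` in the first hunk of this file, so the comparison adds nothing and the loose `==` only obscures that; `<?php if ($pconfig['makebeforebreak']) echo 'checked="checked"'; ?>` is clearer. The help text itself reads well, though passing one gettext() argument as three concatenated string literals may defeat message extraction if the project's translation tooling relies on xgettext-style scanning — worth confirming against how other long strings on this page are written.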