-rw-r--r--etc/inc/filter.inc9
-rw-r--r--etc/inc/vpn.inc5
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php19
3 files changed, 20 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 402f064..586c9e7 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1791,9 +1791,16 @@ function filter_nat_rules_generate() {
if (is_array($config['ipsec']) && isset($config['ipsec']['enable'])) {
if (is_array($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase2'] as $ph2ent) {
- if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid'])) {
+ if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid']) && !isset($ph2ent['disabled'])) {
if (!function_exists('ipsec_idinfo_to_cidr'))
require_once("ipsec.inc");
+ ipsec_lookup_phase1($ph2ent, $ph1ent);
+ if (!is_array($ph1ent)) {
+ continue;
+ }
+ if (isset($ph1ent['disabled'])) {
+ continue;
+ }
if (!is_array($ph2ent['localid']))
$ph2ent['localid'] = array();
$ph2ent['localid']['mode'] = $ph2ent['mode'];
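Review bot: `$ph1ent` is never reset between iterations of the `foreach`, so if `ipsec_lookup_phase1()` leaves its second argument untouched when no matching phase 1 exists, the `is_array($ph1ent)` test on the next line would see the previous phase 2's parent and a NAT rule could still be emitted for an orphaned entry; I cannot confirm the helper's contract from this hunk. A one-line reset before the lookup removes that dependence: `$ph1ent = null;`. The `require_once("ipsec.inc")` guard above is keyed on `ipsec_idinfo_to_cidr`, so the new call also assumes `ipsec_lookup_phase1` lives in that same include or is already loaded. filter_nat_rules_generate() continues outside the hunk.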
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index f1a376d..7ff5146 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -434,10 +434,15 @@ cisco_unity = {$unity_enabled}
syslog {
identifier = charon
+ # log everything under daemon since it ends up in the same place regardless with our syslog.conf
daemon {
ike_name = yes
{$strongswanlog}
}
+ # disable logging under auth so logs aren't duplicated
+ auth {
+ default = -1
+ }
}
EOD;
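Review bot: `default = -1` under `auth` silences that whole syslog facility, so the correctness of this change rests on syslog.conf routing `daemon.*` and `auth.*` to the same destination, a fact that lives in another file and is only asserted in the comment on the `daemon` block. I would make that dependency explicit where a later syslog change would find it, e.g. extend the comment to `# disable logging under auth so logs aren't duplicated; relies on syslog.conf sending daemon.* and auth.* to the same place, so revisit if those are ever split`. Anyone filtering IKE authentication events on the auth facility will stop seeing them after this change, which is worth a line in the commit message as well. The heredoc begins before this hunk.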
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 7834315..4984f12 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -160,10 +160,12 @@ if ($_POST) {
$method = $pconfig['authentication_method'];
// Unset ca and cert if not required to avaoid storing in config
if ($method == "pre_shared_key" || $method == "xauth_psk_server"){
- unset($pconfig['caref']);
unset($pconfig['certref']);
}
+ if ($method != "rsasig" && $method != "xauth_rsa_server" && $method != "eap-tls") {
+ unset($pconfig['caref']);
+ }
// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
// For RSA methods, require the CA/Cert.
switch ($method) {
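Review bot: The new `caref` guard encodes the set of CA-based methods as a chain of `!=` comparisons, and the same set is hard-coded again in the `methodsel_change()` JavaScript further down this file, so the two can drift apart silently. A list reads as the allow-list it is and is easier to keep in step: `if (!in_array($method, array('rsasig', 'xauth_rsa_server', 'eap-tls'), true)) {` with the `unset($pconfig['caref']);` body unchanged. Consider a short comment naming the JavaScript function as the other place this list lives. The enclosing `if ($_POST)` block continues on both sides of the hunk.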
@@ -496,23 +498,16 @@ function methodsel_change() {
switch (value) {
case 'eap-mschapv2':
- case 'eap-tls':
case 'eap-radius':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
case 'hybrid_rsa_server':
document.getElementById('opt_psk').style.display = 'none';
document.getElementById('opt_peerid').style.display = '';
document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_ca').style.display = 'none';
document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
+ document.getElementById('opt_ca').disabled = true;
break;
+ case 'eap-tls':
case 'xauth_rsa_server':
case 'rsasig':
document.getElementById('opt_psk').style.display = 'none';
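Review bot: `document.getElementById('opt_ca').disabled = true;` sets a property on a table row (`opt_ca` is a `<tr>` in the last hunk of this file), which has no effect on form submission; the `<select name="caref">` inside it stays enabled and is still posted, so hiding the row is the only thing this line achieves. If the intent is to keep `caref` out of the POST for these methods, disable the control itself, e.g. `document.getElementsByName('caref')[0].disabled = true;`, and the same presumably applies to the `opt_ca`/`opt_cert` enable/disable lines the hunk leaves in place, if `opt_cert` is a row as well. The server side now unsets `caref` for these methods, so this is a client-side consistency issue rather than a config-integrity one. `methodsel_change()` starts before the hunk and its `switch` continues after it.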
@@ -829,7 +824,7 @@ function dpdchkbox_change() {
</td>
</tr>
<tr id="opt_ca">
- <td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td>
<td width="78%" class="vtable">
<select name="caref" class="formselect">
<?php