-rw-r--r--etc/inc/vpn.inc26
-rw-r--r--usr/local/www/vpn_ipsec_mobile.php5
-rw-r--r--usr/local/www/vpn_ipsec_settings.php28
3 files changed, 42 insertions, 17 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a37f069..48cc331 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -94,7 +94,7 @@ function vpn_ipsec_convert_to_modp($index)
return $convertion;
}
-function vpn_ipsec_configure($ipchg = false)
+function vpn_ipsec_configure($restart = false)
{
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
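Review bot: Renaming the positional boolean from `$ipchg` to `$restart` silently changes what any existing `vpn_ipsec_configure(true)` call means — a caller that passed `true` to signal an IP change (none are visible in this diff) would now force a full charon restart instead of the old behaviour. The two callers touched in this commit are updated, but the rename deserves a sweep of other call sites, and the parameter should be documented since its only effect is the restart-versus-update choice later in the function: `/* @param bool $restart when true, run a full ipsec restart instead of rereadall/update */`. The function body continues outside the hunk.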
@@ -293,9 +293,15 @@ function vpn_ipsec_configure($ipchg = false)
if (isset($config['ipsec']['acceptunencryptedmainmode']))
$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
+ $stronconf = '';
+ if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf"))
+ $stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
+
$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
if ($aggressive_mode_psk) {
log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+ if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE)
+ $restart = true;
$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
}
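Review bot: The restart detection at L31-L32 is one-directional: a restart is forced when the aggressive-mode PSK option is about to appear in strongswan.conf, but not when it was present and is now being dropped, so if charon only picks this option up at start (which is presumably why the restart is forced here) the running daemon keeps accepting aggressive mode with PSK until something else restarts it. Since the previous file content is already in `$stronconf`, the comparison can be made outside the `if ($aggressive_mode_psk)` block and cover both transitions: `if (!empty($stronconf) && (strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') !== FALSE) !== (bool) $aggressive_mode_psk)` followed by `$restart = true;`. `$aggressive_mode_psk` is assigned outside the hunk, and vpn_ipsec_configure continues past it.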
@@ -308,6 +314,8 @@ function vpn_ipsec_configure($ipchg = false)
else
$ifacesuse = '';
+ unset($strongconf);
+
$strongswan = <<<EOD
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
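Review bot: `unset($strongconf)` at L38 names a variable that does not exist; the file contents were read into `$stronconf` (L24-L26 of the previous hunk), so the unset is a no-op and the copy of strongswan.conf stays in scope for the rest of the function. PHP does not warn about unsetting an undefined variable, so nothing flags the mismatch. Spell both the same — `$strongconf` reads as the intended name — at L24, L26, L31 and L38.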
@@ -993,13 +1001,17 @@ EOD;
set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
/* mange process */
- if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
- /* Read secrets */
- mwexec("/usr/local/sbin/ipsec rereadall", false);
- /* Update configuration changes */
- mwexec("/usr/local/sbin/ipsec update", false);
+ if ($restart === true) {
+ mwexec("/usr/local/sbin/ipsec restart", false);
} else {
- mwexec("/usr/local/sbin/ipsec start", false);
+ if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
+ /* Read secrets */
+ mwexec("/usr/local/sbin/ipsec rereadall", false);
+ /* Update configuration changes */
+ mwexec("/usr/local/sbin/ipsec update", false);
+ } else {
+ mwexec("/usr/local/sbin/ipsec start", false);
+ }
}
if ($natfilterrules == true)
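Review bot: The `else` at L52 wrapping a second `if/else` (L54-L61) nests one level deeper than needed; `} elseif (isvalidpid("{$g['varrun_path']}/charon.pid")) {` with the start call in the final `else` reads flatter and keeps the three outcomes at one level. The new branch at L50 also deserves a comment saying why a separate full-restart path exists, since `/* mange process */` does not explain it: `/* caller asked for a full daemon restart (see vpn_ipsec_settings.php / vpn_ipsec_mobile.php) rather than rereadall/update */`. The enclosing function ends outside the hunk.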
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index ac32a87..98072d8 100644
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -112,7 +112,8 @@ if ($_POST['create']) {
if ($_POST['apply']) {
$retval = 0;
- $retval = vpn_ipsec_configure();
+ /* NOTE: #4353 Always restart ipsec when mobile clients settings change */
+ $retval = vpn_ipsec_configure(true);
$savemsg = get_std_save_message($retval);
if ($retval >= 0)
if (is_subsystem_dirty('ipsec'))
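Review bot: `vpn_ipsec_configure(true)` at L73 restarts the daemon on every Apply from this page, not only when a mobile-client setting actually changed, and a restart — unlike `ipsec update` — is expected to drop established SAs, so an admin applying an unrelated pending IPsec change from here pays that cost too. vpn_ipsec_settings.php in this same commit tracks a `$needsrestart` flag and passes `true` only when a relevant setting changed; the same approach would fit here, or the NOTE at L72 should say that the unconditional restart is deliberate. The `$retval = 0;` at L70 is now immediately overwritten and can go. The surrounding `if ($_POST['apply'])` block continues outside the hunk.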
@@ -227,8 +228,6 @@ if ($_POST['submit']) {
if ($pconfig['login_banner_enable'])
$client['login_banner'] = $pconfig['login_banner'];
-// $echo "login banner = {$pconfig['login_banner']}";
-
$a_client = $client;
write_config();
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 9de5a26..fa9ae0b 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -130,20 +130,34 @@ if ($_POST) {
}
}
- if($_POST['compression'] == "yes")
+ $needsrestart = false;
+
+ if($_POST['compression'] == "yes") {
+ if (!isset($config['ipsec']['compression']))
+ $needsrestart = true;
$config['ipsec']['compression'] = true;
- elseif (isset($config['ipsec']['compression']))
+ } elseif (isset($config['ipsec']['compression'])) {
+ $needsrestart = true;
unset($config['ipsec']['compression']);
+ }
- if($_POST['unityplugin'] == "yes")
+ if($_POST['unityplugin'] == "yes") {
+ if (!isset($config['ipsec']['unityplugin']))
+ $needsrestart = true;
$config['ipsec']['unityplugin'] = true;
- elseif (isset($config['ipsec']['unityplugin']))
+ } elseif (isset($config['ipsec']['unityplugin'])) {
+ $needsrestart = true;
unset($config['ipsec']['unityplugin']);
+ }
- if($_POST['acceptunencryptedmainmode'] == "yes")
+ if($_POST['acceptunencryptedmainmode'] == "yes") {
+ if (!isset($config['ipsec']['acceptunencryptedmainmode']))
+ $needsrestart = true;
$config['ipsec']['acceptunencryptedmainmode'] = true;
- elseif (isset($config['ipsec']['acceptunencryptedmainmode']))
+ } elseif (isset($config['ipsec']['acceptunencryptedmainmode'])) {
+ $needsrestart = true;
unset($config['ipsec']['acceptunencryptedmainmode']);
+ }
if($_POST['maxmss_enable'] == "yes") {
$config['system']['maxmss_enable'] = true;
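Review bot: The three toggle blocks at L94-L122 are the same eight lines with only the key changed, and the new lines keep the loose `$_POST[...] == "yes"` comparison with no `isset()` guard, so an unchecked box relies on the undefined-index notice being suppressed before the comparison runs. A loop over the three keys with a strict comparison derives `$needsrestart` from whether the requested state differs from the stored one and keeps the config update in one place; `unset()` on a missing key is a no-op, so the `elseif (isset(...))` guard is not needed. The enclosing `if ($_POST)` block starts and ends outside the hunk.
```php
$needsrestart = false;

/* Restart only when one of these toggles actually changed state. */
foreach (array('compression', 'unityplugin', 'acceptunencryptedmainmode') as $opt) {
    $wanted = isset($_POST[$opt]) && $_POST[$opt] === "yes";
    if ($wanted !== isset($config['ipsec'][$opt]))
        $needsrestart = true;
    if ($wanted)
        $config['ipsec'][$opt] = true;
    else
        unset($config['ipsec'][$opt]);
}
// … unchanged: maxmss_enable handling …
```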
@@ -163,7 +177,7 @@ if ($_POST) {
$savemsg = gettext($retval);
vpn_ipsec_configure_preferoldsa();
- vpn_ipsec_configure();
+ vpn_ipsec_configure($needsrestart);
vpn_ipsec_configure_loglevels();
// header("Location: vpn_ipsec_settings.php");