path: root/src/etc/inc/vpn.inc
Commit message [Author, Age, Files, Lines]
* Review license / copyright on all files (final round) [Renato Botelho, 2016-07-15, 1, -2/+2]
|
* Review license / copyright on all files (1st round) [Renato Botelho, 2016-07-14, 1, -55/+55]
|
* set net.isr.dispatch instead since net.inet.ipsec.directdispatch no longer exists. Ticket #4754 [Chris Buechler, 2016-07-09, 1, -1/+1]
* Always use require_once [Phil Davis, 2016-06-27, 1, -1/+1]
|   The usage of require() and require_once() throughout the system is inconsistent, and "bugs" come up now and then when the order of "requires" is a bit different and some require() happens after the include file is already included/required. It seems to me that there is no harm at all in always using require_once().
* require_once auth.inc in vpn.inc since it uses functions from there, though normal use of the system won't require that, those who run certain things manually/custom may require it [Chris Buechler, 2016-06-21, 1, -0/+1]
* Only omit aggressive line from ipsec.conf where IKEv2. Ticket #6513 [Chris Buechler, 2016-06-21, 1, -1/+1]
|
* Disable ipcomp regardless of config setting to avoid problem. Ticket #6167 [Chris Buechler, 2016-05-13, 1, -1/+2]
|
* Omit local identifier for mobile PSKs. Ticket #6286 [Chris Buechler, 2016-04-28, 1, -1/+1]
|
* Use leftsendcert=always where leftcert is defined. Ticket #6082 [Chris Buechler, 2016-04-23, 1, -0/+3]
|
* Add lock in vpn_ipsec_configure. Ticket #6160 [Chris Buechler, 2016-04-14, 1, -0/+4]
|
* Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719. [Chris Buechler, 2016-03-04, 1, -0/+1]
* Fix indent [Renato Botelho, 2016-02-24, 1, -115/+115]
|
* Internationalize etc inc uvx [Phil Davis, 2016-02-19, 1, -22/+22]
|
* Add support for splitting ipsec.conf conn entries for IKEv2. Ticket #4704 [Chris Buechler, 2016-02-18, 1, -1/+1]
|
* Add support for IPsec TFC. Ticket #4688 [Chris Buechler, 2016-02-11, 1, -0/+9]
|
* Fix IKE version "auto". Ticket #5880 [Chris Buechler, 2016-02-11, 1, -1/+2]
|
* Review of CARP uniqid changes. [Luiz Otavio O Souza, 2016-02-09, 1, -28/+22]
|   It turns out that current CARP implementation is not much different from an IP alias.
|
|   This commit converts the IP alias to also use the CARP uniqid scheme, this simplifies the code in all other places because now we have only two different cases to deal with:
|   - A friendly interface name (lan, wan, opt1, etc.);
|   - A Virtual IP - VIP alias (_vip{$uniqid}) - CARP or IP Alias.
|
|   The parent of a CARP is always a friendly interface.
|
|   The parent of an IP alias can be a friendly interface or a CARP (this is the only case of recursion of a VIP).
|
|   This commit removes a few cases where CARP were still considered an interface (the old CARP implementation), fixes all the wrong cases of strpos() being used to detect a VIP address (won't work as it returns '0' which fails when tested as 'TRUE'), review the usage of CARP and IP alias as services bind addresses, fixes general issues of adding and editing VIP addresses.
|
|   The following subsystems were affected by these changes:
|   - IPSEC;
|   - OpenVPN;
|   - dnsmasq;
|   - NTP;
|   - gateways and gateway groups;
|   - IPv6 RA;
|   - GRE interfaces;
|   - CARP status;
|   - Referrer authentication.
|
|   Fixes (and/or revisit) the following tickets:
|   - Ticket #3257
|   - Ticket #3716
|   - Ticket #4450
|   - Ticket #4858
|   - Ticket #5441
|   - Ticket #5442
|   - Ticket #5500
|   - Ticket #5783
|   - Ticket #5844
* Use the NAS IP configured for PPPoE server instances. Ticket #185 [Chris Buechler, 2016-02-02, 1, -0/+3]
|
* Fix #5816 (re)start of IPsec [Phil Davis, 2016-01-26, 1, -5/+7]
|
* Switch to disabling strongswan unity plugin by default. Ticket #4178 [Chris Buechler, 2016-01-23, 1, -1/+1]
|
* Somehow missed this in the committed version. [jim-p, 2016-01-22, 1, -1/+1]
|
* Relocate subnet mask drop-down to a more sensible place on the PPPoE server, add a user login count option. [jim-p, 2016-01-22, 1, -1/+6]
* Fix #4178: [Renato Botelho, 2016-01-20, 1, -13/+9]
|   - Stop moving unity .so file around to make it not being loaded
|   - Include all modules default .conf file from strongswan.d/charon
|   - After default files are included, define custom settings
|   - When unity is disabled, add a rule to make strongswan to not load it
* Fix strongswan.conf indent level [Renato Botelho, 2016-01-20, 1, -1/+1]
|
* Fix strongswan.conf indent level [Renato Botelho, 2016-01-20, 1, -22/+22]
|
* Update license on files from /etc/inc [Renato Botelho, 2016-01-15, 1, -15/+39]
|
* redmine 5702 - switch to high level IPv4 functions instead of low level ip2long32() etc [stilez, 2016-01-12, 1, -2/+2]
* Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used [Renato Botelho, 2015-12-15, 1, -7/+0]
* Code style and white space in etc [Phil Davis, 2015-12-10, 1, -1/+2]
|
* Run ping_hosts.sh once after IPsec start if it's enabled, to avoid a wait of up to 4 minutes for minicron to run it. [Chris Buechler, 2015-12-04, 1, -0/+7]
* Merge pull request #2103 from jlduran/escape-strongswan-radius-key [Renato Botelho, 2015-11-23, 1, -1/+1]
|\
| * Escape RADIUS secret in strongswan.conf [Jose Luis Duran, 2015-11-21, 1, -1/+1]
| |   If a RADIUS secret is, for example, `#secret-key#`, EAP-RADIUS authentication will fail, as the `#` can be interpreted by the strongswan.conf parser as a comment.
| |
| |   To avoid this from happening, set the key within double quotes.
* | Remove the last usage cases of $config['ipsec']['enable']. [Luiz Otavio O Souza, 2015-11-22, 1, -1/+1]
|/    IPSEC is always on in 2.3, where necessary (IPSEC rules, IPSEC daemon), we check the existence of phase 1 entries.
* Create symlinks when target doesn't exist, not only when it's not a link [Renato Botelho, 2015-11-17, 1, -2/+2]
|
* Revert "Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir" [Renato Botelho, 2015-11-12, 1, -2/+2]
|   It's not necessary after creating all symlinks
|
|   This reverts commit d92c10130df38e264c7c77367cf0d542d10794c0.
* Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work). [Matt Smith, 2015-11-11, 1, -13/+24]
* Make sure symlink is created [Renato Botelho, 2015-11-11, 1, -2/+4]
|
* Make sure symlinks is created [Renato Botelho, 2015-11-11, 1, -2/+6]
|
* strongswan.d symlink was created the opposite way, pointy hat to me [Renato Botelho, 2015-11-11, 1, -5/+5]
|
* Create symlinks of ipsec files and directories under /usr/local to deal with hardcoded paths in strongswan [Renato Botelho, 2015-11-11, 1, -3/+39]
* Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir [Renato Botelho, 2015-11-11, 1, -2/+2]
* etc inc delete $Id comments and bits of white space. [Phil Davis, 2015-11-10, 1, -2/+1]
|   Note: There are plenty of files still with old-format copyright sections in here.
* changes for #5219 accidentally reverted unrelated changes made by other commits. Restore those & remove some dead code that was commented out. [Matt Smith, 2015-11-03, 1, -30/+6]
* Don't allow IPsec mobile clients user auth source to not be a RADIUS server if the phase1 auth method is EAP-RADIUS. [Matt Smith, 2015-11-03, 1, -6/+43]
|   Properly handle selection of multiple RADIUS servers when using EAP-RADIUS. Fixes #5219.
* It is not necessary manually disable the IPSEC processing when not used. [Luiz Otavio O Souza, 2015-10-31, 1, -3/+1]
|   With the recent IPSEC changes by gnn@, there is no more performance penalty for 1G networks if you have IPSEC compiled in kernel but not used.
|
|   TAG: tryforward
* The net.inet.ip.fastforward sysctl is retired now. [Luiz Otavio O Souza, 2015-10-31, 1, -3/+0]
|   Tryforward instead, is always on and is compatible with IPSEC.
|
|   TAG: tryforward
* Set leftsendcert=always for IKEv2 configurations with certificates to better accommodate OS X and iOS manual configurations. Fixes #5353 [jim-p, 2015-10-28, 1, -0/+5]
* Make setting charon.plugins.attr.subnet conditional on net_list being set. [Matt Smith, 2015-10-21, 1, -3/+1]
|   Set its value to list of subnets configured as P2's for mobile IPsec. Fixes #5327.
* Disable strongswan logging under auth since it's all logged under daemon, so nothing is duplicated. Ticket #5242 [Chris Buechler, 2015-10-20, 1, -0/+5]
* Limit strongswan trusted CA certificates to those required for authentication of the configured IPsec SA's instead of trusting all known CA's. Fixes #5243. [Matt Smith, 2015-10-16, 1, -22/+46]