From 13403bd102c4a25b366ac7d8556ab13a581c31a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ermal=20LU=C3=87I?=
Date: Tue, 30 Dec 2014 23:34:55 +0100
Subject: Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking of putting the wrong value in the secrets file for traffic selector
---
 etc/inc/vpn.inc | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d0fb807..e582fcd 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -484,10 +484,14 @@ EOD;
 if (empty($peerid_data))
 continue;
- $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
 $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
- if (!empty($ph1ent['pre-shared-key']))
- $pskconf .= $myid . $peerid . " : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ if (!empty($ph1ent['pre-shared-key'])) {
+ if ($myid_type == 'fqdn' && !empty($myid_data))
+ $pskconf .= "@{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ else
+ $pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
+ }
 }
 }
 }
@@ -496,7 +500,7 @@ EOD;
 if (is_array($config['system']) && is_array($config['system']['user'])) {
 foreach ($config['system']['user'] as $user) {
 if (!empty($user['ipsecpsk'])) {
- $pskconf .= "{$myid} {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
+ $pskconf .= "%any {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
 }
 }
 unset($user);
@@ -507,7 +511,7 @@ EOD;
 foreach ($ipseccfg['mobilekey'] as $key) {
 if ($key['ident'] == "allusers")
 $key['ident'] = '%any';
- $pskconf .= "{$myid} {$key['ident']} : PSK 00" . base64_encode($key['pre-shared-key']) . "\n";
+ $pskconf .= "%any {$key['ident']} : PSK 00" . base64_encode($key['pre-shared-key']) . "\n";
 }
 unset($key);
 }
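Review bot: The added `if ($myid_type == 'fqdn' && !empty($myid_data))` tests the raw ID but prefixes `$myid`, which the line above sets to the literal `"%any"` whenever `$ph1ent['mobile']` is unset, so a non-mobile tunnel whose local ID is an FQDN gets a selector of `@%any <peerid>` instead of the intended wildcard. Building the prefix into the assignment avoids that: `$myid = isset($ph1ent['mobile']) ? (($myid_type == 'fqdn' && !empty($myid_data)) ? '@' : '') . trim($myid_data) : "%any";` followed by a single `$pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";` with no if/else. The peer selector is still written without `@`, whereas the hunk at line 560 prepends it to `$peerid_data` for the conn definition; if `$peerid_type` comes from the same ipsec_find_id call that produces `$peerid_data` (assigned before this hunk), an FQDN peer ID needs the same prefix so the secrets selector matches rightid rather than being resolved through DNS. The same verbatim-selector concern applies to `$key['ident']` in the hunk at line 511 if mobile key identifiers may be hostnames. The enclosing foreach and function begin before the hunk.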
@@ -556,7 +560,11 @@ EOD;
 $right_spec = $ph1ent['remote-gateway'];
 list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ if ($myid_type == 'fqdn')
+ $myid_data = "@{$myid_data}";
 list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ if ($peerid_type == 'fqdn')
+ $peerid_data = "@{$peerid_data}";
 /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
 $peerid_spec = '';
-- cgit v1.1
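Review bot: The added `if ($myid_type == 'fqdn')` and `if ($peerid_type == 'fqdn')` guards lack the `!empty()` check that the secrets hunk at line 484 applies, so an fqdn-typed ID with empty data becomes a bare `@` in the resulting leftid/rightid; `if ($myid_type == 'fqdn' && !empty($myid_data))` and `if ($peerid_type == 'fqdn' && !empty($peerid_data))` keep the two places consistent. Rewriting `$myid_data` and `$peerid_data` in place also means every later use of those variables in this function sees the prefixed value; if anything after this hunk compares or re-emits them (the rest of the function is not visible here), a dedicated spec variable in the style of the existing `$peerid_spec` would be safer than mutating the ID itself. The enclosing function continues past the hunk.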