From 647c7c48a5b64100aa3e4f28f391b0f6403ab921 Mon Sep 17 00:00:00 2001
From: Seth Mos
Date: Fri, 16 Jan 2009 15:02:25 +0000
Subject: Add initial support for granular IPsec SPD changes.
---
 usr/local/www/vpn_ipsec.php | 6 ++++++
 usr/local/www/vpn_ipsec_phase1.php | 16 ++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 0ba58fe..dc3d45c 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -56,6 +56,7 @@ if ($_POST) {
 if ($_POST['apply']) {
 $retval = 0;
+ $retval = vpn_ipsec_refresh_policies();
 $retval = vpn_ipsec_configure();
 $savemsg = get_std_save_message($retval);
 if ($retval == 0) {
@@ -71,6 +72,7 @@ if ($_POST) {
 $retval = 0;
 config_lock();
+ $retval = vpn_ipsec_refresh_policies();
 $retval = vpn_ipsec_configure();
 config_unlock();
 /* reload the filter in the background */
@@ -99,6 +101,8 @@ if ($_GET['act'] == "delph1")
 /* remove the phase1 entry */
 unset($a_phase1[$_GET['p1index']]);
+ vpn_ipsec_refresh_policies();
+ vpn_ipsec_configure();
 filter_configure();
 write_config();
 header("Location: vpn_ipsec.php");
@@ -111,6 +115,8 @@ if ($_GET['act'] == "delph2")
 if ($a_phase2[$_GET['p2index']]) {
 /* remove the phase2 entry */
 unset($a_phase2[$_GET['p2index']]);
+ vpn_ipsec_refresh_policies();
+ vpn_ipsec_configure();
 filter_configure();
 write_config();
 header("Location: vpn_ipsec.php");
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 936a8dc..21b3f3c 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -42,7 +42,11 @@ require("guiconfig.inc");
 if (!is_array($config['ipsec']['phase1']))
 $config['ipsec']['phase1'] = array();
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
 $a_phase1 = &$config['ipsec']['phase1'];
+$a_phase2 = &$config['ipsec']['phase2'];
 if($config['interfaces']['lan'])
 $specialsrcdst = explode(" ", "lan");
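Review bot: The status returned by `vpn_ipsec_refresh_policies()` is overwritten on the very next line by `$retval = vpn_ipsec_configure();`, so a failed policy refresh never reaches `get_std_save_message($retval)` or the `$retval == 0` branch; the second hunk, inside config_lock()/config_unlock(), has the same pattern. If the new function follows the convention of vpn_ipsec_configure() and returns non-zero on failure, fold both results together, e.g. `$retval = vpn_ipsec_refresh_policies(); $retval |= vpn_ipsec_configure();`, or stop at the first failure. The enclosing `if ($_POST['apply'])` block continues past the hunk.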
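Review bot: The two reconfigure calls added before `filter_configure()` discard their status, whereas the apply handler in this same file feeds the same calls into `$retval` and `get_std_save_message()`, so a failed reload during a delete ends in a redirect with no error shown; the delph2 hunk has the same gap. Both delete handlers are reached through `$_GET['act']` with the entry index also taken from the query string, so the new daemon reload now fires on any GET request that carries those parameters; moving the delete onto a POST form, as the apply path already is, would keep this side effect behind an explicit submit. The enclosing if block for delph1 starts before the hunk.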
@@ -60,6 +64,7 @@ if (isset($p1index) && $a_phase1[$p1index])
 // don't copy the ikeid on dup
 if (!isset($_GET['dup']))
 $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
+ $old_ph1ent = $a_phase1[$p1index];
 $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
@@ -315,6 +320,17 @@ if ($_POST) {
 else
 $a_phase1[] = $ph1ent;
+ /* now we need to find all phase2 entries for this host */
+ if (is_array($a_phase2) && (count($a_phase2))) {
+ foreach ($a_phase2 as $phase2) {
+ if($phase2['ikeid'] == $ph1ent['ikeid']) {
+ log_error("Reload {$ph1ent['descr']} tunnels");
+ $old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']);
+ $old_phase2 = $phase2;
+ reload_tunnel_spd_policy ($ph1ent, $phase2, $old_ph1ent, $old_phase2);
+ }
+ }
+ }
 write_config();
 touch($d_ipsecconfdirty_path);
-- 
cgit v1.1
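Review bot: `$old_ph1ent` is assigned only inside this `isset($p1index) && $a_phase1[$p1index]` branch, so on the add path it never exists, and on the dup path it holds the entry being copied rather than a previous state of the new entry, yet the save handler later in this file reads `$old_ph1ent['remote-gateway']` unconditionally inside its phase2 loop. Initialising it beside the `$a_phase2` setup at the top of the file, `$old_ph1ent = array();`, and guarding the later read with `isset($old_ph1ent['remote-gateway'])` keeps the add and dup paths from touching an undefined variable. The enclosing if block continues outside the hunk.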
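Review bot: `resolve_retry($old_ph1ent['remote-gateway'])` sits inside the foreach, so the old gateway name is re-resolved for every phase2 entry sharing this ikeid, and on the second pass it is already an address from the first; moving it above the loop, `$old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']);` right after the `if (is_array($a_phase2) ...` guard, resolves it at most once. `$old_phase2` is a plain copy of `$phase2`, so reload_tunnel_spd_policy() receives the same phase2 entry as both new and old; if that function compares the two it sees no phase2 change here, which may be intended but deserves a comment such as `/* phase2 itself is unchanged on a phase1 save; only the phase1 side may differ */`. The `count($a_phase2)` test adds nothing over `is_array()` since foreach over an empty array is a no-op. The enclosing `if ($_POST)` block starts before the hunk.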