From 979cd6db9c6a81493498660f7205faabf25ed6ec Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@pfsense.org>
Date: Mon, 17 Dec 2007 00:30:54 +0000
Subject: Adding dnswatch support.

Obtained-from: m0n0wall
---
 etc/inc/util.inc |  19 ++
 etc/inc/vpn.inc  | 924 +++++++++++++++++++++++++++++++++----------------------
 2 files changed, 576 insertions(+), 367 deletions(-)

diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 487efed..7c46eac 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -555,4 +555,23 @@ function mac_format($clientmac) {
     }
 }
 
+function resolve_retry($hostname, $retries = 5) {
+
+       if (is_ipaddr($hostname))
+               return $hostname;
+
+       for ($i = 0; $i < $retries; $i++) {
+               $ip = gethostbyname($hostname);
+
+               if ($ip && $ip != $hostname) {
+                       /* success */
+                       return $ip;
+               }
+
+               sleep(1);
+       }
+
+       return false;
+}
+
 ?>
\ No newline at end of file
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a984c5b..2c30acf 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1,7 +1,8 @@
 <?php
+
 /*
 	vpn.inc
-	Copyright (C) 2004-2006 Scott Ullrich
+	Copyright (C) 2004 Scott Ullrich
 	All rights reserved.
 
 	originally part of m0n0wall (http://m0n0.ch/wall)
@@ -31,7 +32,7 @@
 */
 
 /* include all configuration functions */
-require_once("functions.inc");
+require_once ("functions.inc");
 
 /* master setup for vpn (mpd) */
 function vpn_setup() {
@@ -40,6 +41,9 @@ function vpn_setup() {
 
 	/* start pppoe server */
 	vpn_pppoe_configure();
+
+	/* setup l2tp */
+	vpn_l2tp_configure();
 }
 
 function vpn_ipsec_failover_configure() {
@@ -47,22 +51,22 @@ function vpn_ipsec_failover_configure() {
 
 	$sasyncd_text = "";
 
-	if($config['installedpackages']['sasyncd']['config'] <> "")
-		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
-			$enabled = isset($sasyncd['enable']);
-			if(!$enabled)
+	if ($config['installedpackages']['sasyncd'] <> "")
+		foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
+			$enabled = isset ($sasyncd['enable']);
+			if (!$enabled)
 				return;
-			if($sasyncd['peerip'] <> "")
+			if ($sasyncd['peerip'] <> "")
 				$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
-			if($sasyncd['interface'])
+			if ($sasyncd['interface'])
 				$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
-			if($sasyncd['sharedkey'] <> "")
+			if ($sasyncd['sharedkey'] <> "")
 				$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
-			if($sasyncd['mode'] <> "")
+			if ($sasyncd['mode'] <> "")
 				$sasyncd_text .= "mode {$sasyncd['mode']}\n";
-			if($sasyncd['listenon'] <> "")
+			if ($sasyncd['listenon'] <> "")
 				$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
-			if($sasyncd['flushmodesync'] <> "")
+			if ($sasyncd['flushmodesync'] <> "")
 				$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
 		}
 
@@ -74,40 +78,39 @@ function vpn_ipsec_failover_configure() {
 	mwexec("killall sasyncd");
 
 	/* launch sasyncd, oh wise one */
-	/* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */
+	mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v");
 }
 
 function find_last_gif_device() {
-	 	$regs = "";
-        $last_gif_found = -1;
-        if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1;
-        $ifconfig_data = fread($fp, 4096);
-        pclose($fp);
-        $ifconfig_array = split(" ", $ifconfig_data);
-        foreach ($ifconfig_array as $ifconfig) {
-                ereg("gif(.)", $ifconfig, $regs);
-                if($regs[0]) {
-                        if($regs[0] > $last_gif_found)
-                                $last_gif_found = $regs[1];
-                }
-        }
-        return $last_gif_found;
+	$last_gif_found = -1;
+	$regs = "";
+	if (!($fp = popen("/sbin/ifconfig -l", "r")))
+		return -1;
+	$ifconfig_data = fread($fp, 4096);
+	pclose($fp);
+	$ifconfig_array = split(" ", $ifconfig_data);
+	foreach ($ifconfig_array as $ifconfig) {
+		ereg("gif(.)", $ifconfig, $regs);
+		if ($regs[0] && $regs[0] > $last_gif_found) {
+			$last_gif_found = $regs[1];
+		}
+	}
+	return $last_gif_found;
 }
 
 function vpn_ipsec_configure($ipchg = false) {
 	global $config, $g, $sa, $sn;
 
-	mwexec("/sbin/ifconfig enc0 create");
 	mwexec("/sbin/ifconfig enc0 up");
 
 	/* get the automatic /etc/ping_hosts.sh ready */
 	unlink_if_exists("/var/db/ipsecpinghosts");
 	touch("/var/db/ipsecpinghosts");
 
-	if($g['booting'] == true) {
+	if ($g['booting'] == true) {
 		/* determine if we should load the via padlock module */
-		$dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`;
-		if(stristr($dmesg_boot, "ACE") == true) {
+		$dmesg_boot = `/usr/bin/grep CPU {$g['varlog_path']}/dmesg.boot`;
+		if (stristr($dmesg_boot, "ACE") == true) {
 			//echo "Enabling [VIA Padlock] ...";
 			//mwexec("/sbin/kldload padlock");
 			//mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1");
@@ -124,7 +127,7 @@ function vpn_ipsec_configure($ipchg = false) {
 	}
 
 	$number_of_gifs = find_last_gif_device();
-	for($x=0; $x<$number_of_gifs; $x++) {
+	for ($x = 0; $x < $number_of_gifs; $x++) {
 		mwexec("/sbin/ifconfig gif" . $x . " delete");
 	}
 
@@ -137,14 +140,16 @@ function vpn_ipsec_configure($ipchg = false) {
 	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
 	$lansn = $lancfg['subnet'];
 
+
 	if (!isset($ipseccfg['enable'])) {
 		mwexec("/sbin/ifconfig enc0 down");
 		mwexec("/sbin/ifconfig enc0 destroy");
 
 		/* kill racoon */
 		mwexec("/usr/bin/killall racoon");
-
-		/* wait for process to die */
+		killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid");
+		
+		/* wait for racoon process to die */
 		sleep(2);
 
 		/* send a SIGKILL to be sure */
@@ -161,10 +166,9 @@ function vpn_ipsec_configure($ipchg = false) {
 		echo "Configuring IPsec VPN... ";
 	}
 
-	if (isset($ipseccfg['enable'])) {
-
+	if (isset ($ipseccfg['enable'])) {
 		/* fastforwarding is not compatible with ipsec tunnels */
-		system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1");
+		mwexec("/sbin/sysctl net.inet.ip.fastforwarding=0");
 
 		if (!$curwanip) {
 			/* IP address not configured yet, exit */
@@ -174,10 +178,12 @@ function vpn_ipsec_configure($ipchg = false) {
 		}
 
 		if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
-				isset($ipseccfg['mobileclients']['enable'])) {
-
+		  isset ($ipseccfg['mobileclients']['enable'])) {
+		  
+			$dnswatch_list = array();
+			$rgmap = array();
+		  
 			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {
-
 				/* generate spd.conf */
 				$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
 				if (!$fd) {
@@ -191,21 +197,32 @@ function vpn_ipsec_configure($ipchg = false) {
 				$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
 
 				foreach ($ipseccfg['tunnel'] as $tunnel) {
-
-					if (isset($tunnel['disabled']))
+					if (isset ($tunnel['disabled']))
 						continue;
 
+				   /* see if this tunnel has a hostname for the remote-gateway, and if so,
+				      try to resolve it now and add it to the list for dnswatch */
+				   if (!is_ipaddr($tunnel['remote-gateway'])) {
+				           $dnswatch_list[] = $tunnel['remote-gateway'];
+				           $rgip = resolve_retry($tunnel['remote-gateway']);
+				
+				           if (!$rgip)
+				                   continue;
+				
+				   } else {
+				           $rgip = $tunnel['remote-gateway'];
+				   }
+				   $rgmap[$tunnel['remote-gateway']] = $rgip;
+
 					$ep = vpn_endpoint_determine($tunnel, $curwanip);
-					if (!$ep) {
-						log_error("Could not deterimine VPN endpoint for {$tunnel['descr']}");
-						continue;	
-					}
+					if (!$ep)
+						continue;
 
 					vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
 
-					if(is_domain($tunnel['remote-gateway'])) {
+					if (is_domain($tunnel['remote-gateway'])) {
 						$tmp = gethostbyname($tunnel['remote-gateway']);
-						if($tmp)
+						if ($tmp)
 							$tunnel['remote-gateway'] = $tmp;
 					}
 
@@ -225,31 +242,28 @@ function vpn_ipsec_configure($ipchg = false) {
 						fclose($pfd);
 					}
 
-					if(isset($tunnel['creategif'])) {
+					if (isset ($tunnel['creategif'])) {
 						$number_of_gifs = find_last_gif_device();
 						$number_of_gifs++;
 						$curwanip = get_current_wan_address();
-
+						if ($config['installedpackages']['sasyncd']['config'] <> "")
+							foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
+								if ($sasyncd['ip'] <> "")
+									$curwanip = $sasyncd['ip'];
+							}
 						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);
 						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
 					}
 
 					$spdconf .= "spdadd {$sa}/{$sn} " .
-						"{$tunnel['remote-subnet']} any -P out ipsec " .
-						"{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
-						"{$tunnel['remote-gateway']}/unique;\n";
+					  "{$tunnel['remote-subnet']} any -P out ipsec " .
+					  "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
+					  "{$rgip}/unique;\n";
 
 					$spdconf .= "spdadd {$tunnel['remote-subnet']} " .
-						"{$sa}/{$sn} any -P in ipsec " .
-						"{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
-						"{$ep}/unique;\n";
-				
-					if($tunnel['interface'] <> "wan") {
-						/* static route needed? */
-						if(strstr("carp", $tunnel['interface'])) {
-							
-						}
-					}
+					  "{$sa}/{$sn} any -P in ipsec " .
+					  "{$tunnel['p2']['protocol']}/tunnel/{$rgip}-" .
+					  "{$ep}/unique;\n";
 				}
 
 				fwrite($fd, $spdconf);
@@ -272,11 +286,11 @@ function vpn_ipsec_configure($ipchg = false) {
 			$cacertnum = 0;
 			if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert']))
 				foreach ($ipseccfg['cacert'] as $cacert) {
-					++$cacertnum;
-					if (isset($cacert['cert'])) {
+					++ $cacertnum;
+					if (isset ($cacert['cert'])) {
 						$cert = base64_decode($cacert['cert']);
 						$x509cert = openssl_x509_parse(openssl_x509_read($cert));
-						if(is_array($x509cert) && isset($x509cert['hash'])) {
+						if (is_array($x509cert) && isset ($x509cert['hash'])) {
 							$fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
 							if (!$fd1) {
 								printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
@@ -293,108 +307,118 @@ function vpn_ipsec_configure($ipchg = false) {
 			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
 				foreach ($ipseccfg['tunnel'] as $tunnel) {
 
-				++$tunnelnumber;
-
-				if (isset($tunnel['disabled']))
-					continue;
+					++ $tunnelnumber;
 
-				$ep = vpn_endpoint_determine($tunnel, $curwanip);
-				if (!$ep)
-					continue;
+					if (isset ($tunnel['disabled']))
+						continue;
 
-				vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
 
-				if (isset($tunnel['p1']['myident']['myaddress'])) {
-					$myidentt = "address";
-					$myident = $ep;
-				} else if (isset($tunnel['p1']['myident']['address'])) {
-					$myidentt = "address";
-					$myident = $tunnel['p1']['myident']['address'];
-				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
-					$myidentt = "fqdn";
-					$myident = $tunnel['p1']['myident']['fqdn'];
-				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
-					$myidentt = "user_fqdn";
-					$myident = $tunnel['p1']['myident']['ufqdn'];
-				} else if (isset($tunnel['p1']['myident']['asn1dn'])) {
-					$myidentt = "asn1dn";
-					$myident = $tunnel['p1']['myident']['asn1dn'];
- 				} else if (isset($tunnel['p1']['myident']['dyn_dns'])) {
-					$myidentt = "dyn_dns";
-					$myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
- 				}
-
-				$nattline = '';
-				if (isset($tunnel['natt'])) {
-					$nattline = "nat_traversal on;";
-				}
+					  $rgip = $rgmap[$tunnel['remote-gateway']];
+					   if (!$rgip)
+					           continue;
 
-				if (isset($tunnel['p1']['authentication_method'])) {
-					$authmethod = $tunnel['p1']['authentication_method'];
-				} else {$authmethod = 'pre_shared_key';}
+					$ep = vpn_endpoint_determine($tunnel, $curwanip);
+					if (!$ep)
+						continue;
 
-				$certline = '';
+					vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
 
-				if ($authmethod == 'rsasig') {
-					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
-						$cert = base64_decode($tunnel['p1']['cert']);
-						$private_key = base64_decode($tunnel['p1']['private-key']);
-					} else {
-						/* null certificate/key */
-						$cert = '';
-						$private_key = '';
+					if (isset ($tunnel['p1']['myident']['myaddress'])) {
+						$myidentt = "address";
+						$myident = $ep;
+					} elseif (isset ($tunnel['p1']['myident']['address'])) {
+						$myidentt = "address";
+						$myident = $tunnel['p1']['myident']['address'];
+					} elseif (isset ($tunnel['p1']['myident']['fqdn'])) {
+						$myidentt = "fqdn";
+						$myident = $tunnel['p1']['myident']['fqdn'];
+					} elseif (isset ($tunnel['p1']['myident']['ufqdn'])) {
+						$myidentt = "user_fqdn";
+						$myident = $tunnel['p1']['myident']['ufqdn'];
+					} else if (isset($tunnel['p1']['myident']['asn1dn'])) {
+						$myidentt = "asn1dn";
+						$myident = $tunnel['p1']['myident']['asn1dn'];					
+					} else if (isset($tunnel['p1']['myident']['asn1dn'])) {
+						$myidentt = "asn1dn";
+						$myident = $tunnel['p1']['myident']['asn1dn'];						
+					} elseif (isset ($tunnel['p1']['myident']['dyn_dns'])) {
+						$myidentt = "dyn_dns";
+						$myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
 					}
 
-					if ($tunnel['p1']['peercert'])
-						$peercert = base64_decode($tunnel['p1']['peercert']);
-					else
-						$peercert = '';
-
-					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
-					if (!$fd1) {
-						printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
-						return 1;
+					$nattline = '';
+					if (isset($tunnel['natt'])) {
+						$nattline = "nat_traversal on;";
 					}
-					chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
-					fwrite($fd1, $cert);
-					fclose($fd1);
 
-					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
-					if (!$fd1) {
-						printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
-						return 1;
+					if (isset ($tunnel['p1']['authentication_method'])) {
+						$authmethod = $tunnel['p1']['authentication_method'];
+					} else {
+						$authmethod = 'pre_shared_key';
 					}
-					chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
-					fwrite($fd1, $private_key);
-					fclose($fd1);
 
-					$certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
+					$certline = '';
+
+					if ($authmethod == 'rsasig') {
+						if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
+							$cert = base64_decode($tunnel['p1']['cert']);
+							$private_key = base64_decode($tunnel['p1']['private-key']);
+						} else {
+							/* null certificate/key */
+							$cert = '';
+							$private_key = '';
+						}
 
-					if ($peercert!=''){
-						$fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
+						if ($tunnel['p1']['peercert'])
+							$peercert = base64_decode($tunnel['p1']['peercert']);
+						else
+							$peercert = '';
+
+						$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
 						if (!$fd1) {
 							printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
 							return 1;
 						}
-						chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
-						fwrite($fd1, $peercert);
+						chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
+						fwrite($fd1, $cert);
+						fclose($fd1);
+
+						$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
+						if (!$fd1) {
+							printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
+							return 1;
+						}
+						chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
+						fwrite($fd1, $private_key);
 						fclose($fd1);
-						$certline .= <<<EOD
+
+						$certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
+
+						if ($peercert != '') {
+							$fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
+							if (!$fd1) {
+								printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
+								return 1;
+							}
+							chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
+							fwrite($fd1, $peercert);
+							fclose($fd1);
+							$certline .=<<<EOD
 
 	peers_certfile "peer{$tunnelnumber}-signed.pem";
 EOD;
+						}
 					}
-				}
-				$myidentifier = $myidentt;
-				if (!empty($myident)) 
-					$myidentifier .= ' "' . $myident . '"';
-				$racoonconf .= <<<EOD
+					$myidentifier = $myidentt;
+					if (!empty($myident)) 
+						$myidentifier .= ' "' . $myident . '"';					
+					$racoonconf .=<<<EOD
 remote {$tunnel['remote-gateway']} \{
 	exchange_mode {$tunnel['p1']['mode']};
 	my_identifier {$myidentifier};
 	{$nattline}
 	{$certline}
-	peers_identifier address {$tunnel['remote-gateway']};
+	peers_identifier address {$rgip};
 	initial_contact on;
 	support_proxy on;
 	proposal_check obey;
@@ -406,20 +430,20 @@ remote {$tunnel['remote-gateway']} \{
 		dh_group {$tunnel['p1']['dhgroup']};
 
 EOD;
-				if ($tunnel['p1']['lifetime'])
-					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+					if ($tunnel['p1']['lifetime'])
+						$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
 
-				$racoonconf .= "	}\n";
+					$racoonconf .= "	}\n";
 
-				if ($tunnel['p1']['lifetime'])
-					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+					if ($tunnel['p1']['lifetime'])
+						$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
 
-				$racoonconf .= "}\n\n";
+					$racoonconf .= "}\n\n";
 
-				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
-				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
+					$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
+					$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
 
-				$racoonconf .= <<<EOD
+					$racoonconf .=<<<EOD
 sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
 	encryption_algorithm {$p2ealgos};
 	authentication_algorithm {$p2halgos};
@@ -427,40 +451,42 @@ sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
 
 EOD;
 
-				if ($tunnel['p2']['pfsgroup'])
-					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
+					if ($tunnel['p2']['pfsgroup'])
+						$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
 
-				if ($tunnel['p2']['lifetime'])
-					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
+					if ($tunnel['p2']['lifetime'])
+						$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
 
-				$racoonconf .= "}\n\n";
-			}
+					$racoonconf .= "}\n\n";
+				}
 
 			/* mobile clients? */
-			if (isset($ipseccfg['mobileclients']['enable'])) {
+			if (isset ($ipseccfg['mobileclients']['enable'])) {
 
 				$tunnel = $ipseccfg['mobileclients'];
 
-				if (isset($tunnel['p1']['myident']['myaddress'])) {
+				if (isset ($tunnel['p1']['myident']['myaddress'])) {
 					$myidentt = "address";
 					$myident = $curwanip;
-				} else if (isset($tunnel['p1']['myident']['address'])) {
-					$myidentt = "address";
-					$myident = $tunnel['p1']['myident']['address'];
-				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
-					$myidentt = "fqdn";
-					$myident = $tunnel['p1']['myident']['fqdn'];
-				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
-					$myidentt = "user_fqdn";
-					$myident = $tunnel['p1']['myident']['ufqdn'];
-				} else if (isset($tunnel['p1']['myident']['asn1dn'])) {
-					$myidentt = "asn1dn";
-					$myident = $tunnel['p1']['myident']['asn1dn'];
- 				}
-
-				if (isset($tunnel['p1']['authentication_method'])) {
+				} else
+					if (isset ($tunnel['p1']['myident']['address'])) {
+						$myidentt = "address";
+						$myident = $tunnel['p1']['myident']['address'];
+					} else
+						if (isset ($tunnel['p1']['myident']['fqdn'])) {
+							$myidentt = "fqdn";
+							$myident = $tunnel['p1']['myident']['fqdn'];
+						} else
+							if (isset ($tunnel['p1']['myident']['ufqdn'])) {
+								$myidentt = "user_fqdn";
+								$myident = $tunnel['p1']['myident']['ufqdn'];
+							}
+
+				if (isset ($tunnel['p1']['authentication_method'])) {
 					$authmethod = $tunnel['p1']['authentication_method'];
-				} else {$authmethod = 'pre_shared_key';}
+				} else {
+					$authmethod = 'pre_shared_key';
+				}
 
 				$certline = '';
 				if ($authmethod == 'rsasig') {
@@ -498,7 +524,7 @@ EOD;
 
 					$certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";";
 				}
-				$racoonconf .= <<<EOD
+				$racoonconf .=<<<EOD
 remote anonymous \{
 	exchange_mode {$tunnel['p1']['mode']};
 	my_identifier {$myidentt} "{$myident}";
@@ -529,7 +555,7 @@ EOD;
 				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
 				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
 
-				$racoonconf .= <<<EOD
+				$racoonconf .=<<<EOD
 sainfo anonymous \{
 	encryption_algorithm {$p2ealgos};
 	authentication_algorithm {$p2halgos};
@@ -560,9 +586,12 @@ EOD;
 
 			if (is_array($ipseccfg['tunnel'])) {
 				foreach ($ipseccfg['tunnel'] as $tunnel) {
-					if (isset($tunnel['disabled']))
+					if (isset ($tunnel['disabled']))
 						continue;
-					$pskconf .= "{$tunnel['remote-gateway']}	 {$tunnel['p1']['pre-shared-key']}\n";
+                   $rgip = $rgmap[$tunnel['remote-gateway']];
+                   if (!$rgip)
+                           continue;
+                   $pskconf .= "{$rgip}     {$tunnel['p1']['pre-shared-key']}\n";
 				}
 			}
 
@@ -577,6 +606,7 @@ EOD;
 			fclose($fd);
 			chmod("{$g['varetc_path']}/psk.txt", 0600);
 
+
 			if(is_process_running("racoon")) {
 				/* We are already online, reload */
 				mwexec("/usr/bin/killall -HUP racoon");
@@ -598,6 +628,30 @@ EOD;
 				/* load SPD */
 				mwexec("/bin/cat {$g['varetc_path']}/spd.conf | /usr/local/bin/slowdownpipe.sh | /sbin/setkey -c");
 				sleep(1);
+			   /* start dnswatch, if necessary */
+			   if (count($dnswatch_list) > 0) {
+			           $interval = 60;
+			           if ($ipseccfg['dns-interval'])
+			                   $interval = $ipseccfg['dns-interval'];
+			
+			           $hostnames = "";
+			           foreach ($dnswatch_list as $dns)
+			                   $hostnames .= " " . escapeshellarg($dns);
+			
+			           mwexec("/usr/local/bin/dnswatch {$g['varrun_path']}/dnswatch-ipsec.pid $interval " .
+			                   escapeshellarg("/etc/rc.newipsecdns") . $hostnames);
+			   }
+			}
+
+			if (is_array($ipseccfg['tunnel'])) {
+				foreach ($ipseccfg['tunnel'] as $tunnel) {
+					if (isset ($tunnel['auto'])) {
+						$remotehost = substr($tunnel['remote-subnet'], 0, strpos($tunnel['remote-subnet'], "/"));
+						$srchost = vpn_endpoint_determine($tunnel, $curwanip);
+						if ($srchost)
+							mwexec_bg("/sbin/ping -c 10 -S {$srchost} {$remotehost}");
+					}
+				}
 			}
 		}
 	}
@@ -621,7 +675,7 @@ function vpn_pptpd_configure() {
 	$syscfg = $config['system'];
 	$pptpdcfg = $config['pptpd'];
 
-    $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+	$starting_ng = get_number_of_wan_netgraph_interfaces_needed();
 
 	if ($g['booting']) {
 		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
@@ -630,81 +684,73 @@ function vpn_pptpd_configure() {
 		echo "Configuring PPTP VPN service... ";
 	} else {
 		/* kill mpd */
-        killbypid("{$g['varrun_path']}/mpd-pptpd.pid");
+		killbypid("{$g['varrun_path']}/mpd-vpn.pid");
 
 		/* wait for process to die */
 		sleep(3);
 
-        if (is_process_running("mpd4 -b")) {
-            killbypid("{$g['varrun_path']}/mpd-pptpd.pid");
+		if (is_process_running("mpd -b")) {
+			killbypid("{$g['varrun_path']}/mpd-vpn.pid");
 			log_error("Could not kill mpd within 3 seconds.   Trying again.");
 		}
 
 		/* remove mpd.conf, if it exists */
-        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.conf");
-        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.links");
-        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.secret");
+		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");
+		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");
+		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");
 	}
 
 	/* make sure mpd-vpn directory exists */
-    if (!file_exists("{$g['varetc_path']}/mpd-pptpd"))
-        mkdir("{$g['varetc_path']}/mpd-pptpd");
+	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+		mkdir("{$g['varetc_path']}/mpd-vpn");
 
 	switch ($pptpdcfg['mode']) {
-
-		case 'server':
-
+		case 'server' :
 			/* write mpd.conf */
-			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.conf", "w");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");
 			if (!$fd) {
 				printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
 				return 1;
 			}
 
-			$mpdconf = <<<EOD
-startup:
+			$mpdconf =<<<EOD
 pptpd:
 
 EOD;
 
-			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
+			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
 				$mpdconf .= "	load pt{$i}\n";
 			}
 
-			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
+			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
 
 				$clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
-				$ngif = "ng" . ($i+1);
+				$ngif = "ng" . ($i + $starting_ng);
 
-				if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) {
-					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0";
-				} else {
-					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32";
-				}
-
-				$mpdconf .= <<<EOD
+				$mpdconf .=<<<EOD
 
 pt{$i}:
 	new -i {$ngif} pt{$i} pt{$i}
-	{$isssue_ip_type}
-	load pptpd_standard
+	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
+	load pts
 
 EOD;
 			}
 
-			$mpdconf .= <<<EOD
+			$mpdconf .=<<<EOD
 
-pptpd_standard:
-	set iface up-script /usr/local/sbin/vpn-linkup
-	set iface down-script /usr/local/sbin/vpn-linkdown
+pts:
 	set iface disable on-demand
 	set iface enable proxy-arp
-	set iface idle 1800
 	set iface enable tcpmssfix
+	set iface idle 1800
+	set iface up-script /usr/local/sbin/vpn-linkup
+	set iface down-script /usr/local/sbin/vpn-linkdown
 	set bundle enable multilink
+	set bundle enable crypt-reqd
 	set link yes acfcomp protocomp
 	set link no pap chap
-	set link enable chap
+	set link enable chap-msv2
 	set link mtu 1460
 	set link keep-alive 10 60
 	set ipcp yes vjcomp
@@ -715,78 +761,55 @@ pptpd_standard:
 
 EOD;
 
-			if (!isset($pptpdcfg['req128'])) {
-				$mpdconf .= <<<EOD
+			if (!isset ($pptpdcfg['req128'])) {
+				$mpdconf .=<<<EOD
 	set ccp yes mpp-e40
+	set ccp yes mpp-e56
 
 EOD;
 			}
-			if (isset($pptpdcfg['wins'])) {
-				$mpdconf .= <<<EOD
-	set ipcp nbns {$pptpdcfg['wins']}
-
-EOD;
-			}
-		       if (isset($pptpdcfg['dns1'])) {
-					$mpdconf .= <<<EOD
-	set ipcp dns {$pptpdcfg['dns1']} {$pptpdcfg['dns2']}
 
-EOD;
-			} else if (isset($config['dnsmasq']['enable'])) {
-				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
-				if ($syscfg['dnsserver'][0])
-					$mpdconf .= " " . $syscfg['dnsserver'][0];
-				$mpdconf .= "\n";
-			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
-				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
-			}
-
-			if (isset($pptpdcfg['radius']['server']['enable'])) {
-				$mpdconf .= <<<EOD
-	load radius
+			if  (isset($pptpdcfg["wins"]))
+				$mpdconf  .=  "	set ipcp nbns {$pptpdcfg['wins']}\n";
+			if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) {
+				$mpdconf .= "	set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n";
+			} else
+				if (isset ($config['dnsmasq']['enable'])) {
+					$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
+					if ($syscfg['dnsserver'][0])
+						$mpdconf .= " " . $syscfg['dnsserver'][0];
+					$mpdconf .= "\n";
+				} else
+					if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+						$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+					}
 
-radius: 
+			if (isset ($pptpdcfg['radius']['enable'])) {
+				$authport = isset($pptpdcfg['radius']['port']) ? $pptpdcfg['radius']['port'] : 1812;
+				$acctport = $authport + 1;
+				$mpdconf .=<<<EOD
+	set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" {$authport} {$acctport}
 	set radius retries 3
-	set radius timeout 3 
-	set radius me {$pptpdcfg['radius']['nasip']}
-	set auth enable radius-auth 
-	set radius enable message-authentic
+	set radius timeout 10
+	set bundle enable radius-auth
+	set bundle disable radius-fallback
 
 EOD;
 
-				if (isset($pptpdcfg['radius']['server2']['enable'])) {
-					$mpdconf .= <<<EOD
-	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret']}" {$pptpdcfg['radius']['server2']['port']} {$pptpdcfg['radius']['server2']['acctport']} 
+				if (isset ($pptpdcfg['radius']['accounting'])) {
+					$mpdconf .=<<<EOD
+	set bundle enable radius-acct
+	set radius acct-update 300
 
 EOD;
 				}
-
-			if (isset($pptpdcfg['radius']['server']['enable'])) {
-				$mpdconf .= <<<EOD
-	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$pptpdcfg['radius']['server']['port']} {$pptpdcfg['radius']['server']['acctport']} 
-
-EOD;
 			}
 
-				if (isset($pptpdcfg['radius']['accounting'])) {
-					$mpdconf .= <<<EOD
-	set auth enable radius-acct 
-	set auth acct-update {$pptpdcfg['radius']['acct_update']}
-EOD;
-				}
-			} else {
-				$mpdconf .= <<<EOD
-	set auth enable system
-	set auth timeout 30
-
-EOD;
-
-		}
 			fwrite($fd, $mpdconf);
 			fclose($fd);
 
 			/* write mpd.links */
-			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.links", "w");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");
 			if (!$fd) {
 				printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
 				return 1;
@@ -795,13 +818,14 @@ EOD;
 			$mpdlinks = "";
 
 			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
-				$mpdlinks .= <<<EOD
+				$mpdlinks .=<<<EOD
 
 pt{$i}:
 	set link type pptp
-	set pptp self 127.0.0.1
 	set pptp enable incoming
 	set pptp disable originate
+	set pptp disable windowing
+	set pptp self 127.0.0.1
 
 EOD;
 			}
@@ -810,7 +834,7 @@ EOD;
 			fclose($fd);
 
 			/* write mpd.secret */
-			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.secret", "w");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");
 			if (!$fd) {
 				printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
 				return 1;
@@ -825,14 +849,14 @@ EOD;
 
 			fwrite($fd, $mpdsecret);
 			fclose($fd);
-			chmod("{$g['varetc_path']}/mpd-pptpd/mpd.secret", 0600);
+			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
 
 			/* fire up mpd */
-			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/mpd-pptpd -p {$g['varrun_path']}/mpd-pptpd.pid pptpd");
+			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");
 
 			break;
 
-		case 'redir':
+		case 'redir' :
 			break;
 	}
 
@@ -847,22 +871,23 @@ EOD;
 	return 0;
 }
 
-function vpn_localnet_determine($adr, &$sa, &$sn) {
+function vpn_localnet_determine($adr, & $sa, & $sn) {
 	global $config, $g;
 
-	if (isset($adr)) {
+	if (isset ($adr)) {
 		if ($adr['network']) {
 			switch ($adr['network']) {
-				case 'lan':
+				case 'lan' :
 					$sn = $config['interfaces']['lan']['subnet'];
 					$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
 					break;
 			}
-		} else if ($adr['address']) {
-			list($sa,$sn) = explode("/", $adr['address']);
-			if (is_null($sn))
-				$sn = 32;
-		}
+		} else
+			if ($adr['address']) {
+				list ($sa, $sn) = explode("/", $adr['address']);
+				if (is_null($sn))
+					$sn = 32;
+			}
 	} else {
 		$sn = $config['interfaces']['lan']['subnet'];
 		$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
@@ -878,7 +903,7 @@ function vpn_endpoint_determine($tunnel, $curwanip) {
 			return $curwanip;
 		else
 			return null;
-	} else if ($tunnel['interface'] == "lan") {
+	} elseif ($tunnel['interface'] == "lan") {
 		return $config['interfaces']['lan']['ipaddr'];
 	} else {
 		$oc = $config['interfaces'][$tunnel['interface']];
@@ -886,8 +911,8 @@ function vpn_endpoint_determine($tunnel, $curwanip) {
 		$ip = find_interface_ip($tunnel['interface']);
 		if($ip) 
 			return $ip;
-
-		if (isset($oc['enable']) && $oc['if']) {
+			
+		if (isset ($oc['enable']) && $oc['if']) {
 			return $oc['ipaddr'];
 		}
 	}
@@ -901,47 +926,49 @@ function vpn_pppoe_configure() {
 	$syscfg = $config['system'];
 	$pppoecfg = $config['pppoe'];
 
-   $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+	$starting_ng = get_number_of_wan_netgraph_interfaces_needed();
 
 	/* create directory if it does not exist */
-    if (!is_dir("{$g['varetc_path']}/mpd-pppoe"))
-        mkdir("{$g['varetc_path']}/mpd-pppoe");
+	if (!is_dir("{$g['varetc_path']}/mpd-vpn"))
+		mkdir("{$g['varetc_path']}/mpd-vpn");
 
 	if ($g['booting']) {
 		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
 			return 0;
 
 		echo "Configuring PPPoE VPN service... ";
-    } else {
-        /* kill mpd */
-        killbypid("{$g['varrun_path']}/mpd-pppoe.pid");
-
-        /* wait for process to die */
-        sleep(2);
-        unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.conf");
-        unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.links");
-        unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.secret");
+	} else {
+		/* kill mpd */
+		killbypid("{$g['varrun_path']}/mpd-vpn.pid");
+
+		/* wait for process to die */
+		sleep(2);
+
 	}
 
 	/* make sure mpd-vpn directory exists */
-    if (!file_exists("{$g['varetc_path']}/mpd-pppoe"))
-        mkdir("{$g['varetc_path']}/mpd-pppoe");
+	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+		mkdir("{$g['varetc_path']}/mpd-vpn");
 
 	switch ($pppoecfg['mode']) {
 
-		case 'server':
+		case 'server' :
 
 			$pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']);
 
+			if ($pppoecfg['paporchap'] == "chap")
+				$paporchap = "set link enable chap";
+			else
+				$paporchap = "set link enable pap";
+
 			/* write mpd.conf */
-			$fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.conf", "a");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
 			if (!$fd) {
 				printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n");
 				return 1;
 			}
 			$mpdconf = "\n\n";
-			$mpdconf .= <<<EOD
-startup:
+			$mpdconf .=<<<EOD
 pppoe:
 
 EOD;
@@ -953,15 +980,16 @@ EOD;
 			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
 
 				$clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
-				$ngif = "ng" . ($i+1);
+				$ngif = "ng" . ($i + $starting_ng);
 
-				if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) {
+				if (isset ($pppoecfg['radius']['radiusissueips']) && isset ($pppoecfg['radius']['enable'])) {
 					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
+					$isssue_ip_type .= "\n\tset ipcp yes radius-ip";
 				} else {
 					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
 				}
 
-				$mpdconf .= <<<EOD
+				$mpdconf .=<<<EOD
 
 pppoe{$i}:
 	new -i {$ngif} pppoe{$i} pppoe{$i}
@@ -971,95 +999,73 @@ pppoe{$i}:
 EOD;
 			}
 
-			$mpdconf .= <<<EOD
+			$mpdconf .=<<<EOD
 
 pppoe_standart:
 	set link type pppoe
 	set pppoe iface {$pppoe_interface}
 	set pppoe service "*"
-	set iface up-script /usr/local/sbin/vpn-linkup
-	set iface down-script /usr/local/sbin/vpn-linkdown
-	set bundle enable compression
-	set auth max-logins 1
-	set link max-redial -1
-	set pppoe enable incoming
 	set pppoe disable originate
+	set pppoe enable incoming
+	set bundle no multilink
+	set bundle enable compression
+	set bundle max-logins 1
+	set iface idle 0
 	set iface disable on-demand
 	set iface disable proxy-arp
-	set iface idle 0 
 	set iface enable tcpmssfix
-	set bundle no multilink  
-	set link no acfcomp 
-	set link no protocomp 
+	set iface mtu 1500
 	set link no pap chap
-	set link enable chap
-	set link keep-alive 30 100 
-	set link mtu 1460 
+	{$paporchap}
+	set link keep-alive 60 180
+	set ipcp yes vjcomp
+	set ipcp no vjcomp
+	set link max-redial -1
+	set link mtu 1492
+	set link mru 1492
 	set ccp yes mpp-e40
 	set ccp yes mpp-e128
 	set ccp yes mpp-stateless
-	set ipcp no vjcomp 
+	set link latency 1
+	#set ipcp dns 10.10.1.3
+	#set bundle accept encryption
 
 EOD;
-		if (isset($pppoecfg['dns1'])) {
-					$mpdconf .= <<<EOD
-	set ipcp dns {$pppoecfg['dns1']} {$pppoecfg['dns2']}
 
-EOD;
-
-			} else if (isset($config['dnsmasq']['enable'])) {
+			if (isset ($config['dnsmasq']['enable'])) {
 				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
 				if ($syscfg['dnsserver'][0])
 					$mpdconf .= " " . $syscfg['dnsserver'][0];
 				$mpdconf .= "\n";
-			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
-				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
-			}
-
-			if (isset($pppoecfg['radius']['server']['enable'])) {
-				$mpdconf .= <<<EOD
-	load radius
+			} else
+				if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+					$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+				}
 
-radius: 
+			if (isset ($pppoecfg['radius']['enable'])) {
+				$mpdconf .=<<<EOD
+	set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}"
+	set ipcp radius-ip
 	set radius retries 3
-	set radius timeout 3 
-	set radius me {$pppoecfg['radius']['nasip']}
-	set auth enable radius-auth 
-	set radius enable message-authentic
+	set radius timeout 10
+	set bundle enable radius-auth
+	set bundle disable radius-fallback
 
 EOD;
-				if (isset($pppoecfg['radius']['server2']['enable'])) {
-					$mpdconf .= <<<EOD
-	set radius server {$pppoecfg['radius']['server2']['ip']} "{$pppoecfg['radius']['server2']['secret']}" {$pppoecfg['radius']['server2']['port']} {$pppoecfg['radius']['server2']['acctport']}
 
-EOD;
-				}
-
-			if (isset($pppoecfg['radius']['server']['enable'])) {
-					$mpdconf .= <<<EOD
-	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$pppoecfg['radius']['server']['port']} {$pppoecfg['radius']['server']['acctport']}
+				if (isset ($pppoecfg['radius']['accounting'])) {
+					$mpdconf .=<<<EOD
+	set bundle enable radius-acct
 
 EOD;
 				}
-
-				if (isset($pppoecfg['radius']['accounting'])) {
-					$mpdconf .= <<<EOD
-	set auth enable radius-acct 
-	set auth acct-update {$pppoecfg['radius']['acct_update']}
-EOD;
 			}
-			} else {
-				$mpdconf .= <<<EOD
-	set auth enable system
-	set auth timeout 30
 
-EOD;
-			}
 			fwrite($fd, $mpdconf);
 			fclose($fd);
 
 			/* write mpd.links */
-			$fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.links", "a");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
 			if (!$fd) {
 				printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n");
 				return 1;
@@ -1068,15 +1074,11 @@ EOD;
 			$mpdlinks = "";
 
 			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
-				$mpdlinks .= <<<EOD
+				$mpdlinks .=<<<EOD
 
 pppoe:
 	set link type pppoe
 	set pppoe iface {$pppoe_interface}
-        set pppoe service "*"
-	 set pppoe disable incoming
-	 set pppoe enable originate
-
 
 EOD;
 			}
@@ -1085,7 +1087,7 @@ EOD;
 			fclose($fd);
 
 			/* write mpd.secret */
-			$fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.secret", "a");
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
 			if (!$fd) {
 				printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n");
 				return 1;
@@ -1100,14 +1102,202 @@ EOD;
 
 			fwrite($fd, $mpdsecret);
 			fclose($fd);
-			chmod("{$g['varetc_path']}/mpd-pppoe/mpd.secret", 0600);
+			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
+
+			/* fire up mpd */
+			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe");
+
+			break;
+
+		case 'redir' :
+			break;
+	}
+
+	touch("{$g["tmp_path"]}/filter_dirty");
+
+	if ($g['booting'])
+		echo "done\n";
+
+	return 0;
+}
+
+function vpn_l2tp_configure() {
+	global $config, $g;
+
+	$syscfg = $config['system'];
+	$l2tpcfg = $config['l2tp'];
+
+	mwexec("/sbin/kldload /boot/kernel/ng_l2tp.ko");
+
+	$starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+
+	/* create directory if it does not exist */
+	if (!is_dir("{$g['varetc_path']}/mpd-vpn"))
+		mkdir("{$g['varetc_path']}/mpd-vpn");
+
+	if ($g['booting']) {
+		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off"))
+			return 0;
+
+		echo "Configuring l2tp VPN service... ";
+	} else {
+		/* kill mpd */
+		killbypid("{$g['varrun_path']}/mpd-vpn.pid");
+
+		/* wait for process to die */
+		sleep(2);
+
+	}
+
+	/* make sure mpd-vpn directory exists */
+	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+		mkdir("{$g['varetc_path']}/mpd-vpn");
+
+	switch ($l2tpcfg['mode']) {
+
+		case 'server' :
+
+			$l2tp_interface = filter_translate_type_to_real_interface($l2tpcfg['interface']);
+
+			if ($l2tpcfg['paporchap'] == "chap")
+				$paporchap = "set link enable chap";
+			else
+				$paporchap = "set link enable pap";
+
+			/* write mpd.conf */
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
+			if (!$fd) {
+				printf("Error: cannot open mpd.conf in vpn_l2tp_configure().\n");
+				return 1;
+			}
+			$mpdconf = "\n\n";
+			$mpdconf .=<<<EOD
+l2tp:
+
+EOD;
+
+			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+				$mpdconf .= "	load l2tp{$i}\n";
+			}
+
+			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+
+				$clientip = long2ip(ip2long($l2tpcfg['remoteip']) + $i);
+				$ngif = "ng" . ($i + $starting_ng);
+
+				if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
+					$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
+					$isssue_ip_type .= "\n\tset ipcp yes radius-ip";
+				} else {
+					$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
+				}
+
+				$mpdconf .=<<<EOD
+
+l2tp{$i}:
+	new -i {$ngif} l2tp{$i} l2tp{$i}
+	{$isssue_ip_type}
+	load l2tp_standard
+
+EOD;
+			}
+
+			$mpdconf .=<<<EOD
+
+l2tp_standard:
+        set bundle disable multilink
+        set bundle enable compression
+        set bundle yes crypt-reqd
+        set ipcp yes vjcomp
+        # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
+        set ccp yes mppc
+        set iface disable on-demand
+        set iface enable proxy-arp
+        set link yes acfcomp protocomp
+        set link no pap chap
+        set link enable chap
+        set link keep-alive 10 180
+
+EOD;
+
+			if (isset ($config['dnsmasq']['enable'])) {
+				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
+				if ($syscfg['dnsserver'][0])
+					$mpdconf .= " " . $syscfg['dnsserver'][0];
+				$mpdconf .= "\n";
+			} else
+				if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+					$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+				}
+
+			if (isset ($l2tpcfg['radius']['enable'])) {
+				$mpdconf .=<<<EOD
+	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
+	set ipcp radius-ip
+	set radius retries 3
+	set radius timeout 10
+	set bundle enable radius-auth
+	set bundle disable radius-fallback
+
+EOD;
+
+				if (isset ($l2tpcfg['radius']['accounting'])) {
+					$mpdconf .=<<<EOD
+	set bundle enable radius-acct
+
+EOD;
+				}
+			}
+
+			fwrite($fd, $mpdconf);
+			fclose($fd);
+
+			/* write mpd.links */
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
+			if (!$fd) {
+				printf("Error: cannot open mpd.links in vpn_l2tp_configure().\n");
+				return 1;
+			}
+
+			$mpdlinks = "";
+
+			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+				$mpdlinks .=<<<EOD
+
+l2tp:
+	set link type l2tp
+	set l2tp iface {$l2tp_interface}
+
+EOD;
+			}
+
+			fwrite($fd, $mpdlinks);
+			fclose($fd);
+
+			/* write mpd.secret */
+			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
+			if (!$fd) {
+				printf("Error: cannot open mpd.secret in vpn_l2tp_configure().\n");
+				return 1;
+			}
+
+			$mpdsecret = "\n\n";
+
+			if (is_array($l2tpcfg['user'])) {
+				foreach ($l2tpcfg['user'] as $user)
+					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
+			}
+
+			fwrite($fd, $mpdsecret);
+			fclose($fd);
+			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
 
 			/* fire up mpd */
-			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/mpd-pppoe -p {$g['varrun_path']}/mpd-pppoe.pid pppoe");
+			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid l2tp");
 
 			break;
 
-		case 'redir':
+		case 'redir' :
 			break;
 	}
 
@@ -1150,4 +1340,4 @@ function vpn_ipsec_force_reload() {
 
 }
 
-?>
+?>
\ No newline at end of file
-- 
cgit v1.1