From eb6495c3b1dfdd3639a01bb27e7bf2285f9ae2ce Mon Sep 17 00:00:00 2001
From: Chris Buechler <cmb@pfsense.org>
Date: Tue, 10 Mar 2015 17:17:10 -0500
Subject: Don't enable interfaces_use by default. Add checkbox to enable on
 Advanced tab, in case there are scenarios where it's desirable. Ticket #4341

Conflicts:
	etc/inc/vpn.inc
---
 etc/inc/vpn.inc                      | 11 ++++++++---
 usr/local/www/vpn_ipsec_settings.php | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index cd2b985..4c353ee 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -310,10 +310,15 @@ function vpn_ipsec_configure($restart = false)
 	if (isset($config['ipsec']['unityplugin']))
 		$unity_enabled = 'no';
 
-	if (!empty($ifacesuse))
-		$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
-	else
+	if (isset($config['ipsec']['enableinterfacesuse'])) {
+		if (!empty($ifacesuse)) {
+			$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
+		} else {
+			$ifacesuse = '';
+		}
+	} else {
 		$ifacesuse = '';
+	}
 
 	unset($stronconf);
 
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 39c1862..c944ef7 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -47,6 +47,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
 }
 $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
 $pconfig['compression'] = isset($config['ipsec']['compression']);
+$pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']);
 $pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']);
 $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
 $pconfig['maxmss'] = $config['system']['maxmss'];
@@ -134,6 +135,15 @@ if ($_POST) {
 			$needsrestart = true;
 			unset($config['ipsec']['compression']);
 		}
+		
+		if($_POST['enableinterfacesuse'] == "yes") {
+			if (!isset($config['ipsec']['enableinterfacesuse']))
+				$needsrestart = true;
+			$config['ipsec']['enableinterfacesuse'] = true;
+		} elseif (isset($config['ipsec']['enableinterfacesuse'])) {
+			$needsrestart = true;
+			unset($config['ipsec']['enableinterfacesuse']);
+		}
 
 		if($_POST['unityplugin'] == "yes") {
 			if (!isset($config['ipsec']['unityplugin']))
@@ -296,6 +306,15 @@ function maxmss_checked(obj) {
 						</td>
 					</tr>
 					<tr>
+						<td width="22%" valign="top" class="vncell"><?=gettext("Strict interface binding"); ?></td>
+						<td width="78%" class="vtable">
+							<input name="enableinterfacesuse" type="checkbox" id="enableinterfacesuse" value="yes" <?php if ($pconfig['enableinterfacesuse']) echo "checked=\"checked\""; ?> />
+							<strong><?=gettext("Enable strict interface binding"); ?></strong>
+							<br />
+							<?=gettext("Enable strongSwan's interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time."); ?>
+						</td>
+					</tr>
+					<tr>
 						<td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td>
 						<td width="78%" class="vtable">
 							<input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> />
-- 
cgit v1.1