From 673e8095015198040e4319d70d86432205cf89ed Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Wed, 22 Dec 2010 10:39:12 -0500
Subject: nuke trailing carriage returns

---
 etc/inc/vpn.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc/inc/vpn.inc')

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index ef06f61..713e72d 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1746,4 +1746,4 @@ function vpn_ipsec_configure_preferoldsa() {
 	mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
 }
 
-?>
+?>
\ No newline at end of file
-- 
cgit v1.1

From c513c30900f98d47dfa77dcf03d42382fae34cd7 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Wed, 22 Dec 2010 22:32:50 +0000
Subject: Prevent other types of interface for being added to ng_ether(4).

It might be the cause of panics reported here http://forum.pfsense.org/index.php/topic,31404.0.html
---
 etc/inc/vpn.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'etc/inc/vpn.inc')

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 713e72d..a3b681a 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -968,7 +968,9 @@ function vpn_netgraph_support() {
 	foreach ($iflist as $iface) {
 		$realif = get_real_interface($iface);
 		/* Get support for netgraph(4) from the nic */
-		pfSense_ngctl_attach(".", $realif);
+		$ifinfo = pfSense_get_interface_addresses($realif);
+		if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge")))
+			pfSense_ngctl_attach(".", $realif);
 	}
 }
 
@@ -1746,4 +1748,4 @@ function vpn_ipsec_configure_preferoldsa() {
 	mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
 }
 
-?>
\ No newline at end of file
+?>
-- 
cgit v1.1

From 8f5c3d8d8af906fab96a81a97bcd62d908bc5761 Mon Sep 17 00:00:00 2001
From: Pierre POMES
Date: Tue, 28 Dec 2010 16:23:36 -0500
Subject: Ticket #1116: anonymous sainfo may be used only for single phase2 ipsec VPN's

---
 etc/inc/vpn.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'etc/inc/vpn.inc')

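Review bot: The new guard in vpn_netgraph_support() tests `!empty($ifinfo)` but then reads `$ifinfo['iftype']` without confirming that key exists, so an address array that lacks it (what pfSense_get_interface_addresses() returns is not visible here) raises an undefined-index notice before `in_array` runs; `if (!empty($ifinfo['iftype']) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge")))` covers both cases in one test. The comment kept above it, `/* Get support for netgraph(4) from the nic */`, no longer says that the attach is now conditional; suggest `/* Attach only ether/vlan/bridge interfaces to ng_ether(4); other types have been linked to panics. */` so the reason for the allow-list survives in the code. The function's opening line is outside the hunk (it appears only in the @@ header).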
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a3b681a..0e172cc 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -636,11 +636,12 @@ EOD;
 		$localid_type = $ph2ent['localid']['type'];
 		$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
-		/* Do not print localid in some cases, such as a pure-psk or psk/xauth mobile tunnel */
+		/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
 		if (($localid_type == "none") ||
 			(($ph1ent['authentication_method'] == "xauth_psk_server") || ($ph1ent['authentication_method'] == "pre_shared_key"))
-			&& isset($ph1ent['mobile']))
+			&& isset($ph1ent['mobile'])
+			&& (ipsec_get_number_of_phase2($ikeid)==1))
 			$localid_spec = " ";
 		else {
 			if ($localid_type != "address") {
-- 
cgit v1.1

From c3583058a0c2cd89ceacbbbcceb68a976e07a890 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Tue, 28 Dec 2010 22:08:42 +0000
Subject: Add radius port and radius accounting port to config if supplied.

---
 etc/inc/vpn.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'etc/inc/vpn.inc')

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 0e172cc..3022e60 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1303,8 +1303,14 @@ EOD;
 	}
 	if (isset ($pppoecfg['radius']['server']['enable'])) {
+		$radiusport = "";
+		$radiusacctport = "";
+		if (isset($pppoecfg['radius']['server']['port']))
+			$radiusport = $pppoecfg['radius']['server']['port'];
+		if (isset($pppoecfg['radius']['server']['acctport']))
+			$radiusacctport = $pppoecfg['radius']['server']['acctport'];
 		$mpdconf .=<<
Date: Wed, 5 Jan 2011 20:41:12 +0000
Subject: Send a HUP to racoon which is equivalent to the reload-config racoonctl command which seems to not work in 0.7.3 of ipsec-tools.

---
 etc/inc/vpn.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'etc/inc/vpn.inc')

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 3022e60..88fee3d 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
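Review bot: The extended condition relies on `&&` binding tighter than `||`, so the added `ipsec_get_number_of_phase2($ikeid)==1` test qualifies only the psk/xauth mobile alternative and never the `$localid_type == "none"` branch; that is presumably the intent, but as written the three `&&` terms read as if they applied to the whole disjunction. Wrapping the second alternative explicitly, `|| ((($ph1ent['authentication_method'] == "xauth_psk_server") || ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1))`, makes the precedence visible and keeps the next person from "fixing" it the wrong way. `$ikeid` is not assigned anywhere in the hunk, so it is assumed to come from the enclosing scope; the enclosing function starts and ends outside the hunk.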
@@ -880,7 +880,9 @@ EOD;
 	/* mange racoon process */
 	if (is_process_running("racoon")) {
 		sleep("0.1");
-		mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);
+		/* XXX: This seems to not work in ipsec-tools 0.7.3 but a HUP signal is equivalent. */
+		//mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);
+		mwexec("/bin/pkill -HUP -x racoon");
 		/* load SPD without flushing to be safe on config additions or changes. */
 		mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
 	} else {
-- 
cgit v1.1

From 6ae19856e03a55a90192b1ba3d7acae98ff478bb Mon Sep 17 00:00:00 2001
From: Ermal
Date: Wed, 5 Jan 2011 20:43:45 +0000
Subject: Actually use sigkillbypid.

---
 etc/inc/vpn.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'etc/inc/vpn.inc')

diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 88fee3d..e4b49ec 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -882,7 +882,7 @@ EOD;
 		sleep("0.1");
 		/* XXX: This seems to not work in ipsec-tools 0.7.3 but a HUP signal is equivalent. */
 		//mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);
-		mwexec("/bin/pkill -HUP -x racoon");
+		sigkillbypid("{$g['varrun_path']}/racoon.pid", "HUP");
 		/* load SPD without flushing to be safe on config additions or changes. */
 		mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
 	} else {
-- 
cgit v1.1
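Review bot: The racoonctl call is not removed but left behind as `//mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);` on the new side, and the following commit on this page keeps that dead line too; the `XXX` comment already records why the command is avoided, so the commented-out code should be dropped and the comment left to carry the history, e.g. `/* XXX: racoonctl reload-config does not work in ipsec-tools 0.7.3; a HUP is equivalent. */`. Also, the unchanged `sleep("0.1")` just above passes a string to a function that takes whole seconds, which most likely yields a zero-second pause before the signal is sent; `usleep(100000)` expresses the apparently intended 100 ms. The enclosing function starts and ends outside the hunk.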
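Review bot: The result of `sigkillbypid("{$g['varrun_path']}/racoon.pid", "HUP")` is discarded, so if the pid file is missing or stale (the `is_process_running("racoon")` guard above checks the process table, not the pid file) the HUP is never delivered and the new racoon configuration silently stays unloaded while setkey still reloads the SPD. What sigkillbypid() returns is not visible here; if it reports failure, surface it rather than continuing as if the reload happened, e.g. `if (!sigkillbypid("{$g['varrun_path']}/racoon.pid", "HUP")) log_error("Could not signal racoon to reload its configuration");`. A short comment on the line, `/* HUP makes racoon re-read racoon.conf; racoonctl reload-config is unreliable on 0.7.3 */`, would also spare the reader the detour through the commented-out line above. The enclosing function starts and ends outside the hunk.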