From 45efe1b672f16a5c4b1e856f1deb2e55dde1c6e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20LU=C3=87I?= Date: Wed, 7 Jan 2015 16:33:46 +0100 Subject: Fixes #4182 by properly managing IPcomp on ipsec tunnels. Also retires IPsec force reloading advanced sysctl since its useless nowdays with strongswan and remove its call on rc.newipsecdns. --- etc/inc/vpn.inc | 10 ++++++++++ etc/rc.newipsecdns | 3 --- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f591456..278fb45 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -523,6 +523,7 @@ EOD; $natfilterrules = false; /* begin ipsec.conf */ $ipsecconf = ""; + $enablecompression = false; if (is_array($a_phase1) && count($a_phase1)) { $ipsecconf .= "# This file is automatically generated. Do not edit\n"; @@ -824,6 +825,10 @@ EOD; EOD; + if (isset($config['ipsec']['commpression'])) { + $ipsecconnect .= '\tcompress = yes\n'; + $enablecompression = true; + } if (!empty($ikelifeline)) $ipsecconnect .= "\t{$ikelifeline}\n"; if ($ipseclifetime > 0) @@ -884,6 +889,11 @@ EOD; unset($ipsecconf); /* end ipsec.conf */ + if ($enablecompression === true) + set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1); + else + set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0); + /* mange process */ if (isvalidpid("{$g['varrun_path']}/charon.pid")) { /* Read secrets */ diff --git a/etc/rc.newipsecdns b/etc/rc.newipsecdns index 431ad93..870283a 100755 --- a/etc/rc.newipsecdns +++ b/etc/rc.newipsecdns @@ -54,8 +54,5 @@ $ipseclck = lock('ipsecdns', LOCK_EX); vpn_ipsec_configure(); -if (isset($config['ipsec']['failoverforcereload'])) - vpn_ipsec_force_reload(); - unlock($ipseclck); ?> -- cgit v1.1
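Review bot: The added `$ipsecconnect .= '\tcompress = yes\n';` in the hunk at line 825 is single-quoted, so PHP emits the backslash sequences literally instead of a tab and a newline, and the next option appended to `$ipsecconnect` would end up on the same line of the generated ipsec.conf. The context lines in the same hunk use double quotes (`"\t{$ikelifeline}\n"`), so the change is `$ipsecconnect .= "\tcompress = yes\n";`. The key `$config['ipsec']['commpression']` also looks misspelled; unless the settings page stores that exact spelling, the branch never runs and `$enablecompression` stays false, so the sysctl in the later hunk is always set to 0. The enclosing function starts and ends outside the hunk.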
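Review bot: The result of `set_single_sysctl('net.inet.ipcomp.ipcomp_enable', ...)` is discarded in the block added after `/* end ipsec.conf */`, so a failed write would leave the generated configuration requesting compression while the kernel setting disagrees, with nothing logged. If the helper reports failure (its definition is not visible here), checking the return value and logging the failure would make that mismatch diagnosable. As a style point, the brace-less if/else can be reduced to one call, `set_single_sysctl('net.inet.ipcomp.ipcomp_enable', $enablecompression ? 1 : 0);`. The surrounding function continues outside the hunk.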