From 911cc213abd60d2d090778a080ac144e9501716a Mon Sep 17 00:00:00 2001
From: Chris Buechler
Date: Tue, 3 Mar 2015 00:16:33 -0600
Subject: Remove "Prefer old SA" option, and ignore it in all existing configurations. Breaks things in many cases with strongSwan. For the very rare circumstances where this is actually desirable, it's just a sysctl that can be set in tunables.
---
 etc/inc/vpn.inc | 10 ----------
 1 file changed, 10 deletions(-)
(limited to 'etc')
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d4a0e55..eb5eaf2 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -105,8 +105,6 @@ function vpn_ipsec_configure($restart = false)
 unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
 touch("{$g['vardb_path']}/ipsecpinghosts");
 
- vpn_ipsec_configure_preferoldsa();
-
 $syscfg = $config['system'];
 $ipseccfg = $config['ipsec'];
 if (!isset($ipseccfg['enable'])) {
@@ -1769,12 +1767,4 @@ EOD;
 return 0;
 }
 
-function vpn_ipsec_configure_preferoldsa() {
- global $config;
- if(isset($config['ipsec']['preferoldsa']))
- set_single_sysctl("net.key.preferred_oldsa", "-30");
- else
- set_single_sysctl("net.key.preferred_oldsa", "0");
-}
-
 ?>
-- 
cgit v1.1