From 538b6eb353ce568627513e681483329ecb0d1ec8 Mon Sep 17 00:00:00 2001
From: Evgeny Yurchenko
Date: Tue, 31 May 2011 23:41:32 -0400
Subject: Bug #1560. IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1(site-to-site).
---
 usr/local/www/vpn_ipsec_phase2.php | 43 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)
(limited to 'usr/local/www/vpn_ipsec_phase2.php')
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index bd71191..c0ddf0e 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -141,8 +141,9 @@ if ($_POST) {
 }
 }
- /* TODO : Validate enabled phase2's are not duplicates */
+ /* Validate enabled phase2's are not duplicates */
 if (isset($pconfig['mobile'])){
+ /* User is adding phase 2 for mobile phase1 */
 foreach($a_phase2 as $name){
 if (isset($name['mobile'])){
 /* check duplicate localids only for mobile clents */
@@ -169,7 +170,45 @@ if ($_POST) { } } } - } + }else{ + /* User is adding phase 2 for site-to-site phase1 */ + $input_error = 0; + foreach($a_phase2 as $name){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + /* check duplicate subnets only for given phase1 */ + if ($name['localid']['type'] == $pconfig['localid_type'] && + $name['remoteid']['type'] == $pconfig['remoteid_type']){ + /* Types match, check further */ + $configured_remote_string = $name['remoteid']['address'] . $name['remoteid']['netbits']; + $eneterd_remote_string = $pconfig['remoteid_address'] . $pconfig['remoteid_netbits']; + switch($pconfig['localid_type']){ + case "none": + case "lan": + case "wan": + if ($configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "address": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "network": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $name['localid']['netbits'] == $pconfig['localid_netbits'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + } + if ($input_error){ + $input_errors[] = gettext("Phase2 with this Local/Remote Networks combination is already defined for this Phase1."); + break; /* there is an error, stop checking other phase2 definitions */ + } + } + } + } + } + $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { -- cgit v1.1
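Review bot: The new `foreach($a_phase2 as $name)` loop in the site-to-site branch never skips the phase 2 entry that is itself being edited, so unless code outside this hunk removes it from `$a_phase2` first, re-saving an existing site-to-site phase 2 without changing its networks will match itself and be rejected with the "already defined" error; the loop needs a `continue` past the entry whose index or unique id matches the one the edit form submitted, before the subnet comparison runs. The remote-side key is also built with no separator, `$name['remoteid']['address'] . $name['remoteid']['netbits']`, so two address/netbits pairs whose digits merely split differently compare equal; `$name['remoteid']['address'] . '/' . $name['remoteid']['netbits']` (and the same for the entered string) removes that ambiguity, and `$eneterd_remote_string` should be spelled `$entered_remote_string` while at it. Because both operands come from POST data and stored config as strings, `===` would state the intent more clearly than the loose `==` used on the ikeid and type fields, though that only matters if earlier validation does not already normalise those values. The enclosing `if ($_POST)` block starts before this hunk, so the form index available for the self-check is not visible here.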