From 58c58dcfa7b13aef5e3a0997bce61018fba6d3ec Mon Sep 17 00:00:00 2001
From: Chris Buechler <cmb@pfsense.org>
Date: Tue, 3 Mar 2015 00:16:33 -0600
Subject: Remove "Prefer old SA" option, and ignore it in all existing
 configurations. Breaks things in many cases with strongSwan. For the very
 rare circumstances where this is actually desirable, it's just a sysctl that
 can be set in tunables.

---
 usr/local/www/vpn_ipsec_settings.php | 18 ------------------
 1 file changed, 18 deletions(-)

(limited to 'usr')

diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index 5c3ea27..39c1862 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -41,7 +41,6 @@ require_once("shaper.inc");
 require_once("ipsec.inc");
 require_once("vpn.inc");
 
-$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
 foreach ($ipsec_loglevels as $lkey => $ldescr) {
 	if (!empty($config['ipsec']["ipsec_{$lkey}"]))
 		$pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
@@ -115,11 +114,6 @@ if ($_POST) {
 	
 	if (!$input_errors) {
 
-		if($_POST['preferoldsa_enable'] == "yes")
-			$config['ipsec']['preferoldsa'] = true;
-		elseif (isset($config['ipsec']['preferoldsa']))
-			unset($config['ipsec']['preferoldsa']);
-
 		if (is_array($config['ipsec'])) {
 			foreach ($ipsec_loglevels as $lkey => $ldescr) {
 				if (empty($_POST["ipsec_{$lkey}"])) {
@@ -182,7 +176,6 @@ if ($_POST) {
 		else
 			$savemsg = gettext($retval);
 
-		vpn_ipsec_configure_preferoldsa();
 		vpn_ipsec_configure($needsrestart);
 		vpn_ipsec_configure_loglevels();
 
@@ -243,17 +236,6 @@ function maxmss_checked(obj) {
 						<td colspan="2" valign="top" class="listtopic"><?=gettext("IPsec Advanced Settings"); ?></td>
 					</tr>
 					<tr>
-						<td width="22%" valign="top" class="vncell"><?=gettext("Security Associations"); ?></td>
-						<td width="78%" class="vtable">
-							<input name="preferoldsa_enable" type="checkbox" id="preferoldsa_enable" value="yes" <?php if ($pconfig['preferoldsa_enable']) echo "checked=\"checked\""; ?> />
-							<strong><?=gettext("Prefer older IPsec SAs"); ?></strong>
-							<br />
-							<?=gettext("By default, if several SAs match, the newest one is " .
-							"preferred if it's at least 30 seconds old. Select this " .
-							"option to always prefer old SAs over new ones."); ?>
-						</td>
-					</tr>
-					<tr>
 						<td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td>
 						<td width="78%" class="vtable">
 							<strong><?=gettext("Start IPsec in debug mode based on sections selected"); ?></strong>
-- 
cgit v1.1