Regression #12549 » patch-12549.diff

Jim Pingle, 11/30/2021 11:54 AM


src/etc/inc/ipsec.inc
1940 1940
 * NAME
1941 1941
 *   ipsec_setup_userpools - Generate per-user custom pool settings for swanctl
1942 1942
  * INPUTS
1943
 *   None
1943
 *   $ph1ent = Mobile IPsec Phase 1 entry
1944 1944
 * RESULT
1945 1945
 *   Adds configured per-user pool settings to $scconf using the primary mobile
1946 1946
 *   pool as a base configuration.
......
1948 1948
 *   Given this new flexible format, it is now possible to override any valid
1949 1949
 *   pool setting, so future expansion of per-user settings is possible.
1950 1950
 ******/
1951
function ipsec_setup_userpools() {
1951
function ipsec_setup_userpools($ph1ent) {
1952 1952
	global $config, $scconf;
1953 1953
	$a_mobilekey = $config['ipsec']['mobilekey'];
1954 1954

  
......
1956 1956
	if (!is_array($a_mobilekey) ||
1957 1957
	    empty($a_mobilekey) ||
1958 1958
	    !is_array($scconf['connections']) ||
1959
	    !is_array($scconf['con-mobile-defaults']) ||
1960 1959
	    !is_array($scconf['pools']) ||
1961 1960
	    !is_array($scconf['mobile-pool'])) {
1962 1961
		return;
......
1989 1988

  
1990 1989
		/* Craft a cloned connection with the ID information to match */
1991 1990
		$scconf['connections'][$upconn]['remote'] = array();
1992
		$scconf['connections'][$upconn]['remote']['id'] = $clientid;
1991
		if ($ph1ent['authentication_method'] != "eap-mschapv2") {
1992
			$scconf['connections'][$upconn]['remote']['id'] = $clientid;
1993
		}
1993 1994
		$scconf['connections'][$upconn]['remote']['eap_id'] = $clienteapid;
1994 1995
		$scconf['connections'][$upconn]['pools'] = $upbase;
1995 1996

  
......
2184 2185
		case 'eap-mschapv2':
2185 2186
			if (isset($ph1ent['mobile'])) {
2186 2187
				$local['auth'] = "pubkey";
2188
				unset($remote['id']);
2187 2189
				$remote['eap_id'] = "%any";
2188 2190
				$remote['auth'] = "eap-mschapv2";
2189 2191
			}
......
2418 2420
 *   their children, authentication, etc.
2419 2421
 ******/
2420 2422
function ipsec_setup_tunnels($gateways_status = false) {
2421
	global $aggressive_mode_psk, $a_client, $config,
2423
	global $aggressive_mode_psk, $a_phase2, $a_client, $config,
2422 2424
		$filterdns_list, $g, $ifacesuse, $ipsec_idhandling, $ipsec_log_cats,
2423 2425
		$ipsec_log_sevs, $ipsec_swanctl_basedir, $ipsec_swanctl_dirs,
2424 2426
		$ipseccfg, $mobile_ipsec_auth, $natfilterrules, $p1_ealgos,
......
2449 2451
			$scconf["{$cname}-defaults"] = $conn_defaults;
2450 2452
			/* Array reference to make things easier */
2451 2453
			$conn =& $scconf["{$cname}-defaults"];
2452
			$scconf['connections']["{$cname} : {$cname}-defaults"] = array("# Stub to load con-mobile-defaults");
2453 2454
		} else {
2454 2455
			$cname = ipsec_conid($ph1ent);
2455 2456
			/* Start with common default values */
......
3174 3175
		}
3175 3176
		if (isset($p1['mobile']) && !isset($p1['disabled'])) {
3176 3177
			$mobile_configured = true;
3178
			$mobilep1 = $p1;
3177 3179
		}
3178 3180
		$tunnels[$p1['ikeid']] = $p1;
3179 3181
		$tunnels[$p1['ikeid']]['p2'] = array();
......
3239 3241
		/* Setup mobile address pools */
3240 3242
		ipsec_setup_pools();
3241 3243
		/* Setup per-user pools */
3242
		ipsec_setup_userpools();
3244
		ipsec_setup_userpools($mobilep1);
3245
		$scconf['connections']["con-mobile : con-mobile-defaults"] = array("# Stub to load con-mobile-defaults");
3246

  
3243 3247
	}
3244 3248
	/* Setup secret data */
3245 3249
	$scconf['secrets'] = array();
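Review bot: `ipsec_setup_userpools()` reads the new `$ph1ent` argument at new line 1991 without validating it, although the guard at the top of the function checks every other input it depends on. The only visible assignment of `$mobilep1` (new line 3178) sits inside the `isset($p1['mobile']) && !isset($p1['disabled'])` branch and no initialisation is shown, so if the call at new line 3244 is ever reached without it, `$ph1ent['authentication_method']` evaluates to null, the loose `!=` test is true, and `remote.id` is written for the per-user connections again, which appears to be the behaviour this patch is meant to stop for EAP-MSCHAPv2. I would add `!is_array($ph1ent) ||` to the guard (or initialise `$mobilep1` before the loop) and compare with `!== "eap-mschapv2"`. Both function bodies continue outside the visible hunks, so the call may already be protected by `$mobile_configured`; that should be confirmed before merging.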