Revert "Fix typos introduced by changing to explicit id specification when necessary. Fixes #4202"
This reverts commit 324311043385aed357ca8838bde2c3af3111e564.
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.
To be able to manage this, first upgrade the config to assign each phase2 a reqid. Second, use that during config generation.
Ticket #4208
Fix typos introduced by changing to explicit id specification when necessary. Fixes #4202
Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own.
Enforce subnet check here to avoid any issues resulting from function call.
ipsec_smp_dump_status get out of loop if error
when reading response from socket. Otherwise it would be in a loop and end up like: https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383...
Fixes #4130 Check for a certain size of file to start showing data on dashboard and avoiding xml parser errors
Fix displaying description for IKEv1 connected tunnels
Make this function readable
Correct ipsec status page to make connect button work
Remove unused function
get_failover_interface() is already called inside get_interface_ip(v6), no need to call it twice. It should fix #4089
Add input validation on vpn_ipsec_settings.php. Fixes #4052.
Make the parsing of setkey -d(SAs) more reliable. Fixes #4043
Rather than set the g['booting'] on globals provide a function to test for that doing the right checks
Remove AES-GCM from phase1 settings algos since its not recommended
remove unused function referencing racoon
correctly specify arrays here. Fixes last of issue with Ticket #3955, and probably a variety of other bugs.
Revert "Make phase1_status function work whenever there is a smp dump. This should unbreak Ticket #3955"
This reverts commit 694d368d818508a40bdef4f1a3f64b414b11c442.
Make phase1_status function work whenever there is a smp dump. This should unbreak Ticket #3955
touch up text
get back to our standard RFC-defined capitalization of IPsec
Remove wrongly used type
Only for mobile users
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases
Fix path to xml and make sure the parser will see the custom tags
Make use of the xml output from stroke leases command
Return something meaningful until the widget is made to work correctly
Remove traces of older implementation still present
Fixes #3823 Properly parse auth tags as variables
Fix subnet display for IPsec status. Ticket #3826
Correct the ipsec status pages to show proper information as needed.
Use proper path to setkey now that ipsec-tools are not used anymore
Correct the functions for returning tunnel status to use strongswan status reports
Add the AESGCM and XCBC on the list of algos available
Fix #3665, show IPSec tunnel description on status page
Move duplicated code into a function; Include local ID on mobile tunnel key line in ipsec.secrets.
Correct the step for phase2 algos as well
Use a step of 64 here too to comply with what the daemon can parse/understand
Make the IPSec status page work with strongswan
Oops forgot the query message
Add a function to read the status of connections/SAs/SPDs from smp plugin of StrongSWAN. No need to go through the setkey dumps
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
Try to remove as much as possible _stf special case through the code
Fixes IPSec Status for natted tunnels
See http://redmine.pfsense.org/issues/2884 for details.
Thanks, Michele
IPsec status corrections, should fix #2861
When auth algorithm is hmac-sha512, it produces long lines and wraps them, which breaks the parser. Ignore lines that start with a space to fix it. Fixes #2842
Make function return correct address info for respective family
Correct function name
Fix IPsec status when using interface macros (e.g. "LAN subnet") and handle matching better when IPs may not match up due to IPv6 formatting/compression.
Correct displaying of ipsec status for natted networks.
This should fix ipsec status for natted tunnel(s).
Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks.
Add Gateway Group support to the IPsec interface drop down. Edit of gateway group correctly reflects the new IP Address. We need to make a blacklist for interface names in the gateway group edit page. Redmine ticket #1965
Don't display a "mobile" user without a username.
List logged-in IPsec xauth users and provide a mechanism to disconnect them. Implements #1986
Don't do resolve_retry on ipsec_get_phase1_dst() results, because ipsec_get_phase1_dst() already does that before returning output.
Test for empty here, rather than !, so a blank value (as from mobile clients) doesn't fall to the other tests.
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Merge remote branch 'upstream/master'
Bail out of ipsec_get_phase1_dst if there is no remote gateway, else it falls into running resolve_retry() with invalid parameters causing a long delay in returning.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Conflicts: etc/inc/openvpn.inc
Show how much data has passed on an SAD entry.
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Try to make IPv6 feature complete for IPv6 support. Looks like ipsec-tools was built without v6 support, make sure you have a newer build
Extend the IPsec configuration with a protocol family for the phase 1
Make sure to note the limitations to gethostbyname, it does not work for Quad A records. Fix resolve_retry in the process, use that.
Add the ability to differentiate between v4 and v6 tunnels. Bill says he can test
Don't forget to include $g, otherwise the check will fail and still perform a DNS resolve
Hold off on resolve_retry during boot. The rest of the IPsec config is already delayed during boot for tunnels with hostnames
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Ticket #1116: anonymous sainfo may be used only for single phase2 ipsec VPNs
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Add IPSec 'ipalias' VIP support. Ticket #1041
Remove trailing carriage return
Implement gettext() calls on ipsec.inc
Bring back IPsec PSK Tab/Edit. Part of ticket #108. Still needs backend code to use the resulting keys.
Ticket #430. Give a none option to allow for roadwarriors configs.
Revert "Turn off xauth by default. Ticket #108"
This reverts commit 7998c3f280370991beca62c6a99ae6dd6051228a.
Turn off xauth by default. Ticket #108
Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions
Modify IPsec code to allow for transport mode. All existing configurations are marked as tunnel for backwards compatibility. There are problems with the spd read code which will likely choke on transport entries. We can fix this later.
fix display of ipsec tunnel status when using DNS entries for the endpoints
Correctly return phase2 status for tunnels with hostnames
Rework most of the OpenVPN support. The interfaces have been updated to not use the pkg system and the configuration has been migrated to an openvpn prefix. The centralized user and certificate manager is now used to support the openvpn configurations. Most of the files removed in this...
Remove the vpn_endpoint_determine function. It did not work properly when CARP devices were in use. Use the newer ipsec_get_phase1_src instead.
Introduce a new and improved version of IPsec mobile client support. The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support...
Overhaul IPsec related code. Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration...