Even though you can set the racoon admin socket to a different path in the configuration, it will be ignored by ipsec-tools 0.8+. Align all the sockets into the new path /var/db/racoon so that we can find it. Remove the old killall -HUP racoon as this prevents the newer racoon from properly loading its initial configuration. This might actually also have been a possible problem on the old ipsec-tools...
Oops, make that /bin/mkdir
fix static route deletion
Ensure /var/db/racoon exists
Since they're listed by name, order alphabetically.
Change log message. This doesn't necessarily mean the IP has changed, so it was misleading.
Log actual interface rather than CARP interface
Ensure dpddelay is a value, not that it's simply set, leading to racoon.conf errors:
my /var/etc/racoon.conf file has: "dpd_delay ;"
Reported in ##pfSense on FreeNODE by Overrand
Prevent creation of invalid racoon.conf with omitted or non-numeric DPD delay.
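As an added illustration of the check the commit above describes (example code, not pfSense's own vpn.inc; the function name and the $default argument are assumptions), a helper that emits racoon's dpd_delay directive only when the configured value is a whole number of seconds, so a blank or garbage value can never produce the bare "dpd_delay ;" line:

```php
<?php
// Added example, not pfSense code. Builds the dpd_delay line for racoon.conf
// from a configuration value that may be missing, blank or non-numeric.
//
// Returns the directive (with racoon's indentation and trailing newline), or
// an empty string when the directive must be omitted entirely. Never returns
// a directive without a value, which is what broke racoon.conf.
function racoon_dpd_fragment($dpd_delay, $default = 120) {
    // Omitted or blank in the config: fall back to the default (hypothetical;
    // pass $default = null to omit the directive instead).
    if ($dpd_delay === null || trim((string)$dpd_delay) === '') {
        if ($default === null) {
            return '';
        }
        $dpd_delay = $default;
    }
    // racoon wants a plain integer number of seconds (0 disables DPD).
    // Anything else, e.g. "30x" or "abc", is rejected rather than written out.
    if (!ctype_digit((string)$dpd_delay)) {
        return '';
    }
    return "\tdpd_delay " . (int)$dpd_delay . ";\n";
}

// Constructed sample inputs covering the cases the commit message mentions.
$samples = ['120', '', null, 'abc', '30x', '0', ' 60 '];
foreach ($samples as $value) {
    var_export($value);
    echo ' => ';
    var_export(racoon_dpd_fragment($value));
    echo "\n";
}
```

The value ' 60 ' is rejected on purpose: trimming is only used to detect a blank field, and the directive is written from the untrimmed value, so callers are expected to store clean integers in the configuration.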
Add the DPD option to the mobile ipsec page. The DPD option makes the most sense for the mobile IPSEC clients as this helps cleaning up any dangling SA entries before their lifetime expires. The default value is 120 seconds. Move the NAT-T into the actual layout instead of on top of it.
Add DPD backend configuration to the racoon configuration.
Use NAT-T when enabled on a per tunnel basis
changes from smos@
Initial changes for NAT-T
fix for IPsec timeouts/issues with large frames
Make sure we match the right SPI to src and dst address, otherwise the purge of the old SPI fails.
- Add proper support for using hostnames for the remote IPsec gateway.
- Make IPsec reloading granular, this resolves the long standing issue that an IPsec reload will cause all tunnels to drop.
- Change IPsec edit screen description for remote gateway that an IP...
Include IPSEC reload patch from Seth Mos which was tested on his work IPSEC cluster.
Do not destroy enc0
Remove newlines at end of files
Correct path to netstat
Correct Route lookup
Suppress enc0 creation
Lookup remote endpoint in routing table before attempting to delete route.
Mute killall commands
Extra sighup not needed on 7
add missing quotes in mobile IPsec my_identifier
missing spaces for mobile IPsec
Check in fix that hopefully fixes IPSEC on pppoe or pptp
Disable DPD per default. It is not always safe and can result in flapping tunnels.
attempt to fix ipsec for carp interfaces. Please test!
Switch over to ipsec-tools setkey preferred over the native FreeBSD setkey
Use /sbin/setkey
Change /sbin/setkey to ipsec-tools /usr/local/sbin/setkey
The physical interface must be passed to find_interface_ip()
this was breaking the racoon.conf for OPT WAN IPsec when interface is not statically addressed
Correctly process non carp interfaces
Correctly update static routes on change
Make the vpn configuration add static routes on interfaces other than WAN. link_carp_interface_to_parent() now correctly returns parent interface instead of always WAN.
Do not quote an empty string when the DN identifier is blank.
Obtained-from: m0n0wall
bump dpd from 20 to 120
Use DPD and frag support we already have
MFC: Send extra sighup after starting. Might fix mobile ipsec after startup
With the current Racoon we need to inform that we are reloading our SPD entries with a SIGHUP
Update to racoon-0.7-cvs with Timo Teras patches. Use setkey -f because spd loading works normally now.
attempt loading SPD entries 4 times
Somehow sending a SIGHUP before flushing and reloading works better than after. Technically a SIGHUP to racoon should not do anything.
Flush both SA and SPD entries
Make 3 passes at loading the SPD entries as this will fail on large configurations > 250 tunnels. Tested by smos@ 399 tunnels 239 active, ok by sullrich@
IPSEC keep alive pinger using the wrong source IP address
Ticket #1482
Adding keep alive host to IPsec causes warning in webGUI
Ticket #1509
Ticket #1482 - set the source to an interface that is inside the subnet definition
Sync NATT support from m0n0wall
Oops, correct path to binaries
MFC IPSEC fixes from seth, this should properly reload and handle large configs > 300 tunnels.
use killall
Correct ps location
Kill trailing space
Commit forgotten vpn_ipsec_force_reload()
Do not flush SPA and SPD before starting. It upsets racoon.
Rework stop and start logic. If we are already alive, reload instead of stop and start. Tested by Seth.
PPPoE server fixes
Ticket #1283
Add link_carp_interface_to_parent() function
Allow CARP addresses to be the IPSEC endpoint.
This cleans up the code GREATLY and removes the FAILOVER IPSEC hack.
Make tabs consistent
Use a comma to separate multiple hosts instead of a carriage return which is being stripped by the package manager
Allow multiple racoon listen ips so that racoon can live on two different wan carp ips (multiple isps)
Only install listen directive when value is filled in.
Backport IPSEC filtering to 1.0.1.
Requested and will be tested by Seth
Add back missing WINS statement that was accidentally chopped in commit #9051
Ticket #1209
Do not destroy previous items, wiping out the listen directive.
Disable sasyncd. Sniff sniff. I gave it all I could, cap'n.
Maybe 1.1.
We're in 2006 now, toto
Ticket #854 fixes
Add c/r
MFC vpn ping code
Remove trailing newline
Use correct variable for radius issued ips
Correct warnings and errors found eclipse
Set: set link mru 1492 in addition to set link mtu 1492
Do not apply option when radius is disabled
Allow issuing of PPPoE ips from RADIUS server
Ticket #709
Import m0n0wall 1.21 PPTP Server
Remove auto establish. It's never worked.
Alert that we are auto establishing tunnel
Back off a little bit on the insane debugging levels. This brings the debugging levels back similar to m0n0wall.
Move setkey to /sbin/setkey from /usr/sbin/setkey due to FreeBSD changing the location.
Enable padlock support
Move )
Pointy-hat-to: Me
Missing )
Forced commit to note that failover ipsec should be enabled as well (even if you're not using failover, it simply sets the racoon listen ip address)
Add NATT support. Currently this option is disabled. To enable simply set the <developer/> tag inside <system> in config.xml
Use correct mtu for pptp when wan is pppoe.
Have I mentioned how much I HATE pptp lately?
Set /sbin/sysctl net.inet.ipsec.crypto_support=1 if Padlock
Detect ACE in CPU line
Do not set net.inet.ipsec.crypto_support