Let the kernel handle REQID rather than handling it manually. The connection name is the one needed here.
fix strongswan conf file generation with ipcomp. Ticket #4182
Fixes #4188 use the same reqid over same phase1 but different phase2 connections. The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels
Correct the sense of the check by default unity is enabled
Provide an advanced setting to be able to disable Unity Plugin(Cisco extensions)
Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own.
fix spelling of compression
Fixes #4182 by properly managing IPcomp on ipsec tunnels.Also retires IPsec force reloading advanced sysctl since its useless nowdays with strongswan and remove its call on rc.newipsecdns.
Oops this should be 0s rather than 00. Linked with Ticket #4158
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking of putting the wrong value in the secrets file for traffic selector
Use base64 encoded secrets which Fixes #4158
Correct dashboard with new ipsec generation
Create a separate connection for IKEv1 with multiple phase2 definitions.
Correct the leftsubnet specification for transport mode.
Heh remove debugging code
Ooops fix this identation on final config
Just whitespace save from removing a useless else { branch
include $myid in these PSK lines. Ticket #4126
Give the proper value for the logging level since even 0 is the correct value coming from GUI.
Make sure this message is only displayed on console
Proper fix was put on f658bacRevert "Can't skip this if booting, ends up breaking config. Ticket #4071"
This reverts commit effb3a3cfe4e57b781f35ba8a145eb627014d8ce.
Can't skip this if booting, ends up breaking config. Ticket #4071
Only set i_dont_care_about_security_and_use_aggressive_mode_psk=yes where there is a P1 with aggressive+PSK enabled. Log a warning when such a configuration is in use.
Rather than set the g['booting'] on globals provide a function to test for that doing the right checks
Ooops do the right things for a correct config and php syntax
Put the aggressive line only during ikev1 configs
clean up tabs in strongswan.conf
Matching bracket in vpn.inc
Reported forum https://forum.pfsense.org/index.php?topic=84322.0
Ticket #3987. Strongswan support autodetection of IKE version exchange. Support this by allowing an auto version in the GUI.
Ticket #3809 use the setting with number rather than string since the parser of attr plugin understands only numbers. Reported on: https://forum.pfsense.org/index.php?topic=84304.0
Fix the generation of certificates for rsa type. strpos returns the pos as 0 for rsasig but it php considers that as false anyhow
Oops wrong choice the checkbox is only for javascript
Remove redundant code and check for dpd_enable checkbox to be set
Use leftcert for more options on IPsec authentication
Fixes #3995. Do not set rightsourceip on site-to-site VPNs but only on mobile users ones otherwise nothing works.
Reload also the configuration not only the secrets before trying to apply existing configuration. Ticket #3981
fix text, PPPoE Server, not VPN
set install_routes=no for charon to avoid the issues noted in ticket
use tabs rather than spaces, as most of this already did.
fix invalid ipsec.conf
Restore 3 values back on NAT-T settings Just Enable now its Auto as per strongswan default. and off disabled mobike. Ticket #3979
Properly configure NAT Tranversal setting.
Remove debugging code
Allow accept_unencrypted_mainmode_messages to be enabled if needed
Enable unity plugin as per request from https://forum.pfsense.org/index.php?topic=79737.msg452808#msg452808
This really does not need the =
Ooops restore this
Inverse the sense of the toggles to avoid configuration upgrades
Actually use the new toggles
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Make this work properly and not throw out errors.
Put some tuning on number of half open connection possible in one time.
Provide some parallellizm on the IKESA lookups for heavy loaded boxes.
Actually roll this back since it was a testing glitch
Correct generating loglevels for startup through ipsec.conf
Blah unconditionally set rightsourceip per https://forum.pfsense.org/index.php?topic=80300.0 Until pools can be supported properly.
Correct processing and assignment on ikeid variable so it does the right thing
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when connection is setup as route
Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Correct this so the dpdaction is created properly as restart
Do a reload on the cofniguration which is better than update. Also let the keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.
Move the rekey to yes always to avoid issues.
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confustion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Convert almost all /sbin/sysctl calls to php functions
Actually use ph1ent ikeid here otherwise will duplicate ids here.
Correct variable test here, too. Ticket #3662
Fix test (variable is a checkbox, not an array/string). Fixes #3662
Use correct variable name here.
Make some fixes related to Ticket #3662. Its mostly cleanup.
Actually make this correct
Use subnet rather than address/netmask to allow multiple clients to behave properly
Move duplicated code into a function; Include local ID on mobile tunnel key line in ipsec.secrets.
Use the right specification for ahnding over the subnet to mobile clients
Do not specify the rightid in mobile tunnels since it makes things not work
Oops this was moved accidentally
Correct sense of match and move the code up to since it makes more sense
Actually this should be rightauth2 since they should send the extra infor to be validated
Allow to use PSK+agressive mode since user should have the choice even though it poses security risks
This slipped in wrongly
Allow a key to specified for all users as for exmpale when connecting from Apple iOS
Pass the loglevels on the config rather than execing commands to specify these loglevels. This allows somethings to be properly logged as config logs
No need to have the ip let strongswan do it for us! Keeping still filterdns to properly evaluate dns behaviour here
Strongswan does not need the quotes here
Remove generate policy option since its not relevant with strongswan
Some adjustments to the code for logging
If unbound is configured then assign it for the vpn service
Another dir to be created