Ipsec.inc is in functions.inc
Unbreak IPSEC!
Do not send a HUP to racoon as that causes issues with initial configuration loading.
Switch over the dns list from arguments to dnswatch to a file which holds them which dnswatch will use.
Make the dnswatch_list array unique before processing it
Silence route delete, this will also match on local network connected vpn endpoints, those routes can not be deleted and throw an error.
Correct variable names so that the logging is useful. Remove racoon reload signal
Remove some unnecessary calls to filter_configure(); they just cause recursion!
Use is_dir, not is_file for detecting directory existence.
fix route deletion
clarify log message
Ensure /var/db/racoon exists
Fix PPTP+RADIUS. See ticket #1926.
Rename filter_translate_type_to_real_interface to interface_translate_type_to_real. Move this function to interfaces.inc where it belongs.
Use correct variable name.
Fix a spd.conf not loading changes issue.
Add secret option required on some setups.
We include ng_l2tp in kernel already, do not kldload
Correct a typo in vpn.inc that broke esp encryption algorithm configuration.
Modify IPsec code to allow for transport mode. All existing configurations are marked as tunnel for backwards compatibility. There are problems with the spd read code which will likely choke on transport entries. We can fix this later.
Move the IPsec pinghost option from phase1 to phase2. Correct some bugs that were preventing the local address from being selected.
Move the admin socket parameter into the existing listen section.
Actually remove the spd reload files after processing them. This would break the tunnels as it would re-process all files in order every time the configuration reloads a tunnel.
Correct and expand the local and remote IP address endpoint check so that it specifies which one is at fault.
Migrate IPsec certificate management to centralized system.
Fix typo in function names
If either the old or new local or remote endpoint is not an IP address we make sure to abort.
Correct spelling to the past tense
Use the new is_module_loaded function to avoid spamming the System log.
Increase time to wait after killing mpd4 on l2tp case.
Remove all global declarations regarding pptp/pppoe/l2tp; they are no longer needed.
L2TP improvements.
Fix typo.
Remove radius-ip option, also not present on mpd4.
radius-fallback option is no longer present on mpd4.
Fix ltp links creation.
Catch up on mpd4 changes even when operating as pppoe/pptp/l2tp server.
can't continue when you aren't in a loop
Use correct var so dnswatch will launch correctly.
Modify our function to process according to the new IPsec config.xml array format of 2.0. This should now correctly reload ipsec tunnels where a hostname is used as the endpoint. TODO: The UI pages still need to be changed for the granular IPsec policy reloading.
Improved logic to delete old ipsec policies. It can now be used in a generic fashion to replace spd policies instead of just dynamic dns endpoints. We now leave files in tmp which are picked up by vpn_ipsec_refresh_policies(). This allows us to use the apply button again.
Oops forgot to modify and commit the code that tells racoon to re-read the configuration files.
Port the code for granular adding and removing IPsec SPD policies. This is the backend part of it which is used by rc.newipsecdns when a hostname changes IP
Merge the preferred SA logic from 1.113 of HEAD 2 years 7 months later
I think mpd 4.x doesn't like "set pptp self 127.0.0.1" - removing this allows my iphone to connect to my pfsense box just like it does on 1.2.1
Don't try to configure a blank WINS server, while it doesn't kill mpd, it sure whines about it.
Try to use where possible filter_configure so upcoming event modifications can be easily integrated.
Correct path to netstat
Correct route lookup
Lookup route table before attempting a delete
Suppress killall messages
Extra sighup not needed on 7
Make sure the /var/db/racoon path exists before starting racoon. This is needed to ensure racoonctl can communicate properly with racoon.
Remove unused and possibly erroneous code.
Remove the vpn_endpoint_determine function. It did not work properly when CARP devices were in use. Use the newer ipsec_get_phase1_src instead.
Fix regression on interface list. (missed merge from RELENG_1_MULTI_ANYTHING)
Add myself to the Copyright.
NOTE: this is only half part of the changes the other half will come after
Introduce a new and improved version of IPsec mobile client support. The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support...
Overhaul IPsec related code. Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration...
Correct setkey path to correct usr local sbin location.
PPPoE server fixes. Patch submitted by Ermal.
Update binary to use mpd4
Get correct interface list.
Interface list improvements.
The physical interface must be passed to find_interface_ip()
this was breaking the racoon.conf for OPT WAN IPsec when interface is not statically addressed
Correctly process non carp interfaces
Correctly update static routes on change
Make the vpn configuration add static routes on interfaces other than WAN. link_carp_interface_to_parent() now correctly returns the parent interface instead of always WAN.
Start PPTPD.
Start MPD correctly on newer mpd
Fix mpd startup
Unbreak racoon
Do not quote an empty string when the DN identifier is blank.
Obtained-from: m0n0wall
Bump dpd from 20 to 120
Use DPD and frag support we already have
Send extra sighup after starting
Pass -c along to mpd
With the current Racoon we need to inform it that we are reloading our SPD entries with a SIGHUP
Update to racoon-0.7-cvs with Timo Teras patches. Use setkey -f because spd loading works normally now.
attempt loading SPD entries 4 times
Somehow sending a SIGHUP before flushing and reloading works better than after. Technically a SIGHUP to racoon should not do anything.
Flush both SA and SPD entries
repair logic I think. Can we please use more curlies?
Make 3 passes at loading the SPD entries as this will fail on large configurations > 250 tunnels. Tested by smos@ 399 tunnels, 239 active, ok by sullrich@
touch up text
Ticket #1569
freeradius and pptp changes by forum-user 'cybrsrfr'
Adding dnswatch support.
IPSEC keep alive pinger using the wrong source IP address
Ticket #1482
Adding keep alive host to IPsec causes warning in webGUI
Ticket #1509
Ticket #1482 - set the source to an interface that is inside the subnet definition
Sync NATT support from m0n0wall
Unbreak IPSEC, correct pathnames
Fix loading and reloading config for IPSEC. MFC: Possible candidate, works for seth. Needs test.
Add ASN1DN identities support to IPSEC.
Submitted-by: Nic Bernstein <nic_AT_onlight.com>