Fix typo. Ticket #4504
Fixes #4504 Provide a newline to generate proper config
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to the LAN IP from going to the IPsec tunnel
Only use mobile clients PFS config with mobile ph2ent. Ticket #4538
Conflicts: etc/inc/vpn.inc
enable ike_name for daemon facility as well, to add connection identifiers to logs.
Fix IPsec Advanced Settings uniqueids. It was neither set in strongswan config, nor picked up correctly in the UI.
If we bail not being able to find the P1 source, log an error.
Move libstrongswan-unity.so when Unity plugin is disabled so it can't modify the P2. Workaround for Ticket #4178
Need global $ipsec_idhandling here.
Don't enable interfaces_use by default. Add checkbox to enable on Advanced tab, in case there are scenarios where it's desirable. Ticket #4341
Code style etc inc vwx3
rebased version with conflicts resolved due to a bunch of recent changes in vpn.inc
Check if it's an array before calling foreach(). Ticket
Stop trying to fix dns_split during strongswan config generation, we have upgrade code in place for that, it should fix #4418
same change as previous commit, for IPv6. Ticket #4482
Use the parent interface, not the _vip for interfaces_use. Part of Ticket #4482
Remove "Prefer old SA" option, and ignore it in all existing configurations. Breaks things in many cases with strongSwan. For the very rare circumstances where this is actually desirable, it's just a sysctl that can be set in tunables.
Fix typo (trime->trim)
Ticket #4418 Actually make each entry a clear token to strongswan parser for dns_split
Ticket #4418 make sure the dns_split is separated with spaces rather than space or comma to comply with strongswan requirements.
Ticket #4418 Make the DNS names attr 28675 space separated as identified by Jeffrey Dvornek
Add GUI control for MOBIKE. Hide it when IKEv1 selected. Enable toggling of NAT-T field display so it's on for IKEv1, off for IKEv2. Do same for reauth while here. Ticket #3979
Surround some mobile clients attributes with " (quote) to help the strongswan parser identify the values properly. Ticket #4418
Use web-gui setting for pap or chap instead of having it hard-coded to chap.
Allow IPsec clients to properly connect and not stomp over each other. Reported-by https://forum.pfsense.org/index.php?topic=87980.0
Ticket #4353 fix typo on unset var spotted-by: Phil Davis
Fixes #4360 allow marking a connection as responder only, the same behaviour as mobile connections
Fixes #4359 Allow controlling uniqueids
Fixes #4353 Identify when strongswan.conf needs a reload and restart ipsec service.
Reload filter when IPsec is disabled, fixes #4245
Ticket #4254 do not put duplicate interface names
Ticket #4254 Actually use proper variables all over to have correct route added
Ticket #4254 Actually use proper interface to check if gateway exists
Ticket #4254 Use proper variable
Ticket #4254 actually use the info on the protocol of the vpn specification to be more sure on the family to use
Ticket #4254 Handle even hosts specified through dns name
Ticket #4524 Bring back static routes on ipsec to make sure charon does not send traffic through wrong iface. This handles IPv6 properly
Be compliant with gateway groups specified on ipsec. Ticket #4254
Ticket #4254 Actually fix this on 2.2 branch since vips are not handled by get_real_interface apparently!
Ticket #4254 specify the list of interfaces to be used by charon. This is a workaround for now. The fix is being investigated.
Just do an update since it will handle itself properly.
Ticket #3997, teach code to track carp through uniqids(). Missing carp GUI changes and upgrade code
Add RSA keys even for eap-mschapv2
Oops add missing curly
Also take care of ph1 mobile settings for eap-tls
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
Add some safety belts here to be safe
To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.
To be able to manage this, first upgrade the config to assign each phase2 a reqid. Second, use that during config generation
Ticket #4208
Let the kernel handle REQID rather than handling it manually. The connection name is the one needed here.
fix strongswan conf file generation with ipcomp. Ticket #4182
Fixes #4188 use the same reqid over same phase1 but different phase2 connections. The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels
Correct the sense of the check; by default unity is enabled
Provide an advanced setting to be able to disable Unity Plugin (Cisco extensions)
Move to specifically specifying the ID type except when it is an IP address, to have strongswan behave properly. Also for DynDNS names use the dns type id so strongswan does the resolving on its own.
fix spelling of compression
Fixes #4182 by properly managing IPcomp on ipsec tunnels. Also retires IPsec force reloading advanced sysctl since it's useless nowadays with strongswan and removes its call on rc.newipsecdns.
Oops this should be 0s rather than 00. Linked with Ticket #4158
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector
Use base64 encoded secrets which Fixes #4158
Correct dashboard with new ipsec generation
Create a separate connection for IKEv1 with multiple phase2 definitions.
Correct the leftsubnet specification for transport mode.
Heh remove debugging code
Ooops fix this indentation on final config
Just whitespace, save from removing a useless else { branch
include $myid in these PSK lines. Ticket #4126
Give the proper value for the logging level since even 0 is the correct value coming from GUI.
Make sure this message is only displayed on console
Proper fix was put on f658bac
Revert "Can't skip this if booting, ends up breaking config. Ticket #4071"
This reverts commit effb3a3cfe4e57b781f35ba8a145eb627014d8ce.
Can't skip this if booting, ends up breaking config. Ticket #4071
Only set i_dont_care_about_security_and_use_aggressive_mode_psk=yes where there is a P1 with aggressive+PSK enabled. Log a warning when such a configuration is in use.
Rather than set the g['booting'] on globals, provide a function to test for that doing the right checks
Ooops do the right things for a correct config and php syntax
Put the aggressive line only during ikev1 configs
clean up tabs in strongswan.conf
Matching bracket in vpn.inc
Reported forum https://forum.pfsense.org/index.php?topic=84322.0
Ticket #3987. Strongswan support autodetection of IKE version exchange. Support this by allowing an auto version in the GUI.
Ticket #3809 use the setting with number rather than string since the parser of attr plugin understands only numbers. Reported on: https://forum.pfsense.org/index.php?topic=84304.0
Fix the generation of certificates for rsa type. strpos returns the pos as 0 for rsasig but php considers that as false anyhow
Oops wrong choice the checkbox is only for javascript
Remove redundant code and check for dpd_enable checkbox to be set
Use leftcert for more options on IPsec authentication
Fixes #3995. Do not set rightsourceip on site-to-site VPNs but only on mobile users ones otherwise nothing works.
Reload also the configuration not only the secrets before trying to apply existing configuration. Ticket #3981
fix text, PPPoE Server, not VPN
set install_routes=no for charon to avoid the issues noted in ticket
use tabs rather than spaces, as most of this already did.
fix invalid ipsec.conf
Restore 3 values back on NAT-T settings. Just Enable is now Auto as per strongswan default, and off disables mobike. Ticket #3979
Properly configure NAT Traversal setting.
Remove debugging code
Allow accept_unencrypted_mainmode_messages to be enabled if needed
Enable unity plugin as per request from https://forum.pfsense.org/index.php?topic=79737.msg452808#msg452808
This really does not need the =
Ooops restore this
Inverse the sense of the toggles to avoid configuration upgrades
Actually use the new toggles
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Make this work properly and not throw out errors.
Put some tuning on the number of half-open connections possible at one time.
Provide some parallelism on the IKESA lookups for heavily loaded boxes.