pfSense

DNSWatch core dumps when it encounters white spaces.

Properly check and set "Prefer older IPsec SAs" setting in the config and its associated sysctl. Move setting the sysctl to its own function to avoid code duplication.

Actually decode before writing to mpd.secret. Alos correct variable names. Discovered-by: Efonne(IRC)

Make possible to run multiple instances of pppoe server. Not yet switched to mpd4.

CA/CERT Move

also include split_dns, as Cisco VPN clients won't query across the VPN without it.

Fix spelling error. Thanks-to: wagnoza (IRC)

Do proper checking on the interval used for dnswatch. Otherwise might pass wrong parameters to dnswatch.

Fix some PPPoE server radius variable references. Fixes #853.

Let the user choose the IPsec CA instead of assuming.

Only write out the CA if one exists.

Flip this check

When using a certificate for IPsec, also write out and reference the certificate's CA.

Honor a phase 1 proposal_check if one is set, otherwise use the default.

Resolves #815. Do not add protection rules if lan interface has no ip.

Fix test of preferoldsa to check the proper variable name.

Ticket #655. Another try at this.

Fixes #755. Workaround bug on dnswatch and properties_read by actually creating a correct file for properties_read API.

Remove gif creation/deletion in ipsec code it seems unlikely and unused for a long time. This also removes the risk of doing damages on gifs configured through the GUI.

Honor GUI configured DNS settings for PPTP/PPPoE/L2TP if present.

Add per-user PSKs to racoon.

Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459

Add a few comments. This should be ready for testing/feedback. Ticket #108

Add missing ;

Set proposal check and passive as needed for this scenario also. Ticket #108

Ensure initial_contact is 'on' in this case to behave as 1.2.3 did. Ticket #108

Set generate_policy to "on" to behave as 1.2.3 does in this case. Ticket #108

Only specify peer ID if we are not dealing with a mobile PSK-only tunnel. Ticket #108.

Do not specify subnet in sainfo if we are dealing with a mobile PSK-only tunnel. Ticket #108

Write out IPsec PSKs for mobile clients. Part of ticket #108.

Use the -s ident option of mpd to send the logs for the PPPoE/PPTP/L2TP servers to syslogs appropriate files. Create the files for these vpn's as for the others. Logs can be viewed in the VPN tab of the system log.

Ticket #430. Give a none option to allow for roadwarriors configs.

Only fetch inet family routes.

Prevent errors when running without a lan defined interface. Also remove some dead code.

Three fixes:
- ipsec-tools 0.8 ignores 'adminsock' directive, so until upstream is fixed, we need to use the default /var/db/racoon/racoon.sock
- Fix spd files reloading in /tmp
- Revert initial patch from Scott
Ticket #137

Ticket #332. Simplify creating the ipsecpinghosts file.

ping_hosts.sh is no more in /etc. Remove some unneeded lines.

Use global variable.

Use global variable and do not loop all entries undefinitely.

Do propper checking on sasyncd to not try to start this damon uselessly.

Do not fail to create racoon.conf if there is no ip on wan. this might be a valid config.

Use better interface names.

Fix racoon file gneration when selected type is dyn_dns. Reported-by: http://forum.pfsense.org/index.php/board,49.0.html.

Check to see if processes are running before killing

Reload tunnel policies Ticket #137

Restore lost code. Noticed-by: Ermal

Combine PPTP Server subnet and clients. Code imported from m0n0wall. Ticket #139

Remove ipsec_in_use sysctl

Add newline after set radius server Resolves #184

Rework includes/require. This saves about 4 megabytes.
Simplify get_memory(). Tested on mips/i386

Turn off IPSEC net.inet.ip.ipsec_in_use when IPSEC is disabled

Set sysctl net.inet.ip.ipsec_in_use=1 when starting racoon

More IPSec, filter.inc changes

Here we go again .. IPSec stuff

Add neccessary include.

Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions

Fix typo in variable name which resulted in a incorrect format for the /var/db/ipsecpinghosts file.
Fixes half of #61

Unbreak ipsec on my firewall. For some reason p2_ealgos is not being defined and requires a 'require' to bring it in. Not sure why this is happening but this fix unbreaks my case at least.

remove debugging echo

Check correct variables

Do not enter for loop if all variables are 0. Apparently we have some include ordering issues that are preventing these variables from being set.

Ipsec.inc is in functions.inc

Unbreak IPSEC!

Do not send a HUP to racoon as that causes issue with initial
configuration loading.

Switch over the dns list from arguments to dnswatch to a file which holds them which dnswatch will use.

Make the dnswatch_list array unique before processing it

Silence route delete, this will also match on local network connected
vpn endpoints, those routes can not be deleted and throw a error.

Correct variable names so that the logging is useful.
Remove racoon reload signal

Remove some unneccessary calls to filter_configure() they just give recursivity!

Use is_dir, not is_file for detecting directory existance.

fix route deletion

clarify log message

Ensure /var/db/racoon exists

Fix PPTP+RADIUS. See ticket #1926.

Rename filter_translate_type_to_real_interface to interface_translate_type_to_real
Move this function to interfaces.inc where it belongs.

Use correct variable name.

Fix a spd.conf not loading changes issue.

• Do not apply the settings directly from hitting the SAVE button show the apply settings option for consistency with other pages.

• Fix ipsec over carp handling.
• do not useinterface in Upper case when working on the backends.
• Do not print Configuring IPSec during bootup if there is nothing configured.

• Hide interfaces internals to other code and use the propper interfaces.
  Basically use get_interface*() functions instead of accessing fields like 'ipaddr'/'descr' etc...
• Make get_interfaces_with_gateway less heavyweight by getting information from the configuration stored in config.xml...

Add secret option required on some setups.

We include ng_l2tp in kernel already, do not kldload

Correct a typo in vpn.inc that broke esp encryption algorithm configuration.

Modify IPsec code to allow for transport mode. All existing configurations are
marked as tunnel for backwards compatibility. There are problems with the spd
read code which Will likely choke on transport entries. We can fix this later.

Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.

Move the admin socket parameter into the existing listen section.

Actually remove the spd reload files after processing it. This would break the tunnels as it would re-process all files in order every time the configuration reloads a
tunnel.

Correct and expand the local and remote IP address endpoint check so that it specifies which one is at fault.

Migrate IPsec certificate management to centralized system.

Fix typo in function names

If either the old or new local or remote endpoint is not a IP address we make sure to abort.

Correct spelling to the past tense

Use the new is_module_loaded function to avoid spamming the System log.

Increase time to wait after killing mpd4 on l2tp case.

Remove all global decalarations regarding pptp/pppoe/l2tp they are no more needed.

L2TP improvements.

Fix typo.

Remove radius-ip option also non present on mpd4.

radius-fallback option is no more present on mpd4.

Fix ltp links creation.