Also consider 0.0.0.0/0 here since it fails both these tests but is still a valid/special config.
If the old configuration is present there use the new one for local users
Fix location of banner file for ipsec and also sprinkle some unset to avoid php keeping data in memory
Correct path even for generated certs for ipsec
Correct path to certificates as well
Corrected racoon path to psk.txt.
"path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; is incorrect, amended to "path pre_shared_key \"{$g['varetc_path']}/ipsec/psk.txt\";\n\n";
Remove none per Jim since it is confusing
Allow other system authentication types to be used with ipsec. LDAP/RADIUS/local acc
Fixes #2394. If an entry of 0.0.0.0/0 is configured then use the first interface IP matching. Also do a micro-optimization to not retrieve the interface list for every ping host entry
Fixes #2300. Take into consideration ip aliases on carp
Fixes #2300. Add static route even for ip aliases selected to avoid issues.
Use a proposal check value of obey for all mobile, not just pure-PSK. (The docs recommend setting this, may as well make it the default)
Correct the config generation
config.xml might have some elusive data so do not fail sainfo section for localside if there is an empty nat address. Just do not put the nat side in there
Correctly build the sainfo to avoid errors
Use .= for strings rather than +=
Add a NAT entry for configuring NAT on ipsec phase2. It will add nat rules on enc interface
Add forgotten part of the IPsec split dns fix from yesterday
Ticket #2635: during ipsec reload, do not generate spd for disabled ph1
Don't add ldapcfg to racoon.conf since we're not using racoon's built-in LDAP support now. Moving to external script-based auth, see ticket #1112
Restructure these IP/subnet tests so they don't break transport mode.
Fixes #2364. On busy pppoe servers it might take some time before mpd exits. Check for this before trying to restart
Make sure that we match multiple characters. Ticket #2415
First round of CARP vip renaming changes. Ticket #2415
Routes should not be skipped when IPsec is on WAN, as WAN may not be the default gateway.
this is only valid in mpd5 (really?...) Revert "RADIUS accounting updates are needed for PPPoE and L2TP too"
This reverts commit 02b14dcb49da8dc278e87785bb3f811336bf1fd0.
RADIUS accounting updates are needed for PPPoE and L2TP too
Don't let an empty subnet into racoon.conf, it can cause parse errors. Ticket #2201
Fix reference to PPTP secondary RADIUS server shared secret. See http://forum.pfsense.org/index.php/topic,46103.0/topicseen.html
Only do foreach on the p2's if it's actually an array.
Ensure we always write out a blank spd.conf if there are no phase 2 entries. If you delete the last phase 2 and then apply, it will still be in spd.conf and used by racoon even with no phase 2's configured.
Fix several issues in pppoe code and remove duplicated code.
Make initial changes to allow pfSense to work in a jail.
This mostly avoids starting things that will not work and gets the initial config. Most of the pfSense functionality will not work (pf rules, routing, etc) but it can be used for testing.
Also escape \ in pptp passwords.
Correct whitespace and some problems in the just merged ldap auth source for racoon
Merge pull request #8 from ninja76/master
IPSec xAuth allowing LDAP to be used as a backend
Prevent php from coring if the wrong parameters are passed to ip2long
Relax PPTP password restrictions, just prevent starting with a !, and limit to common printable/keyboard characters so it doesn't result in invalid xml. Fixes #1720
Improved ipsec ldap xauth
Always send the route delete command even if it fails its ok. This avoids having to dump the routing table.
Use the new change to be less disruptive
format error
More sanity checking
Ipsec xAuth patch
Removes variable concatenation on gettext strings
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote branch 'upstream/master'
Merge remote-tracking branch 'mainline/master' into inc
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Correct event calling during bootup for rc.newipsecdns and also convert the command executed during an ipsec event to go through check_reload_status, which will prevent races on calling rc.newipsecdns. Such races might lead to many filterdns processes.
Conflicts: etc/inc/openvpn.inc
Add a GUI selection for racoon's generate_policy directive since it may be useful in certain configurations, especially for mobile clients.
Conflicts: conf.default/config.xml etc/inc/filter.inc etc/inc/globals.inc etc/inc/pfsense-utils.inc etc/inc/upgrade_config.inc usr/local/www/interfaces.php
Silence the route changing since it fills the logs with not needed info.
Conflicts: etc/inc/interfaces.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Don't put an empty PSK into the file, and try to avoid extra whitespace to be safe.
Conflicts: etc/inc/vslb.inc etc/version
passive should always be on for mobile clients per racoon man page
Disable this log message, as it can be extremely spammy in the logs.
Remove stray debugging lines in VPN
Conflicts: usr/local/www/status_rrd_graph_img.php
Give time to filterdns to exit gracefully and after that start a new process.
Conflicts: etc/inc/gwlb.inc
Add missing fields for l2tp to define dns and wins servers
Add a toggle under System > Advanced on the misc tab to enable/disable debug mode for racoon.
Conflicts: etc/inc/interfaces.inc etc/inc/priv.defs.inc etc/inc/shaper.inc etc/inc/system.inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Fix merge conflict
Swap if statement, add fields into ipsecpinghosts file
Correct ping hosts functionality for > 1 tunnel. Add v6 functionality
Fix the IPsec ping hosts file generation. This only worked for the last tunnel
Try to make IPv6 feature complete for IPv6 support. Looks like ipsec-tools was built without v6 support, make sure you have a newer build
Commit the backend function that writes out the racoon.conf
Make sure to note the limitations to gethostbyname, it does not work for Quad A records. Fix resolve_retry in the process, use that.
Use racoonctl now that ipsec-0.8 is back to reload the config.
Always write out the filterdns-ipsec.hosts file, otherwise deleted tunnels will never get removed from the filterdns-ipsec.hosts
Add a check that should prevent configuration of racoon with duplicate phase 1 IP entries.
Add more safeguards and IP address checks
Do not resolve the hostname during boot, also make really sure we have an IP address here.
Prevent an empty remote gateway IP from ending up in the config
Make sure to initialize the remote gateway IP variable so that it does not end up with a broken config
Do not resolve the dyndns hostnames during boot. With many tunnels that have a hostname this can cause huge boot issues if the DNS server is slow or not responding at all. By skipping those but adding them to the DNS watchlist it should reload these later. This should allow the box to start...
Fix typo (swapped parameters)
Fix typo
Correct configuration file name.
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Use filterdns instead of dnswatch which will be retired.
Actually use sigkillbypid.
Send a HUP to racoon which is equivalent to the reload-config racoonctl command which seems to not work in 0.7.3 of ipsec-tools.
Add radius port and radius accounting port to config if supplied.
Ticket #1116: anonymous sainfo may be used only for single phase2 ipsec VPN's
Prevent other types of interface from being added to ng_ether(4). It might be the cause of panics reported here http://forum.pfsense.org/index.php/topic,31404.0.html
nuke trailing carriage returns
Do not attach ng_ether(4) to every system interface. Instead do a search if netgraph is needed on single/every interface during interface configuration. Also enable netgraph support for an interface as needed when enabling pptp/l2tp/pppoe/... . This should prevent the netgraph queue from slowing down network performance on fast links.
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Some IPsec mobile changes to inch a little closer to working L2TP+IPsec. Ticket #475
Only print "sainfo anonymous" also for xauth-psk setups. See http://forum.pfsense.org/index.php/topic,29164.msg157864.html#msg157864