Fix IPsec mobile user and pool references. Fixes #10296 Fixes #10314
For mobile IPsec pools, use separate pool for v4 and v6. Fixes #10296
Strip IPsec PH2 hash for AEAD ciphers. Issue #9726
Accommodate both RADIUS and pool IP addresses in IPsec. Issue #8160
Merge pull request #4177 from vktg/gremtu
IPsec VTI IPv6 address correction. Fixes #9801
When setting up IPv6 VTI, assume /64 -- Previous code was assuming /32 which wasn't correct, and it can't be /128 either since the IPv6 addresses are not point-to-point like IPv4.
Merge pull request #4188 from vktg/ipsecph2nohash
Fix IPsec issue if no PH2 hashes selected. Issue #9309
Set correct default MTU for GRE, GIF and GRE/IPsec. Issue #10222
Merge pull request #4165 from vktg/resolve46
IPsec IPv6 dynamic FQDN Remote Gateways, resolve_retry() IPv6 support. Issue #9405
Allow manual selection of IPsec IKE Pseudo-Random Function (PRF). Issue #9309
allow to disable IPsec P1 when P2 is disabled VTI. Issue #10190
This is 2020. Issue #9245
Revert "strip hash algo if ealgo == *gcm"
This reverts commit 1f8e92a30c1db4f96625b4591a65902492084eb3.
strip hash algo if ealgo == *gcm
Rework IPsec P1 Lifetime GUI options. Fixes #9983
Token -> PKCS#11
gui renaming pkcs11 -> token + show ID
cert on token check
some progress
conflicts resolved, needs testing
IPsec swanctl conversion. Implements #9603
cosmetic
Merge branch 'master' into p11ipsec
successful connection
first steps
Rename IPsec "RSA" options to "Certificate". Implements #9903
Add GUI option for IPsec tunnel closeaction. Fixes #9767
Add IPsec DH/PFS groups 25/26/27. Implements #9757
IPsec ID type parsing changes. Fixes #9243
ipsec.inc: Safety belt in case package array is missing.
Instead of restarting pkgs, add an IPsec reload hook they can use instead. Fixes #9668
Fix copyright message years to reflect BSDP -> ESF -> Netgate
Add in DH 32, a patch for strongSwan will be in soon to test with. Issue #9531
Add RFC 8031 Group 31 to IPsec. Implements #9531
Update copyright notices to 2019. Happy New Year
Rework how IPsec VTI interfaces and reqid specifications for same are formed. Ticket #8544
IPsec VTI interface refinements/fixes. Ticket #8544
Please welcome routed IPsec using if_ipsec VTI interfaces. Implements #8544
To use, create a P1/P2 and set P2 to VTI using local/remote network as tunnel endpoint addresses, then assign the interface (enable, but IP type = none), and use like any other interface for routing.
Merge pull request #3904 from Hobby-Student/master
Allow Dual Stack IPsec P1 interface. Fixes #6886
Allow "Both" to be selected for IPv4/IPv6 on IPsec P1, in the config use both addresses as "left =" if they both exist. Some cases where a single address was assumed (e.g. ping hosts) default to using the first address....
extended GUI to manage new feature
Update the Copyright notice for pfSense.
Merge pull request #3414 from phil-davis/ipv6-compress
Fixed #6967
Always force compress when calling Net_IPv6
Rework how IPsec log settings are stored/retrieved, adjust the default values. Implements #7007
ipsec mobile clients, don't check mobile leases if mobile client isn't enabled to begin with
Move copyright from ESF to Netgate
Allow AES-GCM for P1 where using IKEv2. Ticket #5990
Move to Apache License 2.0
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Internationalize etc inc i through s
Fix style issues.
Review of CARP uniqid changes.
It turns out that current CARP implementation is not much different from an IP alias.
This commit converts the IP alias to also use the CARP uniqid scheme, this simplifies the code in all other places because now we have only two different cases to deal with:...
Update license on files from /etc/inc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Code style and white space in etc
Fix what I broke removing DES. pointy-hat-to: me
Remove GCM options from phase 1, it's only supported in P2. Remove DES while here.
Fix ipsec_enabled() to return true only when at least one of the phase 1 entries is enabled.
Convert all the occurrences of $config['ipsec']['enable'] in filter.inc, ipsec.inc and service-utils.inc
Fix ruleset when IPSEC is enabled but there are no Phase 1 entries.
Issue: #5487
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Change ipsec_dump_mobile() to parse regular output of ipsec leases, we are removing patch that made it to output xml
Add a new function that returns the current state of IPSEC.
Whenever we have phase1 entries, IPSEC is considered enabled.
A new fix for #4130:
The fix added for this bug, that check xml file size is < 200 to decide if file must or not be read created a new issue, single entry is not shown.
Instead of doing this, check parse_xml_config() return and return empty array when it's -1...
Only call pfSense_ipsec_list_sa() when IPsec is enabled
Restore ipsec_dump_spd() accidentally removed on 7fcd5ea8bb2e7c9c94e1f38008fc3da440eb14e8. Pointy hat to: garga
Retire ipsec_smp_dump_status()
Move main pfSense content to src/