Correct required param after optional param syntax errors
Revert "Destroy deleted/disabled IPsec SA. Fixes #13102"
This appears to be causing a pileup of swanctl processes on systems with a significant number of disabled tunnels.
This reverts commit d90552c59e51fb13c712b6a96a51ca2462424156.
Destroy deleted/disabled IPsec SA. Fixes #13102
Do not restart IPv4 IPsec on IPv6 gateway events and vice versa. Issue #3132
WebGUI option for IPsec <dns-interval> option. Feature #13057
Skip IPsec VTI interface if remote FQDN gateway is not resolved. Issue #12763
IPSec IKEv2 Mobile INTERNAL_DNS_DOMAIN (value 25) attribute. Fixes #12975
Remove unused add_hostname_to_watch() from ipsec_setup_gwifs(). Issue #12645
Update the Copyright year of the files owned by Rubicon/Netgate.
IPsec IKEv2 Retransmission options. Implements #12184
IPsec on backup CARP group validation. Fixes #12566
IPsec SPD status updates. Implements #12397
Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit PH2 rename. Fixes #12350
Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit rename. Fixes #12350
IPsec Widget none/disabled tunnels fixes. Issue #12337
IPsec PH2 AH proposals order fix. Issue #12323
Consider GWG in ipsec_force_reload. Fixes #12315
Don't wait on manual IPsec actions. Fixes #12298
Use a timeout with swanctl --initiate, and use --force for swanctl --terminate. This will allow the commands to succeed and return without waiting on the remote to respond. The negotiation continues in the...
Move IPsec Mobile additional configuration attributes to strongswan.conf. Fixes #11447
Do not create disabled IPsec VTI interfaces. Fixes #12212
Write CRL files only if certificate authentication is used in IPsec. Fixes #12195
IPsec identifier type updates. Implements #12044
Correct names to reflect what the actual types are (e.g. Distinguishedname is really FQDN)
Add an explicit "auto" type which passes the user input through as-is. Previously some users took advantage of ASN.1 DN behaving this way to...
IPsec updates to address multiple issues
IPsec PKCS#11 support as an optional feature. Issue #11933
Always apply IPsec changes on HA secondary. Fixes #12075
ipsec: Simplify logic
ipsec: Use correct variable name
ipsec: Remove unneeded references on parameters
ipsec: Normalize ipsec_lookup_phase1()
- $ph2ent doesn't need to be a pointer
- Return true when $ph1ent is found since $ph1ent is a pointer and is filled with proper content in this case
Back out recent changes in mobile IPsec
These changes led to the pool failing to load and thus clients could not connect. Will revisit for future releases. Affects:
ipsec_vti() skipdisabled fix. Issue #11832
Ensure mobile IPsec pools are always in config. Issue #11891
Add IPsec GUI control for Child SA Start Action. Implements #11576
Correct source IP for IPsec on 6RD/6to4 interfaces. Fixes #11643
IPsec Mobile users swanctl.conf fix. Issue #11564
IPsec peer ID Any fix. Issue #11555
Correct location and config for Strict CRLs in IPsec. Fixes #11526
IPsec Mobile EAP-RADIUS additional configuration fix. Issue #11447
Don't add empty pools line. Fixes #11488
Fix child SA name generation. Fixes #11487
RADIUS Advanced parameters. Feature #11211
Do not prefix FQDN IPsec IDs with @. Fixes #11442
IPsec P1/P2 expiration and replacement refresh. Implements #11219
Update the Copyright year.
A subsequent commit will deal with .po's.
Correct DPD syntax and values. Fixes #11196
IPsec P2 life_time changes. May help with issue #10176
Correct IPsec secrets section ID type handling. Fixes #11193
IPsec PH2 proposals order fix. Issue #11078
IPsec PH1 creation fix. Issue #9592
Merge pull request #4176 from vktg/maxikev1exchanges
Merge pull request #4436 from f-bor/ipsec_custom_port
add custom ipsec ports
Merge pull request #4190 from vktg/remove00vti
Rework route functions
- Created route_table() that returns an array containing all items from route table. It uses --libxo to get a json object
- Created route_get() that return an array with route items to desired target
- Created route_get_default() to get current default route for inet or...
Remove extra 00 padding of VTI interface names. Issue #9592
Add option to increase parallel IKEv1 Phase 2 rekeys. Issue #9331
Style: Break a couple of long lines
Combine nested conditionals into a single one
Remove commented out lines
Merge pull request #4230 from vktg/ipsecp2shunt
IPsec Mobile RADIUS Group authentication. Implements #10748
More complete IPsec close_action conversion. Fixes #10632
Use close_action=trap, not hold. Fixes #10632
Improve handling of an empty IPsec phase1 tag. Fixes #10580
Also fixes another PHP error after config upgrade which behaved in a similar way.
Use correct prefix for IPsec user keys. Fixes #10505
IPsec VTI /30 netmask. Issue #10418
IPsec PH2 bypass mode. Issue #3329
Merge pull request #4173 from f-bor/gw_duplicates
Fix IPsec mobile user and pool references. Fixes #10296 Fixes #10314
For mobile IPsec pools, use separate pool for v4 and v6. Fixes #10296
Strip IPsec PH2 hash for AEAD ciphers. Issue #9726
Accommodate both RADIUS and pool IP addresses in IPsec. Issue #8160
Merge pull request #4177 from vktg/gremtu
IPsec VTI IPv6 address correction. Fixes #9801
When setting up IPv6 VTI, assume /64 -- Previous code was assuming /32 which wasn't correct, and it can't be /128 either since the IPv6 addresses are not point-to-point like IPv4.
Merge pull request #4188 from vktg/ipsecph2nohash
Fix IPsec issue if no PH2 hashes selected. Issue #9309
Set correct default MTU for GRE, GIF and GRE/IPsec. Issue #10222
fix requested changes
Merge pull request #4165 from vktg/resolve46
enable gateway duplicates on ipsec
IPsec IPv6 dynamic FQDN Remote Gateways, resolve_retry() IPv6 support. Issue #9405
Allow manual selection of IPsec IKE Pseudo-Random Function (PRF). Issue #9309
allow to disable IPsec P1 when P2 is disabled VTI. Issue #10190
This is 2020. Issue #9245
Revert "strip hash algo if ealgo == *gcm"
This reverts commit 1f8e92a30c1db4f96625b4591a65902492084eb3.
strip hash algo if ealgo == *gcm
Rework IPsec P1 Lifetime GUI options. Fixes #9983
Token -> PKCS#11
gui renaming pkcs11 -> token + show ID
cert on token check
some progress
conflicts resolved, needs testing
IPsec swanctl conversion. Implements #9603
cosmetic
Merge branch 'master' into p11ipsec
successful connection
first steps
Rename IPsec "RSA" options to "Certificate". Implements #9903
Add GUI option for IPsec tunnel closeaction. Fixes #9767