Fix a couple of 'route: writing to routing socket: Invalid argument' warnings during the boot.
Use the correct variable and only add the route when the hostname is resolved (if the remote address is a hostname).
route: writing to routing socket: Invalid argument
Use attribute rekey_enable as usual but optionally allow to set margintime if rekeying is not disabled
Hide margintime if rekeying is disabled
Activate RADIUS accounting for mobile ipsec if it was selected on the auth server view
Add strongswan rekeymargin attribute to vpn ipsec phase1 view
Disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI. Fixes #7561
Remove unused WINS code for L2TP. Fixes #7559
Rework how IPsec log settings are stored/retrieved, adjust the default values. Implements #7007
ipsec, apply routes also for IP-aliases with carp parents
Fix #6828
Until 2.3.x pfSense carried a patch that changed the behavior of the 'routechange' command, making it add the route when it fails to change. On 2.4 this patch was removed and will not be added back. This change adjusts PHP code to deal with route add / change and make it work...
Remove all calls to conf_mount_r* functions
Move copyright from ESF to Netgate
Convert L2TP Server code to mpd5
Add ng interface to pppoe group on mpd.conf and remove dead code from vpn-linkup script
Convert PPPoE Server code to mpd5
Move to Apache License 2.0
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Remove workaround for Ticket #4754 in 2.4 since 32 bit is dead.
Always use require_once
The usage of require() and require_once() throughout the system is inconsistent, and "bugs" come up now and then when the order of "requires" is a bit different and some require() happens after the include file is already included/required....
require_once auth.inc in vpn.inc since it uses functions from there; though normal use of the system won't require that, those who run certain things manually/custom may require it
Only omit aggressive line from ipsec.conf where IKEv2. Ticket #6513
Disable ipcomp regardless of config setting to avoid problem. Ticket #6167
Omit local identifier for mobile PSKs. Ticket #6286
Use leftsendcert=always where leftcert is defined. Ticket #6082
Add lock in vpn_ipsec_configure. Ticket #6160
Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719.
Fix indent
Internationalize etc inc uvx
Add support for splitting ipsec.conf conn entries for IKEv2. Ticket #4704
Add support for IPsec TFC. Ticket #4688
Fix IKE version "auto". Ticket #5880
Review of CARP uniqid changes.
It turns out that current CARP implementation is not much different from an IP alias.
This commit converts the IP alias to also use the CARP uniqid scheme; this simplifies the code in all other places because now we have only two different cases to deal with:...
Use the NAS IP configured for PPPoE server instances. Ticket #185
Fix #5816 (re)start of IPsec
Switch to disabling strongswan unity plugin by default. Ticket #4178
Somehow missed this in the committed version.
Relocate subnet mask drop-down to a more sensible place on the PPPoE server, add a user login count option.
Fix #4178:
- Stop moving the unity .so file around to make it not be loaded
- Include all modules' default .conf files from strongswan.d/charon
- After default files are included, define custom settings
- When unity is disabled, add a rule to make strongswan not load it
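As an added illustration of the ordering this commit describes (not pfSense's own generated strongswan.conf), the per-plugin defaults from strongswan.d/charon are included first and the custom override that keeps unity from loading comes after them; the include path is the one strongswan ships by default, but the surrounding layout is an assumption for the example.

```conf
# Added example of the strongswan.conf ordering; not the file pfSense writes.
charon {
    load_modular = yes
    plugins {
        # 1. pull in every plugin's shipped defaults (each sets its own "load = yes")
        include strongswan.d/charon/*.conf

        # 2. custom settings come after the include, so they override the defaults
        #    above. With unity disabled, this keeps charon from loading the plugin
        #    instead of moving the .so file out of the way.
        unity {
            load = no
        }
    }
}
```

Because later settings in strongswan.conf take precedence over earlier ones, the override only works when it appears after the include; placing it before would let the shipped unity.conf turn the plugin back on.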
Fix strongswan.conf indent level
Update license on files from /etc/inc
redmine 5702 - switch to high level IPv4 functions instead of low level ip2long32() etc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Code style and white space in etc
Run ping_hosts.sh once after IPsec start if it's enabled, to avoid a wait of up to 4 minutes for minicron to run it.
Merge pull request #2103 from jlduran/escape-strongswan-radius-key
Remove the last usage cases of $config['ipsec']['enable'].
IPSEC is always on in 2.3; where necessary (IPSEC rules, IPSEC daemon), we check the existence of phase 1 entries.
Escape RADIUS secret in strongswan.conf
If a RADIUS secret is, for example, `#secret-key#`, EAP-RADIUS authentication will fail, as the `#` can be interpreted by the strongswan.conf parser as a comment.
To avoid this from happening, set the key within double quotes.
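An added example of the two strongswan.conf forms the commit contrasts (not code from the pull request or from pfSense; the server name and address are constructed for the illustration):

```conf
# Added example; not the file pfSense writes. Server name/address are made up.
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    address = 192.0.2.10
                    # Unquoted, the parser can treat "#" as the start of a comment,
                    # leaving an empty secret and failing EAP-RADIUS authentication:
                    #   secret = #secret-key#
                    # Quoted, the whole value survives:
                    secret = "#secret-key#"
                }
            }
        }
    }
}
```

A quick check after a config change is to grep the generated file for an unquoted `secret =` whose value contains `#`; with the quoting in place the RADIUS secret is passed through verbatim.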
Create symlinks when target doesn't exist, not only when it's not a link
Revert "Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir"
It's not necessary after creating all symlinks
This reverts commit d92c10130df38e264c7c77367cf0d542d10794c0.
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Make sure symlink is created
Make sure symlinks are created
strongswan.d symlink was created the opposite way, pointy hat to me
Create symlinks of ipsec files and directories under /usr/local to deal with hardcoded paths in strongswan
Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir
etc inc delete $Id comments
and bits of white space. Note: There are plenty of files still with old-format copyright sections in here.
changes for #5219 accidentally reverted unrelated changes made by other commits. Restore those & remove some dead code that was commented out.
Don't allow IPsec mobile clients user auth source to not be a RADIUS server if the phase1 auth method is EAP-RADIUS. Properly handle selection of multiple RADIUS servers when using EAP-RADIUS. Fixes #5219.
It is not necessary to manually disable the IPSEC processing when not used.
With the recent IPSEC changes by gnn@, there is no more performance penalty for 1G networks if you have IPSEC compiled in kernel but not used.
TAG: tryforward
The net.inet.ip.fastforward sysctl is retired now.
Tryforward instead, is always on and is compatible with IPSEC.
Set leftsendcert=always for IKEv2 configurations with certificates to better accommodate OS X and iOS manual configurations. Fixes #5353
Make setting charon.plugins.attr.subnet conditional on net_list being set. Set its value to the list of subnets configured as P2's for mobile IPsec. Fixes #5327.
Disable strongswan logging under auth since it's all logged under daemon, so nothing is duplicated. Ticket #5242
Limit strongswan trusted CA certificates to those required for authentication of the configured IPsec SA's instead of trusting all known CA's. Fixes #5243.
only use daemon and not auth for strongswan logging. As it was, all logs were duplicated. Ticket #5242
Set rightca for IPsec phase 1 using Mutual RSA, Mutual RSA + xauth, or EAP-TLS. Fixes #5241.
Merge pull request #1689 from jlduran/l2tp-mschapv2
Remove strongswan's cert directories and repopulate them, to ensure no removed CAs, certs, or CRLs remain. Ticket #5238
Fix up strongswan logging levels. Remove charondebug since strongswan.conf settings take precedence. Set logging levels in strongswan.conf to match what's set on a running system via 'ipsec stroke loglevel', and remove log levels that were hard coded in strongswan.conf. Ticket #5242
https://redmine.pfsense.org/issues/5207
change auth methods for both peers when using hybrid RSA + xauth with IKEv1
Add support for an IPv6 pool for mobile clients.
Specify PSK for mobile configurations without the leading ID selectors. Fixes PSK mismatches from iOS clients.
When using eap-radius, if the virtual address pool is left blank, pull the IP addresses from RADIUS instead. (Will need an IP address defined for each account.) Doesn't seem to be possible to pull from either RADIUS or a local pool that I can see from experimenting and looking at strongSwan's docs.
Specify %any where identifier is "any", so the note on these pages actually works.
Add MS-CHAPv2 option to L2TP Configuration
See [#4732](https://redmine.pfsense.org/issues/4732)
Merge pull request #1750 from TarasSavchuk/patch-1
Merge pull request #1808 from miken32/master
White space and minor bits in etc
Cleaner version of https://github.com/pfsense/pfsense/pull/1846
Retire PPTP server, fixes #4226:
- Remove PPTP server and all related code
- Bump config version 12.2
- Write upgrade config code to remove pptpd section and also cleanup firewall and NAT rules using PPTP interface or src/des
Move main pfSense content to src/