pfSense

Fix various PHP issues in vpn.inc

Also rewrite the method used to get DNS servers. It's still not perfect
but the old code had several potential problems like sending invalid DNS
servers to clients.

Restart L2TP VPN on interface IP change. Fixes #13066

Update the Copyright year of the files owned by Rubicon/Netgate.

Do not detach ng_ether from physical interfaces

There's no measurable performance impact¹ of leaving an unused ng_ether
node attached to ethernet interfaces, so don't waste time trying to
ensure we only attach to interfaces where we expect to use netgraph....

Remove unused L2TP VPN directory. Fixes #11299

L2TP VPN MTU option. Feature #11406

Update the Copyright year.

A subsequent commit will deal with .po's.

Create poesX interfaces for PPPoE server. Issue #11034

Do not restart L2TP VPN server when deleting user. Fixes #11059

Different interface name for L2TP VPN. Fixes #11006

Merge pull request #4454 from vktg/pppoesecondradius

PPPoE Server secondary RADIUS server fixes. Issue #10926

Do not restart PPPoE server after adding/modifying users. Implements #10318

PPPoE Server Accounting Update fix. Issue #10869

L2TP empty secret fix. Issue #10710

L2TP server secret is not base64 encoded. Fixes #10527

L2TP VPN shared secret. Issue #10527

L2TP RADIUS issued IPs fix. Issue #7562

Do not restart L2TP server after adding/modifying users. Issue #4866

L2TP and PPPoE user password validation. Fixes #10275

This is 2020. Issue #9245

IPsec swanctl conversion. Implements #9603

• Converted IPsec configuration code from ipsec.conf ipsec/stroke style
  to swanctl.conf swanctl/vici style. Issue #9603
• Split up much of the single large IPsec configuration function into
  multiple functions as appropriate....

Rename IPsec "RSA" options to "Certificate". Implements #9903

GUI improvements for ECDSA certificate handling

• Make central functions to check and test ECDSA compatibility. Issue #9843
• Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897
• Do the same for IPsec, which implements #4991...

Fix random typos

Fix #6263: Deduplicate encryption options on ipsec.conf

On a configuration with multiple P2, all encryption options from all P2
are added to ipsec.conf. The list could have duplicated itens when
multiple P2 use the same options. Deduplicate this list.

Add GUI option for IPsec tunnel closeaction. Fixes #9767

Add IPsec DH/PFS groups 25/26/27. Implements #9757

IPsec ID type parsing changes. Fixes #9243

• Move code to function to avoid unnecessary duplication of code
• Clean up the logic to avoid further redundancies
• Set keyid type to be quoted and to have its type prefixed

Fix copyright message years to reflect BSDP -> ESF -> Netgate

Add in DH 32, a patch for strongSwan will be in soon to test with. Issue #9531

Add RFC 8031 Group 31 to IPsec. Implements #9531

Update copyright notices to 2019. Happy New Year

Fix previous regex. Issue #9106

Replace '.' in radius name for strongSwan. Fixes #9106

Add 0.0.0.0/0 to VTI left/rightsubnets. Fixes #8859

No negative feedback from testing, time for a wider push.

This helps with third party devices that require 0.0.0.0/0 to route
traffic on a VTI P2.

Strictly define the EAP Identifier for custom local client entries. Fixes #9055

Revise async_crypto setting

Make async_crypto explicit enabled/disabled rather than current isset

Move IPsec VTI interface cleanup list. Fixes #8858

Generate the cleanup list before the P1 loop but after the initial
interface configuration.

Use safe_mkdir() for IPsec dirs. Fixes #8856

Simplifies the process of making IPsec dirs, though it may not correct
the original reported issue since that appears to be a disk problem,
it's still better/safer than what was done here before.

Merge pull request #3965 from Hobby-Student/master

Add GUI control for IPsec async crypto. Implements #8772

Remove unneeded VTIs in IPsec sync. Issue #8674

Still needs input validation to prevent changes that would remove an
assigned interface.

PHP7 initialize as array instead of string

changes to mobile ipsec dns to support new features

fixed wrong if conditions
added support of dns server

Make IPsec IKEv2 conn IDs consistent with IKEv1 or IKEv2 split. Also fix vti test for reqid.

Rework how IPsec VTI interfaces and reqid specifications for same are formed. Ticket #8544

IPsec VTI interface refinements/fixes. Ticket #8544

A couple vpn.inc refinements for VTI. Ticket #8544

Add vpn.inc changes for IPsec VTI that missed the previous commit. Ticket #8544

For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426

Merge pull request #3904 from Hobby-Student/master

Allow Dual Stack IPsec P1 interface. Fixes #6886

Allow "Both" to be selected for IPv4/IPv6 on IPsec P1, in the config use both addresses as "left =" if they both exist.
Some cases where a single address was assumed (e.g. ping hosts) default to using the first address....

Consider IPv6 for IPsec bypasslan. Fixes #8321

extended GUI to manage new feature

supporting enhanced user management with strongswan

Merge pull request #3711 from PiBa-NL/20170427-ipsec-multiple-P1-algo

first change for extending mobile connection

Update the Copyright notice for pfSense.

Do not make a bypasslan IPsec config block when it should be disable/empty. Fixes #8239

ipsec, allow configuration of multiple ike phase1 encryption ciphers (algo/bits/hash/dh)
this is useful for mobile users that need to connect with different operating systems. This way there is no need to find a single commonly supported weaker cipher.

Fix logging for L2TP and PPPoE server login/logout events. Fixes #8164

See https://redmine.pfsense.org/issues/8164 for the reasoning about why it was done this way.

When crafting the CA subject for ipsec.conf, handle component values that are arrays. Fixes #7929

Fix a couple of 'route: writing to routing socket: Invalid argument' warnings during the boot.

Use the correct variable and only add the route when the hostname is resolved (if the remote address is a hostname).
route: writing to routing socket: Invalid argument

Use attribute rekey_enable as usual but optionally allow to set margintime if rekeying is not disabled

Hide margintime if rekeying is disabled

Activate RADIUS accounting for mobile ipsec if it was selected on the auth server view

Add strongswan rekeymargin attribute to vpn ipsec phase1 view

Disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI. Fixes #7561

Remove unused WINS code for L2TP. Fixes #7559

Rework how IPsec log settings are stored/retreived, adjust the default values. Implements #7007

ipsec, apply routes also for IP-aliases with carp parents

Fix #6828

Until 2.3.x pfSense carried a patch that changed the behavior of 'route
change' command, making it add the route when it fails to change.
On 2.4 this patch was removed and will not be added back. This change
adjust PHP code to deal with route add / change and make it work...

Remove all calls to conf_mount_r* functions

Move copyright from ESF to Netgate

Convert L2TP Server code to mpd5

Add ng interface to pppoe group on mpd.conf and remove dead code from vpn-linkup script

Convert PPPoE Server code to mpd5

Move to Apache License 2.0

Review license / copyright on all files (final round)

Review license / copyright on all files (1st round)

Remove workaround for Ticket #4754 in 2.4 since 32 bit is dead.

Always use require_once

The usage of require() and require_once() throughout the system is
inconsistent, and "bugs" come up now and then when the order of
"requires" is a bit different and some require() happens after the
include file is already included/required....

require_once auth.inc in vpn.inc since it uses functions from there, though normal use of the system won't require that, those who run certain things manually/custom may require it

Only omit aggressive line from ipsec.conf where IKEv2. Ticket #6513

Disable ipcomp regardless of config setting to avoid problem. Ticket #6167

Omit local identifier for mobile PSKs. Ticket #6286

Use leftsendcert=always where leftcert is defined. Ticket #6082

Add lock in vpn_ipsec_configure. Ticket #6160

Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719.

Fix indent

Internationalize etc inc uvx

Add support for splitting ipsec.conf conn entries for IKEv2. Ticket #4704

Add support for IPsec TFC. Ticket #4688

Fix IKE version "auto". Ticket #5880

Review of CARP uniqid changes.

It turns out that current CARP implementation is not much different from an IP alias.

This commit converts the IP alias to also use the CARP uniqid scheme, this simplify the code in all other places because now we have only two different cases to deal with:...

Use the NAS IP configured for PPPoE server instances. Ticket #185

Fix #5816 (re)start of IPsec