L2TP and PPPoE user password validation. Fixes #10275
This is 2020. Issue #9245
IPsec swanctl conversion. Implements #9603
Rename IPsec "RSA" options to "Certificate". Implements #9903
GUI improvements for ECDSA certificate handling
Fix random typos
Fix #6263: Deduplicate encryption options on ipsec.conf
On a configuration with multiple P2, all encryption options from all P2 are added to ipsec.conf. The list could have duplicated items when multiple P2 use the same options. Deduplicate this list.
Add GUI option for IPsec tunnel closeaction. Fixes #9767
Add IPsec DH/PFS groups 25/26/27. Implements #9757
IPsec ID type parsing changes. Fixes #9243
Fix copyright message years to reflect BSDP -> ESF -> Netgate
Add in DH 32, a patch for strongSwan will be in soon to test with. Issue #9531
Add RFC 8031 Group 31 to IPsec. Implements #9531
Update copyright notices to 2019. Happy New Year
Fix previous regex. Issue #9106
Replace '.' in radius name for strongSwan. Fixes #9106
Add 0.0.0.0/0 to VTI left/rightsubnets. Fixes #8859
No negative feedback from testing, time for a wider push.
This helps with third party devices that require 0.0.0.0/0 to route traffic on a VTI P2.
Strictly define the EAP Identifier for custom local client entries. Fixes #9055
Revise async_crypto setting
Make async_crypto explicit enabled/disabled rather than current isset
Move IPsec VTI interface cleanup list. Fixes #8858
Generate the cleanup list before the P1 loop but after the initial interface configuration.
Use safe_mkdir() for IPsec dirs. Fixes #8856
Simplifies the process of making IPsec dirs. Though it may not correct the original reported issue, since that appears to be a disk problem, it's still better/safer than what was done here before.
Merge pull request #3965 from Hobby-Student/master
Add GUI control for IPsec async crypto. Implements #8772
Remove unneeded VTIs in IPsec sync. Issue #8674
Still needs input validation to prevent changes that would remove an assigned interface.
PHP7 initialize as array instead of string
changes to mobile ipsec dns to support new features
fixed wrong if conditions
added support of dns server
Make IPsec IKEv2 conn IDs consistent with IKEv1 or IKEv2 split. Also fix vti test for reqid.
Rework how IPsec VTI interfaces and reqid specifications for same are formed. Ticket #8544
IPsec VTI interface refinements/fixes. Ticket #8544
A couple vpn.inc refinements for VTI. Ticket #8544
Add vpn.inc changes for IPsec VTI that missed the previous commit. Ticket #8544
For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426
Merge pull request #3904 from Hobby-Student/master
Allow Dual Stack IPsec P1 interface. Fixes #6886
Allow "Both" to be selected for IPv4/IPv6 on IPsec P1; in the config use both addresses as "left =" if they both exist. Some cases where a single address was assumed (e.g. ping hosts) default to using the first address....
Consider IPv6 for IPsec bypasslan. Fixes #8321
extended GUI to manage new feature
supporting enhanced user management with strongswan
Merge pull request #3711 from PiBa-NL/20170427-ipsec-multiple-P1-algo
first change for extending mobile connection
Update the Copyright notice for pfSense.
Do not make a bypasslan IPsec config block when it should be disable/empty. Fixes #8239
ipsec, allow configuration of multiple ike phase1 encryption ciphers (algo/bits/hash/dh). This is useful for mobile users that need to connect with different operating systems. This way there is no need to find a single commonly supported weaker cipher.
Fix logging for L2TP and PPPoE server login/logout events. Fixes #8164
See https://redmine.pfsense.org/issues/8164 for the reasoning about why it was done this way.
When crafting the CA subject for ipsec.conf, handle component values that are arrays. Fixes #7929
Fix a couple of 'route: writing to routing socket: Invalid argument' warnings during the boot.
Use the correct variable and only add the route when the hostname is resolved (if the remote address is a hostname).
route: writing to routing socket: Invalid argument
Use attribute rekey_enable as usual but optionally allow to set margintime if rekeying is not disabled
Hide margintime if rekeying is disabled
Activate RADIUS accounting for mobile ipsec if it was selected on the auth server view
Add strongswan rekeymargin attribute to vpn ipsec phase1 view
Disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI. Fixes #7561
Remove unused WINS code for L2TP. Fixes #7559
Rework how IPsec log settings are stored/retrieved, adjust the default values. Implements #7007
ipsec, apply routes also for IP-aliases with carp parents
Fix #6828
Until 2.3.x pfSense carried a patch that changed the behavior of the 'route change' command, making it add the route when it fails to change. On 2.4 this patch was removed and will not be added back. This change adjusts PHP code to deal with route add / change and make it work...
Remove all calls to conf_mount_r* functions
Move copyright from ESF to Netgate
Convert L2TP Server code to mpd5
Add ng interface to pppoe group on mpd.conf and remove dead code from vpn-linkup script
Convert PPPoE Server code to mpd5
Move to Apache License 2.0
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Remove workaround for Ticket #4754 in 2.4 since 32 bit is dead.
Always use require_once
The usage of require() and require_once() throughout the system is inconsistent, and "bugs" come up now and then when the order of "requires" is a bit different and some require() happens after the include file is already included/required....
require_once auth.inc in vpn.inc since it uses functions from there. Though normal use of the system won't require that, those who run certain things manually/custom may require it.
Only omit aggressive line from ipsec.conf where IKEv2. Ticket #6513
Disable ipcomp regardless of config setting to avoid problem. Ticket #6167
Omit local identifier for mobile PSKs. Ticket #6286
Use leftsendcert=always where leftcert is defined. Ticket #6082
Add lock in vpn_ipsec_configure. Ticket #6160
Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719.
Fix indent
Internationalize etc inc uvx
Add support for splitting ipsec.conf conn entries for IKEv2. Ticket #4704
Add support for IPsec TFC. Ticket #4688
Fix IKE version "auto". Ticket #5880
Review of CARP uniqid changes.
It turns out that current CARP implementation is not much different from an IP alias.
This commit converts the IP alias to also use the CARP uniqid scheme; this simplifies the code in all other places because now we have only two different cases to deal with:...
Use the NAS IP configured for PPPoE server instances. Ticket #185
Fix #5816 (re)start of IPsec
Switch to disabling strongswan unity plugin by default. Ticket #4178
Somehow missed this in the committed version.
Relocate subnet mask drop-down to a more sensible place on the PPPoE server, add a user login count option.
Fix #4178:
- Stop moving the unity .so file around to keep it from being loaded
- Include all modules' default .conf files from strongswan.d/charon
- After default files are included, define custom settings
- When unity is disabled, add a rule to make strongswan not load it
Fix strongswan.conf indent level
Update license on files from /etc/inc
redmine 5702 - switch to high level IPv4 functions instead of low level ip2long32() etc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Code style and white space in etc
Run ping_hosts.sh once after IPsec start if it's enabled, to avoid a wait of up to 4 minutes for minicron to run it.
Merge pull request #2103 from jlduran/escape-strongswan-radius-key
Remove the last usage cases of $config['ipsec']['enable'].
IPSEC is always on in 2.3, where necessary (IPSEC rules, IPSEC daemon), we check the existence of phase 1 entries.
Escape RADIUS secret in strongswan.conf
If a RADIUS secret is, for example, `#secret-key#`, EAP-RADIUS authentication will fail, as the `#` can be interpreted by the strongswan.conf parser as a comment.
To keep this from happening, set the key within double quotes.
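The failure mode in the commit above, shown with a constructed example (this is an added illustration, not pfSense's or strongSwan's own code). The parser below is a deliberately simplified model of the strongswan.conf `key = value` syntax: an unquoted `#` starts a comment, and a double-quoted value keeps everything between the quotes. The backslash escapes for `"` and `\` inside quoted values are an assumption for this model, as is the documentation-range server address; the real parser is strongSwan's settings parser, and the point is only to show why the unquoted secret collapses to an empty string while the quoted one survives intact.

```python
"""Why an unquoted RADIUS secret containing '#' breaks in a
strongswan.conf-style file, and how double-quoting fixes it.

Constructed example: a simplified model of strongswan.conf parsing,
not the project's own parser.
"""


def parse_assignment(line):
    """Parse one 'key = value' line of a strongswan.conf-style file.

    Returns (key, value), or None for blank, comment-only or brace lines.
    An unquoted '#' starts a comment; a double-quoted value keeps every
    character up to the closing quote. Backslash escapes for '\\' and '"'
    inside quotes are an assumption of this model.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    key, sep, rest = stripped.partition("=")
    if not sep:
        return None
    key = key.strip()
    rest = rest.lstrip()
    if rest.startswith('"'):
        out = []
        i = 1
        while i < len(rest):
            ch = rest[i]
            if ch == "\\" and i + 1 < len(rest):
                out.append(rest[i + 1])
                i += 2
                continue
            if ch == '"':
                break
            out.append(ch)
            i += 1
        return key, "".join(out)
    # Unquoted value: everything from the first '#' on is a comment.
    return key, rest.split("#", 1)[0].rstrip()


def quote_secret(secret):
    """Wrap a secret in double quotes, escaping '\\' and '"' (assumed syntax)."""
    escaped = secret.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_radius_block(secret, quoted):
    """Render an eap-radius server block as pfSense-style strongswan.conf text.

    The server address is a constructed documentation-range value.
    """
    value = quote_secret(secret) if quoted else secret
    return "\n".join([
        "    eap-radius {",
        "        servers {",
        "            primary {",
        "                address = 203.0.113.10",
        f"                secret = {value}",
        "            }",
        "        }",
        "    }",
    ])


def secret_as_parsed(secret, quoted):
    """Write the block and read the 'secret' value back the way the parser would."""
    for line in render_radius_block(secret, quoted).splitlines():
        parsed = parse_assignment(line)
        if parsed and parsed[0] == "secret":
            return parsed[1]
    return None


if __name__ == "__main__":
    configured = "#secret-key#"
    # Unquoted: charon would see an empty secret and RADIUS auth fails.
    print(repr(secret_as_parsed(configured, quoted=False)))
    # Quoted: the secret survives the comment rule unchanged.
    print(repr(secret_as_parsed(configured, quoted=True)))
```

The same quoting also protects secrets that contain whitespace or start with characters the parser treats specially; running the script prints `''` for the unquoted case and `'#secret-key#'` for the quoted one.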
Create symlinks when target doesn't exist, not only when it's not a link
Revert "Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir"
It's not necessary after creating all symlinks
This reverts commit d92c10130df38e264c7c77367cf0d542d10794c0.
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Make sure symlink is created
Make sure symlinks are created