Update copyright notices to 2019. Happy New Year
(cherry picked from commit 0b4c14a491664053aad3cc76e1ffd67b70ff2da1)
Fix previous regex. Issue #9106
(cherry picked from commit 16b78f3879bdf658274caf750c9360ec97bb8f77)
Replace '.' in radius name for strongSwan. Fixes #9106
(cherry picked from commit cc955fe63ad44b5aac66721e54965d9bc13e990c)
Add 0.0.0.0/0 to VTI left/rightsubnets. Fixes #8859
No negative feedback from testing, time for a wider push.
This helps with third party devices that require 0.0.0.0/0 to routetraffic on a VTI P2.
(cherry picked from commit 5c4aa94a90256b13b19209f11e4c75b2d0e85ece)
Strictly define the EAP Identifier for custom local client entries. Fixes #9055
(cherry picked from commit 2d7ed31e3227566d0474929a3aed84509247f91e)
Revise async_crypto setting
Make async_crypto explicit enabled/disabled rather than current isset
Move IPsec VTI interface cleanup list. Fixes #8858
Generate the cleanup list before the P1 loop but after the initialinterface configuration.
Use safe_mkdir() for IPsec dirs. Fixes #8856
Simplifies the process of making IPsec dirs, though it may not correctthe original reported issue since that appears to be a disk problem,it's still better/safer than what was done here before.
Merge pull request #3965 from Hobby-Student/master
Add GUI control for IPsec async crypto. Implements #8772
Remove unneeded VTIs in IPsec sync. Issue #8674
Still needs input validation to prevent changes that would remove anassigned interface.
PHP7 initialize as array instead of string
changes to mobile ipsec dns to support new features
fixed wrong if conditionsadded support of dns server
Make IPsec IKEv2 conn IDs consistent with IKEv1 or IKEv2 split. Also fix vti test for reqid.
Rework how IPsec VTI interfaces and reqid specifications for same are formed. Ticket #8544
IPsec VTI interface refinements/fixes. Ticket #8544
A couple vpn.inc refinements for VTI. Ticket #8544
Add vpn.inc changes for IPsec VTI that missed the previous commit. Ticket #8544
For IPsec mobile clients, write out a more specific ipsec.secrets line to help clients find the right key with strongSwan's new lookup code. Fixes #8426
Merge pull request #3904 from Hobby-Student/master
Allow Dual Stack IPsec P1 interface. Fixes #6886
Allow "Both" to be selected for IPv4/IPv6 on IPsec P1, in the config use both addresses as "left =" if they both exist.Some cases where a single address was assumed (e.g. ping hosts) default to using the first address....
Consider IPv6 for IPsec bypasslan. Fixes #8321
extended GUI to manage new feature
supporting enhanced user management with strongswan
Merge pull request #3711 from PiBa-NL/20170427-ipsec-multiple-P1-algo
first change for extending mobile connection
Update the Copyright notice for pfSense.
Do not make a bypasslan IPsec config block when it should be disable/empty. Fixes #8239
ipsec, allow configuration of multiple ike phase1 encryption ciphers (algo/bits/hash/dh)this is useful for mobile users that need to connect with different operating systems. This way there is no need to find a single commonly supported weaker cipher.
Fix logging for L2TP and PPPoE server login/logout events. Fixes #8164
See https://redmine.pfsense.org/issues/8164 for the reasoning about why it was done this way.
When crafting the CA subject for ipsec.conf, handle component values that are arrays. Fixes #7929
Fix a couple of 'route: writing to routing socket: Invalid argument' warnings during the boot.
Use the correct variable and only add the route when the hostname is resolved (if the remote address is a hostname).route: writing to routing socket: Invalid argument
Use attribute rekey_enable as usual but optionally allow to set margintime if rekeying is not disabled
Hide margintime if rekeying is disabled
Activate RADIUS accounting for mobile ipsec if it was selected on the auth server view
Add strongswan rekeymargin attribute to vpn ipsec phase1 view
Disable internal L2TP users when activating RADIUS, to follow the behavior stated in the GUI. Fixes #7561
Remove unused WINS code for L2TP. Fixes #7559
Rework how IPsec log settings are stored/retreived, adjust the default values. Implements #7007
ipsec, apply routes also for IP-aliases with carp parents
Fix #6828
Until 2.3.x pfSense carried a patch that changed the behavior of 'routechange' command, making it add the route when it fails to change.On 2.4 this patch was removed and will not be added back. This changeadjust PHP code to deal with route add / change and make it work...
Remove all calls to conf_mount_r* functions
Move copyright from ESF to Netgate
Convert L2TP Server code to mpd5
Add ng interface to pppoe group on mpd.conf and remove dead code from vpn-linkup script
Convert PPPoE Server code to mpd5
Move to Apache License 2.0
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Remove workaround for Ticket #4754 in 2.4 since 32 bit is dead.
Always use require_once
The usage of require() and require_once() throughout the system isinconsistent, and "bugs" come up now and then when the order of"requires" is a bit different and some require() happens after theinclude file is already included/required....
require_once auth.inc in vpn.inc since it uses functions from there, though normal use of the system won't require that, those who run certain things manually/custom may require it
Only omit aggressive line from ipsec.conf where IKEv2. Ticket #6513
Disable ipcomp regardless of config setting to avoid problem. Ticket #6167
Omit local identifier for mobile PSKs. Ticket #6286
Use leftsendcert=always where leftcert is defined. Ticket #6082
Add lock in vpn_ipsec_configure. Ticket #6160
Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719.
Fix indent
Internationalize etc inc uvx
Add support for splitting ipsec.conf conn entries for IKEv2. Ticket #4704
Add support for IPsec TFC. Ticket #4688
Fix IKE version "auto". Ticket #5880
Review of CARP uniqid changes.
It turns out that current CARP implementation is not much different from an IP alias.
This commit converts the IP alias to also use the CARP uniqid scheme, this simplify the code in all other places because now we have only two different cases to deal with:...
Use the NAS IP configured for PPPoE server instances. Ticket #185
Fix #5816 (re)start of IPsec
Switch to disabling strongswan unity plugin by default. Ticket #4178
Somehow missed this in the committed version.
Relocate subnet mask drop-down to a more sensible place on the PPPoE server, add a user login count option.
Fix #4178:
- Stop moving unity .so file around to make it not being loaded- Include all modules default .conf file from strongswan.d/charon- After default files are included, define custom settings- When unity is disabled, add a rule to make strongswan to not load it
Fix strongswan.conf indent level
Update license on files from /etc/inc
redmine 5702 - switch to high level IPv4 functions instead of low level ip2long32() etc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Code style and white space in etc
Run ping_hosts.sh once after IPsec start if it's enabled, to avoid a wait of up to 4 minutes for minicron to run it.
Merge pull request #2103 from jlduran/escape-strongswan-radius-key
Remove the last usage cases of $config['ipsec']['enable'].
IPSEC is always on in 2.3, where necessary (IPSEC rules, IPSEC daemon), we check the existence of phase 1 entries.
Escape RADIUS secret in strongswan.conf
If a RADIUS secret is, for example, `#secret-key#`, EAP-RADIUSauthentication will fail, as the `#` can be interpreted by thestrongswan.conf parser as a comment.
To avoid this from happening, set the key within double quotes.
Create symlinks when target doesn't exist, not only when it's not a link
Revert "Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir"
It's not necessary after creating all symlinks
This reverts commit d92c10130df38e264c7c77367cf0d542d10794c0.
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Make sure symlink is created
Make sure symlinks is created
strongswan.d symlink was created the opposite way, pointy hat to me
Create symlinks of ipsec files and directories under /usr/local to deal with hardcoded paths in strongswan
Use --conf when call ipsec start/stop, this make it work with regular package, without changing sysconfdir
etc inc delete $Id comments
and bits of white space.Note: There are plenty of files still with old-format copyright sectionsin here.
changes for #5219 accidentally reverted unrelated changes made by other commits. Restore those & remove some dead code that was commented out.
Don't allow IPsec mobile clients user auth source to not be a RADIUS server ifthe phase1 auth method is EAP-RADIUS. Properly handle selection of multipleRADIUS servers when using EAP-RADIUS. Fixes #5219.
It is not necessary manually disable the IPSEC processing when not used.
With the recent IPSEC changes by gnn@, there is no more performance penaltyfor 1G networks if you have IPSEC compiled in kernel but not used.
TAG: tryforward
The net.inet.ip.fastforward sysctl is retired now.
Tryforward instead, is always on and is compatible with IPSEC.
Set leftsendcert=always for IKEv2 configurations with certificates to better accommodate OS X and iOS manual configurations. Fixes #5353
Make setting charon.plugins.attr.subnet conditional on net_list being set. Setit's value to list of subnets configured as P2's for mobile IPsec. Fixes #5327.
Disable strongswan logging under auth since it's all logged under daemon,so nothing is duplicated. Ticket #5242
Limit strongswan trusted CA certificates to those required for authentication ofthe configured IPsec SA's instead of trusting all known CA's. Fixes #5243.
only use daemon and not auth for strongswan logging. As it was, all logs were duplicated. Ticket #5242