changes for #5219 accidentally reverted unrelated changes made by other commits. Restore those & remove some dead code that was commented out.
Don't allow IPsec mobile clients user auth source to not be a RADIUS server if the phase1 auth method is EAP-RADIUS. Properly handle selection of multiple RADIUS servers when using EAP-RADIUS. Fixes #5219.
It is not necessary to manually disable the IPSEC processing when not used.
With the recent IPSEC changes by gnn@, there is no more performance penalty for 1G networks if you have IPSEC compiled in kernel but not used.
TAG: tryforward
The net.inet.ip.fastforward sysctl is retired now.
Tryforward instead, is always on and is compatible with IPSEC.
Set leftsendcert=always for IKEv2 configurations with certificates to better accommodate OS X and iOS manual configurations. Fixes #5353
Make setting charon.plugins.attr.subnet conditional on net_list being set. Set its value to list of subnets configured as P2's for mobile IPsec. Fixes #5327.
Disable strongswan logging under auth since it's all logged under daemon, so nothing is duplicated. Ticket #5242
Limit strongswan trusted CA certificates to those required for authentication of the configured IPsec SA's instead of trusting all known CA's. Fixes #5243.
only use daemon and not auth for strongswan logging. As it was, all logs were duplicated. Ticket #5242
Set rightca for IPsec phase 1 using Mutual RSA, Mutual RSA + xauth, or EAP-TLS. Fixes #5241.
Merge pull request #1689 from jlduran/l2tp-mschapv2
Remove strongswan's cert directories and repopulate them, to ensure no removed CAs, certs, or CRLs remain. Ticket #5238
Fix up strongswan logging levels. Remove charondebug since strongswan.conf settings take precedence. Set logging levels in strongswan.conf to match what's set on a running system via 'ipsec stroke loglevel', and remove log levels that were hard coded in strongswan.conf. Ticket #5242
https://redmine.pfsense.org/issues/5207 change auth methods for both peers when using hybrid RSA + xauth with IKEv1
Add support for an IPv6 pool for mobile clients.
Specify PSK for mobile configurations without the leading ID selectors. Fixes PSK mismatches from iOS clients.
When using eap-radius, if the virtual address pool is left blank, pull the IP addresses from RADIUS instead. (Will need an IP address defined for each account.) Doesn't seem to be possible to pull from either RADIUS or a local pool that I can see from experimenting and looking at strongSwan's docs.
Specify %any where identifier is "any", so the note on these pages actually works.
Add MS-CHAPv2 option to L2TP Configuration
See [#4732](https://redmine.pfsense.org/issues/4732)
Merge pull request #1750 from TarasSavchuk/patch-1
Merge pull request #1808 from miken32/master
White space and minor bits in etc
Cleaner version of https://github.com/pfsense/pfsense/pull/1846
Retire PPTP server, fixes #4226:
- Remove PPTP server and all related code
- Bump config version 12.2
- Write upgrade config code to remove pptpd section and also cleanup firewall and NAT rules using PPTP interface or src/des
Move main pfSense content to src/