Add GUI control for MOBIKE. Hide it when IKEv1 selected. Enable toggling of NAT-T field display so it's on for IKEv1, off for IKEv2. Do same for reauth while here. Ticket #3979
fix responder-only IPsec text
Add input validation to prevent the use of AES > 128 where glxsb is enabled. Ticket #4361
Fixes #4360 allow marking a connection as responder only, the same behaviour as mobile connections
Add missing require for filter.inc since vpn_ipsec_configure() calls filter_configure(). It should fix #4236
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
Actually remove rekey/reauth from config to avoid strange issues. Ticket #4208
Default IPsec to AES
Default IPsec to main mode, unless mobile client.
Fix lineup of copyright lines
and module names and other bits of formatting and typos in header comment sections.
Welcome 2015
Unset the aggressive mode settings for not IKEv1 settings
fix up text
Fixes #4015. Hide Negotiation mode when in IKEv2 since it is not required.
Ticket #3987. Strongswan support autodetection of IKE version exchange. Support this by allowing an auto version in the GUI.
Change copyright statement to reflect reality
strongswan only has two options for NAT-T, force or auto.
Restore 3 values back on NAT-T settings Just Enable now its Auto as per strongswan default. and off disabled mobike. Ticket #3979
Rename the options to actually make sense with strongswan
Remove Force options since it has no meaning for now.
Correct display of checkboxes for ipsec
Fix PSK for non-ascii also here, ticket #3917
Correct speeling as reported by: Phil Davis via github
Inverse the sense of the toggles to avoid configuration upgrades
Provide Advanced Options for controlling rekey and reauth, might be usable with iOS devices
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Tidy up "vpn_ipsec_phase1.php" XHTML
Add CDATA sections to SCRIPTS. Add SUMMARY to TABLES. Update HTML Boolean operators. Close INPUT tags.
Oops unbreak this
Remove Proposal check as a racoon thingy
Remove generate policy option since its not relevant with strongswan
Use better looking description and remove base type from negotiation. This is only IKEv1 parameter. JS will be added later
Allow to select IKE version to be used.
Check the right field here
Move the IPsec settings from System > Advanced, Misc tab to "Advanced Settings" tab under VPN > IPsec.
replaced uppercase html tags with lowercase. js files saved as UTF-8 / LF. language="JavaScript" deprecated, replaced with type="text/javascript"
xhtml Compliance: replaced <br>, <br/> and </br> with <br />
Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars() before print
First swing at converting from racoon to StrongSWAN. It allows to use existing configurations on xml to generate StrongSWAN configurations. So it's only IKEv1
Remove call-time pass by reference for do_input_validation, helps ticket #2565
Make IPv4/IPv6 validation on IPSec
It should fix #2769
Fix indent and blanks at EOL
Update usr/local/www/vpn_ipsec_phase1.php
Correct missing $
Standardize hyphenation and capitalization of Pre-Shared Key
Activate new shortcuts/status in the rest of the areas that are currently setup.
Activate "base" exchange mode also supported by racoon.
Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks.
Add Gateway Group support to the IPsec interface drop down. Edit of gateway group correctly reflects the new IP Address. We need to make a blacklist for interface names in the gateway group edit page. Redmine ticket #1965
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Merge remote branch 'upstream/master'
Conflicts: etc/inc/filter.inc etc/inc/util.inc
Do not store CA and CERT in config unless needed. Will allow deleting unused certs.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Conflicts: etc/inc/openvpn.inc
Add a GUI selection for racoon's generate_policy directive since it may be useful in certain configurations, especially for mobile clients.
Remove gettext from negotiation mode
It is causing errors on racoon because config files were generated with translated words
enlarge various address fields for IPv6 addresses
Extend the IPsec configuration with a protocol family for the phase 1
Correct variable name. This could never have deleted the static route for IPsec vpns on multi wan
Don't save CA/Cert for a PSK IPsec tunnel.
Ticket 1041. Fix bad commit...
Add IPSec 'ipalias' VIP support. Ticket #1041
Fix vip descriptions in openvpn and ipsec screens. Ticket #1042
Fix XSS issues
Rename 'name' to 'descr' for CA, Certificates, and CRLs, to gain CDATA protection and standardize field names. Ticket #320.
Fixup comments a little.
Correct and cleanup this input validation logic for IPsec Phase 1 PSK/Cert config. In some cases the test was not being evaluated as expected.
CA/CERT Move
Let the user choose the IPsec CA instead of assuming.
Add a GUI selection for the proposal_check config option. Provide all the choices from racoon.conf(5) plus a "default" which will keep the old behavior.
Modify various (s)printf format strings to allow translations to change the order of the inserted strings.
Fix gettext implementation on vpn_ipsec_phase1.php
Implement gettext() calls on vpn_ipsec_phase1.php
Remove Logs tab from OpenVPN, as it is no longer needed.
Add status/log icons to IPsec pages.
Only enforce peer ID and psk on p1 screen if we are NOT dealing with a pure-psk mobile tunnel (which is the behavior in 1.2.3). Hide irrelevant options. Part of ticket #108.
Reorder Auth. Method and PSK field to a more logical sequence. Part of ticket #108.
Move { and } to same line.
Rework includes/require. This saves about 4 megabytes. Simplify get_memory(). Tested on mips/i386
add links to IPsec logs under IPsec status and other pages
Reviewed-by: scott@ and billm@
Include functions.inc which will then include ipsec.inc
Unbreak ipsec. ipsec.inc is needed to set the various drop down box values such as 'IP Address, Encryption Algo, etc.. Someone needs a big pointy hat.
Fix interface list usage
WARN: Please ask before introducing old code on what have changed!
Fix ipsec vpn phase1 post code so that we correctly try to delete the old static route if required.
Move the IPsec pinghost option from phase1 to phase2. Correct some bugs that were preventing the local address from being selected.
Migrate IPsec certificate management to centralized system.
Cleanup ipsec interfaces a bit and make sure they are displayed in tabs for consistency.
Add initial support for granular IPsec SPD changes.
Fix a few minor problems with the IPsec configuration interface. Make sure we don't copy the ikeid when duplicating a phase1 entry. Simplify the code that deletes all associated phase2 entries when a phase1 is deleted. I was and still am learning the finer points of php.
Add CSS header
Rework most of the OpenVPN support. The interfaces have been updated to not use the pkg system and the configuration has been migrated to an openvpn prefix. The centralized user and certificate manager is now used to support the openvpn configurations. Most of the files removed in this...
Only read ipsec phase1 configuration values that are relevant for the configured authentication method. This silences harmless php warnings. Reported by Scott Ullrich.
Rewrite the pfsense privilege system with the following goals in mind ...
1) Redefine page privileges to not use static urls
2) Accurate generation of privilege definitions from source
3) Merging the user and group privileges into a single set
4) Allow any privilege to be added to users or groups w/ inheritance...
Introduce a new and improved version of IPsec mobile client support. The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support...
Overhaul IPsec related code. Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration...