Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
Actually remove rekey/reauth from config to avoid strange issues. Ticket #4208
Default IPsec to AES
Default IPsec to main mode, unless mobile client.
Fix lineup of copyright lines
and module names and other bits of formatting and typos in headercomment sections.
Welcome 2015
Unset the aggressive mode settings for not IKEv1 settings
fix up text
Fixes #4015. Hide Negotiation mode when in IKEv2 since it is not required.
Ticket #3987. Strongswan support autodetection of IKE version exchange. Support this by allowing an auto version in the GUI.
Change copyright statement to reflect reality
strongswan only has two options for NAT-T, force or auto.
Restore 3 values back on NAT-T settings Just Enable now its Auto as per strongswan default. and off disabled mobike. Ticket #3979
Rename the options to actually make sense with strongswan
Remove Force options since it has not meaning for now.
Correct dispaly of checkboxes for ipsec
Fix PSK for non-ascii also here, ticket #3917
Correct speeling as reported by: Phil Davis via github
Inverse the sense of the toggles to avoid configuration upgrades
Provide Advanced Options for controlling rekey and reauth, might be usable with iOS devices
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Tidy up "vpn_ipsec_phase1.php" XHTML
Add CDATA sections to SCRIPTSAdd SUMMARY to TABLESUpdate HTML Boolean operatorsClose INPUT tags
Oops unbreak this
Remove Proposal check as a racoon thingy
Remove generate policy option since its not relevant with strongswan
Use better looking description and remove base type from negotiation. This is only IKEv1 parameter. JS will be added later
Allow to select IKE version to be used.
Check the right field here
Move the IPsec settings from System > Advanced, Misc tab to "Advanced Settings" tab under VPN > IPsec.
replaced uppercase html tags with lowercasejs files saved as UTF-8 / LFlanguage="JavaScript" deprecated, replaced with type="text/javascript"
xhtml Compliancereplaced <br>, <br/> and </br> with <br />
Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars() before print
First swing at converting from racoon to StrongSWAN.It allows to use existing configurations on xml to generate StrongSWAN configurations.So its only IKEv1
Remove call-time pass by reference for do_input_validation, helps ticket #2565
Make IPv4/IPv6 validation on IPSec
It should fix #2769
Fix indent and blanks at EOL
Update usr/local/www/vpn_ipsec_phase1.php
Correct missing $
Standardize hypenation and capitalization of Pre-Shared Key
Activate new shortcuts/status in the rest of the areas that are currently setup.
Activate "base" exchange mode also supported by racoon.
Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks.
Add Gateway Group support to the IPsec interface drop down.Edit of gateway group correctly reflects the new IP Address.We need to make a blacklist for interface names in the gateway group edit page.Redmine ticket #1965
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Merge remote branch 'upstream/master'
Conflicts: etc/inc/filter.inc etc/inc/util.inc
Do not store CA and CERT in config unless needed. Will allow deleting unused certs.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Conflicts: etc/inc/openvpn.inc
Add a GUI selection for racoon's generate_policy directive since it may be useful in certain configurations, especially for mobile clients.
Remove gettext from negotiation mode
It is causing errors on raccon because config file were generated withtranslated words
enlarge various address fields for IPv6 addresses
Extend the IPsec configuration with a protocol family for the phase 1
Correct variable name. This could never have deleted the static route for IPsec vpns on multi wan
Don't save CA/Cert for a PSK IPsec tunnel.
Ticket 1041. Fix bad commit...
Add IPSec 'ipalias' VIP support. Ticket #1041
Fix vip descriptions in openvpn and ipsec screens. Ticket #1042
Fix XSS issues
Rename 'name' to 'descr' for CA, Certificates, and CRLs, to gain CDATA protection and standardize field names. Ticket #320.
Fixup comments a little.
Correct and cleanup this input validation logic for IPsec Phase 1 PSK/Cert config. In some cases the test was not being evaluated as expected.
CA/CERT Move
Let the user choose the IPsec CA instead of assuming.
Add a GUI selection for the proposal_check config option. Provide all the choices from racoon.conf(5) plus a "default" which will keep the old behavior.
Modify various (s)printf format strings to allow translations to change the order of the inserted strings.
Fix gettext implementation on vpn_ipsec_phase1.php
Implement gettext() calls on vpn_ipsec_phase1.php
Remove Logs tab from OpenVPN, as it is no longer needed.
Add status/log icons to IPsec pages.
Only enforce peer ID and psk on p1 screen if we are NOT dealing with a pure-psk mobile tunnel (which is the behavior in 1.2.3). Hide irrelevant options. Part of ticket #108.
Reorder Auth. Method and PSK field to a more logical sequence. Part of ticket #108.
Move { and } to same line.
Rework includes/require. This saves about 4 megabytes.Simplify get_memory(). Tested on mips/i386
add links to IPsec logs under IPsec status and other pages
Reviewed-by: scott@ and billm@
Include functions.inc which will then include ipsec.inc
Unbreak ipsec. ipsec.inc is needed to set the various drop down box values such as 'IP Address, Encryption Algo, etc.. Someone needs a big pointy hat.
Fix interface list usage
WARN: Please ask before introducing old code on what have changed!
Fix ipsec vpn phase1 post code so that we correctly try to delete the old static route if required.
Move the IPsec pinghost option from phase1 to phase2. Correct somebugs that were preventing the local address from being selected.
Migrate IPsec certificate management to centralized system.
Cleanup ipsec interfaces a bit and make sure they are displayed in tabs for consistency.
Add initial support for granular IPsec SPD changes.
Fix a few minor problems with the IPsec configuration interface. Make surewe don't copy the ikeid when duplicating a phase1 entry. Simplify the codethat deletes all associated phase2 entries when a phase1 is deleted. I wasand still am learning the finer points of php.
Add CSS header
Rework most of the OpenVPN support. The interfaces have been updated tonot use the pkg system and the configuration has been migrated to anopenvpn prefix. The centralized user and certificate manager is now usedto support the openvpn configurations. Most of the files removed in this...
Only read ipsec phase1 configuration values that are relvent for theconfigured authentication method. This silences harmless php warnings.Reported by Scott Ullrich.
Rewrite the pfsense privilege system with the following goals in mind ...
1) Redefine page privileges to not use static urls2) Accurate generation of privilege definitions from source3) Merging the user and group privileges into a single set4) Allow any privilege to be added to users or groups w/ inheritance...
Introduce a new and improved version of IPsec mobile client support. Themobile client tab is now used to configure user authentication (Xauth) andclient configuration (mode-cfg) options. User authentication is currentlylimited to system password file entries. This will be extended to support...
Overhaul IPsec related code. Shared functions have been consolidated intoa new file named /etc/ipsec.inc. Tunnel definitions have been split intophase1 and phase2. This allows any number of phase2 definitions to becreated for a single phase1 definition. Several facets of configuration...