pfSense

Add input validation to prevent the use of AES > 128 where glxsb is enabled. Ticket #4361

Do not reuse reqid on copy of phase2 Fixes #4349

To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.

To be able to manage this first upgrade the config to assign each phase2 an reqid
Second use that during config generation

Ticket #4208

Default to only AES and SHA1 for new P2s.

split is deprecated move to explode

Fix lineup of copyright lines

and module names and other bits of formatting and typos in header
comment sections.

Welcome 2015

Change copyright statement to reflect reality

remove unnecessary is_array check, thanks Renato

Don't allow P2 local+remote network combinations that overlap with
interface+remote-gateway of the P1. Fixes #3812

Add missing s to solve the issue reported on https://forum.pfsense.org/index.php?topic=80722.new#new

Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM

Use a uniqid() to track phase2 entries to avoid confustion and various mistakes when modifying and editing them.

This is not true any longer (and required for L2TP+IPsec)

Tidy up "vpn_ipsec_phase2.php" XHTML

Move script after the FBEGIN.INC include
Add CDATA sections to SCRIPTS
Add SUMMARY to TABLES
Close INPUT tags
Update HTML Boolean operators

Check the right field here

Move the IPsec settings from System > Advanced, Misc tab to "Advanced Settings" tab under VPN > IPsec.

replaced uppercase html tags with lowercase
js files saved as UTF-8 / LF
language="JavaScript" deprecated, replaced with type="text/javascript"

xhtml Compliance
replaced <br>, <br/> and </br> with <br />

Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars() before print

First swing at converting from racoon to StrongSWAN.
It allows to use existing configurations on xml to generate StrongSWAN configurations.
So its only IKEv1

• Missing support for dynamic ips(hostnames)
  - resolver plugin of StrongSWAN needs to be configured in strongswan.conf...

Remove call-time pass by reference for do_input_validation, helps ticket #2565

touch up text, s/nat/NAT/

Remove invallid option 'none' for IPSec Phase 2. Fixes #2816

Properly generate all address data based on configuration selected

Make IPv4/IPv6 validation on IPSec

It should fix #2769

Don't allow transport mode to be selected for mobile clients. Fixes #2713

Commit a revised version of https://github.com/bsdperimeter/pfsense/pull/264.diff

Standardize hypenation and capitalization of Pre-Shared Key

Throw an error when invalid configuration is posted(address->network).

Check against _address since that is the field inputed _type is always there.

Properly set address type selection

Do not make natlocalid required

This field isn't required, so only check it if there is a value

Add a NAT entry for configuring NAT on ipsec phase2. It will add nat rules on enc interface

Activate new shortcuts/status in the rest of the areas that are currently setup.

Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks.

Ticket #2455: do not check encryption algo for AH protocol

restore default dropdown values of 24/64 bits

now that feature #2320 behavor is a bit different regarding change of
existing set value when switching between ipv4 and ipv6

add feature #2320 to vpn_ipsec_phase2.php.

note: had to disable existing behavior that modified the value of the
behavior.

existing behavior that disables/enables the dropdowns is still active.

Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI. Fixes ticket #2201

Merge remote branch 'upstream/master'

Conflicts:
etc/inc/openvpn.inc

Bug #1560.IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1 (fixing p2 edit)

Bug #1560.IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1 (improvement of previous patch)

Merge remote branch 'upstream/master'

Conflicts:
conf.default/config.xml
etc/inc/filter.inc
etc/inc/globals.inc
etc/inc/pfsense-utils.inc
etc/inc/upgrade_config.inc
usr/local/www/interfaces.php

Bug #1560. IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1(site-to-site).

Bug #1560. IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1(mobile clients).

enlarge various address fields for IPv6 addresses

Add the ability to differentiate between v4 and v6 tunnels. Bill says he can test

Make sure to resolve the gateway name before passing it off to the IPsec reload function

Add other interfaces to local network selection and show proper names. Fixes #965

Fix XSS issues

Do not include 'remoteid' javascript functions for mobile ipsec. Ticket #797

Corrections gettext() calls on vpn_ipsec_phase2.php

Implement gettext() calls on vpn_ipsec_phase2.php

Remove Logs tab from OpenVPN, as it is no longer needed.

Add status/log icons to IPsec pages.

Add PSK tab to all IPsec pages, it was missing from some.

Ticket #430. Give a none option to allow for roadwarriors configs.

When editing a P2: reset netmask to 24 only when it is not specified, in case of a new P2. Ticket #352

Ticket #352. Allow 0 mask in remote network bits.

fix text

Rework includes/require. This saves about 4 megabytes.
Simplify get_memory(). Tested on mips/i386

add links to IPsec logs under IPsec status and other pages

Include functions.inc which will then include ipsec.inc

Fix interface list usage

WARN: Please ask before introducing old code on what have changed!

• Reorganize the 'apply' button infrustructure in the GUI.
  - Present three new functions is/mark/clear_subsystem_dirty('name_of_subsystem'). This makes easier to create such things without needing to introduce new globals.
  - Convert all pages to the new infrustructure...

Modify IPsec code to allow for transport mode. All existing configurations are
marked as tunnel for backwards compatibility. There are problems with the spd
read code which Will likely choke on transport entries. We can fix this later.

Move the IPsec pinghost option from phase1 to phase2. Correct some
bugs that were preventing the local address from being selected.

Reload phase2 tunnel items when adding, remoing or editing a phase 2 entry.

Migrate IPsec certificate management to centralized system.

Cleanup ipsec interfaces a bit and make sure they are displayed in tabs for consistency.

Rewrite the pfsense privilege system with the following goals in mind ...

1) Redefine page privileges to not use static urls
2) Accurate generation of privilege definitions from source
3) Merging the user and group privileges into a single set
4) Allow any privilege to be added to users or groups w/ inheritance...

Fix a few bugs in the IPsec pages HTML output that were causing problems
with IE.

Introduce a new and improved version of IPsec mobile client support. The
mobile client tab is now used to configure user authentication (Xauth) and
client configuration (mode-cfg) options. User authentication is currently
limited to system password file entries. This will be extended to support...

Overhaul IPsec related code. Shared functions have been consolidated into
a new file named /etc/ipsec.inc. Tunnel definitions have been split into
phase1 and phase2. This allows any number of phase2 definitions to be
created for a single phase1 definition. Several facets of configuration...