
Revision 22dbacd0

Added by Pi Ba over 7 years ago

ipsec, allow configuration of multiple ike phase1 encryption ciphers (algo/bits/hash/dh)
This is useful for mobile users who connect from different operating systems: it removes the need to settle on a single cipher suite that every client happens to support, which in practice was usually a weaker one.


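--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -951,22 +951,30 @@
 				}
 			}
 
-			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
-				$ealgosp1 = '';
-				$ealg_id = $ph1ent['encryption-algorithm']['name'];
-				$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
-				if ($ealg_kl) {
-					$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
-				} else {
-					$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
-				}
+			$ealgosp1 = '';
+			if (is_array($ph1ent['encryption']['item'])) {
+				$ciphers = "";
+				foreach($ph1ent['encryption']['item'] as $p1enc) {
+					if (!is_array($p1enc['encryption-algorithm']) ||
+							empty($p1enc['encryption-algorithm']['name']) ||
+							empty($p1enc['hash-algorithm'])) {
+						continue;
+					}
+					$ciphers .= ",";
+					$ciphers .= $p1enc['encryption-algorithm']['name'];
+					$ealg_kl = $p1enc['encryption-algorithm']['keylen'];
+					if ($ealg_kl) {
+						$ciphers .= "{$ealg_kl}";
+					}
+					$ciphers .= "-{$p1enc['hash-algorithm']}";
 
-				$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
-				if (!empty($modp)) {
-					$ealgosp1 .= "-{$modp}";
+					$modp = vpn_ipsec_convert_to_modp($p1enc['dhgroup']);
+					if (!empty($modp)) {
+						$ciphers .= "-{$modp}";
+					}
 				}
-
-				$ealgosp1 .= "!";
+				$ciphers = substr($ciphers, 1);
+				$ealgosp1 = "ike = {$ciphers}!";
 			}
 
 			if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {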
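Review bot: When `$ph1ent['encryption']['item']` is an array but every entry is skipped by the `continue` guard, `$ciphers` is still empty after the loop, and the two new lines at the end of the block emit `ike = !` — an empty strict proposal line — whereas the old code omitted the `ike =` line entirely in that case. Assigning `$ealgosp1` only when a proposal was actually built keeps the old fallback, e.g. replace the last two added lines with `if ($ciphers !== '') {` / `$ealgosp1 = "ike = " . substr($ciphers, 1) . "!";` / `}` (this also avoids relying on `substr('', 1)`, which returns `false` on older PHP and `''` on PHP 8). Minor: `$p1enc['encryption-algorithm']['keylen']` is read without an `isset`/`??` guard, so an entry with no keylen raises a notice; `$p1enc['encryption-algorithm']['keylen'] ?? ''` would be cleaner. Presumably the items are written in the order configured in the UI, so a comment above the loop noting that list order is the proposal preference order offered to peers would help operators understand why weaker entries belong last — worth confirming against the UI side. The enclosing function starts and ends outside this hunk.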
