pfSense

<?php

/*

	vpn.inc

	Copyright (C) 2004 Scott Ullrich

	Copyright (C) 2008 Shrew Soft Inc

	Copyright (C) 2008 Ermal Lu?i

	All rights reserved.

	originally part of m0n0wall (http://m0n0.ch/wall)

	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.

	All rights reserved.

	Redistribution and use in source and binary forms, with or without

	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,

	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright

	   notice, this list of conditions and the following disclaimer in the

	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

	POSSIBILITY OF SUCH DAMAGE.

*/

/* include all configuration functions */

require_once ("functions.inc");

function vpn_ipsec_failover_configure() {

	global $config, $g;

	$sasyncd_text = "";

	if ($config['installedpackages']['sasyncd'] <> "")

		foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {

			$enabled = isset ($sasyncd['enable']);

			if (!$enabled)

				return;

			if ($sasyncd['peerip'] <> "")

				$sasyncd_text .= "peer {$sasyncd['peerip']}\n";

			if ($sasyncd['interface'])

				$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";

			if ($sasyncd['sharedkey'] <> "")

				$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";

			if ($sasyncd['mode'] <> "")

				$sasyncd_text .= "mode {$sasyncd['mode']}\n";

			if ($sasyncd['listenon'] <> "")

				$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";

			if ($sasyncd['flushmodesync'] <> "")

				$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";

		}

	$fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w");

	fwrite($fd, $sasyncd_text);

	fclose($fd);

	chmod("{$g['varetc_path']}/sasyncd.conf", 0600);

	mwexec("killall sasyncd", true);

	/* launch sasyncd, oh wise one */

	mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v");

}

function find_last_gif_device() {

	$last_gif_found = -1;

	$regs = "";

	if (!($fp = popen("/sbin/ifconfig -l", "r")))

		return -1;

	$ifconfig_data = fread($fp, 4096);

	pclose($fp);

	$ifconfig_array = split(" ", $ifconfig_data);

	foreach ($ifconfig_array as $ifconfig) {

		ereg("gif(.)", $ifconfig, $regs);

		if ($regs[0] && $regs[0] > $last_gif_found) {

			$last_gif_found = $regs[1];

		}

	}

	return $last_gif_found;

}

function vpn_ipsec_configure($ipchg = false)

{

	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;

	mwexec("/sbin/ifconfig enc0 up");

	/* get the automatic /etc/ping_hosts.sh ready */

	unlink_if_exists("/var/db/ipsecpinghosts");

	touch("/var/db/ipsecpinghosts");

	if(isset($config['ipsec']['preferredoldsa']))

		mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");

	else

		mwexec("/sbin/sysctl net.key.preferred_oldsa=0");

	$number_of_gifs = find_last_gif_device();

	for ($x = 0; $x < $number_of_gifs; $x++)

		mwexec("/sbin/ifconfig gif" . $x . " delete");

	$curwanip = get_interface_ip();

	$syscfg = $config['system'];

	$ipseccfg = $config['ipsec'];

	$a_phase1 = $config['ipsec']['phase1'];

	$a_phase2 = $config['ipsec']['phase2'];

	$a_client = $config['ipsec']['client'];

	$lancfg = $config['interfaces']['lan'];

	$lanip = $lancfg['ipaddr'];

	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);

	$lansn = $lancfg['subnet'];

	if (!isset($ipseccfg['enable'])) {

		mwexec("/sbin/ifconfig enc0 down");

		/* kill racoon */

		mwexec("/usr/bin/killall racoon", true);

		killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid");

		/* wait for racoon process to die */

		sleep(2);

		/* send a SIGKILL to be sure */

		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");

		/* flush SPD and SAD */

		mwexec("/usr/local/sbin/setkey -FP");

		mwexec("/usr/local/sbin/setkey -F");

		return true;

	}

	if ($g['booting'])

		echo "Configuring IPsec VPN... ";

	if (isset ($ipseccfg['enable'])) {

		/* fastforwarding is not compatible with ipsec tunnels */

		mwexec("/sbin/sysctl net.inet.ip.fastforwarding=0");

		if (!$curwanip) {

			/* IP address not configured yet, exit */

			if ($g['booting'])

				echo "done\n";

			return 0;

		}

		/* this loads a route table which is used to determine if a route needs to be removed. */

		exec("/usr/bin/netstat -rn", $route_arr, $retval);

		$route_str = implode("\n", $route_arr);

		/* resolve all local, peer addresses and setup pings */

		$ipmap = array();

		$rgmap = array();

		$dnswatch_list = array();

		if (is_array($a_phase1) && count($a_phase1)) {

			foreach ($a_phase1 as $ph1ent) {

				if (isset($ph1ent['disabled']))

					continue;

				$ep = ipsec_get_phase1_src($ph1ent);

				if (!$ep)

					continue;

				if(!in_array($ep,$ipmap))

					$ipmap[] = $ep;

				/* see if this tunnel has a hostname for the remote-gateway. If so,

				   try to resolve it now and add it to the list for dnswatch */

				if (isset ($ph1ent['mobile']))

					continue;

				$rg = $ph1ent['remote-gateway'];

				if (!is_ipaddr($rg)) {

					$dnswatch_list[] = $rg;

					add_hostname_to_watch($rg);

					$rg = resolve_retry($rg);

					if (!$rg)

						continue;

				}

				$rgmap[$ph1ent['remote-gateway']] = $rg;

				/* add an ipsec pinghosts entry */

				if ($ph1ent['pinghost']) {

					$pfd = fopen("/var/db/ipsecpinghosts", "a");

					$iflist = get_configured_interface_list();

					foreach ($iflist as $ifent => $ifname) {

						$interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);

						if (ip_in_subnet($interface_ip, $sa . "/" . $sn))

						$srcip = find_interface_ip($config['interfaces'][$ifname]['if']);

					}

					$dstip = $ph1ent['pinghost'];

					fwrite($pfd, "$srcip|$dstip|3\n");

					fclose($pfd);

				}

			}

		}

		/* generate CA certificates files */

		if (is_array($config['system']['ca']) && count($config['system']['ca'])) {

			foreach ($config['system']['ca'] as $ca) {

				if (!isset($ca['crt'])) {

					log_error("Error: Invalid certificate info for {$ca['name']}");

					continue;

				}

				$cert = base64_decode($ca['crt']);

				$x509cert = openssl_x509_parse(openssl_x509_read($cert));

				if (!is_array($x509cert) || !isset($x509cert['hash'])) {

					log_error("Error: Invalid certificate hash info for {$ca['name']}");

					continue;

				}

				$fname = $g['varetc_path']."/".$x509cert['hash'];

				if (!file_put_contents($fname, $cert)) {

					log_error("Error: Cannot write IPsec CA file for {$ca['name']}");

					continue;

				}

			}

		}

		/* generate psk.txt */

		$fd = fopen("{$g['varetc_path']}/psk.txt", "w");

		if (!$fd) {

			printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");

			return 1;

		}

		$pskconf = "";

		if (is_array($a_phase1) && count($a_phase1)) {

			foreach ($a_phase1 as $ph1ent) {

				if (isset($ph1ent['disabled']))

					continue;

				if (strstr($ph1ent['authentication_method'],'rsa'))

					continue;

				$peerid_type = $ph1ent['peerid_type'];

				switch ($peerid_type) {

					case "peeraddress":

						$peerid_type = "address";

						$peerid_data = $rgmap[$ph1ent['remote-gateway']];

						break;

					case "address";

						$peerid_data = $ph1ent['peerid_data'];

						break;

					case "fqdn";

					case "keyid tag";

					case "user_fqdn";

						$peerid_data = $ph1ent['peerid_data'];

						break;

				}

				$pskconf .= "{$peerid_data}\t{$ph1ent['pre-shared-key']}\n";

			}

		}

		fwrite($fd, $pskconf);

		fclose($fd);

		chmod("{$g['varetc_path']}/psk.txt", 0600);

		/* begin racoon.conf */

		if ((is_array($a_phase1) && count($a_phase1)) ||

			(is_array($a_phase2) && count($a_phase2))) {

			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");

			if (!$fd) {

				printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");

				return 1;

			}

			$racoonconf = "# This file is automatically generated. Do not edit\n";

			$racoonconf .= "listen {\n";

			$racoonconf .= "	adminsock \"/var/run/racoon.sock\" \"root\" \"wheel\" 0660;\n";

			$racoonconf .= "}\n";

			$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";

			$racoonconf .= "path certificate  \"{$g['varetc_path']}\";\n\n";

			/* begin listen section */

			if (count($ipmap)) {

				$racoonconf .= "\nlisten\n";

				$racoonconf .= "{\n";

				foreach ($ipmap as $addr) {

					$racoonconf .= "\tisakmp {$addr} [500];\n";

					$racoonconf .= "\tisakmp_natt {$addr} [4500];\n";

				}

				$racoonconf .= "}\n\n";

			}

			/* begin mode_cfg section */

			if (is_array($a_client) && isset($a_client['enable'])) {

				$racoonconf .= "\nmode_cfg\n";

				$racoonconf .= "{\n";

				if ($a_client['user_source'])

					$racoonconf .= "\tauth_source {$a_client['user_source']};\n";

				if ($a_client['group_source'])

					$racoonconf .= "\tgroup_source {$a_client['group_source']};\n";

				if ($a_client['pool_address'] && $a_client['pool_netbits']) {

					$pool_address = $a_client['pool_address'];

					$pool_netmask = gen_subnet_mask($a_client['pool_netbits']);

					$pool_address = long2ip(ip2long($pool_address)+1);

					$pool_size = ~ip2long($pool_netmask) - 2;

					$racoonconf .= "\tpool_size {$pool_size};\n";

					$racoonconf .= "\tnetwork4 {$pool_address};\n";

					$racoonconf .= "\tnetmask4 {$pool_netmask};\n";

				}

				if (isset($a_client['net_list'])) {

					$net_list = '';

					foreach ($a_phase2 as $ph2ent) {

						if (isset($ph2ent['disabled']))

							continue;

						if (!isset($ph2ent['mobile']))

							continue;

						$localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);

						if ($net_list)

							$net_list .= ", ";

						$net_list .= $localid;

					}

					if ($net_list)

						$racoonconf .= "\tsplit_network include {$net_list};\n";

				}

				if ($a_client['dns_server1'])

					$racoonconf .= "\tdns4 {$a_client['dns_server1']};\n";

				if ($a_client['dns_server2'])

					$racoonconf .= "\tdns4 {$a_client['dns_server2']};\n";

				if ($a_client['dns_server3'])

					$racoonconf .= "\tdns4 {$a_client['dns_server3']};\n";

				if ($a_client['dns_server4'])

					$racoonconf .= "\tdns4 {$a_client['dns_server4']};\n";

				if ($a_client['wins_server1'])

					$racoonconf .= "\twins4 {$a_client['wins_server1']};\n";

				if ($a_client['wins_server2'])

					$racoonconf .= "\twins4 {$a_client['wins_server2']};\n";

				if ($a_client['dns_domain'])

					$racoonconf .= "\tdefault_domain \"{$a_client['dns_domain']}\";\n";

				if ($a_client['pfs_group'])

					$racoonconf .= "\tpfs_group {$a_client['pfs_group']};\n";

				if ($a_client['login_banner']) {

					$fn = "{$g['varetc_path']}/racoon.motd";

					$fd1 = fopen($fn, "w");

					if (!$fd1) {

						printf("Error: cannot open server{$fn} in vpn.\n");

						return 1;

					}

					fwrite($fd1, $a_client['login_banner']);

					fclose($fd1);

					$racoonconf .= "\tbanner \"{$fn}\";\n";

				}

				$racoonconf .= "}\n\n";

			}

			/* end mode_cfg section */

			/* begin remote sections */

			if (is_array($a_phase1) && count($a_phase1)) {

				/* begin remote */

				foreach ($a_phase1 as $ph1ent) {

					if (isset($ph1ent['disabled']))

						continue;

					if (isset($ph1ent['mobile']) && !isset($a_client['enable']))

						continue;

					$ikeid = $ph1ent['ikeid'];

					$ep = ipsec_get_phase1_src($ph1ent);

					if (!$ep)

						continue;

					if (!isset($ph1ent['mobile'])) {

						$rgip = $rgmap[$ph1ent['remote-gateway']];

						if (!$rgip)

							continue;

					}

					$myid_type = $ph1ent['myid_type'];

					switch ($myid_type) {

						case "myaddress":

							$myid_type = "address";

							$myid_data = $ep;

							break;

						case "dyn_dns":

							$myid_data = gethostbyname($ph1ent['myid_data']);

							break;

						case "address";

							$myid_data = $ph1ent['myid_data'];

							break;

						case "fqdn";

						case "keyid tag";

						case "user_fqdn";

						case "asn1dn";

							$myid_data = $ph1ent['myid_data'];

							if( $myid_data )

								$myid_data = "\"".$myid_data."\"";

							break;

					}

					$peerid_type = $ph1ent['peerid_type'];

					switch ($peerid_type) {

						case "peeraddress":

							$peerid_type = "address";

							$peerid_data = $rgip;

							break;

						case "address";

							$peerid_data = $ph1ent['peerid_data'];

							break;

						case "fqdn";

						case "keyid tag";

						case "user_fqdn";

						case "asn1dn";

							$peerid_data = $ph1ent['peerid_data'];

							if( $peerid_data )

								$peerid_data = "\"".$peerid_data."\"";

							break;

					}

					$natt = "off";

					if (isset($ph1ent['nat_traversal']))

						$natt = $ph1ent['nat_traversal'];

					$init = "on";

					$genp = "off";

					if (isset($ph1ent['mobile'])) {

						$rgip = "anonymous";

						$init = "off";

						$genp = "unique";

					}

					$dpdline1 = '';

					$dpdline2 = '';

					if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {

						$dpdline1 = "dpd_delay = {$ph1ent['dpd_delay']};";

						$dpdline2 = "dpd_maxfail = {$ph1ent['dpd_maxfail']};";

					}

					if (isset ($ph1ent['authentication_method']))

						$authmethod = $ph1ent['authentication_method'];

					else

						$authmethod = 'pre_shared_key';

					$certline = '';

					if (strstr($authmethod,'rsa')) {

						$cert = lookup_cert($ph1ent['certref']);

						if (!$cert)

						{

							log_error("Error: Invalid phase1 certificate reference for {$ph1ent['name']}");

							continue;

						}

						$certfile = "cert-".$ikeid.".crt";

						$certpath = $g['varetc_path']."/".$certfile;

						if (!file_put_contents($certpath, base64_decode($cert['crt'])))

						{

							log_error("Error: Cannot write phase1 certificate file for {$ph1ent['name']}");

							continue;

						}

						chmod($certpath, 0600);

						$keyfile = "cert-".$ikeid.".key";

						$keypath = $g['varetc_path']."/".$keyfile;

						if (!file_put_contents($keypath, base64_decode($cert['crt'])))

						{

							log_error("Error: Cannot write phase1 key file for {$ph1ent['name']}");

							continue;

						}

						chmod($keypath, 0600);

						$certline = "certificate_type x509 \"{$certpath}\" \"{$keypath}.key\";";

					}

					$ealgos = '';

					$ealg_id = $ph1ent['encryption-algorithm']['name'];

					$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];

					if ($ealg_kl)

						$ealgos = $ealgos.$ealg_id." ".$ealg_kl;

					else

						$ealgos = $ealgos.$ealg_id;

					$lifeline = '';

					if ($ph1ent['lifetime'])

						$lifeline = "lifetime time {$ph1ent['lifetime']} secs;";

					/* add remote section to configuration */

					$racoonconf .=<<<EOD

remote {$rgip}

{

	ph1id {$ikeid};

	exchange_mode {$ph1ent['mode']};

	my_identifier {$myid_type} {$myid_data};

	peers_identifier {$peerid_type} {$peerid_data};

	ike_frag on;

	generate_policy = {$genp};

	initial_contact = {$init};

	nat_traversal = {$natt};

	{$certline}

	{$dpdline1}

	{$dpdline2}

	support_proxy on;

	proposal_check claim;

	proposal

	{

		authentication_method {$authmethod};

		encryption_algorithm ${ealgos};

		hash_algorithm {$ph1ent['hash-algorithm']};

		dh_group {$ph1ent['dhgroup']};

		${lifeline}

	}

}

EOD;

				}

				/* end remote */

			}

			/* end remote sections */

			/* begin sainfo sections */

			if (is_array($a_phase2) && count($a_phase2)) {

				/* begin sainfo */

				foreach ($a_phase2 as $ph2ent) {

					$ikeid = $ph2ent['ikeid'];

					if (isset($ph2ent['disabled']))

						continue;

					if (isset($ph2ent['mobile']) && !isset($a_client['enable']))

						continue;

					$localid_type = $ph2ent['localid']['type'];

					if ($localid_type != "address")

						$localid_type = "subnet";

					$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);

					$localid_spec = $localid_type." ".$localid_data." any";

					if (!isset($ph2ent['mobile'])) {

						$remoteid_type = $ph2ent['remoteid']['type'];

						if ($remoteid_type != "address")

							$remoteid_type = "subnet";

						$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);

						$remoteid_spec = $remoteid_type." ".$remoteid_data." any";

					} else

						$remoteid_spec = "anonymous";

					$ealgos = '';

					$halgos = join(",", $ph2ent['hash-algorithm-option']);

					$pfsline = '';

					if ($ph2ent['pfsgroup'])

						$pfsline = "pfs_group {$ph2ent['pfsgroup']};";

					if (isset($a_client['pfs_group'])) {

						$pfsline = '';

						if ($a_client['pfs_group'])

							$pfsline = "pfs_group {$a_client['pfs_group']};";

					}

					$lifeline = '';

					if ($ph2ent['lifetime'])

						$lifeline = "lifetime time {$ph2ent['lifetime']} secs;";

					foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {

						$ealg_id = $ealg['name'];

						$ealg_kl = $ealg['keylen'];

						if ($ealg_kl) {

							if( $ealg_kl == "auto" ) {

								$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];

								$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];

								$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];

								for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {

									if( $ealgos )

										$ealgos = $ealgos.", ";

									$ealgos = $ealgos.$ealg_id." ".$keylen;

								}

							} else {

								if ($ealgos)

									$ealgos = $ealgos.", ";

								$ealgos = $ealgos.$ealg_id." ".$ealg_kl;

							}

						} else {

							if ($ealgos)

								$ealgos = $ealgos.", ";

							$ealgos = $ealgos.$ealg_id;

						}

					}

					/* add sainfo section to configuration */

					$racoonconf .=<<<EOD

sainfo {$localid_spec} {$remoteid_spec}

{

	remoteid {$ikeid};

	encryption_algorithm {$ealgos};

	authentication_algorithm {$halgos};

	compression_algorithm deflate;

	{$pfsline}

	{$lifeline}

}

EOD;

				}

				/* end sainfo */

			}

			/* end sainfo sections */

			fwrite($fd, $racoonconf);

			fclose($fd);

		}

		/* end racoon.conf */

		/* generate IPsec policies */

		if (is_array($a_phase2) && count($a_phase2)) {

			/* generate spd.conf */

			$fd = fopen("{$g['varetc_path']}/spd.conf", "w");

			if (!$fd) {

				printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");

				return 1;

			}

			$spdconf = "";

			/* What are these SPD entries for?

			 * -mgrooms 07/10/2008

			 */

			$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";

			$spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";

			foreach ($a_phase2 as $ph2ent) {

				if( !ipsec_lookup_phase1($ph2ent,$ph1ent))

					continue;

				if (isset($ph1ent['mobile']))

					continue;

				if (isset($ph1ent['disabled']))

					continue;

				if (isset($ph2ent['disabled']))

					continue;

				$ep = ipsec_get_phase1_src($ph1ent);

				if (!$ep)

					continue;

				$rgip = $rgmap[$ph1ent['remote-gateway']];

				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);

				$remoteid = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true);

				if (isset ($ph2ent['creategif'])) {

					$number_of_gifs = find_last_gif_device();

					$number_of_gifs++;

					$curwanip = get_interface_ip();

					if ($config['installedpackages']['sasyncd']['config'] <> "") {

						foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {

							if ($sasyncd['ip'] <> "")

								$curwanip = $sasyncd['ip'];

						}

					}

					mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $rgip);

					mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");

				}

				$spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .

					"{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";

				$spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .

					"{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";

				/* static route needed? */

				if (preg_match("/^carp/i", $ph1ent['interface']))

					$parentinterface = link_carp_interface_to_parent($ph1ent['interface']);

				else

					$parentinterface = $ph1ent['interface'];

				if ($parentinterface <> "wan") {

					/* add endpoint routes to correct gateway on interface */

					if (interface_has_gateway($parentinterface)) {

						$gatewayip = get_interface_gateway("$parentinterface");

						$interfaceip = $config['interfaces'][$parentinterface]['ipaddr'];

						$subnet_bits = $config['interfaces'][$parentinterface]['subnet'];

						$subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");

						/* if the remote gateway is in the local subnet, then don't add a route */

						if (! ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {

							if(is_ipaddr($gatewayip)) {

								/* FIXME: does adding route-to and reply-to on the in/outbound

								 * rules fix this? smos@ 13-01-2009 */

								log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");

								mwexec("/sbin/route delete -host {$rgip}");

								mwexec("/sbin/route add -host {$rgip} {$gatewayip}");

							}

						}

					}

				}

				else

				{

					if(stristr($route_str, "/{$rgip}/")) {

						mwexec("/sbin/route delete -host {$rgip}");

					}

				}

			}

			fwrite($fd, $spdconf);

			fclose($fd);

		}

		/* needed for racoonctl admin socket */

		if (!file_exists("/var/db/racoon"))

			mkdir("/var/db/racoon/");

		/* mange racoon process */

		if (is_process_running("racoon")) {

			sleep("0.1");

			log_error("IPSEC: Sent a reload signal to the IPsec process");

			mwexec("/usr/local/sbin/racoonctl -s /var/run/racoon.sock reload-config", false);

		} else {

			/* flush SA + SPD entries */

			mwexec("/usr/local/sbin/setkey -FP", false);

 			sleep("0.1");

			mwexec("/usr/local/sbin/setkey -F", false);

 			sleep("0.1");

 			/* start racoon */

			mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf", false);

 			sleep("0.1");

 			/* load SPD */

			mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);

 			/* We are already online, reload */

 			sleep("0.1");

			mwexec("/usr/bin/killall -HUP racoon", false);

			/* start dnswatch, if necessary */

			if (count($dnswatch_list) > 0) {

				$interval = 60;

				if ($ipseccfg['dns-interval'])

					$interval = $ipseccfg['dns-interval'];

				$hostnames = "";

				foreach ($dnswatch_list as $dns)

					$hostnames .= " " . escapeshellarg($dns);

				killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid");

				mwexec("/usr/local/sbin/dnswatch {$g['varrun_path']}/dnswatch-ipsec.pid $interval " .

				escapeshellarg("/etc/rc.newipsecdns") . $hostnames);

			}

		}

	}

	vpn_ipsec_failover_configure();

	if (!$g['booting']) {

		/* reload the filter */

		filter_configure();

	}

	if ($g['booting'])

		echo "done\n";

	return 0;

}

/* Forcefully restart IPsec

 * This is required for when dynamic interfaces reload

 * For all other occasions the normal vpn_ipsec_configure()

 * will gracefully reload the settings without restarting

 */

function vpn_ipsec_force_reload() {

	global $config;

	global $g;