
Revision 5fc2f163

Added by Chris Buechler over 17 years ago

touch up text

Ticket #1569


etc/inc/config.inc
1004 1004
		$rule_item['type'] = "pass";
1005 1005
		$rule_item['source']['any'] = true;
1006 1006
		$rule_item['destination']['any'] = true;
1007
		$rule_item['descr'] = "Permit IPSEC traffic.";
1007
		$rule_item['descr'] = "Permit IPsec traffic.";
1008 1008
		$rule_item['statetype'] = "keep state";
1009 1009
		$a_filter[] = $rule_item;
1010 1010
		$config['version'] = "2.9";
etc/inc/filter.inc
2898 2898
			foreach ($config['ipsec']['tunnel'] as $tunnel) {
2899 2899
				if(isset($tunnel['disabled']))
2900 2900
					continue;
2901
				update_filter_reload_status("Creating IPSEC tunnel items {$tunnel['descr']}...");
2901
				update_filter_reload_status("Creating IPsec tunnel items {$tunnel['descr']}...");
2902 2902
				/* if tunnel is disabled, lets skip to next item */
2903 2903
				$ipsec_ips = array(get_current_wan_address($tunnel['interface']));
2904 2904
				/* is this a dynamic dns hostname? */
......
2921 2921
							continue;
2922 2922
						if(!$remote_gateway) 
2923 2923
							continue;
2924
						$ipfrules .= "pass out quick on \${$iface} proto udp from any to {$remote_gateway} port = 500 keep state label \"IPSEC: {$tunnel['descr']} - outbound isakmp\"\n";
2925
						$ipfrules .= "pass in quick on \${$iface} proto udp from {$remote_gateway} to any port = 500 keep state label \"IPSEC: {$tunnel['descr']} - inbound isakmp\"\n";
2924
						$ipfrules .= "pass out quick on \${$iface} proto udp from any to {$remote_gateway} port = 500 keep state label \"IPsec: {$tunnel['descr']} - outbound isakmp\"\n";
2925
						$ipfrules .= "pass in quick on \${$iface} proto udp from {$remote_gateway} to any port = 500 keep state label \"IPsec: {$tunnel['descr']} - inbound isakmp\"\n";
2926 2926
						if ($tunnel['p2']['protocol'] == 'esp') {
2927
							$ipfrules .= "pass out quick on \${$iface} proto esp from any to {$remote_gateway} keep state label \"IPSEC: {$tunnel['descr']} - outbound esp proto\"\n";
2928
							$ipfrules .= "pass in quick on \${$iface} proto esp from {$remote_gateway} to any keep state label \"IPSEC: {$tunnel['descr']} - inbound esp proto\"\n";
2927
							$ipfrules .= "pass out quick on \${$iface} proto esp from any to {$remote_gateway} keep state label \"IPsec: {$tunnel['descr']} - outbound esp proto\"\n";
2928
							$ipfrules .= "pass in quick on \${$iface} proto esp from {$remote_gateway} to any keep state label \"IPsec: {$tunnel['descr']} - inbound esp proto\"\n";
2929 2929
						}
2930 2930
						if ($tunnel['p2']['protocol'] == 'ah') {
2931
							$ipfrules .= "pass out quick on \${$iface} proto ah from any to {$remote_gateway} keep state label \"IPSEC: {$tunnel['descr']} - outbound ah proto\"\n";
2932
							$ipfrules .= "pass in quick on \${$iface} proto ah from {$remote_gateway} to any keep state label \"IPSEC: {$tunnel['descr']} - inbound ah proto\"\n";
2931
							$ipfrules .= "pass out quick on \${$iface} proto ah from any to {$remote_gateway} keep state label \"IPsec: {$tunnel['descr']} - outbound ah proto\"\n";
2932
							$ipfrules .= "pass in quick on \${$iface} proto ah from {$remote_gateway} to any keep state label \"IPsec: {$tunnel['descr']} - inbound ah proto\"\n";
2933 2933
						}
2934 2934
					}
2935 2935
				}
......
2942 2942
		$ipseccfg = $config['ipsec'];
2943 2943
		if (isset($ipseccfg['mobileclients']['enable'])) {
2944 2944
			foreach($ifdescrs as $iface) {
2945
				$ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPSEC: Mobile - inbound isakmp\"\n";
2946
				$ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPSEC: Mobile - inbound esp proto\"\n";
2947
				$ipfrules .= "pass in quick on \${$iface} proto ah from any to any  keep state label \"IPSEC: Mobile - inbound ah proto\"\n";
2945
				$ipfrules .= "pass in quick on \${$iface} proto udp from any to any port = 500 keep state label \"IPsec: Mobile - inbound isakmp\"\n";
2946
				$ipfrules .= "pass in quick on \${$iface} proto esp from any to any keep state label \"IPsec: Mobile - inbound esp proto\"\n";
2947
				$ipfrules .= "pass in quick on \${$iface} proto ah from any to any  keep state label \"IPsec: Mobile - inbound ah proto\"\n";
2948 2948
			}
2949 2949
		}
2950 2950
	}
......
3067 3067
		$ints = array();
3068 3068
		$int = filter_translate_type_to_real_interface($ifname);
3069 3069
		/* if the interface is pppoe, set the ng0 interface */
3070
		update_filter_reload_status("Creating IPSEC tunnel items {$tunnel['descr']}...");
3070
		update_filter_reload_status("Creating IPsec tunnel items {$tunnel['descr']}...");
3071 3071
		$ip = find_interface_ip($int);
3072 3072
		if ($config['interfaces'][$ifname]['ipaddr'] == "pppoe")
3073 3073
			$int = " { " . filter_translate_type_to_real_interface($ifname) . " ng0 } ";
......
3154 3154
	}
3155 3155

  
3156 3156
	/* permit internal ipsec outbound traffic */
3157
	$rule .="pass out quick on \$enc0 keep state label \"IPSEC internal host to host\"";
3157
	$rule .="pass out quick on \$enc0 keep state label \"IPsec internal host to host\"";
3158 3158

  
3159 3159
	return $rule;
3160 3160
}
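Review bot: The rewritten label strings (old/new 2924–2932 and 2945–2947) still interpolate `$tunnel['descr']` unescaped inside the double-quoted pf `label "..."` clause, so a description containing a `"` or a newline would break the generated rule and, with a newline, could append an extra rule to the ruleset; this commit only changes the label casing and leaves that as is. Where `descr` is validated is not visible here, so it presumably comes straight from the admin-edited config and should be treated as untrusted for rule syntax. A minimal hardening is to sanitize once before building the rules, e.g. `$descr = preg_replace('/[^\w .:_-]/', '', $tunnel['descr']);` and use `{$descr}` in the labels. The enclosing function of these hunks starts and ends outside the visible section.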
etc/inc/pfsense-utils.inc
3049 3049
		);
3050 3050
		$ifdescrs = get_interface_list(true, true, $vfaces);
3051 3051
		$ifdescrs['enc0']['friendly'] = "ipsec";
3052
		$ifdescrs['enc0']['descr'] = "IPSEC";
3052
		$ifdescrs['enc0']['descr'] = "IPsec";
3053 3053
		$ifdescrs['enc0']['up'] = true;
3054 3054

  
3055 3055
		foreach ($ifdescrs as $realif => $ifdescr) {
etc/inc/vpn.inc
1316 1316
	return 0;
1317 1317
}
1318 1318

  
1319
/* Forcefully restart IPSEC
1319
/* Forcefully restart IPsec
1320 1320
 * This is required for when dynamic interfaces reload
1321 1321
 * For all other occasions the normal vpn_ipsec_configure()
1322 1322
 * will gracefully reload the settings without restarting
......
1341 1341

  
1342 1342
	/* if ipsec is enabled, start up again */
1343 1343
	if (isset($ipseccfg['enable'])) {
1344
		log_error("Forcefully reloading IPSEC racoon daemon");
1344
		log_error("Forcefully reloading IPsec racoon daemon");
1345 1345
		vpn_ipsec_configure();
1346 1346
	}
1347 1347

  
