Revision 96a6f4cb
Added by Cyrill B over 12 years ago
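--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1739,40 +1739,44 @@
 global $config;
 global $g;
 
+if (!$phase1 || !$phase2)
+return false;
+
+if (isset($phase1['mobile']))
+return false;
+
 $spdconf = "";
-if($phase1 && $phase2) {
-$ep = ipsec_get_phase1_src($phase1);
-$gw = trim($phase1['remote-gateway']);
-$sad_arr = ipsec_dump_sad();
-$remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);
+$ep = ipsec_get_phase1_src($phase1);
+$gw = trim($phase1['remote-gateway']);
+$sad_arr = ipsec_dump_sad();
+$remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);
 
-if (!empty($phase2['natlocalid']))
-$local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
-else
-$local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
+if (!empty($phase2['natlocalid']))
+$local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
+else
+$local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
 
-if ($phase2['mode'] == "tunnel6")
-$family = "-6";
-else
-$family = "-4";
+if ($phase2['mode'] == "tunnel6")
+$family = "-6";
+else
+$family = "-4";
 
-$spdconf .= "spddelete {$family} {$local_subnet} " .
-"{$remote_subnet} any -P out ipsec " .
-"{$phase2['protocol']}/tunnel/{$ep}-" .
-"{$gw}/unique;\n";
+$spdconf .= "spddelete {$family} {$local_subnet} " .
+"{$remote_subnet} any -P out ipsec " .
+"{$phase2['protocol']}/tunnel/{$ep}-" .
+"{$gw}/unique;\n";
 
-$spdconf .= "spddelete {$family} {$remote_subnet} " .
-"{$local_subnet} any -P in ipsec " .
-"{$phase2['protocol']}/tunnel/{$gw}-" .
-"{$ep}/unique;\n";
+$spdconf .= "spddelete {$family} {$remote_subnet} " .
+"{$local_subnet} any -P in ipsec " .
+"{$phase2['protocol']}/tunnel/{$gw}-" .
+"{$ep}/unique;\n";
 
-/* zap any existing SA entries */
-foreach($sad_arr as $sad) {
-if(($sad['dst'] == $ep) && ($sad['src'] == $gw))
-$spdconf .= "delete {$family} {$ep} {$gw} {$phase2['protocol']} 0x{$sad['spi']};\n";
-if(($sad['src'] == $ep) && ($sad['dst'] == $_gw))
-$spdconf .= "delete {$family} {$gw} {$ep} {$phase2['protocol']} 0x{$sad['spi']};\n";
-}
+/* zap any existing SA entries */
+foreach($sad_arr as $sad) {
+if(($sad['dst'] == $ep) && ($sad['src'] == $gw))
+$spdconf .= "delete {$family} {$ep} {$gw} {$phase2['protocol']} 0x{$sad['spi']};\n";
+if(($sad['src'] == $ep) && ($sad['dst'] == $_gw))
+$spdconf .= "delete {$family} {$gw} {$ep} {$phase2['protocol']} 0x{$sad['spi']};\n";
 }
 
 log_error(sprintf(gettext("Removing SPDs from tunnel gw '%1\$s'. Local Subnet '%2\$s' and Remote Subnet '%3\$s'. Reloading policy"),$phase1['remote-gateway'],$local_subnet,$remote_subnet));
@@ -1782,6 +1786,7 @@
 /* generate temporary spd.conf */
 @file_put_contents($spdfile, $spdconf);
 unset($spdconf);
+
 return true;
 }
 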
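Review bot: The inbound SA match on the new side's line 1778, `if(($sad['src'] == $ep) && ($sad['dst'] == $_gw))`, compares against `$_gw`, which is never assigned in the hunk while `$gw` is assigned at line 1750; unless `$_gw` is set somewhere outside the hunk, that condition only matches when `$sad['dst']` is empty, so inbound SAs from the remote gateway stay in the SAD after the SPDs are removed. The commit re-indents this block without touching it; the line should read `if(($sad['src'] == $ep) && ($sad['dst'] == $gw))`, and both address comparisons would be safer as `===` since the operands are strings. The enclosing function starts before the hunk, and the lines that set `$spdfile` and decide whether to skip an empty `$spdconf` (the behaviour the commit message describes) fall in the elided region between the two hunks, so that check cannot be confirmed from what is shown.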
Update etc/inc/vpn.inc
There's no need to create a spd.conf.reload file if it's empty.
Phase 1 entries for mobile clients are not handled by this function, thus exclude them. Their SPDs have a limited lifetime anyway.