| 734 |
734 |
$ikeid = substr($ifcfg['if'], 5);
|
| 735 |
735 |
if (is_array($config['ipsec']) && is_array($config['ipsec']['phase1']) && is_array($config['ipsec']['phase2'])) {
|
| 736 |
736 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
| 737 |
|
// Skip disabled or non-matching IPsec
|
| 738 |
|
if (($ikeid != $ph1ent['ikeid']) || $ph1ent['disabled']) {
|
|
737 |
if ($ph1ent['disabled']) {
|
| 739 |
738 |
continue;
|
| 740 |
739 |
}
|
| 741 |
|
$vti_addrs = ipsec_vti($ph1ent, true);
|
|
740 |
$vtisubnet_spec = ipsec_vti($ph1ent, true);
|
| 742 |
741 |
// Skip non-VTI tunnels
|
| 743 |
|
if (!$vti_addrs || !is_array($vti_addrs)) {
|
|
742 |
if (!$vtisubnet_spec || !is_array($vtisubnet_spec)) {
|
| 744 |
743 |
continue;
|
| 745 |
744 |
}
|
| 746 |
|
// If any of the VTI remotes is v4, then we can make a v4 gw
|
| 747 |
|
foreach ($vti_addrs as $vtia) {
|
| 748 |
|
if (is_ipaddrv4($vtia['right'])) {
|
| 749 |
|
$ctype = "VTIv4";
|
|
745 |
if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
|
|
746 |
foreach ($vtisubnet_spec as $idx => $vtisub) {
|
|
747 |
if ($ifcfg['if'] == "ipsec{$ph1ent['ikeid']}00{$idx}") {
|
|
748 |
// If this specific VTI remote is v4, then we can make a v4 gw
|
|
749 |
if (is_ipaddrv4($vtisub['right'])) {
|
|
750 |
$ctype = "VTIv4";
|
|
751 |
}
|
|
752 |
}
|
|
753 |
}
|
|
754 |
} else {
|
|
755 |
if ($ifcfg['if'] == "ipsec{$ph1ent['ikeid']}000") {
|
|
756 |
// If any of the VTI remotes are v4, then we can make a v4 gw
|
|
757 |
foreach ($vtisubnet_spec as $vtisub) {
|
|
758 |
if (is_ipaddrv4($vtisub['right'])) {
|
|
759 |
$ctype = "VTIv4";
|
|
760 |
}
|
|
761 |
}
|
| 750 |
762 |
}
|
| 751 |
763 |
}
|
| 752 |
764 |
}
|
| ... | ... | |
| 864 |
876 |
$ikeid = substr($ifcfg['if'], 5);
|
| 865 |
877 |
if (is_array($config['ipsec']) && is_array($config['ipsec']['phase1']) && is_array($config['ipsec']['phase2'])) {
|
| 866 |
878 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
| 867 |
|
// Skip disabled or non-matching IPsec
|
| 868 |
|
if (($ikeid != $ph1ent['ikeid']) || $ph1ent['disabled']) {
|
|
879 |
if ($ph1ent['disabled']) {
|
| 869 |
880 |
continue;
|
| 870 |
881 |
}
|
| 871 |
|
$vti_addrs = ipsec_vti($ph1ent, true);
|
|
882 |
$vtisubnet_spec = ipsec_vti($ph1ent, true);
|
| 872 |
883 |
// Skip non-VTI tunnels
|
| 873 |
|
if (!$vti_addrs || !is_array($vti_addrs)) {
|
|
884 |
if (!$vtisubnet_spec || !is_array($vtisubnet_spec)) {
|
| 874 |
885 |
continue;
|
| 875 |
886 |
}
|
| 876 |
|
// If any of the VTI remotes is v6, then we can make a v6 gw
|
| 877 |
|
foreach ($vti_addrs as $vtia) {
|
| 878 |
|
if (is_ipaddrv6($vtia['right'])) {
|
| 879 |
|
$ctype = "VTIv6";
|
|
887 |
if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
|
|
888 |
foreach ($vtisubnet_spec as $idx => $vtisub) {
|
|
889 |
if ($ifcfg['if'] == "ipsec{$ph1ent['ikeid']}00{$idx}") {
|
|
890 |
// If this specific VTI remote is v6, then we can make a v6 gw
|
|
891 |
if (is_ipaddrv6($vtisub['right'])) {
|
|
892 |
$ctype = "VTIv6";
|
|
893 |
}
|
|
894 |
}
|
|
895 |
}
|
|
896 |
} else {
|
|
897 |
if ($ifcfg['if'] == "ipsec{$ph1ent['ikeid']}000") {
|
|
898 |
// If any of the VTI remotes are v6, then we can make a v6 gw
|
|
899 |
foreach ($vtisubnet_spec as $vtisub) {
|
|
900 |
if (is_ipaddrv6($vtisub['right'])) {
|
|
901 |
$ctype = "VTIv6";
|
|
902 |
}
|
|
903 |
}
|
| 880 |
904 |
}
|
| 881 |
905 |
}
|
| 882 |
906 |
}
|
Added by Jim Pingle about 7 years ago
Fix IPsec VTI gateway generation to match interface changes. Fixes #8544