Revision bd4c337c
Added by Jim Pingle about 7 years ago
| src/etc/inc/interfaces.inc | ||
|---|---|---|
| 1212 | 1212 |
return $gifif; |
| 1213 | 1213 |
} |
| 1214 | 1214 |
|
| 1215 |
function interface_ipsec_vti_configure($ph1ent) {
|
|
| 1216 |
global $config; |
|
| 1217 |
|
|
| 1218 |
if (empty($ph1ent) || !is_array($ph1ent) || !is_array($config['ipsec']['phase2'])) {
|
|
| 1219 |
return false; |
|
| 1220 |
} |
|
| 1221 |
|
|
| 1222 |
$vtisubnet_spec = ipsec_vti($ph1ent, true); |
|
| 1223 |
|
|
| 1224 |
if ($vtisubnet_spec && is_array($vtisubnet_spec)) {
|
|
| 1225 |
$left_spec = ipsec_get_phase1_src($ph1ent); |
|
| 1226 |
$right_spec = $ph1ent['remote-gateway']; |
|
| 1227 |
$ipsecif = "ipsec{$ph1ent['ikeid']}";
|
|
| 1228 |
|
|
| 1229 |
if (platform_booting() || !does_interface_exist($ipsecif)) {
|
|
| 1230 |
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " destroy", false);
|
|
| 1231 |
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " create reqid " . escapeshellarg($ph1ent['ikeid']), false);
|
|
| 1232 |
} else {
|
|
| 1233 |
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " create reqid " . escapeshellarg($ph1ent['ikeid']), false);
|
|
| 1234 |
} |
|
| 1235 |
|
|
| 1236 |
$inet = is_ipaddrv6($left_spec) ? "inet6" : "inet"; |
|
| 1237 |
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " {$inet} tunnel " . escapeshellarg($left_spec) . " " . escapeshellarg($right_spec) . " up", false);
|
|
| 1238 |
|
|
| 1239 |
$have_v4 = false; |
|
| 1240 |
$have_v6 = false; |
|
| 1241 |
foreach ($vtisubnet_spec as $vtisub) {
|
|
| 1242 |
$alias = ""; |
|
| 1243 |
if (is_ipaddrv6($vtisub['left'])) {
|
|
| 1244 |
if ($have_v6) {
|
|
| 1245 |
$alias = " alias"; |
|
| 1246 |
} else {
|
|
| 1247 |
// Write out gwv6 file |
|
| 1248 |
file_put_contents("/tmp/{$ipsecif}_routerv6", $vtisub['right']);
|
|
| 1249 |
} |
|
| 1250 |
$inet = "inet6"; |
|
| 1251 |
$have_v6 = true; |
|
| 1252 |
} else {
|
|
| 1253 |
if ($have_v4) {
|
|
| 1254 |
$alias = " alias"; |
|
| 1255 |
} else {
|
|
| 1256 |
// Write out gw file |
|
| 1257 |
file_put_contents("/tmp/{$ipsecif}_router", $vtisub['right']);
|
|
| 1258 |
} |
|
| 1259 |
$inet = "inet"; |
|
| 1260 |
$have_v4 = true; |
|
| 1261 |
} |
|
| 1262 |
/* ifconfig ipsec0 inet <p2 local> <p2 remote> */ |
|
| 1263 |
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " {$inet} " . escapeshellarg($vtisub['left']) . " " . escapeshellarg($vtisub['right']), false) . $alias;
|
|
| 1264 |
} |
|
| 1265 |
|
|
| 1266 |
if (!platform_booting()) {
|
|
| 1267 |
system_routing_configure($ipsecif); |
|
| 1268 |
} |
|
| 1269 |
} |
|
| 1270 |
} |
|
| 1271 |
|
|
| 1272 |
function interfaces_ipsec_vti_configure() {
|
|
| 1273 |
global $config; |
|
| 1274 |
if (platform_booting()) {
|
|
| 1275 |
echo gettext("Configuring IPsec VTI interfaces...");
|
|
| 1276 |
} |
|
| 1277 |
if (is_array($config['ipsec']) && is_array($config['ipsec']['phase1']) && is_array($config['ipsec']['phase2'])) {
|
|
| 1278 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
|
| 1279 |
interface_ipsec_vti_configure($ph1ent); |
|
| 1280 |
} |
|
| 1281 |
} |
|
| 1282 |
} |
|
| 1283 |
|
|
| 1215 | 1284 |
function interfaces_configure() {
|
| 1216 | 1285 |
global $config, $g; |
| 1217 | 1286 |
|
| ... | ... | |
| 1229 | 1298 |
|
| 1230 | 1299 |
interfaces_qinq_configure(); |
| 1231 | 1300 |
|
| 1301 |
/* set up IPsec VTI interfaces */ |
|
| 1302 |
interfaces_ipsec_vti_configure(); |
|
| 1303 |
|
|
| 1232 | 1304 |
$iflist = get_configured_interface_with_descr(); |
| 1233 | 1305 |
$delayed_list = array(); |
| 1234 | 1306 |
$bridge_list = array(); |
| ... | ... | |
| 1251 | 1323 |
} else if (strstr($realif, "ovpn")) {
|
| 1252 | 1324 |
//echo "Delaying OpenVPN interface configuration...done.\n"; |
| 1253 | 1325 |
continue; |
| 1326 |
} else if (strstr($realif, "ipsec")) {
|
|
| 1327 |
continue; |
|
| 1254 | 1328 |
} else if (!empty($config['interfaces'][$if]['ipaddrv6']) && $config['interfaces'][$if]['ipaddrv6'] == "track6") {
|
| 1255 | 1329 |
$track6_list[$if] = $ifname; |
| 1256 | 1330 |
} else {
|
| ... | ... | |
| 1583 | 1657 |
} |
| 1584 | 1658 |
|
| 1585 | 1659 |
if ($destroy == true) {
|
| 1586 |
if (preg_match("/^[a-z0-9]+^tun|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_stf$/i", $realif)) {
|
|
| 1660 |
if (preg_match("/^[a-z0-9]+^tun|^ovpn|^ipsec|^gif|^gre|^lagg|^bridge|vlan|_stf$/i", $realif)) {
|
|
| 1587 | 1661 |
pfSense_interface_destroy($realif); |
| 1588 | 1662 |
} |
| 1589 | 1663 |
} |
| ... | ... | |
| 3395 | 3469 |
} |
| 3396 | 3470 |
unset($client); |
| 3397 | 3471 |
} |
| 3472 |
} else if (substr($interface, 0, 5) == "ipsec") {
|
|
| 3473 |
if (is_array($config['ipsec']) && is_array($config['ipsec']['phase1']) && is_array($config['ipsec']['phase2'])) {
|
|
| 3474 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
|
| 3475 |
if ($ph1ent['disabled']) {
|
|
| 3476 |
continue; |
|
| 3477 |
} |
|
| 3478 |
if ($interface == "ipsec{$ph1ent['ikeid']}") {
|
|
| 3479 |
interface_ipsec_vti_configure($ph1ent); |
|
| 3480 |
} |
|
| 3481 |
} |
|
| 3482 |
} |
|
| 3398 | 3483 |
} else if (substr($interface, 0, 4) == "lagg") {
|
| 3399 | 3484 |
interfaces_lagg_configure($interface); |
| 3400 | 3485 |
} else if (substr($interface, 0, 6) == "bridge") {
|
| ... | ... | |
| 3485 | 3570 |
// Need code to handle MLPPP if we ever use $realhwif for MLPPP handling |
| 3486 | 3571 |
$realhwif = $realhwif_array[0]; |
| 3487 | 3572 |
|
| 3488 |
if (!platform_booting() && !(substr($realif, 0, 4) == "ovpn")) {
|
|
| 3573 |
if (!platform_booting() && !(substr($realif, 0, 4) == "ovpn") && !(substr($realif, 0, 5) == "ipsec")) {
|
|
| 3489 | 3574 |
/* remove all IPv4 and IPv6 addresses */ |
| 3490 | 3575 |
$tmpifaces = pfSense_getall_interface_addresses($realif); |
| 3491 | 3576 |
if (is_array($tmpifaces)) {
|
| ... | ... | |
| 3518 | 3603 |
} |
| 3519 | 3604 |
|
| 3520 | 3605 |
/* Need to check that the interface exists or not in the case where its coming back from disabled state see #3270 */ |
| 3521 |
if (!platform_booting() && (in_array(substr($realif, 0, 3), array("gre", "gif")) || !does_interface_exist($interface_to_check))) {
|
|
| 3606 |
if (!platform_booting() && (in_array(substr($realif, 0, 3), array("gre", "gif", "ips")) || !does_interface_exist($interface_to_check))) {
|
|
| 3522 | 3607 |
interface_virtual_create($interface_to_check); |
| 3523 | 3608 |
} |
| 3524 | 3609 |
|
| ... | ... | |
| 3686 | 3771 |
break; |
| 3687 | 3772 |
default: |
| 3688 | 3773 |
/* XXX: Kludge for now related to #3280 */ |
| 3689 |
if (!in_array($tunnelif, array("gif", "gre", "ovp"))) {
|
|
| 3774 |
if (!in_array($tunnelif, array("gif", "gre", "ovp", "ips"))) {
|
|
| 3690 | 3775 |
if (is_ipaddrv4($wancfg['ipaddr']) && $wancfg['subnet'] <> "") {
|
| 3691 | 3776 |
pfSense_interface_setaddress($realif, "{$wancfg['ipaddr']}/{$wancfg['subnet']}");
|
| 3692 | 3777 |
} |
| ... | ... | |
| 3718 | 3803 |
break; |
| 3719 | 3804 |
default: |
| 3720 | 3805 |
/* XXX: Kludge for now related to #3280 */ |
| 3721 |
if (!in_array($tunnelif, array("gif", "gre", "ovp"))) {
|
|
| 3806 |
if (!in_array($tunnelif, array("gif", "gre", "ovp", "ips"))) {
|
|
| 3722 | 3807 |
if (is_ipaddrv6($wancfg['ipaddrv6']) && $wancfg['subnetv6'] <> "") {
|
| 3723 | 3808 |
//pfSense_interface_setaddress($realif, "{$wancfg['ipaddrv6']}/{$wancfg['subnetv6']}");
|
| 3724 | 3809 |
// FIXME: Add IPv6 Support to the pfSense module |
| ... | ... | |
| 3749 | 3834 |
} |
| 3750 | 3835 |
} |
| 3751 | 3836 |
|
| 3752 |
if ($linkupevent == false || substr($realif, 0, 4) == "ovpn") {
|
|
| 3837 |
if (($linkupevent == false) || (substr($realif, 0, 4) == "ovpn") || (substr($realif, 0, 5) == "ipsec")) {
|
|
| 3753 | 3838 |
unset($bridgetmp); |
| 3754 | 3839 |
$bridgetmp = link_interface_to_bridge($interface); |
| 3755 | 3840 |
if (!empty($bridgetmp)) {
|
| ... | ... | |
| 5920 | 6005 |
} |
| 5921 | 6006 |
} |
| 5922 | 6007 |
} |
| 6008 |
if (is_array($config['ipsec']) && is_array($config['ipsec']['phase1']) && is_array($config['ipsec']['phase2'])) {
|
|
| 6009 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
|
| 6010 |
if ($ph1ent['disabled']) {
|
|
| 6011 |
continue; |
|
| 6012 |
} |
|
| 6013 |
if (ipsec_vti($ph1ent)) {
|
|
| 6014 |
$sourceips_key = "ipsec{$ph1ent['ikeid']}";
|
|
| 6015 |
$sourceips[$sourceips_key] = gettext("IPsec VTI") . ": " . htmlspecialchars($ph1ent['descr']);
|
|
| 6016 |
} |
|
| 6017 |
} |
|
| 6018 |
} |
|
| 5923 | 6019 |
return $sourceips; |
| 5924 | 6020 |
} |
| 5925 | 6021 |
|
| ... | ... | |
| 6115 | 6211 |
if (substr($ifname['if'], 0, 4) == "ovpn" || |
| 6116 | 6212 |
!empty($ifname['gateway'])) {
|
| 6117 | 6213 |
$ints[$ifdescr] = $ifdescr; |
| 6214 |
} elseif (substr($ifname['if'], 0, 5) == "ipsec" || |
|
| 6215 |
!empty($ifname['gateway'])) {
|
|
| 6216 |
$ints[$ifdescr] = $ifdescr; |
|
| 6118 | 6217 |
} |
| 6218 |
|
|
| 6119 | 6219 |
break; |
| 6120 | 6220 |
} |
| 6121 | 6221 |
} |
| ... | ... | |
| 6137 | 6237 |
return true; |
| 6138 | 6238 |
break; |
| 6139 | 6239 |
default: |
| 6140 |
if (substr($ifname['if'], 0, 4) == "ovpn") {
|
|
| 6240 |
if ((substr($ifname['if'], 0, 4) == "ovpn") || |
|
| 6241 |
(substr($ifname['if'], 0, 5) == "ipsec")) {
|
|
| 6141 | 6242 |
return true; |
| 6142 | 6243 |
} |
| 6143 | 6244 |
$tunnelif = substr($ifname['if'], 0, 3); |
| ... | ... | |
| 6170 | 6271 |
return true; |
| 6171 | 6272 |
break; |
| 6172 | 6273 |
default: |
| 6173 |
if (substr($ifname['if'], 0, 4) == "ovpn") {
|
|
| 6274 |
if ((substr($ifname['if'], 0, 4) == "ovpn") || |
|
| 6275 |
(substr($ifname['if'], 0, 5) == "ipsec")) {
|
|
| 6174 | 6276 |
return true; |
| 6175 | 6277 |
} |
| 6176 | 6278 |
$tunnelif = substr($ifname['if'], 0, 3); |
Also available in: Unified diff
Please welcome routed IPsec using if_ipsec VTI interfaces. Implements #8544
To use, create a P1/P2 and set P2 to VTI using local/remote network as tunnel endpoint addresses, then assign the interface (enable, but IP type = none), and use like any other interface for routing.