Revision ce0dbd72
Added by Matthew Smith over 9 years ago
| src/etc/inc/vpn.inc | ||
|---|---|---|
| 143 | 143 |
/* wait for process to die */ |
| 144 | 144 |
sleep(2); |
| 145 | 145 |
|
| 146 |
/* disallow IPSEC, it is off */
|
|
| 146 |
/* IPSEC is off, shutdown enc interface.*/
|
|
| 147 | 147 |
mwexec("/sbin/ifconfig enc0 down");
|
| 148 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
|
|
| 149 | 148 |
|
| 150 | 149 |
return 0; |
| 151 | 150 |
} |
| ... | ... | |
| 160 | 159 |
$crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
|
| 161 | 160 |
|
| 162 | 161 |
mwexec("/sbin/ifconfig enc0 up");
|
| 163 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
|
|
| 164 | 162 |
if (php_uname('m') != "amd64") {
|
| 165 | 163 |
set_single_sysctl("net.inet.ipsec.directdispatch", "0");
|
| 166 | 164 |
} |
| ... | ... | |
| 207 | 205 |
echo gettext("Configuring IPsec VPN... ");
|
| 208 | 206 |
} |
| 209 | 207 |
|
| 210 |
/* fastforwarding is not compatible with ipsec tunnels */ |
|
| 211 |
set_single_sysctl("net.inet.ip.fastforwarding", "0");
|
|
| 212 |
|
|
| 213 | 208 |
/* resolve all local, peer addresses and setup pings */ |
| 214 | 209 |
$ipmap = array(); |
| 215 | 210 |
$rgmap = array(); |
| ... | ... | |
| 480 | 475 |
EOD; |
| 481 | 476 |
} |
| 482 | 477 |
|
| 483 |
/* |
|
| 484 |
$a_servers = auth_get_authserver_list(); |
|
| 485 |
foreach ($a_servers as $id => $pconfig) {
|
|
| 486 |
if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
|
|
| 487 |
$strongswan .= <<<EOD |
|
| 488 |
eap-radius {
|
|
| 489 |
class_group = yes |
|
| 490 |
eap_start = no |
|
| 491 |
servers {
|
|
| 492 |
primary {
|
|
| 493 |
address = {$pconfig['host']}
|
|
| 494 |
secret = {$pconfig['radius_secret']}
|
|
| 495 |
auth_port = {$pconfig['radius_auth_port']}
|
|
| 496 |
acct_port = {$pconfig['radius_acct_port']}
|
|
| 497 |
} |
|
| 498 |
} |
|
| 499 |
} |
|
| 500 |
|
|
| 501 |
EOD; |
|
| 502 |
break; |
|
| 503 |
} |
|
| 504 |
} |
|
| 505 |
*/ |
|
| 506 |
|
|
| 507 | 478 |
if (is_array($a_client) && isset($a_client['enable'])) {
|
| 508 | 479 |
$strongswan .= "\t\tattr {\n";
|
| 509 | 480 |
|
| ... | ... | |
| 1032 | 1003 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; |
| 1033 | 1004 |
if (!empty($ph1ent['certref'])) {
|
| 1034 | 1005 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1006 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1035 | 1007 |
} |
| 1036 | 1008 |
} |
| 1037 | 1009 |
break; |
| ... | ... | |
| 1041 | 1013 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; |
| 1042 | 1014 |
if (!empty($ph1ent['certref'])) {
|
| 1043 | 1015 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1016 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1044 | 1017 |
} |
| 1045 | 1018 |
} else {
|
| 1046 | 1019 |
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; |
| 1047 | 1020 |
if (!empty($ph1ent['certref'])) {
|
| 1048 | 1021 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1022 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1049 | 1023 |
} |
| 1050 | 1024 |
} |
| 1051 | 1025 |
if (isset($casub)) {
|
| ... | ... | |
| 1058 | 1032 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; |
| 1059 | 1033 |
if (!empty($ph1ent['certref'])) {
|
| 1060 | 1034 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1035 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1061 | 1036 |
} |
| 1062 | 1037 |
} else {
|
| 1063 | 1038 |
$authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; |
| 1064 | 1039 |
if (!empty($ph1ent['certref'])) {
|
| 1065 | 1040 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1041 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1066 | 1042 |
} |
| 1067 | 1043 |
} |
| 1068 | 1044 |
break; |
Also available in: Unified diff
changes for #5219 accidentally reverted unrelated changes made by other commits. Restore those & remove some dead code that was commented out.