
Revision f3106b3f

Added by Ermal Luçi over 10 years ago

Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for the traffic selector.


etc/inc/vpn.inc
484 484
				if (empty($peerid_data))
485 485
					continue;
486 486

  
487
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
487
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
488 488
				$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
489
				if (!empty($ph1ent['pre-shared-key']))
490
					$pskconf .= $myid . $peerid . " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
489
				if (!empty($ph1ent['pre-shared-key'])) {
490
					if ($myid_type == 'fqdn' && !empty($myid_data))
491
						$pskconf .= "@{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
492
					else
493
						$pskconf .= "{$myid} {$peerid} : PSK 00" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
494
				}
491 495
			}
492 496
		}
493 497
	}
......
496 500
	if (is_array($config['system']) && is_array($config['system']['user'])) {
497 501
		foreach ($config['system']['user'] as $user) {
498 502
			if (!empty($user['ipsecpsk'])) {
499
				$pskconf .= "{$myid} {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
503
				$pskconf .= "%any {$user['name']} : PSK 00" . base64_encode($user['ipsecpsk']) . "\n";
500 504
			}
501 505
		}
502 506
		unset($user);
......
507 511
		foreach ($ipseccfg['mobilekey'] as $key) {
508 512
			if ($key['ident'] == "allusers")
509 513
				$key['ident'] = '%any';
510
			$pskconf .= "{$myid} {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
514
			$pskconf .= "%any {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
511 515
		}
512 516
		unset($key);
513 517
	}
......
556 560
				$right_spec = $ph1ent['remote-gateway'];
557 561

  
558 562
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
563
			if ($myid_type == 'fqdn')
564
				$myid_data = "@{$myid_data}";
559 565
			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
566
			if ($peerid_type == 'fqdn')
567
				$peerid_data = "@{$peerid_data}";
560 568

  
561 569
			/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
562 570
			$peerid_spec = '';
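Review bot: In the first hunk the `@` branch keys on `$myid_type == 'fqdn' && !empty($myid_data)`, but `$myid` was just set to the literal `%any` whenever `$ph1ent['mobile']` is not set, so a non-mobile tunnel with an FQDN local identifier writes `@%any peerid : PSK ...` into the secrets file and strongSwan will not match that entry to the connection. The guard should also require the mobile case, e.g. `if (isset($ph1ent['mobile']) && $myid_type == 'fqdn' && !empty($myid_data))`, or the `@` should be applied to `$myid_data` before the ternary. The same hunk and the user-PSK hunk also switch the secret prefix from `PSK 0s` to `PSK 00`, while the mobilekey hunk keeps `0s`; strongSwan's ipsec.secrets reads `0s` as the base64 marker, so the `00` lines would be parsed as a different literal secret and the PSK would silently stop matching — the three sites should agree on `PSK 0s`. The enclosing function starts before the first hunk and continues past the last one.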
