/src/etc/inc/ipsec.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/ipsec.inc @ f50c6543

-            a93e56c5
+<?php
 /*
-            ac24dc24
+ * ipsec.inc
+ *
  * part of pfSense (https://www.pfsense.org)
-            c5d81585
+ * Copyright (c) 2008 Shrew Soft Inc.
-d47
+ * Copyright (c) 2007-2013 BSD Perimeter
  * Copyright (c) 2013-2016 Electric Sheep Fencing
-f585441
+ * Copyright (c) 2014-2021 Rubicon Communications, LLC (Netgate)
-            ac24dc24
+ * All rights reserved.
+ *
-            b12ea3fb
+ * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
-            ac24dc24
+            Renato Botelho
-            b12ea3fb
+ * http://www.apache.org/licenses/LICENSE-2.0
-            ac24dc24
+            Renato Botelho
-            b12ea3fb
+ * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
-            ac24dc24
+ */
-            a93e56c5
+            Matthew Grooms
-            c6220dcf
+require_once("filter.inc");
 require_once("auth.inc");
 require_once("certs.inc");
-            b08a1fa1
+require_once("interfaces.inc");
-            c6220dcf
+            jim-p
-a529
+/* IPsec defines */
-a7f
+global $ipsec_loglevels;
-            e8c516a0
+$ipsec_loglevels = array(
 	"dmn" => gettext("Daemon"),
 	"mgr" => gettext("SA Manager"),
 	"ike" => gettext("IKE SA"),
 	"chd" => gettext("IKE Child SA"),
 	"job" => gettext("Job Processing"),
 	"cfg" => gettext("Configuration backend"),
 	"knl" => gettext("Kernel Interface"),
 	"net" => gettext("Networking"),
 	"asn" => gettext("ASN encoding"),
 	"enc" => gettext("Message encoding"),
 	"imc" => gettext("Integrity checker"),
 	"imv" => gettext("Integrity Verifier"),
 	"pts" => gettext("Platform Trust Service"),
 	"tls" => gettext("TLS handler"),
 	"esp" => gettext("IPsec traffic"),
 	"lib" => gettext("StrongSwan Lib")
 );
-            c6efc8fd
+            Ermal
-            c53e411f
+global $ipsec_log_sevs;
 $ipsec_log_sevs = array(
-            e8c516a0
+	'-1' => gettext('Silent'),
 	'0' => gettext('Audit'),
 	'1' => gettext('Control'),
 	'2' => gettext('Diag'),
 	'3' => gettext('Raw'),
 	'4' => gettext('Highest')
-            c53e411f
+);
 global $ipsec_log_cats;
 $ipsec_log_cats = array(
-            e8c516a0
+	"dmn" => gettext("Daemon"),
 	"mgr" => gettext("SA Manager"),
 	"ike" => gettext("IKE SA"),
 	"chd" => gettext("IKE Child SA"),
 	"job" => gettext("Job Processing"),
 	"cfg" => gettext("Configuration backend"),
 	"knl" => gettext("Kernel Interface"),
 	"net" => gettext("Networking"),
 	"asn" => gettext("ASN encoding"),
 	"enc" => gettext("Message encoding"),
 	"imc" => gettext("Integrity checker"),
 	"imv" => gettext("Integrity Verifier"),
 	"pts" => gettext("Platform Trust Service"),
 	"tls" => gettext("TLS handler"),
 	"esp" => gettext("IPsec traffic"),
 	"lib" => gettext("StrongSwan Lib")
-            c53e411f
+);
-e461d38
+global $ipsec_identifier_list;
 $ipsec_identifier_list = array(
 	// 'ipv4' => array('desc' => gettext('IPv4 address'), 'mobile' => true),
 	// 'ipv6' => array('desc' => gettext('IPv6 address'), 'mobile' => true),
 	// 'rfc822' => array('desc' => gettext('RFC822'), 'mobile' => true),
 	'none' => array('desc' => '', 'mobile' => true),
 	'email' => array('desc' => gettext('E-mail address'), 'mobile' => true),
 	'userfqdn' => array('desc' => gettext('User Fully Qualified Domain Name'), 'mobile' => true)
 	// 'fqdn' => array('desc' => gettext('Fully Qualified Domain Name'), 'mobile' => true),
 	// 'dns' => array('desc' => gettext('DNS'), 'mobile' => true),
 	// 'asn1dn' => array('desc' => gettext('ASN.1 Distinguished Name'), 'mobile' => true),
 	// 'asn1gn' => array('desc' => gettext('ASN.1 GN'), 'mobile' => true),
 	// 'keyid' => array('desc' => gettext('KeyID'), 'mobile' => true)
 );
-a7f
+global $my_identifier_list;
-a529
+$my_identifier_list = array(
-cf944
+	'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true),
 	'address' => array('desc' => gettext('IP address'), 'mobile' => true),
 	'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true),
 	'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true),
 	'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true),
 	'keyid tag' => array('desc' => gettext('KeyID tag'), 'mobile' => true),
-            e8c516a0
+	'dyn_dns' => array('desc' => gettext('Dynamic DNS'), 'mobile' => true)
 );
-a529
+            Matthew Grooms
-a7f
+global $peer_identifier_list;
-a529
+$peer_identifier_list = array(
-            b0994811
+	'any' => array('desc' => gettext('Any'), 'mobile' => true),
-cf944
+	'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false),
 	'address' => array('desc' => gettext('IP address'), 'mobile' => false),
 	'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true),
 	'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true),
 	'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true),
-            e8c516a0
+	'keyid tag' => array('desc' =>gettext('KeyID tag'), 'mobile' => true)
 );
-a529
+            Matthew Grooms
-a7f
+global $ipsec_idhandling;
-e1846f
+$ipsec_idhandling = array(
-            c6220dcf
+	'replace' => 'Yes (Replace)', 'no' => 'No', 'never' => 'Never', 'keep' => 'Keep'
-            e8c516a0
+);
-e1846f
+            Ermal LUÇI
-a7f
+global $p1_ealgos;
-a529
+$p1_ealgos = array(
-cf944
+	'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
-            a46e0d74
+	'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
 	'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
 	'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
-cf944
+	'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
 	'3des' => array('name' => '3DES'),
-            e8c516a0
+	'cast128' => array('name' => 'CAST128')
 );
-a529
+            Matthew Grooms
-a7f
+global $p2_ealgos;
-a529
+$p2_ealgos = array(
-cf944
+	'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
 	'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
 	'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
 	'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
 	'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
 	'3des' => array('name' => '3DES'),
-            e8c516a0
+	'cast128' => array('name' => 'CAST128')
 );
-a529
+            Matthew Grooms
-a7f
+global $p1_halgos;
-a529
+$p1_halgos = array(
-db
+	'md5' => 'MD5',
-a529
+	'sha1' => 'SHA1',
-db
+	'sha256' => 'SHA256',
 	'sha384' => 'SHA384',
-            b0cbebeb
+	'sha512' => 'SHA512',
 	'aesxcbc' => 'AES-XCBC'
-db
+);
-a7f
+global $p1_dhgroups;
-db
+$p1_dhgroups = array(
 => '1 (768 bit)',
 => '2 (1024 bit)',
 => '5 (1536 bit)',
 => '14 (2048 bit)',
 => '15 (3072 bit)',
 => '16 (4096 bit)',
 => '17 (6144 bit)',
-            b0cbebeb
+=> '18 (8192 bit)',
-a747654
+=> '19 (nist ecp256)',
 => '20 (nist ecp384)',
 => '21 (nist ecp521)',
-            b0cbebeb
+=> '22 (1024(sub 160) bit)',
 => '23 (2048(sub 224) bit)',
-            c55ec98a
+=> '24 (2048(sub 256) bit)',
-bee028
+=> '25 (nist ecp192)',
 => '26 (nist ecp224)',
 => '27 (brainpool ecp224)',
-            c55ec98a
+=> '28 (brainpool ecp256)',
 => '29 (brainpool ecp384)',
-fc26748
+=> '30 (brainpool ecp512)',
 => '31 (Elliptic Curve 25519, 256 bit)',
-f45cc99
+=> '32 (Elliptic Curve 25519, 448 bit)',
-db
+);
-a529
+            Matthew Grooms
-a7f
+global $p2_halgos;
-a529
+$p2_halgos = array(
-db
+	'hmac_md5' => 'MD5',
-a529
+	'hmac_sha1' => 'SHA1',
-db
+	'hmac_sha256' => 'SHA256',
 	'hmac_sha384' => 'SHA384',
-            b0cbebeb
+	'hmac_sha512' => 'SHA512',
 	'aesxcbc' => 'AES-XCBC'
-db
+);
-a529
+            Matthew Grooms
-a7f
+global $p1_authentication_methods;
-a529
+$p1_authentication_methods = array(
-            d1f5587d
+	'hybrid_cert_server' => array('name' => gettext('Hybrid Certificate + Xauth'), 'mobile' => true),
 	'xauth_cert_server' => array('name' => gettext('Mutual Certificate + Xauth'), 'mobile' => true),
-            e8c516a0
+	'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
 	'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
 	'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
 	'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
-c2b5
+	'cert' => array('name' => gettext('Mutual Certificate'), 'mobile' => false),
-            f645d52a
+	'pkcs11' => array('name' => gettext('Mutual Certificate (PKCS#11)'), 'mobile' => false),
-            e8c516a0
+	'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
 );
-a529
+            Matthew Grooms
-a7f
+global $ipsec_preshared_key_type;
-e2acb5
+$ipsec_preshared_key_type = array(
 	'PSK' => 'PSK',
 	'EAP' => 'EAP'
-            e8c516a0
+);
-e2acb5
+            Ermal LUÇI
-c85e89
+global $ipsec_closeactions;
 $ipsec_closeactions = array(
 	'' => gettext('Default'),
-e75
+	'none' => gettext('Close connection and clear SA'),
 	'start' => gettext('Restart/Reconnect'),
-a6bd5e
+	'trap' => gettext('Close connection and reconnect on demand'),
-c85e89
+);
-a7f
+global $p2_modes;
-b96b367
+$p2_modes = array(
-            e8c516a0
+	'tunnel' => gettext('Tunnel IPv4'),
 	'tunnel6' => gettext('Tunnel IPv6'),
-            bd4c337c
+	'transport' => gettext('Transport'),
 	'vti' => gettext('Routed (VTI)')
-            e8c516a0
+);
-b96b367
+            mgrooms
-a7f
+global $p2_protos;
-a529
+$p2_protos = array(
 	'esp' => 'ESP',
-            e8c516a0
+	'ah' => 'AH'
 );
-a529
+            Matthew Grooms
-a7f
+global $p2_pfskeygroups;
-a529
+$p2_pfskeygroups = array(
-            e8c516a0
+=> gettext('off'),
 => gettext('1 (768 bit)'),
 => gettext('2 (1024 bit)'),
 => gettext('5 (1536 bit)'),
 => gettext('14 (2048 bit)'),
 => gettext('15 (3072 bit)'),
 => gettext('16 (4096 bit)'),
 => gettext('17 (6144 bit)'),
 => gettext('18 (8192 bit)'),
 => gettext('19 (nist ecp256)'),
 => gettext('20 (nist ecp384)'),
 => gettext('21 (nist ecp521)'),
-be9d722
+=> gettext('22 (1024(sub 160) bit)'),
 => gettext('23 (2048(sub 224) bit)'),
 => gettext('24 (2048(sub 256) bit)'),
-bee028
+=> gettext('25 (nist ecp192)'),
 => gettext('26 (nist ecp224)'),
 => gettext('27 (brainpool ecp224)'),
-            e8c516a0
+=> gettext('28 (brainpool ecp256)'),
 => gettext('29 (brainpool ecp384)'),
-fc26748
+=> gettext('30 (brainpool ecp512)'),
 => gettext('31 (Elliptic Curve 25519, 256 bit)'),
-f45cc99
+=> gettext('32 (Elliptic Curve 25519, 448 bit)'),
-db
+);
-a529
+            Matthew Grooms
-e96112a
+function ipsec_enabled() {
 	global $config;
-e322e2c
+	if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {
-e96112a
+		return false;
-e322e2c
+            Phil Davis
-e96112a
+            Luiz Otavio O Souza
-            fef38e5a
+	/* Check if we have at least one phase 1 entry. */
-e96112a
+	if (!isset($config['ipsec']['phase1']) ||
 	    !is_array($config['ipsec']['phase1']) ||
 	    empty($config['ipsec']['phase1'])) {
 		return false;
+	}
-            fef38e5a
+	/* Check if at least one phase 1 entry is enabled. */
 	foreach ($config['ipsec']['phase1'] as $phase1) {
-e322e2c
+		if (!isset($phase1['disabled'])) {
-            fef38e5a
+			return true;
-e322e2c
+            Phil Davis
-            fef38e5a
+            Luiz Otavio O Souza
-e96112a
+            Luiz Otavio O Souza
-            fef38e5a
+	return false;
-e96112a
+            Luiz Otavio O Souza
-            d799787e
+/*
  * ikeid management functions
  */
 function ipsec_ikeid_used($ikeid) {
 	global $config;
-            b37a2e8c
+	foreach ($config['ipsec']['phase1'] as $ph1ent) {
-cf944
+		if ($ikeid == $ph1ent['ikeid']) {
-            d799787e
+			return true;
-            b37a2e8c
+            Phil Davis
+	}
-            d799787e
+            Matthew Grooms
 	return false;
+}
 function ipsec_ikeid_next() {
 	$ikeid = 1;
-            b37a2e8c
+	while (ipsec_ikeid_used($ikeid)) {
-            d799787e
+		$ikeid++;
-            b37a2e8c
+            Phil Davis
-            d799787e
+            Matthew Grooms
 	return $ikeid;
+}
-            a93e56c5
+/*
  * Return phase1 local address
  */
 function ipsec_get_phase1_src(& $ph1ent) {
-f6730a
+	if ($ph1ent['interface']) {
-            d9901ff4
+		if (substr($ph1ent['interface'], 0, 4) == "_vip") {
-a5960b0
+			$if = $ph1ent['interface'];
-            d9901ff4
+		} else {
-a5960b0
+			$if = get_failover_interface($ph1ent['interface']);
-            d9901ff4
+            Chris Buechler
 	} else {
-a8
+		$if = "wan";
-            d9901ff4
+            Chris Buechler
-            d1f69741
+	$ip6 = get_interface_ipv6($if);
 	$ip4 = get_interface_ip($if);
-            d9901ff4
+	if ($ph1ent['protocol'] == "inet6") {
-            d1f69741
+		$interfaceip = $ip6;
 	} elseif ($ph1ent['protocol'] == "inet") {
 		$interfaceip = $ip4;
 	} elseif ($ph1ent['protocol'] == "both") {
 		$ifips = array();
 		if (!empty($ip4)) {
 			$ifips[] = $ip4;
+		}
 		if (!empty($ip6)) {
 			$ifips[] = $ip6;
+		}
 		$interfaceip = implode(',', $ifips);
-            d9901ff4
+            Chris Buechler
-            a93e56c5
+            Matthew Grooms
 	return $interfaceip;
+}
-a529
+/*
  * Return phase1 local address
  */
 function ipsec_get_phase1_dst(& $ph1ent) {
-            df82fae1
+	global $g;
-ffafea3
+            Ermal
-            b37a2e8c
+	if (empty($ph1ent['remote-gateway'])) {
-f3554bb
+		return false;
-            b37a2e8c
+            Phil Davis
-a529
+	$rg = $ph1ent['remote-gateway'];
-d5cb7a
+	if (!is_ipaddr($rg)) {
-cf944
+		if (!platform_booting()) {
-            d3ac1cea
+			return resolve_retry($rg, $ph1ent['protocol']);
-            b37a2e8c
+            Phil Davis
-d5cb7a
+            smos
-            b37a2e8c
+	if (!is_ipaddr($rg)) {
-af7398a
+		return false;
-            b37a2e8c
+            Phil Davis
-af7398a
+            Matthew Grooms
-a529
+	return $rg;
+}
-            a93e56c5
+/*
  * Return phase2 idinfo in cidr format
  */
-ffafea3
+function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") {
-            a93e56c5
+	global $config;
-ffafea3
+	switch ($idinfo['type']) {
-            a93e56c5
+		case "address":
-f61
+			if ($addrbits) {
-            b37a2e8c
+				if ($mode == "tunnel6") {
-f61
+					return $idinfo['address']."/128";
-ab21bb
+				} elseif (($mode == "vti") && is_ipaddrv4($idinfo['address'])) {
 					return $idinfo['address']."/30";
-            c519b62f
+				} elseif (($mode == "vti") && is_ipaddrv6($idinfo['address'])) {
 					return $idinfo['address']."/64";
-            b37a2e8c
+				} else {
-f61
+					return $idinfo['address']."/32";
-            b37a2e8c
+            Phil Davis
-cf944
+			} else {
-            a93e56c5
+				return $idinfo['address'];
-cf944
+            Phil Davis
-ffafea3
+			break; /* NOTREACHED */
-            a93e56c5
+		case "network":
-ffafea3
+			return "{$idinfo['address']}/{$idinfo['netbits']}";
 			break; /* NOTREACHED */
-a73
+		case "none":
-a529
+		case "mobile":
-b56e04
+			return '0.0.0.0/0';
-ffafea3
+			break; /* NOTREACHED */
-            a55e9c70
+		default:
-            b37a2e8c
+			if (empty($mode) && !empty($idinfo['mode'])) {
-ffafea3
+				$mode = $idinfo['mode'];
-            b37a2e8c
+            Phil Davis
-ffafea3
+            Ermal
 			if ($mode == "tunnel6") {
-f61
+				$address = get_interface_ipv6($idinfo['type']);
 				$netbits = get_interface_subnetv6($idinfo['type']);
-cf944
+				$address = gen_subnetv6($address, $netbits);
-ffafea3
+				return "{$address}/{$netbits}";
-f61
+			} else {
 				$address = get_interface_ip($idinfo['type']);
 				$netbits = get_interface_subnet($idinfo['type']);
-cf944
+				$address = gen_subnet($address, $netbits);
-ffafea3
+				return "{$address}/{$netbits}";
-f61
+            Seth Mos
-ffafea3
+			break; /* NOTREACHED */
-f61
+            Seth Mos
-            a93e56c5
+            Matthew Grooms
 /*
  * Return phase2 idinfo in address/netmask format
  */
-cf944
+function ipsec_idinfo_to_subnet(& $idinfo, $addrbits = false) {
-            a93e56c5
+	global $config;
-ffafea3
+	switch ($idinfo['type']) {
-            a93e56c5
+		case "address":
-f61
+			if ($addrbits) {
-            b37a2e8c
+				if ($idinfo['mode'] == "tunnel6") {
-f61
+					return $idinfo['address']."/128";
-            b37a2e8c
+				} else {
-f61
+					return $idinfo['address']."/255.255.255.255";
-            b37a2e8c
+            Phil Davis
-cf944
+			} else {
-            a93e56c5
+				return $idinfo['address'];
-cf944
+            Phil Davis
-ffafea3
+			break; /* NOTREACHED */
-a73
+		case "none":
-            a93e56c5
+		case "network":
 			return $idinfo['address']."/".gen_subnet_mask($idinfo['netbits']);
-ffafea3
+			break; /* NOTREACHED */
-a529
+		case "mobile":
 			return "0.0.0.0/0";
-ffafea3
+			break; /* NOTREACHED */
-a73
+		default:
-ffafea3
+			if ($idinfo['mode'] == "tunnel6") {
-f61
+				$address = get_interface_ipv6($idinfo['type']);
 				$netbits = get_interface_subnetv6($idinfo['type']);
-cf944
+				$address = gen_subnetv6($address, $netbits);
-f61
+				return $address."/".$netbits;
 			} else {
 				$address = get_interface_ip($idinfo['type']);
 				$netbits = get_interface_subnet($idinfo['type']);
-cf944
+				$address = gen_subnet($address, $netbits);
-f61
+				return $address."/".$netbits;
+			}
-ffafea3
+			break; /* NOTREACHED */
-f61
+            Seth Mos
-            a93e56c5
+            Matthew Grooms
 /*
  *  Return phase2 idinfo in text format
  */
 function ipsec_idinfo_to_text(& $idinfo) {
-ffafea3
+	global $config;
-            a93e56c5
+            Matthew Grooms
-ffafea3
+	switch ($idinfo['type']) {
-            b37a2e8c
+		case "address":
 			return $idinfo['address'];
 			break; /* NOTREACHED */
 		case "network":
 			return $idinfo['address']."/".$idinfo['netbits'];
 			break; /* NOTREACHED */
 		case "mobile":
 			return gettext("Mobile Client");
 			break; /* NOTREACHED */
 		case "none":
 			return gettext("None");
 			break; /* NOTREACHED */
 		default:
 			if (!empty($config['interfaces'][$idinfo['type']])) {
 				return convert_friendly_interface_to_friendly_descr($idinfo['type']);
 			} else {
 				return strtoupper($idinfo['type']);
+			}
 			break; /* NOTREACHED */
-ffafea3
+            Ermal
-            a93e56c5
+            Matthew Grooms
 /*
  * Return phase1 association for phase2
  */
-cf944
+function ipsec_lookup_phase1(& $ph2ent, & $ph1ent) {
-ffafea3
+	global $config;
-            b37a2e8c
+	if (!is_array($config['ipsec'])) {
-            fe12d7ea
+		return false;
-            b37a2e8c
+            Phil Davis
 	if (!is_array($config['ipsec']['phase1'])) {
-            fe12d7ea
+		return false;
-            b37a2e8c
+            Phil Davis
 	if (empty($config['ipsec']['phase1'])) {
-            fe12d7ea
+		return false;
-            b37a2e8c
+            Phil Davis
-ffafea3
+            Ermal
 	foreach ($config['ipsec']['phase1'] as $ph1tmp) {
-            b37a2e8c
+		if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) {
 			$ph1ent = $ph1tmp;
 			return $ph1ent;
+		}
-ffafea3
+            Ermal
 	return false;
-            a93e56c5
+            Matthew Grooms
 /*
  * Check phase1 communications status
  */
-            ed6e93ea
+function ipsec_phase1_status(&$ipsec_status, $ikeid) {
-            a93e56c5
+            Matthew Grooms
-f93e00
+	foreach ($ipsec_status as $ike) {
-            17318511
+		if ($ike['id'] == $ikeid) {
-            b37a2e8c
+			if ($ike['status'] == 'established') {
-            17318511
+				return true;
-            b37a2e8c
+            Phil Davis
-            17318511
+            Ermal LUÇI
-            fe12d7ea
+            Ermal
-            a93e56c5
+            Matthew Grooms
 	return false;
+}
 /*
  * Check phase2 communications status
  */
-            ed6e93ea
+function ipsec_phase2_status(&$ipsec_status, &$phase2) {
-            a93e56c5
+            Matthew Grooms
-cf944
+	if (ipsec_lookup_phase1($ph2ent, $ph1ent)) {
-            fe12d7ea
+		return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']);
-            b37a2e8c
+            Phil Davis
-            a93e56c5
+            Matthew Grooms
 	return false;
+}
-dade399
+/*
  * Wrapper to call pfSense_ipsec_list_sa() when IPsec is enabled
  */
 function ipsec_list_sa() {
-e322e2c
+	if (ipsec_enabled()) {
-dade399
+		return pfSense_ipsec_list_sa();
-e322e2c
+            Phil Davis
-dade399
+            Renato Botelho
 	return array();
+}
-            e1c34c69
+/*
  * Return dump of SPD table
  */
 function ipsec_dump_spd() {
 	$fd = @popen("/sbin/setkey -DP", "r");
 	$spd = array();
 	if ($fd) {
 		while (!feof($fd)) {
 			$line = chop(fgets($fd));
 			if (!$line) {
 				continue;
+			}
 			if ($line == "No SPD entries.") {
 				break;
+			}
 			if ($line[0] != "\t") {
 				if (is_array($cursp)) {
 					$spd[] = $cursp;
+				}
 				$cursp = array();
 				$linea = explode(" ", $line);
 				$cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "["));
 				$cursp['dstid'] = substr($linea[1], 0, strpos($linea[1], "["));
 				$i = 0;
 			} else if (is_array($cursp)) {
 				$line = trim($line, "\t\r\n ");
 				$linea = explode(" ", $line);
 				switch ($i) {
 					case 1:
 						if ($linea[1] == "none")	/* don't show default anti-lockout rule */ {
 							unset($cursp);
 						} else {
 							$cursp['dir'] = $linea[0];
+						}
 						break;
 					case 2:
 						$upperspec = explode("/", $linea[0]);
 						$cursp['proto'] = $upperspec[0];
 						list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]);
 						$cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1);
 						break;
+				}
+			}
 			$i++;
+		}
 		if (is_array($cursp) && count($cursp)) {
 			$spd[] = $cursp;
+		}
 		pclose($fd);
+	}
 	return $spd;
+}
-            a93e56c5
+/*
  * Return dump of SAD table
  */
-cf944
+function ipsec_dump_sad() {
-c591d6
+	$fd = @popen("/sbin/setkey -D", "r");
-            a93e56c5
+	$sad = array();
 	if ($fd) {
 		while (!feof($fd)) {
 			$line = chop(fgets($fd));
-            b37a2e8c
+			if (!$line || $line[0] == " ") {
-            a93e56c5
+				continue;
-            b37a2e8c
+            Phil Davis
 			if ($line == "No SAD entries.") {
-            a93e56c5
+				break;
-            b37a2e8c
+            Phil Davis
 			if ($line[0] != "\t") {
 				if (is_array($cursa)) {
-            a93e56c5
+					$sad[] = $cursa;
-            b37a2e8c
+            Phil Davis
-            a93e56c5
+				$cursa = array();
-cf944
+				list($cursa['src'], $cursa['dst']) = explode(" ", $line);
-            b37a2e8c
+			} else {
-c5
+				$line = trim($line, "\t\n\r ");
 				$linea = explode(" ", $line);
 				foreach ($linea as $idx => $linee) {
-            b37a2e8c
+					if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') {
-c5
+						$cursa['proto'] = $linee;
-            b37a2e8c
+					} else if (substr($linee, 0, 3) == 'spi') {
-c5
+						$cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1);
-            b37a2e8c
+					} else if (substr($linee, 0, 5) == 'reqid') {
-c5
+						$cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1);
-            b37a2e8c
+					} else if (substr($linee, 0, 2) == 'E:') {
-c5
+						$cursa['ealgo'] = $linea[$idx + 1];
-            a93e56c5
+						break;
-c5
+					} else if (substr($linee, 0, 2) == 'A:') {
 						$cursa['aalgo'] = $linea[$idx + 1];
-            a93e56c5
+						break;
-c5
+					} else if (substr($linee, 0, 8) == 'current:') {
 						$cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B';
-            f451ea09
+						break;
-c5
+            Ermal LUÇI
-            a93e56c5
+            Matthew Grooms
+			}
+		}
-            b37a2e8c
+		if (is_array($cursa) && count($cursa)) {
-            a93e56c5
+			$sad[] = $cursa;
-            b37a2e8c
+            Phil Davis
-            a93e56c5
+		pclose($fd);
+	}
 	return $sad;
+}
-e0b68bf
+/*
  * Return dump of mobile user list
  */
 function ipsec_dump_mobile() {
-            33927941
+	global $g, $config;
-            ed5fc757
+            Ermal
-            33927941
+	if(!isset($config['ipsec']['client']['enable'])) {
 		return array();
+	}
-be9d722
+            Steve Beaver
-            c6220dcf
+	/* Fetch the pool contents and leases from swanctl. */
 	$_gb = exec("/usr/local/sbin/swanctl --list-pools --leases 2>/dev/null", $output, $rc);
-e0b68bf
+            jim-p
-b7651
+	if ($rc != 0) {
-efd64
+		log_error(gettext("Unable to find IPsec daemon leases file. Could not display mobile user stats!"));
-ab6ad70
+		return array();
-e0b68bf
+            jim-p
-            c6220dcf
+	$response = array(
 		'pool' => array(),
 	);
-b7651
+            Renato Botelho
-            c6220dcf
+	/* swanctl --list-pools --leases example output, field names can be confirmed by
 	 * looking at --raw or --pretty output. */
 	/* mobile-pool          10.7.200.0                          0 / 1 / 254 */
 	$pool_regex='/^(?P<name>\S+)\s+(?P<base>\S+)\s+(?P<online>\d+) \/ (?P<offline>\d+) \/ (?P<size>\d+)/';
 	/*   10.7.200.1                     online   'jimp' */
 	$lease_regex='/\s*(?P<host>[\d\.]+)\s+(?P<status>online|offline)\s+\'(?P<id>.*)\'/';
-b7651
+	foreach ($output as $line) {
-            c6220dcf
+		if (preg_match($pool_regex, $line, $matches)) {
-b7651
+			$id++;
 			$response['pool'][$id] = array(
 			    'name'   => $matches['name'],
-            c6220dcf
+			    'base'   => $matches['base'],
-b7651
+			    'online' => $matches['online'],
-            c6220dcf
+			    'offline'  => $matches['offline'],
 			    'size'   => $matches['size'],
 			);
 		} elseif (preg_match($lease_regex, $line, $matches)) {
 			$response['pool'][$id]['lease'][] = array(
 			    'host'   => $matches['host'],
 			    'status' => $matches['status'],
 			    'id'     => $matches['id']
-b7651
+			);
+		}
-            f3e15492
+            Renato Botelho
-            c6220dcf
+	unset($_gb, $output, $rc, $pool_regex);
-ab6ad70
+            Ermal
 	return $response;
-e0b68bf
+            jim-p
-c5
+function ipsec_mobilekey_sort() {
 	global $config;
 	function mobilekeycmp($a, $b) {
 		return strcmp($a['ident'][0], $b['ident'][0]);
+	}
 	usort($config['ipsec']['mobilekey'], "mobilekeycmp");
+}
-f5c3d8d
+function ipsec_get_number_of_phase2($ikeid) {
 	global $config;
-            b37a2e8c
+	$a_phase2 = $config['ipsec']['phase2'];
-f5c3d8d
+            Pierre POMES
-c07db48
+	$nbph2 = 0;
-f5c3d8d
+            Pierre POMES
-            b37a2e8c
+	if (is_array($a_phase2) && count($a_phase2)) {
 		foreach ($a_phase2 as $ph2tmp) {
 			if ($ph2tmp['ikeid'] == $ikeid) {
-f5c3d8d
+				$nbph2++;
+			}
+		}
+	}
 	return $nbph2;
+}
-a5304
+function ipsec_get_descr($ikeid) {
 	global $config;
 	if (!isset($config['ipsec']['phase1']) ||
-            b37a2e8c
+	    !is_array($config['ipsec']['phase1'])) {
-            c607f306
+		return '';
-            b37a2e8c
+            Phil Davis
-a5304
+            Renato Botelho
-            c607f306
+	foreach ($config['ipsec']['phase1'] as $p1) {
-a5304
+		if ($p1['ikeid'] == $ikeid) {
-            c607f306
+			return $p1['descr'];
-a5304
+            Renato Botelho
+	}
-            c607f306
+	return '';
-a5304
+            Renato Botelho
-c3b5b
+function ipsec_get_phase1($ikeid) {
-            b37a2e8c
+		global $config;
 		if (!isset($config['ipsec']['phase1']) ||
 		    !is_array($config['ipsec']['phase1'])) {
 			return '';
+		}
 		$a_phase1 = $config['ipsec']['phase1'];
 		foreach ($a_phase1 as $p1) {
 			if ($p1['ikeid'] == $ikeid) {
 				return $p1;
+			}
+		}
 		unset($a_phase1);
-c3b5b
+            Ermal LUÇI
-ec026a4
+function ipsec_fixup_ip($ipaddr) {
-            b37a2e8c
+	if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) {
-fb
+		return text_to_compressed_ip6($ipaddr);
-            b37a2e8c
+	} else {
-ec026a4
+		return $ipaddr;
-            b37a2e8c
+            Phil Davis
-ec026a4
+            jim-p
-abd
+function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) {
 	if ($side == "local") {
 		$id_type = $ph1ent['myid_type'];
 		$id_data = $ph1ent['myid_data'];
 		$addr = ipsec_get_phase1_src($ph1ent);
-            b37a2e8c
+		if (!$addr) {
-abd
+			return array();
-            b37a2e8c
+            Phil Davis
-            d1f69741
+		/* When automatically guessing, use the first address. */
 		$addr = explode(',', $addr);
 		$addr = $addr[0];
-aef0b
+	} elseif ($side == "peer") {
-abd
+		$id_type = $ph1ent['peerid_type'];
 		$id_data = $ph1ent['peerid_data'];
-            b37a2e8c
+		if (isset($ph1ent['mobile'])) {
-abd
+			$addr = "%any";
-            b37a2e8c
+		} else {
-abd
+			$addr = $ph1ent['remote-gateway'];
-            b37a2e8c
+            Phil Davis
 	} else {
-abd
+		return array();
-            b37a2e8c
+            Phil Davis
-abd
+            jim-p
 	$thisid_type = $id_type;
 	switch ($thisid_type) {
-            b37a2e8c
+		case 'myaddress':
 			$thisid_type = 'address';
 			$thisid_data = $addr;
 			break;
 		case 'dyn_dns':
 			$thisid_type = 'dns';
 			$thisid_data = $id_data;
 			break;
 		case 'peeraddress':
 			$thisid_type = 'address';
 			$thisid_data = $rgmap[$ph1ent['remote-gateway']];
 			break;
 		case 'address':
 			$thisid_data = $id_data;
 			break;
 		case 'fqdn':
 			$thisid_data = "{$id_data}";
 			break;
 		case 'keyid tag':
 			$thisid_type = 'keyid';
-            10439116
+			$thisid_data = "{$id_data}";
-            b37a2e8c
+			break;
 		case 'user_fqdn':
 			$thisid_type = 'userfqdn';
 			$thisid_data = "{$id_data}";
 			break;
 		case 'asn1dn':
 			$thisid_data = $id_data;
 			break;
-abd
+            jim-p
 	return array($thisid_type, $thisid_data);
+}
-c3ac0
+            Renato Botelho
-a73fc74
+/*
  * Fixup ID type/data to include prefix when necessary, add quotes, etc.
  */
 function ipsec_fixup_id($type, $data) {
 	/* List of types to pass through as-is without changes or adding prefix */
 	$auto_types = array('address');
 	/* List of types which need the resulting string double quoted. */
 	$quote_types = array('keyid', 'asn1dn');
 	/* If the first character of asn1dn type data is not #, then rely on
 	 * automatic parsing https://redmine.pfsense.org/issues/4792 */
 	if (($type == 'asn1dn') && !empty($data) && ($data[0] != '#')) {
 		$auto_types[] = 'asn1dn';
+	}
 	if ($type == 'any') {
 		$idstring = "";
 	} elseif (!in_array($type, $auto_types)) {
 		$idstring = "{$type}:{$data}";
 	} else {
 		$idstring = $data;
+	}
 	if (in_array($type, $quote_types)) {
 		$idstring = "\"{$idstring}\"";
+	}
 	return $idstring;
+}
-c3ac0
+function ipsec_fixup_network($network) {
-            b37a2e8c
+	if (substr($network, -3) == '|/0') {
-c3ac0
+		$result = substr($network, 0, -3);
-            b37a2e8c
+	} else {
-c3ac0
+		$tmp = explode('|', $network);
-            b37a2e8c
+		if (isset($tmp[1])) {
-c3ac0
+			$result = $tmp[1];
-            b37a2e8c
+		} else {
-c3ac0
+			$result = $tmp[0];
-            b37a2e8c
+            Phil Davis
-c3ac0
+		unset($tmp);
+	}
 	return $result;
+}
-fe208ec
+function ipsec_new_reqid() {
 	global $config;
-            b37a2e8c
+	if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) {
-fe208ec
+		return;
-            b37a2e8c
+            Phil Davis
-fe208ec
+            Ermal LUÇI
 	$ipsecreqid = lock('ipsecreqids', LOCK_EX);
 	$keyids = array();
 	$keyid = 1;
-            b37a2e8c
+	foreach ($config['ipsec']['phase2'] as $ph2) {
-fe208ec
+		$keyids[$ph2['reqid']] = $ph2['reqid'];
-            b37a2e8c
+            Phil Davis
-fe208ec
+            Ermal LUÇI
 	for ($i = 1; $i < 16000; $i++) {
 		if (!isset($keyids[$i])) {
 			$keyid = $i;
 			break;
+		}
+	}
 	unlock($ipsecreqid);
 	return $keyid;
+}
-            e470f721
+function ipsec_get_loglevels() {
 	global $config, $ipsec_log_cats;
 	$def_loglevel = '1';
 	$levels = array();
 	foreach (array_keys($ipsec_log_cats) as $cat) {
 		if (isset($config['ipsec']['logging'][$cat])) {
 			$levels[$cat] = $config['ipsec']['logging'][$cat];
 		} elseif (in_array($cat, array('ike', 'chd', 'cfg'))) {
 			$levels[$cat] = "2";
 		} else {
 			$levels[$cat] = $def_loglevel;
+		}
+	}
 	return $levels;
+}
-            bd4c337c
+            jim-p
-b5
+function ipsec_vti($ph1ent, $returnaddresses = false, $skipdisabled = true) {
-            bd4c337c
+	global $config;
 	if (empty($ph1ent) || !is_array($ph1ent) || !is_array($config['ipsec']['phase2'])) {
 		return false;
+	}
 	$is_vti = false;
 	$vtisubnet_spec = array();
 	foreach ($config['ipsec']['phase2'] as $ph2ent) {
 		if ($ph1ent['ikeid'] != $ph2ent['ikeid']) {
 			continue;
+		}
 		if ($ph2ent['mode'] == 'vti') {
 			if ($returnaddresses) {
 				$vtisubnet_spec[] = array(
-            65767828
+					'left' => ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']),
-            bd4c337c
+					'right' => ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']),
-c051f
+					'descr' => $ph2ent['descr'],
-            bd4c337c
+				);
+			}
-b5
+			if (!$skipdisabled && isset($ph2ent['disabled'])) {
 				continue;
 			} else {
 				$is_vti = true;
+			}
-            bd4c337c
+            jim-p
+	}
 	return ($returnaddresses) ? $vtisubnet_spec : $is_vti;
+}
-            a264f870
+/* Called when IPsec is reloaded through rc.newipsecdns and similar, gives
  * packages an opportunity to execute custom code when IPsec reloads.
  */
 function ipsec_reload_package_hook() {
 	global $g, $config;
-f19e11
+            jim-p
 	init_config_arr(array('installedpackages', 'package'));
-            a264f870
+	foreach ($config['installedpackages']['package'] as $package) {
 		if (!file_exists("/usr/local/pkg/" . $package['configurationfile'])) {
 			continue;
+		}
 		$pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $package['configurationfile'], 'packagegui');
 		if (!empty($pkg_config['include_file']) &&
 		    file_exists($pkg_config['include_file'])) {
 			require_once($pkg_config['include_file']);
+		}
 		if (empty($pkg_config['ipsec_reload_function'])) {
 			continue;
+		}
 		$pkg_ipsec_reload = $pkg_config['ipsec_reload_function'];
 		if (!function_exists($pkg_ipsec_reload)) {
 			continue;
+		}
 		$pkg_ipsec_reload();
+	}
+}
-            c6220dcf
+/****f* certs/ipsec_convert_to_modp
  * NAME
  *   ipsec_convert_to_modp - Take a DH Group number value and return the
  *                           associated name
  * INPUTS
  *   $index: DH group index number to look up
  * RESULT
  *   Returns the Diffie Hellman Group keyword associated with the group number.
  ******/
 function ipsec_convert_to_modp($index) {
 	$modpmap = array(
 		'1' => 'modp768',
 		'2' => 'modp1024',
 		'5' => 'modp1536',
 		'14' => 'modp2048',
 		'15' => 'modp3072',
 		'16' => 'modp4096',
 		'17' => 'modp6144',
 		'18' => 'modp8192',
 		'19' => 'ecp256',
 		'20' => 'ecp384',
 		'21' => 'ecp521',
 		'22' => 'modp1024s160',
 		'23' => 'modp2048s224',
 		'24' => 'modp2048s256',
 		'25' => 'ecp192',
 		'26' => 'ecp224',
 		'27' => 'ecp224bp',
 		'28' => 'ecp256bp',
 		'29' => 'ecp384bp',
 		'30' => 'ecp512bp',
 		'31' => 'curve25519',
 		'32' => 'curve448',
 	);
 	return $modpmap[$index];
+}
 /*
  * Forcefully restart IPsec
  * This is required for when dynamic interfaces reload
  * For all other occasions the normal ipsec_configure()
  * will gracefully reload the settings without restarting
  */
 function ipsec_force_reload($interface = "") {
 	global $g, $config;
 	if (!ipsec_enabled()) {
 		return;
+	}
 	$ipseccfg = $config['ipsec'];
 	if (!empty($interface) && is_array($ipseccfg['phase1'])) {
 		$found = false;
 		foreach ($ipseccfg['phase1'] as $ipsec) {
 			if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) {
 				$found = true;
 				break;
+			}
+		}
 		if (!$found) {
 			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
 			return;
+		}
+	}
 	/* If we get this far then we need to take action. */
 	log_error(gettext("Forcefully reloading IPsec"));
 	ipsec_configure();
+}
 /****f* ipsec/ipsec_strongswan_confgen
  * NAME
  *   ipsec_strongswan_confgen - Generate strongswan.conf style formatted output
  *                              From a multi-dimensional array.
  * INPUTS
  *   $confarr: An array of key=value pairs or key=array entries for subsections.
  *   $indent : A string of tabs used when indenting lines.
  * RESULT
  *   Returns a string of key=value pairs with proper indenting, and with named
  *   subsections enclosed in braces.
  * NOTES
  *   Values starting with a "#" (comments) or "include " will be printed
  *   directly without their associated key name.
  ******/
 function ipsec_strongswan_confgen($confarr, $indent = "") {
 	$confstr = "";
 	/* Only process the contents if it's an array. */
 	if (is_array($confarr)) {
 		foreach ($confarr as $key => $value) {
 			if (is_array($value)) {
 				/* If the array is empty, do not print anything */
 				if (empty($value)) {
 					continue;
+				}
 				/* If this is an array, setup the subsection name
 				 * and structure, then call this function
 				 * recursively to walk the lower array. */
 				$confstr .= "{$indent}{$key} {\n";
 				$confstr .= ipsec_strongswan_confgen($value, $indent . "\t");
 				$confstr .= "{$indent}}\n";
 			} else {
 				$confstr .= "{$indent}";
 				if ((substr($value, 0 , 1) != '#') &&
 				    (substr($value, 0 , 8) != 'include ')) {
 					/* Not a comment or include, print the key */
 					$confstr .= "{$key} = ";
+				}
 				$confstr .= "{$value}\n";
+			}
+		}
+	}
 	return $confstr;
+}
 global $g, $ipsec_swanctl_basedir, $ipsec_swanctl_dirs;
 $ipsec_swanctl_basedir = "{$g['varetc_path']}/ipsec";
 $ipsec_swanctl_dirs = array(
 	'conf'     => "{$ipsec_swanctl_basedir}/conf.d",
 	'certpath' => "{$ipsec_swanctl_basedir}/x509",
 	'capath'   => "{$ipsec_swanctl_basedir}/x509ca",
 	'aapath'   => "{$ipsec_swanctl_basedir}/x509aa",
 	'ocsppath' => "{$ipsec_swanctl_basedir}/x509ocsp",
 	'crlpath'  => "{$ipsec_swanctl_basedir}/x509crl",
 	'acpath'   => "{$ipsec_swanctl_basedir}/x509ac",
 	'rsakeys'  => "{$ipsec_swanctl_basedir}/rsa",
 	'eckeys'   => "{$ipsec_swanctl_basedir}/ecdsa",
 	'keypath'  => "{$ipsec_swanctl_basedir}/private",
 	'pubkpath' => "{$ipsec_swanctl_basedir}/pubkey",
 	'blisspath' => "{$ipsec_swanctl_basedir}/bliss",
 	'pkcs8path' => "{$ipsec_swanctl_basedir}/pkcs8",
 	'pkcs12path' => "{$ipsec_swanctl_basedir}/pkcs12",
 );
 /****f* ipsec/ipsec_create_dirs
  * NAME
  *   ipsec_create_dirs - Create default set of strongSwan configuration directories.
  * INPUTS
  *   None
  * RESULT
  *   Cleans up and creates strongSwan configuration directories and links.
  ******/
 function ipsec_create_dirs() {
 	global $config, $g, $ipsec_swanctl_basedir, $ipsec_swanctl_dirs;
 	/* Cleanup base paths to ensure old files are not left behind (#5238) */
 	if (!empty($ipsec_swanctl_basedir)) {
 		@rmdir_recursive($ipsec_swanctl_basedir, false);
+	}
 	/* Create directory structure */
 	array_map('safe_mkdir', array_values($ipsec_swanctl_dirs));
 	/* Create and link strongSwan config */
 	$ssdpath = "{$g['varetc_path']}/ipsec/strongswan.d";
 	if (!file_exists($ssdpath) || !is_link($ssdpath)) {
 		if (is_dir($ssdpath) && !is_link($ssdpath)) {
 			@rmdir_recursive($ssdpath, false);
 		} else {
 			@unlink($ssdpath);
+		}
 		@symlink("/usr/local/etc/strongswan.d",
 		    $ssdpath);
+	}
 	if (!file_exists("/usr/local/etc/strongswan.conf") ||
 	    !is_link("/usr/local/etc/strongswan.conf")) {
 		@unlink("/usr/local/etc/strongswan.conf");
 		@symlink("{$g['varetc_path']}/ipsec/strongswan.conf",
 		    "/usr/local/etc/strongswan.conf");
+	}
+}
 /****f* ipsec/ipsec_setup_gwifs
  * NAME
  *   ipsec_setup_gwifs - Setup IPsec-related interfaces and gateways
  * INPUTS
  *   None
  * RESULT
  *   Sets up VTI interfaces and gateways, populates ipsecpinghosts
  ******/
 function ipsec_setup_gwifs() {
 	global $g, $a_phase1, $a_phase2, $rgmap, $filterdns_list,
 		$aggressive_mode_psk, $mobile_ipsec_auth, $ifacesuse,
 		$ipsecpinghostsactive;
 	/* resolve all local, peer addresses and setup pings */
 	unset($iflist);
 	if (is_array($a_phase1) && count($a_phase1)) {
 		$ipsecpinghosts = array();
 		/* step through each phase1 entry */
 		foreach ($a_phase1 as $ph1ent) {
 			if (isset($ph1ent['disabled'])) {
 				continue;
+			}
 			if (substr($ph1ent['interface'], 0, 4) == "_vip") {
 				$vpninterface = get_configured_vip_interface($ph1ent['interface']);
 				$ifacesuse[] = get_real_interface($vpninterface);
 			} else {
 				$vpninterface = get_failover_interface($ph1ent['interface']);
 				if (substr($vpninterface, 0, 4) == "_vip") {
 					$vpninterface = get_configured_vip_interface($vpninterface);
 					$ifacesuse[] = get_real_interface($vpninterface);
 				} elseif (!empty($vpninterface)) {
 					$ifacesuse[] = $vpninterface;
+				}
+			}
 			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) {
 				$aggressive_mode_psk = true;
+			}
 			$ikeid = $ph1ent['ikeid'];
 			$local_spec = ipsec_get_phase1_src($ph1ent);
 			/* When automatically guessing, use the first address. */
 			$local_spec  = explode(',', $local_spec);
 			$local_spec  = $local_spec[0];
 			if (!is_ipaddr($local_spec)) {
 				log_error(sprintf(gettext("IPsec ERROR: Could not find phase 1 source for connection %s. Omitting from configuration file."), $ph1ent['descr']));
 				continue;
+			}
 			if (isset($ph1ent['mobile'])) {
 				$mobile_ipsec_auth = $ph1ent['authentication_method'];
 				continue;
+			}
 			/* see if this tunnel has a hostname for the remote-gateway. If so,
 			   try to resolve it now and add it to the list for filterdns */
 			$rg = $ph1ent['remote-gateway'];
 			if (!is_ipaddr($rg)) {
 				$filterdns_list[] = "{$rg}";
 				add_hostname_to_watch($rg);
 				if (!platform_booting()) {
-            d3ac1cea
+					$rg = resolve_retry($rg, $ph1ent['protocol']);
-            c6220dcf
+            jim-p
 				if (!is_ipaddr($rg)) {
 					continue;
+				}
+			}
-            d0cd4fc7
+			if (!isset($ph1ent['gw_duplicates']) && array_search($rg, $rgmap)) {
-            c6220dcf
+				log_error(sprintf(gettext("The remote gateway %s already exists on another phase 1 entry"), $rg));
 				continue;
+			}
 			$rgmap[$ph1ent['remote-gateway']] = $rg;
 			$is_vti = false;
 			if (is_array($a_phase2)) {
 				/* step through each phase2 entry */
 				foreach ($a_phase2 as $ph2ent) {
 					if ($ph2ent['mode'] == 'vti') {
 						$is_vti = true;
+					}
 					if (isset($ph2ent['disabled']) || ($ikeid != $ph2ent['ikeid'])) {
 						continue;
+					}
 					/* add an ipsec pinghosts entry */
 					if ($ph2ent['pinghost']) {
 						if (!is_array($iflist)) {
 							$iflist = get_configured_interface_list();
+						}
 						$srcip = null;
 						$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 						if (is_ipaddrv6($ph2ent['pinghost'])) {
 							foreach ($iflist as $ifent => $ifname) {
 								$interface_ip = get_interface_ipv6($ifent);
 								if (!is_ipaddrv6($interface_ip)) {
 									continue;
+								}
 								if (ip_in_subnet($interface_ip, $local_subnet)) {
 									$srcip = $interface_ip;
 									break;
+								}
+							}
 						} else {
 							foreach ($iflist as $ifent => $ifname) {
 								$interface_ip = get_interface_ip($ifent);
 								if (!is_ipaddrv4($interface_ip)) {
 									continue;
+								}
 								if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
 									$srcip = $interface_ip;
 									break;
+								}
+							}
+						}
 						/* if no valid src IP was found in configured interfaces, try the vips */
 						if (is_null($srcip)) {
 							$viplist = get_configured_vip_list();
 							foreach ($viplist as $vip => $address) {
 								if (ip_in_subnet($address, $local_subnet)) {
 									$srcip = $address;
 									break;
+								}
+							}
+						}
 						$dstip = $ph2ent['pinghost'];
 						$family = "inet" . (is_ipaddrv6($dstip)) ? "6" : "";
 						if (is_ipaddr($srcip)) {
 							$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
 							$ipsecpinghostsactive = true;
+						}
+					}
+				}
+			}
 			if ($is_vti) {
 				interface_ipsec_vti_configure($ph1ent);
+			}
+		}
 		@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
 		unset($ipsecpinghosts);
+	}
 	unset($iflist);
+}
 /****f* ipsec/ipsec_logging_config
  * NAME
  *   ipsec_logging_config - Generate an array containing strongSwan logging
  *                          values.
  * INPUTS
  *   None
  * RESULT
  *   Returns an array which can be merged into the strongswan daemon logging
  *   values so that each logging category is represented, even those not listed
  *   in config.xml.
  ******/
 function ipsec_logging_config() {
 	global $config, $ipsec_log_cats, $ipsec_log_sevs;
 	$logcfg = array();
 	$log_levels = ipsec_get_loglevels();
 	foreach (array_keys($ipsec_log_cats) as $cat) {
 		if (is_numeric($log_levels[$cat]) &&
 		    in_array(intval($log_levels[$cat]), array_keys($ipsec_log_sevs), true)) {
 			$logcfg[$cat] = $log_levels[$cat];
+		}
+	}
 	return $logcfg;
+}
 /****f* ipsec/ipsec_setup_strongswan
  * NAME
  *   ipsec_setup_strongswan - Generate the strongswan.conf configuration file.
  * INPUTS
  *   None
  * RESULT
  *   Determines strongswan.conf values and crafts the configuration file in the
  *   appropriate format.
  * NOTES
  *   Called from ipsec_configure()
  ******/
 function ipsec_setup_strongswan() {
 	global $config, $g, $mobile_ipsec_auth, $a_client, $a_phase2, $aggressive_mode_psk, $ifacesuse;
 	/* strongswan.conf array */
 	$ssconf = array();
 	$ssconf[] = "# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.";
 	$ssconf['starter'] = array();
 	$ssconf['starter']['load_warning'] = "no";
 	$ssconf['charon'] = array();
 	$ssconf['charon'][] = '# number of worker threads in charon';
 	$ssconf['charon']['threads'] = '16';
 	$ssconf['charon']['ikesa_table_size'] = '32';
 	$ssconf['charon']['ikesa_table_segments'] = '4';
 	$ssconf['charon']['init_limit_half_open'] = '1000';
 	$ssconf['charon']['install_routes'] = 'no';
 	$ssconf['charon']['load_modular'] = 'yes';
 	$ssconf['charon']['ignore_acquire_ts'] = 'yes';
 	if ($aggressive_mode_psk) {
 		$stronconf = '';
 		if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) {
 			$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
+		}
 		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
 		$restart = (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE);
 		unset($stronconf);
 		$ssconf['charon']['i_dont_care_about_security_and_use_aggressive_mode_psk'] = "yes";
+	}
 	if (isset($config['ipsec']['acceptunencryptedmainmode'])) {
 		$ssconf['charon']['accept_unencrypted_mainmode_messages'] = "yes";
+	}
-a879d79
+	if (isset($config['ipsec']['maxexchange'])) {
 		$ssconf['charon']['max_ikev1_exchanges'] = $config['ipsec']['maxexchange'];
+	}
-            c6220dcf
+	$unity_enabled = isset($config['ipsec']['unityplugin']) ? 'yes' : 'no';
 	$ssconf['charon']['cisco_unity'] = $unity_enabled;
 	if (isset($config['ipsec']['enableinterfacesuse']) && !empty($ifacesuse)) {
 		$ssconf['charon']['interfaces_use'] = implode(',', array_unique($ifacesuse));
+	}
 	if (isset($config['ipsec']['makebeforebreak'])) {
 		$ssconf['charon']['make_before_break'] = "yes";
+	}
-ed9792
+	if (isset($config['ipsec']['port'])) {
 		$ssconf['charon']['port'] = $config['ipsec']['port'];
+	}
 	if (isset($config['ipsec']['port_nat_t'])) {
 		$ssconf['charon']['port_nat_t'] = $config['ipsec']['port_nat_t'];
+	}
-            c6220dcf
+	$ssconf['charon']['syslog'] = array();
 	$ssconf['charon']['syslog']['identifier'] = 'charon';
 	$ssconf['charon']['syslog'][] = "# log everything under daemon since it ends up in the same place regardless with our syslog.conf";
 	$ssconf['charon']['syslog']['daemon'] = array();
 	$ssconf['charon']['syslog']['daemon']['ike_name'] = 'yes';
 	$ssconf['charon']['syslog']['daemon'] = array_merge($ssconf['charon']['syslog']['daemon'], ipsec_logging_config());
 	$ssconf['charon']['syslog'][] = '# disable logging under auth so logs aren\'t duplicated';
 	$ssconf['charon']['syslog']['auth'] = array();
 	$ssconf['charon']['syslog']['auth']['default'] = -1;
 	$ssconf['charon']['plugins'] = array();
 	$ssconf['charon']['plugins'][] = "# Load defaults";
 	$ssconf['charon']['plugins'][] = "include {$g['varetc_path']}/ipsec/strongswan.d/charon/*.conf";
 	$ssconf['charon']['plugins']['unity'] = array('load' => $unity_enabled);
 	$ssconf['charon']['plugins']['curve25519'] = array('load' => "yes");
-f143b6e
+	$ssconf['charon']['plugins']['pkcs11'] = array();
 	$ssconf['charon']['plugins']['pkcs11']['load'] = "yes";
 	$ssconf['charon']['plugins']['pkcs11']['modules'] = array();
 	$ssconf['charon']['plugins']['pkcs11']['modules']['opensc'] = array();
 	$ssconf['charon']['plugins']['pkcs11']['modules']['opensc']['load_certs'] = "yes";
 	$ssconf['charon']['plugins']['pkcs11']['modules']['opensc']['path'] = "/usr/local/lib/opensc-pkcs11.so";
-            c6220dcf
+	/* Find RADIUS servers designated for Mobile IPsec user auth */
 	$radius_servers = array();
 	foreach (explode(',', $config['ipsec']['client']['user_source']) as $user_source) {
 		$auth_server = auth_get_authserver($user_source);
 		$nice_user_source = strtolower(preg_replace('/[\s\.]+/', '_', $user_source));
 		if ($auth_server && ($auth_server['type'] === 'radius')) {
 			$radius_servers[$nice_user_source] = array();
 			$radius_servers[$nice_user_source]['address'] = $auth_server['host'];
 			$radius_servers[$nice_user_source]['secret'] = "\"{$auth_server['radius_secret']}\"";
 			$radius_servers[$nice_user_source]['auth_port'] = empty($auth_server['radius_auth_port']) ? 1812 : $auth_server['radius_auth_port'];;
 			$radius_servers[$nice_user_source]['acct_port'] = empty($auth_server['radius_acct_port']) ? 1813 : $auth_server['radius_acct_port'];
+		}
+	}
 	/* Generate an eap-radius config section if appropriate */
 	if (count($radius_servers) && ($mobile_ipsec_auth === "eap-radius")) {
 		$ssconf['charon']['plugins']['eap-radius'] = array();
-            f9c9899b
+		$ssconf['charon']['plugins']['eap-radius']['load'] = "2";
-            c6220dcf
+		$ssconf['charon']['plugins']['eap-radius']['class_group'] = "yes";
 		$ssconf['charon']['plugins']['eap-radius']['eap_start'] = "no";
 		/* Activate RADIUS accounting only if it was selected on the IPsec Mobile Clients tab */
 		if ($auth_server && isset($auth_server['radius_acct_port']) &&
 		    (is_array($a_client) && ($a_client['radiusaccounting'] == "enabled"))){
 			$ssconf['charon']['plugins']['eap-radius']['accounting'] = "yes";
 			$ssconf['charon']['plugins']['eap-radius']['accounting_close_on_timeout'] = "no";
+		}
 		$ssconf['charon']['plugins']['eap-radius']['servers'] = $radius_servers;
+	}
 	if (is_array($a_client) && isset($a_client['enable'])) {
 		if ($a_client['user_source'] != "none") {
 			$ssconf['charon']['plugins']['xauth-generic'] = array();
 			$ssconf['charon']['plugins']['xauth-generic']['script'] = "/etc/inc/ipsec.auth-user.php";
 			$authcfgs = array();
 			foreach (explode(",", $a_client['user_source']) as $authcfg) {
 				$authcfgs[] = ($authcfg == "system") ? "Local Database" : $authcfg;
+			}
 			$ssconf['charon']['plugins']['xauth-generic']['authcfg'] = implode(",", $authcfgs);
+		}
+	}
 	@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", ipsec_strongswan_confgen($ssconf));
+}
 /****f* ipsec/ipsec_setup_pools
  * NAME
  *   ipsec_setup_pools - Generate primary mobile pool configuration for swanctl
   * INPUTS
  *   None
  * RESULT
  *   Adds configured mobile pool settings to $scconf
  * NOTES
  *   These values were formerly in strongswan.conf but may now be configured in
  *   pools, making future expansion to support multiple pools possible.
  ******/
 function ipsec_setup_pools() {
 	global $config, $g, $mobile_ipsec_auth, $a_client, $a_phase2, $scconf;
 	if (!is_array($a_client) || !isset($a_client['enable'])) {
 		return;
+	}
-            f9c9899b
+	if (($mobile_ipsec_auth == "eap-radius") && empty($a_client['pool_address']) &&
 	    empty($a_client['pool_address_v6'])) {
 		return;
+	}
-            faf07413
+	$scconf['mobile-pool'] = array();
 	$scconf['pools'] = array();
 	$pool_common =& $scconf['mobile-pool'];
-            c6220dcf
+            jim-p
 	$rightdnsservers = array();
 	if (!empty($a_client['dns_server1'])) {
 		$rightdnsservers[] = $a_client['dns_server1'];
+	}
 	if (!empty($a_client['dns_server2'])) {
 		$rightdnsservers[] = $a_client['dns_server2'];
+	}
 	if (!empty($a_client['dns_server3'])) {
 		$rightdnsservers[] = $a_client['dns_server3'];
+	}
 	if (!empty($a_client['dns_server4'])) {
 		$rightdnsservers[] = $a_client['dns_server4'];
+	}
 	if (count($rightdnsservers)) {
-a5c28
+		$pool_common['dns'] = implode(',', $rightdnsservers);
-            c6220dcf
+            jim-p
 	$cfgservers = array();
 	if (!empty($a_client['wins_server1'])) {
 		$cfgservers[] = $a_client['wins_server1'];
+	}
 	if (!empty($a_client['wins_server2'])) {
 		$cfgservers[] = $a_client['wins_server2'];
+	}
 	if (!empty($cfgservers)) {
-a5c28
+		$pool_common['nbns'] = implode(",", $cfgservers);
-            c6220dcf
+            jim-p
 	unset($cfgservers);
-a5c28
+	$net_list4 = array();
 	$net_list6 = array();
-            c6220dcf
+	if (isset($a_client['net_list']) && is_array($a_phase2)) {
 		foreach ($a_phase2 as $ph2ent) {
 			if (isset($ph2ent['disabled']) ||
 			    !isset($ph2ent['mobile'])) {
 				continue;
+			}
-a5c28
+			$nlent = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 			if (is_subnetv4($nlent)) {
 				$net_list4[] = $nlent;
 			} elseif (is_subnetv6($nlent)) {
 				$net_list6[] = $nlent;
+			}
 			unset($nlent);
-            c6220dcf
+            jim-p
+	}
 	if (!empty($a_client['dns_domain'])) {
-a5c28
+		$pool_common[] = "# Search domain and default domain";
 		$pool_common['28674'] = "\"{$a_client['dns_domain']}\"";
-            c6220dcf
+		if (empty($a_client['dns_split'])) {
-a5c28
+			$pool_common['28675'] = "\"{$a_client['dns_domain']}\"";
-            c6220dcf
+            jim-p
+	}
 	if (!empty($a_client['dns_split'])) {
-a5c28
+		$pool_common['28675'] = "\"{$a_client['dns_split']}\"";
-            c6220dcf
+            jim-p
 	if (!empty($a_client['login_banner'])) {
-a5c28
+		$pool_common['28672'] = "\"{$a_client['login_banner']}\"";
-            c6220dcf
+            jim-p
 	if (isset($a_client['save_passwd'])) {
-a5c28
+		$pool_common['28673'] = "1";
-            c6220dcf
+            jim-p
 	if ($a_client['pfs_group']) {
-a5c28
+		$pool_common['28679'] = "\"{$a_client['pfs_group']}\"";
+	}
 	if (!empty($a_client['pool_address'])) {
 		$scconf['pools']['mobile-pool-v4 : mobile-pool'] = array();
 		$v4pool =& $scconf['pools']['mobile-pool-v4 : mobile-pool'];
 		$v4pool['addrs'] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
 		if (!empty($net_list4)) {
 			$v4pool['subnet'] = implode(",", $net_list4);
 			$v4pool['split_include'] = implode(",", $net_list4);
 			unset($net_list4);
+		}
+	}
 	if (!empty($a_client['pool_address_v6'])) {
 		$scconf['pools']['mobile-pool-v6 : mobile-pool'] = array();
 		$v6pool =& $scconf['pools']['mobile-pool-v6 : mobile-pool'];
 		$v6pool['addrs'] = "{$a_client['pool_address_v6']}/{$a_client['pool_netbits_v6']}";
 		if (!empty($net_list6)) {
 			$v6pool['subnet'] = implode(",", $net_list6);
 			$v6pool['split_include'] = implode(",", $net_list6);
 			unset($net_list6);
+		}
-            c6220dcf
+            jim-p
 	return;
+}
 /****f* ipsec/ipsec_setup_userpools
  * NAME
  *   ipsec_setup_userpools - Generate per-user custom pool settings for swanctl
   * INPUTS
  *   None
  * RESULT
  *   Adds configured per-user pool settings to $scconf using the primary mobile
  *   pool as a base configuration.
  * NOTES
  *   Given this new flexible format, it is now possible to override any valid
  *   pool setting, so future expansion of per-user settings is possible.
  ******/
 function ipsec_setup_userpools() {
 	global $config, $scconf;
 	$a_mobilekey = $config['ipsec']['mobilekey'];
 	/* Do not waste time if we do not have all the necessary information. */
 	if (!is_array($a_mobilekey) ||
 	    empty($a_mobilekey) ||
 	    !is_array($scconf['connections']) ||
-            faf07413
+	    !is_array($scconf['con-mobile-defaults']) ||
-            c6220dcf
+	    !is_array($scconf['pools']) ||
-            faf07413
+	    !is_array($scconf['mobile-pool'])) {
-            c6220dcf
+		return;
+	}
 	$suffix = 1;
 	foreach ($a_mobilekey as $mkent) {
 		if (($mkent['type'] != "EAP") ||
 		    !isset($mkent['ident_type']) ||
 		    !isset($mkent['pool_address']) ||
 		    !isset($mkent['pool_netbits']) ||
 		    (strlen($mkent['pool_address']) < 1) ||
 		    !is_ipaddr($mkent['pool_address'])) {
 			continue;
+		}
 		/* The name of just this pool */
 		$upbase = "mobile-userpool-{$suffix}";
 		/* The full connection name including a reference to the primary
 		 * mobile connection */
-            faf07413
+		$upconn = "con-{$upbase} : con-mobile-defaults";
-            c6220dcf
+		/* The full pool name including a reference to the primary
 		 * mobile pool */
 		$upname = "{$upbase} : mobile-pool";
 		$scconf['connections'][$upconn] = array();
 		$scconf['pools'][$upname] = array();
 		$clientid = ($mkent['ident_type'] == "none") ? "\"{$mkent['ident']}\"" : "{$mkent['ident_type']}:{$mkent['ident']}";
 		$clienteapid = ($ph1ent['authentication_method'] == "eap-mschapv2") ? $clientid : '%any';
 		/* Craft a cloned connection with the ID information to match */
 		$scconf['connections'][$upconn]['remote'] = array();
 		$scconf['connections'][$upconn]['remote']['id'] = $clientid;
 		$scconf['connections'][$upconn]['remote']['eap_id'] = $clienteapid;
 		$scconf['connections'][$upconn]['pools'] = $upbase;
 		/* Craft a cloned pool with pool settings to override for this user */
 		$scconf['pools'][$upname]['addrs'] = "{$mkent['pool_address']}/{$mkent['pool_netbits']}";
 		if (isset($mkent['dns_address']) && strlen($mkent['dns_address']) > 0 && is_ipaddr($mkent['dns_address'])) {
 			$scconf['pools'][$upname]['dns'] = $mkent['dns_address'];
+		}
 		$suffix++;
+	}
 	return;
+}
-b52494
+/****f* ipsec/ipsec_setup_bypass
-            c6220dcf
+ * NAME
-b52494
+ *   ipsec_setup_bypass - Generate a bypass connection for LAN-LAN and custom rules traffic
-            c6220dcf
+ * INPUTS
  *   None
  * RESULT
  *   Sets up a bypass connection to prevent local traffic from being caught by
  *   IPsec policies.
  ******/
-b52494
+function ipsec_setup_bypass() {
-            c6220dcf
+	global $config, $scconf;
-b52494
+            Viktor Gurov
 	$scconf['connections']['bypass'] = array();
 	/* Prevents the connection from being considered for remote peers */
 	$scconf['connections']['bypass']['remote_addrs'] = "127.0.0.1";
 	$scconf['connections']['bypass']['children'] = array();
-            c6220dcf
+	/* Locate the LAN IPv4 and IPv6 subnets */
-b52494
+	$bypassnets = array();
-            c6220dcf
+	if ($config['interfaces']['lan']) {
 		$lanip = get_interface_ip("lan");
 		if (!empty($lanip) && is_ipaddrv4($lanip)) {
 			$lansn = get_interface_subnet("lan");
 			$lansa = gen_subnetv4($lanip, $lansn);
 			if (!empty($lansa) && !empty($lansn)) {
 				$bypassnets[] = "{$lansa}/{$lansn}";
+			}
+		}
 		$lanip6 = get_interface_ipv6("lan");
 		if (!empty($lanip6) && is_ipaddrv6($lanip6)) {
 			$lansn6 = get_interface_subnetv6("lan");
 			$lansa6 = gen_subnetv6($lanip6, $lansn6);
 			if (!empty($lansa6) && !empty($lansn6)) {
 				$bypassnets[] = "{$lansa6}/{$lansn6}";
+			}
+		}
+	}
-b52494
+	/* If we have viable targets, setup a bypass LAN connection */
 	if (!empty($bypassnets) && !isset($config['ipsec']['noshuntlaninterfaces'])) {
-            c6220dcf
+		$bypass = implode(',', $bypassnets);
-b52494
+		$scconf['connections']['bypass']['children']['bypasslan'] = array();
 		$scconf['connections']['bypass']['children']['bypasslan']['local_ts'] = $bypass;
 		$scconf['connections']['bypass']['children']['bypasslan']['remote_ts'] = $bypass;
 		$scconf['connections']['bypass']['children']['bypasslan']['mode'] = "pass";
 		$scconf['connections']['bypass']['children']['bypasslan']['start_action'] = "trap";
-            c6220dcf
+            jim-p
-b52494
+            Viktor Gurov
 	/* Setup custom bypass rules */
 	if ((isset($config['ipsec']['ipsecbypass']) && $config['ipsec']['bypassrules']) &&
 	    is_array($config['ipsec']['bypassrules'])) {
 		foreach ($config['ipsec']['bypassrules']['rule'] as $id => $rule) {
 			$scconf['connections']['bypass']['children']["rule{$id}"] = array();
 			$scconf['connections']['bypass']['children']["rule{$id}"]["local_ts"] = $rule['source'] .
 			       	"/" . $rule['srcmask'];
 			$scconf['connections']['bypass']['children']["rule{$id}"]["remote_ts"] = $rule['destination'] .
 			       	"/" . $rule['dstmask'];
 			$scconf['connections']['bypass']['children']["rule{$id}"]["mode"] = "pass";
 			$scconf['connections']['bypass']['children']["rule{$id}"]["start_action"] = "trap";
+		}
+	}
-            c6220dcf
+	return;
+}
 /****f* ipsec/ipsec_setup_routes
  * NAME
  *   ipsec_setup_routes - Setup OS routing table static routes for remote peers.
  *                        This ensures that IPsec connections are routed out of
  *                        the expected interface on egress.
  * INPUTS
  *   $interface : The interface upon which routes will be configured.
  *   $family    : The address family ('inet' or 'inet6')
  *   $sourcehost: The local source address used for initiating connections.
-            d0cd4fc7
+ *   $duplicates: If the ipsec tunnel allows duplicates remote peers
-            c6220dcf
+ * RESULT
  *   Static routes in the OS routing table for IPsec peers
  ******/
-            ab380916
+function ipsec_setup_routes($interface, $family, $sourcehost, $duplicates) {
-            c6220dcf
+	if (substr($interface, 0, 4) == "_vip") {
 		$vpninterface = get_configured_vip_interface($interface);
 		if (substr($vpninterface, 0, 4) == "_vip") {
 			// vips are nested if its a ipalias with a carp parent
 			$vpninterface = get_configured_vip_interface($vpninterface);
+		}
 		$ifacesuse = get_real_interface($vpninterface);
 	} else {
 		$ifacesuse = get_failover_interface($interface);
 		if (substr($ifacesuse, 0, 4) == "_vip") {
 			$vpninterface = get_configured_vip_interface($ifacesuse);
 			$ifacesuse = get_real_interface($vpninterface);
 		} else {
 			$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
+		}
+	}
-d8a9b0
+	if ($family == 'inet' && !empty($ifacesuse) &&
 	    interface_has_gateway($vpninterface)) {
 		$gatewayip = get_interface_gateway($vpninterface);
 		$interfaceip = get_interface_ip($vpninterface);
 		$subnet_bits = get_interface_subnet($vpninterface);
 		$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
-cb4df
+		/*
 		 * if the remote gateway is in the local subnet, then don't add
 		 * a route
 		 */
-d8a9b0
+		if (is_ipaddrv4($sourcehost) &&
 		    !ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}") &&
 		    is_ipaddrv4($gatewayip) && !$duplicates) {
-            c428cdf4
+			route_add_or_change($sourcehost, $gatewayip);
-            c6220dcf
+            jim-p
-d8a9b0
+	} else if ($family == 'inet6' && !empty($ifacesuse) &&
 	    interface_has_gatewayv6($vpninterface)) {
 		$gatewayip = get_interface_gateway_v6($vpninterface);
 		$interfaceip = get_interface_ipv6($vpninterface);
 		$subnet_bits = get_interface_subnetv6($vpninterface);
 		$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
-cb4df
+		/*
 		 * if the remote gateway is in the local subnet, then don't add
 		 * a route
 		 */
-d8a9b0
+		if (is_ipaddrv6($sourcehost) &&
 		    !ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}") &&
 		    is_ipaddrv6($gatewayip) && !$duplicates) {
-            c428cdf4
+			route_add_or_change($sourcehost, $gatewayip);
-            c6220dcf
+            jim-p
+	}
 	return $ifacesuse;
+}
 /****f* ipsec/ipsec_setup_authentication
  * NAME
  *   ipsec_setup_authentication - Generate an array with local/remote
  *                                authentication information for a given IPsec
  *                                Phase 1.
  * INPUTS
  *   $ph1ent: An IPsec Phase 1 configuration
  *   $conn  : A swanctl connection array corresponding to the IPsec Phase 1.
  * RESULT
  *   Populates $conn with local and remote arrays containing authentication
  *   details.
  ******/
 function ipsec_setup_authentication(& $ph1ent, & $conn) {
-ed92e19
+	global $rgmap, $ipsec_swanctl_dirs, $config;
-            c6220dcf
+	$local = array();
 	$remote = array();
 	$remote2 = array();
 	list($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
 	$localid = ipsec_fixup_id($myid_type, $myid_data);
 	if (!empty($localid)) {
 		$local['id'] = $localid;
+	}
 	// Only specify peer ID if we are not dealing with mobile PSK
 	if (!(isset($ph1ent['mobile']) &&
 	    in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server")))) {
 		list ($remoteid_type, $remoteid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
 		$remoteid = ipsec_fixup_id($remoteid_type, $remoteid_data);
+	}
 	if (!empty($remoteid)) {
 		$remote['id'] = $remoteid;
+	}
 	if (!empty($ph1ent['caref'])) {
 		$ca = lookup_ca($ph1ent['caref']);
 		if ($ca) {
 			/* Get hash value to use for filename */
 			$ca_details = openssl_x509_parse(base64_decode($ca['crt']));
 			$cafn = "{$ipsec_swanctl_dirs['capath']}/{$ca_details['hash']}.0";
+		}
+	}
 	$authentication = "";
 	switch ($ph1ent['authentication_method']) {
 		case 'eap-mschapv2':
 			if (isset($ph1ent['mobile'])) {
 				$local['auth'] = "pubkey";
 				$remote['eap_id'] = "%any";
 				$remote['auth'] = "eap-mschapv2";
+			}
 			break;
 		case 'eap-tls':
 			if (isset($ph1ent['mobile'])) {
 				$local['auth'] = "pubkey";
 				$remote['eap_id'] = "%any";
 			} else {
 				$local['auth'] = "eap-tls";
+			}
 			$remote['auth'] = "eap-tls";
 			break;
 		case 'eap-radius':
 			if (isset($ph1ent['mobile'])) {
 				$local['auth'] = "pubkey";
 				$remote['eap_id'] = "%any";
 			} else {
 				$local['auth'] = "eap-radius";
+			}
-ed92e19
+			if (($config['ipsec']['client']['group_source'] == 'enabled') &&
 			    !empty($config['ipsec']['client']['auth_groups'])) {
 				$remote['groups'] = $config['ipsec']['client']['auth_groups'];
+			}
-            c6220dcf
+			$remote['auth'] = "eap-radius";
 			break;
 		case 'xauth_cert_server':
 			$local['auth'] = "pubkey";
 			$remote['auth'] = "pubkey";
 			$remote2['auth'] = "xauth-generic";
 			break;
 		case 'xauth_psk_server':
 			$local['auth'] = "psk";
 			$remote['auth'] = "psk";
 			$remote2['auth'] = "xauth-generic";
 			break;
 		case 'pre_shared_key':
 			$local['auth'] = "psk";
 			$remote['auth'] = "psk";
 			break;
 		case 'cert':
-c120b1f
+		case 'pkcs11':
-            c6220dcf
+			$local['auth'] = "pubkey";
 			$remote['auth'] = "pubkey";
 			break;
 		case 'hybrid_cert_server':
 			$local['auth'] = "pubkey";
 			$remote['auth'] = "xauth-generic";
 			break;
+	}
 	if (in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius', 'xauth_cert_server', 'cert', 'hybrid_cert_server')) &&
 	    !empty($ph1ent['certref'])) {
-f143b6e
+		$local['cert'] = array('file' => "{$ipsec_swanctl_dirs['certpath']}/cert-{$ph1ent['ikeid']}.crt");
 		$conn['send_cert'] = "always";
+	}
 	if ($ph1ent['authentication_method'] == 'pkcs11') {
 		$local['cert'] = array('handle' => "{$ph1ent['pkcs11certref']}");
-            c6220dcf
+		$conn['send_cert'] = "always";
+	}
-f143b6e
+	if (in_array($ph1ent['authentication_method'], array('eap-tls', 'xauth_cert_server', 'cert', 'pkcs11')) &&
-            c6220dcf
+	    isset($cafn)) {
 		$remote['cacerts'] = $cafn;
+	}
 	$conn['local'] = $local;
 	/* If there is data for a second remote auth round, setup two remote
 	 * arrays with unique names, otherwise setup a single remote. */
 	if (empty($remote2)) {
 		$conn['remote'] = $remote;
 	} else {
 		$conn['remote-1'] = $remote;
 		$conn['remote-2'] = $remote2;
+	}
+}
 /****f* ipsec/ipsec_setup_proposal_algo
  * NAME
  *   ipsec_setup_proposal_algo - Form a single proposal algorithm string
  * INPUTS
  *   $ealg_id: Encryption algorithm ID
  *   $keylen : Key length for the encryption algorithm
  *   $halgo  : Hash algorithm
  *   $modp   : DH Group number
  * RESULT
  *   Returns a string using the available information to form a single proposal
  *   algorithm definition.
  * NOTES
  *   Values left empty will not be added to the string. Some combinations may
  *   require one or more parts to be omitted.
  ******/
-            f5ddbec1
+function ipsec_setup_proposal_algo($ealg_id, $keylen, $halgo, $prfalgo, $modp) {
-            c6220dcf
+	$palgo = "";
 	/* Add the encryption algorithm (if present) */
 	if (!empty($ealg_id)) {
 		$palgo .= "{$ealg_id}";
+	}
 	/* Add the key length (if present) */
 	if (!empty($keylen)) {
 		$palgo .= "{$keylen}";
+	}
 	/* Add the hash algorithm (if present) */
-cdd7dd2
+	if (!empty($halgo)) {
-            c6220dcf
+		/* If there is some content in the propsal already, add a
 		 * separator */
 		if (!empty($palgo)) {
 			$palgo .= "-";
+		}
 		$halgo = str_replace('hmac_', '', $halgo);
 		$palgo .= "{$halgo}";
+	}
-            f5ddbec1
+	if (!empty($prfalgo)) {
 		$palgo .= "-prf{$prfalgo}";
+	}
-            c6220dcf
+	/* Convert the DH group to its keyword and add (if present) */
 	$modp = ipsec_convert_to_modp($modp);
 	if (!empty($modp)) {
 		$palgo .= "-{$modp}";
+	}
 	return $palgo;
+}
 /****f* ipsec/ipsec_setup_proposal_entry
  * NAME
  *   ipsec_setup_proposal_entry - Generate a full proposal string for an IPsec
  *                                Phase 2 configuration.
  * INPUTS
  *   $ph2ent  : An IPsec Phase 2 configuration
  *   $algo_arr: An array in which all proposal algorithms are collected
  *   $ealg_id : Encryption algorithm ID
  *   $keylen  : Key length for the encryption algorithm
  * RESULT
  *   Returns a string containing all proposal elements, and merges the entries
  *   to $algo_arr as well.
  ******/
 function ipsec_setup_proposal_entry(& $ph2ent, & $algo_arr, $ealg_id, $keylen) {
 	global $config, $p2_ealgos;
 	$proposal = array();
 	/* If multiple hash algorithms are present, loop through and add them all. */
-d60be2a
+	if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])
 	    && !strpos($ealg_id, "gcm")) {
-            c6220dcf
+		foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
-            f5ddbec1
+			$proposal[] = ipsec_setup_proposal_algo($ealg_id, $keylen, $halgo, false, $ph2ent['pfsgroup']);
-            c6220dcf
+            jim-p
 	} else {
-            ffcfddc6
+		$proposal[] = ipsec_setup_proposal_algo($ealg_id, $keylen, false, false, $ph2ent['pfsgroup']);
-            c6220dcf
+            jim-p
 	/* Add to master list */
 	$algo_arr = array_merge($algo_arr, $proposal);
 	return implode(',', $proposal);
+}
 /****f* ipsec/ipsec_setup_vtireq
  * NAME
  *   ipsec_setup_vtireq - Setup a VTI type IPsec request
  * INPUTS
  *   $child                : A swanctl child array
  *   $ipsec_vti_cleanup_ifs: An array of VTI interface names for later cleanup
  *   $ikeid                : The IKE ID of this child
  *   $idx                  : The index of this child (for split connections/IKEv1)
  * RESULT
  *   Sets up VTI-specific values for a request.
  ******/
 function ipsec_setup_vtireq(& $child, & $ipsec_vti_cleanup_ifs, $ikeid, $idx = 0) {
-b85b43b
+	$child['reqid'] = get_ipsecifnum($ikeid, $idx);
-            c6220dcf
+	/* This interface will be a valid IPsec interface, so remove it from the cleanup list. */
 	$ipsec_vti_cleanup_ifs = array_diff($ipsec_vti_cleanup_ifs, array("ipsec{$child['reqid']}"));
 	$child['local_ts'] .= ",0.0.0.0/0";
 	$child['remote_ts'] .= ",0.0.0.0/0";
+}
 /****f* ipsec/ipsec_setup_tunnels
  * NAME
  *   ipsec_setup_tunnels - Configure all P1/P2 entries as swanctl connections
  * INPUTS
  *   None
  * RESULT
  *   Sets up a swanctl array for all connections in the configuration along with
  *   their children, authentication, etc.
  ******/
 function ipsec_setup_tunnels() {
 	global $aggressive_mode_psk, $a_client, $config,
 		$filterdns_list, $g, $ifacesuse, $ipsec_idhandling, $ipsec_log_cats,
 		$ipsec_log_sevs, $ipsec_swanctl_basedir, $ipsec_swanctl_dirs,
 		$ipseccfg, $mobile_ipsec_auth, $natfilterrules, $p1_ealgos,
 		$p2_ealgos, $rgmap, $sa, $sn, $scconf, $conn, $tunnels,
 		$ipsec_vti_cleanup_ifs, $conn_defaults;
 	foreach ($tunnels as $ph1ent) {
 		/* Skip disabled entries */
 		if (isset($ph1ent['disabled'])) {
 			continue;
+		}
 		/* If the local source is invalid, skip this entry. */
 		$local_spec = ipsec_get_phase1_src($ph1ent);
 		if (!$local_spec) {
 			continue;
+		}
 		/* Determine the name of this connection, either con-mobile for
 		 * mobile clients, or a name based on the IKE ID otherwise. */
-            faf07413
+		if (isset($ph1ent['mobile'])) {
 			$cname = "con-mobile";
 			/* Start with common default values */
 			$scconf["{$cname}-defaults"] = $conn_defaults;
 			/* Array reference to make things easier */
 			$conn =& $scconf["{$cname}-defaults"];
 			$scconf['connections']["{$cname} : {$cname}-defaults"] = array("# Stub to load con-mobile-defaults");
 		} else {
-b4cb00f
+			if (get_ipsecifnum($ph1ent['ikeid'], 0)) {
 				$cname = "con" . get_ipsecifnum($ph1ent['ikeid'], 0);
 			} else {
 				$cname = "con{$ph1ent['ikeid']}00000";
+			}
-            faf07413
+			/* Start with common default values */
 			$scconf['connections'][$cname] = $conn_defaults;
 			/* Array reference to make things easier */
 			$conn =& $scconf['connections'][$cname];
+		}
-            c6220dcf
+            jim-p
 		/* Common parameters for all children */
 		$child_params = array();
 		if (!empty($ph1ent['closeaction'])) {
 			$child_params['close_action'] = $ph1ent['closeaction'];
+		}
 		$ikeid = $ph1ent['ikeid'];
 		/* "trap" adds policies to start a tunnel when interesting
 		 * traffic is observed by the host. */
 		$start_action = "trap";
 		/* Set the IKE version appropriately (empty = IKEv1) */
 		switch ($ph1ent['iketype']) {
 			case 'auto':
 				$ikeversion = 0;
 				break;
 			case 'ikev2':
 				$ikeversion = 2;
 				break;
 			case 'ikev1':
 			default:
 				$ikeversion = 1;
 				break;
+		}
 		$conn['version'] = $ikeversion;
 		/* For IKEv1 or auto, setup aggressive mode if configured */
 		if ($ikeversion != 2){
 			$conn['aggressive'] = ($ph1ent['mode'] == "aggressive") ? "yes" : "no";
+		}
 		if (isset($ph1ent['mobile'])) {
 			/* Mobile tunnels allow 'any' as a peer */
 			$remote_spec = "0.0.0.0/0,::/0";
 			/* Mobile tunnels cannot start automatically */
 			$start_action = 'none';
 		} else {
 			$remote_spec = $ph1ent['remote-gateway'];
 			$sourcehost = (is_ipaddr($remote_spec)) ? $remote_spec : $rgmap[$remote_spec];
-            d0cd4fc7
+			$ifacesuse = ipsec_setup_routes($ph1ent['interface'], $ph1ent['protocol'], $sourcehost, isset($ph1ent['gw_duplicates']));
-            c6220dcf
+            jim-p
 		/* Setup IKE proposals */
 		if (is_array($ph1ent['encryption']['item'])) {
 			$ciphers = array();
 			foreach($ph1ent['encryption']['item'] as $p1enc) {
 				if (!is_array($p1enc['encryption-algorithm']) ||
 						empty($p1enc['encryption-algorithm']['name']) ||
 						empty($p1enc['hash-algorithm'])) {
 					continue;
+				}
-            f5ddbec1
+				if ($ph1ent['prfselect_enable'] != 'yes') {
 					$p1enc['prf-algorithm'] = false;
+				}
-            c6220dcf
+				$ciphers[] = ipsec_setup_proposal_algo($p1enc['encryption-algorithm']['name'],
 									$p1enc['encryption-algorithm']['keylen'],
 									$p1enc['hash-algorithm'],
-            f5ddbec1
+									$p1enc['prf-algorithm'],
-            c6220dcf
+									$p1enc['dhgroup']);
+			}
 			$conn['proposals'] = implode(",", $ciphers);
+		}
 		/* Configure DPD values. The DPD action is a per-child parameter,
 		 * not per-connection like the delay and timeout. */
 		if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
 			if ($start_action == "trap") {
-            d4e1fdea
+				$child_params['dpd_action'] = "trap";
-            c6220dcf
+			} else {
 				$child_params['dpd_action'] = "clear";
+			}
 			$conn['dpd_delay'] = "{$ph1ent['dpd_delay']}s";
 			$conn['dpd_timeout'] =  $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1) . "s";
-            d4e1fdea
+            jim-p
 			/* Adjust dpd_action if the close_action is explicitly set */
 			if (!empty($child_params['close_action'])) {
 				switch ($ph1ent['closeaction']) {
 					case 'trap':
 						$child_params['dpd_action'] = 'trap';
 						break;
 					case 'start':
 						$child_params['dpd_action'] = 'restart';
 						break;
 					case 'none':
 					default:
 						$child_params['dpd_action'] = 'clear';
+				}
+			}
-            c6220dcf
+		} else {
-            d4e1fdea
+			$child_params['dpd_action'] = "clear";
-            c6220dcf
+            jim-p
-            9701089e
+		/* Rekey (IKEv2 or Auto only, not supported by IKEv1) */
-            c6220dcf
+		if (($ikeversion == 0) || ($ikeversion == 2)) {
-ef
+			$conn['rekey_time'] = ipsec_get_rekey_time($ph1ent) . "s";
-            9701089e
+            jim-p
-ef
+		/* Reauth (Any) */
 		$conn['reauth_time'] = ipsec_get_reauth_time($ph1ent) . "s";
-            9701089e
+		/* Over Time */
-ef
+		$conn['over_time'] = ipsec_get_over_time($ph1ent) . "s";
 		/* Rand Time */
 		$conn['rand_time'] = ipsec_get_rand_time($ph1ent) . "s";
-            c6220dcf
+            jim-p
 		/* NAT Traversal */
 		$conn['encap'] = ($ph1ent['nat_traversal'] == 'force') ? "yes" : "no";
 		/* MOBIKE support */
 		$conn['mobike'] = ($ph1ent['mobike'] == 'on') ? "yes" : "no";
 		/* TFC Padding */
 		if (isset($ph1ent['tfc_enable'])) {
 			$conn['tfc_padding'] = (isset($ph1ent['tfc_bytes']) && is_numericint($ph1ent['tfc_bytes'])) ? $ph1ent['tfc_bytes'] : "mtu";
+		}
-ed9792
+		/* Custom Ports */
 		if (isset($ph1ent['ikeport'])) {
 			/* For a connection without encapsulation, do not set local_port */
 			$conn['remote_port'] = $ph1ent['ikeport'];
 		} elseif (isset($ph1ent['nattport'])) {
 			/* For an encapsulated connection,
 			 * set local_port to the server NAT-T port value or default (4500) */
 			$conn['local_port'] = isset($config['ipsec']['port_nat_t']) ? $config['ipsec']['port_nat_t'] : 4500;
 			$conn['remote_port'] = $ph1ent['nattport'];
+		}
-            c6220dcf
+		/* Arrays for P2s/children */
 		$children = array();
 		$remote_ts_spec = array();
 		$local_ts_spec = array();
 		$reqids = array();
 		$has_vti = false;
 		$ealgoAHsp2arr = array();
 		$ealgoESPsp2arr = array();
 		$suffix = 0;
 		foreach ($ph1ent['p2'] as $ph2ent) {
 			/* If this entry is disabled, or cannot be configured, skip. */
 			if (isset($ph2ent['disabled']) ||
 			    (isset($ph2ent['mobile']) && !isset($a_client['enable']))) {
 				continue;
+			}
 			$child = array();
 			$local_ts = "";
 			$remote_ts = "";
 			if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
 				/* Normal tunnel child config */
 				$child['mode'] = "tunnel";
 				$child['policies'] = "yes";
 				$localid_type = $ph2ent['localid']['type'];
 				$localsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
 				/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
 				if (($localid_type == "none" || $localid_type == "mobile") &&
 				    isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) {
 					$local_spec = '0.0.0.0/0,::/0';
 				} else {
 					if ($localid_type != "address") {
 						$localid_type = "subnet";
+					}
 					// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
 					if (!is_ipaddr($localsubnet_data) && !is_subnet($localsubnet_data) && ($localsubnet_data != "0.0.0.0/0")) {
 						log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
 						continue;
+					}
 					if (!empty($ph2ent['natlocalid'])) {
 						$natlocalsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
 						if ($ph2ent['natlocalid']['type'] != "address") {
 							if (is_subnet($natlocalsubnet_data)) {
 								$localsubnet_data = "{$natlocalsubnet_data}|{$localsubnet_data}";
+							}
 						} else {
 							if (is_ipaddr($natlocalsubnet_data)) {
 								$localsubnet_data = "{$natlocalsubnet_data}|{$localsubnet_data}";
+							}
+						}
 						$natfilterrules = true;
+					}
+				}
 				$local_ts = $localsubnet_data;
 				if (!isset($ph2ent['mobile'])) {
 					$remote_ts = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
 				} else if (!empty($a_client['pool_address'])) {
 					$remote_ts = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
+				}
 			} elseif ($ph2ent['mode'] == 'vti') {
 				/* VTI-specific child config */
 				$child['policies'] = "no";
 				/* VTI cannot use trap policies, so start automatically instead */
 				$start_action = 'start';
-            d4e1fdea
+				if ($child_params['dpd_action'] == "trap") {
 					$child_params['dpd_action'] = "restart";
+				}
-            c6220dcf
+				$localid_type = $ph2ent['localid']['type'];
 				$localsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
 				$local_ts = $localsubnet_data;
 				$remote_ts = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
 				$has_vti = true;
 			} else {
 				/* Transport mode child config */
 				$child['mode'] = "transport";
 				$child['policies'] = "yes";
 				if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
 				    ($ph1ent['authentication_method'] == "pre_shared_key")) &&
 				    isset($ph1ent['mobile'])) {
 					$local_spec = "0.0.0.0/0,::/0";
 				} else {
 					$local_ts = ipsec_get_phase1_src($ph1ent);
+				}
 				if (!isset($ph2ent['mobile'])) {
 					$remote_ts = $remote_spec;
+				}
+			}
 			if (!empty($local_ts)) {
 				$local_ts_spec[] = $local_ts;
+			}
 			if (!empty($remote_ts)) {
 				$remote_ts_spec[] = $remote_ts;
+			}
 			/* If a PFS group is configured on the Mobile Clients tab,
 			 * and this is a mobile P2, use it here. */
 			if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) {
 				$ph2ent['pfsgroup'] = $a_client['pfs_group'];
+			}
 			$reqids[] = $ph2ent['reqid'];
 			if (!empty($ph2ent['lifetime'])) {
-ef
+				$child['life_time'] = ipsec_get_life_time($ph2ent) . "s";
-c0f08
+				/* Rekey at 90% of lifetime */
-ef
+				$child['rekey_time'] = ipsec_get_rekey_time($ph2ent) . "s";
-c0f08
+				/* Random rekey fuzz time */
-ef
+				$child['rand_time'] = ipsec_get_rand_time($ph2ent) . "s";
-            c6220dcf
+            jim-p
 			/* If we are to act only as a responder, disable the start action */
 			$child['start_action'] = isset($ph1ent['responderonly']) ? 'none' : $start_action;
 			/* Setup child SA proposals */
 			$proposal = array();
-c9f5
+			$ph2ent_ealgos = array();
 			$ph2ent_ealgos_aead = array();
-            c6220dcf
+			if ($ph2ent['protocol'] == 'esp') {
 				if (is_array($ph2ent['encryption-algorithm-option'])) {
 					foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
-c9f5
+						if (strpos($ealg['name'], "gcm")) {
 							/* put AEAD ciphers on top,
 							*  see https://redmine.pfsense.org/issues/11078 */
 							$ph2ent_ealgos_aead[] = $ealg;
 						} else {
 							$ph2ent_ealgos[] = $ealg;
+						}
+					}
 					$ph2ent_ealgos = array_merge(array_reverse($ph2ent_ealgos_aead), $ph2ent_ealgos);
 					foreach ($ph2ent_ealgos as $ealg) {
-            c6220dcf
+						$ealg_id = $ealg['name'];
 						$ealg_kl = $ealg['keylen'];
 						if (!empty($ealg_kl) && $ealg_kl == "auto") {
 							if (empty($p2_ealgos) || !is_array($p2_ealgos)) {
 								require_once("ipsec.inc");
+							}
 							$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
 							$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
 							$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
 							/* XXX: in some cases where include ordering is suspect these variables
 							 * are somehow 0 and we enter this loop forever and timeout after 900
 							 * seconds wrecking bootup */
 							if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) {
 								for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
 									$proposal[] = ipsec_setup_proposal_entry($ph2ent, $ealgoESPsp2arr, $ealg_id, $keylen);
+								}
+							}
 						} else {
 							$proposal[] = ipsec_setup_proposal_entry($ph2ent, $ealgoESPsp2arr, $ealg_id, $ealg_kl);
+						}
+					}
+				}
 			} else if ($ph2ent['protocol'] == 'ah') {
 				$proposal[] = ipsec_setup_proposal_entry($ph2ent, $ealgoAHsp2arr, '', '');
+			}
 			/* Not mobile, and IKEv1 or Split Connections active */
 			if (!isset($ph1ent['mobile']) && (($ikeversion == 1) || isset($ph1ent['splitconn']))) {
 				if (!empty($remote_ts)) {
 					/* Setup child sub-connections using unique names with a suffix */
-b85b43b
+					$subconname = "con" . get_ipsecifnum($ph1ent['ikeid'], $idx) . $suffix;
-            c6220dcf
+					$children[$subconname] = $child;
 					$children[$subconname]['local_ts'] = $local_ts;
 					$children[$subconname]['remote_ts'] = $remote_ts;
 					if ($has_vti) {
 						ipsec_setup_vtireq($children[$subconname], $ipsec_vti_cleanup_ifs, $ph1ent['ikeid'], $suffix);
+					}
 					if (!empty($ph2ent['protocol']) && !empty($proposal)) {
 						$children[$subconname][$ph2ent['protocol'] . '_proposals'] = implode(',', $proposal);
+					}
 				} else {
 					log_error(sprintf(gettext("No phase2 specifications for tunnel with REQID = %s"), $ikeid));
+				}
 			} else {
 				/* TODO: Fix this to nicely merge all P2 params for single child case */
 				if (!is_array($children[$cname])) {
 					$children[$cname] = array();
+				}
 				$children[$cname] = array_merge($children[$cname], $child);
+			}
 			$suffix++;
+		}
 		$conn['local_addrs'] = $local_spec;
 		$conn['remote_addrs'] = $remote_spec;
-a5c28
+		$pools = array();
-            c6220dcf
+		if (isset($ph1ent['mobile'])) {
-            f9c9899b
+			if (($ph1ent['authentication_method'] == 'eap-radius') &&
 			    empty($a_client['pool_address']) && empty($a_client['pool_address_v6'])) {
-a5c28
+				$pools[] = "radius";
-            f9c9899b
+			} else {
-a5c28
+				if (!empty($a_client['pool_address'])) {
 					$pools[] = "mobile-pool-v4";
+				}
 				if (!empty($a_client['pool_address_v6'])) {
 					$pools[] = "mobile-pool-v6";
+				}
-            f9c9899b
+				if (isset($a_client['radius_ip_priority_enable'])) {
-a5c28
+					$pools[] .= "radius";
-            f9c9899b
+            Viktor Gurov
+			}
-            c6220dcf
+            jim-p
-a5c28
+		$conn['pools'] = implode(', ', $pools);
-            c6220dcf
+            jim-p
 		/* For IKEv2 without Split Connections, setup combined sets of
 		 * local/remote traffic selectors and propsals */
 		if (!(!isset($ph1ent['mobile']) && (($ikeversion == 1) || isset($ph1ent['splitconn'])))) {
 			if (!isset($ph1ent['mobile']) && !empty($remote_ts_spec)) {
 				$children[$cname]['remote_ts'] = implode(",", $remote_ts_spec);
+			}
 			if (!empty($local_ts_spec)) {
 				$children[$cname]['local_ts'] = implode(",", $local_ts_spec);
+			}
 			if ($has_vti) {
 				ipsec_setup_vtireq($children[$cname], $ipsec_vti_cleanup_ifs, $ph1ent['ikeid']);
+			}
 			if (!empty($ealgoAHsp2arr)) {
 				$children[$cname]['ah_proposals'] = implode(',', array_unique($ealgoAHsp2arr));
+			}
 			if (!empty($ealgoESPsp2arr)) {
 				$children[$cname]['esp_proposals'] = implode(',', array_unique($ealgoESPsp2arr));
+			}
+		}
 		/* Setup connection authentication */
 		ipsec_setup_authentication($ph1ent, $conn);
 		/* Add children to this connection, including default child parameters */
 		if (count($children)) {
 			foreach($children as $name => $child) {
 				$conn['children'][$name] = array_merge($child_params, $child);
+			}
+		}
+	}
 	return;
+}
 /****f* ipsec/ipsec_setup_secrets
  * NAME
  *   ipsec_setup_secrets - Setup swanctl authentication secrets
  * INPUTS
  *   None
  * RESULT
  *   Returns a swanctl array containing secrets (PSKs, certs, etc) and writes out
  *   necessary CA, CRL, and certificate data.
  ******/
 function ipsec_setup_secrets() {
 	global $config, $a_phase1, $ipsec_swanctl_dirs, $ipseccfg, $rgmap, $scconf;
 	$suffix = 0;
 	/* write out CRL files */
 	if (is_array($config['crl']) && count($config['crl'])) {
 		foreach ($config['crl'] as $crl) {
 			if (!isset($crl['text'])) {
 				log_error(sprintf(gettext("Warning: Missing CRL data for %s"), $crl['descr']));
 				continue;
+			}
 			$fpath = "{$ipsec_swanctl_dirs['crlpath']}/{$crl['refid']}.crl";
 			if (!@file_put_contents($fpath, base64_decode($crl['text']))) {
 				log_error(sprintf(gettext("Error: Cannot write IPsec CRL file for %s"), $crl['descr']));
 				continue;
+			}
+		}
+	}
 	$vpncas = array();
 	if (is_array($a_phase1) && count($a_phase1)) {
 		foreach ($a_phase1 as $ph1ent) {
 			if (isset($ph1ent['disabled'])) {
 				continue;
+			}
 			if (strstr($ph1ent['authentication_method'], 'cert') ||
 			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
 				/* Write certificate and private key, point to private key */
 				$certline = '';
 				$ikeid = $ph1ent['ikeid'];
 				$cert = lookup_cert($ph1ent['certref']);
 				if (!$cert) {
 					log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
 					continue;
+				}
 				/* add signing CA cert chain of server cert
 				 * to the list of CAs to write
 				 */
 				$cachain = ca_chain_array($cert);
 				if ($cachain && is_array($cachain)) {
 					foreach ($cachain as $cacrt) {
 						$vpncas[$cacrt['refid']] = $cacrt;
+					}
+				}
 				@chmod($ipsec_swanctl_dirs['certpath'], 0600);
 				$ph1keyfile = "{$ipsec_swanctl_dirs['keypath']}/cert-{$ikeid}.key";
 				if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
 					log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
 					continue;
+				}
 				@chmod($ph1keyfile, 0600);
 				$ph1certfile = "{$ipsec_swanctl_dirs['certpath']}/cert-{$ikeid}.crt";
 				if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
 					log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
 					@unlink($ph1keyfile);
 					continue;
+				}
 				@chmod($ph1certfile, 0600);
 				$scconf['secrets']['private-' . $suffix++] = array('file' => $ph1keyfile);
-f143b6e
+			} else if (strstr($ph1ent['authentication_method'], 'pkcs11')) {
-d8609
+				$p11_id = array();
 				$output = shell_exec('/usr/local/bin/pkcs15-tool -c');
 				preg_match_all('/ID\s+: (.*)/', $output, $p11_id);
 				if (!empty($ph1ent['pkcs11certref']) && in_array($ph1ent['pkcs11certref'], $p11_id[1])) {
-f143b6e
+					$scconf['secrets']['token-' . $suffix++] = array(
 						'handle' => $ph1ent['pkcs11certref'],
 						'pin' => $ph1ent['pkcs11pin'],
 					);
 				} else {
-d8609
+					log_error(sprintf(gettext("Error: Invalid phase1 PKCS#11 certificate reference or PKCS#11 is not present for %s"), $ph1ent['name']));
 					continue;
-f143b6e
+            Viktor Gurov
-            c6220dcf
+			} else {
 				/* Setup pre-shared keys */
 				list($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
 				list($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
 				$myid = trim($myid_data);
 				if (empty($peerid_data)) {
 					continue;
+				}
 				if ($myid_type == 'fqdn' && !empty($myid)) {
 					$myid = "@{$myid}";
+				}
-b41fc
+				$myid = isset($ph1ent['mobile']) ? ipsec_fixup_id($myid_type, trim($myid_data)) : "%any";
 				$peerid = ($peerid_data != 'allusers') ? ipsec_fixup_id($peerid_type, trim($peerid_data)) : '';
-            c6220dcf
+            jim-p
 				if ($peerid_type == 'fqdn' && !empty($peerid)) {
 					$peerid = "@{$peerid}";
+				}
 				if (!empty($ph1ent['pre-shared-key'])) {
 					$scconf['secrets']['ike-' . $suffix++] = array(
 						'secret' => '0s' . base64_encode(trim($ph1ent['pre-shared-key'])),
 						'id-0' => $myid,
 						'id-1' => $peerid,
 					);
 					if (isset($ph1ent['mobile'])) {
 						$scconf['secrets']['ike-' . $suffix++] = array(
 							'secret' => '0s' . base64_encode(trim($ph1ent['pre-shared-key'])),
 							'id-0' => $myid,
 							'id-1' => '%any',
 						);
 						$scconf['secrets']['ike-' . $suffix++] = array(
 							'secret' => '0s' . base64_encode(trim($ph1ent['pre-shared-key'])),
 						);
+					}
+				}
+			}
 			/* if the client authenticates with a cert add the
 			 * client cert CA chain to the list of CAs to write
 			 */
 			if (in_array($ph1ent['authentication_method'],
-c120b1f
+			    array('cert', 'eap-tls', 'xauth_cert_server', 'pkcs11'))) {
-            c6220dcf
+				if (!empty($ph1ent['caref']) && !array_key_exists($ph1ent['caref'], $vpncas)) {
 					$thisca = lookup_ca($ph1ent['caref']);
 					$vpncas[$ph1ent['caref']] = $thisca;
 					/* follow chain up to root */
 					$cachain = ca_chain_array($thisca);
 					if ($cachain and is_array($cachain)) {
 						foreach ($cachain as $cacrt) {
 							$vpncas[$cacrt['refid']] = $cacrt;
+						}
+					}
+				}
+			}
+		}
+	}
 	/* Write the required CAs */
 	foreach ($vpncas as $carefid => $cadata) {
 		$cacrt = base64_decode($cadata['crt']);
 		$cacrtattrs = openssl_x509_parse($cacrt);
 		if (!is_array($cacrtattrs) || !isset($cacrtattrs['hash'])) {
 			log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $cadata['descr']));
 			continue;
+		}
 		$cafilename = "{$ipsec_swanctl_dirs['capath']}/{$cacrtattrs['hash']}.0";
 		if (!@file_put_contents($cafilename, $cacrt)) {
 				log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $cadata['descr']));
 				continue;
+		}
+	}
 	/* Add user PSKs */
 	if (is_array($config['system']) && is_array($config['system']['user'])) {
 		foreach ($config['system']['user'] as $user) {
 			if (!empty($user['ipsecpsk'])) {
 				$scconf['secrets']['ike-' . $suffix++] = array(
 					'secret' => '0s' . base64_encode(trim($user['ipsecpsk'])),
 					'id-0' => $myid,
 					'id-1' => $user['name'],
 				);
+			}
+		}
 		unset($user);
+	}
 	/* add PSKs for mobile clients */
 	if (is_array($ipseccfg['mobilekey'])) {
 		foreach ($ipseccfg['mobilekey'] as $key) {
 			if (($key['ident'] == 'allusers') ||
 			    ($key['ident'] == 'any')) {
 				$key['ident'] = '%any';
+			}
-c9c2891
+			$userkeyprefix = (strtolower($key['type']) == 'eap') ? 'eap' : 'ike';
 			$scconf['secrets'][$userkeyprefix . '-' . $suffix++] = array(
-            c6220dcf
+				'secret' => '0s' . base64_encode(trim($key['pre-shared-key'])),
 				'id-0' => $key['ident'],
 			);
+		}
 		unset($key);
+	}
 	return;
+}
 /****f* ipsec/ipsec_configure
  * NAME
  *   ipsec_configure - Configure IPsec
  * INPUTS
  *   $restart: Boolean (default false), whether or not to restart the IPsec
  *             daemons.
  * RESULT
  *   IPsec-related configuration files are written, daemon is started or stopped
  *   appropriately.
  ******/
 function ipsec_configure($restart = false) {
 	global $aggressive_mode_psk, $a_client, $a_phase1, $a_phase2, $config,
 		$filterdns_list, $g, $ifacesuse, $ipsec_idhandling, $ipsec_log_cats,
 		$ipsec_log_sevs, $ipsec_swanctl_basedir, $ipsec_swanctl_dirs,
 		$ipseccfg, $mobile_ipsec_auth, $natfilterrules, $p1_ealgos,
 		$p2_ealgos, $rgmap, $sa, $sn, $scconf, $tunnels, $mobile_configured,
 		$ipsec_vti_cleanup_ifs, $conn_defaults, $pool_addrs;
 	/* service may have been enabled, disabled, or otherwise changed in a
 	 *way requiring rule updates */
 	filter_configure();
 	if (!ipsec_enabled()) {
 		/* IPsec is disabled */
 		/* Stop charon */
 		mwexec("/usr/local/sbin/strongswanrc stop");
 		/* Stop dynamic monitoring */
 		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
 		/* Wait for process to die */
 		sleep(2);
 		/* Shutdown enc0 interface*/
 		mwexec("/sbin/ifconfig enc0 down");
-            b08a1fa1
+		ipsec_gre_default_mtu();
-            c6220dcf
+		return 0;
 	} else {
 		/* Startup enc0 interface */
 		mwexec("/sbin/ifconfig enc0 up");
+	}
 	if (platform_booting()) {
 		echo gettext("Configuring IPsec VPN... ");
+	}
 	$ipsecstartlock = lock('ipsec', LOCK_EX);
 	/* Prepare automatic ping_hosts.sh data */
 	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
 	touch("{$g['vardb_path']}/ipsecpinghosts");
 	$ipsecpinghostsactive = false;
 	/* Populate convenience variables */
 	$syscfg = $config['system'];
 	init_config_arr(array('ipsec', 'phase1'));
 	$ipseccfg = $config['ipsec'];
 	$a_phase1 = $config['ipsec']['phase1'];
 	init_config_arr(array('ipsec', 'phase2'));
 	$a_phase2 = $config['ipsec']['phase2'];
 	init_config_arr(array('ipsec', 'client'));
 	$a_client = $config['ipsec']['client'];
 	$mobile_configured = false;
 	/* Setup a single structured array to process, to avoid repeatedly
 	 * looping through the arrays to locate entries later. */
 	$tunnels = array();
 	foreach ($a_phase1 as $p1) {
-            d2abe7c9
+		if (empty($p1)) {
 			continue;
+		}
-            c6220dcf
+		if (isset($p1['mobile']) && !isset($p1['disabled'])) {
 			$mobile_configured = true;
+		}
 		$tunnels[$p1['ikeid']] = $p1;
 		$tunnels[$p1['ikeid']]['p2'] = array();
+	}
 	foreach ($a_phase2 as $p2) {
 		$tunnels[$p2['ikeid']]['p2'][] = $p2;
+	}
 	$ipsec_vti_cleanup_ifs = array();
 	$rgmap = array();
 	$filterdns_list = array();
 	$aggressive_mode_psk = false;
 	$mobile_ipsec_auth = "";
 	$ifacesuse = array();
 	$natfilterrules = false;
 	/* Configure asynchronous crypto. See https://redmine.pfsense.org/issues/8772 */
 	set_sysctl(array('net.inet.ipsec.async_crypto' => (int) (isset($ipseccfg['async_crypto']) && ($ipseccfg['async_crypto'] == "enabled"))));
 	/* Build a list of all IPsec interfaces configured on the firewall at the OS level */
 	foreach (get_interface_arr() as $thisif) {
 		if (substr($thisif, 0, 5) == "ipsec") {
 			$ipsec_vti_cleanup_ifs[] = $thisif;
+		}
+	}
 	/* Create directory structure for IPsec */
 	ipsec_create_dirs();
 	/* Setup gateways and interfaces */
 	ipsec_setup_gwifs();
 	/* Setup and write strongswan.conf */
 	ipsec_setup_strongswan();
 	/* Start Global Connection default values */
 	$conn_defaults = array();
 	/* Fragmentation is on for everyone */
 	$conn_defaults['fragmentation'] = "yes";
 	/* Default to 'replace' for unique IDs (was 'yes' in ipsec.conf previously) */
 	$conn_defaults['unique'] = 'replace';
 	/* If the configuration has a valid alternate value for unique ID handling,
 	 * use it instead. */
 	if (!empty($config['ipsec']['uniqueids']) &&
 	    array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling)) {
 		$conn_defaults['unique'] = $config['ipsec']['uniqueids'];
+	}
 	if (isset($config['ipsec']['strictcrlpolicy'])) {
 		$conn_defaults['strictcrlpolicy'] = "yes";
+	}
 	/* Disable ipcomp for now. redmine #6167
 	if (isset($config['ipsec']['compression'])) {
 		$conn_defaults['compress'] = "yes";
+	}
 	set_single_sysctl('net.inet.ipcomp.ipcomp_enable', (isset($config['ipsec']['compression'])) ? 1 : 0);
 	*/
 	/* End Global Connection Defaults */
 	/* Start swanctl configuration (scconf) */
 	$scconf = array();
 	$scconf[] = "# This file is automatically generated. Do not edit";
 	$scconf['connections'] = array();
-b52494
+	/* Setup IPsec bypass */
 	ipsec_setup_bypass();
-            c6220dcf
+	/* Setup connections */
 	ipsec_setup_tunnels();
 	$scconf['pools'] = array();
 	if ($mobile_configured) {
 		/* Setup mobile address pools */
 		ipsec_setup_pools();
 		/* Setup per-user pools */
 		ipsec_setup_userpools();
+	}
 	/* Setup secret data */
 	$scconf['secrets'] = array();
 	ipsec_setup_secrets();
 	@file_put_contents("{$g['varetc_path']}/ipsec/swanctl.conf", ipsec_strongswan_confgen($scconf));
 	/* Clean up unused VTI interfaces */
 	foreach ($ipsec_vti_cleanup_ifs as $cleanif) {
 		if (does_interface_exist($cleanif)) {
 			mwexec("/sbin/ifconfig " . escapeshellarg($cleanif) . " destroy", false);
+		}
+	}
-            b08a1fa1
+	/* set default MTU to 1400 for GRE over IPsec, othewise to 1476 */
 	ipsec_gre_default_mtu();
-            c6220dcf
+	/* Manage process */
 	if ($restart === true) {
 		mwexec_bg("/usr/local/sbin/strongswanrc restart", false);
 	} else {
 		if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
 			mwexec_bg("/usr/local/sbin/strongswanrc reload", false);
 		} else {
 			mwexec_bg("/usr/local/sbin/strongswanrc start", false);
+		}
+	}
 	// Run ping_hosts.sh once if it's enabled to avoid wait for minicron
 	if ($ipsecpinghostsactive) {
 		mwexec_bg("/usr/local/bin/ping_hosts.sh");
+	}
 	if ($natfilterrules == true) {
 		filter_configure();
+	}
 	/* start filterdns, if necessary */
 	if (count($filterdns_list) > 0) {
 		$interval = 60;
 		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
 			$interval = $ipseccfg['dns-interval'];
+		}
 		$hostnames = "";
 		array_unique($filterdns_list);
 		foreach ($filterdns_list as $hostname) {
 			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
+		}
 		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
 		unset($hostnames);
 		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) {
 			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
 		} else {
 			mwexec_bg("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
+		}
 	} else {
 		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
 		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
+	}
 	if (platform_booting()) {
 		echo "done\n";
+	}
 	unlock($ipsecstartlock);
 	return count($filterdns_list);
+}
-            b08a1fa1
+            Viktor Gurov
 function ipsec_gre_default_mtu() {
 	global $config;
 	foreach ($config['interfaces'] as $if => $ifdetail) {
 		if (interface_is_type($ifdetail['if'], 'gre') && !isset($ifdetail['mtu'])) {
 			if (is_greipsec($ifdetail['if'])) {
 				set_interface_mtu($ifdetail['if'], 1400);
 			} else {
 				set_interface_mtu($ifdetail['if'], 1476);
+			}
+		}
+	}
+}
-ef
+            jim-p
 /* Return the larger of derived SA rekey time and reauth time */
 function ipsec_get_renewmax($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	return max(ipsec_get_rekey_time($entry), ipsec_get_reauth_time($entry));
+}
 /* Determine the life time of an SA entry (Hard upper total time limit for SA before it is removed) */
 function ipsec_get_life_time($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	/* Use a hardcoded value if present in the configuration */
 	if ($entry['lifetime'] > 0) {
 		return $entry['lifetime'];
+	}
 	/* If rekey or reauth are enabled, attempt to derive a lifetime from one of those */
 	$renewmax = ipsec_get_renewmax($entry);
 	if ($renewmax > 0) {
 		return intval($renewmax / 0.9);
+	}
 	/* To reach here, rekey_time and lifetime are both 0 which is invalid
 	 * Default to 16000 for p1 and 4000 for p2 */
 	if ($entry['iketype']) {
 		return 16000;
 	} else {
 		return 4000;
+	}
+}
 /* Determine the rekey time of an SA entry (Time at which to rekey IKEv2 or Child SA entries) */
 function ipsec_get_rekey_time($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	/* Use a hardcoded value if present in the configuration */
 	if (strlen($entry['rekey_time'])) {
 		/* Check via strlen since 0 is a valid value */
 		return $entry['rekey_time'];
 	} elseif ($entry['lifetime'] > 0) {
 		/* If rekey_time is empty and lifetime is non-zero, use 90% lifetime */
 		return intval($entry['lifetime'] * 0.9);
+	}
 	/* To reach here, rekey_time and lifetime are empty
 	 * Default to 14400 for p1 and 3600 for p2 */
 	if ($entry['iketype']) {
 		return 14400;
 	} else {
 		return 3600;
+	}
+}
 /* Determine the reauth time of an SA entry (IKE SA tear-down/reauthenticate) */
 function ipsec_get_reauth_time($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	/* Use a hardcoded value if present in the configuration */
 	if (strlen($entry['reauth_time'])) {
 		/* Check via strlen since 0 is a valid value */
 		return $entry['reauth_time'];
 	} elseif ($entry['lifetime'] > 0) {
 		/* If reauth_time is empty and lifetime is non-zero,
 		 * use 90% lifetime for IKEv1, disable for IKEv2/auto */
 		if ($entry['iketype'] == 'ikev1') {
 			return intval($entry['lifetime'] * 0.9);
 		} else {
 			return 0;
+		}
+	}
 	/* To reach here, rekey_time and lifetime are empty
 	 * Default to disabled (0) */
 	return 0;
+}
 /* Determine the over time of an SA entry (Hard upper IKE SA time limit, relative to rekey/reauth time) */
 function ipsec_get_over_time($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	/* Automatically derive the value for rand_time */
 	$lifetime = ipsec_get_life_time($entry);
 	$renewmax = ipsec_get_renewmax($entry);
 	if (($lifetime > 0) && ($renewmax > 0)) {
 		/* If life time and rekey/reauth time both have values, subtract to get rand time */
 		return $lifetime - $renewmax;
 	} elseif ($lifetime > 0) {
 		/* If only life time has a value, use 10% of that */
 		return intval($lifetime * 0.1);
 	} elseif ($renewmax > 0) {
 		/* If only rekey/reauth time has a value, use 10% of that */
 		return intval($renewmax * 0.1);
+	}
 	/* No value can be determined, default to 0 */
 	return 0;
+}
 /* Determine the rand time of an SA entry (random value subtracted from renewal time to prevent collisions) */
 function ipsec_get_rand_time($entry) {
 	if (empty($entry) || !is_array($entry)) {
 		return 0;
+	}
 	/* Use a hardcoded value if present in the configuration */
 	if (strlen($entry['rand_time'])) {
 		/* Check via strlen since 0 is a valid value */
 		return $entry['rand_time'];
+	}
 	/* Logic to automatically determine rand time is identical to calculating over time */
 	return ipsec_get_over_time($entry);
+}
-f5c3d8d
+?>

Project

General

Profile

pfSense