(ipsec) add mobike switch, change leftsendcert to always. for...

(ipsec) add mobike switch, change leftsendcert to always. for https://github.com/opnsense/core/issues/1393

(ipsec) add mobike switch, change leftsendcert to always. for...
(ipsec) add mobike switch, change leftsendcert to always. for https://github.com/opnsense/core/issues/1393
212fd9aa · Ad Schellevis · ee0e0eae · 212fd9aa · 212fd9aa
Commit 212fd9aa authored Feb 11, 2017 by Ad Schellevis
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 8 deletions

ipsec.inc src/etc/inc/ipsec.inc +5 -6

vpn_ipsec_phase1.php src/www/vpn_ipsec_phase1.php +11 -2

No files found.
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -884,12 +884,9 @@ EOD;
                if (isset($ph1ent['disabled'])) {
                    continue;
                }
-
-                if ($ph1ent['mode'] == "aggressive") {
-                    $aggressive = "yes";
-                } else {
-                    $aggressive = "no";
-                }
+                $conn_params = "";
+                $aggressive = $ph1ent['mode'] == "aggressive" ? "yes" : "no";
+                $mobike = !empty($ph1ent['mobike']) ? "mobike = no" : "  mobike = yes";

                $ep = ipsec_get_phase1_src($ph1ent);
                if (empty($ep)) {
@@ -991,6 +988,7 @@ EOD;
                }
                if (!empty($ph1ent['certref'])) {
                    $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
+                    $authentication .= "\n\tleftsendcert = always";
                }
                if (!empty($ph1ent['caref'])) {
                    $ca = lookup_ca($ph1ent['caref']);
@@ -1177,6 +1175,7 @@ conn con<<connectionId>>
  {$reauth}
  {$rekey}
  {$forceencaps}
+  {$mobike}
  installpolicy = yes
  {$tunneltype}
  {$dpdline}

--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
    ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
    ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
-    ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers";
+    ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike";
    if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
        // 1-on-1 copy
        foreach (explode(",", $phase1_fields) as $fieldname) {
@@ -353,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
        ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
        ,lifetime,pre-shared-key,certref,caref,authentication_method,descr
-        ,nat_traversal,auto";
+        ,nat_traversal,auto,mobike";

        foreach (explode(",",$copy_fields) as $fieldname) {
            $fieldname = trim($fieldname);
@@ -1016,6 +1016,15 @@ endforeach; ?>
                      </div>
                    </td>
                  </tr>
+                  <tr>
+                    <td><a id="help_for_mobike" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Disable MOBIKE"); ?></td>
+                    <td>
+                      <input name="mobike" type="checkbox" id="mobike"  <?=!empty($pconfig['mobike']) ? "checked=\"checked\"":"";?> />
+                      <div class="hidden" for="help_for_mobike">
+                          <?=gettext("Disables the IKEv2 MOBIKE protocol defined by RFC 4555");?>
+                      </div>
+                    </td>
+                  </tr>
                  <tr>
                    <td><a id="help_for_dpd_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Dead Peer Detection"); ?></td>
                    <td>