Commit 2cc1c4a9 authored by Ad Schellevis

(ipsec) cleanups in ipsec.inc

parent 3a44d732
...@@ -343,57 +343,34 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { ...@@ -343,57 +343,34 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) {
$id_data = null; $id_data = null;
if ($side == "local") { if ($side == "local") {
$id_type = $ph1ent['myid_type']; $id_type = $ph1ent['myid_type'];
if (isset($ph1ent['myid_data'])) { $id_data = isset($ph1ent['myid_data']) ? $ph1ent['myid_data'] : null;
$id_data = $ph1ent['myid_data'];
}
$addr = ipsec_get_phase1_src($ph1ent);
if (!$addr) {
return array();
}
} elseif ($side == "peer") { } elseif ($side == "peer") {
$id_type = $ph1ent['peerid_type']; $id_type = $ph1ent['peerid_type'];
if (isset($ph1ent['peerid_data'])) { $id_data = isset($ph1ent['peerid_data']) ? $ph1ent['peerid_data'] : null;
$id_data = $ph1ent['peerid_data']; /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
}
if (isset($ph1ent['mobile'])) { if (isset($ph1ent['mobile'])) {
$addr = "%any"; return null;
} else {
$addr = $ph1ent['remote-gateway'];
} }
} else {
return array();
} }
$thisid_type = $id_type; switch ($id_type) {
switch ($thisid_type) {
case "myaddress": case "myaddress":
$thisid_type = "address"; $thisid_data = ipsec_get_phase1_src($ph1ent);
$thisid_data = $addr;
break; break;
case "dyn_dns": case "dyn_dns":
$thisid_type = "address";
$thisid_data = resolve_retry($id_data); $thisid_data = resolve_retry($id_data);
break; break;
case "peeraddress": case "peeraddress":
$thisid_type = "address";
$thisid_data = $rgmap[$ph1ent['remote-gateway']]; $thisid_data = $rgmap[$ph1ent['remote-gateway']];
break; break;
case "address"; case "address":
$thisid_data = $id_data; $thisid_data = $id_data;
break; break;
case "fqdn"; default:
case "keyid tag"; $thisid_data = !empty($id_data) ? "{$id_data}" : null;
case "user_fqdn";
case "asn1dn";
$thisid_data = $id_data;
if( $thisid_data ) {
$thisid_data = "{$thisid_data}";
}
break; break;
} }
return array($thisid_type, $thisid_data); return $thisid_data;
} }
/* include all configuration functions */ /* include all configuration functions */
...@@ -493,7 +470,6 @@ function ipsec_configure() ...@@ -493,7 +470,6 @@ function ipsec_configure()
set_single_sysctl("net.inet.ip.fastforwarding", "0"); set_single_sysctl("net.inet.ip.fastforwarding", "0");
/* resolve all local, peer addresses and setup pings */ /* resolve all local, peer addresses and setup pings */
$ipmap = array();
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
$ipsecpinghosts = ""; $ipsecpinghosts = "";
...@@ -507,14 +483,6 @@ function ipsec_configure() ...@@ -507,14 +483,6 @@ function ipsec_configure()
$aggressive_psk = true; $aggressive_psk = true;
} }
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep)) {
continue;
}
if(!in_array($ep,$ipmap)) {
$ipmap[] = $ep;
}
/* see if this tunnel has a hostname for the remote-gateway. If so, /* see if this tunnel has a hostname for the remote-gateway. If so,
try to resolve it now and add it to the list for filterdns */ try to resolve it now and add it to the list for filterdns */
...@@ -534,7 +502,7 @@ function ipsec_configure() ...@@ -534,7 +502,7 @@ function ipsec_configure()
continue; continue;
} }
} }
if(array_search($rg, $rgmap)) { if (array_search($rg, $rgmap)) {
log_error("The remote gateway {$rg} already exists on another phase 1 entry"); log_error("The remote gateway {$rg} already exists on another phase 1 entry");
continue; continue;
} }
...@@ -799,16 +767,12 @@ EOD; ...@@ -799,16 +767,12 @@ EOD;
/* XXX" Traffic selectors? */ /* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n"; $pskconf .= " : RSA {$ph1keyfile}\n";
} else { } elseif (!empty($ph1ent['pre-shared-key'])) {
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); $myid_data = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); $peerid_data = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) { if (!empty($peerid_data)) {
continue; $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
}
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . trim($peerid_data) . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n"; $pskconf .= $myid . trim($peerid_data) . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
} }
} }
...@@ -889,14 +853,8 @@ EOD; ...@@ -889,14 +853,8 @@ EOD;
$conn_auto = 'route'; $conn_auto = 'route';
} }
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); $myid_data = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); $peerid_spec = ipsec_find_id($ph1ent, "peer", $rgmap);
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
$peerid_spec = $peerid_data;
}
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealg_id = $ph1ent['encryption-algorithm']['name']; $ealg_id = $ph1ent['encryption-algorithm']['name'];
......
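Review bot: The early return added on the peer side of ipsec_find_id (`if (isset($ph1ent['mobile'])) { return null; }`) makes the `$myid` assignment in the secrets hunk (`$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";`) unreachable, because that line now sits inside `if (!empty($peerid_data))` and a mobile entry always yields null there; unless this is intended, mobile PSK tunnels no longer get any `: PSK` line, whereas before the change the mobile check only blanked `$peerid_spec` in the conn block and the secrets file still received the peer ID. Either keep the mobile suppression at the ipsec.conf call site (as the removed `$peerid_spec` code did) and let the function return the peer ID, or state the new contract in a header comment such as `/* Returns the resolved ID string for $side, or null for the peer side of a mobile tunnel */` so callers do not rely on the dead branch. Dropping the old `else { return array(); }` also leaves `$id_type` unset for any `$side` other than "local"/"peer", so the switch runs on an undefined variable and falls to `default`; an explicit `return null;` in that branch keeps the guard. The secrets and conn hunks are cut before their enclosing loop ends, so their remaining uses of `$myid_data` and `$peerid_spec` are not visible here.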