(legacy) ipsec configuration issue when using carp ip (https://github.com/opnsense/core/issues/267)

57526fb8 · Ad Schellevis · Franco Fichtner · 44c72304 · 57526fb8 · 57526fb8
Commit 57526fb8 authored Jul 24, 2015 by Ad Schellevis Committed by Franco Fichtner Jul 24, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 26 deletions

ipsec.inc src/etc/inc/ipsec.inc +17 -14

vpn.inc src/etc/inc/vpn.inc +16 -12

No files found.
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -95,28 +95,31 @@ $p2_pfskeygroups = array(
 * Return phase1 local address
 */
 function ipsec_get_phase1_src(& $ph1ent) {
+	if (!empty($ph1ent['interface'])) {
-	if ($ph1ent['interface']) {
 		if (!is_ipaddr($ph1ent['interface'])) {
-			if ($ph1ent['protocol'] == "inet6") {
+			if (strpos($ph1ent['interface'],'_vip') !== false) {
-				$if = get_failover_interface($ph1ent['interface'], "inet6");
+				// if this is a vip, set the interface to $ph1ent['interface']
-				$interfaceip = get_interface_ipv6($if);
+				$if = $ph1ent['interface'];
 			} else {
-				$if = get_failover_interface($ph1ent['interface']);
+				// not a vip, check failover interface
-				$interfaceip = get_interface_ip($if);
+				if ($ph1ent['protocol'] == "inet6") {
+						$if = get_failover_interface($ph1ent['interface'], "inet6");
+				} else {
+						$if = get_failover_interface($ph1ent['interface']);
+				}
 			}
 		} else {
-			$interfaceip=$ph1ent['interface'];
+			// interface is an ip address, return
+			return $ph1ent['interface'];
 		}
 	} else {
 		$if = "wan";
-		if ($ph1ent['protocol'] == "inet6")
-			$interfaceip = get_interface_ipv6($if);
-		else
-			$interfaceip = get_interface_ip($if);
 	}
+	if ($ph1ent['protocol'] == "inet6") {
-	return $interfaceip;
+		return get_interface_ipv6($if);
+	} else {
+		return get_interface_ip($if);
+	}
 }
 /*

--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -40,7 +40,7 @@ function vpn_ipsec_configure_loglevels($forconfig = false)
 		foreach ($ipsec_loglevels as $lkey => $ldescr) {
 			if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
 				mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
-			else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
+			else if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
 			    intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
 				$forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
 					mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
@@ -146,7 +146,6 @@ function vpn_ipsec_configure($ipchg = false)
 		$ipmap = array();
 		$rgmap = array();
 		$filterdns_list = array();
-		$listeniflist = array();
 		unset($iflist);
 		if (is_array($a_phase1) && count($a_phase1)) {
@@ -157,7 +156,6 @@ function vpn_ipsec_configure($ipchg = false)
 					continue;
 				$ikeid = $ph1ent['ikeid'];
-				$listeniflist = get_real_interface($a_phase1['interface']);
 				$ep = ipsec_get_phase1_src($ph1ent);
 				if (!is_ipaddr($ep))
@@ -392,7 +390,7 @@ EOD;
 		unset($strongswan);
 		/* generate CA certificates files */
-		if (is_array($config['ca']) && count($config['ca'])) {
+		if (isset($config['ca'])) {
 			foreach ($config['ca'] as $ca) {
 				if (!isset($ca['crt'])) {
 					log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
@@ -477,7 +475,7 @@ EOD;
 		}
 		/* add PSKs for mobile clients */
-		if (is_array($ipseccfg['mobilekey'])) {
+		if (isset($ipseccfg['mobilekey'])) {
 			foreach ($ipseccfg['mobilekey'] as $key) {
 				if ($key['ident'] == "allusers")
 					$key['ident'] = '';
@@ -535,14 +533,15 @@ EOD;
 				if (!isset($ph1ent['mobile']))
 					$peerid_spec = $peerid_data;
-				if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
+				if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
 					$ealgosp1 = '';
 					$ealg_id = $ph1ent['encryption-algorithm']['name'];
-					$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
+					if (isset($ph1ent['encryption-algorithm']['keylen'])){
-					if ($ealg_kl)
+						$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
-						$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
+					} else {
-					else
+							$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
-						$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
+					}
 					$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
 					if (!empty($modp))
@@ -691,7 +690,12 @@ EOD;
 						if (is_array($ph2ent['encryption-algorithm-option'])) {
 							foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
 								$ealg_id = $ealg['name'];
-								$ealg_kl = $ealg['keylen'];
+								if (isset($ealg['keylen'])) {
+									$ealg_kl = $ealg['keylen'];
+								} else {
+									$ealg_kl = null;
+								}
 								if (!empty($ealg_kl) && $ealg_kl == "auto") {
 									if (empty($p2_ealgos) || !is_array($p2_ealgos))