Commit c2819c16 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(ipsec) add mobike switch, change leftsendcert to always, etc.

PR: https://github.com/opnsense/core/issues/1393

(cherry picked from commit 212fd9aa)
(cherry picked from commit 71bc4cb3)
(cherry picked from commit 0327622c)
parent 50bb60fc
...@@ -884,12 +884,9 @@ EOD; ...@@ -884,12 +884,9 @@ EOD;
if (isset($ph1ent['disabled'])) { if (isset($ph1ent['disabled'])) {
continue; continue;
} }
$conn_params = "";
if ($ph1ent['mode'] == "aggressive") { $aggressive = $ph1ent['mode'] == "aggressive" ? "yes" : "no";
$aggressive = "yes"; $mobike = !empty($ph1ent['mobike']) ? "mobike = no" : " mobike = yes";
} else {
$aggressive = "no";
}
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
if (empty($ep)) { if (empty($ep)) {
...@@ -991,6 +988,7 @@ EOD; ...@@ -991,6 +988,7 @@ EOD;
} }
if (!empty($ph1ent['certref'])) { if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt"; $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
$authentication .= "\n\tleftsendcert = always";
} }
if (!empty($ph1ent['caref'])) { if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']); $ca = lookup_ca($ph1ent['caref']);
...@@ -1177,6 +1175,7 @@ conn con<<connectionId>> ...@@ -1177,6 +1175,7 @@ conn con<<connectionId>>
{$reauth} {$reauth}
{$rekey} {$rekey}
{$forceencaps} {$forceencaps}
{$mobike}
installpolicy = yes installpolicy = yes
{$tunneltype} {$tunneltype}
{$dpdline} {$dpdline}
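Review bot: The two branches of the `$mobike` assignment in the `-884` hunk differ in leading whitespace — `"mobike = no"` has none while `" mobike = yes"` carries a space — so the line emitted through `{$mobike}` in the `conn` template of the `-1177` hunk is indented differently depending on the setting. A single form such as `$mobike = 'mobike = ' . (!empty($ph1ent['mobike']) ? 'no' : 'yes');` removes the inconsistency and makes the inversion (checkbox set means MOBIKE disabled) visible at a glance. Both hunks are inside a loop and a heredoc whose start and end lie outside the hunk. The `leftsendcert = always` line added in the `-991` hunk would also benefit from a one-line why-comment, since it forces the gateway to send its certificate even when the peer has not asked for it (the strongSwan default is `ifasked`); something like `// always send our certificate, even without a CERTREQ from the peer -- TODO: record which clients require this`.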
...@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers"; ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike";
if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
// 1-on-1 copy // 1-on-1 copy
foreach (explode(",", $phase1_fields) as $fieldname) { foreach (explode(",", $phase1_fields) as $fieldname) {
...@@ -353,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -353,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
,lifetime,pre-shared-key,certref,caref,authentication_method,descr ,lifetime,pre-shared-key,certref,caref,authentication_method,descr
,nat_traversal,auto"; ,nat_traversal,auto,mobike";
foreach (explode(",",$copy_fields) as $fieldname) { foreach (explode(",",$copy_fields) as $fieldname) {
$fieldname = trim($fieldname); $fieldname = trim($fieldname);
...@@ -361,7 +361,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -361,7 +361,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$ph1ent[$fieldname] = $pconfig[$fieldname]; $ph1ent[$fieldname] = $pconfig[$fieldname];
} }
} }
$ph1ent['authservers'] = implode(',', $pconfig['authservers']); if (!empty($pconfig['authservers'])) {
$ph1ent['authservers'] = implode(',', $pconfig['authservers']);
}
$ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false;
$ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null; $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
...@@ -469,8 +471,6 @@ include("head.inc"); ...@@ -469,8 +471,6 @@ include("head.inc");
case 'eap-mschapv2': case 'eap-mschapv2':
$(".auth_eap_tls").show(); $(".auth_eap_tls").show();
$(".auth_eap_tls :input").prop( "disabled", false ); $(".auth_eap_tls :input").prop( "disabled", false );
$(".auth_eap_tls_caref").show();
$(".auth_eap_tls_caref :input").prop( "disabled", false );
break; break;
case 'eap-radius': case 'eap-radius':
$(".auth_eap_tls").show(); $(".auth_eap_tls").show();
...@@ -1016,6 +1016,15 @@ endforeach; ?> ...@@ -1016,6 +1016,15 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_mobike" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disable MOBIKE"); ?></td>
<td>
<input name="mobike" type="checkbox" id="mobike" <?=!empty($pconfig['mobike']) ? "checked=\"checked\"":"";?> />
<div class="hidden" for="help_for_mobike">
<?=gettext("Disables the IKEv2 MOBIKE protocol defined by RFC 4555");?>
</div>
</td>
</tr>
<tr> <tr>
<td><a id="help_for_dpd_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Dead Peer Detection"); ?></td> <td><a id="help_for_dpd_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Dead Peer Detection"); ?></td>
<td> <td>
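Review bot: The new guard around `implode(',', $pconfig['authservers'])` in the `-361` hunk only covers the empty case; if the request carries `authservers` as a scalar string instead of an array, `implode()` still fails (a warning or a TypeError depending on the PHP version), so `if (!empty($pconfig['authservers']) && is_array($pconfig['authservers'])) {` is the tighter check for a value that arrives straight from the form. The surrounding save handler starts and ends outside the hunk. The `mobike` field added to `$copy_fields` in the `-353` hunk is persisted as the raw posted value rather than normalised the way `disabled` is two lines below; that appears to follow how the other fields in that list are handled, but a short comment noting that ipsec.inc tests it with `!empty()` would keep a later maintainer from "fixing" it into a boolean and silently changing the generated config.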