To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.
To be able to manage this, first upgrade the config to assign each phase2 a reqid. Second, use that during config generation. Ticket #4208
This commit is contained in:
parent
6db7ee23db
commit
b40137258e
@ -1,6 +1,6 @@
|
|||
<?xml version="1.0"?>
|
||||
<pfsense>
|
||||
<version>11.5</version>
|
||||
<version>11.6</version>
|
||||
<lastchange/>
|
||||
<theme>pfsense_ng</theme>
|
||||
<system>
|
||||
@ -671,4 +671,27 @@ function ipsec_fixup_network($network) {
|
|||
return $result;
|
||||
}
|
||||
|
||||
function ipsec_new_reqid() {
|
||||
global $config;
|
||||
|
||||
if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
|
||||
return;
|
||||
|
||||
$ipsecreqid = lock('ipsecreqids', LOCK_EX);
|
||||
$keyids = array();
|
||||
$keyid = 1;
|
||||
foreach ($config['ipsec']['phase2'] as $ph2)
|
||||
$keyids[$ph2['reqid']] = $ph2['reqid'];
|
||||
|
||||
for ($i = 1; $i < 16000; $i++) {
|
||||
if (!isset($keyids[$i])) {
|
||||
$keyid = $i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
unlock($ipsecreqid);
|
||||
|
||||
return $keyid;
|
||||
}
|
||||
|
||||
?>
|
||||
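Review bot: When every id from 1 to 15999 is already in use, the `for` loop exits without a match and the function returns the initial `$keyid = 1`, which is precisely the duplicate reqid this commit sets out to prevent; the early `return;` at the top likewise hands the caller `null`, which then gets stored as a reqid. Initialise with `$keyid = false;` and have callers treat `false` as an error, e.g. `if ($keyid === false) log_error("No free IPsec reqid available");` before `unlock()`. `$keyids[$ph2['reqid']]` is built without an `isset()` check, so an entry that still lacks a reqid raises a notice and occupies the `''` key instead of a number. Note also that `lock('ipsecreqids', LOCK_EX)` is released before the caller writes the new id into the config, so two concurrent saves can still both be handed the same id; either the lock must span the config write or the caller has to re-check uniqueness at save time.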
@ -3539,4 +3539,17 @@ function upgrade_114_to_115() {
|
|||
$config['unbound']['custom_options'] = base64_encode($config['unbound']['custom_options']);
|
||||
}
|
||||
|
||||
function upgrade_115_to_116() {
|
||||
global $config;
|
||||
|
||||
if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2']))
|
||||
return;
|
||||
|
||||
$keyid = 1;
|
||||
foreach ($config['ipsec']['phase2'] as $idx => $ph2) {
|
||||
$config['ipsec']['phase2'][$idx]['reqid'] = $keyid;
|
||||
$keyid++;
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
@ -668,6 +668,7 @@ EOD;
|
|||
$ipseclifetime = 0;
|
||||
$rightsubnet_spec = array();
|
||||
$leftsubnet_spec = array();
|
||||
$reqids = array();
|
||||
$ealgoAHsp2arr = array();
|
||||
$ealgoESPsp2arr = array();
|
||||
if (is_array($a_phase2) && count($a_phase2)) {
|
||||
|
@ -807,6 +808,7 @@ EOD;
|
|||
}
|
||||
}
|
||||
|
||||
$reqids[] = $ph2ent['reqid'];
|
||||
|
||||
if (!empty($ph2ent['lifetime'])) {
|
||||
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
|
||||
|
@ -860,6 +862,7 @@ EOD;
|
|||
$ipsecfin = '';
|
||||
foreach ($rightsubnet_spec as $idx => $rsubnet) {
|
||||
$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
|
||||
$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
|
||||
$ipsecfin .= $ipsecconnect;
|
||||
$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
|
||||
$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
|
||||
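Review bot: `$reqids[$idx]` on the new `reqid = ` line is read in lockstep with `$rightsubnet_spec[$idx]`, but `$reqids[]` is appended unconditionally for every `$ph2ent` (hunk @ -807) while `$rightsubnet_spec[]` is filled in a part of the loop this diff does not show; if any phase2 entry contributes to one array and not the other, the indices drift and a con block is emitted with another entry's reqid, or with an empty `reqid = ` line, which is the very clash the commit is fixing. Keying both arrays by the same explicit index, or at least guarding with `if (!empty($reqids[$idx]))` before emitting the line, makes the pairing visible. The same assumption sits behind `$reqids[0]` in the single-conn branch (hunk @ -868), which additionally presumes the array is non-empty. The enclosing generation loop begins and ends outside these hunks.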
|
@ -868,6 +871,7 @@ EOD;
|
|||
log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
|
||||
} else {
|
||||
$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
|
||||
$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
|
||||
$ipsecfin .= $ipsecconnect;
|
||||
if (!empty($rightsubnet_spec)) {
|
||||
$tempsubnets = array();
|
||||
|
@ -93,6 +93,7 @@ if ($ph2found === true)
|
|||
$pconfig['pfsgroup'] = $ph2['pfsgroup'];
|
||||
$pconfig['lifetime'] = $ph2['lifetime'];
|
||||
$pconfig['pinghost'] = $ph2['pinghost'];
|
||||
$pconfig['reqid'] = $ph2['reqid'];
|
||||
|
||||
if (isset($ph2['mobile']))
|
||||
$pconfig['mobile'] = true;
|
||||
|
@ -320,6 +321,10 @@ if ($_POST) {
|
|||
$ph2ent['uniqid'] = $pconfig['uniqid'];
|
||||
$ph2ent['mode'] = $pconfig['mode'];
|
||||
$ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
|
||||
if (!isset($pconfig['reqid']))
|
||||
$ph2ent['reqid'] = ipsec_new_reqid();
|
||||
else
|
||||
$ph2ent['reqid'] = $pconfig['reqid'];
|
||||
|
||||
if(($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")){
|
||||
if (!empty($pconfig['natlocalid_address']))
|
||||
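Review bot: `$ph2ent['reqid'] = $pconfig['reqid'];` stores whatever the hidden `reqid` field carried without validation, and that value is later written verbatim into the generated strongSwan `reqid = ` line in vpn.inc, so a non-numeric, empty or duplicate value from a crafted POST is accepted into the config. Validate it with the other fields, `if (isset($pconfig['reqid']) && !is_numericint($pconfig['reqid'])) $input_errors[] = gettext("Invalid reqid.");`, and for an existing entry prefer the reqid already stored on the loaded phase2 record over the posted one. `isset()` is true for an empty string, so `empty()` is the safer test before falling back to `ipsec_new_reqid()`, and a `null` return from that helper should be rejected rather than saved. The surrounding POST handler starts and ends outside this hunk.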
|
@ -832,6 +837,9 @@ function change_protocol() {
|
|||
<?php endif; ?>
|
||||
<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
|
||||
<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" />
|
||||
<?php if (!empty($pconfig['reqid'])): ?>
|
||||
<input name="reqid" type="hidden" value="<?=htmlspecialchars($pconfig['reqid']);?>" />
|
||||
<?php endif; ?>
|
||||
<input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" />
|
||||
</td>
|
||||
</tr>
|
||||