Ad Schellevis 2019-09-24 21:53:45 +02:00
parent 08e7fca0fc
commit 680bd22980
2 changed files with 39 additions and 2 deletions


@ -1395,6 +1395,12 @@ function ipsec_configure_do($verbose = false, $interface = '')
$rekey = "rekey = no";
} else {
$rekey = "rekey = yes";
if (!empty($ph1ent['margintime'])) {
$rekey .= "\n\tmargintime = {$ph1ent['margintime']}s";
}
if (!empty($ph1ent['rekeyfuzz'])) {
$rekey .= "\n\trekeyfuzz = {$ph1ent['rekeyfuzz']}%";
}
}
$forceencaps = 'forceencaps = no';
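Review bot: A rekeyfuzz of 0 never reaches the generated config, because `!empty($ph1ent['rekeyfuzz'])` is false for `'0'` in PHP, so the line is omitted and the daemon falls back to its default (the form code assumes 100). The phase 1 page has the same truthiness test in its validation hunk (`empty($pconfig['rekeyfuzz']) || ... ? 100`), while the new help text there says randomization can be disabled with rekeyfuzz=0%. Testing for presence instead would fix it, e.g. `if (isset($ph1ent['rekeyfuzz']) && $ph1ent['rekeyfuzz'] !== '') {`. Both values are also interpolated verbatim into the config text, so emitting them as `(int)$ph1ent['margintime']` and `(int)$ph1ent['rekeyfuzz']` would keep a stored value that did not pass the form's integer check from adding extra lines to the file. The enclosing function starts and ends outside the hunk.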


@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['iketype'] = "ikev2";
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal,rightallowany
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref,margintime,rekeyfuzz
,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike";
if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
// 1-on-1 copy
@ -236,6 +236,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) {
$input_errors[] = gettext("The P1 lifetime must be an integer.");
}
if (!empty($pconfig['margintime'])) {
if (!is_numericint($pconfig['margintime'])) {
$input_errors[] = gettext("The margintime must be an integer.");
} else {
$rekeyfuzz = empty($pconfig['rekeyfuzz']) || !is_numeric($pconfig['rekeyfuzz']) ? 100 : $pconfig['rekeyfuzz'];
if (((int)$pconfig['margintime'] * 2) * ($rekeyfuzz / 100.0) > (int)$pconfig['lifetime']) {
$input_errors[] = gettext("The value margin... + margin... * rekeyfuzz must not exceed the original lifetime limit.");
}
}
}
if (!empty($pconfig['rekeyfuzz']) && !is_numericint($pconfig['rekeyfuzz'])) {
$input_errors[] = gettext("Rekeyfuzz must be an integer.");
}
if (!empty($pconfig['remote-gateway'])) {
if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) {
@ -362,7 +375,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (count($input_errors) == 0) {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,
,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz
,lifetime,pre-shared-key,certref,caref,authentication_method,descr,local-kpref,peer-kpref
,nat_traversal,auto,mobike";
@ -1151,6 +1164,24 @@ endforeach; ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_margintime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Margintime"); ?></td>
<td>
<input name="margintime" type="text" id="margintime" value="<?=$pconfig['margintime'];?>" />
<div class="hidden" data-for="help_for_margintime">
<?=gettext("Time before SA expiry the rekeying should start. (seconds)"); ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_rekeyfuzz" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Rekeyfuzz"); ?></td>
<td>
<input name="rekeyfuzz" type="text" id="rekeyfuzz" value="<?=$pconfig['rekeyfuzz'];?>" />
<div class="hidden" data-for="help_for_rekeyfuzz">
<?=gettext("Percentage by which margintime is randomly increased (may exceed 100%). Randomization may be disabled by setting rekeyfuzz=0%."); ?>
</div>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
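Review bot: The margintime bound in the `@ -236,6 +236,19` hunk does not compute what its own error message states: `((int)$pconfig['margintime'] * 2) * ($rekeyfuzz / 100.0)` equals margintime + margintime * rekeyfuzz only when rekeyfuzz is 100. Below 100 the check is too lenient (at 50 it accepts margintime up to the full lifetime although the worst-case margin is 1.5 times margintime), and above 100 it is too strict. A form matching the message would be `if ((int)$pconfig['margintime'] * (1 + $rekeyfuzz / 100.0) > (int)$pconfig['lifetime']) {`. An empty lifetime also casts to 0 here, so any margintime would be rejected unless lifetime is required elsewhere, which this hunk does not show.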