diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 31c409be6..3f102b550 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1395,6 +1395,12 @@ function ipsec_configure_do($verbose = false, $interface = '')
 $rekey = "rekey = no";
 } else {
 $rekey = "rekey = yes";
+ if (!empty($ph1ent['margintime'])) {
+ $rekey .= "\n\tmargintime = {$ph1ent['margintime']}s";
+ }
+ if (!empty($ph1ent['rekeyfuzz'])) {
+ $rekey .= "\n\trekeyfuzz = {$ph1ent['rekeyfuzz']}%";
+ }
 }
 
 $forceencaps = 'forceencaps = no';
diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index 2b8ea5788..66846345b 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['iketype'] = "ikev2";
 $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
 ,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal,rightallowany
- ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
+ ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref,margintime,rekeyfuzz
 ,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike";
 if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
 // 1-on-1 copy
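Review bot: The two new `$rekey .=` lines interpolate `$ph1ent['margintime']` and `$ph1ent['rekeyfuzz']` straight into the generated strongSwan configuration and rely on the web form having validated them; a value that reaches the stored config by another route (config import, restore, or a direct edit) is not covered by that check, and one containing a newline would add extra lines to the generated file. Casting at the point of use keeps the writer self-contained regardless of where the value came from: `$rekey .= "\n\tmargintime = " . (int)$ph1ent['margintime'] . "s";` and `$rekey .= "\n\trekeyfuzz = " . (int)$ph1ent['rekeyfuzz'] . "%";`. A short comment above the first line, `// margintime/rekeyfuzz are optional; only emit them when configured`, would also help the next reader. ipsec_configure_do starts and ends outside the hunk.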
@@ -236,6 +236,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) { $input_errors[] = gettext("The P1 lifetime must be an integer."); } + if (!empty($pconfig['margintime'])) { + if (!is_numericint($pconfig['margintime'])) { + $input_errors[] = gettext("The margintime must be an integer."); + } else { + $rekeyfuzz = empty($pconfig['rekeyfuzz']) || !is_numeric($pconfig['rekeyfuzz']) ? 100 : $pconfig['rekeyfuzz']; + if (((int)$pconfig['margintime'] * 2) * ($rekeyfuzz / 100.0) > (int)$pconfig['lifetime']) { + $input_errors[] = gettext("The value margin... + margin... * rekeyfuzz must not exceed the original lifetime limit."); + } + } + } + if (!empty($pconfig['rekeyfuzz']) && !is_numericint($pconfig['rekeyfuzz'])) { + $input_errors[] = gettext("Rekeyfuzz must be an integer."); + } if (!empty($pconfig['remote-gateway'])) { if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) { @@ -362,7 +375,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (count($input_errors) == 0) { $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data - ,peerid_type,peerid_data,encryption-algorithm, + ,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz ,lifetime,pre-shared-key,certref,caref,authentication_method,descr,local-kpref,peer-kpref ,nat_traversal,auto,mobike"; @@ -1151,6 +1164,24 @@ endforeach; ?> + + + + + + + + + + + + + +
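Review bot: The rekey-window check on the `if (((int)$pconfig['margintime'] * 2) * ($rekeyfuzz / 100.0) > (int)$pconfig['lifetime'])` line does not appear to match what it guards against: if strongSwan schedules rekeying at lifetime minus margintime minus a random amount of up to margintime*rekeyfuzz/100, the worst case is `(int)$pconfig['margintime'] * (1 + $rekeyfuzz / 100.0)`, so the current `* 2 * fuzz` form under-rejects for rekeyfuzz below 100 and over-rejects above it; worth confirming against the strongSwan documentation before changing. The comparison also casts `$pconfig['lifetime']` with `(int)`, and since the lifetime check just above tolerates an empty value, an empty lifetime becomes 0 and any non-zero margintime is rejected — resolve the effective lifetime (the same default the config writer applies) before comparing. The message `"The value margin... + margin... * rekeyfuzz must not exceed the original lifetime limit."` reads as garbled (this may be page truncation); if it is the real string, spell out `margintime` so the user knows which field to change. The enclosing request handler starts and ends outside the hunk.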