VPN / IPsec / Advanced settings - add charon.max_ikev1_exchanges option, closes https://github.com/opnsense/core/issues/5268

Ad Schellevis 2021-10-11 15:27:02 +02:00
parent d54a1c386b
commit a16fbdf2c5
2 changed files with 29 additions and 0 deletions


@ -1142,6 +1142,9 @@ function ipsec_configure_do($verbose = false, $interface = '')
if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$strongswanTree['charon']['cisco_unity'] = 'yes';
}
if (!empty($config['ipsec']['max_ikev1_exchanges'])) {
$strongswanTree['charon']['max_ikev1_exchanges'] = $config['ipsec']['max_ikev1_exchanges'];
}
// Debugging configuration
// lkey is the log key, which is a three-letter abbreviation of the subsystem to log, e.g. `ike`.


@ -40,6 +40,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
$pconfig['auto_routes_disable'] = isset($config['ipsec']['auto_routes_disable']);
$pconfig['max_ikev1_exchanges'] = !empty($config['ipsec']['max_ikev1_exchanges']) ? $config['ipsec']['max_ikev1_exchanges'] : null;
if (!empty($config['ipsec']['passthrough_networks'])) {
$pconfig['passthrough_networks'] = explode(',', $config['ipsec']['passthrough_networks']);
} else {
@ -66,6 +67,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['passthrough_networks'] = array();
}
if (!empty($pconfig['max_ikev1_exchanges']) && (
(int)$pconfig['max_ikev1_exchanges'] != $pconfig['max_ikev1_exchanges'] ||
(int)$pconfig['max_ikev1_exchanges'] < 0
)) {
$input_errors[] = gettext('Maximum IKEv1 phase 2 exchanges should be a positive integer number.');
}
// save form data
if (count($input_errors) == 0) {
if (!empty($pconfig['disablevpnrules'])) {
@ -101,6 +109,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['ipsec']['auto_routes_disable']);
}
if (!empty($pconfig['max_ikev1_exchanges'])) {
$config['ipsec']['max_ikev1_exchanges'] = $pconfig['max_ikev1_exchanges'];
} elseif (isset($config['ipsec']['max_ikev1_exchanges'])) {
unset($config['ipsec']['max_ikev1_exchanges']);
}
write_config();
$savemsg = get_std_save_message();
filter_configure();
@ -201,6 +215,18 @@ if (isset($input_errors) && count($input_errors) > 0) {
</div>
</td>
</tr>
<tr>
<td><a id="help_for_max_ikev1_exchanges" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum IKEv1 phase 2 exchanges"); ?></td>
<td style="width:78%" class="vtable">
<input name="max_ikev1_exchanges" type="text" id="max_ikev1_exchanges" value="<?=$pconfig['max_ikev1_exchanges'];?>" />
<div class="hidden" data-for="help_for_max_ikev1_exchanges">
<?=gettext(
"Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and track concurrently. ".
"When using multiple phase 2 definitions a higher value than the default (3) would be advisable to prevent re-keying issues."
); ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_ipsec_debug" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPsec Debug"); ?></td>
<td>
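Review bot: The validation in the second hunk relies on a loose `(int)$x != $x` comparison, so on PHP 7 a leading-numeric string such as `3 foo` compares equal to `(int)` 3, passes the check, and is then stored verbatim by the save branch and (per the ipsec.inc hunk) placed as-is into the charon section of the generated strongSwan configuration; on PHP 8 the check still admits `3.0`. Validate with `if (!empty($pconfig['max_ikev1_exchanges']) && filter_var($pconfig['max_ikev1_exchanges'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {` and store the normalised `(int)$pconfig['max_ikev1_exchanges']` in the save branch so only a canonical positive integer reaches the daemon configuration. The error message also promises a "positive integer" while the check only rejects values below zero, and `min_range => 1` makes the two agree (zero is already dropped by the `!empty()` guard). Separately, the new `<input>` echoes `$pconfig['max_ikev1_exchanges']` unescaped; since the form appears to be re-rendered with the submitted value after a validation error, escape it as `value="<?=htmlspecialchars($pconfig['max_ikev1_exchanges'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');?>"`.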