From b84506acd042a348fa0a776d15b49f4bfe6d6809 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 24 Jul 2015 15:34:17 +0000
Subject: [PATCH] (legacy) ipsec configuration issue when using carp ip (https://github.com/opnsense/core/issues/267)
---
 src/etc/inc/ipsec.inc | 31 +++++++++++++++++--------------
 src/etc/inc/vpn.inc | 28 ++++++++++++++++------------
 2 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 6cb3ff755..bc57773fb 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -94,28 +94,31 @@ $p2_pfskeygroups = array(
 * Return phase1 local address
 */
 function ipsec_get_phase1_src(& $ph1ent) {
-
- if ($ph1ent['interface']) {
+ if (!empty($ph1ent['interface'])) {
 if (!is_ipaddr($ph1ent['interface'])) {
- if ($ph1ent['protocol'] == "inet6") {
- $if = get_failover_interface($ph1ent['interface'], "inet6");
- $interfaceip = get_interface_ipv6($if);
+ if (strpos($ph1ent['interface'],'_vip') !== false) {
+ // if this is a vip, set the interface to $ph1ent['interface']
+ $if = $ph1ent['interface'];
 } else {
- $if = get_failover_interface($ph1ent['interface']);
- $interfaceip = get_interface_ip($if);
+ // not a vip, check failover interface
+ if ($ph1ent['protocol'] == "inet6") {
+ $if = get_failover_interface($ph1ent['interface'], "inet6");
+ } else {
+ $if = get_failover_interface($ph1ent['interface']);
+ }
 }
 } else {
- $interfaceip=$ph1ent['interface'];
+ // interface is an ip address, return
+ return $ph1ent['interface'];
 }
 } else {
 $if = "wan";
- if ($ph1ent['protocol'] == "inet6")
- $interfaceip = get_interface_ipv6($if);
- else
- $interfaceip = get_interface_ip($if);
 }
-
- return $interfaceip;
+ if ($ph1ent['protocol'] == "inet6") {
+ return get_interface_ipv6($if);
+ } else {
+ return get_interface_ip($if);
+ }
 }
 
 /*
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index c7f67e6c7..f1084e677 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
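Review bot: `strpos($ph1ent['interface'],'_vip') !== false` is a substring match, so any interface identifier that contains `_vip` anywhere, not only a CARP VIP id, skips the failover lookup and is handed straight to get_interface_ip()/get_interface_ipv6(). Whether those helpers accept a VIP identifier in place of a real interface name is not visible in this file; if they do, a comment on the branch would save the next reader the lookup, e.g. `// CARP vip ids are resolved by get_interface_ip()/get_interface_ipv6() directly; nothing to look up`. The header comment still reads only `Return phase1 local address`; it could name the three outcomes, `the literal ip, the vip address, or the (failover) interface address`. The `$ph1ent['protocol'] == "inet6"` test now appears twice in the function and could be evaluated once into a local before the branches.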
@@ -40,7 +40,7 @@ function vpn_ipsec_configure_loglevels($forconfig = false)
 foreach ($ipsec_loglevels as $lkey => $ldescr) {
 if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
 mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
- else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
+ else if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
 intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) $forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
@@ -146,7 +146,6 @@ function vpn_ipsec_configure($ipchg = false)
 $ipmap = array();
 $rgmap = array();
 $filterdns_list = array();
- $listeniflist = array();
 unset($iflist);
 
 if (is_array($a_phase1) && count($a_phase1)) {
@@ -157,7 +156,6 @@ function vpn_ipsec_configure($ipchg = false)
 continue;
 
 $ikeid = $ph1ent['ikeid'];
- $listeniflist = get_real_interface($a_phase1['interface']);
 $ep = ipsec_get_phase1_src($ph1ent);
 
 if (!is_ipaddr($ep))
@@ -392,7 +390,7 @@ EOD;
 unset($strongswan);
 
 /* generate CA certificates files */
- if (is_array($config['ca']) && count($config['ca'])) {
+ if (isset($config['ca'])) {
 foreach ($config['ca'] as $ca) {
 if (!isset($ca['crt'])) {
 log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
@@ -477,7 +475,7 @@ EOD;
 }
 
 /* add PSKs for mobile clients */
- if (is_array($ipseccfg['mobilekey'])) {
+ if (isset($ipseccfg['mobilekey'])) {
 foreach ($ipseccfg['mobilekey'] as $key) {
 if ($key['ident'] == "allusers")
 $key['ident'] = '';
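Review bot: The `else if` guard now avoids the undefined-index notice, but an `ipsec_{$lkey}` value that is set yet non-numeric or outside 1..5 still matches neither branch, so with `$forconfig` false no `stroke loglevel` call is issued and the daemon keeps whatever level it had. If that is intentional, say so on the line, `// values outside 1..5 leave the running loglevel untouched`; otherwise a final `else` issuing the same `-- -1` default as the first branch closes the gap. The head and tail of vpn_ipsec_configure_loglevels() are outside the hunk.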
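Review bot: `isset($config['ca'])` is weaker than the `is_array(...)` test it replaces: it is also true for a scalar, and if the config loader yields an empty string for an empty `<ca/>` element (not visible here) the `foreach ($config['ca'] as $ca)` on the next line raises a warning and is skipped. `if (!empty($config['ca']) && is_array($config['ca'])) {` keeps the notice-free behaviour the commit is after and still rejects non-arrays; the same applies to `isset($ipseccfg['mobilekey'])` in the hunk at -477. vpn_ipsec_configure() continues outside both hunks.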
@@ -535,14 +533,15 @@ EOD;
 if (!isset($ph1ent['mobile']))
 $peerid_spec = $peerid_data;
 
- if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
+ if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
 $ealgosp1 = '';
 $ealg_id = $ph1ent['encryption-algorithm']['name'];
- $ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
- if ($ealg_kl)
- $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
- else
- $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
+ if (isset($ph1ent['encryption-algorithm']['keylen'])){
+ $ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
+ } else {
+ $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
+ }
+
 
 $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
 if (!empty($modp))
@@ -691,7 +690,12 @@ EOD;
 if (is_array($ph2ent['encryption-algorithm-option'])) {
 foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
 $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
+ if (isset($ealg['keylen'])) {
+ $ealg_kl = $ealg['keylen'];
+ } else {
+ $ealg_kl = null;
+ }
+
 
 if (!empty($ealg_kl) && $ealg_kl == "auto") {
 $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
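Review bot: `isset($ph1ent['encryption-algorithm']['keylen'])` is true for a present-but-falsy keylen such as `"0"`, whereas the removed `if ($ealg_kl)` was a truthiness test, so such a value now takes the keylen branch and yields `ike = {$ealg_id}0-...` instead of the plain form. `if (!empty($ph1ent['encryption-algorithm']['keylen'])) {` preserves the old selection, still avoids the undefined-index notice the commit targets, and matches the `!empty($ealg_kl)` test used in the phase-2 hunk at -691. A space is also missing before the opening brace on that line, and the added blank `+` line lands beside an existing blank context line (going by the hunk's line counts), leaving two in a row; the same double blank appears in the hunk at -691.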
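Review bot: The five-line isset()/else block that initialises `$ealg_kl` says the same as a single ternary, `$ealg_kl = isset($ealg['keylen']) ? $ealg['keylen'] : null;`, and leaves the later `!empty($ealg_kl)` test unchanged. The enclosing foreach continues outside the hunk.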