From c13f8dd9877d5bdccdb9132f7774ab361685e1ea Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 20 Dec 2022 10:07:46 +0100 Subject: [PATCH] VPN/IPsec - disable charon.install_routes at all in case anyone upstream would implement it for FreeBSD at some point int time, the feature itself only seems to be relevant for linux: * https://github.com/strongswan/strongswan/blob/e09bc70d124554f8ee892f3ee4a988ce6d2e7c90/configure.ac#L63 * https://github.com/strongswan/strongswan/search?q=routing_table --- src/etc/inc/plugins.inc.d/ipsec.inc | 4 +--- src/www/vpn_ipsec_settings.php | 18 ------------------ 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc index 6fc9896e4..b237aff9a 100644 --- a/src/etc/inc/plugins.inc.d/ipsec.inc +++ b/src/etc/inc/plugins.inc.d/ipsec.inc @@ -947,9 +947,7 @@ function ipsec_write_strongswan_conf() } } - if (!empty($config['ipsec']['auto_routes_disable'])) { - $strongswanTree['charon']['install_routes'] = 'no'; - } + $strongswanTree['charon']['install_routes'] = 'no'; if (isset($a_client['enable']) && isset($a_client['net_list'])) { $strongswanTree['charon']['cisco_unity'] = 'yes'; } diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php index 4f96b19c7..b47590d25 100644 --- a/src/www/vpn_ipsec_settings.php +++ b/src/www/vpn_ipsec_settings.php @@ -39,7 +39,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig = array(); $pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']); $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']); - $pconfig['auto_routes_disable'] = isset($config['ipsec']['auto_routes_disable']); $pconfig['max_ikev1_exchanges'] = !empty($config['ipsec']['max_ikev1_exchanges']) ? $config['ipsec']['max_ikev1_exchanges'] : null; if (!empty($config['ipsec']['passthrough_networks'])) { $pconfig['passthrough_networks'] = explode(',', $config['ipsec']['passthrough_networks']); 
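Review bot: The now-unconditional `$strongswanTree['charon']['install_routes'] = 'no';` in ipsec_write_strongswan_conf() carries no comment explaining why the value is pinned, so the rationale exists only in the commit message. I would add above it `// charon route installation appears to be Linux-only upstream; pin it off so a future FreeBSD implementation cannot start altering the routing table unnoticed`. Separately, the vpn_ipsec_settings.php hunks drop the branch that unset `$config['ipsec']['auto_routes_disable']`, so as far as this patch shows, a previously saved key stays in existing configurations with nothing reading or clearing it; a one-time cleanup would keep the stored config consistent with the GUI. The function body starts and ends outside the hunk.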
@@ -103,11 +102,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { } elseif (isset($config['ipsec']['passthrough_networks'])) { unset($config['ipsec']['passthrough_networks']); } - if (!empty($pconfig['auto_routes_disable'])) { - $config['ipsec']['auto_routes_disable'] = true; - } elseif (isset($config['ipsec']['auto_routes_disable'])) { - unset($config['ipsec']['auto_routes_disable']); - } if (!empty($pconfig['max_ikev1_exchanges'])) { $config['ipsec']['max_ikev1_exchanges'] = $pconfig['max_ikev1_exchanges']; @@ -203,18 +197,6 @@ if (isset($input_errors) && count($input_errors) > 0) { - - - - /> - - - -