From d55e5d50b697f6b58f8a2a739ac8ac5937971cdb Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 23 Nov 2022 17:31:03 +0100
Subject: [PATCH] VPN: IPsec: Tunnel Settings - add Unique selection so people can easily revert to Strongswan's default (no) if they want. Not going to backport this, but in 22.7.x unique was called uniqueids and forcefully set to "yes", which according to the documentation (https://wiki.strongswan.org/projects/strongswan/wiki/connsection) is not compatible with a closeaction as this might lead to an avalanche of reconnecting children for the same connection. Although swanctl (https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html) doesn't explicitly mention an incompatibility, our defaults are different than the ones being configured nowadays. Adding the option does seem to make sense.
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 2 +-
 src/www/vpn_ipsec_phase1.php | 31 +++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index cf61da854..05e39015e 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -1304,7 +1304,7 @@ function ipsec_configure_do($verbose = false, $interface = '')
 }
 $connection = [
- 'unique' => 'replace',
+ 'unique' => !empty($ph1ent['unique']) ? $ph1ent['unique'] : 'replace',
 'aggressive' => $ph1ent['mode'] ?? '' == 'aggressive' ? 'yes' : 'no',
 'version' => ($ph1ent['iketype'] ?? '') == 'ikev2' ? 2 : 1,
 'mobike' => !empty($ph1ent['mobike']) ? 'no' : 'yes',
diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index 7ca2ab712..9c78449d7 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
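Review bot: The new `'unique'` entry forwards whatever string is stored in `$ph1ent['unique']` into the swanctl connection without checking it against the values the form accepts, so a value that reaches the config by another path (an imported or hand-edited config.xml, an API client) lands verbatim in the generated strongSwan configuration and can make that connection fail to load. The allow-list check in vpn_ipsec_phase1.php only guards the web form; applying the same list at the writer keeps the two in step, e.g. `'unique' => in_array($ph1ent['unique'] ?? '', ['no', 'replace', 'never', 'keep'], true) ? $ph1ent['unique'] : 'replace',`. Separately, the unchanged `'aggressive'` line just below reads `$ph1ent['mode'] ?? '' == 'aggressive'`; since `==` binds tighter than `??` this appears to evaluate `$ph1ent['mode'] ?? false`, and any non-empty mode string is truthy, which would emit `aggressive = yes` for main-mode tunnels as well — worth confirming, given that aggressive mode with PSK authentication is a known weakness, and the `'version'` line directly under it shows the intended parenthesised form. ipsec_configure_do continues outside the hunk.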
@@ -89,7 +89,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 ,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal,rightallowany,inactivity_timeout
 ,interface,iketype,dpd_delay,dpd_maxfail,dpd_action,remote-gateway,pre-shared-key,certref,margintime,rekeyfuzz
 ,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike,keyingtries
- ,closeaction";
+ ,closeaction,unique";
 if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
 // 1-on-1 copy
 foreach (explode(",", $phase1_fields) as $fieldname) {
@@ -347,6 +347,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_errors[] = gettext('Invalid argument for close action.');
 }
 
+ if (!empty($pconfig['unique']) && !in_array($pconfig['unique'], ['no', 'replace', 'never', 'keep'])) {
+ $input_errors[] = gettext('Invalid argument for unique.');
+ }
+
 if (!empty($pconfig['dpd_enable'])) {
 if (!is_numeric($pconfig['dpd_delay'])) {
 $input_errors[] = gettext("A numeric value must be specified for DPD delay.");
@@ -403,7 +407,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
 ,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz,inactivity_timeout,keyingtries
 ,lifetime,pre-shared-key,certref,caref,authentication_method,descr,local-kpref,peer-kpref
- ,nat_traversal,auto,mobike,closeaction";
+ ,nat_traversal,auto,mobike,closeaction,unique";
 foreach (explode(",",$copy_fields) as $fieldname) {
 $fieldname = trim($fieldname);
@@ -1211,6 +1215,29 @@ endforeach; ?>
+ + + + + />
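Review bot: The allow-list check added for `$pconfig['unique']` in the `@@ -347` hunk calls `in_array` without the strict flag; the value is presumably populated from the submitted form, so loose comparison happens to work for plain strings, but `in_array($pconfig['unique'], ['no', 'replace', 'never', 'keep'], true)` rules out type juggling should the input ever not be a string and matches the strict-comparison rule a reviewer would expect here. The same four values are what ipsec.inc passes straight through to swanctl, so a one-line comment above the check, `// must stay in sync with the values ipsec_configure_do() writes to swanctl`, would make that coupling visible to the next person who extends the list. The surrounding validation block begins before this hunk, and the template hunk at `@@ -1211` has lost its markup in this rendering, so the new select element itself could not be reviewed.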