From e2534f5a09abc8d5bda930907dd14f6c7ba4e913 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 21 Apr 2021 18:26:22 +0200 Subject: [PATCH] add "keyingtries" to IPsec Phase1 config, closes https://github.com/opnsense/core/issues/4204 --- src/etc/inc/plugins.inc.d/ipsec.inc | 7 +++++++ src/www/vpn_ipsec_phase1.php | 19 +++++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc index fad3684ad..6eb9c9b2a 100644 --- a/src/etc/inc/plugins.inc.d/ipsec.inc +++ b/src/etc/inc/plugins.inc.d/ipsec.inc @@ -1532,6 +1532,12 @@ function ipsec_configure_do($verbose = false, $interface = '') } else { $inactivityline = ''; } + if (!empty($ph1ent['keyingtries'])) { + $keyingtriesline = "keyingtries = " ; + $keyingtriesline .= $ph1ent['keyingtries'] == -1 ? "%forever" : $ph1ent['keyingtries']; + } else { + $keyingtriesline = ''; + } if (!empty($ph1ent['lifetime'])) { $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; @@ -1663,6 +1669,7 @@ conn con<> type = {$parsed_phase2['type']} {$dpdline} {$inactivityline} + {$keyingtriesline} left = {$left_spec} right = {$right_spec} {$right_any} diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 473381568..20978a506 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php 
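Review bot: `$ph1ent['keyingtries']` is written into the generated connection block exactly as stored, so the only thing keeping the `keyingtries = …` line well-formed is the form check in vpn_ipsec_phase1.php, which a config.xml restored or edited outside the GUI never passes through. Normalising at write time would limit the line to `%forever` or a plain number, e.g. `$tries = (int)$ph1ent['keyingtries'];` then `$keyingtriesline = 'keyingtries = ' . ($tries === -1 ? '%forever' : $tries);`, skipping the line when `$tries < -1`. Also note that `!empty()` treats a stored `0` as unset, so no line is emitted for it; a short comment would help if that is intended. The body of ipsec_configure_do starts and ends outside this hunk.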
@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data ,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal,rightallowany,inactivity_timeout ,interface,iketype,dpd_delay,dpd_maxfail,dpd_action,remote-gateway,pre-shared-key,certref,margintime,rekeyfuzz - ,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike"; + ,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike,keyingtries"; if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { // 1-on-1 copy foreach (explode(",", $phase1_fields) as $fieldname) { @@ -236,6 +236,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (!empty($pconfig['inactivity_timeout']) && !is_numericint($pconfig['inactivity_timeout'])) { $input_errors[] = gettext("The inactivity timeout must be an integer."); } + if (!empty($pconfig['keyingtries']) && !is_numericint($pconfig['keyingtries']) && $pconfig['keyingtries'] != "-1") { + $input_errors[] = gettext("The keyingtries must be an integer."); + } if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) { $input_errors[] = gettext("The P1 lifetime must be an integer."); @@ -393,7 +396,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (count($input_errors) == 0) { $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data - ,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz,inactivity_timeout + ,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz,inactivity_timeout,keyingtries ,lifetime,pre-shared-key,certref,caref,authentication_method,descr,local-kpref,peer-kpref ,nat_traversal,auto,mobike"; @@ -1202,6 +1205,18 @@ endforeach; ?> + + + + + + +
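Review bot: The `-1` exception in the added keyingtries check uses a loose comparison, `$pconfig['keyingtries'] != "-1"`, and PHP compares two numeric strings numerically, so inputs such as `-1.0` or `-1e0` also skip the error and, as far as this hunk shows, are saved unchanged. The generator in ipsec.inc happens to map them to `%forever` through its own `== -1`, but the stored value is then not canonical. A strict comparison, `&& $pconfig['keyingtries'] !== "-1"`, closes that gap. The message "The keyingtries must be an integer." could also mention that -1 is accepted. The surrounding validation block extends outside the hunk.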