IPsec: Bring down connections after reloading configuration
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 17 Sep 2020 16:35:21 +0000 (16:35 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 24 Sep 2020 17:36:38 +0000 (17:36 +0000)
It could happen that the remote peer re-established the connection
before "ipsec reload" removed it from the daemon.

Now, we write the configuration files first, reload them
and then bring down any connections that are still established.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/vpnmain.cgi
src/misc-progs/ipsecctrl.c

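--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -689,12 +689,12 @@ END
                        my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
                        if ($test =~ /: OK/) {
                                # Delete connection
-                               system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
                                unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
                                unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
                                delete $confighash{$key};
                                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                                &writeipsecfiles();
+                               system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
                        }
                }
                unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
@@ -1227,10 +1227,10 @@ END
                        &writeipsecfiles();
                        system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
                } else {
-                       system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
                        $confighash{$cgiparams{'KEY'}}[0] = 'off';
                        &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                        &writeipsecfiles();
+                       system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
                }
                sleep $sleepDelay;
        } else {
@@ -1261,12 +1261,12 @@ END
        &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 
        if ($confighash{$cgiparams{'KEY'}}) {
-               system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
                unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
                unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
                delete $confighash{$cgiparams{'KEY'}};
                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                &writeipsecfiles();
+               system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
        } else {
                $errormessage = $Lang::tr{'invalid key'};
        }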
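Review bot: The exit status of the `system('/usr/local/bin/ipsecctrl', 'D', …)` call that all three hunks move to the end of their branch (after `&writeipsecfiles()`) is still never checked, and now that it is the last action in each branch a failed teardown goes unnoticed: in the two deletion hunks the certificates and the config entry have already been removed from disk by the time it runs, so nothing in the UI would indicate that the tunnel is still established. Since `&vpnenabled` already gates the call, the check fits in the same conditional, e.g. `if (&vpnenabled) { $errormessage = $Lang::tr{'<placeholder: ipsecctrl failure key>'} if system('/usr/local/bin/ipsecctrl', 'D', $key) != 0; }` (using `$cgiparams{'KEY'}` in the second and third hunks), with `$?` available for a log line if the project wants one. The same would apply to the unchanged `'S'` call in the second hunk, but that is outside this change. The enclosing request handlers start and end outside the hunks.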
index 2a64775f025fcb6cef634bf00c173ff90d834c0c..001587fca0d72434b348e6e49dbd5016c01c3797 100644 (file)
@@ -141,14 +141,14 @@ void turn_connection_off (char *name) {
         */
         char command[STRING_SIZE];
 
+       // Reload, so the connection is dropped.
+       ipsec_reload();
+
        // Bring down the connection.
         snprintf(command, STRING_SIZE - 1, 
                 "/usr/sbin/ipsec down %s >/dev/null", name);
         safe_system(command);
 
-       // Reload, so the connection is dropped.
-       ipsec_reload();
-
        // Reload the IPsec firewall policy
        safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");