From af183eeb785d5a2ba0e233da168a4f2f8ef06260 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 4 Dec 2017 17:31:53 +0000
Subject: [PATCH] IPsec: Allow configuring inactivity timeout when in on-demand mode

Signed-off-by: Michael Tremer
---
 doc/language_issues.es | 6 ++++
 doc/language_issues.fr | 6 ++++
 doc/language_issues.it | 6 ++++
 doc/language_issues.nl | 6 ++++
 doc/language_issues.pl | 6 ++++
 doc/language_issues.ru | 6 ++++
 doc/language_issues.tr | 6 ++++
 doc/language_missings | 42 +++++++++++++++++++++++++++
 html/cgi-bin/vpnmain.cgi | 61 +++++++++++++++++++++++++++++++++++++---
 langs/de/cgi-bin/de.pl | 6 ++++
 langs/en/cgi-bin/en.pl | 6 ++++
 11 files changed, 153 insertions(+), 4 deletions(-)

diff --git a/doc/language_issues.es b/doc/language_issues.es
index f030fdaa09..6df3241592 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -787,6 +787,7 @@ WARNING: untranslated string: emerging rules
 WARNING: untranslated string: encryption
 WARNING: untranslated string: entropy
 WARNING: untranslated string: entropy graphs
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
 WARNING: untranslated string: fireinfo is enabled
@@ -813,6 +814,7 @@ WARNING: untranslated string: firewall log port
 WARNING: untranslated string: firewall logs country
 WARNING: untranslated string: firewall rules
 WARNING: untranslated string: first
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: flag
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fw default drop
@@ -1020,6 +1022,7 @@ WARNING: untranslated string: info messages
 WARNING: untranslated string: integrity
 WARNING: untranslated string: invalid input for dpd delay
 WARNING: untranslated string: invalid input for dpd timeout
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: ipsec
@@ -1139,6 +1142,8 @@ WARNING: untranslated string: system has rdrand
 WARNING: untranslated string: system information
 WARNING: untranslated string: ta key
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: tor
 WARNING: untranslated string: tor accounting
 WARNING: untranslated string: tor accounting bytes
@@ -1204,6 +1209,7 @@ WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 2c5fc31d63..f8360f3b62 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -796,6 +796,7 @@ WARNING: untranslated string: emerging rules
 WARNING: untranslated string: encryption
 WARNING: untranslated string: entropy
 WARNING: untranslated string: entropy graphs
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
 WARNING: untranslated string: fireinfo is enabled
@@ -822,6 +823,7 @@ WARNING: untranslated string: firewall log port
 WARNING: untranslated string: firewall logs country
 WARNING: untranslated string: firewall rules
 WARNING: untranslated string: first
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: flag
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fw default drop
@@ -1036,6 +1038,7 @@ WARNING: untranslated string: info messages
 WARNING: untranslated string: integrity
 WARNING: untranslated string: invalid input for dpd delay
 WARNING: untranslated string: invalid input for dpd timeout
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: ipsec
@@ -1152,6 +1155,8 @@ WARNING: untranslated string: system has rdrand
 WARNING: untranslated string: system information
 WARNING: untranslated string: ta key
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: tor
 WARNING: untranslated string: tor accounting
 WARNING: untranslated string: tor accounting bytes
@@ -1220,6 +1225,7 @@ WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 805bc1209f..abd7da4a0b 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -769,12 +769,14 @@ WARNING: untranslated string: email settings
 WARNING: untranslated string: email testmail
 WARNING: untranslated string: email tls
 WARNING: untranslated string: email usemail
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: firewall graph country
 WARNING: untranslated string: firewall graph ip
 WARNING: untranslated string: firewall graph port
 WARNING: untranslated string: firewall log country
 WARNING: untranslated string: firewall log ip
 WARNING: untranslated string: firewall log port
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fwdfw err concon
 WARNING: untranslated string: fwdfw err ratecon
@@ -837,6 +839,7 @@ WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: incoming compression in bytes per second
 WARNING: untranslated string: incoming overhead in bytes per second
 WARNING: untranslated string: info messages
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: log server protocol
@@ -869,6 +872,8 @@ WARNING: untranslated string: samba join a domain
 WARNING: untranslated string: samba join domain
 WARNING: untranslated string: search
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: twelve hours
 WARNING: untranslated string: two weeks
 WARNING: untranslated string: udp less overhead
@@ -880,6 +885,7 @@ WARNING: untranslated string: uplink bit rate
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
 WARNING: untranslated string: vpn start action route
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 65670849e2..005fdcd851 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -781,6 +781,7 @@ WARNING: untranslated string: email settings
 WARNING: untranslated string: email testmail
 WARNING: untranslated string: email tls
 WARNING: untranslated string: email usemail
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: firewall graph country
 WARNING: untranslated string: firewall graph ip
 WARNING: untranslated string: firewall graph port
@@ -788,6 +789,7 @@ WARNING: untranslated string: firewall log country
 WARNING: untranslated string: firewall log ip
 WARNING: untranslated string: firewall log port
 WARNING: untranslated string: firewall logs country
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fwdfw err concon
 WARNING: untranslated string: fwdfw err ratecon
@@ -853,6 +855,7 @@ WARNING: untranslated string: imsi
 WARNING: untranslated string: incoming compression in bytes per second
 WARNING: untranslated string: incoming overhead in bytes per second
 WARNING: untranslated string: info messages
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: log server protocol
@@ -915,6 +918,8 @@ WARNING: untranslated string: software version
 WARNING: untranslated string: source ip country
 WARNING: untranslated string: ta key
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: twelve hours
 WARNING: untranslated string: two weeks
 WARNING: untranslated string: udp less overhead
@@ -928,6 +933,7 @@ WARNING: untranslated string: vendor
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
 WARNING: untranslated string: vpn start action route
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index f030fdaa09..6df3241592 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -787,6 +787,7 @@ WARNING: untranslated string: emerging rules
 WARNING: untranslated string: encryption
 WARNING: untranslated string: entropy
 WARNING: untranslated string: entropy graphs
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: fireinfo ipfire version
 WARNING: untranslated string: fireinfo is disabled
 WARNING: untranslated string: fireinfo is enabled
@@ -813,6 +814,7 @@ WARNING: untranslated string: firewall log port
 WARNING: untranslated string: firewall logs country
 WARNING: untranslated string: firewall rules
 WARNING: untranslated string: first
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: flag
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fw default drop
@@ -1020,6 +1022,7 @@ WARNING: untranslated string: info messages
 WARNING: untranslated string: integrity
 WARNING: untranslated string: invalid input for dpd delay
 WARNING: untranslated string: invalid input for dpd timeout
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: ipsec
@@ -1139,6 +1142,8 @@ WARNING: untranslated string: system has rdrand
 WARNING: untranslated string: system information
 WARNING: untranslated string: ta key
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: tor
 WARNING: untranslated string: tor accounting
 WARNING: untranslated string: tor accounting bytes
@@ -1204,6 +1209,7 @@ WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 68e7b9384d..2b4c9385d5 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -798,6 +798,7 @@ WARNING: untranslated string: extrahd maybe the device is in use
 WARNING: untranslated string: extrahd to
 WARNING: untranslated string: extrahd to root
 WARNING: untranslated string: extrahd you cant mount
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: firewall graph country
 WARNING: untranslated string: firewall graph ip
 WARNING: untranslated string: firewall graph port
@@ -807,6 +808,7 @@ WARNING: untranslated string: firewall log port
 WARNING: untranslated string: firewall logs country
 WARNING: untranslated string: firewall rules
 WARNING: untranslated string: first
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: flag
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fw default drop
@@ -1022,6 +1024,7 @@ WARNING: untranslated string: info messages
 WARNING: untranslated string: integrity
 WARNING: untranslated string: invalid input for dpd delay
 WARNING: untranslated string: invalid input for dpd timeout
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid input for valid till days
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: ipsec
@@ -1134,6 +1137,8 @@ WARNING: untranslated string: system has hwrng
 WARNING: untranslated string: system has rdrand
 WARNING: untranslated string: ta key
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: tor
 WARNING: untranslated string: tor accounting
 WARNING: untranslated string: tor accounting bytes
@@ -1199,6 +1204,7 @@ WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index b4f6279031..a6aa99f900 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -745,12 +745,14 @@ WARNING: untranslated string: bytes
 WARNING: untranslated string: captive
 WARNING: untranslated string: dnssec disabled warning
 WARNING: untranslated string: eight hours
+WARNING: untranslated string: fifteen minutes
 WARNING: untranslated string: firewall graph country
 WARNING: untranslated string: firewall graph ip
 WARNING: untranslated string: firewall graph port
 WARNING: untranslated string: firewall log country
 WARNING: untranslated string: firewall log ip
 WARNING: untranslated string: firewall log port
+WARNING: untranslated string: five minutes
 WARNING: untranslated string: four hours
 WARNING: untranslated string: fwhost cust geoipgrp
 WARNING: untranslated string: fwhost err hostip
@@ -793,6 +795,7 @@ WARNING: untranslated string: guardian service
 WARNING: untranslated string: guardian watch snort alertfile
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours
 WARNING: untranslated string: info messages
+WARNING: untranslated string: invalid input for inactivity timeout
 WARNING: untranslated string: invalid logserver protocol
 WARNING: untranslated string: log server protocol
 WARNING: untranslated string: no data
@@ -806,6 +809,8 @@ WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: tcp more reliable
+WARNING: untranslated string: ten minutes
+WARNING: untranslated string: thirty minutes
 WARNING: untranslated string: twelve hours
 WARNING: untranslated string: two weeks
 WARNING: untranslated string: udp less overhead
@@ -813,6 +818,7 @@ WARNING: untranslated string: unlimited
 WARNING: untranslated string: uplink bit rate
 WARNING: untranslated string: vpn broken
 WARNING: untranslated string: vpn connecting
+WARNING: untranslated string: vpn inactivity timeout
 WARNING: untranslated string: vpn on-demand
 WARNING: untranslated string: vpn start action
 WARNING: untranslated string: vpn start action route
diff --git a/doc/language_missings b/doc/language_missings
index 383c36ca6e..c9b3b455d4 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -251,6 +251,7 @@
 < encryption
 < entropy
 < entropy graphs
+< fifteen minutes
 < fireinfo ipfire version
 < fireinfo is disabled
 < fireinfo is enabled
@@ -277,6 +278,7 @@
 < firewall logs country
 < firewall rules
 < first
+< five minutes
 < flag
 < forward firewall
 < four hours
@@ -487,6 +489,7 @@
 < integrity
 < invalid input for dpd delay
 < invalid input for dpd timeout
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < ipsec
@@ -624,7 +627,9 @@
 < system information
 < ta key
 < tcp more reliable
+< ten minutes
 < teovpn_fragment
+< thirty minutes
 < tor
 < tor 0 = disabled
 < tor accounting
@@ -701,6 +706,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn keyexchange
 < vpn on-demand
 < vpn start action
@@ -956,6 +962,7 @@
 < encryption
 < entropy
 < entropy graphs
+< fifteen minutes
 < fireinfo ipfire version
 < fireinfo is disabled
 < fireinfo is enabled
@@ -982,6 +989,7 @@
 < firewall logs country
 < firewall rules
 < first
+< five minutes
 < flag
 < forward firewall
 < four hours
@@ -1202,6 +1210,7 @@
 < integrity
 < invalid input for dpd delay
 < invalid input for dpd timeout
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < ipsec
@@ -1323,7 +1332,9 @@
 < system information
 < ta key
 < tcp more reliable
+< ten minutes
 < teovpn_fragment
+< thirty minutes
 < tor
 < tor 0 = disabled
 < tor accounting
@@ -1403,6 +1414,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn keyexchange
 < vpn on-demand
 < vpn start action
@@ -1575,12 +1587,14 @@
 < email text
 < email tls
 < email usemail
+< fifteen minutes
 < firewall graph country
 < firewall graph ip
 < firewall graph port
 < firewall log country
 < firewall log ip
 < firewall log port
+< five minutes
 < four hours
 < fwdfw err concon
 < fwdfw err ratecon
@@ -1607,6 +1621,7 @@
 < guardian
 < incoming compression in bytes per second
 < incoming overhead in bytes per second
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < log server protocol
@@ -1636,6 +1651,8 @@
 < samba join domain
 < search
 < tcp more reliable
+< ten minutes
+< thirty minutes
 < twelve hours
 < two weeks
 < udp less overhead
@@ -1647,6 +1664,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn on-demand
 < vpn start action
 < vpn start action route
@@ -1785,6 +1803,7 @@
 < email text
 < email tls
 < email usemail
+< fifteen minutes
 < firewall graph country
 < firewall graph ip
 < firewall graph port
@@ -1792,6 +1811,7 @@
 < firewall log ip
 < firewall log port
 < firewall logs country
+< five minutes
 < four hours
 < fwdfw err concon
 < fwdfw err ratecon
@@ -1821,6 +1841,7 @@
 < imsi
 < incoming compression in bytes per second
 < incoming overhead in bytes per second
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < log server protocol
@@ -1883,7 +1904,9 @@
 < source ip country
 < ta key
 < tcp more reliable
+< ten minutes
 < teovpn_fragment
+< thirty minutes
 < twelve hours
 < two weeks
 < udp less overhead
@@ -1897,6 +1920,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn on-demand
 < vpn start action
 < vpn start action route
@@ -2128,6 +2152,7 @@
 < extrahd unable to read
 < extrahd unable to write
 < extrahd you cant mount
+< fifteen minutes
 < firewall graph country
 < firewall graph ip
 < firewall graph port
@@ -2137,6 +2162,7 @@
 < firewall logs country
 < firewall rules
 < first
+< five minutes
 < flag
 < forward firewall
 < four hours
@@ -2357,6 +2383,7 @@
 < integrity
 < invalid input for dpd delay
 < invalid input for dpd timeout
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < ipsec
@@ -2478,7 +2505,9 @@
 < system has rdrand
 < ta key
 < tcp more reliable
+< ten minutes
 < teovpn_fragment
+< thirty minutes
 < tor
 < tor 0 = disabled
 < tor accounting
@@ -2555,6 +2584,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn keyexchange
 < vpn on-demand
 < vpn start action
@@ -2823,6 +2853,7 @@
 < extrahd unable to read
 < extrahd unable to write
 < extrahd you cant mount
+< fifteen minutes
 < firewall graph country
 < firewall graph ip
 < firewall graph port
@@ -2832,6 +2863,7 @@
 < firewall logs country
 < firewall rules
 < first
+< five minutes
 < flag
 < forward firewall
 < four hours
@@ -3055,6 +3087,7 @@
 < integrity
 < invalid input for dpd delay
 < invalid input for dpd timeout
+< invalid input for inactivity timeout
 < invalid input for valid till days
 < invalid logserver protocol
 < ipsec
@@ -3174,7 +3207,9 @@
 < system has rdrand
 < ta key
 < tcp more reliable
+< ten minutes
 < teovpn_fragment
+< thirty minutes
 < tor
 < tor 0 = disabled
 < tor accounting
@@ -3251,6 +3286,7 @@
 < vpn broken
 < vpn connecting
 < vpn force mobike
+< vpn inactivity timeout
 < vpn keyexchange
 < vpn on-demand
 < vpn start action
@@ -3371,14 +3407,17 @@
 < Captive wrong ext
 < dnssec disabled warning
 < eight hours
+< fifteen minutes
 < firewall graph country
 < firewall graph ip
 < firewall graph port
 < firewall log country
 < firewall log ip
 < firewall log port
+< five minutes
 < four hours
 < guardian
+< invalid input for inactivity timeout
 < invalid logserver protocol
 < log server protocol
 < one hour
@@ -3387,6 +3426,8 @@
 < one year
 < rdns
 < tcp more reliable
+< ten minutes
+< thirty minutes
 < twelve hours
 < two weeks
 < udp less overhead
@@ -3394,6 +3435,7 @@
 < uplink bit rate
 < vpn broken
 < vpn connecting
+< vpn inactivity timeout
 < vpn on-demand
 < vpn start action
 < vpn start action route
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 4683c0c205..be6eb6d157 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -68,6 +68,17 @@ if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
 $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
 }
 
+my %INACTIVITY_TIMEOUTS = (
+ 300 => $Lang::tr{'five minutes'},
+ 600 => $Lang::tr{'ten minutes'},
+ 900 => $Lang::tr{'fifteen minutes'},
+ 1800 => $Lang::tr{'thirty minutes'},
+ 3600 => $Lang::tr{'one hour'},
+ 43200 => $Lang::tr{'twelve hours'},
+ 86400 => $Lang::tr{'24 hours'},
+ 0 => "- $Lang::tr{'unlimited'} -",
+);
+
 my $col="";
 
 $cgiparams{'ENABLED'} = 'off';
@@ -109,6 +120,7 @@ $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
 $cgiparams{'START_ACTION'} = 'start';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -407,6 +419,11 @@ sub writeipsecfiles {
 $start_action = "start";
 }
 
+ my $inactivity_timeout = $lconfighash{$key}[34];
+ if ($inactivity_timeout eq "") {
+ $inactivity_timeout = 900;
+ }
+
 # Automatically start only if a net-to-net connection
 if ($lconfighash{$key}[3] eq 'host') {
 print CONF "\tauto=add\n";
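Review bot: `$lconfighash{$key}[34]` is undef for every connection saved before this change, because the hunk at @@ -1790 only pads newly created entries to 35 fields, and the added `eq ""` test then compares undef — the fallback to 900 still happens, but it raises an uninitialized-value warning if this script runs under `warnings` (not visible from here). `my $inactivity_timeout = $lconfighash{$key}[34]; if (!defined $inactivity_timeout || $inactivity_timeout eq "") { $inactivity_timeout = 900; }` covers both cases; a `||` fallback is not an option because 0 is the value that means unlimited. The same `eq ""` pattern appears in the hunks at @@ -1308 and @@ -2309. writeipsecfiles starts and ends outside this hunk.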
@@ -416,8 +433,8 @@ sub writeipsecfiles {
 
 # If in on-demand mode, we terminate the tunnel
 # after 15 min of no traffic
- if ($start_action eq 'route') {
- print CONF "\tinactivity=900\n";
+ if ($start_action eq 'route' && $inactivity_timeout > 0) {
+ print CONF "\tinactivity=$inactivity_timeout\n";
 }
 }
 
@@ -1299,6 +1316,7 @@ END
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
 
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -1308,6 +1326,10 @@ END
 $cgiparams{'DPD_TIMEOUT'} = 120;
 }
 
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ }
+
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1790,7 +1812,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 33) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1834,6 +1856,7 @@ END
 $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
 $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
 
 # free unused fields!
 $confighash{$key}[6] = 'off';
@@ -1907,6 +1930,7 @@ END
 $cgiparams{'COMPRESSION'} = 'off'; #[13];
 $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
 $cgiparams{'PFS'} = 'on'; #[28];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
 }
 
 VPNCONF_ERROR:
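Review bot: The context comment directly above the changed condition, `# after 15 min of no traffic`, is now wrong: the value comes from `$inactivity_timeout` and 0 disables the option entirely. Replace the two comment lines with `# If in on-demand mode, we terminate the tunnel after the configured inactivity timeout (0 = unlimited)`. Note also that `$inactivity_timeout > 0` is a numeric comparison on a string read from the config file, so a non-numeric stored value is silently treated like 0 (with a warning) rather than rejected. writeipsecfiles starts and ends outside this hunk.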
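Review bot: `$confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};` in the hunk at @@ -1834 stores the request value on the connection-save path without the `/^\d+$/` check that the advanced-settings path at @@ -2251 performs, and `$cgiparams{'INACTIVITY_TIMEOUT'}` is overwritten from the request by `&Header::getcgihash` (hunk @@ -109) before this point. Unless the save branch validates it earlier outside the hunk, a non-numeric value can reach the config file and from there the `inactivity=` line that writeipsecfiles prints. Either drop the assignment here, since the advanced form is where the value is edited, or guard it: `$confighash{$key}[34] = exists $INACTIVITY_TIMEOUTS{$cgiparams{'INACTIVITY_TIMEOUT'}} ? $cgiparams{'INACTIVITY_TIMEOUT'} : 900;`. The enclosing save branch starts and ends outside the hunk.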
@@ -2251,6 +2275,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
 
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for inactivity timeout'};
+ goto ADVANCED_ERROR;
+ }
+
 $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
 $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
 $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
@@ -2269,6 +2298,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
 $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
+ $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
 if (&vpnenabled) {
@@ -2297,6 +2327,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
 
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -2309,6 +2340,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 if (!$cgiparams{'START_ACTION'}) {
 $cgiparams{'START_ACTION'} = "start";
 }
+
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
+ }
 }
 
 ADVANCED_ERROR:
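Review bot: The check `$cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/` accepts any non-negative integer, and `$` also matches before a trailing newline, whereas the only values the form offers and that the rest of the change is built around are the keys of `%INACTIVITY_TIMEOUTS`. Validating membership is tighter and removes the newline corner case: `if (!exists $INACTIVITY_TIMEOUTS{$cgiparams{'INACTIVITY_TIMEOUT'}}) {`. If arbitrary second counts are meant to be accepted, anchor with `\A\d+\z` instead. The enclosing advanced-settings branch starts and ends outside the hunk.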
@@ -2408,6 +2443,12 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $selected{'START_ACTION'}{'start'} = '';
 $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
 
+ $selected{'INACTIVITY_TIMEOUT'} = ();
+ foreach my $timeout (keys %INACTIVITY_TIMEOUTS) {
+ $selected{'INACTIVITY_TIMEOUT'}{$timeout} = "";
+ }
+ $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected";
+
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
 &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2627,12 +2668,24 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - + + + +
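Review bot: `$selected{'INACTIVITY_TIMEOUT'} = ();` assigns an empty list in scalar context, which yields undef rather than an empty hash; the `{$timeout}` subscripts that follow autovivify the hash anyway, so it works, but the intent reads as `$selected{'INACTIVITY_TIMEOUT'} = {};`. The marker value `"selected"` also differs from the `"selected='selected'"` form used for START_ACTION two lines above; unless the template in the cut-off hunk at @@ -2627 depends on the bare form, use the same string for consistency. The enclosing block starts and ends outside the hunk.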