From dcb406cc675c42f9add4a41c8a1e07eea7c3ab08 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 15 Feb 2017 10:11:58 +0000
Subject: [PATCH] IPsec: Allow to create on-demand connections

This will create IPsec VPN connections with auto=route set instead of auto=start which will cause the connection being created, but not brought up yet. As soon as the first packet is received, the connection will be established and data will be passed through it. This allows IPFire to handle more VPN connections on weaker systems and avoids negotiating many connections which are rarely used.
Suggested-by: Tom Rymes
Signed-off-by: Michael Tremer
Fixes: #10733
---
 doc/language_issues.es | 3 +++
 doc/language_issues.fr | 3 +++
 doc/language_issues.it | 3 +++
 doc/language_issues.nl | 3 +++
 doc/language_issues.pl | 3 +++
 doc/language_issues.ru | 3 +++
 doc/language_issues.tr | 3 +++
 doc/language_missings | 12 +++++++++++
 html/cgi-bin/vpnmain.cgi | 43 +++++++++++++++++++++++++++++-----------
 langs/de/cgi-bin/de.pl | 3 +++
 langs/en/cgi-bin/en.pl | 3 +++
 11 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/doc/language_issues.es b/doc/language_issues.es
index 60ba499c95..36d4a8211a 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1144,6 +1144,9 @@ WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 863b5291a7..b21c33851c 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1161,6 +1161,9 @@ WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 6efef40f4b..e7230280f9 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -819,6 +819,9 @@ WARNING: untranslated string: unblock
 WARNING: untranslated string: unblock all
 WARNING: untranslated string: uncheck all
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index c9b10dcd61..22a8934378 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -867,6 +867,9 @@ WARNING: untranslated string: uncheck all
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: vendor
 WARNING: untranslated string: vpn force mobike
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 60ba499c95..36d4a8211a 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1144,6 +1144,9 @@ WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 255df2f688..fc727d607a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1139,6 +1139,9 @@ WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
 WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 8cf2dfe11e..59c904657d 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -752,4 +752,7 @@ WARNING: untranslated string: route config changed
 WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
+WARNING: untranslated string: vpn start action
+WARNING: untranslated string: vpn start action route
+WARNING: untranslated string: vpn start action start
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_missings b/doc/language_missings
index 32e1e48ecc..49def615f3 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -561,6 +561,9 @@
 < vendor
 < visit us at
 < vpn keyexchange
+< vpn start action
+< vpn start action route
+< vpn start action start
 < vpn statistic n2n
 < vpn statistic rw
 < wlanap access point
@@ -1175,6 +1178,9 @@
 < vendor
 < visit us at
 < vpn keyexchange
+< vpn start action
+< vpn start action route
+< vpn start action start
 < vpn statistic n2n
 < vpn statistic rw
 < wlanap country
@@ -1754,6 +1760,9 @@
 < vendor
 < visit us at
 < vpn keyexchange
+< vpn start action
+< vpn start action route
+< vpn start action start
 < vpn statistic n2n
 < vpn statistic rw
 < wlanap country
@@ -2338,6 +2347,9 @@
 < vendor
 < visit us at
 < vpn keyexchange
+< vpn start action
+< vpn start action route
+< vpn start action start
 < vpn statistic n2n
 < vpn statistic rw
 < week-graph
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index f1cffb8844..b6469c03c2 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -108,6 +108,7 @@ $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
+$cgiparams{'START_ACTION'} = 'start';
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -401,12 +402,17 @@ sub writeipsecfiles {
 print CONF "\trightrsasigkey=%cert\n";
 }
 
+ my $start_action = $lconfighash{$key}[33];
+ if (!$start_action) {
+ $start_action = "start";
+ }
+
 # Automatically start only if a net-to-net connection
 if ($lconfighash{$key}[3] eq 'host') {
 print CONF "\tauto=add\n";
 print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
 } else {
- print CONF "\tauto=start\n";
+ print CONF "\tauto=$start_action\n";
 }
 
 # Fragmentation
@@ -1778,7 +1784,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 33) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
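Review bot: In the writeipsecfiles hunk (@@ -401,12 +402,17 @@) `$start_action` is interpolated into the generated ipsec.conf as `auto=$start_action`, yet the only guard is the emptiness test `if (!$start_action)`; the value is `$lconfighash{$key}[33]`, which hunk @@ -2256,6 +2262,7 @@ fills straight from `$cgiparams{'START_ACTION'}` without restricting it to the two options the form offers, so any other submitted string is copied verbatim into the configuration file. Tighten the fallback to a whitelist, `if (!$start_action || $start_action !~ m/\A(?:route|start)\z/) { $start_action = "start"; }`, or reject an unknown value in @@ -2256 before `&General::writehasharray` persists it, matching how the other advanced parameters are expected to be sanity-checked. The literal default `"start"` is now spelled out in three places (@@ -108, here, and @@ -2291 on the next line); a single named constant would keep them from drifting. writeipsecfiles starts before this hunk and continues after it.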
@@ -2256,6 +2262,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
 $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
 if (&vpnenabled) {
@@ -2283,6 +2290,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
 
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -2291,6 +2299,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 if (!$cgiparams{'DPD_TIMEOUT'}) {
 $cgiparams{'DPD_TIMEOUT'} = 120;
 }
+
+ if (!$cgiparams{'START_ACTION'}) {
+ $cgiparams{'START_ACTION'} = "start";
+ }
 }
 
 ADVANCED_ERROR:
@@ -2387,6 +2399,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $selected{'DPD_ACTION'}{'none'} = '';
 $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
 
+ $selected{'START_ACTION'}{'route'} = '';
+ $selected{'START_ACTION'}{'start'} = '';
+ $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
+
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
 &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2406,7 +2422,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 }
 &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
- print <
@@ -2599,9 +2615,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || IKE+ESP: $Lang::tr{'use only proposed settings'} + + + + - +