IPsec: Add option to force using MOBIKE

Some peers that are behind a NAT router that fails to properly forward IKE packets on UDP port 500 cannot establish an IPsec connection. MOBIKE tries to solve that by sending these packets to UDP port 4500 instead. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-15 13:32:59 +02:00 · 2015-09-10 13:35:24 +01:00
parent 257ce821ee
commit f6529a04a3
11 changed files with 36 additions and 1 deletions
--- a/config/rootfiles/core/94/filelists/files
+++ b/config/rootfiles/core/94/filelists/files
@@ -3,6 +3,7 @@ etc/issue
 etc/rc.d/init.d/sshd
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/mail.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
 var/ipfire/menu.d/40-services.menu
 var/ipfire/network-functions.pl
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -651,4 +651,5 @@ WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: show tls-auth key
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistics n2n
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1062,6 +1062,7 @@ WARNING: untranslated string: urlfilter mode block
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -720,6 +720,7 @@ WARNING: untranslated string: samba join a domain
 WARNING: untranslated string: samba join domain
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -769,6 +769,7 @@ WARNING: untranslated string: ta key
 WARNING: untranslated string: uncheck all
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: vendor
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1040,6 +1040,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -697,6 +697,7 @@ WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -108,6 +108,7 @@ $cgiparams{'ROOTCERT_STATE'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
+$cgiparams{'FORCE_MOBIKE'} = 'off';
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});

 ###
@@ -360,6 +361,11 @@ sub writeipsecfiles {
 	# Compression
 	print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');

+	# Force MOBIKE?
+	if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
+		print CONF "\tmobike=yes\n";
+	}
+
 	# Dead Peer Detection
 	my $dpdaction = $lconfighash{$key}[27];
 	print CONF "\tdpdaction=$dpdaction\n";
@@ -1286,6 +1292,7 @@ END
 	$cgiparams{'VHOST'}            	= $confighash{$cgiparams{'KEY'}}[14];
 	$cgiparams{'DPD_TIMEOUT'}		= $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}		= $confighash{$cgiparams{'KEY'}}[31];
+	$cgiparams{'FORCE_MOBIKE'}	= $confighash{$cgiparams{'KEY'}}[32];

 	if (!$cgiparams{'DPD_DELAY'}) {
 		$cgiparams{'DPD_DELAY'} = 30;
@@ -1768,7 +1775,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 	    $key = &General::findhasharraykey (\%confighash);
-	    foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
+	    foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1810,6 +1817,7 @@ END
 	$confighash{$key}[14] = $cgiparams{'VHOST'};
 	$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
+	$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};

 	#free unused fields!
 	$confighash{$key}[6] = 'off';
@@ -1858,6 +1866,10 @@ END
 		$cgiparams{'DPD_TIMEOUT'} = 120;
 	}

+	if (!$cgiparams{'FORCE_MOBIKE'}) {
+		$cgiparams{'FORCE_MOBIKE'} = 'no';
+	}
+
 	# Default IKE Version to v2
 	if (!$cgiparams{'IKE_VERSION'}) {
 	    $cgiparams{'IKE_VERSION'} = 'ikev2';
@@ -1935,6 +1947,7 @@ END
 	<input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' />
 	<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
 	<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
+	<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
 END
    ;
    if ($cgiparams{'KEY'}) {
@@ -2206,6 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||

 	if (
 	    ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
+	    ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
 	    ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
@@ -2241,6 +2255,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
 	$confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
+	$confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
 	if (&vpnenabled) {
@@ -2268,6 +2283,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$cgiparams{'DPD_ACTION'}     = $confighash{$cgiparams{'KEY'}}[27];
 	$cgiparams{'DPD_TIMEOUT'}    = $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}      = $confighash{$cgiparams{'KEY'}}[31];
+	$cgiparams{'FORCE_MOBIKE'}   = $confighash{$cgiparams{'KEY'}}[32];

 	if (!$cgiparams{'DPD_DELAY'}) {
 		$cgiparams{'DPD_DELAY'} = 30;
@@ -2362,6 +2378,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
    foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }

    $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
+    $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
    $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
    $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
    $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
@@ -2605,6 +2622,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</label>
 		</td>
 	</tr>
+	<tr>
+		<td>
+			<label>
+				<input type='checkbox' name='FORCE_MOBIKE' $checked{'FORCE_MOBIKE'} />
+				$Lang::tr{'vpn force mobike'}
+			</label>
+		</td>
+	</tr>
 EOF
    ;
    if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2648,6 +2648,7 @@
 'vpn configuration main' => 'VPN Configuration',
 'vpn delayed start' => 'Delay before launching VPN (seconds)',
 'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.',
+'vpn force mobike' => 'Force using MOBIKE (only IKEv2)',
 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute not allowed',
 'vpn keyexchange' => 'Keyexchange',
 'vpn local id' => 'Local ID',