authormgrooms <mgrooms@shrew.net>2009-03-15 06:14:54 +0000
committermgrooms <mgrooms@shrew.net>2009-03-15 06:18:35 +0000
commit4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac (patch)
tree958b9cad6a732f92151e4d2fb4238125af08150c
parent030f0cb794e2cc477432aa108eceb3dd2a01a4b0 (diff)
downloadpfsense-4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac.zip
pfsense-4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac.tar.gz
Modify IPsec code to allow for transport mode. All existing configurations are
marked as tunnel for backwards compatibility. There are problems with the SPD read code, which will likely choke on transport entries. We can fix this later.
-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/globals.inc4
-rw-r--r--etc/inc/ipsec.inc4
-rw-r--r--etc/inc/upgrade_config.inc8
-rw-r--r--etc/inc/vpn.inc136
-rwxr-xr-xusr/local/www/vpn_ipsec.php10
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php85
7 files changed, 172 insertions, 77 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 76967fc..68ce2e1 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!-- pfSense default system configuration -->
<pfsense>
- <version>5.7</version>
+ <version>5.8</version>
<lastchange></lastchange>
<theme>nervecenter</theme>
<sysctl>
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index c8ae12d..bab855b 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -32,7 +32,7 @@
*/
$g = array(
- "factory_shipped_username" => "admin",
+ "factory_shipped_username" => "admin",
"factory_shipped_password" => "pfsense",
"upload_path" => "/root",
"dhcpd_chroot_path" => "/var/dhcpd",
@@ -58,7 +58,7 @@ $g = array(
"product_website_footer" => "http://www.pfsense.org/?gui20",
"product_email" => "coreteam@pfsense.org",
"debug" => false,
- "latest_config" => "5.7",
+ "latest_config" => "5.8",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 6e206b3..44853d6 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -77,6 +77,10 @@ $p1_authentication_methods = array(
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
+$p2_modes = array(
+ 'tunnel' => 'Tunnel',
+ 'transport' => 'Transport');
+
$p2_protos = array(
'esp' => 'ESP',
'ah' => 'AH');
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index e8d6192..db59e6f 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1725,4 +1725,12 @@ function upgrade_056_to_057() {
unset($config['captiveportal']['user']);
}
}
+
+function upgrade_057_to_058() {
+ global $config;
+ /* set all phase2 entries to tunnel mode */
+ if (is_array($config['ipsec']['phase2']))
+ foreach($config['ipsec']['phase2'] as & $ph2ent)
+ $ph2ent['mode'] = 'tunnel';
+}
?>
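Review bot: The `foreach ($config['ipsec']['phase2'] as & $ph2ent)` loop in `upgrade_057_to_058` leaves `$ph2ent` bound by reference to the last phase2 entry once it finishes; inside this short function that is harmless today, but any later addition that reuses the name would silently overwrite that entry, so add `unset($ph2ent);` after the loop. The unconditional overwrite of `mode` is the intent here and deserves a one-line comment saying why: `/* pre-5.8 configs had no mode field; every existing phase2 was a tunnel */`.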
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e9ea34..18090db 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -587,75 +587,103 @@ EOD;
$ikeid = $ph2ent['ikeid'];
+ if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
+ continue;
+
+ if (isset($ph1ent['disabled']))
+ continue;
+
if (isset($ph2ent['disabled']))
continue;
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
continue;
- $localid_type = $ph2ent['localid']['type'];
- if ($localid_type != "address")
- $localid_type = "subnet";
+ if ($ph2ent['mode'] == 'tunnel') {
- $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- $localid_spec = $localid_type." ".$localid_data." any";
+ $localid_type = $ph2ent['localid']['type'];
+ if ($localid_type != "address")
+ $localid_type = "subnet";
- if (!isset($ph2ent['mobile'])) {
+ $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
+ $localid_spec = $localid_type." ".$localid_data." any";
- $remoteid_type = $ph2ent['remoteid']['type'];
- if ($remoteid_type != "address")
- $remoteid_type = "subnet";
+ if (!isset($ph2ent['mobile'])) {
+ $remoteid_type = $ph2ent['remoteid']['type'];
+ if ($remoteid_type != "address")
+ $remoteid_type = "subnet";
- $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
- $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ } else
+ $remoteid_spec = "anonymous";
- } else
- $remoteid_spec = "anonymous";
+ } else {
- $ealgos = '';
- $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $rgip = $rgmap[$ph1ent['remote-gateway']];
- $pfsline = '';
- if ($ph2ent['pfsgroup'])
- $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
- if (isset($a_client['pfs_group'])) {
- $pfsline = '';
- if ($a_client['pfs_group'])
- $pfsline = "pfs_group {$a_client['pfs_group']};";
+ $localid_data = ipsec_get_phase1_src($ph1ent);
+ $localid_spec = "address {$localid_data}";
+
+ $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
+ $remoteid_spec = "address {$remoteid_data}";
}
- $lifeline = '';
- if ($ph2ent['lifetime'])
- $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+ if($ph2ent['proto'] == "esp") {
+
+ $ealgos = '';
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
- if ($ealg_kl) {
- if( $ealg_kl == "auto" ) {
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ if ($ealg_kl) {
+ if( $ealg_kl == "auto" ) {
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if( $ealgos )
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if ($ealgos)
+ $ealgos = $ealgos.", ";
+ $ealgos = $ealgos.$ealg_id." ".$keylen;
+ }
+ } else {
+ if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$keylen;
+ $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
}
} else {
if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
+ $ealgos = $ealgos.$ealg_id;
}
- } else {
- if ($ealgos)
- $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id;
}
+
+ $ealgosline = "encryption_algorithm {$ealgos};";
+
+ } else {
+
+ $ealgosline = "encryption_algorithm null_enc;";
}
+ $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $halgosline = "authentication_algorithm {$halgos};";
+
+ $pfsline = '';
+ if ($ph2ent['pfsgroup'])
+ $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
+ if (isset($a_client['pfs_group'])) {
+ $pfsline = '';
+ if ($a_client['pfs_group'])
+ $pfsline = "pfs_group {$a_client['pfs_group']};";
+ }
+
+ $lifeline = '';
+ if ($ph2ent['lifetime'])
+ $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+
/* add sainfo section to configuration */
$racoonconf .=<<<EOD
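Review bot: The transport branch (`} else {` after the tunnel block) is reached for any `mode` value that is not exactly `'tunnel'`, an unset one included, and it builds `$remoteid_spec` from `$rgmap[$ph1ent['remote-gateway']]` with no check that the lookup produced an address, so a gateway that did not resolve yields `sainfo address X address ` with an empty second address; racoon will most likely reject that line, and a parse error in racoon.conf takes every other phase2 down with it rather than just this one. A mobile phase1 has no fixed remote gateway at all (the tunnel branch handles that with `anonymous`), so I would guard the branch: `if (isset($ph2ent['mobile']) || empty($rgmap[$ph1ent['remote-gateway']])) continue;`. The `$rgip` assigned at the top of that branch is never used; either drop it or use it for `$remoteid_data` instead of indexing the map a second time. The enclosing function starts before and continues past this hunk.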
@@ -663,11 +691,11 @@ EOD;
sainfo {$localid_spec} {$remoteid_spec}
{
remoteid {$ikeid};
- encryption_algorithm {$ealgos};
- authentication_algorithm {$halgos};
- compression_algorithm deflate;
+ {$ealgosline}
+ {$halgosline}
{$pfsline}
{$lifeline}
+ compression_algorithm deflate;
}
EOD;
@@ -735,11 +763,23 @@ EOD;
mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
}
- $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+ if($ph2ent['mode'] == "tunnel") {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
- $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
+ } else {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ }
/* static route needed? */
if (preg_match("/^carp/i", $ph1ent['interface']))
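Review bot: The two transport `spdadd` lines reuse `$localid` and `$remoteid`, which are computed before this hunk and, as far as this commit shows, come from `$ph2ent['localid']`/`['remoteid']`; the phase2 page in this same commit no longer stores those for transport entries, so the selectors presumably come out empty and setkey is handed `spdadd   any -P out ...`, which is not valid syntax (the commit message itself warns the SPD code will choke). `$ep` and `$rgip` are already in scope here for the tunnel case and are exactly the transport-mode selectors, so use them: `$spdconf .= "spdadd {$ep} {$rgip} any -P out ipsec {$ph2ent['protocol']}/transport//unique;\n";` with the mirrored `{$rgip} {$ep} ... -P in` line. The enclosing function continues outside this hunk.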
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index c309986..d43f457 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -285,8 +285,11 @@ include("head.inc");
</div>
<table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="tdph2-<?=$i?>" style="display:none">
<tr>
+ <td class="listhdrr">Mode</td>
+ <?php if($ph2ent['mode'] == "tunnel"): ?>
<td class="listhdrr">Local Subnet</td>
<td class="listhdrr">Remote Subnet</td>
+ <?php endif; ?>
<td class="listhdrr">P2 Protocol</td>
<td class="listhdrr">P2 Transforms</td>
<td class="listhdrr">P2 Auth Methods</td>
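Review bot: The header row decides whether to print the Local/Remote Subnet columns from `$ph2ent['mode']` before this table's phase2 rows are emitted, so it reflects whatever `$ph2ent` happened to hold at that point (as far as this hunk shows, a leftover from an earlier loop or nothing at all), while the per-row check added further down in this file is evaluated per entry; a phase1 with both a tunnel and a transport phase2 ends up with rows whose column count differs from the header. Always render both header cells and have transport rows print a placeholder such as `-` in those two columns instead of conditionally dropping them.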
@@ -315,6 +318,12 @@ include("head.inc");
<td nowrap class="listlr">
<?=$spans;?>
+ <?=$ph2ent['mode'];?>
+ <?=$spane;?>
+ </td>
+ <?php if($ph2ent['mode'] == "tunnel"): ?>
+ <td nowrap class="listr">
+ <?=$spans;?>
<?=ipsec_idinfo_to_text($ph2ent['localid']); ?>
<?=$spane;?>
</td>
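Review bot: `<?=$ph2ent['mode'];?>` writes the stored mode into the page unescaped, and the phase2 page in this commit stores `$pconfig['mode']` straight from the POST without checking it against `$p2_modes`, so an arbitrary string saved there is rendered as raw HTML here. Map it through the table and escape it like the protocol name is elsewhere on this page: `<?=htmlspecialchars($p2_modes[$ph2ent['mode']]);?>`.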
@@ -323,6 +332,7 @@ include("head.inc");
<?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
<?=$spane;?>
</td>
+ <?php endif; ?>
<td nowrap class="listr">
<?=$spans;?>
<?php echo $p2_protos[$ph2ent['protocol']]; ?>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index bd922b4..1056497 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -63,6 +63,7 @@ if (isset($p2index) && $a_phase2[$p2index])
{
$pconfig['ikeid'] = $a_phase2[$p2index]['ikeid'];
$pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']);
+ $pconfig['mode'] = $a_phase2[$p2index]['mode'];
$pconfig['descr'] = $a_phase2[$p2index]['descr'];
$old_ph2ent = $a_phase2[$p2index];
@@ -118,24 +119,27 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- switch ($pconfig['localid_type']) {
- case "network":
- if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits']))
- $input_errors[] = "A valid local network bit count must be specified..";
- case "address":
- if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
- $input_errors[] = "A valid local network IP address must be specified.";
- break;
- }
+ if($pconfig['mode'] == "tunnel")
+ {
+ switch ($pconfig['localid_type']) {
+ case "network":
+ if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits']))
+ $input_errors[] = "A valid local network bit count must be specified..";
+ case "address":
+ if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
+ $input_errors[] = "A valid local network IP address must be specified.";
+ break;
+ }
- switch ($pconfig['remoteid_type']) {
- case "network":
- if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits']))
- $input_errors[] = "A valid remote network bit count must be specified..";
- case "address":
- if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
- $input_errors[] = "A valid remote network IP address must be specified.";
- break;
+ switch ($pconfig['remoteid_type']) {
+ case "network":
+ if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits']))
+ $input_errors[] = "A valid remote network bit count must be specified..";
+ case "address":
+ if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
+ $input_errors[] = "A valid remote network IP address must be specified.";
+ break;
+ }
}
/* TODO : Validate enabled phase2's are not duplicates */
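Review bot: Nothing in the validation block checks that `$pconfig['mode']` is one of the two known modes, and because the local/remote network checks are now wrapped in `if ($pconfig['mode'] == "tunnel")`, any other value skips them entirely and is stored as-is by the save code below. The page already reads `$p2_modes` to build the select, so add before the mode-gated block: `if (!array_key_exists($pconfig['mode'], $p2_modes)) $input_errors[] = "A valid mode must be specified.";`. The surrounding POST handler starts before and continues past this hunk.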
@@ -152,10 +156,13 @@ if ($_POST) {
if (!$input_errors) {
$ph2ent['ikeid'] = $pconfig['ikeid'];
+ $ph2ent['mode'] = $pconfig['mode'];
$ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
- $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig);
- $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig);
+ if($ph2ent['mode'] == "tunnel") {
+ $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig);
+ $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig);
+ }
$ph2ent['protocol'] = $pconfig['proto'];
$ph2ent['encryption-algorithm-option'] = $ealgos;
@@ -202,6 +209,19 @@ include("head.inc");
<?php include("fbegin.inc"); ?>
<script language="JavaScript">
<!--
+
+function change_mode() {
+ index = document.iform.mode.selectedIndex;
+ value = document.iform.mode.options[index].value;
+ if (value == 'tunnel') {
+ document.getElementById('opt_localid').style.display = '';
+ document.getElementById('opt_remoteid').style.display = '';
+ } else {
+ document.getElementById('opt_localid').style.display = 'none';
+ document.getElementById('opt_remoteid').style.display = 'none';
+ }
+}
+
function typesel_change_local(bits) {
if (!bits)
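Review bot: `change_mode()` dereferences `document.getElementById('opt_remoteid')` unconditionally, but the `opt_remoteid` row is only emitted when `$pconfig['mobile']` is not set (see the `<?php if (!isset($pconfig['mobile'])): ?>` guard later in this file), so on a mobile phase2 the lookup returns null and `.style` throws; since the inline init script calls `change_mode()` first, that exception also prevents `typesel_change_local` and `typesel_change_remote` from running. Guard the element: `var r = document.getElementById('opt_remoteid'); if (r) r.style.display = (value == 'tunnel') ? '' : 'none';`. `index` and `value` should also be declared with `var` rather than leaking as globals.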
@@ -264,7 +284,7 @@ function typesel_change_remote(bits) {
<?php endif; ?>
-function protocol_change() {
+function change_protocol() {
index = document.iform.proto.selectedIndex;
value = document.iform.proto.options[index].value;
if (value == 'esp')
@@ -299,10 +319,6 @@ function protocol_change() {
<div class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td width="22%" valign="top" class="vncellreq">Mode</td>
- <td width="78%" class="vtable"> Tunnel</td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncellreq">Disabled</td>
<td width="78%" class="vtable">
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
@@ -314,6 +330,21 @@ function protocol_change() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq">Mode</td>
+ <td width="78%" class="vtable">
+ <select name="mode" class="formselect" onChange="change_mode()">
+ <?php
+ foreach($p2_modes as $name => $value):
+ $selected = "";
+ if ($name == $pconfig['mode'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$name;?>" <?=$selected;?>><?=$value;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="opt_localid">
<td width="22%" valign="top" class="vncellreq">Local Network</td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="0">
@@ -349,7 +380,7 @@ function protocol_change() {
<?php if (!isset($pconfig['mobile'])): ?>
- <tr>
+ <tr id="opt_remoteid">
<td width="22%" valign="top" class="vncellreq">Remote Network</td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="0">
@@ -406,7 +437,7 @@ function protocol_change() {
<tr>
<td width="22%" valign="top" class="vncellreq">Protocol</td>
<td width="78%" class="vtable">
- <select name="proto" class="formselect" onChange="protocol_change()">
+ <select name="proto" class="formselect" onChange="change_protocol()">
<?php foreach ($p2_protos as $proto => $protoname): ?>
<option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
<?=htmlspecialchars($protoname);?>
@@ -548,6 +579,8 @@ function protocol_change() {
</form>
<script lannguage="JavaScript">
<!--
+change_mode('<?=$pconfig['mode']?>');
+change_protocol('<?=$pconfig['proto']?>');
typesel_change_local(<?=$pconfig['localid_netbits']?>);
typesel_change_remote(<?=$pconfig['remoteid_netbits']?>);
//-->
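Review bot: `change_mode('<?=$pconfig['mode']?>')` and `change_protocol('<?=$pconfig['proto']?>')` interpolate config values into a JavaScript string literal without escaping, and neither function takes a parameter (both read the select's `selectedIndex` instead), so the argument is both unnecessary and, for `mode`, fed by a value the save path does not validate. Call them bare: `change_mode();` and `change_protocol();`.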