authorScott Ullrich <sullrich@pfsense.org>2007-12-17 00:30:54 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-12-17 00:30:54 +0000
commit979cd6db9c6a81493498660f7205faabf25ed6ec (patch)
treee5c249e3c3ab0edc377b2222db58df954f8eea29
parente4f12d21fff0aa68637300dcbee69b4705e9d91c (diff)
downloadpfsense-979cd6db9c6a81493498660f7205faabf25ed6ec.zip
pfsense-979cd6db9c6a81493498660f7205faabf25ed6ec.tar.gz
Adding dnswatch support.
Obtained-from: m0n0wall
-rw-r--r--etc/inc/util.inc19
-rw-r--r--etc/inc/vpn.inc924
2 files changed, 576 insertions, 367 deletions
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 487efed..7c46eac 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -555,4 +555,23 @@ function mac_format($clientmac) {
}
}
+function resolve_retry($hostname, $retries = 5) {
+
+ if (is_ipaddr($hostname))
+ return $hostname;
+
+ for ($i = 0; $i < $retries; $i++) {
+ $ip = gethostbyname($hostname);
+
+ if ($ip && $ip != $hostname) {
+ /* success */
+ return $ip;
+ }
+
+ sleep(1);
+ }
+
+ return false;
+}
+
?> \ No newline at end of file
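Review bot: The loop at L38 sleeps after the final failed attempt as well, so an unresolvable name costs `$retries` seconds rather than `$retries - 1` on a path that blocks IPsec configuration; guard it with `if ($i + 1 < $retries) sleep(1);`. Nothing is logged when every attempt fails, so callers that skip a tunnel on `false` leave no trace of why — a `log_error("resolve_retry: could not resolve {$hostname}")` before `return false;` would help operators. The only success test is that the resolver did not echo the name back, which is gethostbyname()'s documented failure mode, so a header comment stating that this returns the first IPv4 address or false, with no IPv6 handling, would save the next reader a lookup.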
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index a984c5b..2c30acf 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -1,7 +1,8 @@
<?php
+
/*
vpn.inc
- Copyright (C) 2004-2006 Scott Ullrich
+ Copyright (C) 2004 Scott Ullrich
All rights reserved.
originally part of m0n0wall (http://m0n0.ch/wall)
@@ -31,7 +32,7 @@
*/
/* include all configuration functions */
-require_once("functions.inc");
+require_once ("functions.inc");
/* master setup for vpn (mpd) */
function vpn_setup() {
@@ -40,6 +41,9 @@ function vpn_setup() {
/* start pppoe server */
vpn_pppoe_configure();
+
+ /* setup l2tp */
+ vpn_l2tp_configure();
}
function vpn_ipsec_failover_configure() {
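Review bot: `vpn_l2tp_configure()` is called unconditionally at L70 but this commit adds no definition of it to vpn.inc and none is visible elsewhere in the diff; if it is not provided by another included file, every boot hits a fatal undefined-function error right after the PPPoE server starts. Either add the function in the same commit or guard the call, `if (function_exists('vpn_l2tp_configure')) vpn_l2tp_configure();`, until the L2TP code lands. vpn_setup() begins before this hunk.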
@@ -47,22 +51,22 @@ function vpn_ipsec_failover_configure() {
$sasyncd_text = "";
- if($config['installedpackages']['sasyncd']['config'] <> "")
- foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
- $enabled = isset($sasyncd['enable']);
- if(!$enabled)
+ if ($config['installedpackages']['sasyncd'] <> "")
+ foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
+ $enabled = isset ($sasyncd['enable']);
+ if (!$enabled)
return;
- if($sasyncd['peerip'] <> "")
+ if ($sasyncd['peerip'] <> "")
$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
- if($sasyncd['interface'])
+ if ($sasyncd['interface'])
$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
- if($sasyncd['sharedkey'] <> "")
+ if ($sasyncd['sharedkey'] <> "")
$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
- if($sasyncd['mode'] <> "")
+ if ($sasyncd['mode'] <> "")
$sasyncd_text .= "mode {$sasyncd['mode']}\n";
- if($sasyncd['listenon'] <> "")
+ if ($sasyncd['listenon'] <> "")
$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
- if($sasyncd['flushmodesync'] <> "")
+ if ($sasyncd['flushmodesync'] <> "")
$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
}
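Review bot: The guard at L79 now tests `$config['installedpackages']['sasyncd']` instead of its `['config']` child, so a sasyncd node that exists without a config array makes the `foreach` on the next line iterate a non-array and emit a warning; check the array actually iterated, `if (is_array($config['installedpackages']['sasyncd']['config']))`. The `return;` at L83 leaves the whole function on the first disabled entry rather than skipping it, which also skips the kill/restart that follows — `continue;` matches the loop shape, though whether multiple entries are ever configured is not visible here. The shared key is written verbatim into the sasyncd config text at L92; the file write and its chmod happen outside this hunk, so I cannot confirm it is created with restrictive permissions.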
@@ -74,40 +78,39 @@ function vpn_ipsec_failover_configure() {
mwexec("killall sasyncd");
/* launch sasyncd, oh wise one */
- /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */
+ mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v");
}
function find_last_gif_device() {
- $regs = "";
- $last_gif_found = -1;
- if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1;
- $ifconfig_data = fread($fp, 4096);
- pclose($fp);
- $ifconfig_array = split(" ", $ifconfig_data);
- foreach ($ifconfig_array as $ifconfig) {
- ereg("gif(.)", $ifconfig, $regs);
- if($regs[0]) {
- if($regs[0] > $last_gif_found)
- $last_gif_found = $regs[1];
- }
- }
- return $last_gif_found;
+ $last_gif_found = -1;
+ $regs = "";
+ if (!($fp = popen("/sbin/ifconfig -l", "r")))
+ return -1;
+ $ifconfig_data = fread($fp, 4096);
+ pclose($fp);
+ $ifconfig_array = split(" ", $ifconfig_data);
+ foreach ($ifconfig_array as $ifconfig) {
+ ereg("gif(.)", $ifconfig, $regs);
+ if ($regs[0] && $regs[0] > $last_gif_found) {
+ $last_gif_found = $regs[1];
+ }
+ }
+ return $last_gif_found;
}
function vpn_ipsec_configure($ipchg = false) {
global $config, $g, $sa, $sn;
- mwexec("/sbin/ifconfig enc0 create");
mwexec("/sbin/ifconfig enc0 up");
/* get the automatic /etc/ping_hosts.sh ready */
unlink_if_exists("/var/db/ipsecpinghosts");
touch("/var/db/ipsecpinghosts");
- if($g['booting'] == true) {
+ if ($g['booting'] == true) {
/* determine if we should load the via padlock module */
- $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`;
- if(stristr($dmesg_boot, "ACE") == true) {
+ $dmesg_boot = `/usr/bin/grep CPU {$g['varlog_path']}/dmesg.boot`;
+ if (stristr($dmesg_boot, "ACE") == true) {
//echo "Enabling [VIA Padlock] ...";
//mwexec("/sbin/kldload padlock");
//mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1");
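Review bot: The rewritten comparison at L133 tests `$regs[0] > $last_gif_found`, but `$regs[0]` is the whole match (`gif3`) and only `$regs[1]` is the digit, so a non-numeric string is compared with an integer and the function effectively records just the first gif device it encounters; compare the capture instead, `if ($regs[0] && (int)$regs[1] > $last_gif_found)`. The pattern `gif(.)` also captures a single character, so `gif10` is read as `gif1` — `gif([0-9]+)` fixes that. Separately, L141 drops `ifconfig enc0 create` while L142 still brings enc0 up and the disable path at L169 still destroys it, so after a disable/enable cycle the `up` targets an interface that no longer exists unless it is created somewhere I cannot see. sasyncd is now launched unconditionally at L107 even when no sasyncd block produced config text; guarding on `$sasyncd_text != ""` avoids starting the daemon with an empty config.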
@@ -124,7 +127,7 @@ function vpn_ipsec_configure($ipchg = false) {
}
$number_of_gifs = find_last_gif_device();
- for($x=0; $x<$number_of_gifs; $x++) {
+ for ($x = 0; $x < $number_of_gifs; $x++) {
mwexec("/sbin/ifconfig gif" . $x . " delete");
}
@@ -137,14 +140,16 @@ function vpn_ipsec_configure($ipchg = false) {
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
$lansn = $lancfg['subnet'];
+
if (!isset($ipseccfg['enable'])) {
mwexec("/sbin/ifconfig enc0 down");
mwexec("/sbin/ifconfig enc0 destroy");
/* kill racoon */
mwexec("/usr/bin/killall racoon");
-
- /* wait for process to die */
+ killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid");
+
+ /* wait for racoon process to die */
sleep(2);
/* send a SIGKILL to be sure */
@@ -161,10 +166,9 @@ function vpn_ipsec_configure($ipchg = false) {
echo "Configuring IPsec VPN... ";
}
- if (isset($ipseccfg['enable'])) {
-
+ if (isset ($ipseccfg['enable'])) {
/* fastforwarding is not compatible with ipsec tunnels */
- system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1");
+ mwexec("/sbin/sysctl net.inet.ip.fastforwarding=0");
if (!$curwanip) {
/* IP address not configured yet, exit */
@@ -174,10 +178,12 @@ function vpn_ipsec_configure($ipchg = false) {
}
if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
- isset($ipseccfg['mobileclients']['enable'])) {
-
+ isset ($ipseccfg['mobileclients']['enable'])) {
+
+ $dnswatch_list = array();
+ $rgmap = array();
+
if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {
-
/* generate spd.conf */
$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
if (!$fd) {
@@ -191,21 +197,32 @@ function vpn_ipsec_configure($ipchg = false) {
$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
foreach ($ipseccfg['tunnel'] as $tunnel) {
-
- if (isset($tunnel['disabled']))
+ if (isset ($tunnel['disabled']))
continue;
+ /* see if this tunnel has a hostname for the remote-gateway, and if so,
+ try to resolve it now and add it to the list for dnswatch */
+ if (!is_ipaddr($tunnel['remote-gateway'])) {
+ $dnswatch_list[] = $tunnel['remote-gateway'];
+ $rgip = resolve_retry($tunnel['remote-gateway']);
+
+ if (!$rgip)
+ continue;
+
+ } else {
+ $rgip = $tunnel['remote-gateway'];
+ }
+ $rgmap[$tunnel['remote-gateway']] = $rgip;
+
$ep = vpn_endpoint_determine($tunnel, $curwanip);
- if (!$ep) {
- log_error("Could not deterimine VPN endpoint for {$tunnel['descr']}");
- continue;
- }
+ if (!$ep)
+ continue;
vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
- if(is_domain($tunnel['remote-gateway'])) {
+ if (is_domain($tunnel['remote-gateway'])) {
$tmp = gethostbyname($tunnel['remote-gateway']);
- if($tmp)
+ if ($tmp)
$tunnel['remote-gateway'] = $tmp;
}
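Review bot: A tunnel whose gateway fails to resolve at L216 is dropped with `continue` and nothing is logged, and the endpoint failure at L231 lost the `log_error` the old code had, so a tunnel can vanish from spd.conf and racoon.conf with no hint in the system log; restore a `log_error()` on both paths. The hostname is resolved a second time at L234–L239 independently of `resolve_retry()`, and that second answer is what `$tunnel['remote-gateway']` carries into the gif setup below, so the two halves of one tunnel can disagree while DNS is changing — use `$rgip` there and drop the second lookup. The resolved address becomes the peer identity and PSK selector further down, so the endpoint of the tunnel rests on unauthenticated DNS plus the PSK; that is worth a comment next to `$rgmap[$tunnel['remote-gateway']] = $rgip;`.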
@@ -225,31 +242,28 @@ function vpn_ipsec_configure($ipchg = false) {
fclose($pfd);
}
- if(isset($tunnel['creategif'])) {
+ if (isset ($tunnel['creategif'])) {
$number_of_gifs = find_last_gif_device();
$number_of_gifs++;
$curwanip = get_current_wan_address();
-
+ if ($config['installedpackages']['sasyncd']['config'] <> "")
+ foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
+ if ($sasyncd['ip'] <> "")
+ $curwanip = $sasyncd['ip'];
+ }
mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);
mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
}
$spdconf .= "spdadd {$sa}/{$sn} " .
- "{$tunnel['remote-subnet']} any -P out ipsec " .
- "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
- "{$tunnel['remote-gateway']}/unique;\n";
+ "{$tunnel['remote-subnet']} any -P out ipsec " .
+ "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
+ "{$rgip}/unique;\n";
$spdconf .= "spdadd {$tunnel['remote-subnet']} " .
- "{$sa}/{$sn} any -P in ipsec " .
- "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
- "{$ep}/unique;\n";
-
- if($tunnel['interface'] <> "wan") {
- /* static route needed? */
- if(strstr("carp", $tunnel['interface'])) {
-
- }
- }
+ "{$sa}/{$sn} any -P in ipsec " .
+ "{$tunnel['p2']['protocol']}/tunnel/{$rgip}-" .
+ "{$ep}/unique;\n";
}
fwrite($fd, $spdconf);
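Review bot: The sasyncd loop at L250–L254 overwrites the function-level `$curwanip` with the last sasyncd `ip` and never restores it, so every later use in this function — the endpoint lookups and the mobile-client `my_identifier` — silently sees the sasyncd address once one creategif tunnel has been processed; assign to a local, `$gifsrc = $curwanip;`, and use that in the ifconfig line. The ifconfig command at L255 concatenates `$curwanip` and `$tunnel['remote-gateway']` into a shell string unescaped, whereas the dnswatch launch added by this same commit wraps its hostnames in `escapeshellarg()`; do the same here. The gif tunnel also uses the hostname-derived `$tunnel['remote-gateway']` while the SPD entries at L264 and L277 use `$rgip`, so the two can target different addresses.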
@@ -272,11 +286,11 @@ function vpn_ipsec_configure($ipchg = false) {
$cacertnum = 0;
if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert']))
foreach ($ipseccfg['cacert'] as $cacert) {
- ++$cacertnum;
- if (isset($cacert['cert'])) {
+ ++ $cacertnum;
+ if (isset ($cacert['cert'])) {
$cert = base64_decode($cacert['cert']);
$x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if(is_array($x509cert) && isset($x509cert['hash'])) {
+ if (is_array($x509cert) && isset ($x509cert['hash'])) {
$fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
if (!$fd1) {
printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
@@ -293,108 +307,118 @@ function vpn_ipsec_configure($ipchg = false) {
if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
foreach ($ipseccfg['tunnel'] as $tunnel) {
- ++$tunnelnumber;
-
- if (isset($tunnel['disabled']))
- continue;
+ ++ $tunnelnumber;
- $ep = vpn_endpoint_determine($tunnel, $curwanip);
- if (!$ep)
- continue;
+ if (isset ($tunnel['disabled']))
+ continue;
- vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
- if (isset($tunnel['p1']['myident']['myaddress'])) {
- $myidentt = "address";
- $myident = $ep;
- } else if (isset($tunnel['p1']['myident']['address'])) {
- $myidentt = "address";
- $myident = $tunnel['p1']['myident']['address'];
- } else if (isset($tunnel['p1']['myident']['fqdn'])) {
- $myidentt = "fqdn";
- $myident = $tunnel['p1']['myident']['fqdn'];
- } else if (isset($tunnel['p1']['myident']['ufqdn'])) {
- $myidentt = "user_fqdn";
- $myident = $tunnel['p1']['myident']['ufqdn'];
- } else if (isset($tunnel['p1']['myident']['asn1dn'])) {
- $myidentt = "asn1dn";
- $myident = $tunnel['p1']['myident']['asn1dn'];
- } else if (isset($tunnel['p1']['myident']['dyn_dns'])) {
- $myidentt = "dyn_dns";
- $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
- }
-
- $nattline = '';
- if (isset($tunnel['natt'])) {
- $nattline = "nat_traversal on;";
- }
+ $rgip = $rgmap[$tunnel['remote-gateway']];
+ if (!$rgip)
+ continue;
- if (isset($tunnel['p1']['authentication_method'])) {
- $authmethod = $tunnel['p1']['authentication_method'];
- } else {$authmethod = 'pre_shared_key';}
+ $ep = vpn_endpoint_determine($tunnel, $curwanip);
+ if (!$ep)
+ continue;
- $certline = '';
+ vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
- if ($authmethod == 'rsasig') {
- if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
- $cert = base64_decode($tunnel['p1']['cert']);
- $private_key = base64_decode($tunnel['p1']['private-key']);
- } else {
- /* null certificate/key */
- $cert = '';
- $private_key = '';
+ if (isset ($tunnel['p1']['myident']['myaddress'])) {
+ $myidentt = "address";
+ $myident = $ep;
+ } elseif (isset ($tunnel['p1']['myident']['address'])) {
+ $myidentt = "address";
+ $myident = $tunnel['p1']['myident']['address'];
+ } elseif (isset ($tunnel['p1']['myident']['fqdn'])) {
+ $myidentt = "fqdn";
+ $myident = $tunnel['p1']['myident']['fqdn'];
+ } elseif (isset ($tunnel['p1']['myident']['ufqdn'])) {
+ $myidentt = "user_fqdn";
+ $myident = $tunnel['p1']['myident']['ufqdn'];
+ } else if (isset($tunnel['p1']['myident']['asn1dn'])) {
+ $myidentt = "asn1dn";
+ $myident = $tunnel['p1']['myident']['asn1dn'];
+ } else if (isset($tunnel['p1']['myident']['asn1dn'])) {
+ $myidentt = "asn1dn";
+ $myident = $tunnel['p1']['myident']['asn1dn'];
+ } elseif (isset ($tunnel['p1']['myident']['dyn_dns'])) {
+ $myidentt = "dyn_dns";
+ $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
}
- if ($tunnel['p1']['peercert'])
- $peercert = base64_decode($tunnel['p1']['peercert']);
- else
- $peercert = '';
-
- $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
- return 1;
+ $nattline = '';
+ if (isset($tunnel['natt'])) {
+ $nattline = "nat_traversal on;";
}
- chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
- fwrite($fd1, $cert);
- fclose($fd1);
- $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
- if (!$fd1) {
- printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
- return 1;
+ if (isset ($tunnel['p1']['authentication_method'])) {
+ $authmethod = $tunnel['p1']['authentication_method'];
+ } else {
+ $authmethod = 'pre_shared_key';
}
- chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
- fwrite($fd1, $private_key);
- fclose($fd1);
- $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
+ $certline = '';
+
+ if ($authmethod == 'rsasig') {
+ if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
+ $cert = base64_decode($tunnel['p1']['cert']);
+ $private_key = base64_decode($tunnel['p1']['private-key']);
+ } else {
+ /* null certificate/key */
+ $cert = '';
+ $private_key = '';
+ }
- if ($peercert!=''){
- $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
+ if ($tunnel['p1']['peercert'])
+ $peercert = base64_decode($tunnel['p1']['peercert']);
+ else
+ $peercert = '';
+
+ $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
if (!$fd1) {
printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
return 1;
}
- chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
- fwrite($fd1, $peercert);
+ chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
+ fwrite($fd1, $cert);
+ fclose($fd1);
+
+ $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
+ if (!$fd1) {
+ printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
+ return 1;
+ }
+ chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
+ fwrite($fd1, $private_key);
fclose($fd1);
- $certline .= <<<EOD
+
+ $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
+
+ if ($peercert != '') {
+ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
+ if (!$fd1) {
+ printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
+ return 1;
+ }
+ chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
+ fwrite($fd1, $peercert);
+ fclose($fd1);
+ $certline .=<<<EOD
peers_certfile "peer{$tunnelnumber}-signed.pem";
EOD;
+ }
}
- }
- $myidentifier = $myidentt;
- if (!empty($myident))
- $myidentifier .= ' "' . $myident . '"';
- $racoonconf .= <<<EOD
+ $myidentifier = $myidentt;
+ if (!empty($myident))
+ $myidentifier .= ' "' . $myident . '"';
+ $racoonconf .=<<<EOD
remote {$tunnel['remote-gateway']} \{
exchange_mode {$tunnel['p1']['mode']};
my_identifier {$myidentifier};
{$nattline}
{$certline}
- peers_identifier address {$tunnel['remote-gateway']};
+ peers_identifier address {$rgip};
initial_contact on;
support_proxy on;
proposal_check obey;
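Review bot: The `asn1dn` branch at L365–L367 is repeated verbatim at L368–L370, so the second copy is unreachable; delete it. `$myidentt` and `$myident` are never reset at the top of the tunnel loop, so a tunnel with no `myident` key inherits the identity of the previous tunnel — initialise both to empty strings before the chain. The `remote` statement at L468 is still keyed by the raw `$tunnel['remote-gateway']` while `peers_identifier` (L474) and psk.txt use `$rgip`; if racoon resolves the name itself the two can diverge from what dnswatch watched, so `remote {$rgip} \{` keeps all three consistent. The error message at L448 names `server{$tunnelnumber}-signed.pem` when the peer certificate file failed to open, and the `rsasig` branch writes empty cert/key files at L411–L413 instead of rejecting a tunnel that has no key material.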
@@ -406,20 +430,20 @@ remote {$tunnel['remote-gateway']} \{
dh_group {$tunnel['p1']['dhgroup']};
EOD;
- if ($tunnel['p1']['lifetime'])
- $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
- $racoonconf .= " }\n";
+ $racoonconf .= " }\n";
- if ($tunnel['p1']['lifetime'])
- $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
- $racoonconf .= "}\n\n";
+ $racoonconf .= "}\n\n";
- $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
- $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
+ $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
+ $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
- $racoonconf .= <<<EOD
+ $racoonconf .=<<<EOD
sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
encryption_algorithm {$p2ealgos};
authentication_algorithm {$p2halgos};
@@ -427,40 +451,42 @@ sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
EOD;
- if ($tunnel['p2']['pfsgroup'])
- $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n";
+ if ($tunnel['p2']['pfsgroup'])
+ $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n";
- if ($tunnel['p2']['lifetime'])
- $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n";
+ if ($tunnel['p2']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n";
- $racoonconf .= "}\n\n";
- }
+ $racoonconf .= "}\n\n";
+ }
/* mobile clients? */
- if (isset($ipseccfg['mobileclients']['enable'])) {
+ if (isset ($ipseccfg['mobileclients']['enable'])) {
$tunnel = $ipseccfg['mobileclients'];
- if (isset($tunnel['p1']['myident']['myaddress'])) {
+ if (isset ($tunnel['p1']['myident']['myaddress'])) {
$myidentt = "address";
$myident = $curwanip;
- } else if (isset($tunnel['p1']['myident']['address'])) {
- $myidentt = "address";
- $myident = $tunnel['p1']['myident']['address'];
- } else if (isset($tunnel['p1']['myident']['fqdn'])) {
- $myidentt = "fqdn";
- $myident = $tunnel['p1']['myident']['fqdn'];
- } else if (isset($tunnel['p1']['myident']['ufqdn'])) {
- $myidentt = "user_fqdn";
- $myident = $tunnel['p1']['myident']['ufqdn'];
- } else if (isset($tunnel['p1']['myident']['asn1dn'])) {
- $myidentt = "asn1dn";
- $myident = $tunnel['p1']['myident']['asn1dn'];
- }
-
- if (isset($tunnel['p1']['authentication_method'])) {
+ } else
+ if (isset ($tunnel['p1']['myident']['address'])) {
+ $myidentt = "address";
+ $myident = $tunnel['p1']['myident']['address'];
+ } else
+ if (isset ($tunnel['p1']['myident']['fqdn'])) {
+ $myidentt = "fqdn";
+ $myident = $tunnel['p1']['myident']['fqdn'];
+ } else
+ if (isset ($tunnel['p1']['myident']['ufqdn'])) {
+ $myidentt = "user_fqdn";
+ $myident = $tunnel['p1']['myident']['ufqdn'];
+ }
+
+ if (isset ($tunnel['p1']['authentication_method'])) {
$authmethod = $tunnel['p1']['authentication_method'];
- } else {$authmethod = 'pre_shared_key';}
+ } else {
+ $authmethod = 'pre_shared_key';
+ }
$certline = '';
if ($authmethod == 'rsasig') {
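Review bot: The mobile-client identity chain at L539–L551 no longer has the `asn1dn` branch that the removed L533–L535 provided, and `$myident` is not reset before the chain, so a mobile configuration using an ASN.1 DN now silently inherits `$myidentt`/`$myident` from the last site-to-site tunnel processed above; restore `} elseif (isset($tunnel['p1']['myident']['asn1dn'])) { $myidentt = "asn1dn"; $myident = $tunnel['p1']['myident']['asn1dn']; }` and initialise both variables before the chain. The `} else` followed by a newline and `if (` reads as a dangling else and is inconsistent with the `elseif` this same commit uses in the tunnel loop.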
@@ -498,7 +524,7 @@ EOD;
$certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";";
}
- $racoonconf .= <<<EOD
+ $racoonconf .=<<<EOD
remote anonymous \{
exchange_mode {$tunnel['p1']['mode']};
my_identifier {$myidentt} "{$myident}";
@@ -529,7 +555,7 @@ EOD;
$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
- $racoonconf .= <<<EOD
+ $racoonconf .=<<<EOD
sainfo anonymous \{
encryption_algorithm {$p2ealgos};
authentication_algorithm {$p2halgos};
@@ -560,9 +586,12 @@ EOD;
if (is_array($ipseccfg['tunnel'])) {
foreach ($ipseccfg['tunnel'] as $tunnel) {
- if (isset($tunnel['disabled']))
+ if (isset ($tunnel['disabled']))
continue;
- $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n";
+ $rgip = $rgmap[$tunnel['remote-gateway']];
+ if (!$rgip)
+ continue;
+ $pskconf .= "{$rgip} {$tunnel['p1']['pre-shared-key']}\n";
}
}
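Review bot: When `$rgmap` has no entry for a tunnel (its name never resolved), the `continue` at L586 drops the PSK line silently, so racoon later fails phase 1 against that peer with nothing in the log pointing at DNS; add `log_error("IPsec: no resolved address for {$tunnel['remote-gateway']}, PSK not written")` before it. Two tunnels whose names resolve to the same address now yield two psk.txt lines for one IP, and only the first will be used, so a comment or a duplicate check is warranted. The enclosing function begins and ends outside this hunk.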
@@ -577,6 +606,7 @@ EOD;
fclose($fd);
chmod("{$g['varetc_path']}/psk.txt", 0600);
+
if(is_process_running("racoon")) {
/* We are already online, reload */
mwexec("/usr/bin/killall -HUP racoon");
@@ -598,6 +628,30 @@ EOD;
/* load SPD */
mwexec("/bin/cat {$g['varetc_path']}/spd.conf | /usr/local/bin/slowdownpipe.sh | /sbin/setkey -c");
sleep(1);
+ /* start dnswatch, if necessary */
+ if (count($dnswatch_list) > 0) {
+ $interval = 60;
+ if ($ipseccfg['dns-interval'])
+ $interval = $ipseccfg['dns-interval'];
+
+ $hostnames = "";
+ foreach ($dnswatch_list as $dns)
+ $hostnames .= " " . escapeshellarg($dns);
+
+ mwexec("/usr/local/bin/dnswatch {$g['varrun_path']}/dnswatch-ipsec.pid $interval " .
+ escapeshellarg("/etc/rc.newipsecdns") . $hostnames);
+ }
+ }
+
+ if (is_array($ipseccfg['tunnel'])) {
+ foreach ($ipseccfg['tunnel'] as $tunnel) {
+ if (isset ($tunnel['auto'])) {
+ $remotehost = substr($tunnel['remote-subnet'], 0, strpos($tunnel['remote-subnet'], "/"));
+ $srchost = vpn_endpoint_determine($tunnel, $curwanip);
+ if ($srchost)
+ mwexec_bg("/sbin/ping -c 10 -S {$srchost} {$remotehost}");
+ }
+ }
}
}
}
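Review bot: `$interval` at L604–L605 comes straight from the config and is interpolated into the dnswatch command line at L611 unvalidated, unlike the hostnames which are escaped; coerce it, `$interval = (int)$ipseccfg['dns-interval']; if ($interval <= 0) $interval = 60;`. I see no `killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid")` on the enabled path in this diff — only in the disable branch — so unless it happens in lines not shown, each reconfigure triggered by /etc/rc.newipsecdns starts another dnswatch beside the old one. At L619 `strpos()` returns false when `remote-subnet` has no `/`, which makes `$remotehost` an empty string and still launches `ping`; `$srchost` and `$remotehost` also reach the shell unescaped, so guard with `is_ipaddr($remotehost)` and wrap both in `escapeshellarg()`.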
@@ -621,7 +675,7 @@ function vpn_pptpd_configure() {
$syscfg = $config['system'];
$pptpdcfg = $config['pptpd'];
- $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+ $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
if ($g['booting']) {
if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
@@ -630,81 +684,73 @@ function vpn_pptpd_configure() {
echo "Configuring PPTP VPN service... ";
} else {
/* kill mpd */
- killbypid("{$g['varrun_path']}/mpd-pptpd.pid");
+ killbypid("{$g['varrun_path']}/mpd-vpn.pid");
/* wait for process to die */
sleep(3);
- if (is_process_running("mpd4 -b")) {
- killbypid("{$g['varrun_path']}/mpd-pptpd.pid");
+ if (is_process_running("mpd -b")) {
+ killbypid("{$g['varrun_path']}/mpd-vpn.pid");
log_error("Could not kill mpd within 3 seconds. Trying again.");
}
/* remove mpd.conf, if it exists */
- unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.conf");
- unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.links");
- unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.secret");
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");
}
/* make sure mpd-vpn directory exists */
- if (!file_exists("{$g['varetc_path']}/mpd-pptpd"))
- mkdir("{$g['varetc_path']}/mpd-pptpd");
+ if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
switch ($pptpdcfg['mode']) {
-
- case 'server':
-
+ case 'server' :
/* write mpd.conf */
- $fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.conf", "w");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");
if (!$fd) {
printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
return 1;
}
- $mpdconf = <<<EOD
-startup:
+ $mpdconf =<<<EOD
pptpd:
EOD;
- for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
+ for ($i = 0; $i < $g['n_pptp_units']; $i++) {
$mpdconf .= " load pt{$i}\n";
}
- for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
+ for ($i = 0; $i < $g['n_pptp_units']; $i++) {
$clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
- $ngif = "ng" . ($i+1);
+ $ngif = "ng" . ($i + $starting_ng);
- if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) {
- $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0";
- } else {
- $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32";
- }
-
- $mpdconf .= <<<EOD
+ $mpdconf .=<<<EOD
pt{$i}:
new -i {$ngif} pt{$i} pt{$i}
- {$isssue_ip_type}
- load pptpd_standard
+ set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
+ load pts
EOD;
}
- $mpdconf .= <<<EOD
+ $mpdconf .=<<<EOD
-pptpd_standard:
- set iface up-script /usr/local/sbin/vpn-linkup
- set iface down-script /usr/local/sbin/vpn-linkdown
+pts:
set iface disable on-demand
set iface enable proxy-arp
- set iface idle 1800
set iface enable tcpmssfix
+ set iface idle 1800
+ set iface up-script /usr/local/sbin/vpn-linkup
+ set iface down-script /usr/local/sbin/vpn-linkdown
set bundle enable multilink
+ set bundle enable crypt-reqd
set link yes acfcomp protocomp
set link no pap chap
- set link enable chap
+ set link enable chap-msv2
set link mtu 1460
set link keep-alive 10 60
set ipcp yes vjcomp
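Review bot: The PPTP server now shares `{$g['varetc_path']}/mpd-vpn` and `mpd-vpn.pid` with the PPPoE server (L640, L653–L655, L669 versus L935, L957), so reconfiguring PPTP kills the PPPoE mpd through the shared pid file and `unlink`s the mpd.conf that the PPPoE code later appends to; if one mpd instance is meant to serve both, the two functions need a common writer, otherwise keep separate directories and pid files. The `radiusissueips` handling removed at L688–L692 is still present for PPPoE at L973–L979, so PPTP deployments relying on RADIUS-assigned addresses lose it with this commit. `set link enable chap-msv2` and `set bundle enable crypt-reqd` at L718 and L722 are the right direction; a one-line comment that plain CHAP and PAP are intentionally refused would stop someone re-adding them.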
@@ -715,78 +761,55 @@ pptpd_standard:
EOD;
- if (!isset($pptpdcfg['req128'])) {
- $mpdconf .= <<<EOD
+ if (!isset ($pptpdcfg['req128'])) {
+ $mpdconf .=<<<EOD
set ccp yes mpp-e40
+ set ccp yes mpp-e56
EOD;
}
- if (isset($pptpdcfg['wins'])) {
- $mpdconf .= <<<EOD
- set ipcp nbns {$pptpdcfg['wins']}
-
-EOD;
- }
- if (isset($pptpdcfg['dns1'])) {
- $mpdconf .= <<<EOD
- set ipcp dns {$pptpdcfg['dns1']} {$pptpdcfg['dns2']}
-EOD;
- } else if (isset($config['dnsmasq']['enable'])) {
- $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
- if ($syscfg['dnsserver'][0])
- $mpdconf .= " " . $syscfg['dnsserver'][0];
- $mpdconf .= "\n";
- } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
- $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
- }
-
- if (isset($pptpdcfg['radius']['server']['enable'])) {
- $mpdconf .= <<<EOD
- load radius
+ if (isset($pptpdcfg["wins"]))
+ $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n";
+ if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) {
+ $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n";
+ } else
+ if (isset ($config['dnsmasq']['enable'])) {
+ $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
+ if ($syscfg['dnsserver'][0])
+ $mpdconf .= " " . $syscfg['dnsserver'][0];
+ $mpdconf .= "\n";
+ } else
+ if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+ $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+ }
-radius:
+ if (isset ($pptpdcfg['radius']['enable'])) {
+ $authport = isset($pptpdcfg['radius']['port']) ? $pptpdcfg['radius']['port'] : 1812;
+ $acctport = $authport + 1;
+ $mpdconf .=<<<EOD
+ set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" {$authport} {$acctport}
set radius retries 3
- set radius timeout 3
- set radius me {$pptpdcfg['radius']['nasip']}
- set auth enable radius-auth
- set radius enable message-authentic
+ set radius timeout 10
+ set bundle enable radius-auth
+ set bundle disable radius-fallback
EOD;
- if (isset($pptpdcfg['radius']['server2']['enable'])) {
- $mpdconf .= <<<EOD
- set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret']}" {$pptpdcfg['radius']['server2']['port']} {$pptpdcfg['radius']['server2']['acctport']}
+ if (isset ($pptpdcfg['radius']['accounting'])) {
+ $mpdconf .=<<<EOD
+ set bundle enable radius-acct
+ set radius acct-update 300
EOD;
}
-
- if (isset($pptpdcfg['radius']['server']['enable'])) {
- $mpdconf .= <<<EOD
- set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$pptpdcfg['radius']['server']['port']} {$pptpdcfg['radius']['server']['acctport']}
-
-EOD;
}
- if (isset($pptpdcfg['radius']['accounting'])) {
- $mpdconf .= <<<EOD
- set auth enable radius-acct
- set auth acct-update {$pptpdcfg['radius']['acct_update']}
-EOD;
- }
- } else {
- $mpdconf .= <<<EOD
- set auth enable system
- set auth timeout 30
-
-EOD;
-
- }
fwrite($fd, $mpdconf);
fclose($fd);
/* write mpd.links */
- $fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.links", "w");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");
if (!$fd) {
printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
return 1;
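Review bot: With `req128` unset, L732–L733 now advertise 40-bit and the newly added 56-bit MPPE, leaving the session's confidentiality to the weakest cipher the client negotiates; at minimum document that `req128` is the secure default, and consider not adding `mpp-e56`. The RADIUS server and secret at L777 are interpolated into a double-quoted mpd.conf field unescaped, so a secret containing `"` breaks the file, the port at L774 is used unvalidated, and the accounting port is assumed to be `authport + 1` with no replacement for the per-server `acctport` the removed lines supported. The enclosing `switch` case continues beyond this hunk.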
@@ -795,13 +818,14 @@ EOD;
$mpdlinks = "";
for ($i = 0; $i < $g['n_pptp_units']; $i++) {
- $mpdlinks .= <<<EOD
+ $mpdlinks .=<<<EOD
pt{$i}:
set link type pptp
- set pptp self 127.0.0.1
set pptp enable incoming
set pptp disable originate
+ set pptp disable windowing
+ set pptp self 127.0.0.1
EOD;
}
@@ -810,7 +834,7 @@ EOD;
fclose($fd);
/* write mpd.secret */
- $fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.secret", "w");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");
if (!$fd) {
printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
return 1;
@@ -825,14 +849,14 @@ EOD;
fwrite($fd, $mpdsecret);
fclose($fd);
- chmod("{$g['varetc_path']}/mpd-pptpd/mpd.secret", 0600);
+ chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
/* fire up mpd */
- mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/mpd-pptpd -p {$g['varrun_path']}/mpd-pptpd.pid pptpd");
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");
break;
- case 'redir':
+ case 'redir' :
break;
}
@@ -847,22 +871,23 @@ EOD;
return 0;
}
-function vpn_localnet_determine($adr, &$sa, &$sn) {
+function vpn_localnet_determine($adr, & $sa, & $sn) {
global $config, $g;
- if (isset($adr)) {
+ if (isset ($adr)) {
if ($adr['network']) {
switch ($adr['network']) {
- case 'lan':
+ case 'lan' :
$sn = $config['interfaces']['lan']['subnet'];
$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
break;
}
- } else if ($adr['address']) {
- list($sa,$sn) = explode("/", $adr['address']);
- if (is_null($sn))
- $sn = 32;
- }
+ } else
+ if ($adr['address']) {
+ list ($sa, $sn) = explode("/", $adr['address']);
+ if (is_null($sn))
+ $sn = 32;
+ }
} else {
$sn = $config['interfaces']['lan']['subnet'];
$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
@@ -878,7 +903,7 @@ function vpn_endpoint_determine($tunnel, $curwanip) {
return $curwanip;
else
return null;
- } else if ($tunnel['interface'] == "lan") {
+ } elseif ($tunnel['interface'] == "lan") {
return $config['interfaces']['lan']['ipaddr'];
} else {
$oc = $config['interfaces'][$tunnel['interface']];
@@ -886,8 +911,8 @@ function vpn_endpoint_determine($tunnel, $curwanip) {
$ip = find_interface_ip($tunnel['interface']);
if($ip)
return $ip;
-
- if (isset($oc['enable']) && $oc['if']) {
+
+ if (isset ($oc['enable']) && $oc['if']) {
return $oc['ipaddr'];
}
}
@@ -901,47 +926,49 @@ function vpn_pppoe_configure() {
$syscfg = $config['system'];
$pppoecfg = $config['pppoe'];
- $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+ $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
/* create directory if it does not exist */
- if (!is_dir("{$g['varetc_path']}/mpd-pppoe"))
- mkdir("{$g['varetc_path']}/mpd-pppoe");
+ if (!is_dir("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
if ($g['booting']) {
if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
return 0;
echo "Configuring PPPoE VPN service... ";
- } else {
- /* kill mpd */
- killbypid("{$g['varrun_path']}/mpd-pppoe.pid");
-
- /* wait for process to die */
- sleep(2);
- unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.conf");
- unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.links");
- unlink_if_exists("{$g['varetc_path']}/mpd-pppoe/mpd.secret");
+ } else {
+ /* kill mpd */
+ killbypid("{$g['varrun_path']}/mpd-vpn.pid");
+
+ /* wait for process to die */
+ sleep(2);
+
}
/* make sure mpd-vpn directory exists */
- if (!file_exists("{$g['varetc_path']}/mpd-pppoe"))
- mkdir("{$g['varetc_path']}/mpd-pppoe");
+ if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
switch ($pppoecfg['mode']) {
- case 'server':
+ case 'server' :
$pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']);
+ if ($pppoecfg['paporchap'] == "chap")
+ $paporchap = "set link enable chap";
+ else
+ $paporchap = "set link enable pap";
+
/* write mpd.conf */
- $fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.conf", "a");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
if (!$fd) {
printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n");
return 1;
}
$mpdconf = "\n\n";
- $mpdconf .= <<<EOD
-startup:
+ $mpdconf .=<<<EOD
pppoe:
EOD;
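Review bot: The PPPoE path opens mpd.conf in append mode at L957, yet this commit removes the `unlink_if_exists` calls that used to clear it (L930–L932) and `vpn_pptpd_configure()` returns early when PPTP is off, so with PPTP disabled every PPPoE reconfigure appends another `pppoe:` section with duplicate labels to the same file. Either restore the unlinks in the `else` branch at L933–L940 or have one shared writer open the file with `"w"`. At L950–L953 an unset `paporchap` silently selects PAP, which transmits the password in clear; if the field can be absent on existing configs, defaulting to CHAP or at least logging the choice would be safer, and a comment stating the default is needed either way.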
@@ -953,15 +980,16 @@ EOD;
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
$clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
- $ngif = "ng" . ($i+1);
+ $ngif = "ng" . ($i + $starting_ng);
- if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) {
+ if (isset ($pppoecfg['radius']['radiusissueips']) && isset ($pppoecfg['radius']['enable'])) {
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
+ $isssue_ip_type .= "\n\tset ipcp yes radius-ip";
} else {
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
}
- $mpdconf .= <<<EOD
+ $mpdconf .=<<<EOD
pppoe{$i}:
new -i {$ngif} pppoe{$i} pppoe{$i}
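Review bot: `$ngif = "ng" . ($i + $starting_ng)` uses the same base as the new vpn_l2tp_configure, which also computes `$ngif = "ng" . ($i + $starting_ng)` for its units, so if both the PPPoE and the L2TP server are enabled the two mpd instances would each try to create ng{$starting_ng}, ng{$starting_ng+1} and so on; I have not traced get_number_of_wan_netgraph_interfaces_needed(), so confirm it does not already account for the other service. A simple fix is to offset one of them by the other's unit count, e.g. `$ngif = "ng" . ($i + $starting_ng + $config['pppoe']['n_pppoe_units']);` in the L2TP loop, with a comment saying the numbering space is shared. The enclosing for loop and function continue outside this hunk.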
@@ -971,95 +999,73 @@ pppoe{$i}:
EOD;
}
- $mpdconf .= <<<EOD
+ $mpdconf .=<<<EOD
pppoe_standart:
set link type pppoe
set pppoe iface {$pppoe_interface}
set pppoe service "*"
- set iface up-script /usr/local/sbin/vpn-linkup
- set iface down-script /usr/local/sbin/vpn-linkdown
- set bundle enable compression
- set auth max-logins 1
- set link max-redial -1
- set pppoe enable incoming
set pppoe disable originate
+ set pppoe enable incoming
+ set bundle no multilink
+ set bundle enable compression
+ set bundle max-logins 1
+ set iface idle 0
set iface disable on-demand
set iface disable proxy-arp
- set iface idle 0
set iface enable tcpmssfix
- set bundle no multilink
- set link no acfcomp
- set link no protocomp
+ set iface mtu 1500
set link no pap chap
- set link enable chap
- set link keep-alive 30 100
- set link mtu 1460
+ {$paporchap}
+ set link keep-alive 60 180
+ set ipcp yes vjcomp
+ set ipcp no vjcomp
+ set link max-redial -1
+ set link mtu 1492
+ set link mru 1492
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
- set ipcp no vjcomp
+ set link latency 1
+ #set ipcp dns 10.10.1.3
+ #set bundle accept encryption
EOD;
- if (isset($pppoecfg['dns1'])) {
- $mpdconf .= <<<EOD
- set ipcp dns {$pppoecfg['dns1']} {$pppoecfg['dns2']}
-EOD;
-
- } else if (isset($config['dnsmasq']['enable'])) {
+ if (isset ($config['dnsmasq']['enable'])) {
$mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
- } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
- $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
- }
-
- if (isset($pppoecfg['radius']['server']['enable'])) {
- $mpdconf .= <<<EOD
- load radius
+ } else
+ if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+ $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+ }
-radius:
+ if (isset ($pppoecfg['radius']['enable'])) {
+ $mpdconf .=<<<EOD
+ set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}"
+ set ipcp radius-ip
set radius retries 3
- set radius timeout 3
- set radius me {$pppoecfg['radius']['nasip']}
- set auth enable radius-auth
- set radius enable message-authentic
+ set radius timeout 10
+ set bundle enable radius-auth
+ set bundle disable radius-fallback
EOD;
- if (isset($pppoecfg['radius']['server2']['enable'])) {
- $mpdconf .= <<<EOD
- set radius server {$pppoecfg['radius']['server2']['ip']} "{$pppoecfg['radius']['server2']['secret']}" {$pppoecfg['radius']['server2']['port']} {$pppoecfg['radius']['server2']['acctport']}
-EOD;
- }
-
- if (isset($pppoecfg['radius']['server']['enable'])) {
- $mpdconf .= <<<EOD
- set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$pppoecfg['radius']['server']['port']} {$pppoecfg['radius']['server']['acctport']}
+ if (isset ($pppoecfg['radius']['accounting'])) {
+ $mpdconf .=<<<EOD
+ set bundle enable radius-acct
EOD;
}
-
- if (isset($pppoecfg['radius']['accounting'])) {
- $mpdconf .= <<<EOD
- set auth enable radius-acct
- set auth acct-update {$pppoecfg['radius']['acct_update']}
-EOD;
}
- } else {
- $mpdconf .= <<<EOD
- set auth enable system
- set auth timeout 30
-EOD;
- }
fwrite($fd, $mpdconf);
fclose($fd);
/* write mpd.links */
- $fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.links", "a");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
if (!$fd) {
printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n");
return 1;
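Review bot: The RADIUS shared secret is now interpolated into mpd.conf (`set radius server ... "{$pppoecfg['radius']['secret']}"`), but only mpd.secret receives `chmod(..., 0600)` later in the function; mpd.conf is created with the process umask, so the secret should get the same treatment, e.g. `chmod("{$g['varetc_path']}/mpd-vpn/mpd.conf", 0600);` after the `fclose($fd)`. The secret is also inserted unescaped between double quotes, so a secret containing `"` produces a config line mpd cannot parse; that deserves at least a comment until the value is validated at the boundary. In the pppoe_standart block `set ipcp yes vjcomp` is immediately followed by `set ipcp no vjcomp`, which looks like a merge leftover and should be reduced to the intended one. Existing configs that set `$pppoecfg['dns1']` are now silently ignored, and the new RADIUS block no longer requests message-authentic; if both are intentional, a short comment saying so would prevent this being reported as a regression. vpn_pppoe_configure continues after this hunk.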
@@ -1068,15 +1074,11 @@ EOD;
$mpdlinks = "";
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
- $mpdlinks .= <<<EOD
+ $mpdlinks .=<<<EOD
pppoe:
set link type pppoe
set pppoe iface {$pppoe_interface}
- set pppoe service "*"
- set pppoe disable incoming
- set pppoe enable originate
-
EOD;
}
@@ -1085,7 +1087,7 @@ EOD;
fclose($fd);
/* write mpd.secret */
- $fd = fopen("{$g['varetc_path']}/mpd-pppoe/mpd.secret", "a");
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
if (!$fd) {
printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n");
return 1;
@@ -1100,14 +1102,202 @@ EOD;
fwrite($fd, $mpdsecret);
fclose($fd);
- chmod("{$g['varetc_path']}/mpd-pppoe/mpd.secret", 0600);
+ chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
+
+ /* fire up mpd */
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe");
+
+ break;
+
+ case 'redir' :
+ break;
+ }
+
+ touch("{$g["tmp_path"]}/filter_dirty");
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function vpn_l2tp_configure() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+ $l2tpcfg = $config['l2tp'];
+
+ mwexec("/sbin/kldload /boot/kernel/ng_l2tp.ko");
+
+ $starting_ng = get_number_of_wan_netgraph_interfaces_needed();
+
+ /* create directory if it does not exist */
+ if (!is_dir("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
+
+ if ($g['booting']) {
+ if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off"))
+ return 0;
+
+ echo "Configuring l2tp VPN service... ";
+ } else {
+ /* kill mpd */
+ killbypid("{$g['varrun_path']}/mpd-vpn.pid");
+
+ /* wait for process to die */
+ sleep(2);
+
+ }
+
+ /* make sure mpd-vpn directory exists */
+ if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
+
+ switch ($l2tpcfg['mode']) {
+
+ case 'server' :
+
+ $l2tp_interface = filter_translate_type_to_real_interface($l2tpcfg['interface']);
+
+ if ($l2tpcfg['paporchap'] == "chap")
+ $paporchap = "set link enable chap";
+ else
+ $paporchap = "set link enable pap";
+
+ /* write mpd.conf */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
+ if (!$fd) {
+ printf("Error: cannot open mpd.conf in vpn_l2tp_configure().\n");
+ return 1;
+ }
+ $mpdconf = "\n\n";
+ $mpdconf .=<<<EOD
+l2tp:
+
+EOD;
+
+ for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+ $mpdconf .= " load l2tp{$i}\n";
+ }
+
+ for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+
+ $clientip = long2ip(ip2long($l2tpcfg['remoteip']) + $i);
+ $ngif = "ng" . ($i + $starting_ng);
+
+ if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
+ $isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
+ $isssue_ip_type .= "\n\tset ipcp yes radius-ip";
+ } else {
+ $isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
+ }
+
+ $mpdconf .=<<<EOD
+
+l2tp{$i}:
+ new -i {$ngif} l2tp{$i} l2tp{$i}
+ {$isssue_ip_type}
+ load l2tp_standard
+
+EOD;
+ }
+
+ $mpdconf .=<<<EOD
+
+l2tp_standard:
+ set bundle disable multilink
+ set bundle enable compression
+ set bundle yes crypt-reqd
+ set ipcp yes vjcomp
+ # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
+ set ccp yes mppc
+ set iface disable on-demand
+ set iface enable proxy-arp
+ set link yes acfcomp protocomp
+ set link no pap chap
+ set link enable chap
+ set link keep-alive 10 180
+
+EOD;
+
+ if (isset ($config['dnsmasq']['enable'])) {
+ $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
+ if ($syscfg['dnsserver'][0])
+ $mpdconf .= " " . $syscfg['dnsserver'][0];
+ $mpdconf .= "\n";
+ } else
+ if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+ $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+ }
+
+ if (isset ($l2tpcfg['radius']['enable'])) {
+ $mpdconf .=<<<EOD
+ set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
+ set ipcp radius-ip
+ set radius retries 3
+ set radius timeout 10
+ set bundle enable radius-auth
+ set bundle disable radius-fallback
+
+EOD;
+
+ if (isset ($l2tpcfg['radius']['accounting'])) {
+ $mpdconf .=<<<EOD
+ set bundle enable radius-acct
+
+EOD;
+ }
+ }
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* write mpd.links */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
+ if (!$fd) {
+ printf("Error: cannot open mpd.links in vpn_l2tp_configure().\n");
+ return 1;
+ }
+
+ $mpdlinks = "";
+
+ for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
+ $mpdlinks .=<<<EOD
+
+l2tp:
+ set link type l2tp
+ set l2tp iface {$l2tp_interface}
+
+EOD;
+ }
+
+ fwrite($fd, $mpdlinks);
+ fclose($fd);
+
+ /* write mpd.secret */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
+ if (!$fd) {
+ printf("Error: cannot open mpd.secret in vpn_l2tp_configure().\n");
+ return 1;
+ }
+
+ $mpdsecret = "\n\n";
+
+ if (is_array($l2tpcfg['user'])) {
+ foreach ($l2tpcfg['user'] as $user)
+ $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
+ }
+
+ fwrite($fd, $mpdsecret);
+ fclose($fd);
+ chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
/* fire up mpd */
- mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/mpd-pppoe -p {$g['varrun_path']}/mpd-pppoe.pid pppoe");
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid l2tp");
break;
- case 'redir':
+ case 'redir' :
break;
}
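Review bot: `$paporchap` is computed from `$l2tpcfg['paporchap']` at the top of the 'server' case but never used; the l2tp_standard block hard-codes `set link enable chap`, so the configured PAP option has no effect for L2TP. Replace that line with `{$paporchap}` as the PPPoE block does, or drop the dead computation. vpn_l2tp_configure also reuses `{$g['varrun_path']}/mpd-vpn.pid` and the `killbypid` call at its start, and vpn_setup calls it right after vpn_pppoe_configure, so on a non-booting reconfigure it appears to terminate the PPPoE mpd that was just started and then overwrites its pid file — confirm this ordering, and if it is real give each service its own pid file. The mpd.secret lines interpolate `$user['password']` unescaped inside double quotes, so a password containing `"` corrupts the file; the same applies to the RADIUS secret in mpd.conf, which unlike mpd.secret is not chmod'd to 0600 even though it now carries a credential.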
@@ -1150,4 +1340,4 @@ function vpn_ipsec_force_reload() {
}
-?>
+?> \ No newline at end of file