author | Ermal <eri@pfsense.org> | 2013-02-11 09:29:23 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-02-11 09:29:23 +0000 |
commit | d83045b5fab90d0e0ceccadae18d0a5058d0bb85 (patch) | |
tree | 60234a8168c1b218225fcbd16142f651d935cf92 | |
parent | 2ffafea3d1f74f87f4ff8c4e8b603cdac55b1a64 (diff) | |
Properly generate all address data based on configuration selected
-rw-r--r-- | etc/inc/filter.inc | 12 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 41 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 12 |
3 files changed, 36 insertions, 29 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index e930119..a71fecb 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -717,6 +717,9 @@ function filter_get_vpns_list() {
 if ((!$ph2ent['mobile']) && ($ph2ent['mode'] != 'transport')) {
 if (!function_exists('ipsec_idinfo_to_cidr'))
 require_once("ipsec.inc");
+ if (!is_array($ph2ent['remoteid']))
+ ;
+ $ph2ent['remoteid']['mode'] = $ph2ent['mode'];
 $vpns_subnet = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
 if ($vpns_subnet == "0.0.0.0/0")
 continue;
@@ -1455,16 +1458,25 @@ function filter_nat_rules_generate() {
 if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid'])) {
 if (!function_exists('ipsec_idinfo_to_cidr'))
 require_once("ipsec.inc");
+ if (!is_array($ph2ent['localid']))
+ $ph2ent['localid'] = array();
+ $ph2ent['localid']['mode'] = $ph2ent['mode'];
 $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid']);
 if (empty($local_subnet) || $local_subnet == "0.0.0.0/0")
 continue;
 if (!is_subnet($local_subnet) && !is_ipaddr($local_subnet))
 continue;
+ if (!is_array($ph2ent['natlocalid']))
+ $ph2ent['natlocalid'] = array();
+ $ph2ent['natlocalid']['mode'] = $ph2ent['mode'];
 $natlocal_subnet = ipsec_idinfo_to_cidr($ph2ent['natlocalid']);
 if (empty($natlocal_subnet) || $natlocal_subnet == "0.0.0.0/0")
 continue;
 if (!is_subnet($natlocal_subnet) && !is_ipaddr($natlocal_subnet))
 continue;
+ if (!is_array($ph2ent['remoteid']))
+ $ph2ent['remoteid'] = array();
+ $ph2ent['remoteid']['mode'] = $ph2ent['mode'];
 $remote_subnet = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
 if (empty($remote_subnet))
 continue;
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 75fa74c..3af1a94 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -190,7 +190,6 @@ function vpn_ipsec_configure($ipchg = false)
 if ($ikeid != $ph1ent['ikeid'])
 continue;
- $ph2ent['localid']['mode'] = $ph2ent['mode'];
 /* add an ipsec pinghosts entry */
 if ($ph2ent['pinghost']) {
 if (!is_array($iflist))
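Review bot: The guard added in the -717 hunk of filter.inc is a no-op: the body of `if (!is_array($ph2ent['remoteid']))` is a bare `;`, so a non-array `remoteid` still reaches `$ph2ent['remoteid']['mode'] = $ph2ent['mode'];` and the `ipsec_idinfo_to_cidr` call below it. The three guards in the -1455 hunk of the same file assign an empty array, and this one should match them: `if (!is_array($ph2ent['remoteid'])) $ph2ent['remoteid'] = array();`. Separately, both filter.inc hunks keep injecting the mode into the id array, while every call updated in vpn.inc and vpn_ipsec_phase2.php now passes it as the third argument of `ipsec_idinfo_to_cidr`; if that parameter is the supported path (ipsec.inc is not in this diff), `ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode'])` would remove the need for the array()/['mode'] lines in both hunks. The bodies of filter_get_vpns_list and filter_nat_rules_generate continue outside the hunks.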
@@ -200,7 +199,7 @@ function vpn_ipsec_configure($ipchg = false)
 $interface_ip = get_interface_ipv6($ifent);
 if(!is_ipaddrv6($interface_ip))
 continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if (ip_in_subnet($interface_ip, $local_subnet)) {
 $srcip = $interface_ip;
 break;
@@ -209,7 +208,7 @@ function vpn_ipsec_configure($ipchg = false)
 $interface_ip = get_interface_ip($ifent);
 if(!is_ipaddrv4($interface_ip))
 continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
 $srcip = $interface_ip;
 break;
@@ -362,7 +361,7 @@ function vpn_ipsec_configure($ipchg = false)
 if (!isset($ph2ent['mobile']))
 continue;
- $localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);
+ $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if ($net_list)
 $net_list .= ", ";
@@ -671,8 +670,7 @@ EOD;
 if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
 $localid_type = $ph2ent['localid']['type'];
- $ph2ent['localid']['mode'] = $ph2ent['mode'];
- $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
+ $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
 /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
 if (($localid_type == "none") ||
 (($ph1ent['authentication_method'] == "xauth_psk_server") ||
@@ -691,7 +689,7 @@ EOD;
 }
 $localid_spec = "{$localid_type} {$localid_data} any";
 if (!empty($ph2ent['natlocalid'])) {
- $natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid']);
+ $natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
 if ($ph2ent['natlocalid']['type'] != "address") {
 if (is_subnet($natlocalid_data))
 $localid_spec .= " nat subnet {$natlocalid_data} any";
@@ -707,7 +705,7 @@ EOD;
 if ($remoteid_type != "address")
 $remoteid_type = "subnet";
- $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
 $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
 } else
 $remoteid_spec = "anonymous";
@@ -868,9 +866,8 @@ EOD;
 if(!is_ipaddr($rgip))
 continue;
- $ph2ent['localid']['mode'] = $ph2ent['mode'];
- $localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);
- $remoteid = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true);
+ $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ $remoteid = ipsec_idinfo_to_cidr($ph2ent['remoteid'], true, $ph2ent['mode']);
 if(($ph2ent['mode'] == "tunnel") or ($ph2ent['mode'] == 'tunnel6')) {
 // Error will be logged above, no need to log this twice. #2201
@@ -886,7 +883,7 @@ EOD;
 "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
 if (!empty($ph2ent['natlocalid'])) {
- $natlocalid = ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true);
+ $natlocalid = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], true, $ph2ent['mode']);
 $spdconf .= "spdadd {$family} {$remoteid} {$natlocalid} any -P in ipsec " .
 "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
 $natfilterrules = true;
@@ -1751,12 +1748,12 @@ function remove_tunnel_spd_policy($phase1,$phase2) {
 $ep = ipsec_get_phase1_src($phase1);
 $gw = trim($phase1['remote-gateway']);
 $sad_arr = ipsec_dump_sad();
- $remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);
+ $remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid'], false, $phase2['mode']);
 if (!empty($phase2['natlocalid']))
- $local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid'], false, $phase2['mode']);
 else
- $local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['localid'], false, $phase2['mode']);
 if ($phase2['mode'] == "tunnel6")
 $family = "-6";
@@ -1809,17 +1806,15 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 $sad_arr = ipsec_dump_sad();
 $ep = ipsec_get_phase1_src($phase1);
- $phase2['localid']['mode'] = $phase2['mode'];
- $local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
- $remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['localid'], false, $phase2['mode']);
+ $remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid'], false, $phase2['mode']);
 /* make sure we pass the oldtunnel array with a IP for the remote gw */
 $old_gw = trim($old_phase1['remote-gateway']);
 $old_ep = ipsec_get_phase1_src($old_phase1);
- $old_phase2['localid']['mode'] = $old_phase2['mode'];
- $old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['localid']);
- $old_remote_subnet = ipsec_idinfo_to_cidr($old_phase2['remoteid']);
+ $old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['localid'], false, $old_phase2['mode']);
+ $old_remote_subnet = ipsec_idinfo_to_cidr($old_phase2['remoteid'], false, $old_phase2['mode']);
 /* see if this tunnel has a hostname for the remote-gateway, and if so,
 * try to resolve it now and add it to the list for filterdns */
@@ -1863,7 +1858,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 "{$old_phase2['protocol']}/tunnel/{$old_ep}-" .
 "{$old_gw}/unique;\n";
 if (!empty($old_phase2['natlocalid']))
- $old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['natlocalid']);
+ $old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['natlocalid'], false, $old_phase2['mode']);
 $spdconf .= "spddelete {$family} {$old_remote_subnet} " .
 "{$old_local_subnet} any -P in ipsec " .
 "{$old_phase2['protocol']}/tunnel/{$old_gw}-" .
@@ -1903,7 +1898,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 "{$rgip}/unique;\n";
 if (!empty($phase2['natlocalid']))
- $local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
+ $local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid'], false, $phase2['mode']);
 $spdconf .= "spdadd {$family} {$remote_subnet} " .
 "{$local_subnet} any -P in ipsec " .
 "{$phase2['protocol']}/tunnel/{$rgip}-" .
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 4e4ac3c..a7eaf91 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -194,12 +194,12 @@ if ($_POST) {
 foreach($a_phase2 as $key => $name){
 if (isset($name['mobile'])){
 /* check duplicate localids only for mobile clents */
- $localid_data = ipsec_idinfo_to_cidr($name['localid']);
+ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
 $entered = array();
 $entered['type'] = $pconfig['localid_type'];
 if (isset($pconfig['localid_address'])) $entered['address'] = $pconfig['localid_address'];
 if (isset($pconfig['localid_netbits'])) $entered['netbits'] = $pconfig['localid_netbits'];
- $entered_localid_data = ipsec_idinfo_to_cidr($entered);
+ $entered_localid_data = ipsec_idinfo_to_cidr($entered, false, $pconfig['mode']);
 if ($localid_data == $entered_localid_data){
 if (!isset($pconfig['p2index'])){ /* adding new p2 entry */
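Review bot: In the -194 hunk of vpn_ipsec_phase2.php (and twice more in the -219 hunk), `$pconfig['mode']` taken from the POST now feeds `ipsec_idinfo_to_cidr` for the entered entry, but nothing in the hunk shows that value being checked against the accepted modes before the duplicate check runs. If that validation happens earlier in the `if ($_POST)` handler (which starts outside the hunk) this is fine; otherwise an unexpected mode would make the entered-side CIDR differ from the stored one and let a duplicate phase 2 through. Confirming the check exists, or adding one such as `if (!in_array($pconfig['mode'], array('tunnel', 'tunnel6', 'transport'), true))` that records an input error ahead of the loop, would close that gap.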
@@ -219,18 +219,18 @@ if ($_POST) {
 foreach($a_phase2 as $key => $name){
 if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){
 /* check duplicate subnets only for given phase1 */
- $localid_data = ipsec_idinfo_to_cidr($name['localid']);
- $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid']);
+ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
+ $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid'], false, $name['mode']);
 $entered_local = array();
 $entered_local['type'] = $pconfig['localid_type'];
 if (isset($pconfig['localid_address'])) $entered_local['address'] = $pconfig['localid_address'];
 if (isset($pconfig['localid_netbits'])) $entered_local['netbits'] = $pconfig['localid_netbits'];
- $entered_localid_data = ipsec_idinfo_to_cidr($entered_local);
+ $entered_localid_data = ipsec_idinfo_to_cidr($entered_local, false, $pconfig['mode']);
 $entered_remote = array();
 $entered_remote['type'] = $pconfig['remoteid_type'];
 if (isset($pconfig['remoteid_address'])) $entered_remote['address'] = $pconfig['remoteid_address'];
 if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits'];
- $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote);
+ $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote, false, $pconfig['mode']);
 if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) {
 if (!isset($pconfig['p2index'])){ /* adding new p2 entry */ |