author | Ermal <eri@pfsense.org> | 2014-10-30 21:35:51 +0100 |
committer | Ermal <eri@pfsense.org> | 2014-10-30 21:35:51 +0100 |
commit | 737b18f23bfc27185eda513d9ffe2600ecde9cd7 (patch) | |
tree | 73a873d7a7b41d1e9e20b65e37416baa974ef261 | |
parent | 461eac099b80692b1feb4002357da6a61f4a3aff (diff) | |
Allow accept_unencrypted_mainmode_messages to be enabled if needed
-rw-r--r-- | etc/inc/vpn.inc | 5 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 18 |
2 files changed, 23 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 8344a20..076edb1 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -272,6 +272,10 @@ function vpn_ipsec_configure($ipchg = false)
 }
 unset($iflist);
+ $accept_unencrypted = "";
+ if (isset($config['ipsec']['acceptunencryptedmainmode']))
+ $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
+
 $strongswan = <<<EOD
 #Automatically generated please do not modify
@@ -290,6 +294,7 @@ charon {
 # XXX: There is not much choice here really users win their security!
 i_dont_care_about_security_and_use_aggressive_mode_psk=yes
+ {$accept_unencrypted}
 cisco_unity = yes
 # And two loggers using syslog. The subsections define the facility to log
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index ba68596..0e05089 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -48,6 +48,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
 $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
 }
 $pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
+$pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']);
 $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
 $pconfig['maxmss'] = $config['system']['maxmss'];
@@ -86,6 +87,11 @@ if ($_POST) {
 elseif (isset($config['ipsec']['failoverforcereload']))
 unset($config['ipsec']['failoverforcereload']);
+ if($_POST['acceptunencryptedmainmode'] == "yes")
+ $config['ipsec']['acceptunencryptedmainmode'] = true;
+ elseif (isset($config['ipsec']['acceptunencryptedmainmode']))
+ unset($config['ipsec']['acceptunencryptedmainmode']);
+
 if($_POST['maxmss_enable'] == "yes") {
 $config['system']['maxmss_enable'] = true;
 $config['system']['maxmss'] = $_POST['maxmss'];
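Review bot: The new `{$accept_unencrypted}` line lands in the global `charon {` block of the generated strongswan.conf, so when the checkbox is set the relaxation presumably applies to every IKEv1 Main Mode peer the box talks to, not only the one device that needs it; that scope should be stated next to the assignment, e.g. `// charon-global: relaxes Main Mode for all IKEv1 peers, not per-phase1 — see the help text in vpn_ipsec_settings.php`. A second why-comment would also help, because the conditional cannot live inside the heredoc: `// strongswan.conf has no conditional syntax, so the line is prebuilt here and interpolated into the heredoc below`. The enclosing vpn_ipsec_configure() starts and ends outside the hunk.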
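Review bot: `$_POST['acceptunencryptedmainmode']` is read without an isset() guard and compared with loose `==`, so an unchecked box indexes a missing key (a notice rather than a bug, and it matches the neighbouring failoverforcereload and maxmss_enable lines, so this is a point of style): `if (isset($_POST['acceptunencryptedmainmode']) && $_POST['acceptunencryptedmainmode'] == "yes")`. Because enabling this exposes the IKEv1 identity and HASH to passive PSK brute forcing, as the form text in the later hunk states, the enable transition deserves to be visible in the saved-config history; the write_config() call is outside this hunk, but if its description is generic it could name the option when that flag changes. The enclosing `if ($_POST)` block starts and ends outside the hunk.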
@@ -225,6 +231,18 @@ function maxmss_checked(obj) {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Accept unencrypted ID and HASH payloads in IKEv1 Main Mode"); ?></strong>
+ <br />
+ <?=gettext("Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication." .
+ "This is very similar to Aggressive Mode, and has the same security implications: " .
+ "A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload." .
+ " It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).");?>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Maximum MSS"); ?></td>
 <td width="78%" class="vtable">
 <input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?php if ($pconfig['maxmss_enable'] == true) echo "checked=\"checked\""; ?> onclick="maxmss_checked(this)" />
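Review bot: The first two fragments of the help text join without a separator, so the rendered sentence reads "...for authentication.This is very similar..."; the first fragment should end `for authentication. " .` with the trailing space inside the quotes. The pieces are concatenated before being handed to gettext(), so the translatable message id is the whole joined string, which works but means any fragment edit changes the id and a single literal would be simpler to maintain. The help text rightly flags the passive-sniffing risk; it could also say that the setting is applied in the global charon section and so presumably affects every IKEv1 Main Mode peer, which is what an administrator weighing "some SonicWall boxes" against the rest of the fleet needs to know.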