diff options
| author | Ermal <eri@pfsense.org> | 2012-11-14 19:31:09 +0000 |
|---|---|---|
| committer | Ermal <eri@pfsense.org> | 2012-11-14 19:31:09 +0000 |
| commit | 52c9f9faafec960a9016fd9b41f32660beff61a2 (patch) | |
| tree | c1755bef8baefdf578c10529d9515d809e309c42 /etc/inc/vpn.inc | |
| parent | 9a6d6728e8ca7b4a2264d420892a90cadb83f29e (diff) | |
| download | pfsense-52c9f9faafec960a9016fd9b41f32660beff61a2.zip pfsense-52c9f9faafec960a9016fd9b41f32660beff61a2.tar.gz | |
Allow other system authentication types to be used with ipsec. LDAP/RADIUS/local acc
Diffstat (limited to 'etc/inc/vpn.inc')
| -rw-r--r-- | etc/inc/vpn.inc | 201 |
1 files changed, 75 insertions, 126 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index c5ced75..5e92fe8 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -84,6 +84,7 @@ function vpn_ipsec_configure($ipchg = false) if ($g['platform'] == 'jail') return; + /* get the automatic ping_hosts.sh ready */ unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts"); touch("{$g['vardb_path']}/ipsecpinghosts"); @@ -97,16 +98,15 @@ function vpn_ipsec_configure($ipchg = false) $a_client = $config['ipsec']['client']; if (!isset($ipseccfg['enable'])) { - mwexec("/sbin/ifconfig enc0 down"); - - /* send a SIGKILL to be sure */ - sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); - - /* kill racoon */ - if(is_process_running("racoon")) - mwexec("/usr/bin/killall racoon", true); + /* try to stop racoon*/ + killbypid("{$g['varrun_path']}/racoon.pid"); + /* Stop dynamic monitoring */ killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); + /* kill racoon forcefully */ + if (is_process_running("racoon")) + mwexec("/usr/bin/killall -9 racoon", true); + /* wait for racoon process to die */ sleep(2); @@ -115,12 +115,20 @@ function vpn_ipsec_configure($ipchg = false) mwexec("/usr/local/sbin/setkey -FP"); /* disallow IPSEC, it is off */ + mwexec("/sbin/ifconfig enc0 down"); exec("/sbin/sysctl net.inet.ip.ipsec_in_use=0"); return true; } else { mwexec("/sbin/ifconfig enc0 up"); mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1"); + /* needed for racoonctl admin socket */ + if (!is_dir("/var/db/racoon")) + mkdir("/var/db/racoon/"); + /* needed for config files */ + if (!is_dir("{$g['varetc_path']}/ipsec")) + mkdir("{$g['varetc_path']}/ipsec"); + if ($g['booting']) echo gettext("Configuring IPsec VPN... "); @@ -218,7 +226,7 @@ function vpn_ipsec_configure($ipchg = false) $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"; } } - file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts); + @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts); } } } @@ -236,21 +244,14 @@ function vpn_ipsec_configure($ipchg = false) log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); continue; } - $fname = $g['varetc_path']."/".$x509cert['hash'].".0"; - if (!file_put_contents($fname, $cert)) { + $fname = "{$g['varetc_path']}/ipsec/{$x509cert['hash']}.0"; + if (!@file_put_contents($fname, $cert)) { log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); continue; } } } - /* generate psk.txt */ - $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); - if (!$fd) { - printf(gettext("Error: cannot open psk.txt in vpn_ipsec_configure().") . "\n"); - return 1; - } - $pskconf = ""; if (is_array($a_phase1) && count($a_phase1)) { @@ -300,21 +301,14 @@ function vpn_ipsec_configure($ipchg = false) } } - fwrite($fd, $pskconf); - fclose($fd); - chmod("{$g['varetc_path']}/psk.txt", 0600); + @file_put_contents("{$g['varetc_path']}/ipsec/psk.txt", $pskconf); + chmod("{$g['varetc_path']}/ipsec/psk.txt", 0600); /* begin racoon.conf */ - if ((is_array($a_phase1) && count($a_phase1)) || - (is_array($a_phase2) && count($a_phase2))) { - - $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); - if (!$fd) { - printf(gettext("Error: cannot open racoon.conf in vpn_ipsec_configure().") . "\n"); - return 1; - } + $racoonconf = ""; + if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) { - $racoonconf = "# This file is automatically generated. Do not edit\n"; + $racoonconf .= "# This file is automatically generated. Do not edit\n"; $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; @@ -336,9 +330,9 @@ function vpn_ipsec_configure($ipchg = false) $racoonconf .= "\nmode_cfg\n"; $racoonconf .= "{\n"; - if ($a_client['user_source']) - $racoonconf .= "\tauth_source {$a_client['user_source']};\n"; - if ($a_client['group_source']) + if (!empty($a_client['user_source']) && $a_client['user_source'] != "none") + $racoonconf .= "\tauth_source external;\n"; + if (!empty($a_client['group_source']) && $a_client['group_source'] != "none") $racoonconf .= "\tgroup_source {$a_client['group_source']};\n"; if ($a_client['pool_address'] && $a_client['pool_netbits']) { @@ -406,16 +400,7 @@ function vpn_ipsec_configure($ipchg = false) $racoonconf .= "\tpfs_group {$a_client['pfs_group']};\n"; if ($a_client['login_banner']) { - $fn = "{$g['varetc_path']}/racoon.motd"; - $fd1 = fopen($fn, "w"); - if (!$fd1) { - printf(gettext("Error: cannot open server %s in vpn.\n"), $fn); - return 1; - } - - fwrite($fd1, $a_client['login_banner']); - fclose($fd1); - + @file_put_contents("{$g['varetc_path']}/ipsec/racoon.motd", $a_client['login_banner']); $racoonconf .= "\tbanner \"{$fn}\";\n"; } @@ -426,33 +411,23 @@ function vpn_ipsec_configure($ipchg = false) } /* end mode_cfg section */ -// Disable this for now, when LDAP support returns it will be via external script auth, -// since we no longer build racoon with LDAP integrated. This is only preventing racoon from running. -// -// if ($a_client['user_source'] != "system") { -// if (is_array($config['system']['authserver'])) { -// foreach ($config['system']['authserver'] as $authcfg) { -// if ($authcfg['type'] == 'ldap' and $authcfg['name'] == $a_client['user_source']) -// $thisauthcfg = $authcfg; -// } -// -// /* begin ldapcfg */ -// $racoonconf .= "ldapcfg {\n"; -// $racoonconf .= "\tversion 3;\n"; -// $racoonconf .= "\thost \"".$thisauthcfg['host']."\";\n"; -// $lport = "389"; -// if ($authcfg['port'] != "") -// $lport = $authcfg['port']; -// $racoonconf .= "\tport ".$lport.";\n"; -// $racoonconf .= "\tbase \"".$thisauthcfg['ldap_basedn']."\";\n"; -// $racoonconf .= "\tsubtree on;\n"; -// $racoonconf .= "\tbind_dn \"".$thisauthcfg['ldap_binddn']."\";\n"; -// $racoonconf .= "\tbind_pw \"".$thisauthcfg['ldap_bindpw']."\";\n"; -// $racoonconf .= "\tattr_user \"".$thisauthcfg['ldap_attr_user']."\";\n"; -// $racoonconf .= "}\n\n"; -// /* end ldapcfg */ -// } -// } + if ($a_client['user_source'] != "none") { + $authcfgs = explode(",", $a_client['user_source']); + $sed = "\$authmodes=array("; + $firstsed = 0; + foreach ($authcfgs as $authcfg) { + if ($firstsed > 0) + $sed .= ","; + $firstsed = 1; + $sed .= "\"{$authcfg}\""; + } + $sed .= ");\\\n"; + if ($a_client['strictusercn']) + $sed .= "\$strictusercn = true;"; + mwexec("/bin/cat /etc/inc/ipsec.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/ipsec/ipsec.php"); + mwexec("/bin/chmod a+x {$g['varetc_path']}/ipsec/ipsec.php"); + $racoonconf .= "extcfg { script \"{$g['varetc_path']}/ipsec/ipsec.php\" }\n"; + } /* begin remote sections */ if (is_array($a_phase1) && count($a_phase1)) { @@ -838,20 +813,12 @@ EOD; /* end sainfo */ } /* end sainfo sections */ - - fwrite($fd, $racoonconf); - fclose($fd); } + @file_put_contents("{$g['varetc_path']}/ipsec/racoon.conf", $racoonconf); /* end racoon.conf */ /* generate IPsec policies */ /* generate spd.conf */ - $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); - if (!$fd) { - printf(gettext("Error: cannot open spd.conf in vpn_ipsec_configure().") . "\n"); - return 1; - } - $spdconf = ""; $natfilterrules = false; if (is_array($a_phase2) && count($a_phase2)) { @@ -966,19 +933,14 @@ EOD; } } } - fwrite($fd, $spdconf); - fclose($fd); + @file_put_contents("{$g['varetc_path']}/ipsec/spd.conf", $spdconf); - /* needed for racoonctl admin socket */ - if (!is_dir("/var/db/racoon")) - mkdir("/var/db/racoon/"); - /* mange racoon process */ if (is_process_running("racoon")) { sleep("0.1"); mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false); /* load SPD without flushing to be safe on config additions or changes. */ - mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false); + mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/ipsec/spd.conf", false); } else { /* flush SA + SPD entries */ mwexec("/usr/local/sbin/setkey -FP", false); @@ -987,10 +949,10 @@ EOD; sleep("0.1"); /* start racoon */ $ipsecdebug = isset($config['ipsec']['racoondebug']) ? "-d -v" : ""; - mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/racoon.conf", false); + mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/ipsec/racoon.conf", false); sleep("0.1"); /* load SPD */ - mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false); + mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/ipsec/spd.conf", false); } if ($natfilterrules == true) @@ -1005,11 +967,11 @@ EOD; array_unique($filterdns_list); foreach ($filterdns_list as $hostname) $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; - file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); + file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); sleep(1); - mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1"); + mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1"); } vpn_ipsec_failover_configure(); @@ -1021,7 +983,8 @@ EOD; return 0; } -/* Forcefully restart IPsec +/* + * Forcefully restart IPsec * This is required for when dynamic interfaces reload * For all other occasions the normal vpn_ipsec_configure() * will gracefully reload the settings without restarting @@ -1032,15 +995,15 @@ function vpn_ipsec_force_reload() { $ipseccfg = $config['ipsec']; - /* kill racoon */ - if(is_process_running("racoon")) - mwexec("/usr/bin/killall racoon", true); + /* send a SIGKILL to be sure */ + killbypid("{$g['varrun_path']}/racoon.pid"); /* wait for process to die */ sleep(4); - /* send a SIGKILL to be sure */ - sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); + /* kill racoon forcefully */ + if (is_process_running("racoon")) + mwexec("/usr/bin/killall -9 racoon", true); /* wait for flushing to finish */ sleep(1); @@ -1050,7 +1013,6 @@ function vpn_ipsec_force_reload() { log_error(gettext("Forcefully reloading IPsec racoon daemon")); vpn_ipsec_configure(); } - } /* master setup for vpn (mpd) */ @@ -1713,54 +1675,41 @@ function vpn_ipsec_refresh_policies() { } /* Walk the Ipsec tunnel array */ - if (!is_array($a_phase1) || (!count($a_phase1))) { + if (!is_array($a_phase1) || (!count($a_phase1))) return; - } foreach ($a_phase1 as $phase1) { - if (isset($phase1['disabled'])) { + if (isset($phase1['disabled'])) continue; - } - if (is_ipaddr($phase1['remote-gateway'])) { + if (is_ipaddr($phase1['remote-gateway'])) continue; - } if (!is_ipaddr($phase1['remote-gateway'])) { $dnscache = compare_hostname_to_dnscache($phase1['remote-gateway']); $dnscache = trim($dnscache); /* we should have the old IP addresses in the dnscache now */ - if($dnscache <> "") { + if(!empty($dnscache)) { $oldphase1 = $phase1; - $oldphase1['remote-gateway'] = trim($dnscache); + $oldphase1['remote-gateway'] = $dnscache; /* now we need to find all tunnels for this host */ - if (!is_array($a_phase2) || (!count($a_phase2))) { + if (!is_array($a_phase2) || (!count($a_phase2))) continue; - } foreach ($a_phase2 as $phase2) { - if($phase2['ikeid'] == $phase1['ikeid']) { + if ($phase2['ikeid'] == $phase1['ikeid']) reload_tunnel_spd_policy ($phase1, $phase2, $oldphase1, $oldphase2); - } } } } } - /* process all generated spd.conf files from tmp which are left behind - * behind by either changes of dynamic tunnels or manual edits - * scandir() is only available in PHP5 */ - $tmpfiles = array(); - $dh = opendir($g['tmp_path']); - while (false !== ($filename = readdir($dh))) { - if(preg_match("/^spd.conf.reload./", $filename)) { - $tmpfiles[] = $filename; - } - } - sort($tmpfiles); + /* process all generated temporary spd.conf files */ + $tmpfiles = glob("{$g['tmp_path']}/spd.conf.reload.*"); foreach($tmpfiles as $tmpfile) { - $ret = mwexec("/usr/local/sbin/setkey -f {$g['tmp_path']}/{$tmpfile} 2>&1", false); - if($ret == 0) { - unlink_if_exists("{$g['tmp_path']}/{$tmpfile}"); - } else { - rename("{$g['tmp_path']}/{$tmpfile}", ("{$g['tmp_path']}/failed.{$tmpfile}")); + $ret = mwexec("/usr/local/sbin/setkey -f {$tmpfile} 2>&1", false); + if ($ret == 0) + unlink_if_exists($tmpfile); + else { + $tmpfile = basename($tmpfile); + @rename("{$g['tmp_path']}/{$tmpfile}", ("{$g['tmp_path']}/failed.{$tmpfile}")); } } } @@ -1888,7 +1837,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) { $now = time(); $spdfile = tempnam("{$g['tmp_path']}", "spd.conf.reload.{$now}."); /* generate temporary spd.conf */ - file_put_contents($spdfile, $spdconf); + @file_put_contents($spdfile, $spdconf); return true; } |
