authorErmal LUÇI <eri@pfsense.org>2014-12-19 19:30:09 +0100
committerErmal LUÇI <eri@pfsense.org>2014-12-19 19:30:09 +0100
commit7a683b46b9d5cb98086fdac1ebcd05052e0c1025 (patch)
tree2b824f0a035a2629558722337ccb846ce056d52d /etc/inc/vpn.inc
parent1aac62911872d93ed7b7c2e96bde130df98963ef (diff)
Just whitespace, save for removing a useless else { branch
Diffstat (limited to 'etc/inc/vpn.inc')
-rw-r--r--etc/inc/vpn.inc1196
1 files changed, 599 insertions, 597 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index cb10924..a179538 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -127,726 +127,728 @@ function vpn_ipsec_configure($ipchg = false)
set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
return 0;
- } else {
- $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
- $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
- $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
-
- mwexec("/sbin/ifconfig enc0 up");
- set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
- /* needed for config files */
- if (!is_dir("{$g['varetc_path']}/ipsec"))
- mkdir("{$g['varetc_path']}/ipsec");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
- if (!is_dir($capath))
- mkdir($capath);
- if (!is_dir($keypath))
- mkdir($keypath);
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
- if (!is_dir($certpath))
- mkdir($certpath);
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
-
-
- if (platform_booting())
- echo gettext("Configuring IPsec VPN... ");
-
- /* fastforwarding is not compatible with ipsec tunnels */
- set_single_sysctl("net.inet.ip.fastforwarding", "0");
-
- /* resolve all local, peer addresses and setup pings */
- $ipmap = array();
- $rgmap = array();
- $filterdns_list = array();
- $listeniflist = array();
- $aggressive_mode_psk = false;
- unset($iflist);
- if (is_array($a_phase1) && count($a_phase1)) {
-
- $ipsecpinghosts = "";
- /* step through each phase1 entry */
- foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ }
- if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
- $aggressive_mode_psk = true;
+ $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
+ $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
+ $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
+
+ mwexec("/sbin/ifconfig enc0 up");
+ set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
+ /* needed for config files */
+ if (!is_dir("{$g['varetc_path']}/ipsec"))
+ mkdir("{$g['varetc_path']}/ipsec");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
+ if (!is_dir($capath))
+ mkdir($capath);
+ if (!is_dir($keypath))
+ mkdir($keypath);
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
+ if (!is_dir($certpath))
+ mkdir($certpath);
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
+
- $ikeid = $ph1ent['ikeid'];
- $listeniflist = get_real_interface($a_phase1['interface']);
+ if (platform_booting())
+ echo gettext("Configuring IPsec VPN... ");
- $ep = ipsec_get_phase1_src($ph1ent);
- if (!is_ipaddr($ep))
- continue;
+ /* fastforwarding is not compatible with ipsec tunnels */
+ set_single_sysctl("net.inet.ip.fastforwarding", "0");
- if(!in_array($ep,$ipmap))
- $ipmap[] = $ep;
+ /* resolve all local, peer addresses and setup pings */
+ $ipmap = array();
+ $rgmap = array();
+ $filterdns_list = array();
+ $listeniflist = array();
+ $aggressive_mode_psk = false;
+ unset($iflist);
+ if (is_array($a_phase1) && count($a_phase1)) {
- /* see if this tunnel has a hostname for the remote-gateway. If so,
- try to resolve it now and add it to the list for filterdns */
+ $ipsecpinghosts = "";
+ /* step through each phase1 entry */
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset($ph1ent['disabled']))
+ continue;
- if (isset ($ph1ent['mobile']))
- continue;
+ if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
+ $aggressive_mode_psk = true;
- $rg = $ph1ent['remote-gateway'];
+ $ikeid = $ph1ent['ikeid'];
+ $listeniflist = get_real_interface($a_phase1['interface']);
- if (!is_ipaddr($rg)) {
- $filterdns_list[] = "{$rg}";
- add_hostname_to_watch($rg);
- if (!platform_booting())
- $rg = resolve_retry($rg);
- if (!is_ipaddr($rg))
- continue;
- }
- if(array_search($rg, $rgmap)) {
- log_error("The remote gateway {$rg} already exists on another phase 1 entry");
+ $ep = ipsec_get_phase1_src($ph1ent);
+ if (!is_ipaddr($ep))
+ continue;
+
+ if(!in_array($ep,$ipmap))
+ $ipmap[] = $ep;
+
+ /* see if this tunnel has a hostname for the remote-gateway. If so,
+ try to resolve it now and add it to the list for filterdns */
+
+ if (isset ($ph1ent['mobile']))
+ continue;
+
+ $rg = $ph1ent['remote-gateway'];
+
+ if (!is_ipaddr($rg)) {
+ $filterdns_list[] = "{$rg}";
+ add_hostname_to_watch($rg);
+ if (!platform_booting())
+ $rg = resolve_retry($rg);
+ if (!is_ipaddr($rg))
continue;
- }
- $rgmap[$ph1ent['remote-gateway']] = $rg;
+ }
+ if(array_search($rg, $rgmap)) {
+ log_error("The remote gateway {$rg} already exists on another phase 1 entry");
+ continue;
+ }
+ $rgmap[$ph1ent['remote-gateway']] = $rg;
- if (is_array($a_phase2)) {
- /* step through each phase2 entry */
- foreach ($a_phase2 as $ph2ent) {
- if (isset($ph2ent['disabled']))
- continue;
+ if (is_array($a_phase2)) {
+ /* step through each phase2 entry */
+ foreach ($a_phase2 as $ph2ent) {
+ if (isset($ph2ent['disabled']))
+ continue;
- if ($ikeid != $ph2ent['ikeid'])
- continue;
+ if ($ikeid != $ph2ent['ikeid'])
+ continue;
- /* add an ipsec pinghosts entry */
- if ($ph2ent['pinghost']) {
- if (!is_array($iflist))
- $iflist = get_configured_interface_list();
- $viplist = get_configured_vips_list();
- $srcip = null;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
- if(is_ipaddrv6($ph2ent['pinghost'])) {
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = get_interface_ipv6($ifent);
- if(!is_ipaddrv6($interface_ip))
- continue;
- if (ip_in_subnet($interface_ip, $local_subnet)) {
- $srcip = $interface_ip;
- break;
- }
- }
- } else {
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = get_interface_ip($ifent);
- if(!is_ipaddrv4($interface_ip))
- continue;
- if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
- $srcip = $interface_ip;
- break;
- }
+ /* add an ipsec pinghosts entry */
+ if ($ph2ent['pinghost']) {
+ if (!is_array($iflist))
+ $iflist = get_configured_interface_list();
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = get_interface_ipv6($ifent);
+ if(!is_ipaddrv6($interface_ip))
+ continue;
+ if (ip_in_subnet($interface_ip, $local_subnet)) {
+ $srcip = $interface_ip;
+ break;
}
}
- /* if no valid src IP was found in configured interfaces, try the vips */
- if (is_null($srcip)) {
- foreach ($viplist as $vip) {
- if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
- $srcip = $vip['ipaddr'];
- break;
- }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = get_interface_ip($ifent);
+ if(!is_ipaddrv4($interface_ip))
+ continue;
+ if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
+ $srcip = $interface_ip;
+ break;
}
}
- $dstip = $ph2ent['pinghost'];
- if(is_ipaddrv6($dstip)) {
- $family = "inet6";
- } else {
- $family = "inet";
+ }
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
}
- if (is_ipaddr($srcip))
- $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
+ $dstip = $ph2ent['pinghost'];
+ if(is_ipaddrv6($dstip)) {
+ $family = "inet6";
+ } else {
+ $family = "inet";
+ }
+ if (is_ipaddr($srcip))
+ $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
}
}
- @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
- unset($ipsecpinghosts);
}
- unset($iflist);
+ @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
+ unset($ipsecpinghosts);
+ }
+ unset($iflist);
- $accept_unencrypted = "";
- if (isset($config['ipsec']['acceptunencryptedmainmode']))
- $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
+ $accept_unencrypted = "";
+ if (isset($config['ipsec']['acceptunencryptedmainmode']))
+ $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
- $i_dont_care_about_security_and_use_aggressive_mode_psk = "";
- if ($aggressive_mode_psk) {
- log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
- $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
- }
- $strongswan = <<<EOD
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "";
+ if ($aggressive_mode_psk) {
+ log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
+ }
+ $strongswan = <<<EOD
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
- load_warning = no
+load_warning = no
}
charon {
- # number of worker threads in charon
- threads = 16
- ikesa_table_size = 32
- ikesa_table_segments = 4
- init_limit_half_open = 1000
- install_routes = no
- {$i_dont_care_about_security_and_use_aggressive_mode_psk}
- {$accept_unencrypted}
- cisco_unity = yes
-
- # And two loggers using syslog. The subsections define the facility to log
- # to, currently one of: daemon, auth.
- syslog {
- identifier = charon
- # default level to the LOG_DAEMON facility
- daemon {
- }
- # very minimalistic IKE auditing logs to LOG_AUTHPRIV
- auth {
- default = -1
- ike = 1
- ike_name = yes
- }
+# number of worker threads in charon
+threads = 16
+ikesa_table_size = 32
+ikesa_table_segments = 4
+init_limit_half_open = 1000
+install_routes = no
+{$i_dont_care_about_security_and_use_aggressive_mode_psk}
+{$accept_unencrypted}
+cisco_unity = yes
+
+# And two loggers using syslog. The subsections define the facility to log
+# to, currently one of: daemon, auth.
+syslog {
+ identifier = charon
+ # default level to the LOG_DAEMON facility
+ daemon {
+ }
+ # very minimalistic IKE auditing logs to LOG_AUTHPRIV
+ auth {
+ default = -1
+ ike = 1
+ ike_name = yes
}
+}
EOD;
- $strongswan .= "\tplugins {\n";
-
- if (is_array($a_client) && isset($a_client['enable'])) {
- $strongswan .= "\t\tattr {\n";
- if ($a_client['pool_address'] && $a_client['pool_netbits'])
- $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
-
- $cfgservers = array();
- if (!empty($a_client['dns_server1']))
- $cfgservers[] = $a_client['dns_server1'];
- if (!empty($a_client['dns_server2']))
- $cfgservers[] = $a_client['dns_server2'];
- if (!empty($a_client['dns_server3']))
- $cfgservers[] = $a_client['dns_server3'];
- if (!empty($a_client['dns_server4']))
- $cfgservers[] = $a_client['dns_server4'];
-
- if (!empty($cfgservers))
- $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
- unset($cfgservers);
- $cfgservers = array();
- if (!empty($a_client['wins_server1']))
- $cfgservers[] = $a_client['wins_server1'];
- if (!empty($a_client['wins_server2']))
- $cfgservers[] = $a_client['wins_server2'];
- if (!empty($cfgservers))
- $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
- unset($cfgservers);
-
- if (isset($a_client['net_list'])) {
- $net_list = '';
- foreach ($a_phase2 as $ph2ent) {
- if (isset($ph2ent['disabled']))
- continue;
-
- if (!isset($ph2ent['mobile']))
- continue;
-
- $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ $strongswan .= "\tplugins {\n";
+
+ if (is_array($a_client) && isset($a_client['enable'])) {
+ $strongswan .= "\t\tattr {\n";
+ if ($a_client['pool_address'] && $a_client['pool_netbits'])
+ $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
+
+ $cfgservers = array();
+ if (!empty($a_client['dns_server1']))
+ $cfgservers[] = $a_client['dns_server1'];
+ if (!empty($a_client['dns_server2']))
+ $cfgservers[] = $a_client['dns_server2'];
+ if (!empty($a_client['dns_server3']))
+ $cfgservers[] = $a_client['dns_server3'];
+ if (!empty($a_client['dns_server4']))
+ $cfgservers[] = $a_client['dns_server4'];
+
+ if (!empty($cfgservers))
+ $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
+ unset($cfgservers);
+ $cfgservers = array();
+ if (!empty($a_client['wins_server1']))
+ $cfgservers[] = $a_client['wins_server1'];
+ if (!empty($a_client['wins_server2']))
+ $cfgservers[] = $a_client['wins_server2'];
+ if (!empty($cfgservers))
+ $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
+ unset($cfgservers);
+
+ if (isset($a_client['net_list'])) {
+ $net_list = '';
+ foreach ($a_phase2 as $ph2ent) {
+ if (isset($ph2ent['disabled']))
+ continue;
- if (!empty($net_list))
- $net_list .= ",";
- $net_list .= $localid;
- }
+ if (!isset($ph2ent['mobile']))
+ continue;
- if (!empty($net_list)) {
- $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
- unset($net_list);
- }
- }
+ $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
- if (!empty($a_client['dns_domain'])) {
- $strongswan .= "\t\t\t# Search domain and default domain\n";
- $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
- if (empty($a_client['dns_split']))
- $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
- $strongswan .= "\n";
+ if (!empty($net_list))
+ $net_list .= ",";
+ $net_list .= $localid;
}
- if (!empty($a_client['dns_split'])) {
- $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
+ if (!empty($net_list)) {
+ $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
+ unset($net_list);
}
+ }
- if (!empty($a_client['login_banner']))
- $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
-
- if (isset($a_client['save_passwd']))
- $strongswan .= "\t\t\t28673 = 1\n";
+ if (!empty($a_client['dns_domain'])) {
+ $strongswan .= "\t\t\t# Search domain and default domain\n";
+ $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
+ if (empty($a_client['dns_split']))
+ $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
+ $strongswan .= "\n";
+ }
- if ($a_client['pfs_group'])
- $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
- $strongswan .= "\t\t}\n";
+ if (!empty($a_client['dns_split'])) {
+ $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
+ }
- if ($a_client['user_source'] != "none") {
- $strongswan .= "\t\txauth-generic {\n";
- $strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
- $strongswan .= "\t\t\tauthcfg = ";
- $firstsed = 0;
- $authcfgs = explode(",", $a_client['user_source']);
- foreach ($authcfgs as $authcfg) {
- if ($firstsed > 0)
- $strongswan .= ",";
- if ($authcfg == "system")
- $authcfg = "Local Database";
- $strongswan .= $authcfg;
- $firstsed = 1;
- }
- $strongswan .= "\n";
- $strongswan .= "\t\t}\n";
+ if (!empty($a_client['login_banner']))
+ $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
+
+ if (isset($a_client['save_passwd']))
+ $strongswan .= "\t\t\t28673 = 1\n";
+
+ if ($a_client['pfs_group'])
+ $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
+ $strongswan .= "\t\t}\n";
+
+ if ($a_client['user_source'] != "none") {
+ $strongswan .= "\t\txauth-generic {\n";
+ $strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
+ $strongswan .= "\t\t\tauthcfg = ";
+ $firstsed = 0;
+ $authcfgs = explode(",", $a_client['user_source']);
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $strongswan .= ",";
+ if ($authcfg == "system")
+ $authcfg = "Local Database";
+ $strongswan .= $authcfg;
+ $firstsed = 1;
}
+ $strongswan .= "\n";
+ $strongswan .= "\t\t}\n";
}
+ }
- $strongswan .= "\t}\n}\n";
- @file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
- unset($strongswan);
+ $strongswan .= "\t}\n}\n";
+ @file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
+ unset($strongswan);
- /* generate CA certificates files */
- if (is_array($config['ca']) && count($config['ca'])) {
- foreach ($config['ca'] as $ca) {
- if (!isset($ca['crt'])) {
- log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
- continue;
- }
- $cert = base64_decode($ca['crt']);
- $x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if (!is_array($x509cert) || !isset($x509cert['hash'])) {
- log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
- continue;
- }
- $fname = "{$capath}/{$x509cert['hash']}.0.crt";
- if (!@file_put_contents($fname, $cert)) {
- log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
- continue;
- }
- unset($cert);
+ /* generate CA certificates files */
+ if (is_array($config['ca']) && count($config['ca'])) {
+ foreach ($config['ca'] as $ca) {
+ if (!isset($ca['crt'])) {
+ log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
+ continue;
+ }
+ $cert = base64_decode($ca['crt']);
+ $x509cert = openssl_x509_parse(openssl_x509_read($cert));
+ if (!is_array($x509cert) || !isset($x509cert['hash'])) {
+ log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
+ continue;
}
+ $fname = "{$capath}/{$x509cert['hash']}.0.crt";
+ if (!@file_put_contents($fname, $cert)) {
+ log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
+ continue;
+ }
+ unset($cert);
}
+ }
- $pskconf = "";
+ $pskconf = "";
- if (is_array($a_phase1) && count($a_phase1)) {
- foreach ($a_phase1 as $ph1ent) {
+ if (is_array($a_phase1) && count($a_phase1)) {
+ foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ if (isset($ph1ent['disabled']))
+ continue;
- if (strstr($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
- $certline = '';
+ if (strstr($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
+ $certline = '';
- $ikeid = $ph1ent['ikeid'];
- $cert = lookup_cert($ph1ent['certref']);
+ $ikeid = $ph1ent['ikeid'];
+ $cert = lookup_cert($ph1ent['certref']);
- if (!$cert) {
- log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
- continue;
- }
+ if (!$cert) {
+ log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
+ continue;
+ }
- @chmod($certpath, 0600);
+ @chmod($certpath, 0600);
- $ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
- if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
- log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
- continue;
- }
- @chmod($ph1keyfile, 0600);
+ $ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
+ if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
+ log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
+ continue;
+ }
+ @chmod($ph1keyfile, 0600);
- $ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
- if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
- log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
- @unlink($ph1keyfile);
- continue;
- }
- @chmod($ph1certfile, 0600);
+ $ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
+ if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
+ log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
+ @unlink($ph1keyfile);
+ continue;
+ }
+ @chmod($ph1certfile, 0600);
- /* XXX" Traffic selectors? */
- $pskconf .= " : RSA {$ph1keyfile}\n";
- } else {
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ /* XXX" Traffic selectors? */
+ $pskconf .= " : RSA {$ph1keyfile}\n";
+ } else {
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
- if (empty($peerid_data))
- continue;
+ if (empty($peerid_data))
+ continue;
- $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
- $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
- if (!empty($ph1ent['pre-shared-key']))
- $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
- }
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
+ $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
+ if (!empty($ph1ent['pre-shared-key']))
+ $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
}
+ }
- /* Add user PSKs */
- if (is_array($config['system']) && is_array($config['system']['user'])) {
- foreach ($config['system']['user'] as $user) {
- if (!empty($user['ipsecpsk'])) {
- $pskconf .= "{$myid} {$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
- }
+ /* Add user PSKs */
+ if (is_array($config['system']) && is_array($config['system']['user'])) {
+ foreach ($config['system']['user'] as $user) {
+ if (!empty($user['ipsecpsk'])) {
+ $pskconf .= "{$myid} {$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
}
- unset($user);
}
+ unset($user);
+ }
- /* add PSKs for mobile clients */
- if (is_array($ipseccfg['mobilekey'])) {
- foreach ($ipseccfg['mobilekey'] as $key) {
- if ($key['ident'] == "allusers")
- $key['ident'] = '';
- $pskconf .= "{$myid} {$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
- }
- unset($key);
+ /* add PSKs for mobile clients */
+ if (is_array($ipseccfg['mobilekey'])) {
+ foreach ($ipseccfg['mobilekey'] as $key) {
+ if ($key['ident'] == "allusers")
+ $key['ident'] = '';
+ $pskconf .= "{$myid} {$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
+ unset($key);
+ }
- @file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
- chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
- unset($pskconf);
+ @file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
+ chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
+ unset($pskconf);
- $natfilterrules = false;
- /* begin ipsec.conf */
- $ipsecconf = "";
- if (is_array($a_phase1) && count($a_phase1)) {
+ $natfilterrules = false;
+ /* begin ipsec.conf */
+ $ipsecconf = "";
+ if (is_array($a_phase1) && count($a_phase1)) {
- $ipsecconf .= "# This file is automatically generated. Do not edit\n";
- $ipsecconf .= "config setup\n\tuniqueids = yes\n";
- $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
+ $ipsecconf .= "# This file is automatically generated. Do not edit\n";
+ $ipsecconf .= "config setup\n\tuniqueids = yes\n";
+ $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
- foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset($ph1ent['disabled']))
+ continue;
- if ($ph1ent['mode'] == "aggressive")
- $aggressive = "yes";
- else
- $aggressive = "no";
-
- $ep = ipsec_get_phase1_src($ph1ent);
- if (!$ep)
- continue;
-
- $ikeid = $ph1ent['ikeid'];
- $keyexchange = "ikev1";
- $passive = "route";
- if (!empty($ph1ent['iketype'])) {
- if ($ph1ent['iketype'] == "ikev2") {
- $keyexchange = "ikev2";
- //$passive = "start";
- } else if ($ph1ent['iketype'] == "auto")
- $keyexchange = "ike";
- }
+ if ($ph1ent['mode'] == "aggressive")
+ $aggressive = "yes";
+ else
+ $aggressive = "no";
+
+ $ep = ipsec_get_phase1_src($ph1ent);
+ if (!$ep)
+ continue;
+
+ $ikeid = $ph1ent['ikeid'];
+ $keyexchange = "ikev1";
+ $passive = "route";
+ if (!empty($ph1ent['iketype'])) {
+ if ($ph1ent['iketype'] == "ikev2") {
+ $keyexchange = "ikev2";
+ //$passive = "start";
+ } else if ($ph1ent['iketype'] == "auto")
+ $keyexchange = "ike";
+ }
- if (isset($ph1ent['mobile'])) {
- $right_spec = "%any";
- $passive = 'add';
- } else
- $right_spec = $ph1ent['remote-gateway'];
+ if (isset($ph1ent['mobile'])) {
+ $right_spec = "%any";
+ $passive = 'add';
+ } else
+ $right_spec = $ph1ent['remote-gateway'];
+
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+
+ /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
+ $peerid_spec = '';
+ if (!isset($ph1ent['mobile']))
+ $peerid_spec = $peerid_data;
+
+ if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
+ $ealgosp1 = '';
+ $ealg_id = $ph1ent['encryption-algorithm']['name'];
+ $ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
+ if ($ealg_kl)
+ $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
+ else
+ $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
+ if (!empty($modp))
+ $ealgosp1 .= "-{$modp}";
- /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
- $peerid_spec = '';
- if (!isset($ph1ent['mobile']))
- $peerid_spec = $peerid_data;
-
- if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
- $ealgosp1 = '';
- $ealg_id = $ph1ent['encryption-algorithm']['name'];
- $ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
- if ($ealg_kl)
- $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
- else
- $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
-
- $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
- if (!empty($modp))
- $ealgosp1 .= "-{$modp}";
-
- $ealgosp1 .= "!";
- }
+ $ealgosp1 .= "!";
+ }
- if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
- if ($passive == "route")
- $dpdline = "dpdaction = restart";
- else
- $dpdline = "dpdaction = clear";
- $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
- $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
- $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
- } else
- $dpdline = "dpdaction = none";
-
- $ikelifeline = '';
- if ($ph1ent['lifetime'])
- $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
-
- $rightsourceip = NULL;
- if (isset($ph1ent['mobile']) && !empty($a_client['pool_address']))
- $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
-
- $authentication = "";
- switch ($ph1ent['authentication_method']) {
- case 'eap-tls':
- $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'xauth_rsa_server':
- $authentication = "leftauth = pubkey\n\trightauth = pubkey";
- $authentication .= "\n\trightauth2 = xauth-generic";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'xauth_psk_server':
- $authentication = "leftauth = psk\n\trightauth = psk";
- $authentication .= "\n\trightauth2 = xauth-generic";
- break;
- case 'pre_shared_key':
- $authentication = "leftauth = psk\n\trightauth = psk";
- break;
- case 'rsasig':
- $authentication = "leftauth = pubkey\n\trightauth = pubkey";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'hybrid_rsa_server':
- $authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
- $authentication .= "\n\trightauth2 = xauth";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- }
+ if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
+ if ($passive == "route")
+ $dpdline = "dpdaction = restart";
+ else
+ $dpdline = "dpdaction = clear";
+ $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
+ $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
+ $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
+ } else
+ $dpdline = "dpdaction = none";
+
+ $ikelifeline = '';
+ if ($ph1ent['lifetime'])
+ $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
+
+ $rightsourceip = NULL;
+ if (isset($ph1ent['mobile']) && !empty($a_client['pool_address']))
+ $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
+
+ $authentication = "";
+ switch ($ph1ent['authentication_method']) {
+ case 'eap-tls':
+ $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'xauth_rsa_server':
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey";
+ $authentication .= "\n\trightauth2 = xauth-generic";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'xauth_psk_server':
+ $authentication = "leftauth = psk\n\trightauth = psk";
+ $authentication .= "\n\trightauth2 = xauth-generic";
+ break;
+ case 'pre_shared_key':
+ $authentication = "leftauth = psk\n\trightauth = psk";
+ break;
+ case 'rsasig':
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'hybrid_rsa_server':
+ $authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
+ $authentication .= "\n\trightauth2 = xauth";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ }
- $left_spec = $ep;
+ $left_spec = $ep;
- if (isset($ph1ent['reauth_enable']))
- $reauth = "reauth = no";
- else
- $reauth = "reauth = yes";
- if (isset($ph1ent['rekey_enable']))
- $rekey = "rekey = no";
- else
- $rekey = "rekey = yes";
+ if (isset($ph1ent['reauth_enable']))
+ $reauth = "reauth = no";
+ else
+ $reauth = "reauth = yes";
+ if (isset($ph1ent['rekey_enable']))
+ $rekey = "rekey = no";
+ else
+ $rekey = "rekey = yes";
- if ($ph1ent['nat_traversal'] == 'off')
- $forceencaps = 'forceencaps = no';
- else if ($ph1ent['nat_traversal'] == 'force')
- $forceencaps = 'forceencaps = yes';
- else
- $forceencaps = 'forceencaps = no';
-
- $ipseclifetime = 0;
- $rightsubnet_spec = array();
- $leftsubnet_spec = array();
- $ealgoAHsp2arr = array();
- $ealgoESPsp2arr = array();
- if (is_array($a_phase2) && count($a_phase2)) {
- foreach ($a_phase2 as $ph2ent) {
- if ($ikeid != $ph2ent['ikeid'])
- continue;
+ if ($ph1ent['nat_traversal'] == 'off')
+ $forceencaps = 'forceencaps = no';
+ else if ($ph1ent['nat_traversal'] == 'force')
+ $forceencaps = 'forceencaps = yes';
+ else
+ $forceencaps = 'forceencaps = no';
+
+ $ipseclifetime = 0;
+ $rightsubnet_spec = array();
+ $leftsubnet_spec = array();
+ $ealgoAHsp2arr = array();
+ $ealgoESPsp2arr = array();
+ if (is_array($a_phase2) && count($a_phase2)) {
+ foreach ($a_phase2 as $ph2ent) {
+ if ($ikeid != $ph2ent['ikeid'])
+ continue;
- if (isset($ph2ent['disabled']))
- continue;
+ if (isset($ph2ent['disabled']))
+ continue;
- if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
- continue;
+ if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
+ continue;
- if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
- $tunneltype = "type = tunnel";
+ if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
+ $tunneltype = "type = tunnel";
- $localid_type = $ph2ent['localid']['type'];
- $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
- /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
- if (($localid_type == "none" || $localid_type == "mobile")
- && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
- $left_spec = '%any';
- } else {
- if ($localid_type != "address") {
- $localid_type = "subnet";
- }
- // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
- if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
- log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
- continue;
- }
- if (!empty($ph2ent['natlocalid'])) {
- $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
- if ($ph2ent['natlocalid']['type'] != "address") {
- if (is_subnet($natleftsubnet_data))
- $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
- } else {
- if (is_ipaddr($natleftsubnet_data))
- $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
- }
- $natfilterrules = true;
+ $localid_type = $ph2ent['localid']['type'];
+ $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
+ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
+ if (($localid_type == "none" || $localid_type == "mobile")
+ && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
+ $left_spec = '%any';
+ } else {
+ if ($localid_type != "address") {
+ $localid_type = "subnet";
+ }
+ // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
+ if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
+ log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
+ continue;
+ }
+ if (!empty($ph2ent['natlocalid'])) {
+ $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
+ if ($ph2ent['natlocalid']['type'] != "address") {
+ if (is_subnet($natleftsubnet_data))
+ $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
+ } else {
+ if (is_ipaddr($natleftsubnet_data))
+ $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
}
+ $natfilterrules = true;
}
+ }
- if (empty($leftsubnet_spec[$leftsubnet_data]))
- $leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
+ if (empty($leftsubnet_spec[$leftsubnet_data]))
+ $leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
- if (!isset($ph2ent['mobile'])) {
- $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
- if (empty($rightsubnet_spec[$tmpsubnet]))
- $rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
- } else if (!empty($a_client['pool_address'])) {
- if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
- $rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
- }
- } else {
- $tunneltype = "type = transport";
+ if (!isset($ph2ent['mobile'])) {
+ $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
+ if (empty($rightsubnet_spec[$tmpsubnet]))
+ $rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
+ } else if (!empty($a_client['pool_address'])) {
+ if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
+ $rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
+ }
+ } else {
+ $tunneltype = "type = transport";
- if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
- ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
- $left_spec = "%any";
- } else {
- $tmpsubnet = ipsec_get_phase1_src($ph1ent);
- if ($leftsubnet_spec[$tmpsubnet])
- $leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
- }
+ if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
+ ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
+ $left_spec = "%any";
+ } else {
+ $tmpsubnet = ipsec_get_phase1_src($ph1ent);
+ if ($leftsubnet_spec[$tmpsubnet])
+ $leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
+ }
- if (!isset($ph2ent['mobile'])) {
- if (empty($rightsubnet_spec[$right_spec]))
- $rightsubnet_spec[$right_spec] = $right_spec;
- }
+ if (!isset($ph2ent['mobile'])) {
+ if (empty($rightsubnet_spec[$right_spec]))
+ $rightsubnet_spec[$right_spec] = $right_spec;
}
+ }
- if (isset($a_client['pfs_group']))
- $ph2ent['pfsgroup'] = $a_client['pfs_group'];
-
- if ($ph2ent['protocol'] == 'esp') {
- if (is_array($ph2ent['encryption-algorithm-option'])) {
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
-
- if (!empty($ealg_kl) && $ealg_kl == "auto") {
- if (empty($p2_ealgos) || !is_array($p2_ealgos))
- require("ipsec.inc");
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- /* XXX: in some cases where include ordering is suspect these variables
- * are somehow 0 and we enter this loop forever and timeout after 900
- * seconds wrecking bootup */
- if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
- $halgo = str_replace('hmac_', '', $halgo);
- $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
- $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
- if (!empty($modp))
- $tmpealgo .= "-{$modp}";
- $ealgoESPsp2arr[] = $tmpealgo;
- }
- } else {
- $tmpealgo = "{$ealg_id}{$keylen}";
+ if (isset($a_client['pfs_group']))
+ $ph2ent['pfsgroup'] = $a_client['pfs_group'];
+
+ if ($ph2ent['protocol'] == 'esp') {
+ if (is_array($ph2ent['encryption-algorithm-option'])) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
+
+ if (!empty($ealg_kl) && $ealg_kl == "auto") {
+ if (empty($p2_ealgos) || !is_array($p2_ealgos))
+ require("ipsec.inc");
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ /* XXX: in some cases where include ordering is suspect these variables
+ * are somehow 0 and we enter this loop forever and timeout after 900
+ * seconds wrecking bootup */
+ if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
+ $halgo = str_replace('hmac_', '', $halgo);
+ $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
- }
- }
- } else {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
- $halgo = str_replace('hmac_', '', $halgo);
- $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
+ } else {
+ $tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
- } else {
- $tmpealgo = "{$ealg_id}{$ealg_kl}";
+ }
+ }
+ } else {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
+ $halgo = str_replace('hmac_', '', $halgo);
+ $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
+ } else {
+ $tmpealgo = "{$ealg_id}{$ealg_kl}";
+ $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
+ if (!empty($modp))
+ $tmpealgo .= "-{$modp}";
+ $ealgoESPsp2arr[] = $tmpealgo;
}
}
}
- } else if ($ph2ent['protocol'] == 'ah') {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
- foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
- $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
- if (!empty($modp))
- $tmpAHalgo = "-{$modp}";
- $ealgoAHsp2arr[] = $tmpAHalgo;
- }
+ }
+ } else if ($ph2ent['protocol'] == 'ah') {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
+ foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
+ $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
+ if (!empty($modp))
+ $tmpAHalgo = "-{$modp}";
+ $ealgoAHsp2arr[] = $tmpAHalgo;
}
}
+ }
- if (!empty($ph2ent['lifetime'])) {
- if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
- $ipseclifetime = intval($ph2ent['lifetime']);
- }
-
+ if (!empty($ph2ent['lifetime'])) {
+ if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
+ $ipseclifetime = intval($ph2ent['lifetime']);
}
+
}
+ }
- $ipsecconf .=<<<EOD
+ $ipsecconf .=<<<EOD
+ $ipsecconnect .=<<<EOD
conn con{$ph1ent['ikeid']}
- fragmentation = yes
- keyexchange = {$keyexchange}
- {$reauth}
- {$forceencaps}
- {$rekey}
- reqid = {$ikeid}
- installpolicy = yes
- {$tunneltype}
- {$dpdline}
- auto = {$passive}
- left = {$left_spec}
- right = {$right_spec}
- leftid = {$myid_data}
+fragmentation = yes
+keyexchange = {$keyexchange}
+{$reauth}
+{$forceencaps}
+{$rekey}
+reqid = {$ikeid}
+installpolicy = yes
+{$tunneltype}
+{$dpdline}
+auto = {$passive}
+left = {$left_spec}
+right = {$right_spec}
+leftid = {$myid_data}
EOD;
- if (!empty($ikelifeline))
- $ipsecconf .= "\t{$ikelifeline}\n";
- if ($ipseclifetime > 0)
- $ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
- if (!empty($rightsourceip))
- $ipsecconf .= "{$rightsourceip}";
- if (!empty($rightsubnet_spec))
- $ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
- if (!empty($leftsubnet_spec))
- $ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
- if (!empty($ealgosp1))
- $ipsecconf .= "\t{$ealgosp1}\n";
- if (!empty($ealgoAHsp2arr))
- $ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
- if (!empty($ealgoESPsp2arr))
- $ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
- if (!empty($authentication))
- $ipsecconf .= "\t{$authentication}\n";
- if (!empty($peerid_spec))
- $ipsecconf .= "\trightid = {$peerid_spec}\n";
- if ($keyexchange == 'ikev1')
- $ipsecconf .= "\taggressive = {$aggressive}\n";
- }
+ if (!empty($ikelifeline))
+ $ipsecconf .= "\t{$ikelifeline}\n";
+ if ($ipseclifetime > 0)
+ $ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
+ if (!empty($rightsourceip))
+ $ipsecconf .= "{$rightsourceip}";
+ if (!empty($ealgosp1))
+ $ipsecconf .= "\t{$ealgosp1}\n";
+ if (!empty($ealgoAHsp2arr))
+ $ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
+ if (!empty($ealgoESPsp2arr))
+ $ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
+ if (!empty($authentication))
+ $ipsecconf .= "\t{$authentication}\n";
+ if (!empty($peerid_spec))
+ $ipsecconf .= "\trightid = {$peerid_spec}\n";
+ if ($keyexchange == 'ikev1')
+ $ipsecconf .= "\taggressive = {$aggressive}\n";
+ if (!empty($rightsubnet_spec))
+ $ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
+ if (!empty($leftsubnet_spec))
+ $ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
}
}
+
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
unset($ipsecconf);
/* end ipsec.conf */
@@ -1602,4 +1604,4 @@ function vpn_ipsec_configure_preferoldsa() {
set_single_sysctl("net.key.preferred_oldsa", "0");
}
-?> \ No newline at end of file
+?>