diff options
| author | Ermal <eri@pfsense.org> | 2014-09-12 19:22:48 +0200 |
|---|---|---|
| committer | Ermal <eri@pfsense.org> | 2014-09-12 19:22:48 +0200 |
| commit | fa4e059e17708cc12f258b636a7b701a99528c84 (patch) | |
| tree | 88e3d2bc6737f153dd48b9e524607e5644943a4f /etc/inc/vpn.inc | |
| parent | e373e4cd1cd9557f5ad6ec87c869d44b779357b1 (diff) | |
| download | pfsense-fa4e059e17708cc12f258b636a7b701a99528c84.zip pfsense-fa4e059e17708cc12f258b636a7b701a99528c84.tar.gz | |
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Diffstat (limited to 'etc/inc/vpn.inc')
| -rw-r--r-- | etc/inc/vpn.inc | 82 |
1 files changed, 40 insertions, 42 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 581479c..804a27c 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -49,7 +49,7 @@ function vpn_ipsec_configure_loglevels($forconfig = false) $cfgtext = array(); foreach ($ipsec_loglevels as $lkey => $ldescr) { if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) - mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false); + mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false); else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) $forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : @@ -128,6 +128,10 @@ function vpn_ipsec_configure($ipchg = false) return 0; } else { + $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs"; + $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts"; + $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private"; + mwexec("/sbin/ifconfig enc0 up"); set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); /* needed for config files */ @@ -135,14 +139,14 @@ function vpn_ipsec_configure($ipchg = false) mkdir("{$g['varetc_path']}/ipsec"); if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts")) - mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private")) - mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private"); + if (!is_dir($capath)) + mkdir($capath); + if (!is_dir($keypath)) + mkdir($keypath); if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs")) - mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs"); + if (!is_dir($certpath)) + mkdir($certpath); if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) @@ -416,7 +420,7 @@ EOD; log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); continue; } - $fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0"; + $fname = "{$capath}/{$x509cert['hash']}.0.crt"; if (!@file_put_contents($fname, $cert)) { log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); continue; @@ -433,47 +437,36 @@ EOD; if (isset($ph1ent['disabled'])) continue; - if (strstr($ph1ent['authentication_method'],'rsa')) { + if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') { $certline = ''; - if (strstr($authmethod,'rsa')) { - - $ikeid = $ph1ent['ikeid']; - $cert = lookup_cert($ph1ent['certref']); - - if (!$cert) { - log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); - continue; - } - - chmod($certpath, 0600); - - $keyfile = "cert-{$ikeid}.key"; - $keypath = "{$g['varetc_path']}/ipsec/{$keyfile}"; - - if (!file_put_contents($keypath, base64_decode($cert['prv']))) { - log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); - continue; - } + $ikeid = $ph1ent['ikeid']; + $cert = lookup_cert($ph1ent['certref']); - chmod($keypath, 0600); - /* XXX" Traffic selectors? */ - $pskconf .= " : RSA {$keypath}\n"; + if (!$cert) { + log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); + continue; + } - $ca = lookup_ca($ph1ent['caref']); - if ($ca) { - $cafile = "ca-{$ikeid}.crt"; - $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}"; + @chmod($certpath, 0600); - if (!file_put_contents($capath, base64_decode($ca['crt']))) - { - log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name'])); - continue; - } + $ph1keyfile = "{$keypath}/cert-{$ikeid}.key"; + if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { + log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); + continue; + } + @chmod($ph1keyfile, 0600); - chmod($capath, 0600); - } + $ph1certfile = "{$certpath}/cert-{$ikeid}.crt"; + if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { + log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); + @unlink($ph1keyfile); + continue; } + @chmod($ph1certfile, 0600); + + /* XXX" Traffic selectors? */ + $pskconf .= " : RSA {$ph1keyfile}\n"; } else { list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); @@ -595,6 +588,11 @@ EOD; $authentication = ""; switch ($ph1ent['authentication_method']) { + case 'eap-tls': + $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; + if (!empty($ph1ent['certref'])) + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + break; case 'xauth_rsa_server': $authentication = "leftauth = pubkey\n\trightauth = pubkey"; $authentication .= "\n\trightauth2 = xauth-generic"; |
