author | Scott Ullrich <sullrich@pfsense.org> | 2006-09-22 23:22:23 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2006-09-22 23:22:23 +0000 |
commit | c52719a8abf33e22af70d1b4d295d79eff628ab5 (patch) | |
tree | eb0e6b8eca52c963e354d7bee2258c299defd328 /etc | |
parent | 70a6aeb0d4f166fa2314eacc4a0ea7b9c5b3ec5c (diff) | |
download | pfsense-c52719a8abf33e22af70d1b4d295d79eff628ab5.zip pfsense-c52719a8abf33e22af70d1b4d295d79eff628ab5.tar.gz |
Do not destroy previous items, wiping out the listen directive.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 214 |
1 files changed, 107 insertions, 107 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 65d44ea..4056d24 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -39,7 +39,7 @@ function vpn_setup() { vpn_pptpd_configure(); /* start pppoe server */ - vpn_pppoe_configure(); + vpn_pppoe_configure(); } function vpn_ipsec_failover_configure() { @@ -70,9 +70,9 @@ function vpn_ipsec_failover_configure() { fwrite($fd, $sasyncd_text); fclose($fd); chmod("{$g['varetc_path']}/sasyncd.conf", 0600); - + mwexec("killall sasyncd"); - + /* launch sasyncd, oh wise one */ /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */ } @@ -104,7 +104,7 @@ function vpn_ipsec_configure($ipchg = false) { if($g['booting'] == true) { /* determine if we should load the via padlock module */ $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`; - if(stristr($dmesg_boot, "ACE") == true) { + if(stristr($dmesg_boot, "ACE") == true) { //echo "Enabling [VIA Padlock] ..."; //mwexec("/sbin/kldload padlock"); //mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1"); @@ -128,7 +128,7 @@ function vpn_ipsec_configure($ipchg = false) { $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { - if($sasyncd['ip'] <> "") + if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; } @@ -220,9 +220,9 @@ function vpn_ipsec_configure($ipchg = false) { $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { - if($sasyncd['ip'] <> "") + if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; - } + } mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } 
@@ -257,15 +257,15 @@ function vpn_ipsec_configure($ipchg = false) { if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { - if($sasyncd['ip'] <> "") + if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; /* natt - turn on if <developer/> exists */ if(isset($config['system']['developer']) <> "") { $lanip = $config['interfaces']['lan']['ipaddr']; - if($lanip <> "") + if($lanip <> "") $natt = "isakmp_natt {$lanip}[4500];\n"; - - } + + } $interface_ip = $sasyncd['ip']; $racoonconf .= <<<EOD listen { @@ -276,9 +276,9 @@ listen { EOD; } - $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; + $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; - + /* generate CA certificates files */ $cacertnum = 0; if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) @@ -299,22 +299,22 @@ EOD; } } } - + $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { - + ++$tunnelnumber; - + if (isset($tunnel['disabled'])) continue; - + $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; - + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); - + if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; @@ -331,13 +331,13 @@ EOD; $myidentt = "dyn_dns"; $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']); } - + if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} - - $certline = ''; - + + $certline = ''; + if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); 
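Review bot: The new `$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";` now depends on `$racoonconf` already holding a value, but when `$config['installedpackages']['sasyncd']['config']` is empty the foreach that builds the `listen { ... }` blocks never runs, so this is the first touch of the variable and PHP raises an undefined-variable notice (the append itself still works on the implicit empty string). Unless `$racoonconf` is initialised before the sasyncd loop — that loop starts above the `@@ -257` hunk, so it cannot be confirmed here — add `$racoonconf = "";` ahead of it so the fix does not silently rely on earlier code. Note also that the loop emits one `listen { ... }` block per sasyncd entry and reassigns `$interface_ip` each pass; if more than one entry is ever configured, a single `listen` block collecting all `isakmp` addresses would presumably be the intended shape, worth a comment at the loop head.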
@@ -347,12 +347,12 @@ EOD; $cert = ''; $private_key = ''; } - - if ($tunnel['p1']['peercert']) + + if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); - else + else $peercert = ''; - + $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); @@ -361,7 +361,7 @@ EOD; chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); - + $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); @@ -372,7 +372,7 @@ EOD; fclose($fd1); $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; - + if ($peercert!=''){ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { @@ -381,13 +381,13 @@ EOD; } chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $peercert); - fclose($fd1); + fclose($fd1); $certline .= <<<EOD - + peers_certfile "peer{$tunnelnumber}-signed.pem"; EOD; - } - } + } + } $racoonconf .= <<<EOD remote {$tunnel['remote-gateway']} \{ exchange_mode {$tunnel['p1']['mode']}; @@ -407,17 +407,17 @@ remote {$tunnel['remote-gateway']} \{ EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; - + $racoonconf .= " }\n"; - + if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; - + $racoonconf .= "}\n\n"; - + $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); - + $racoonconf .= <<<EOD sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ encryption_algorithm {$p2ealgos}; 
@@ -428,18 +428,18 @@ EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; - + if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; - + $racoonconf .= "}\n\n"; } - + /* mobile clients? */ if (isset($ipseccfg['mobileclients']['enable'])) { - + $tunnel = $ipseccfg['mobileclients']; - + if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $curwanip; @@ -453,12 +453,12 @@ EOD; $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } - + if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} - - $certline = ''; + + $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); @@ -468,12 +468,12 @@ EOD; $cert = ''; $private_key = ''; } - - if ($tunnel['p1']['peercert']) + + if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); - else + else $peercert = ''; - + $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n"); @@ -482,7 +482,7 @@ EOD; chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); - + $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n"); 
@@ -514,17 +514,17 @@ remote anonymous \{ EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; - + $racoonconf .= " }\n"; - + if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; - + $racoonconf .= "}\n\n"; - + $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); - + $racoonconf .= <<<EOD sainfo anonymous \{ encryption_algorithm {$p2ealgos}; @@ -535,25 +535,25 @@ EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; - + if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; - + $racoonconf .= "}\n\n"; } - + fwrite($fd, $racoonconf); fclose($fd); - + /* generate psk.txt */ $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); if (!$fd) { printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); return 1; } - + $pskconf = ""; - + if (is_array($ipseccfg['tunnel'])) { foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) @@ -561,18 +561,18 @@ EOD; $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; } } - + /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; } } - + fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); - + /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf"); } 
@@ -593,48 +593,48 @@ EOD; function vpn_pptpd_configure() { global $config, $g; - + $syscfg = $config['system']; $pptpdcfg = $config['pptpd']; - + if ($g['booting']) { if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) return 0; - + echo "Configuring PPTP VPN service... "; - } else { + } else { /* kill mpd */ killbypid("{$g['varrun_path']}/mpd-vpn.pid"); - + /* wait for process to die */ sleep(3); - + if(is_process_running("mpd -b")) { killbypid("{$g['varrun_path']}/mpd-vpn.pid"); log_error("Could not kill mpd within 3 seconds. Trying again."); } - + /* remove mpd.conf, if it exists */ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); } - + /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); - + switch ($pptpdcfg['mode']) { - + case 'server': - + /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); return 1; } - + $mpdconf = <<<EOD pptpd: @@ -643,12 +643,12 @@ EOD; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdconf .= " load pt{$i}\n"; } - + for ($i = 0; $i < $g['n_pptp_units']; $i++) { - + $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); $ngif = "ng" . ($i+1); - + $mpdconf .= <<<EOD pt{$i}: @@ -658,7 +658,7 @@ pt{$i}: EOD; } - + $mpdconf .= <<<EOD pts: @@ -682,7 +682,7 @@ pts: set ccp yes mpp-stateless EOD; - + if (!isset($pptpdcfg['req128'])) { $mpdconf .= <<<EOD set ccp yes mpp-e40 @@ -690,7 +690,7 @@ EOD; EOD; } - + if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n"; } else if (isset($config['dnsmasq']['enable'])) { 
@@ -701,7 +701,7 @@ EOD; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } - + if (isset($pptpdcfg['radius']['enable'])) { $mpdconf .= <<<EOD set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" @@ -722,16 +722,16 @@ EOD; fwrite($fd, $mpdconf); fclose($fd); - + /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); return 1; } - + $mpdlinks = ""; - + for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdlinks .= <<<EOD @@ -747,16 +747,16 @@ EOD; fwrite($fd, $mpdlinks); fclose($fd); - + /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); return 1; } - + $mpdsecret = ""; - + if (is_array($pptpdcfg['user'])) { foreach ($pptpdcfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; @@ -765,24 +765,24 @@ EOD; fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); - + /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); - + break; - + case 'redir': break; } - + if (!$g['booting']) { /* reload the filter */ filter_configure(); } - + if ($g['booting']) echo "done\n"; - + return 0; } @@ -790,7 +790,7 @@ function vpn_localnet_determine($adr, &$sa, &$sn) { global $config, $g; if (isset($adr)) { - if ($adr['network']) { + if ($adr['network']) { switch ($adr['network']) { case 'lan': $sn = $config['interfaces']['lan']['subnet']; @@ -809,9 +809,9 @@ function vpn_localnet_determine($adr, &$sa, &$sn) { } function vpn_endpoint_determine($tunnel, $curwanip) { - + global $g, $config; - + if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) { if ($curwanip) return $curwanip; 
@@ -821,12 +821,12 @@ function vpn_endpoint_determine($tunnel, $curwanip) { return $config['interfaces']['lan']['ipaddr']; } else { $oc = $config['interfaces'][$tunnel['interface']]; - + if (isset($oc['enable']) && $oc['if']) { return $oc['ipaddr']; } } - + return null; } @@ -839,7 +839,7 @@ function vpn_pppoe_configure() { /* create directory if it does not exist */ if(!is_dir("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); - + if ($g['booting']) { if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) return 0; @@ -877,14 +877,14 @@ EOD; $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); $ngif = "ng" . ($i+1); - + if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; - $isssue_ip_type .="\n\tset ipcp yes radius-ip"; + $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } - + $mpdconf .= <<<EOD pppoe{$i}: @@ -918,13 +918,13 @@ pppoe_standart: set ipcp no vjcomp set link max-redial -1 set link mtu 1492 - set link mru 1492 + set link mru 1492 set ccp yes mpp-e40 set ccp yes mpp-e128 set ccp yes mpp-stateless set link latency 1 #set ipcp dns 10.10.1.3 - #set bundle accept encryption + #set bundle accept encryption EOD; |