authormgrooms <mgrooms@shrew.net>2009-03-15 06:14:54 +0000
committermgrooms <mgrooms@shrew.net>2009-03-15 06:18:35 +0000
commit4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac (patch)
tree958b9cad6a732f92151e4d2fb4238125af08150c /etc
parent030f0cb794e2cc477432aa108eceb3dd2a01a4b0 (diff)
downloadpfsense-4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac.zip
pfsense-4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac.tar.gz
Modify IPsec code to allow for transport mode. All existing configurations are
marked as tunnel for backwards compatibility. There are problems with the SPD read code, which will likely choke on transport entries. We can fix this later.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/globals.inc4
-rw-r--r--etc/inc/ipsec.inc4
-rw-r--r--etc/inc/upgrade_config.inc8
-rw-r--r--etc/inc/vpn.inc136
4 files changed, 102 insertions, 50 deletions
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index c8ae12d..bab855b 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -32,7 +32,7 @@
*/
$g = array(
- "factory_shipped_username" => "admin",
+ "factory_shipped_username" => "admin",
"factory_shipped_password" => "pfsense",
"upload_path" => "/root",
"dhcpd_chroot_path" => "/var/dhcpd",
@@ -58,7 +58,7 @@ $g = array(
"product_website_footer" => "http://www.pfsense.org/?gui20",
"product_email" => "coreteam@pfsense.org",
"debug" => false,
- "latest_config" => "5.7",
+ "latest_config" => "5.8",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 6e206b3..44853d6 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -77,6 +77,10 @@ $p1_authentication_methods = array(
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
+$p2_modes = array(
+ 'tunnel' => 'Tunnel',
+ 'transport' => 'Transport');
+
$p2_protos = array(
'esp' => 'ESP',
'ah' => 'AH');
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index e8d6192..db59e6f 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1725,4 +1725,12 @@ function upgrade_056_to_057() {
unset($config['captiveportal']['user']);
}
}
+
+function upgrade_057_to_058() {
+ global $config;
+ /* set all phase2 entries to tunnel mode */
+ if (is_array($config['ipsec']['phase2']))
+ foreach($config['ipsec']['phase2'] as & $ph2ent)
+ $ph2ent['mode'] = 'tunnel';
+}
?>
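Review bot: The by-reference `foreach` in `upgrade_057_to_058` leaves `$ph2ent` bound to the last phase 2 entry once the loop ends; the function returns straight away so nothing is clobbered today, but `unset($ph2ent);` after the loop is the conventional guard against a later edit appending code that reuses the name. A short header comment would also help the next maintainer, e.g. `/* 5.7 -> 5.8: phase2 entries gain a 'mode' (tunnel|transport); stamp every existing entry as tunnel, the only behaviour before this release. */`. The unbraced `if`/`foreach` nesting is legal, but braces around both bodies would match `upgrade_056_to_057` directly above.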
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e9ea34..18090db 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -587,75 +587,103 @@ EOD;
$ikeid = $ph2ent['ikeid'];
+ if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
+ continue;
+
+ if (isset($ph1ent['disabled']))
+ continue;
+
if (isset($ph2ent['disabled']))
continue;
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
continue;
- $localid_type = $ph2ent['localid']['type'];
- if ($localid_type != "address")
- $localid_type = "subnet";
+ if ($ph2ent['mode'] == 'tunnel') {
- $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- $localid_spec = $localid_type." ".$localid_data." any";
+ $localid_type = $ph2ent['localid']['type'];
+ if ($localid_type != "address")
+ $localid_type = "subnet";
- if (!isset($ph2ent['mobile'])) {
+ $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
+ $localid_spec = $localid_type." ".$localid_data." any";
- $remoteid_type = $ph2ent['remoteid']['type'];
- if ($remoteid_type != "address")
- $remoteid_type = "subnet";
+ if (!isset($ph2ent['mobile'])) {
+ $remoteid_type = $ph2ent['remoteid']['type'];
+ if ($remoteid_type != "address")
+ $remoteid_type = "subnet";
- $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
- $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ } else
+ $remoteid_spec = "anonymous";
- } else
- $remoteid_spec = "anonymous";
+ } else {
- $ealgos = '';
- $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $rgip = $rgmap[$ph1ent['remote-gateway']];
- $pfsline = '';
- if ($ph2ent['pfsgroup'])
- $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
- if (isset($a_client['pfs_group'])) {
- $pfsline = '';
- if ($a_client['pfs_group'])
- $pfsline = "pfs_group {$a_client['pfs_group']};";
+ $localid_data = ipsec_get_phase1_src($ph1ent);
+ $localid_spec = "address {$localid_data}";
+
+ $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
+ $remoteid_spec = "address {$remoteid_data}";
}
- $lifeline = '';
- if ($ph2ent['lifetime'])
- $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+ if($ph2ent['proto'] == "esp") {
+
+ $ealgos = '';
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
- if ($ealg_kl) {
- if( $ealg_kl == "auto" ) {
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ if ($ealg_kl) {
+ if( $ealg_kl == "auto" ) {
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if( $ealgos )
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if ($ealgos)
+ $ealgos = $ealgos.", ";
+ $ealgos = $ealgos.$ealg_id." ".$keylen;
+ }
+ } else {
+ if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$keylen;
+ $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
}
} else {
if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
+ $ealgos = $ealgos.$ealg_id;
}
- } else {
- if ($ealgos)
- $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id;
}
+
+ $ealgosline = "encryption_algorithm {$ealgos};";
+
+ } else {
+
+ $ealgosline = "encryption_algorithm null_enc;";
}
+ $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $halgosline = "authentication_algorithm {$halgos};";
+
+ $pfsline = '';
+ if ($ph2ent['pfsgroup'])
+ $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
+ if (isset($a_client['pfs_group'])) {
+ $pfsline = '';
+ if ($a_client['pfs_group'])
+ $pfsline = "pfs_group {$a_client['pfs_group']};";
+ }
+
+ $lifeline = '';
+ if ($ph2ent['lifetime'])
+ $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+
/* add sainfo section to configuration */
$racoonconf .=<<<EOD
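Review bot: The ESP test `if($ph2ent['proto'] == "esp")` reads a key named `proto`, while the SPD code in this same commit (and the pre-existing code it replaces) reads `$ph2ent['protocol']`; if `protocol` is the real config key, `proto` is never set, the comparison is always false, and every phase 2 entry is emitted as `encryption_algorithm null_enc;`, i.e. ESP with no confidentiality. Unless `proto` is a genuine alias, this should read `if ($ph2ent['protocol'] == "esp") {`. Separately, the mode switch treats anything that is not `'tunnel'` as transport, so an entry with no `mode` (one that never passed through upgrade_057_to_058, for instance) silently gets a transport sainfo; since `$p2_modes` defines only the two values, `if ($ph2ent['mode'] != 'transport') {` would make tunnel the safe default. `$rgip` assigned at the top of the transport branch is unused there, as `$remoteid_data` repeats the same lookup. The enclosing loop body begins before this hunk and continues past it.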
@@ -663,11 +691,11 @@ EOD;
sainfo {$localid_spec} {$remoteid_spec}
{
remoteid {$ikeid};
- encryption_algorithm {$ealgos};
- authentication_algorithm {$halgos};
- compression_algorithm deflate;
+ {$ealgosline}
+ {$halgosline}
{$pfsline}
{$lifeline}
+ compression_algorithm deflate;
}
EOD;
@@ -735,11 +763,23 @@ EOD;
mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
}
- $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+ if($ph2ent['mode'] == "tunnel") {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
- $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
+ } else {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ }
/* static route needed? */
if (preg_match("/^carp/i", $ph1ent['interface']))
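Review bot: The transport-mode `spdadd` lines reuse `{$localid}` and `{$remoteid}` as selectors, but the transport sainfo written earlier in this commit uses the phase 1 endpoint addresses (`ipsec_get_phase1_src($ph1ent)` and `$rgmap[$ph1ent['remote-gateway']]`); if `$localid`/`$remoteid` are derived from the phase 2 localid/remoteid as in the tunnel case (they are computed before this hunk), the kernel policy and racoon's proposal will describe different traffic, which the commit message already anticipates. The gateway addresses are available here as `$ep` and `$rgip`, so the transport branch could use them directly: `spdadd {$ep} {$rgip} any -P out ipsec {$ph2ent['protocol']}/transport//unique;` with the mirrored `-P in` line as `{$rgip} {$ep}`. It is also worth confirming that `$ph2ent['protocol']` here and the `proto` key read by the sainfo code in this commit refer to the same config field. The enclosing function starts and ends outside this hunk.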