author | Chris Buechler <cmb@pfsense.org> | 2016-02-11 02:38:23 -0600 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2016-02-11 02:38:23 -0600 |
commit | 54c3605675c3581303ed52e61f0e6c956aad3a06 (patch) | |
tree | c9c998a72fecc7e713876ae5a0588ac0786e51c1 /src | |
parent | d1981cc67f5c2c76f1812bb3009d944a597bb2db (diff) | |
Add support for IPsec TFC. Ticket #4688
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/vpn.inc | 9 | ||||
-rw-r--r-- | src/usr/local/www/vpn_ipsec_phase1.php | 50 |
2 files changed, 58 insertions, 1 deletions
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 8c9e4b5..c2de452 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -1165,6 +1165,14 @@ EOD;
 $mobike = 'mobike = no';
 }
+ if (isset($ph1ent['tfc_enable'])) {
+ if (isset($ph1ent['tfc_bytes']) && is_numericint($ph1ent['tfc_bytes'])) {
+ $tfc = "tfc = {$ph1ent['tfc_bytes']}";
+ } else {
+ $tfc = "tfc = %mtu";
+ }
+ }
+
 $ipseclifetime = 0;
 $rightsubnet_spec = array();
 $leftsubnet_spec = array();
@@ -1338,6 +1346,7 @@ EOD;
 {$reauth}
 {$forceencaps}
 {$mobike}
+ {$tfc}
 {$rekey}
 installpolicy = yes
 {$tunneltype}
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 52b3c81..ef754f4 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -160,6 +160,14 @@ if (isset($p1index) && $a_phase1[$p1index]) {
 $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
 $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
 }
+
+ if (isset($a_phase1[$p1index]['tfc_enable'])) {
+ $pconfig['tfc_enable'] = true;
+ }
+
+ if (isset($a_phase1[$p1index]['tfc_bytes'])) {
+ $pconfig['tfc_bytes'] = $a_phase1[$p1index]['tfc_bytes'];
+ }
 } else {
 /* defaults */
 $pconfig['interface'] = "wan";
@@ -404,8 +412,12 @@ if ($_POST) {
 }
 }
+ if ($pconfig['tfc_bytes'] && !is_numericint($pconfig['tfc_bytes'])) {
+ $input_errors[] = gettext("A numeric value must be specified for TFC bytes.");
+ }
+
 if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2" && $pconfig['iketype'] != "auto") {
- $input_errors[] = gettext("Valid arguments for IKE type is v1, v2 or auto");
+ $input_errors[] = gettext("Valid arguments for IKE type are v1, v2 or auto");
 }
 if (!empty($_POST['ealgo']) && isset($config['system']['crypto_hardware'])) {
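Review bot: `$tfc` is only assigned inside the `if (isset($ph1ent['tfc_enable']))` guard in the first vpn.inc hunk, yet the second vpn.inc hunk interpolates `{$tfc}` into the conn heredoc unconditionally. If this block runs once per phase-1 entry inside a loop that starts outside the hunk, a `$tfc` set for an earlier entry carries over into a later entry that has TFC disabled, so that tunnel silently gets a `tfc =` line it was never configured for; when no entry sets it, PHP raises an undefined-variable notice instead. Initialise it before the guard with `$tfc = '';` so every entry starts from a known state. The `is_numericint()` check is what keeps `tfc_bytes` from being interpolated unchecked into ipsec.conf, so it should stay as the last line of defence even though the form validates the same field.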
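Review bot: Nothing on the server ties TFC to the IKE version: the JavaScript added later in this commit hides the checkbox for one IKE type, but a hidden checkbox that is already checked is still submitted, and the new validation block in this hunk accepts `tfc_enable` for any `iketype`. If TFC is only meaningful for IKEv2, as the hide logic suggests, mirror that here with an input error such as `if (isset($pconfig['tfc_enable']) && $pconfig['iketype'] == "ikev1") { $input_errors[] = gettext("TFC is only available for IKEv2."); }`, or drop the flag on save. The truthiness test `if ($pconfig['tfc_bytes'] && ...)` also means `'0'` skips the check; that happens to be numeric, but `$pconfig['tfc_bytes'] !== ''` states the intent more precisely. The enclosing `if ($_POST)` block starts and ends outside the hunk.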
@@ -502,6 +514,14 @@ if ($_POST) {
 $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
 }
+ if (isset($pconfig['tfc_enable'])) {
+ $ph1ent['tfc_enable'] = true;
+ }
+
+ if (isset($pconfig['tfc_bytes'])) {
+ $ph1ent['tfc_bytes'] = $pconfig['tfc_bytes'];
+ }
+
 /* generate unique phase1 ikeid */
 if ($ph1ent['ikeid'] == 0) {
 $ph1ent['ikeid'] = ipsec_ikeid_next();
@@ -865,6 +885,20 @@ $section->addInput(new Form_Select(
 ))->setHelp('Set this option to control the use of MOBIKE');
 $section->addInput(new Form_Checkbox(
+ 'tfc_enable',
+ 'Traffic Flow Confidentiality',
+ 'Enable TFC',
+ $pconfig['tfc_enable']
+))->setHelp('Enable Traffic Flow Confidentiality');
+
+$section->addInput(new Form_Input(
+ 'tfc_bytes',
+ 'TFC Bytes',
+ 'Bytes TFC',
+ $pconfig['tfc_bytes']
+))->setHelp('Enter the number of bytes to pad ESP data to, or leave blank to fill to MTU size');
+
+$section->addInput(new Form_Checkbox(
 'dpd_enable',
 'Dead Peer Detection',
 'Enable DPD',
@@ -940,11 +974,14 @@ events.push(function() {
 hideInput('mode', true);
 hideInput('mobike', false);
 hideInput('nat_traversal', true);
+ hideCheckbox('tfc_enable', false);
 hideCheckbox('reauth_enable', false);
 } else {
 hideInput('mode', false);
 hideInput('mobike', true);
 hideInput('nat_traversal', false);
+ hideCheckbox('tfc_enable', true);
+ hideInput('tfc_bytes', true);
 hideCheckbox('reauth_enable', true);
 }
 }
@@ -1056,6 +1093,12 @@ events.push(function() {
 }
 }
+ function tfcchkbox_change() {
+ hide = !$('#tfc_enable').prop('checked');
+
+ hideInput('tfc_bytes', hide);
+ }
+
 // ---------- Monitor elements for change and call the appropriate display functions ----------
 // Enable DPD
@@ -1063,6 +1106,11 @@ events.push(function() {
 dpdchkbox_change();
 });
+ // TFC
+ $('#tfc_enable').click(function () {
+ tfcchkbox_change();
+ });
+
 // Peer identifier
 $('#peerid_type').click(function () {
 peeridsel_change(); |
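Review bot: `if (isset($pconfig['tfc_bytes']))` stores the field even when it is blank, because a submitted text input is always set, so every saved phase-1 entry gains an empty `tfc_bytes` key; it is also stored when TFC is disabled, so a stale byte count survives a later re-enable. Guard it with `if (isset($pconfig['tfc_enable']) && isset($pconfig['tfc_bytes']) && $pconfig['tfc_bytes'] !== '')` so the config only carries a value that the generator will actually use. Whether `$ph1ent` is built fresh or seeded from the existing entry is outside the hunk; if it is seeded, unchecking the box never clears a previously saved `tfc_enable` and an `unset($ph1ent['tfc_enable']);` before the guard is needed too.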
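Review bot: `'Bytes TFC'` is passed as the third constructor argument of `Form_Input`, which in the neighbouring checkbox is the label position but for text inputs elsewhere in this form family looks like the input type (for example `'text'` or `'number'`); if that is the case here the value lands in the `type` attribute and only works because browsers fall back to a text input for unknown types. Replace it with `'number',` so the browser enforces a numeric value client-side, which also matches the `is_numericint()` check in the validation hunk. The help text could additionally say that the value applies only when "Enable TFC" is checked.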
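Review bot: The branch that reveals the checkbox with `hideCheckbox('tfc_enable', false);` never restores `tfc_bytes`, while the else branch hides it; switching the IKE type away from the else branch therefore leaves the byte field hidden even when "Enable TFC" is checked, until the user toggles the checkbox. Call `tfcchkbox_change();` after `hideCheckbox('tfc_enable', false);` so the field follows the checkbox state. Whether `tfcchkbox_change()` also runs on initial page load is outside this hunk; if it does not, `tfc_bytes` starts visible for entries with TFC disabled.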
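Review bot: `hide = !$('#tfc_enable').prop('checked');` assigns without `var`, so `hide` becomes an implicit global shared by every handler in this `events.push` closure. That is harmless as long as no two handlers interleave, and the sibling `dpdchkbox_change()` outside the hunk may well do the same, but `var hide = !$('#tfc_enable').prop('checked');` keeps the variable local at no cost.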