authorScott Ullrich <sullrich@pfsense.org>2007-05-29 20:46:26 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-05-29 20:46:26 +0000
commitcf7d105744dea484fee42e42b01a881ffd8bc87f (patch)
tree1ab8c27c27f7f1cd1513cbae76f2e65dedf9ccc9 /usr/local/www/diag_ipsec.php
parent1256bba56b6bf44390287dec0c43d78e8fa969b1 (diff)
downloadpfsense-cf7d105744dea484fee42e42b01a881ffd8bc87f.zip
pfsense-cf7d105744dea484fee42e42b01a881ffd8bc87f.tar.gz
Add diag IPSEC screen.
Diffstat (limited to 'usr/local/www/diag_ipsec.php')
-rw-r--r--usr/local/www/diag_ipsec.php191
1 files changed, 191 insertions, 0 deletions
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php
new file mode 100644
index 0000000..80e80a5
--- /dev/null
+++ b/usr/local/www/diag_ipsec.php
@@ -0,0 +1,191 @@
+<?php
+/* $Id$ */
+/*
+ diag_ipsec.php
+ Copyright (C) 2007 Scott Ullrich
+ All rights reserved.
+
+ Parts of this code was originally based on vpn_ipsec_sad.php
+ Copyright (C) 2003-2004 Manuel Kasper
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$pgtitle = "Diagnostics: IPSec";
+
+require("guiconfig.inc");
+include("head.inc");
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>">
+<?php include("fbegin.inc"); ?>
+<p class="pgtitle"><?=$pgtitle?></p>
+<div id="inputerrors"></div>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[0] = array("Overview", true, "diag_ipsec_sad.php");
+ $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php");
+ $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+<?php
+
+/* query SAD */
+$fd = @popen("/sbin/setkey -D", "r");
+$sad = array();
+if ($fd) {
+ while (!feof($fd)) {
+ $line = chop(fgets($fd));
+ if (!$line)
+ continue;
+ if ($line == "No SAD entries.")
+ break;
+ if ($line[0] != "\t") {
+ if (is_array($cursa))
+ $sad[] = $cursa;
+ $cursa = array();
+ list($cursa['src'],$cursa['dst']) = explode(" ", $line);
+ $i = 0;
+ } else {
+ $linea = explode(" ", trim($line));
+ if ($i == 1) {
+ $cursa['proto'] = $linea[0];
+ $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1);
+ } else if ($i == 2) {
+ $cursa['ealgo'] = $linea[1];
+ } else if ($i == 3) {
+ $cursa['aalgo'] = $linea[1];
+ }
+ }
+ $i++;
+ }
+ if (is_array($cursa) && count($cursa))
+ $sad[] = $cursa;
+ pclose($fd);
+}
+?>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+<?php if (count($sad)): ?>
+ <tr>
+ <td nowrap class="listhdrr">Source</td>
+ <td nowrap class="listhdrr">Destination</a></td>
+ <td nowrap class="listhdrr">Status</td>
+ </tr>
+<?php
+foreach ($config['ipsec']['tunnel'] as $ipsec): ?>
+ <tr>
+ <td class="listlr"><?=htmlspecialchars(get_ipsec_tunnel_src($ipsec));?></td>
+ <td class="listr"><?=htmlspecialchars($ipsec['remote-gateway']);?></td>
+ <td class="listr"><?php echo output_ipsec_tunnel_status($ipsec); ?></td>
+ </tr>
+<?php endforeach; ?>
+<?php else: ?>
+ <tr>
+ <td>
+ <p>
+ <strong>No IPsec security associations.</strong>
+ </p>
+ </td>
+ </tr>
+<?php endif; ?>
+ <tr>
+ <td colspan="4">
+ <p>
+ <span class="vexpl">
+ <span class="red">
+ <strong>
+ Note:<br />
+ </strong>
+ </span>
+ You can configure your IPSEC
+ <a href="vpn_ipsec.php">here</a>.
+ </span>
+ </p>
+ </td>
+ </tr>
+</table>
+</div>
+
+</td></tr>
+
+</table>
+
+<?php include("fend.inc"); ?>
+</body>
+</html>
+
+<?php
+
+function get_ipsec_tunnel_src($tunnel) {
+ global $g, $config, $sad;
+ $if = "WAN";
+ if ($tunnel['interface']) {
+ $iflabels = array('lan' => 'LAN', 'wan' => 'WAN');
+ $carpips = find_number_of_needed_carp_interfaces();
+ for($j=0; $j<$carpips; $j++) {
+ $interfaceip = find_interface_ip("carp" . $j);
+ $iflabels['carp' . $j] = $interfaceip;
+ }
+ for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
+ $realinterface = convert_friendly_interface_to_real_interface_name('opt' . $j);
+ $iflabels['opt' . $j] = find_interface_ip($realinterface);
+ }
+ $interfaceip = $iflabels[$tunnel['interface']];
+ } else {
+ $realinterface = convert_friendly_interface_to_real_interface_name($if);
+ $interfaceip = find_interface_ip($realinterface);
+ }
+ return $interfaceip;
+}
+
+function output_ipsec_tunnel_status($tunnel) {
+ global $g, $config, $sad;
+ $if = "WAN";
+ $interfaceip = get_ipsec_tunnel_src($tunnel);
+ echo $interfaceip;
+ $foundsrc = false;
+ $founddst = false;
+ foreach($sad as $sa) {
+ if($sa['src'] == $interfaceip)
+ $foundsrc = true;
+ if($sa['dst'] == $tunnel['remote-gateway'])
+ $founddst = true;
+ }
+ if($foundsrc && $founddst) {
+ /* tunnel is up */
+ $iconfn = "pass";
+ } else {
+ /* tunnel is down */
+ $iconfn = "reject";
+ }
+ echo "<img src ='/themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif'>";
+}
+
+?> \ No newline at end of file
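Review bot: The up/down check in `output_ipsec_tunnel_status` (the `foreach($sad as $sa)` loop) treats a tunnel as established when any SA matches the local address and any other SA matches the remote gateway, so with two or more tunnels on the same interface a peer whose own SA has expired is still shown as up; both ends should be required on the same entry, e.g. `if ($sa['src'] == $interfaceip && $sa['dst'] == $tunnel['remote-gateway']) { $found = true; break; }` with `$iconfn` chosen from `$found`. The same function also does `echo $interfaceip;` unescaped into the Status cell before the icon, which duplicates the Source column and looks like a leftover debug print; drop it or wrap it in `htmlspecialchars()` like the other cells. The "Overview" entry in `$tab_array[0]` links to `diag_ipsec_sad.php` rather than `diag_ipsec.php`, so the active tab navigates away from this page. Less critical: `$cursa` is tested with `is_array()` before it is ever assigned, and `$config['ipsec']['tunnel']` is iterated without an `is_array()` guard, both of which will emit notices when no tunnels are configured but SAD entries exist.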