diff options
| author | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-11 01:55:30 +0000 |
|---|---|---|
| committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-11 01:55:30 +0000 |
| commit | a93e56c58af2611650d1f97190ffe54782479423 (patch) | |
| tree | 4748e51726a04966508a45bd275cf8e0589df7be /usr/local/www/vpn_ipsec.php | |
| parent | 2a66b533249a31c4b9ea6f90c696998b2ba8ba49 (diff) | |
| download | pfsense-a93e56c58af2611650d1f97190ffe54782479423.zip pfsense-a93e56c58af2611650d1f97190ffe54782479423.tar.gz | |
Overhaul IPsec related code. Shared functions have been consolidated into
a new file named /etc/ipsec.inc. Tunnel definitions have been split into
phase1 and phase2. This allows any number of phase2 definitions to be
created for a single phase1 definition. Several facets of configuration
have also been improved. The key size for variable length algorithms can
now be selected and the phase1 ID options have been extended to allow for
more flexible configuration. Several NAT-T related issues have also been
resolved.
Please note, IPsec remote access functionality has been temporarily
disabled. An improved implementation will be included in a follow up
commit.
Diffstat (limited to 'usr/local/www/vpn_ipsec.php')
| -rwxr-xr-x | usr/local/www/vpn_ipsec.php | 435 |
1 files changed, 302 insertions, 133 deletions
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 4946d73..94f4c37 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -4,6 +4,7 @@ part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,14 +31,18 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; +$a_phase2 = &$config['ipsec']['phase2']; + $wancfg = &$config['interfaces']['wan']; $pconfig['enable'] = isset($config['ipsec']['enable']); -$pconfig['ipcomp'] = isset($config['ipsec']['ipcomp']); if ($_POST) { @@ -53,7 +58,6 @@ if ($_POST) { $pconfig = $_POST; $config['ipsec']['enable'] = $_POST['enable'] ? true : false; - $config['ipsec']['ipcomp'] = $_POST['ipcomp'] ? true : false; write_config(); @@ -72,13 +76,41 @@ if ($_POST) { } } -if ($_GET['act'] == "del") { - if ($a_ipsec[$_GET['id']]) { +if ($_GET['act'] == "delph1") +{ + if ($a_phase1[$_GET['p1index']]) { /* remove static route if interface is not WAN */ - if($a_ipsec[$_GET['id']]['interface'] <> "wan") { - mwexec("/sbin/route delete -host {$$a_ipsec[$_GET['id']]['remote-gateway']}"); + if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") { + mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}"); + } + + /* remove all phase2 entries that match the ikeid */ + $ikeid = $a_phase1[$_GET['p1index']]['ikeid']; + $p2index = 0; + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { + /* remove the phase2 entry */ + unset($a_phase2[$p2index]); + continue; + } + /* only skip if we remove an entry */ + $p2index++; } - unset($a_ipsec[$_GET['id']]); + + /* remove the phase1 entry */ + unset($a_phase1[$_GET['p1index']]); + filter_configure(); + write_config(); + header("Location: vpn_ipsec.php"); + exit; + } +} + +if ($_GET['act'] == "delph2") +{ + if ($a_phase2[$_GET['p2index']]) { + /* remove the phase2 entry */ + unset($a_phase2[$_GET['p2index']]); filter_configure(); write_config(); header("Location: vpn_ipsec.php"); @@ -95,133 +127,270 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php if ($pconfig['enable']) - print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> <?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); + if ($savemsg) + print_info_box($savemsg); + if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path)) + print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); ?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> - <strong>Enable IPsec</strong></td> - </tr> - <tr> - <td> <input name="submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - </table> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td nowrap class="listhdrr">Local net<br> - Remote net</td> - <td class="listhdrr">Interface<br>Remote gw</td> - <td class="listhdrr">P1 mode</td> - <td class="listhdrr">P1 Enc. Algo</td> - <td class="listhdrr">P1 Hash Algo</td> - <td class="listhdr">Description</td> - <td class="list" > - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17" heigth="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i = 0; foreach ($a_ipsec as $ipsecent): - if (isset($ipsecent['disabled'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - } else { - $spans = $spane = ""; - } - ?> - <tr valign="top"> - <td nowrap class="listlr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['local-subnet']['network']) - echo strtoupper($ipsecent['local-subnet']['network']); +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <?php + $tab_array = array(); + $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); +// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td class="vtable"> + <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> + <strong>Enable IPsec</strong> + </td> + </tr> + <tr> + <td> + <input name="submit" type="submit" class="formbtn" value="Save"> + </td> + </tr> + </table> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr">Interface<br>Remote gw</td> + <td class="listhdrr">P1 mode</td> + <td class="listhdrr">P1 Enc. Algo</td> + <td class="listhdrr">P1 Hash Algo</td> + <td class="listhdr">Description</td> + <td class="list" > + <table border="0" cellspacing="0" cellpadding="o"> + <tr> + <td width="17" heigth="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"></a> + </td> + </tr> + </table> + </td> + </tr> + <?php + $i = 0; + foreach ($a_phase1 as $ph1ent) { + if (isset( $ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } else - echo $ipsecent['local-subnet']['address']; + $spans = $spane = ""; ?> - <br> - <?=$ipsecent['remote-subnet'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['interface']) { - $iflabels = get_configured_interface_with_descr(); - $carpips = find_number_of_needed_carp_interfaces(); - for($j=0; $j<$carpips; $j++) { - $carpip = find_interface_ip("carp" . $j); - $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; - } - $if = htmlspecialchars($iflabels[$ipsecent['interface']]); - } else - $if = "WAN"; - - echo $if . "<br>" . $ipsecent['remote-gateway']; + <tr valign="top"> + <td class="listlr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + if ($ph1ent['interface']) { + $iflabels = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for( $j=0; $j<$carpips; $j++ ) { + $carpip = find_interface_ip("carp" . $j); + $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; + } + $if = htmlspecialchars($iflabels[$ph1ent['interface']]); + } + else + $if = "WAN"; + + echo $if . "<br>" . $ph1ent['remote-gateway']; + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$ph1ent['mode'];?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?> + <?php + if ($ph1ent['encryption-algorithm']['keylen']) { + if ($ph1ent['encryption-algorithm']['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph1ent['encryption-algorithm']['keylen']} bits)"; + } + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_halgos[$ph1ent['hash-algorithm']];?> + <?=$spane;?> + </td> + <td class="listtopic" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <font color="#FFFFFF"> + <?=htmlspecialchars($ph1ent['descr']);?> + </font> + <?=$spane;?> + </td> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td> + <a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0"> + </a> + </td> + <td> + <a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td> + </td> + <td> + <a href="vpn_ipsec_phase1.php?dup=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td class="listbg" colspan="5"> + <table width="100%" height="100%"border="0" cellspacing="0" cellpadding="0"> + <tr> + <td class="listhdrr">Local Network</td> + <td class="listhdrr">Remote Network</td> + <td class="listhdrr">P2 Protocol</td> + <td class="listhdrr">P2 Transforms</td> + <td class="listhdrr">P2 Auth Methods</td> + <td class ="list"> + <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j = 0; + foreach ($a_phase2 as $ph2ent) { + if ($ph2ent['ikeid'] != $ph1ent['ikeid']) { + $j++; + continue; + } + + if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } + else + $spans = $spane = ""; + ?> + <tr valign="top"> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo $p2_protos[$ph2ent['protocol']]; ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) { + if ($k++) + echo ", "; + echo $p2_ealgos[$ph2ea['name']]['name']; + if ($ph2ea['keylen']) { + if ($ph2ea['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph2ea['keylen']} bits)"; + } + } + ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) { + if ($k++) + echo ", "; + echo $p2_halgos[$ph2ha]; + } + ?> + <?=$spane;?> + </td> + <td nowrap class="list"> + <a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0"> + </a> + <a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j++; + } + ?> + </table> + </td> + </tr> + <?php + $i++; + } ?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$ipsecent['p1']['mode'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_ealgos[$ipsecent['p1']['encryption-algorithm']];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_halgos[$ipsecent['p1']['hash-algorithm']];?> - <?=$spane;?></td> - <td class="listbg" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?><font color="#FFFFFF"> - <?=htmlspecialchars($ipsecent['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="vpn_ipsec_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit tunnel" width="17" height="17" border="0"></a></td> - <td><a href="vpn_ipsec.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this tunnel?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete tunnel" width="17" height="17" border="0"></a></td> - </tr> - <tr> - <td></td> - <td><a href="vpn_ipsec_edit.php?dup=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add a new rule based on this one" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="6"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - <td> - </tr> - <tr> - <td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can check your IPsec status at <a href="diag_ipsec_sad.php">Status:IPsec</a>.</span></p> - </td> - </tr> - </table> - </div> - </td> + <tr> + <td class="list" colspan="5"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + <td> + </tr> + <tr> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>. + </span> + </p> + </td> + </tr> + </table> + </div> + </td> </tr> </table> </form> |
