author | Renato Botelho <renato@netgate.com> | 2015-08-25 08:08:24 -0300 |
committer | Renato Botelho <renato@netgate.com> | 2015-08-25 14:49:54 -0300 |
commit | 46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch) | |
tree | 32d18dda436ec739c67c489ceb771e8629cd926f /usr/local/www/vpn_ipsec_settings.php | |
parent | 4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff) | |
Move main pfSense content to src/
Diffstat (limited to 'usr/local/www/vpn_ipsec_settings.php')
-rw-r--r-- | usr/local/www/vpn_ipsec_settings.php | 445 |
1 files changed, 0 insertions, 445 deletions
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
deleted file mode 100644
index ac3fde9..0000000
--- a/usr/local/www/vpn_ipsec_settings.php
+++ /dev/null
@@ -1,445 +0,0 @@ -<?php -/* - vpn_ipsec_settings.php - - Copyright (C) 2015 Electric Sheep Fencing, LLC - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -##|+PRIV -##|*IDENT=page-vpn-ipsec-settings -##|*NAME=VPN: IPsec: Settings page -##|*DESCR=Allow access to the 'VPN: IPsec: Settings' page. 
-##|*MATCH=vpn_ipsec_settings.php* -##|-PRIV - -require("functions.inc"); -require("guiconfig.inc"); -require_once("filter.inc"); -require_once("shaper.inc"); -require_once("ipsec.inc"); -require_once("vpn.inc"); - -foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (!empty($config['ipsec']["ipsec_{$lkey}"])) { - $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"]; - } -} -$pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']); -$pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']); -$pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']); -$pconfig['noshuntlaninterfaces'] = isset($config['ipsec']['noshuntlaninterfaces']); -$pconfig['compression'] = isset($config['ipsec']['compression']); -$pconfig['enableinterfacesuse'] = isset($config['ipsec']['enableinterfacesuse']); -$pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']); -$pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']); -$pconfig['maxmss'] = $config['system']['maxmss']; -$pconfig['uniqueids'] = $config['ipsec']['uniqueids']; - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - if (!in_array($pconfig['ipsec_dmn'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Daemon debug."; - } - if (!in_array($pconfig['ipsec_mgr'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for SA Manager debug."; - } - if (!in_array($pconfig['ipsec_ike'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IKE SA debug."; - } - if (!in_array($pconfig['ipsec_chd'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IKE Child SA debug."; - } - if (!in_array($pconfig['ipsec_job'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Job Processing 
debug."; - } - if (!in_array($pconfig['ipsec_cfg'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Configuration backend debug."; - } - if (!in_array($pconfig['ipsec_knl'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Kernel Interface debug."; - } - if (!in_array($pconfig['ipsec_net'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Networking debug."; - } - if (!in_array($pconfig['ipsec_asn'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for ASN Encoding debug."; - } - if (!in_array($pconfig['ipsec_enc'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Message encoding debug."; - } - if (!in_array($pconfig['ipsec_imc'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Integrity checker debug."; - } - if (!in_array($pconfig['ipsec_imv'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Integrity Verifier debug."; - } - if (!in_array($pconfig['ipsec_pts'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Platform Trust Service debug."; - } - if (!in_array($pconfig['ipsec_tls'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for TLS Handler debug."; - } - if (!in_array($pconfig['ipsec_esp'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IPsec Traffic debug."; - } - if (!in_array($pconfig['ipsec_lib'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for StrongSwan Lib debug."; - } - if (isset($pconfig['maxmss'])) { - if (!is_numericint($pconfig['maxmss']) && $pconfig['maxmss'] <> 
'') { - $input_errors[] = "An integer must be specified for Maximum MSS."; - } - if ($pconfig['maxmss'] <> '' && $pconfig['maxmss'] < 576 || $pconfig['maxmss'] > 65535) { - $input_errors[] = "An integer between 576 and 65535 must be specified for Maximum MSS"; - } - } - - if (!$input_errors) { - - foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (empty($_POST["ipsec_{$lkey}"])) { - if (isset($config['ipsec']["ipsec_{$lkey}"])) { - unset($config['ipsec']["ipsec_{$lkey}"]); - } - } else { - $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"]; - } - } - - $needsrestart = false; - - if ($_POST['compression'] == "yes") { - if (!isset($config['ipsec']['compression'])) { - $needsrestart = true; - } - $config['ipsec']['compression'] = true; - } elseif (isset($config['ipsec']['compression'])) { - $needsrestart = true; - unset($config['ipsec']['compression']); - } - - if ($_POST['enableinterfacesuse'] == "yes") { - if (!isset($config['ipsec']['enableinterfacesuse'])) { - $needsrestart = true; - } - $config['ipsec']['enableinterfacesuse'] = true; - } elseif (isset($config['ipsec']['enableinterfacesuse'])) { - $needsrestart = true; - unset($config['ipsec']['enableinterfacesuse']); - } - - if ($_POST['unityplugin'] == "yes") { - if (!isset($config['ipsec']['unityplugin'])) { - $needsrestart = true; - } - $config['ipsec']['unityplugin'] = true; - } elseif (isset($config['ipsec']['unityplugin'])) { - $needsrestart = true; - unset($config['ipsec']['unityplugin']); - } - - if ($_POST['strictcrlpolicy'] == "yes") { - $config['ipsec']['strictcrlpolicy'] = true; - } elseif (isset($config['ipsec']['strictcrlpolicy'])) { - unset($config['ipsec']['strictcrlpolicy']); - } - - if ($_POST['makebeforebreak'] == "yes") { - $config['ipsec']['makebeforebreak'] = true; - } elseif (isset($config['ipsec']['makebeforebreak'])) { - unset($config['ipsec']['makebeforebreak']); - } - - if ($_POST['noshuntlaninterfaces'] == "yes") { - if (isset($config['ipsec']['noshuntlaninterfaces'])) { - 
unset($config['ipsec']['noshuntlaninterfaces']); - } - } else { - $config['ipsec']['noshuntlaninterfaces'] = true; - } - - if ($_POST['acceptunencryptedmainmode'] == "yes") { - if (!isset($config['ipsec']['acceptunencryptedmainmode'])) { - $needsrestart = true; - } - $config['ipsec']['acceptunencryptedmainmode'] = true; - } elseif (isset($config['ipsec']['acceptunencryptedmainmode'])) { - $needsrestart = true; - unset($config['ipsec']['acceptunencryptedmainmode']); - } - - if (!empty($_POST['uniqueids'])) { - $config['ipsec']['uniqueids'] = $_POST['uniqueids']; - } else if (isset($config['ipsec']['uniqueids'])) { - unset($config['ipsec']['uniqueids']); - } - - if ($_POST['maxmss_enable'] == "yes") { - $config['system']['maxmss_enable'] = true; - $config['system']['maxmss'] = $_POST['maxmss']; - } else { - if (isset($config['system']['maxmss_enable'])) { - unset($config['system']['maxmss_enable']); - } - if (isset($config['system']['maxmss'])) { - unset($config['system']['maxmss']); - } - } - - write_config(); - - $retval = 0; - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - } else { - $savemsg = gettext($retval); - } - - vpn_ipsec_configure($needsrestart); - vpn_ipsec_configure_loglevels(); - - header("Location: vpn_ipsec_settings.php"); - return; - } - - // The logic value sent by $POST is opposite to the way it is stored in the config. - // Reset the $pconfig value so it reflects the opposite of what was $POSTed. 
- if ($_POST['noshuntlaninterfaces'] == "yes") { - $pconfig['noshuntlaninterfaces'] = false; - } else { - $pconfig['noshuntlaninterfaces'] = true; - } -} - -$pgtitle = array(gettext("VPN"), gettext("IPsec"), gettext("Settings")); -$shortcut_section = "ipsec"; - -include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> - -<script type="text/javascript"> -//<![CDATA[ - -function maxmss_checked(obj) { - if (obj.checked) { - jQuery('#maxmss').attr('disabled', false); - } else { - jQuery('#maxmss').attr('disabled', 'true'); - } -} - -//]]> -</script> - -<form action="vpn_ipsec_settings.php" method="post" name="iform" id="iform"> - -<?php - if ($savemsg) { - print_info_box($savemsg); - } - if ($input_errors) { - print_input_errors($input_errors); - } -?> - -<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="vpn ipsec settings"> - <tr> - <td class="tabnavtbl"> - <?php - $tab_array = array(); - $tab_array[0] = array(gettext("Tunnels"), false, "vpn_ipsec.php"); - $tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array(gettext("Pre-Shared Key"), false, "vpn_ipsec_keys.php"); - $tab_array[3] = array(gettext("Advanced Settings"), true, "vpn_ipsec_settings.php"); - display_top_tabs($tab_array); - ?> - </td> - </tr> - <tr> - <td id="mainarea"> - <div class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area"> - <tr> - <td colspan="2" valign="top" class="listtopic"><?=gettext("IPsec Advanced Settings"); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td> - <td width="78%" class="vtable"> - <strong><?=gettext("Start IPsec in debug mode based on sections selected"); ?></strong> - <br /> - <table summary="ipsec debug"> - <?php foreach ($ipsec_loglevels as $lkey => $ldescr): ?> - <tr> - <td width="22%" valign="top" class="vncell"><?=$ldescr;?></td> - <td 
width="78%" valign="top" class="vncell"> - <?php - echo "<select name=\"ipsec_{$lkey}\" id=\"ipsec_{$lkey}\">\n"; - foreach (array("Silent", "Audit", "Control", "Diag", "Raw", "Highest") as $lidx => $lvalue) { - echo "<option value=\"{$lidx}\" "; - if ($pconfig["ipsec_{$lkey}"] == $lidx) { - echo "selected=\"selected\""; - } - echo ">{$lvalue}</option>\n"; - } - ?> - </select> - </td> - </tr> - <?php endforeach; ?> - <tr style="display:none;"> - <td></td> - </tr> - </table> - <br /><?=gettext("Launches IPsec in debug mode so that more verbose logs " . - "will be generated to aid in troubleshooting."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Unique IDs"); ?></td> - <td width="78%" class="vtable"> - <strong><?=gettext("Configure Unique IDs as: "); ?></strong> - <?php - echo "<select name=\"uniqueids\" id=\"uniqueids\">\n"; - foreach ($ipsec_idhandling as $value => $lvalue) { - echo "<option value=\"{$value}\" "; - if ($pconfig['uniqueids'] == $value) { - echo "selected=\"selected\""; - } - echo ">{$lvalue}</option>\n"; - } - ?> - </select> - <br /> - <?=gettext("whether a particular participant ID should be kept unique, with any new IKE_SA using an ID " . - "deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new " . - "IKE_SA using the same ID is almost invariably intended to replace an old one. " . - "The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an " . - "INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. " . - "The daemon also accepts the value <b>keep</b> to reject " . - "new IKE_SA setups and keep the duplicate established earlier. 
Defaults to Yes."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("IP Compression"); ?></td> - <td width="78%" class="vtable"> - <input name="compression" type="checkbox" id="compression" value="yes" <?php if ($pconfig['compression']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable IPCompression"); ?></strong> - <br /> - <?=gettext("IPComp compression of content is proposed on the connection."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Strict interface binding"); ?></td> - <td width="78%" class="vtable"> - <input name="enableinterfacesuse" type="checkbox" id="enableinterfacesuse" value="yes" <?php if ($pconfig['enableinterfacesuse']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable strict interface binding"); ?></strong> - <br /> - <?=gettext("Enable strongSwan's interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td> - <td width="78%" class="vtable"> - <input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Accept unencrypted ID and HASH payloads in IKEv1 Main Mode"); ?></strong> - <br /> - <?=gettext("Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication." . - "This is very similar to Aggressive Mode, and has the same security implications: " . - "A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload." . 
- " It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).");?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Maximum MSS"); ?></td> - <td width="78%" class="vtable"> - <input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?php if ($pconfig['maxmss_enable'] == true) echo "checked=\"checked\""; ?> onclick="maxmss_checked(this)" /> - <strong><?=gettext("Enable MSS clamping on VPN traffic"); ?></strong> - <br /> - <input name="maxmss" id="maxmss" value="<?php if ($pconfig['maxmss'] <> "") echo htmlspecialchars($pconfig['maxmss']); else "1400"; ?>" class="formfld unknown" <?php if ($pconfig['maxmss_enable'] == false) echo "disabled=\"disabled\""; ?> /> - <br /> - <?=gettext("Enable MSS clamping on TCP flows over VPN. " . - "This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. 
"); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Disable Cisco Extensions"); ?></td> - <td width="78%" class="vtable"> - <input name="unityplugin" type="checkbox" id="unityplugin" value="yes" <?php if ($pconfig['unityplugin'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Disable Unity Plugin"); ?></strong> - <br /> - <?=gettext("Disable Unity Plugin which provides Cisco Extension support as Split-Include, Split-Exclude, Split-Dns, ..."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Strict CRL Checking"); ?></td> - <td width="78%" class="vtable"> - <input name="strictcrlpolicy" type="checkbox" id="strictcrlpolicy" value="yes" <?php if ($pconfig['strictcrlpolicy'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable strict Certificate Revocation List checking"); ?></strong> - <br /> - <?=gettext("Check this to require availability of a fresh CRL for peer authentication based on RSA signatures to succeed."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Make before Break"); ?></td> - <td width="78%" class="vtable"> - <input name="makebeforebreak" type="checkbox" id="makebeforebreak" value="yes" <?php if ($pconfig['makebeforebreak'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Initiate IKEv2 reauthentication with a make-before-break"); ?></strong> - <br /> - <?=gettext("instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication " . - "by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps " . 
- "during reauthentication, but requires support for overlapping SAs by the peer.");?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Auto-exclude LAN address"); ?></td> - <td width="78%" class="vtable"> - <input name="noshuntlaninterfaces" type="checkbox" id="noshuntlaninterfaces" value="yes" <?php if ($pconfig['noshuntlaninterfaces'] != true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable bypass for LAN interface IP"); ?></strong> - <br /> - <?=gettext("Exclude traffic from LAN subnet to LAN IP address from IPsec."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> |