author | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-13 23:28:45 +0000 |
---|---|---|
committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-13 23:28:45 +0000 |
commit | 3462a52903223da3bf931ab0dda9267242c4bb6c (patch) | |
tree | c48c6e58b55e61d592bea303dbbb9a9bdf4c4f05 /usr/local/www | |
parent | 916c50019bb2bf3116f023fd5933f236598c5fd7 (diff) | |
Introduce a new and improved version of IPsec mobile client support. The
mobile client tab is now used to configure user authentication (Xauth) and
client configuration (mode-cfg) options. User authentication is currently
limited to system password file entries. This will be extended to support
external RADIUS and LDAP account DBs in a follow-up commit.
Diffstat (limited to 'usr/local/www')
-rwxr-xr-x | usr/local/www/guiconfig.inc | 2 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 19 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca.php | 2 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_mobile.php | 808 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 268 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 107 |
6 files changed, 759 insertions, 447 deletions
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 9fecc45..acb3c1f 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc @@ -228,7 +228,7 @@ function print_info_box_np($msg, $name="apply",$value="Apply changes") { echo " </td>\n"; echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; echo " </td>"; - if(stristr($msg, "apply") == true || stristr($msg, "save")) { + if(stristr($msg, "apply") == true || stristr($msg, "save") || stristr($msg, "create")) { echo " <td>"; echo " <input name=\"{$name}\" type=\"submit\" class=\"formbtn\" id=\"${name}\" value=\"{$value}\">\n"; echo " </td>"; diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 94f4c37..d6761be 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -139,7 +139,7 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); -// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> @@ -179,6 +179,7 @@ include("head.inc"); </table> </td> </tr> + <?php $i = 0; foreach ($a_phase1 as $ph1ent) { @@ -205,7 +206,10 @@ include("head.inc"); else $if = "WAN"; - echo $if . "<br>" . $ph1ent['remote-gateway']; + if (!isset($ph1ent['mobile'])) + echo $if."<br>".$ph1ent['remote-gateway']; + else + echo $if."<br><strong>Mobile Client</strong>"; ?> <?=$spane;?> </td> 
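Review bot: The widened trigger in print_info_box_np is still a substring match on the message text, so any info box whose wording happens to contain "create" (or "apply"/"save") now grows a submit button whether or not the caller wanted one, and the button's `$name`/`$value` are interpolated into the attribute unescaped. The callers this commit adds pass literal strings, so it is a robustness point rather than something exploitable here, but the `${name}` form used for the id attribute is also the interpolation syntax later PHP releases deprecate. I would write the input line as `echo " <input name=\"" . htmlspecialchars($name) . "\" type=\"submit\" class=\"formbtn\" id=\"" . htmlspecialchars($name) . "\" value=\"" . htmlspecialchars($value) . "\">\n";` and, longer term, let callers request the button explicitly instead of inferring it from the message. print_info_box_np's body starts and ends outside the hunk.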
@@ -275,7 +279,7 @@ include("head.inc"); <td class="listhdrr">P2 Transforms</td> <td class="listhdrr">P2 Auth Methods</td> <td class ="list"> - <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?>"> + <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?><?php if (isset($ph1ent['mobile'])) echo "&mobile=true";?>"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0"> </a> </td> @@ -296,19 +300,20 @@ include("head.inc"); $spans = $spane = ""; ?> <tr valign="top"> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> <?=$spans;?> - <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + <?=ipsec_idinfo_to_text($ph2ent['localid']); ?> <?=$spane;?> </td> <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> <?=$spans;?> - <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + <?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?> <?=$spane;?> </td> <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> <?=$spans;?> - <?php echo $p2_protos[$ph2ent['protocol']]; ?> + <?php echo $p2_protos[$ph2ent['protocol']]; ?> <?=$spane;?> </td> <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> @@ -350,6 +355,7 @@ include("head.inc"); </a> </td> </tr> + <?php $j++; } @@ -361,6 +367,7 @@ include("head.inc"); $i++; } ?> + <tr> <td class="list" colspan="5"></td> <td class="list"> diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php index b94c66d..25d0f4e 100755 --- a/usr/local/www/vpn_ipsec_ca.php +++ b/usr/local/www/vpn_ipsec_ca.php 
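Review bot: The new phase2 "add" link emits `$ph1ent['ikeid']` into the href without escaping and appends a raw `&mobile=true` inside an HTML attribute; ikeid comes from the stored config rather than the request, so this is an output-encoding consistency issue rather than an injection, but the page already uses htmlspecialchars elsewhere. I would write `<a href="vpn_ipsec_phase2.php?ikeid=<?=htmlspecialchars(urlencode($ph1ent['ikeid']));?><?php if (isset($ph1ent['mobile'])) echo "&amp;mobile=true";?>">`. Since the "mobile" property is now carried as a query-string flag, vpn_ipsec_phase2.php (changed in this commit but not shown here) should presumably derive it from the referenced phase1 entry's `mobile` key rather than trusting the URL; worth confirming there.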
@@ -65,7 +65,7 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); -// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); $tab_array[2] = array("CAs", true, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 5a88b66..5d78b73 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -1,9 +1,8 @@ <?php /* vpn_ipsec_mobile.php - part of m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -30,129 +29,170 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['mobileclients'])) { - $config['ipsec']['mobileclients'] = array(); +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; + +$a_client = &$config['ipsec']['client']; + +if (!is_array($config['ipsec']['client'])) + $config['ipsec']['client'] = array(); + +$a_client = &$config['ipsec']['client']; + +if (count($a_client)) { + + $pconfig['enable'] = $a_client['enable']; + + $pconfig['user_source'] = $a_client['user_source']; + $pconfig['group_source'] = $a_client['group_source']; + + $pconfig['pool_address'] = $a_client['pool_address']; + $pconfig['pool_netbits'] = $a_client['pool_netbits']; + $pconfig['net_list'] = $a_client['net_list']; + $pconfig['dns_domain'] = $a_client['dns_domain']; + $pconfig['dns_server1'] = $a_client['dns_server1']; + $pconfig['dns_server2'] = $a_client['dns_server2']; + $pconfig['dns_server3'] = $a_client['dns_server3']; + $pconfig['dns_server4'] = $a_client['dns_server4']; + $pconfig['wins_server1'] = $a_client['wins_server1']; + $pconfig['wins_server2'] = $a_client['wins_server2']; + $pconfig['pfs_group'] = $a_client['pfs_group']; + $pconfig['login_banner'] = $a_client['login_banner']; + + if (isset($pconfig['enable'])) + $pconfig['enable'] = true; + + if ($pconfig['pool_address']&&$pconfig['pool_netbits']) + $pconfig['pool_enable'] = true; + else + $pconfig['pool_netbits'] = 24; + + if (isset($pconfig['net_list'])) + $pconfig['net_list_enable'] = true; + + if ($pconfig['dns_domain']) + $pconfig['dns_domain_enable'] = true; + + if ($pconfig['dns_server1']||$pconfig['dns_server2']||$pconfig['dns_server3']||$pconfig['dns_server4']) + $pconfig['dns_server_enable'] = true; + + if ($pconfig['wins_server1']||$pconfig['wins_server2']) + $pconfig['wins_server_enable'] = true; + + if (isset($pconfig['pfs_group'])) + $pconfig['pfs_group_enable'] = true; + + if ($pconfig['login_banner']) + 
$pconfig['login_banner_enable'] = true; } -$a_ipsec = &$config['ipsec']['mobileclients']; - -if (count($a_ipsec) == 0) { - /* defaults */ - $pconfig['p1mode'] = "aggressive"; - $pconfig['p1myidentt'] = "myaddress"; - $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "sha1"; - $pconfig['p1dhgroup'] = "2"; - $pconfig['p1authentication_method'] = "pre_shared_key"; - $pconfig['p2proto'] = "esp"; - $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); - $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); - $pconfig['p2pfsgroup'] = "0"; -} else { - $pconfig['enable'] = isset($a_ipsec['enable']); - $pconfig['natt'] = isset($a_ipsec['natt']); - $pconfig['p1mode'] = $a_ipsec['p1']['mode']; - - if (isset($a_ipsec['p1']['myident']['myaddress'])) - $pconfig['p1myidentt'] = 'myaddress'; - else if (isset($a_ipsec['p1']['myident']['address'])) { - $pconfig['p1myidentt'] = 'address'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['address']; - } else if (isset($a_ipsec['p1']['myident']['fqdn'])) { - $pconfig['p1myidentt'] = 'fqdn'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn']; - } else if (isset($a_ipsec['p1']['myident']['ufqdn'])) { - $pconfig['p1myidentt'] = 'user_fqdn'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['ufqdn']; - } - - $pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm']; - $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; - $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; - $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; - $pconfig['p1authentication_method'] = $a_ipsec['p1']['authentication_method']; - $pconfig['p1cert'] = base64_decode($a_ipsec['p1']['cert']); - $pconfig['p1privatekey'] = base64_decode($a_ipsec['p1']['private-key']); - $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; - $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; - $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; - $pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup']; - 
$pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime']; + +if ($_POST['create']) { + header("Location: vpn_ipsec_phase1.php?mobile=true"); +} + +if ($_POST['apply']) { + $retval = 0; + $retval = vpn_ipsec_configure(); + $savemsg = get_std_save_message($retval); + if ($retval == 0) + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); } -if ($_POST) { +if ($_POST['submit']) { + unset($input_errors); $pconfig = $_POST; - /* input validation */ - $reqdfields = explode(" ", "p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "P2 Encryption Algorithms,P2 Hash Algorithms"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if ($_POST['p1authentication_method']== "rsasig") { - if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - } + /* input consolidation */ + - if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { - $input_errors[] = "The P1 lifetime must be an integer."; - } - if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { - $input_errors[] = "The P2 lifetime must be an integer."; - } - if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { - $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - } - if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { - $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + + /* input validation */ + + $reqdfields = explode(" ", "user_source group_source"); + $reqdfieldsn = explode(",", "User Authentication Source,Group Authentication Source"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($pconfig['pool_enable']) + if 
(!is_ipaddr($pconfig['pool_address'])) + $input_errors[] = "A valid IP address for 'Virtual Address Pool Network' must be specified."; + + if ($pconfig['dns_domain_enable']) + if (!is_domain($pconfig['dns_domain'])) + $input_errors[] = "A valid value for 'DNS Default Domain' must be specified."; + + if ($pconfig['dns_server_enable']) { + if (!$pconfig['dns_server1'] && !$pconfig['dns_server2'] && + !$pconfig['dns_server3'] && !$pconfig['dns_server4'] ) + $input_errors[] = "At least one DNS server must be specified to enable the DNS Server option."; + if ($pconfig['dns_server1'] && !is_ipaddr($pconfig['dns_server1'])) + $input_errors[] = "A valid IP address for 'DNS Server #1' must be specified."; + if ($pconfig['dns_server2'] && !is_ipaddr($pconfig['dns_server2'])) + $input_errors[] = "A valid IP address for 'DNS Server #2' must be specified."; + if ($pconfig['dns_server3'] && !is_ipaddr($pconfig['dns_server3'])) + $input_errors[] = "A valid IP address for 'DNS Server #3' must be specified."; + if ($pconfig['dns_server4'] && !is_ipaddr($pconfig['dns_server4'])) + $input_errors[] = "A valid IP address for 'DNS Server #4' must be specified."; } - if ($_POST['p1myidentt'] == "user_fqdn") { - $ufqdn = explode("@",$_POST['p1myident']); - if (!is_domain($ufqdn[1])) - $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + + if ($pconfig['wins_server_enable']) { + if (!$pconfig['wins_server1'] && !$pconfig['wins_server2']) + $input_errors[] = "At least one WINS server must be specified to enable the DNS Server option."; + if ($pconfig['wins_server1'] && !is_ipaddr($pconfig['wins_server1'])) + $input_errors[] = "A valid IP address for 'WINS Server #1' must be specified."; + if ($pconfig['wins_server2'] && !is_ipaddr($pconfig['wins_server2'])) + $input_errors[] = "A valid IP address for 'WINS Server #2' must be specified."; } - - if ($_POST['p1myidentt'] == "myaddress") - $_POST['p1myident'] = ""; + + if 
($pconfig['login_banner_enable']) + if (!strlen($pconfig['login_banner'])) + $input_errors[] = "A valid value for 'Login Banner' must be specified."; if (!$input_errors) { - $ipsecent = array(); - $ipsecent['enable'] = $_POST['enable'] ? true : false; - $ipsecent['p1']['mode'] = $_POST['p1mode']; - $ipsecent['natt'] = $_POST['natt'] ? true : false; + $client = array(); - $ipsecent['p1']['myident'] = array(); - switch ($_POST['p1myidentt']) { - case 'myaddress': - $ipsecent['p1']['myident']['myaddress'] = true; - break; - case 'address': - $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; - break; - case 'fqdn': - $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; - break; - case 'user_fqdn': - $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; - break; + if ($pconfig['enable']) + $client['enable'] = true; + + $client['user_source'] = $pconfig['user_source']; + $client['group_source'] = $pconfig['group_source']; + + if ($pconfig['pool_enable']) { + $client['pool_address'] = $pconfig['pool_address']; + $client['pool_netbits'] = $pconfig['pool_netbits']; } - - $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; - $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; - $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; - $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; - $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); - $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); - $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; - $ipsecent['p2']['protocol'] = $_POST['p2proto']; - $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; - $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; - $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; - $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; - - $a_ipsec = $ipsecent; + + if ($pconfig['net_list_enable']) + $client['net_list'] = true; + + if ($pconfig['dns_domain_enable']) + $client['dns_domain'] = 
$pconfig['dns_domain']; + + if ($pconfig['dns_server_enable']) { + $client['dns_server1'] = $pconfig['dns_server1']; + $client['dns_server2'] = $pconfig['dns_server2']; + $client['dns_server3'] = $pconfig['dns_server3']; + $client['dns_server4'] = $pconfig['dns_server4']; + } + + if ($pconfig['wins_server_enable']) { + $client['wins_server1'] = $pconfig['wins_server1']; + $client['wins_server2'] = $pconfig['wins_server2']; + } + + if ($pconfig['pfs_group_enable']) + $client['pfs_group'] = $pconfig['pfs_group']; + + if ($pconfig['login_banner_enable']) + $client['login_banner'] = $pconfig['login_banner']; + +// $echo "login banner = {$pconfig['login_banner']}"; + + $a_client = $client; write_config(); touch($d_ipsecconfdirty_path); 
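Review bot: In the `$_POST['submit']` branch, `user_source`, `group_source` and `pool_netbits` go from the request straight into `$client` and write_config() with only a presence check on the first two (do_input_validation) and nothing at all on the prefix length, so neither field is constrained to the values the form offers nor the netbits to 0–32; with RADIUS/LDAP backends announced as the next step, an allow-list now keeps an arbitrary string from reaching the IPsec configuration later. After do_input_validation I would add `if (!in_array($pconfig['user_source'], array('system'), true)) $input_errors[] = "A valid user authentication source must be selected.";` (likewise for group_source), and inside the pool_enable check `if (!is_numeric($pconfig['pool_netbits']) || (int)$pconfig['pool_netbits'] < 0 || (int)$pconfig['pool_netbits'] > 32) $input_errors[] = "A valid prefix length for 'Virtual Address Pool Network' must be specified.";`. The `$_POST['create']` branch sends a Location header but does not `exit;`, so the rest of the page is still processed and emitted after the redirect. The leftover `// $echo "login banner = ..."` debug line should be removed.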
@@ -164,235 +204,357 @@ if ($_POST) { $pgtitle = array("VPN","IPsec","Mobile"); include("head.inc"); - ?> + <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> + <script language="JavaScript"> <!-- -function methodsel_change() { - switch (document.iform.p1authentication_method.selectedIndex) { - case 1: /* rsa */ - document.iform.p1privatekey.disabled = 0; - document.iform.p1cert.disabled = 0; - break; - default: /* pre-shared */ - document.iform.p1privatekey.disabled = 1; - document.iform.p1cert.disabled = 1; - break; + +function pool_change() { + + if (document.iform.pool_enable.checked) { + document.iform.pool_address.disabled = 0; + document.iform.pool_netbits.disabled = 0; + } else { + document.iform.pool_address.disabled = 1; + document.iform.pool_netbits.disabled = 1; + } +} + +function dns_domain_change() { + + if (document.iform.dns_domain_enable.checked) + document.iform.dns_domain.disabled = 0; + else + document.iform.dns_domain.disabled = 1; +} + +function dns_server_change() { + + if (document.iform.dns_server_enable.checked) { + document.iform.dns_server1.disabled = 0; + document.iform.dns_server2.disabled = 0; + document.iform.dns_server3.disabled = 0; + document.iform.dns_server4.disabled = 0; + } else { + document.iform.dns_server1.disabled = 1; + document.iform.dns_server2.disabled = 1; + document.iform.dns_server3.disabled = 1; + document.iform.dns_server4.disabled = 1; + } +} + +function wins_server_change() { + + if (document.iform.wins_server_enable.checked) { + document.iform.wins_server1.disabled = 0; + document.iform.wins_server2.disabled = 0; + } else { + document.iform.wins_server1.disabled = 1; + document.iform.wins_server2.disabled = 1; } } + +function pfs_group_change() { + + if (document.iform.pfs_group_enable.checked) + document.iform.pfs_group.disabled = 0; + else + document.iform.pfs_group.disabled = 1; +} + +function login_banner_change() { + + if (document.iform.login_banner_enable.checked) + 
document.iform.login_banner.disabled = 0; + else + document.iform.login_banner.disabled = 1; +} + //--> </script> -<form action="vpn_ipsec.php" method="post"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -</form> + <form action="vpn_ipsec_mobile.php" method="post" name="iform" id="iform"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> <?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); + if ($savemsg) + print_info_box($savemsg); + if (file_exists($d_ipsecconfdirty_path)) + print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); + foreach ($a_phase1 as $ph1ent) + if (isset($ph1ent['mobile'])) + $ph1found = true; + if ($pconfig['enable'] && !$ph1found) + print_info_box_np("Support for IPsec Mobile clients is enabled but a Phase1 definition was not found.<br>Please click Create to define one.","create","Create Phase1"); ?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?>> - <strong>Allow mobile clients</strong></td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="natt" type="checkbox" id="natt" value="yes" <?php if ($pconfig['natt']) echo "checked"; ?>> - <strong>Enable NAT Traversal (NAT-T)</strong><br> - <span 
class="vexpl">Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, - which can help with clients that are behind restrictive firewalls.</span></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 1 proposal - (Authentication)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Negotiation mode</td> - <td width="78%" class="vtable"> - <select name="p1mode" class="formselect"> - <?php $modes = explode(" ", "main aggressive"); foreach ($modes as $mode): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1mode']) echo "selected"; ?>> - <?=htmlspecialchars($mode);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Aggressive is faster, but - less secure.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">My identifier</td> - <td width="78%" class="vtable"> - <select name="p1myidentt" class="formselect"> - <?php foreach ($my_identifier_list as $mode => $modename): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1myidentt']) echo "selected"; ?>> - <?=htmlspecialchars($modename);?> - </option> - <?php endforeach; ?> - </select> <input name="p1myident" type="text" class="formfld unknown" id="p1myident" size="30" value="<?=$pconfig['p1myident'];?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> - <td width="78%" class="vtable"> - <select name="p1ealgo" class="formselect"> - <?php foreach ($p1_ealgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1ealgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. 
</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithm</td> - <td width="78%" class="vtable"> - <select name="p1halgo" class="formselect"> - <?php foreach ($p1_halgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1halgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">DH key group</td> - <td width="78%" class="vtable"> - <select name="p1dhgroup" class="formselect"> - <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p1dhgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroup);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em><br> - Must match the setting chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p1lifetime" type="text" class="formfld unknown" id="p1lifetime" size="20" value="<?=$pconfig['p1lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Authentication method</td> - <td width="78%" class="vtable"> - <select name="p1authentication_method" class="formselect" onChange="methodsel_change()"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['p1authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. 
</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Certificate</td> - <td width="78%" class="vtable"> - <textarea name="p1cert" cols="65" rows="7" id="p1cert" class="formpre"><?=htmlspecialchars($pconfig['p1cert']);?></textarea> - <br> - Paste a certificate in X.509 PEM format here.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Key</td> - <td width="78%" class="vtable"> - <textarea name="p1privatekey" cols="65" rows="7" id="p1privatekey" class="formpre"><?=htmlspecialchars($pconfig['p1privatekey']);?></textarea> - <br> - Paste an RSA private key in PEM format here.</td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 2 proposal - (SA/Key Exchange)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Protocol</td> - <td width="78%" class="vtable"> - <select name="p2proto" class="formselect"> - <?php foreach ($p2_protos as $proto => $protoname): ?> - <option value="<?=$proto;?>" <?php if ($proto == $pconfig['p2proto']) echo "selected"; ?>> - <?=htmlspecialchars($protoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">ESP is encryption, AH is - authentication only </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_ealgos as $algo => $algoname): ?> - <input type="checkbox" name="p2ealgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2ealgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - <br> - Hint: use 3DES for best compatibility or if you have a hardware - crypto accelerator card. Blowfish is usually the fastest in - software encryption. 
</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_halgos as $algo => $algoname): ?> - <input type="checkbox" name="p2halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2halgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">PFS key group</td> - <td width="78%" class="vtable"> - <select name="p2pfsgroup" class="formselect"> - <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p2pfsgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroupname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em></span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p2lifetime" type="text" class="formfld unknown" id="p2lifetime" size="20" value="<?=$pconfig['p2lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - </table> - </div> - </td> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <?php + $tab_array = array(); + $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); + $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">IKE Extensions</td> + <td width="78%" class="vtable"> + 
<?php set_checked($pconfig['enable'],$chk); ?> + <input name="enable" type="checkbox" id="enable" value="yes" <?=$chk;?>> + <strong>Enable Support of Mobile Clients</strong> + <br> + </td> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"> + Extended Authentication (Xauth) + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">User Authentication</td> + <td width="78%" class="vtable"> + Source: + <select name="user_source" class="formselect" id="user_source"> + <option value="system">system</option> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Group Authentication</td> + <td width="78%" class="vtable"> + Source: + <select name="group_source" class="formselect" id="group_source"> + <option value="system">system</option> + </select> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"> + Client Configuration (mode-cfg) + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Virtual Address Pool</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['pool_enable'],$chk); ?> + <input name="pool_enable" type="checkbox" id="pool_enable" value="yes" <?=$chk;?> onClick="pool_change()"> + Provide a vitual IP address to clients<br> + <br> + </td> + </tr> + <tr> + <td> + Network: + <input name="pool_address" type="text" class="formfld unknown" id="pool_address" size="20" value="<?=$pconfig['pool_address'];?>"> + / + <select name="pool_netbits" class="formselect" id="pool_netbits"> + <?php for ($i = 32; $i >= 0; $i--): ?> + <option value="<?=$i;?>" <?php if ($i == $pconfig['pool_netbits']) echo "selected"; ?>> + <?=$i;?> + </option> + <?php endfor; ?> + </select> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" 
class="vncellreq">Network List</td> + <td width="78%" class="vtable"> + <?php set_checked($pconfig['net_list_enable'],$chk); ?> + <input name="net_list_enable" type="checkbox" id="net_list_enable" value="yes" <?=$chk;?>> + Provide a list of accessable networks to clients<br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">DNS Default Domain</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['dns_domain_enable'],$chk); ?> + <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=$chk;?> onClick="dns_domain_change()"> + Provide a default domain name to clients<br> + <br> + </td> + </tr> + <tr> + <td> + <input name="dns_domain" type="text" class="formfld unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">DNS Servers</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['dns_server_enable'],$chk); ?> + <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=$chk;?> onClick="dns_server_change()"> + Provide a DNS server list to clients<br> + <br> + </td> + </tr> + <tr> + <td> + Server #1: + <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>"> + </td> + </tr> + <tr> + <td> + Server #2: + <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>"> + </td> + </tr> + <tr> + <td> + Server #3: + <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>"> + </td> + </tr> + <tr> + <td> + Server #4: + <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" 
value="<?=$pconfig['dns_server4'];?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">WINS Servers</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['wins_server_enable'],$chk); ?> + <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=$chk;?> onClick="wins_server_change()"> + Provide a WINS server list to clients<br> + <br> + </td> + </tr> + <tr> + <td> + Server #1: + <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>"> + </td> + </tr> + <tr> + <td> + Server #2: + <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>"> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Phase2 PFS Group</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['pfs_group_enable'],$chk); ?> + <input name="pfs_group_enable" type="checkbox" id="pfs_group_enable" value="yes" <?=$chk;?> onClick="pfs_group_change()"> + Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )<br> + <br> + </td> + </tr> + <tr> + <td> + Group: + <select name="pfs_group" class="formselect" id="pfs_group"> + <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> + <option value="<?=$keygroup;?>" <?php if ($pconfig['pfs_group'] == $keygroup) echo "selected"; ?>> + <?=htmlspecialchars($keygroupname);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Login Banner</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="2" cellpadding="0"> + <tr> + <td> + <?php set_checked($pconfig['login_banner_enable'],$chk); ?> + <input 
name="login_banner_enable" type="checkbox" id="login_banner_enable" value="yes" <?=$chk;?> onClick="login_banner_change()"> + Provide a login banner to clients<br> + <br> + </td> + </tr> + <tr> + <td> + <?php $banner = htmlspecialchars($pconfig['login_banner']); ?> + <textarea name="login_banner" cols="65" rows="7" id="login_banner" class="formpre"><?=$banner;?></textarea> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="submit" type="submit" class="formbtn" value="Save"> + </td> + </tr> + </table> + </div> + </td> </tr> </table> </form> <script language="JavaScript"> -<!-- -methodsel_change(); +pool_change(); +dns_domain_change(); +dns_server_change(); +wins_server_change(); +pfs_group_change(); +login_banner_change(); //--> </script> <?php include("fend.inc"); ?> </body> </html> + +<?php + +/* local utility functions */ + +function set_checked($var,& $chk) { + if($var) + $chk = '"checked"'; + else + $chk = ''; +} + +?> + diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index 0a21362..0378105 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -58,7 +58,12 @@ if (isset($p1index) && $a_phase1[$p1index]) $pconfig['interface'] = "wan"; list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); - $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + + if (isset($a_phase1[$p1index]['mobile'])) + $pconfig['mobile'] = 'true'; + else + $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + $pconfig['mode'] = $a_phase1[$p1index]['mode']; $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data']; 
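Review bot: The re-rendered form echoes `$pconfig['pool_address']`, `dns_server1`–`4` and `wins_server1`/`2` into value attributes without htmlspecialchars, while `dns_domain` and `login_banner` in the same table are escaped; because the earlier hunk sets `$pconfig = $_POST` on submit and then falls through to this page on validation failure, a submitted value such as `" onfocus=alert(1) x="` is rejected by is_ipaddr and then reflected verbatim into the page. Escape the seven fields the same way as the others, e.g. `value="<?=htmlspecialchars($pconfig['pool_address']);?>"`. Separately, `set_checked` assigns `'"checked"'` with the quotes embedded, so the markup becomes `<input ... "checked">`, which browsers tolerate but is malformed; `$chk = 'checked';` is what was intended. `$ph1found` is never initialised before the foreach, so the "Create Phase1" prompt depends on an undefined variable being falsy when no mobile phase1 exists.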
@@ -76,9 +81,13 @@ if (isset($p1index) && $a_phase1[$p1index]) $pconfig['descr'] = $a_phase1[$p1index]['descr']; $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal']; - $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable']; - $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay']; - $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + + if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) { + $pconfig['dpd_enable'] = true; + $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay']; + $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + } + $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost']; } else @@ -96,9 +105,11 @@ else $pconfig['dhgroup'] = "2"; $pconfig['lifetime'] = "28800"; $pconfig['nat_traversal'] = "on"; - $pconfig['dpd_enable'] = 1; - $pconfig['dpd_delay'] = 10; - $pconfig['dpd_maxfail'] = 5; + $pconfig['dpd_enable'] = true; + + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } if (isset($_GET['dup'])) 
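Review bot: The load branch only marks DPD enabled when both `dpd_delay` and `dpd_maxfail` are truthy, but the POST validation later in this file accepts any numeric value, including `0`, so an entry saved with a zero delay or retry count reloads with the checkbox cleared and silently loses its DPD settings on the next save. Testing the two keys with `isset()` here, or rejecting `0` at validation time with a `< 1` check, keeps load and save consistent. The enclosing `if (isset($p1index) && $a_phase1[$p1index])` block starts before this hunk.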
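Review bot: `if($_GET['mobile'])` in the defaults branch reads the key without `isset()`, which raises an undefined-index notice on every ordinary (non-mobile) add; the defaults hunk of vpn_ipsec_phase2.php repeats the same pattern. `if (isset($_GET['mobile']))` matches how the rest of the file tests the flag. The flag is also stored as boolean `true` here but as the string `'true'` in the load branch above and in the hidden form field; all are truthy, so it works, but one representation would be clearer.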
@@ -109,29 +120,33 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - if ($_POST['authentication_method'] == "pre_shared_key") { - $reqdfields = explode(" ", "remotegw pskey"); - $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key"); + + $method = $pconfig['authentication_method']; + if (($method == "pre_shared_key")||($method == "xauth_psk_server")) { + $reqdfields = explode(" ", "pskey"); + $reqdfieldsn = explode(",", "Pre-Shared Key"); } else { - $reqdfields = explode(" ", "remotegw"); - $reqdfieldsn = explode(",", "Remote gateway"); - if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + if (!strstr($pconfig['cert'], "BEGIN CERTIFICATE") || !strstr($pconfig['cert'], "END CERTIFICATE")) $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY")) + if (!strstr($pconfig['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($pconfig['privatekey'], "END RSA PRIVATE KEY")) $input_errors[] = "This key does not appear to be valid."; - if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE"))) + if ($pconfig['peercert']!="" && (!strstr($pconfig['peercert'], "BEGIN CERTIFICATE") || !strstr($pconfig['peercert'], "END CERTIFICATE"))) $input_errors[] = "This peer certificate does not appear to be valid."; } + if (!$pconfig['mobile']) { + $reqdfields[] = "remotegw"; + $reqdfieldsn[] = "Remote gateway"; + } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, &$input_errors); - if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) + if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime']))) $input_errors[] = "The P1 lifetime must be an integer."; - if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && 
!is_domain($_POST['remotegw']))) + if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))) $input_errors[] = "A valid remote gateway address or host name must be specified."; - if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { + if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) { $t = 0; foreach ($a_phase1 as $ph1tmp) { if ($p1index <> $t) { 
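Review bot: The validation never checks that `$pconfig['authentication_method']` is one of the keys of `$p1_authentication_methods`, nor that a mobile-only method (the `mobile` flag used to filter the `<select>` options later in this file) is rejected when `$pconfig['mobile']` is unset; the option filtering is UI-only, and any unknown value posted here lands in the `else` branch and is stored as-is. Adding `if (!isset($p1_authentication_methods[$method])) $input_errors[] = "Invalid authentication method.";` plus a comparison of that method's `mobile` flag against `$pconfig['mobile']` keeps the server-side rules in step with the form. The `do_input_validation(..., &$input_errors)` call keeps the pre-existing call-time pass-by-reference, which newer PHP releases reject.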
@@ -146,123 +161,134 @@ if ($_POST) { /* My identity */ - if ($_POST['myid_type'] == "myaddress") - $_POST['myid_data'] = ""; + if ($pconfig['myid_type'] == "myaddress") + $pconfig['myid_data'] = ""; - if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter an address for 'My Identifier'"); - if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); - if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); - if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); - if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); - if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data']))) + if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data']))) + if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) $input_errors[] = "A valid domain name for 'My identifier' must be specified."; - if ($_POST['myid_type'] == "fqdn") - if (is_domain($_POST['myid_data']) == false) + if ($pconfig['myid_type'] == "fqdn") + if (is_domain($pconfig['myid_data']) == false) 
$input_errors[] = "A valid FQDN for 'My identifier' must be specified."; - if ($_POST['myid_type'] == "user_fqdn") { - $user_fqdn = explode("@",$_POST['myid_data']); + if ($pconfig['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$pconfig['myid_data']); if (is_domain($user_fqdn[1]) == false) $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; } - if ($_POST['myid_type'] == "dyn_dns") - if (is_domain($_POST['myid_data']) == false) + if ($pconfig['myid_type'] == "dyn_dns") + if (is_domain($pconfig['myid_data']) == false) $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; /* Peer identity */ - if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "") + if ($pconfig['myid_type'] == "peeraddress") + $pconfig['peerid_data'] = ""; + + if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); - if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data']))) + if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) $input_errors[] = "A valid IP address for 'Peer identifier' must be specified."; - if 
((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data']))) + if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) $input_errors[] = "A valid domain name for 'Peer identifier' must be specified."; - if ($_POST['peerid_type'] == "fqdn") - if (is_domain($_POST['peerid_data']) == false) + if ($pconfig['peerid_type'] == "fqdn") + if (is_domain($pconfig['peerid_data']) == false) $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified."; - if ($_POST['peerid_type'] == "user_fqdn") { - $user_fqdn = explode("@",$_POST['peerid_data']); + if ($pconfig['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$pconfig['peerid_data']); if (is_domain($user_fqdn[1]) == false) $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."; } - if ($_POST['dpd_enable']) { - if (!is_numeric($_POST['dpd_delay'])) + if ($pconfig['dpd_enable']) { + if (!is_numeric($pconfig['dpd_delay'])) $input_errors[] = "A numeric value must be specified for DPD delay."; - if (!is_numeric($_POST['dpd_maxfail'])) + if (!is_numeric($pconfig['dpd_maxfail'])) $input_errors[] = "A numeric value must be specified for DPD retries."; } /* build our encryption algorithms array */ $pconfig['ealgo'] = array(); $pconfig['ealgo']['name'] = $_POST['ealgo']; - if($_POST['ealgo_keylen']) + if($pconfig['ealgo_keylen']) $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; if (!$input_errors) { - $ph1ent['ikeid'] = $_POST['ikeid']; - $ph1ent['disabled'] = $_POST['disabled'] ? true : false; + $ph1ent['ikeid'] = $pconfig['ikeid']; + $ph1ent['disabled'] = $pconfig['disabled'] ? 
true : false; $ph1ent['interface'] = $pconfig['interface']; /* if the remote gateway changed and the interface is not WAN then remove route */ /* the vpn_ipsec_configure() handles adding the route */ - if ($_POST['interface'] <> "wan") { - if($ph1ent['remote-gateway'] <> $_POST['remotegw']) { + if ($pconfig['interface'] <> "wan") { + if($ph1ent['remote-gateway'] <> $pconfig['remotegw']) { mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}"); } } - $ph1ent['remote-gateway'] = $_POST['remotegw']; - $ph1ent['mode'] = $_POST['mode']; - $ph1ent['myid_type'] = $_POST['myid_type']; - $ph1ent['myid_data'] = $_POST['myid_data']; - $ph1ent['peerid_type'] = $_POST['peerid_type']; - $ph1ent['peerid_data'] = $_POST['peerid_data']; + if ($pconfig['mobile']) + $ph1ent['mobile'] = true; + else + $ph1ent['remote-gateway'] = $pconfig['remotegw']; + + $ph1ent['mode'] = $pconfig['mode']; + + $ph1ent['myid_type'] = $pconfig['myid_type']; + $ph1ent['myid_data'] = $pconfig['myid_data']; + $ph1ent['peerid_type'] = $pconfig['peerid_type']; + $ph1ent['peerid_data'] = $pconfig['peerid_data']; $ph1ent['encryption-algorithm'] = $pconfig['ealgo']; - $ph1ent['hash-algorithm'] = $_POST['halgo']; - $ph1ent['dhgroup'] = $_POST['dhgroup']; - $ph1ent['lifetime'] = $_POST['lifetime']; - $ph1ent['pre-shared-key'] = $_POST['pskey']; - $ph1ent['private-key'] = base64_encode($_POST['privatekey']); - $ph1ent['cert'] = base64_encode($_POST['cert']); - $ph1ent['peercert'] = base64_encode($_POST['peercert']); - $ph1ent['authentication_method'] = $_POST['authentication_method']; - - $ph1ent['descr'] = $_POST['descr']; - $ph1ent['nat_traversal'] = $_POST['nat_traversal']; - $ph1ent['dpd_enable'] = $_POST['dpd_enable']; - $ph1ent['dpd_delay'] = $_POST['dpd_delay']; - $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail']; - $ph1ent['pinghost'] = $_POST['pinghost']; + $ph1ent['hash-algorithm'] = $pconfig['halgo']; + $ph1ent['dhgroup'] = $pconfig['dhgroup']; + $ph1ent['lifetime'] = $pconfig['lifetime']; + 
$ph1ent['pre-shared-key'] = $pconfig['pskey']; + $ph1ent['private-key'] = base64_encode($pconfig['privatekey']); + $ph1ent['cert'] = base64_encode($pconfig['cert']); + $ph1ent['peercert'] = base64_encode($pconfig['peercert']); + $ph1ent['authentication_method'] = $pconfig['authentication_method']; + + $ph1ent['descr'] = $pconfig['descr']; + $ph1ent['nat_traversal'] = $pconfig['nat_traversal']; + + if (isset($pconfig['dpd_enable'])) { + $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; + $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; + } + + $ph1ent['pinghost'] = $pconfig['pinghost']; /* generate unique phase1 ikeid */ if ($ph1ent['ikeid'] == 0) { @@ -290,7 +316,11 @@ if ($_POST) { } } -$pgtitle = array("VPN","IPsec","Edit Phase 1"); +if ($pconfig['mobile']) + $pgtitle = array("VPN","IPsec","Edit Phase 1", "Mobile Client"); +else + $pgtitle = array("VPN","IPsec","Edit Phase 1"); + include("head.inc"); ?> 
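Review bot: `if ($pconfig['myid_type'] == "peeraddress") $pconfig['peerid_data'] = "";` tests the wrong field: the 'My identifier' value for this purpose is `myaddress` (handled just above), and `peeridsel_change()` added later in this file hides `peerid_data` when `peerid_type` is `peeraddress`, so the line should read `if ($pconfig['peerid_type'] == "peeraddress") $pconfig['peerid_data'] = "";`. As written, stale peer identifier data is never cleared and is stored in `$ph1ent['peerid_data']`. Separately, when `$pconfig['mobile']` is set the save path no longer assigns `remote-gateway`, but if `$ph1ent` is the existing entry (its initialisation is outside this hunk) an earlier `remote-gateway` value would survive unless it is explicitly `unset()`.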
@@ -299,15 +329,44 @@ include("head.inc"); <?php include("fbegin.inc"); ?> <script language="JavaScript"> <!-- + +function myidsel_change() { + index = document.iform.myid_type.selectedIndex; + value = document.iform.myid_type.options[index].value; + if (value == 'myaddress') + document.iform.myid_data.style.visibility = 'hidden'; + else + document.iform.myid_data.style.visibility = 'visible'; +} + +function peeridsel_change() { + index = document.iform.peerid_type.selectedIndex; + value = document.iform.peerid_type.options[index].value; + if (value == 'peeraddress') + document.iform.peerid_data.style.visibility = 'hidden'; + else + document.iform.peerid_data.style.visibility = 'visible'; +} + function methodsel_change() { - switch (document.iform.authentication_method.selectedIndex) { - case 1: /* rsa */ + index = document.iform.authentication_method.selectedIndex; + value = document.iform.authentication_method.options[index].value; + + switch (value) { + case 'hybrid_rsa_server': + document.iform.pskey.disabled = 1; + document.iform.privatekey.disabled = 0; + document.iform.cert.disabled = 0; + document.iform.peercert.disabled = 1; + break; + case 'xauth_rsa_server': + case 'rsasig': document.iform.pskey.disabled = 1; document.iform.privatekey.disabled = 0; document.iform.cert.disabled = 0; document.iform.peercert.disabled = 0; break; - default: /* pre-shared */ + default: /* psk modes*/ document.iform.pskey.disabled = 0; document.iform.privatekey.disabled = 1; document.iform.cert.disabled = 1; @@ -349,6 +408,7 @@ function ealgosel_change(bits) { if( bits ) document.iform.ealgo_keylen.value = bits; } + function dpdchkbox_change() { if( document.iform.dpd_enable.checked ) { document.iform.dpd_delay.disabled = 0; 
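Review bot: `index` and `value` in the new `myidsel_change()`, `peeridsel_change()` and `methodsel_change()` are assigned without `var`, so they become implicit globals shared between the three handlers; `var index = ...; var value = ...;` keeps each function self-contained. The `hybrid_rsa_server` case disables `peercert` while `xauth_rsa_server` and `rsasig` keep it enabled; a one-line comment on why the hybrid mode needs no peer certificate would help the next reader, since the two cases otherwise look identical.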
@@ -357,7 +417,14 @@ function dpdchkbox_change() { document.iform.dpd_delay.disabled = 1; document.iform.dpd_maxfail.disabled = 1; } + + if (!document.iform.dpd_delay.value) + document.iform.dpd_delay.value = "10"; + + if (!document.iform.dpd_maxfail.value) + document.iform.dpd_maxfail.value = "5"; } + //--> </script> <?php if ($input_errors) print_input_errors($input_errors); ?> @@ -394,6 +461,7 @@ function dpdchkbox_change() { <span class="vexpl">Select the interface for the local endpoint of this phase1 entry.</span> </td> </tr> + <?php if (!$pconfig['mobile']): ?> <tr> <td width="22%" valign="top" class="vncellreq">Remote gateway</td> <td width="78%" class="vtable"> @@ -402,6 +470,7 @@ function dpdchkbox_change() { Enter the public IP address or host name of the remote gateway </td> </tr> + <?php endif; ?> <tr> <td width="22%" valign="top" class="vncell">Description</td> <td width="78%" class="vtable"> @@ -436,10 +505,10 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top" class="vncellreq">My identifier</td> <td width="78%" class="vtable"> - <select name="myid_type" class="formselect"> - <?php foreach ($my_identifier_list as $mode => $modename): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['myid_type']) echo "selected"; ?>> - <?=htmlspecialchars($modename);?> + <select name="myid_type" class="formselect" onChange="myidsel_change()"> + <?php foreach ($my_identifier_list as $id_type => $id_params): ?> + <option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) echo "selected"; ?>> + <?=htmlspecialchars($id_params['desc']);?> </option> <?php endforeach; ?> </select> 
@@ -449,10 +518,14 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top" class="vncellreq">Peer identifier</td> <td width="78%" class="vtable"> - <select name="peerid_type" class="formselect"> - <?php foreach ($peer_identifier_list as $mode => $modename): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['peerid_type']) echo "selected"; ?>> - <?=htmlspecialchars($modename);?> + <select name="peerid_type" class="formselect" onChange="peeridsel_change()"> + <?php + foreach ($peer_identifier_list as $id_type => $id_params): + if ($pconfig['mobile'] && !$id_params['mobile']) + continue; + ?> + <option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['peerid_type']) echo "selected"; ?>> + <?=htmlspecialchars($id_params['desc']);?> </option> <?php endforeach; ?> </select> @@ -523,9 +596,13 @@ function dpdchkbox_change() { <td width="22%" valign="top" class="vncellreq">Authentication method</td> <td width="78%" class="vtable"> <select name="authentication_method" class="formselect" onChange="methodsel_change()"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> + <?php + foreach ($p1_authentication_methods as $method_type => $method_params): + if (!$pconfig['mobile'] && $method_params['mobile']) + continue; + ?> + <option value="<?=$method_type;?>" <?php if ($method_type == $pconfig['authentication_method']) echo "selected"; ?>> + <?=htmlspecialchars($method_params['name']);?> </option> <?php endforeach; ?> </select> 
@@ -587,10 +664,10 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top" class="vncell">Dead Peer Detection</td> <td width="78%" class="vtable"> - <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if ($pconfig['dpd_enable']) echo "checked"; ?> onClick="dpdchkbox_change()"> + <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if (isset($pconfig['dpd_enable'])) echo "checked"; ?> onClick="dpdchkbox_change()"> Enable DPD<br> <br> - <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>"> + <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>"> seconds<br> <span class="vexpl">Delay between requesting peer acknowledgement.</span><br> <br> @@ -609,11 +686,14 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> <?php if (isset($p1index) && $a_phase1[$p1index]): ?> <input name="p1index" type="hidden" value="<?=$p1index;?>"> <?php endif; ?> + <?php if ($pconfig['mobile']): ?> + <input name="mobile" type="hidden" value="true"> + <?php endif; ?> + <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <input name="Submit" type="submit" class="formbtn" value="Save"> </td> </tr> </table> @@ -627,9 +707,13 @@ function dpdchkbox_change() { if (is_numeric($pconfig['ealgo']['keylen'])) $keyset = $pconfig['ealgo']['keylen']; ?> +myidsel_change(); +peeridsel_change(); methodsel_change(); ealgosel_change(<?=$keyset;?>); dpdchkbox_change(); //--> </script> <?php include("fend.inc"); ?> +</body> +</html> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 7a3c5ce..f32c567 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php 
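Review bot: `value="<?=$pconfig['dpd_delay'];?>"` (and `dpd_maxfail` just below, outside the hunk) echoes the posted value back into an attribute without `htmlspecialchars()`, so on a validation-error re-render a value containing a double quote breaks out of the attribute; `value="<?=htmlspecialchars($pconfig['dpd_delay']);?>"` is the form already used for the option labels elsewhere in this file. The same applies to the other `<?=$pconfig[...];?>` attribute echoes in this form.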
@@ -31,6 +31,11 @@ require("guiconfig.inc"); +if (!is_array($config['ipsec']['client'])) + $config['ipsec']['client'] = array(); + +$a_client = &$config['ipsec']['client']; + if (!is_array($config['ipsec']['phase2'])) $config['ipsec']['phase2'] = array(); @@ -60,6 +65,9 @@ if (isset($p2index) && $a_phase2[$p2index]) $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option']; $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup']; $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime']; + + if (isset($a_phase2[$p2index]['mobile'])) + $pconfig['mobile'] = true; } else { @@ -73,6 +81,10 @@ else $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5"); $pconfig['pfsgroup'] = "0"; $pconfig['lifetime'] = "3600"; + + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } if (isset($_GET['dup'])) 
@@ -83,41 +95,43 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - $ealgos = pconfig_to_ealgos($pconfig); - $localid = pconfig_to_idinfo("local",$pconfig); - $remoteid = pconfig_to_idinfo("remote",$pconfig); - if (!isset( $_POST['ikeid'])) $input_errors[] = "A valid ikeid must be specified."; /* input validation */ - $reqdfields = explode(" ", "localid_type remoteid_type halgos"); - $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms"); + $reqdfields = explode(" ", "localid_type halgos"); + $reqdfieldsn = explode(",", "Local network type,P2 Hash Algorithms"); + if (!isset($pconfig['mobile'])){ + $reqdfields[] = "remoteid_type"; + $reqdfieldsn[] = "Remote network type"; + } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - switch ($_POST['localid_type']) { + switch ($pconfig['localid_type']) { case "network": - if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits'])) + if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits'])) $input_errors[] = "A valid local network bit count must be specified.."; case "address": - if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address'])) + if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) $input_errors[] = "A valid local network IP address must be specified."; break; } - switch ($_POST['remoteid_type']) { + switch ($pconfig['remoteid_type']) { case "network": - if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits'])) + if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) $input_errors[] = "A valid remote network bit count must be specified.."; case "address": - if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address'])) + if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) $input_errors[] = "A valid remote network IP address must be specified."; break; } /* TODO : Validate enabled phase2's are not 
duplicates */ + $ealgos = pconfig_to_ealgos($pconfig); + if (!count($ealgos)) { $input_errors[] = "At least one encryption algorithm must be selected."; } @@ -126,16 +140,22 @@ if ($_POST) { } if (!$input_errors) { - $ph2ent['ikeid'] = $_POST['ikeid']; - $ph2ent['disabled'] = $_POST['disabled'] ? true : false; - $ph2ent['localid'] = $localid; - $ph2ent['remoteid'] = $remoteid; - $ph2ent['protocol'] = $_POST['proto']; + + $ph2ent['ikeid'] = $pconfig['ikeid']; + $ph2ent['disabled'] = $pconfig['disabled'] ? true : false; + + $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig); + $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig); + + $ph2ent['protocol'] = $pconfig['proto']; $ph2ent['encryption-algorithm-option'] = $ealgos; - $ph2ent['hash-algorithm-option'] = $_POST['halgos']; - $ph2ent['pfsgroup'] = $_POST['pfsgroup']; - $ph2ent['lifetime'] = $_POST['lifetime']; - $ph2ent['descr'] = $_POST['descr']; + $ph2ent['hash-algorithm-option'] = $pconfig['halgos']; + $ph2ent['pfsgroup'] = $pconfig['pfsgroup']; + $ph2ent['lifetime'] = $pconfig['lifetime']; + $ph2ent['descr'] = $pconfig['descr']; + + if (isset($pconfig['mobile'])) + $ph2ent['mobile'] = true; if (isset($p2index) && $a_phase2[$p2index]) $a_phase2[$p2index] = $ph2ent; @@ -150,7 +170,11 @@ if ($_POST) { } } -$pgtitle = array("VPN","IPsec","Edit Phase 2"); +if ($pconfig['mobile']) + $pgtitle = array("VPN","IPsec","Edit Phase 2", "Mobile Client"); +else + $pgtitle = array("VPN","IPsec","Edit Phase 2"); + include("head.inc"); ?> @@ -183,6 +207,17 @@ function typesel_change_local(bits) { break; } } + +<?php if (isset($pconfig['mobile'])): ?> + +function typesel_change_remote(bits) { + + document.iform.remoteid_address.disabled = 1; + document.iform.remoteid_netbits.disabled = 1; +} + +<?php else: ?> + function typesel_change_remote(bits) { if (!bits) @@ -207,6 +242,9 @@ function typesel_change_remote(bits) { break; } } + +<?php endif; ?> + //--> </script> 
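Review bot: In the mobile case the form posts `remoteid_type=mobile` from a hidden field added later in this file, and the `switch ($pconfig['remoteid_type'])` here has no `case "mobile"`, so it silently falls through; `pconfig_to_idinfo("remote",$pconfig)` in the next hunk is then called with that value, and what it produces for `mobile` depends on that helper, which is outside this hunk. An explicit `case "mobile": break; /* remote id supplied by the mobile client */` or a check that `remoteid_type` is one of the known values would make the intended handling visible. `ikeid` is only tested with `isset()`; adding `is_numeric($pconfig['ikeid'])` would reject malformed values before they are stored in `$ph2ent['ikeid']`.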
@@ -260,6 +298,8 @@ function typesel_change_remote(bits) { </table> </td> </tr> + <?php if (!isset($pconfig['mobile'])): ?> + <tr> <td width="22%" valign="top" class="vncellreq">Remote Network</td> <td width="78%" class="vtable"> <table border="0" cellspacing="0" cellpadding="0"> @@ -291,6 +331,7 @@ function typesel_change_remote(bits) { </table> </td> </tr> + <?php endif; ?> <tr> <td width="22%" valign="top" class="vncell">Description</td> <td width="78%" class="vtable"> @@ -380,6 +421,7 @@ function typesel_change_remote(bits) { <tr> <td width="22%" valign="top" class="vncellreq">PFS key group</td> <td width="78%" class="vtable"> + <?php if (!isset($pconfig['mobile']) || !isset($a_client['pfs_group'])): ?> <select name="pfsgroup" class="formselect"> <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['pfsgroup']) echo "selected"; ?>> @@ -389,6 +431,14 @@ function typesel_change_remote(bits) { </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em></span> + <?php else: ?> + <select class="formselect" disabled> + <option selected><?=$p2_pfskeygroups[$a_client['pfs_group']];?></option> + </select> + <input name="pfsgroup" type="hidden" value="<?=$pconfig['pfsgroup'];?>"> + <br> + <span class="vexpl"><em>Set globally in mobile client options</em></span> + <?php endif; ?> </td> </tr> <tr> 
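Review bot: `<?=$p2_pfskeygroups[$a_client['pfs_group']];?>` and the hidden `<?=$pconfig['pfsgroup'];?>` are echoed without `htmlspecialchars()`, unlike the `$keygroupname` option labels in the same `<select>`; wrapping both keeps the output escaping consistent. Also, when the global mobile PFS group is set, the hidden field carries the per-entry `$pconfig['pfsgroup']` rather than the displayed global value, so the stored phase2 entry and what the admin sees can differ; if the backend is meant to ignore the per-entry value in that case, a comment saying so next to the hidden input would avoid confusion.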
@@ -401,11 +451,15 @@ function typesel_change_remote(bits) { <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> <?php if (isset($p2index) && $a_phase2[$p2index]): ?> <input name="p2index" type="hidden" value="<?=$p2index;?>"> <?php endif; ?> + <?php if ($pconfig['mobile']): ?> + <input name="mobile" type="hidden" value="true"> + <input name="remoteid_type" type="hidden" value="mobile"> + <?php endif; ?> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> </td> </tr> </table> @@ -417,9 +471,13 @@ typesel_change_remote(<?=$pconfig['remoteid_netbits']?>); //--> </script> <?php include("fend.inc"); ?> +</body> +</html> <?php +/* local utility functions */ + function pconfig_to_ealgos(& $pconfig) { global $p2_ealgos; @@ -487,3 +545,4 @@ function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) { } ?> + |