authorErmal <eri@pfsense.org>2014-10-30 21:35:51 +0100
committerErmal <eri@pfsense.org>2014-10-30 21:35:51 +0100
commit737b18f23bfc27185eda513d9ffe2600ecde9cd7 (patch)
tree73a873d7a7b41d1e9e20b65e37416baa974ef261 /usr/local
parent461eac099b80692b1feb4002357da6a61f4a3aff (diff)
downloadpfsense-737b18f23bfc27185eda513d9ffe2600ecde9cd7.zip
pfsense-737b18f23bfc27185eda513d9ffe2600ecde9cd7.tar.gz
Allow accept_unencrypted_mainmode_messages to be enabled if needed
Diffstat (limited to 'usr/local')
-rw-r--r--usr/local/www/vpn_ipsec_settings.php18
1 files changed, 18 insertions, 0 deletions
diff --git a/usr/local/www/vpn_ipsec_settings.php b/usr/local/www/vpn_ipsec_settings.php
index ba68596..0e05089 100644
--- a/usr/local/www/vpn_ipsec_settings.php
+++ b/usr/local/www/vpn_ipsec_settings.php
@@ -48,6 +48,7 @@ foreach ($ipsec_loglevels as $lkey => $ldescr) {
$pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
}
$pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
+$pconfig['acceptunencryptedmainmode'] = isset($config['ipsec']['acceptunencryptedmainmode']);
$pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
$pconfig['maxmss'] = $config['system']['maxmss'];
@@ -86,6 +87,11 @@ if ($_POST) {
elseif (isset($config['ipsec']['failoverforcereload']))
unset($config['ipsec']['failoverforcereload']);
+ if($_POST['acceptunencryptedmainmode'] == "yes")
+ $config['ipsec']['acceptunencryptedmainmode'] = true;
+ elseif (isset($config['ipsec']['acceptunencryptedmainmode']))
+ unset($config['ipsec']['acceptunencryptedmainmode']);
+
if($_POST['maxmss_enable'] == "yes") {
$config['system']['maxmss_enable'] = true;
$config['system']['maxmss'] = $_POST['maxmss'];
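Review bot: The new `if($_POST['acceptunencryptedmainmode'] == "yes")` reads the POST key unconditionally, but a browser omits an unchecked checkbox from the form submission, so every save with this option off triggers an undefined-index notice before falling through to the `unset` branch. Guard the read and compare strictly: `if (isset($_POST['acceptunencryptedmainmode']) && $_POST['acceptunencryptedmainmode'] === "yes")`. The preceding `failoverforcereload` handling appears to follow the same unguarded pattern, so this is an inherited habit rather than a regression, but a knob that deliberately weakens IKEv1 authentication is a good place to stop copying it. The enclosing `if ($_POST)` block begins before this hunk.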
@@ -225,6 +231,18 @@ function maxmss_checked(obj) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> />
+ <strong><?=gettext("Accept unencrypted ID and HASH payloads in IKEv1 Main Mode"); ?></strong>
+ <br />
+ <?=gettext("Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication." .
+ "This is very similar to Aggressive Mode, and has the same security implications: " .
+ "A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload." .
+ " It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).");?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Maximum MSS"); ?></td>
<td width="78%" class="vtable">
<input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?php if ($pconfig['maxmss_enable'] == true) echo "checked=\"checked\""; ?> onclick="maxmss_checked(this)" />
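Review bot: The concatenated help text loses the space between its first two fragments — `"... for authentication." . "This is very similar ..."` renders to the user as "authentication.This is very similar" — so the first fragment should end with `"for authentication. " .` (the last fragment already carries a leading space). Building the `gettext()` argument from several `.`-joined literals also tends to defeat message extraction for translators, so one literal, or one `gettext()` call per sentence, would be safer. Because the flag lives under `$config['ipsec']` rather than on a phase 1 entry, it presumably applies to every IKEv1 peer at once; the warning would be more useful if it said so, e.g. `"This setting is global and affects all IKEv1 phase 1 entries."` — worth confirming against the code that emits the strongSwan configuration, which is not part of this diff. The enclosing `<table>` and form markup start and end outside the hunk.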