diff options
author | Renato Botelho <garga@FreeBSD.org> | 2013-01-24 17:33:13 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2013-01-24 17:33:13 -0200 |
commit | e4ffca08822057400f6a8c2af91622e0c32f6140 (patch) | |
tree | 47588f1f0ee20af929530fb0e3fe44a841ab0ba5 /usr/local | |
parent | ab2ccd9f8c5c12bee3d5bcf8ceacd53b9e3f316f (diff) | |
download | pfsense-e4ffca08822057400f6a8c2af91622e0c32f6140.zip pfsense-e4ffca08822057400f6a8c2af91622e0c32f6140.tar.gz |
Make IPv4/IPv6 validation on IPSec
It should fix #2769
Diffstat (limited to 'usr/local')
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 25 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 20 |
2 files changed, 43 insertions, 2 deletions
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index ee50cf8..90c2c34 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -176,8 +176,14 @@ if ($_POST) { if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime']))) $input_errors[] = gettext("The P1 lifetime must be an integer."); - if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))) - $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); + if ($pconfig['remotegw']) { + if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])) + $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); + elseif (is_ipaddrv4($pconfig['remotegw']) && ($pconfig['protocol'] != "inet")) + $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6"); + elseif (is_ipaddrv6($pconfig['remotegw']) && ($pconfig['protocol'] != "inet6")) + $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4"); + } if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) { $t = 0; @@ -192,6 +198,21 @@ if ($_POST) { } } + if (is_array($a_phase2) && (count($a_phase2))) { + foreach ($a_phase2 as $phase2) { + if($phase2['ikeid'] == $pconfig['ikeid']) { + if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) { + $input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4."); + break; + } + if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) { + $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6."); + break; + } + } + } + } + /* My identity */ if ($pconfig['myid_type'] == "myaddress") diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index a8c859e..4e4ac3c 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -129,6 +129,10 @@ if ($_POST) { case "address": if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) $input_errors[] = gettext("A valid local network IP address must be specified."); + elseif (is_ipaddrv4($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel")) + $input_errors[] = gettext("A valid local network IPv4 address must be specified or you need to change Mode to IPv6"); + elseif (is_ipaddrv6($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel6")) + $input_errors[] = gettext("A valid local network IPv6 address must be specified or you need to change Mode to IPv4"); break; } /* Check if the localid_type is an interface, to confirm if it has a valid subnet. */ @@ -151,6 +155,10 @@ if ($_POST) { case "address": if (!empty($pconfig['natlocalid_address']) && !is_ipaddr($pconfig['natlocalid_address'])) $input_errors[] = gettext("A valid nat local network IP address must be specified."); + elseif (is_ipaddrv4($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel")) + $input_errors[] = gettext("A valid nat local network IPv4 address must be specified or you need to change Mode to IPv6"); + elseif (is_ipaddrv6($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel6")) + $input_errors[] = gettext("A valid nat local network IPv6 address must be specified or you need to change Mode to IPv4"); break; } @@ -171,6 +179,10 @@ if ($_POST) { case "address": if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) $input_errors[] = gettext("A valid remote network IP address must be specified."); + elseif (is_ipaddrv4($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel")) + $input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6"); + elseif (is_ipaddrv6($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel6")) + $input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4"); break; } } @@ -270,6 +282,14 @@ if ($_POST) { if (isset($pconfig['mobile'])) $ph2ent['mobile'] = true; + ipsec_lookup_phase1($ph2ent, $ph1ent); + if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6")) + $input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2."); + if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel")) + $input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2."); + } + + if (!$input_errors) { if (isset($p2index) && $a_phase2[$p2index]) $a_phase2[$p2index] = $ph2ent; else |