summaryrefslogtreecommitdiffstats
path: root/usr/local
diff options
context:
space:
mode:
authorRenato Botelho <garga@FreeBSD.org>2013-01-24 17:33:13 -0200
committerRenato Botelho <garga@FreeBSD.org>2013-01-24 17:33:13 -0200
commite4ffca08822057400f6a8c2af91622e0c32f6140 (patch)
tree47588f1f0ee20af929530fb0e3fe44a841ab0ba5 /usr/local
parentab2ccd9f8c5c12bee3d5bcf8ceacd53b9e3f316f (diff)
downloadpfsense-e4ffca08822057400f6a8c2af91622e0c32f6140.zip
pfsense-e4ffca08822057400f6a8c2af91622e0c32f6140.tar.gz
Make IPv4/IPv6 validation on IPSec
It should fix #2769
Diffstat (limited to 'usr/local')
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php25
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php20
2 files changed, 43 insertions, 2 deletions
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index ee50cf8..90c2c34 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -176,8 +176,14 @@ if ($_POST) {
if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime'])))
$input_errors[] = gettext("The P1 lifetime must be an integer.");
- if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])))
- $input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
+ if ($pconfig['remotegw']) {
+ if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))
+ $input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
+ elseif (is_ipaddrv4($pconfig['remotegw']) && ($pconfig['protocol'] != "inet"))
+ $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6");
+ elseif (is_ipaddrv6($pconfig['remotegw']) && ($pconfig['protocol'] != "inet6"))
+ $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4");
+ }
if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
$t = 0;
@@ -192,6 +198,21 @@ if ($_POST) {
}
}
+ if (is_array($a_phase2) && (count($a_phase2))) {
+ foreach ($a_phase2 as $phase2) {
+ if($phase2['ikeid'] == $pconfig['ikeid']) {
+ if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) {
+ $input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4.");
+ break;
+ }
+ if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) {
+ $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6.");
+ break;
+ }
+ }
+ }
+ }
+
/* My identity */
if ($pconfig['myid_type'] == "myaddress")
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index a8c859e..4e4ac3c 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -129,6 +129,10 @@ if ($_POST) {
case "address":
if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
$input_errors[] = gettext("A valid local network IP address must be specified.");
+ elseif (is_ipaddrv4($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel"))
+ $input_errors[] = gettext("A valid local network IPv4 address must be specified or you need to change Mode to IPv6");
+ elseif (is_ipaddrv6($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel6"))
+ $input_errors[] = gettext("A valid local network IPv6 address must be specified or you need to change Mode to IPv4");
break;
}
/* Check if the localid_type is an interface, to confirm if it has a valid subnet. */
@@ -151,6 +155,10 @@ if ($_POST) {
case "address":
if (!empty($pconfig['natlocalid_address']) && !is_ipaddr($pconfig['natlocalid_address']))
$input_errors[] = gettext("A valid nat local network IP address must be specified.");
+ elseif (is_ipaddrv4($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel"))
+ $input_errors[] = gettext("A valid nat local network IPv4 address must be specified or you need to change Mode to IPv6");
+ elseif (is_ipaddrv6($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel6"))
+ $input_errors[] = gettext("A valid nat local network IPv6 address must be specified or you need to change Mode to IPv4");
break;
}
@@ -171,6 +179,10 @@ if ($_POST) {
case "address":
if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
$input_errors[] = gettext("A valid remote network IP address must be specified.");
+ elseif (is_ipaddrv4($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel"))
+ $input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6");
+ elseif (is_ipaddrv6($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel6"))
+ $input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4");
break;
}
}
@@ -270,6 +282,14 @@ if ($_POST) {
if (isset($pconfig['mobile']))
$ph2ent['mobile'] = true;
+ ipsec_lookup_phase1($ph2ent, $ph1ent);
+ if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6"))
+ $input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2.");
+ if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel"))
+ $input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2.");
+ }
+
+ if (!$input_errors) {
if (isset($p2index) && $a_phase2[$p2index])
$a_phase2[$p2index] = $ph2ent;
else
OpenPOWER on IntegriCloud