authorErmal <eri@pfsense.org>2014-09-12 19:22:48 +0200
committerErmal <eri@pfsense.org>2014-09-12 19:22:48 +0200
commitfa4e059e17708cc12f258b636a7b701a99528c84 (patch)
tree88e3d2bc6737f153dd48b9e524607e5644943a4f /usr/local
parente373e4cd1cd9557f5ad6ec87c869d44b779357b1 (diff)
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases
Diffstat (limited to 'usr/local')
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php165
1 files changed, 93 insertions, 72 deletions
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index c8276fc..9f22a68 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -5,6 +5,7 @@
Copyright (C) 2008 Shrew Soft Inc
Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ Copyright (C) 2014 Ermal LUÇI
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -79,7 +80,10 @@ if (isset($p1index) && $a_phase1[$p1index]) {
else
$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
- $pconfig['iketype'] = $a_phase1[$p1index]['iketype'];
+ if (empty($a_phase1[$p1index]['iketype']))
+ $pconfig['iketype'] = "ikev1";
+ else
+ $pconfig['iketype'] = $a_phase1[$p1index]['iketype'];
$pconfig['mode'] = $a_phase1[$p1index]['mode'];
$pconfig['protocol'] = $a_phase1[$p1index]['protocol'];
$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
@@ -150,6 +154,10 @@ if ($_POST) {
// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
// For RSA methods, require the CA/Cert.
switch ($method) {
+ case "eap-tls":
+ if ($pconfig['iketype'] != 'ikev2')
+ $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
+ break;
case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on
// the PSK tab, not here, so skip the check.
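Review bot: The new `eap-tls` case validates only the IKE type and then breaks, so a phase 1 saved with EAP-TLS is never checked for a selected certificate and CA, even though the comment above the switch says certificate methods require them and the form shows the `opt_cert`/`opt_ca` rows for this method. Add the same presence checks the certificate-based cases use (their bodies are outside this hunk), e.g. `if (empty($pconfig['certref'])) $input_errors[] = gettext("A certificate must be selected for EAP-TLS.");` and the matching check on `$pconfig['caref']`. The comparison should also be strict: `if ($pconfig['iketype'] !== 'ikev2')`. The enclosing `if ($_POST)` block starts before this hunk.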
@@ -405,41 +413,49 @@ function methodsel_change() {
value = document.iform.authentication_method.options[index].value;
switch (value) {
- case 'hybrid_rsa_server':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
- case 'xauth_rsa_server':
- case 'rsasig':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
+ case 'eap-tls':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
+ case 'hybrid_rsa_server':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
+ case 'xauth_rsa_server':
+ case 'rsasig':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
<?php if ($pconfig['mobile']) { ?>
- case 'pre_shared_key':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = 'none';
- document.getElementById('opt_cert').style.display = 'none';
- document.getElementById('opt_ca').style.display = 'none';
- document.getElementById('opt_cert').disabled = true;
- document.getElementById('opt_ca').disabled = true;
- break;
+ case 'pre_shared_key':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = 'none';
+ document.getElementById('opt_cert').style.display = 'none';
+ document.getElementById('opt_ca').style.display = 'none';
+ document.getElementById('opt_cert').disabled = true;
+ document.getElementById('opt_ca').disabled = true;
+ break;
<?php } ?>
- default: /* psk modes*/
- document.getElementById('opt_psk').style.display = '';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = 'none';
- document.getElementById('opt_ca').style.display = 'none';
- document.getElementById('opt_cert').disabled = true;
- document.getElementById('opt_ca').disabled = true;
- break;
+ default: /* psk modes*/
+ document.getElementById('opt_psk').style.display = '';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = 'none';
+ document.getElementById('opt_ca').style.display = 'none';
+ document.getElementById('opt_cert').disabled = true;
+ document.getElementById('opt_ca').disabled = true;
+ break;
}
}
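Review bot: The added `eap-tls` case at the top of the switch duplicates the `hybrid_rsa_server` and `xauth_rsa_server`/`rsasig` bodies line for line, and the hunk re-indents those untouched cases as well, so the diff shows about forty changed lines for what is one new label. Since the three bodies are identical, stack the labels on one body: `case 'eap-tls':`, `case 'hybrid_rsa_server':`, `case 'xauth_rsa_server':`, `case 'rsasig':` followed by a single set of `opt_*` display/disabled assignments and one `break;`. Leaving the re-indentation out of this commit would also keep the history showing only the functional change. `methodsel_change()` opens before this hunk.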
@@ -709,6 +725,49 @@ function dpdchkbox_change() {
</span>
</td>
</tr>
+ <tr id="opt_cert">
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="certref" class="formselect">
+ <?php
+ foreach ($config['cert'] as $cert):
+ $selected = "";
+ if ($pconfig['certref'] == $cert['refid'])
+ $selected = "selected=\"selected\"";
+ ?>
+ <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option>
+ <?php endforeach; ?>
+ </select>
+ <br />
+ <span class="vexpl">
+ <?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
+ </span>
+ </td>
+ </tr>
+ <tr id="opt_ca">
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="caref" class="formselect">
+ <?php
+ foreach ($config['ca'] as $ca):
+ $selected = "";
+ if ($pconfig['caref'] == $ca['refid'])
+ $selected = "selected=\"selected\"";
+ ?>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
+ <?php endforeach; ?>
+ </select>
+ <br />
+ <span class="vexpl">
+ <?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">
+ <?=gettext("Phase 1 proposal (Algorithms)"); ?>
+ </td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
<td width="78%" class="vtable">
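Review bot: The relocated certificate and CA rows still emit `$cert['descr']`, `$cert['refid']`, `$ca['descr']` and `$ca['refid']` into HTML attribute and text context without escaping; the description is free text entered in the Certificate Manager, so a `"` or `<` in it breaks out of the `value` attribute or the option text on this page. Wrap each with `htmlspecialchars()`, e.g. `<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option>`, and the same for the CA option. Presumably `$config['cert']` and `$config['ca']` can be unset on a fresh install; if so, each `foreach` would emit a warning, and an `isset` guard or `(array)` cast before the loop would be cheap. The `==` in the `$selected` comparison could also be `===`, since both sides are config strings.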
@@ -767,44 +826,6 @@ function dpdchkbox_change() {
<?=gettext("seconds"); ?>
</td>
</tr>
- <tr id="opt_cert">
- <td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
- <td width="78%" class="vtable">
- <select name="certref" class="formselect">
- <?php
- foreach ($config['cert'] as $cert):
- $selected = "";
- if ($pconfig['certref'] == $cert['refid'])
- $selected = "selected=\"selected\"";
- ?>
- <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option>
- <?php endforeach; ?>
- </select>
- <br />
- <span class="vexpl">
- <?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
- </span>
- </td>
- </tr>
- <tr id="opt_ca">
- <td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
- <td width="78%" class="vtable">
- <select name="caref" class="formselect">
- <?php
- foreach ($config['ca'] as $ca):
- $selected = "";
- if ($pconfig['caref'] == $ca['refid'])
- $selected = "selected=\"selected\"";
- ?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
- <?php endforeach; ?>
- </select>
- <br />
- <span class="vexpl">
- <?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
- </span>
- </td>
- </tr>
<tr>
<td colspan="2" class="list" height="12"></td>
</tr>