author | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-11 01:55:30 +0000 |
---|---|---|
committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-07-11 01:55:30 +0000 |
commit | a93e56c58af2611650d1f97190ffe54782479423 (patch) | |
tree | 4748e51726a04966508a45bd275cf8e0589df7be /usr | |
parent | 2a66b533249a31c4b9ea6f90c696998b2ba8ba49 (diff) | |
Overhaul IPsec related code. Shared functions have been consolidated into
a new file named /etc/ipsec.inc. Tunnel definitions have been split into
phase1 and phase2. This allows any number of phase2 definitions to be
created for a single phase1 definition. Several facets of configuration
have also been improved. The key size for variable length algorithms can
now be selected and the phase1 ID options have been extended to allow for
more flexible configuration. Several NAT-T related issues have also been
resolved.
Please note, IPsec remote access functionality has been temporarily
disabled. An improved implementation will be included in a follow up
commit.
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/diag_ipsec.php | 236 | ||||
-rwxr-xr-x | usr/local/www/diag_ipsec_sad.php | 174 | ||||
-rwxr-xr-x | usr/local/www/diag_ipsec_spd.php | 201 | ||||
-rwxr-xr-x | usr/local/www/diag_logs_ipsec.php | 8 | ||||
-rwxr-xr-x | usr/local/www/guiconfig.inc | 19 | ||||
-rwxr-xr-x | usr/local/www/pkg_edit.php | 2 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 435 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca.php | 16 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_edit.php | 662 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_keys.php | 120 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_keys_edit.php | 128 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_mobile.php | 3 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 635 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 489 | ||||
-rw-r--r-- | usr/local/www/widgets/include/ipsec.inc | 81 | ||||
-rw-r--r-- | usr/local/www/widgets/widgets/ipsec.widget.php | 26 |
16 files changed, 1705 insertions, 1530 deletions
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php index 4b16fe5..a61a5a1 100644 --- a/usr/local/www/diag_ipsec.php +++ b/usr/local/www/diag_ipsec.php @@ -3,6 +3,7 @@ /* diag_ipsec.php Copyright (C) 2007 Scott Ullrich + Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>. All rights reserved. Parts of this code was originally based on vpn_ipsec_sad.php 
@@ -30,170 +31,111 @@ POSSIBILITY OF SUCH DAMAGE. */ +global $g; + $pgtitle = array("Status","IPsec"); require("guiconfig.inc"); include("head.inc"); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase2 = &$config['ipsec']['phase2']; + +$spd = ipsec_dump_spd(); +$sad = ipsec_dump_sad(); + ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>"> <?php include("fbegin.inc"); ?> <div id="inputerrors"></div> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", true, "diag_ipsec.php"); - $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> -<?php - -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} - -/* query SAD */ -$fd = @popen("/sbin/setkey -D", "r"); -$sad = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); -} -?> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($sad)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Description</a></td> - <td nowrap 
class="listhdrr">Status</td> - </tr> -<?php -foreach ($config['ipsec']['tunnel'] as $ipsec) { - if(! isset($ipsec['disabled'])) { -?> <tr> - <td class="listlr"><?=htmlspecialchars(get_ipsec_tunnel_src($ipsec));?> - <br/> - <?php if ($ipsec['local-subnet']['network']) - echo strtoupper($ipsecent['local-subnet']['network']); - else - echo $ipsec['local-subnet']['address']; - ?> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", true, "diag_ipsec.php"); + $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> </td> - <td class="listr"><?=htmlspecialchars($ipsec['remote-gateway']);?> - <br/> - <?=$ipsec['remote-subnet'];?> - </td> - <td class="listr"><?=htmlspecialchars($ipsec['descr']);?></td> - <td class="listr"><?php echo output_ipsec_tunnel_status($ipsec); ?></td> </tr> -<?php - } -} -?> -<?php else: ?> - <tr> - <td> - <p> - <strong>No IPsec security associations.</strong> - </p> - </td> - </tr> -<?php endif; ?> - <tr> - <td colspan="4"> - <p> - <span class="vexpl"> - <span class="red"> - <strong> - Note:<br /> - </strong> - </span> - You can configure your IPsec - <a href="vpn_ipsec.php">here</a>. 
- </span> - </p> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($sad)): ?> + <tr> + <td nowrap class="listhdrr">Local IP</td> + <td nowrap class="listhdrr">Remote IP</a></td> + <td nowrap class="listhdrr">Local Network</td> + <td nowrap class="listhdrr">Remote Network</a></td> + <td nowrap class="listhdrr">Description</a></td> + <td nowrap class="listhdrr">Status</td> + </tr> + <?php + foreach ($a_phase2 as $ph2ent) { + if (!isset($ph2ent['disabled'])) { + ipsec_lookup_phase1($ph2ent,$ph1ent); + if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) + $icon = "pass"; + else + $icon = "reject"; + ?> + <tr> + <td class="listlr"> + <?=htmlspecialchars(ipsec_get_phase1_src($ph1ent));?> + </td> + <td class="listr"> + <?=htmlspecialchars($ph1ent['remote-gateway']);?> + </td> + <td class="listr"> + <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + </td> + <td class="listr"> + <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + </td> + <td class="listr"><?=htmlspecialchars($ph2ent['descr']);?></td> + <td class="listr"> + <img src ="/themes/<?=$g['theme']?>/images/icons/icon_<?=$icon?>.gif"> + </td> + </tr> + <?php + } + } + ?> + <?php else: ?> + <tr> + <td> + <p> + <strong>No IPsec security associations.</strong> + </p> + </td> + </tr> + <?php endif; ?> + <tr> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br /></strong> + </span> + You can configure your IPsec + <a href="vpn_ipsec.php">here</a>. 
+ </span> + </p> + </td> + </tr> + </table> + </div> </td> - </tr> -</table> -</div> - -</td></tr> - + </tr> </table> <?php include("fend.inc"); ?> </body> </html> -<?php - -function get_ipsec_tunnel_src($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - if ($tunnel['interface']) { - $if = $tunnel['interface']; - $realinterface = convert_friendly_interface_to_real_interface_name($if); - $interfaceip = find_interface_ip($realinterface); - } - return $interfaceip; -} - -function output_ipsec_tunnel_status($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - $interfaceip = get_ipsec_tunnel_src($tunnel); - $foundsrc = false; - $founddst = false; - foreach($sad as $sa) { - if($sa['src'] == $interfaceip) - $foundsrc = true; - if($sa['dst'] == $tunnel['remote-gateway']) - $founddst = true; - } - if($foundsrc && $founddst) { - /* tunnel is up */ - $iconfn = "pass"; - } else { - /* tunnel is down */ - $iconfn = "reject"; - } - echo "<img src ='/themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif'>"; -} - -?> diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php index 5d5b738..f2a08af 100755 --- a/usr/local/www/diag_ipsec_sad.php +++ b/usr/local/www/diag_ipsec_sad.php 
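Review bot: `$ph1ent` is never reset between iterations of the `foreach ($a_phase2 as $ph2ent)` loop before `ipsec_lookup_phase1($ph2ent,$ph1ent)` is called, so if that lookup leaves its by-reference argument untouched when no phase1 matches the ikeid (its body lives in /etc/ipsec.inc, outside this diff), the row is rendered with the previous entry's gateway and status; an `unset($ph1ent);` before the call, or skipping the row when the lookup reports a miss, closes that. The Local/Remote Network cells also echo `ipsec_idinfo_to_text(...)` raw while the neighbouring cells go through `htmlspecialchars()`; wrapping them the same way, `<?=htmlspecialchars(ipsec_idinfo_to_text($ph2ent['localid']));?>`, keeps a configured ID string from being interpreted as markup. Minor: the note row still says `colspan="4"` although the table now has six columns.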
@@ -33,30 +33,14 @@ require("guiconfig.inc"); -$pgtitle = array("Status","IPsec","SA"); +$pgtitle = array("Status","IPsec","SAD"); include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", false, "diag_ipsec.php"); - $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> -<?php +$sad = ipsec_dump_sad(); /* delete any SA? */ if ($_GET['act'] == "del") { - $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n"); pclose($fd); 
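Review bot: The `act=del` branch still passes `$_GET['src']`, `$_GET['dst']`, `$_GET['proto']` and `$_GET['spi']` straight into the `fwrite()` that feeds setkey's stdin; only the binary path changed in this hunk. Because setkey accepts several `;`-terminated statements on one stream, a crafted query string can append statements beyond the intended `delete` (a `flush;`, or an `add` with an attacker-chosen key), and since the action is a plain GET link with no token, a logged-in administrator can be made to trigger it by following a link. Restricting each parameter to the shape the SAD table itself prints before opening the pipe removes the problem; the exact address form (NAT-T entries may carry a `[port]` suffix, and `esp-udp` may appear as a protocol) should be confirmed against what `ipsec_dump_sad()` returns, which is defined outside this diff.
```php
/* delete any SA? */
if ($_GET['act'] == "del") {
	/* setkey reads ';'-separated statements from stdin, so only accept values shaped
	   like the tuple printed in the table; anything else is ignored */
	$addr_ok = '/^[0-9a-fA-F.:]+(\[[0-9]+\])?$/';
	$args_ok = preg_match($addr_ok, $_GET['src'])
		&& preg_match($addr_ok, $_GET['dst'])
		&& in_array($_GET['proto'], array('esp', 'ah', 'ipcomp', 'esp-udp'), true)
		&& preg_match('/^0x[0-9a-fA-F]+$/', $_GET['spi']);
	if ($args_ok) {
		$fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w");
		// … unchanged: fwrite of the delete statement, pclose, sleep …
	}
	// … outer block continues as in the hunk …
```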
@@ -64,87 +48,79 @@ if ($_GET['act'] == "del") { } } -/* query SAD */ -$fd = @popen("/sbin/setkey -D", "r"); -$sad = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); -} ?> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($sad)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Protocol</td> - <td nowrap class="listhdrr">SPI</td> - <td nowrap class="listhdrr">Enc. alg.</td> - <td nowrap class="listhdr">Auth. alg.</td> - <td nowrap class="list"></td> - </tr> -<?php -foreach ($sad as $sa): ?> - <tr> - <td class="listlr"><?=htmlspecialchars($sa['src']);?></td> - <td class="listr"><?=htmlspecialchars($sa['dst']);?></td> - <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td> - <td class="listr"><?=htmlspecialchars($sa['spi']);?></td> - <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td> - <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td> - <td class="list" nowrap> - <?php - $args = "src=" . rawurlencode($sa['src']); - $args .= "&dst=" . rawurlencode($sa['dst']); - $args .= "&proto=" . rawurlencode($sa['proto']); - $args .= "&spi=" . rawurlencode("0x" . 
$sa['spi']); - ?> - <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> - </td> - - </tr> -<?php endforeach; ?> -<?php else: ?> -<tr><td><p><strong>No IPsec security associations.</strong></p></td></tr> -<?php endif; ?> -<td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p> - </td> -</table> -</div> -</td></tr> - -</table> - -<?php include("fend.inc"); ?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <?php include("fbegin.inc"); ?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", false, "diag_ipsec.php"); + $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($sad)): ?> + <tr> + <td nowrap class="listhdrr">Source</td> + <td nowrap class="listhdrr">Destination</a></td> + <td nowrap class="listhdrr">Protocol</td> + <td nowrap class="listhdrr">SPI</td> + <td nowrap class="listhdrr">Enc. alg.</td> + <td nowrap class="listhdr">Auth. 
alg.</td> + <td nowrap class="list"></td> + </tr> + <?php foreach ($sad as $sa): ?> + <tr> + <td class="listlr"><?=htmlspecialchars($sa['src']);?></td> + <td class="listr"><?=htmlspecialchars($sa['dst']);?></td> + <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td> + <td class="listr"><?=htmlspecialchars($sa['spi']);?></td> + <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td> + <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td> + <td class="list" nowrap> + <?php + $args = "src=" . rawurlencode($sa['src']); + $args .= "&dst=" . rawurlencode($sa['dst']); + $args .= "&proto=" . rawurlencode($sa['proto']); + $args .= "&spi=" . rawurlencode("0x" . $sa['spi']); + ?> + <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php endforeach; ?> + <?php else: ?> + <tr> + <td> + <p><strong>No IPsec security associations.</strong></p> + </td> + </tr> + <?php endif; ?> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can configure your IPsec <a href="vpn_ipsec.php">here</a>. + </span> + </p> + </td> + </table> + </div> + </td> + </tr> + </table> + <?php include("fend.inc"); ?> </body> </html> diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php index dc6ee6f..d9dfe54 100755 --- a/usr/local/www/diag_ipsec_spd.php +++ b/usr/local/www/diag_ipsec_spd.php 
@@ -36,129 +36,104 @@ require("guiconfig.inc"); $pgtitle = array("Status","IPsec","SPD"); include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", false, "diag_ipsec.php"); - $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> -<?php - /* delete any SP? */ if ($_GET['act'] == "del") { - $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { - fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n"); + fwrite($fd, "spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;\n"); pclose($fd); sleep(1); } } -/* query SAD */ -$fd = @popen("/sbin/setkey -DP", "r"); -$spd = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SPD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursp)) - $spd[] = $cursp; - $cursp = array(); - $linea = explode(" ", $line); - $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "[")); - $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "[")); - $i = 0; - } else if (is_array($cursp)) { - $linea = explode(" ", trim($line)); - if ($i == 1) { - if ($linea[1] == "none") /* don't show default anti-lockout rule */ - unset($cursp); - else - $cursp['dir'] = $linea[0]; - } else if ($i == 2) { - $upperspec = explode("/", $linea[0]); - $cursp['proto'] = $upperspec[0]; - list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]); - } - } - $i++; - } - if (is_array($cursp) && count($cursp)) - $spd[] = $cursp; - pclose($fd); -} +$spd = ipsec_dump_spd(); ?> -<div id="mainarea" style="background:#eeeeee"> - <table class="tabcont" 
width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($spd)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Direction</td> - <td nowrap class="listhdrr">Protocol</td> - <td nowrap class="listhdrr">Tunnel endpoints</td> - <td nowrap class="list"></td> - </tr> -<?php -foreach ($spd as $sp): ?> - <tr> - <td class="listlr" valign="top"><?=htmlspecialchars($sp['src']);?></td> - <td class="listr" valign="top"><?=htmlspecialchars($sp['dst']);?></td> - <td class="listr" valign="top"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px"></td> - <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td> - <td class="listr" valign="top"><?=htmlspecialchars($sp['ep_src']);?> - <br> - <?=htmlspecialchars($sp['ep_dst']);?></td> - <td class="list" nowrap> - <?php - $args = "src=" . rawurlencode($sp['src']); - $args .= "&dst=" . rawurlencode($sp['dst']); - $args .= "&dir=" . 
rawurlencode($sp['dir']); - ?> - <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> - </td> - </tr> -<?php endforeach; ?> -</table> -<br> -<table class="tabcont" border="0" cellspacing="0" cellpadding="6"> - <tr> - <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td> - <td>incoming (as seen by firewall)</td> - </tr> - <tr> - <td colspan="5" height="4"></td> - </tr> - <tr> - <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td> - <td>outgoing (as seen by firewall)</td> - </tr> -<?php else: ?> -<tr><td><p><strong>No IPsec security policies.</strong></p></td></tr> -<?php endif; ?> -<td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p> - </td> -</table> -</div> -</td></tr></table> -<?php include("fend.inc"); ?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <?php include("fbegin.inc"); ?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", false, "diag_ipsec.php"); + $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea" style="background:#eeeeee"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($spd)): ?> + <tr> + <td nowrap class="listhdrr">Source</td> + <td nowrap class="listhdrr">Destination</td> + <td nowrap class="listhdrr">Direction</td> + <td nowrap class="listhdrr">Protocol</td> + <td nowrap class="listhdrr">Tunnel endpoints</td> + <td nowrap class="list"></td> + 
</tr> + <?php foreach ($spd as $sp): ?> + <tr> + <td class="listlr" valign="top"><?=htmlspecialchars($sp['srcid']);?></td> + <td class="listr" valign="top"><?=htmlspecialchars($sp['dstid']);?></td> + <td class="listr" valign="top"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px"> + </td> + <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td> + <td class="listr" valign="top"><?=htmlspecialchars($sp['src']);?> -> <?=htmlspecialchars($sp['dst']);?></td> + <td class="list" nowrap> + <?php + $args = "srcid=".rawurlencode($sp['srcid']); + $args .= "&dstid=".rawurlencode($sp['dstid']); + $args .= "&dir=".rawurlencode($sp['dir']); + ?> + <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php endforeach; ?> + </table> + <br> + <table class="tabcont" border="0" cellspacing="0" cellpadding="6"> + <tr> + <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td> + <td>incoming (as seen by firewall)</td> + </tr> + <tr> + <td colspan="5" height="4"></td> + </tr> + <tr> + <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td> + <td>outgoing (as seen by firewall)</td> + </tr> + <?php else: ?> + <tr> + <td> + <p><strong>No IPsec security policies.</strong></p> + </td> + </tr> + <?php endif; ?> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can configure your IPsec <a href="vpn_ipsec.php">here</a>. + </span> + </p> + </td> + </table> + </div> + </td> + </tr> + </table> + <?php include("fend.inc"); ?> </body> </html> 
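Review bot: The renamed `spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;` still interpolates three unchecked query parameters into setkey's stdin, so the rename does not change what a crafted `act=del` link can make setkey execute (any further `;`-terminated statement), and the link carries no token. A check before the `popen()` of the form `in_array($_GET['dir'], array('in', 'out', 'fwd'), true)` together with `preg_match('/^[0-9a-fA-F.:\/]+(\[[0-9]+\])?$/', $_GET['srcid'])` and the same test on `$_GET['dstid']`, with the pipe opened only when all three pass, limits the input to the policy selectors the table itself prints. The exact selector syntax (and whether `fwd` ever appears) should be confirmed against what `ipsec_dump_spd()` returns, which is defined outside this diff.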
diff --git a/usr/local/www/diag_logs_ipsec.php b/usr/local/www/diag_logs_ipsec.php
index a6b8ae6..74cf757 100755
--- a/usr/local/www/diag_logs_ipsec.php
+++ b/usr/local/www/diag_logs_ipsec.php
@@ -38,11 +38,11 @@ $ipsec_logfile = "{$g['varlog_path']}/ipsec.log";
 /* Create array with all IPsec tunnel descriptions */
 $search = array();
 $replace = array();
-if(is_array($config['ipsec']['tunnel']))
- foreach($config['ipsec']['tunnel'] as $tunnel) {
- $gateway = "{$tunnel['remote-gateway']}";
+if(is_array($config['ipsec']['phase1']))
+ foreach($config['ipsec']['phase1'] as $ph1ent) {
+ $gateway = "{$ph1ent['remote-gateway']}";
 $search[] = "/(racoon: )([A-Z:].*?)({$gateway}\[[0-9].+\]|{$gateway})(.*)/i";
- $replace[] = "$1<strong>[{$tunnel['descr']}]</strong>: $2$3$4";
+ $replace[] = "$1<strong>[{$ph1ent['descr']}]</strong>: $2$3$4";
 }
 /* collect all our own ip addresses */
 exec("/sbin/ifconfig|/usr/bin/awk '/inet / {print $2}'", $ip_address_list);
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 1c6ab78..9fecc45 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
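Review bot: `$gateway` is interpolated into the `/(racoon: )…/i` pattern and `$ph1ent['descr']` into the `<strong>` replacement without escaping for their respective contexts; the rename from `$tunnel` to `$ph1ent` keeps both as they were. A gateway given as an FQDN or a description containing regex metacharacters (or, for the description, `<`) changes what the pattern matches or becomes markup in the rendered log, so I would write `$gateway = preg_quote($ph1ent['remote-gateway'], '/');` and `$replace[] = "$1<strong>[" . htmlspecialchars($ph1ent['descr']) . "]</strong>: $2$3$4";`. The replacement already carries HTML tags, so the log is presumably rendered as HTML further down, outside this hunk; an empty `remote-gateway` would also make the alternation match every racoon line, which is worth a guard if such entries can exist.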
@@ -157,25 +157,6 @@ $medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex", /* platforms that support firmware updating */ $fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap'); -/* IPsec defines */ -$my_identifier_list = array('myaddress' => 'My IP address', - 'address' => 'IP address', - 'fqdn' => 'Domain name', - 'user_fqdn' => 'User FQDN', - 'asn1dn' => 'Distinguished Name', - 'dyn_dns' => 'Dynamic DNS'); - -$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128','rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); -$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); - -$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5'); -$p1_authentication_methods = array('pre_shared_key' => 'Pre-shared key', 'rsasig' => 'RSA signature'); -$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5'); -$p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); -$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); - function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) { /* check for bad control characters */ diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php index a2a2442..64826d0 100755 --- a/usr/local/www/pkg_edit.php +++ b/usr/local/www/pkg_edit.php @@ -381,7 +381,7 @@ if ($pkg['tabs'] <> "") { print("</select>\n<br />\n" . fixup_string($pkga['description']) . "\n"); } else if($pkga['type'] == "vpn_selection") { echo "<select id='" . $pkga['fieldname'] . "' name='" . $vpn['name'] . "'>\n"; - foreach ($config['ipsec']['tunnel'] as $vpn) { + foreach ($config['ipsec']['phase1'] as $vpn) { echo "\t<option value=\"" . $vpn['descr'] . "\">" . $vpn['descr'] . "</option>\n"; } echo "</select>\n"; 
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 4946d73..94f4c37 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -4,6 +4,7 @@ part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,14 +31,18 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; +$a_phase2 = &$config['ipsec']['phase2']; + $wancfg = &$config['interfaces']['wan']; $pconfig['enable'] = isset($config['ipsec']['enable']); -$pconfig['ipcomp'] = isset($config['ipsec']['ipcomp']); if ($_POST) { @@ -53,7 +58,6 @@ if ($_POST) { $pconfig = $_POST; $config['ipsec']['enable'] = $_POST['enable'] ? true : false; - $config['ipsec']['ipcomp'] = $_POST['ipcomp'] ? true : false; write_config(); 
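Review bot: Dropping the `ipcomp` checkbox removes the only place this form cleared `$config['ipsec']['ipcomp']`, so a value saved by an earlier release stays in config.xml untouched while nothing in the page shows or edits it. If the backend still reads that key (ipsec.inc is not in this part of the diff, so I cannot tell), IPComp stays enabled invisibly; an explicit `unset($config['ipsec']['ipcomp']);` next to the `enable` assignment, or a one-line comment stating that the key is now ignored, would make the intent clear. In the preceding hunk `$wancfg = &$config['interfaces']['wan'];` is kept although nothing visible in this diff uses it.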
@@ -72,13 +76,41 @@ if ($_POST) { } } -if ($_GET['act'] == "del") { - if ($a_ipsec[$_GET['id']]) { +if ($_GET['act'] == "delph1") +{ + if ($a_phase1[$_GET['p1index']]) { /* remove static route if interface is not WAN */ - if($a_ipsec[$_GET['id']]['interface'] <> "wan") { - mwexec("/sbin/route delete -host {$$a_ipsec[$_GET['id']]['remote-gateway']}"); + if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") { + mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}"); + } + + /* remove all phase2 entries that match the ikeid */ + $ikeid = $a_phase1[$_GET['p1index']]['ikeid']; + $p2index = 0; + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { + /* remove the phase2 entry */ + unset($a_phase2[$p2index]); + continue; + } + /* only skip if we remove an entry */ + $p2index++; } - unset($a_ipsec[$_GET['id']]); + + /* remove the phase1 entry */ + unset($a_phase1[$_GET['p1index']]); + filter_configure(); + write_config(); + header("Location: vpn_ipsec.php"); + exit; + } +} + +if ($_GET['act'] == "delph2") +{ + if ($a_phase2[$_GET['p2index']]) { + /* remove the phase2 entry */ + unset($a_phase2[$_GET['p2index']]); filter_configure(); write_config(); header("Location: vpn_ipsec.php"); 
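Review bot: The phase2 clean-up loop in the `delph1` branch can leave orphaned phase2 entries: `$p2index` is a hand-maintained position counter that stops advancing after the first `unset()`, but `foreach` walks its own copy and keeps moving, so with two consecutive matching entries the second `unset($a_phase2[$p2index])` hits the already-removed slot and the real entry survives (later indexes are off by the number of removals). Iterating with the key, `foreach ($a_phase2 as $p2index => $ph2tmp)`, removes both the counter and the bug. The route removal above it also carries over `{$$a_phase1[$_GET['p1index']]['remote-gateway']}` from the old code: the double `$$` makes PHP look up a variable named after the gateway string, so the command is built with an empty host and the static route is never deleted; `"/sbin/route delete -host " . escapeshellarg($a_phase1[$_GET['p1index']]['remote-gateway'])` fixes both the lookup and the unquoted shell argument.
```php
if ($_GET['act'] == "delph1")
{
	if ($a_phase1[$_GET['p1index']]) {
		/* remove static route if interface is not WAN */
		if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") {
			/* single '$' so the gateway is actually interpolated, quoted as one shell argument */
			mwexec("/sbin/route delete -host " . escapeshellarg($a_phase1[$_GET['p1index']]['remote-gateway']));
		}

		/* remove all phase2 entries that match the ikeid; iterate by key so
		   unset() during the loop cannot desynchronise the index */
		$ikeid = $a_phase1[$_GET['p1index']]['ikeid'];
		foreach ($a_phase2 as $p2index => $ph2tmp) {
			if ($ph2tmp['ikeid'] == $ikeid)
				unset($a_phase2[$p2index]);
		}

		// … unchanged: unset of the phase1 entry, filter_configure, write_config, redirect …
```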
@@ -95,133 +127,270 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php if ($pconfig['enable']) - print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> <?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); + if ($savemsg) + print_info_box($savemsg); + if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path)) + print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); ?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> - <strong>Enable IPsec</strong></td> - </tr> - <tr> - <td> <input name="submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - </table> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td nowrap class="listhdrr">Local net<br> - Remote net</td> - <td class="listhdrr">Interface<br>Remote gw</td> - <td class="listhdrr">P1 mode</td> - <td class="listhdrr">P1 Enc. 
Algo</td> - <td class="listhdrr">P1 Hash Algo</td> - <td class="listhdr">Description</td> - <td class="list" > - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17" heigth="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i = 0; foreach ($a_ipsec as $ipsecent): - if (isset($ipsecent['disabled'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - } else { - $spans = $spane = ""; - } - ?> - <tr valign="top"> - <td nowrap class="listlr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['local-subnet']['network']) - echo strtoupper($ipsecent['local-subnet']['network']); +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <?php + $tab_array = array(); + $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); +// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td class="vtable"> + <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> + <strong>Enable IPsec</strong> + </td> + </tr> + <tr> + <td> + <input name="submit" type="submit" class="formbtn" value="Save"> + </td> + </tr> + </table> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr">Interface<br>Remote gw</td> + <td class="listhdrr">P1 mode</td> + <td class="listhdrr">P1 Enc. 
Algo</td> + <td class="listhdrr">P1 Hash Algo</td> + <td class="listhdr">Description</td> + <td class="list" > + <table border="0" cellspacing="0" cellpadding="o"> + <tr> + <td width="17" heigth="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"></a> + </td> + </tr> + </table> + </td> + </tr> + <?php + $i = 0; + foreach ($a_phase1 as $ph1ent) { + if (isset( $ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } else - echo $ipsecent['local-subnet']['address']; + $spans = $spane = ""; ?> - <br> - <?=$ipsecent['remote-subnet'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['interface']) { - $iflabels = get_configured_interface_with_descr(); - $carpips = find_number_of_needed_carp_interfaces(); - for($j=0; $j<$carpips; $j++) { - $carpip = find_interface_ip("carp" . $j); - $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; - } - $if = htmlspecialchars($iflabels[$ipsecent['interface']]); - } else - $if = "WAN"; - - echo $if . "<br>" . $ipsecent['remote-gateway']; + <tr valign="top"> + <td class="listlr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + if ($ph1ent['interface']) { + $iflabels = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for( $j=0; $j<$carpips; $j++ ) { + $carpip = find_interface_ip("carp" . $j); + $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; + } + $if = htmlspecialchars($iflabels[$ph1ent['interface']]); + } + else + $if = "WAN"; + + echo $if . "<br>" . 
$ph1ent['remote-gateway']; + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$ph1ent['mode'];?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?> + <?php + if ($ph1ent['encryption-algorithm']['keylen']) { + if ($ph1ent['encryption-algorithm']['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph1ent['encryption-algorithm']['keylen']} bits)"; + } + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_halgos[$ph1ent['hash-algorithm']];?> + <?=$spane;?> + </td> + <td class="listtopic" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <font color="#FFFFFF"> + <?=htmlspecialchars($ph1ent['descr']);?> + </font> + <?=$spane;?> + </td> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td> + <a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0"> + </a> + </td> + <td> + <a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td> + </td> + <td> + <a href="vpn_ipsec_phase1.php?dup=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td class="listbg" colspan="5"> + <table width="100%" height="100%"border="0" cellspacing="0" cellpadding="0"> + <tr> + <td 
class="listhdrr">Local Network</td> + <td class="listhdrr">Remote Network</td> + <td class="listhdrr">P2 Protocol</td> + <td class="listhdrr">P2 Transforms</td> + <td class="listhdrr">P2 Auth Methods</td> + <td class ="list"> + <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j = 0; + foreach ($a_phase2 as $ph2ent) { + if ($ph2ent['ikeid'] != $ph1ent['ikeid']) { + $j++; + continue; + } + + if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } + else + $spans = $spane = ""; + ?> + <tr valign="top"> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo $p2_protos[$ph2ent['protocol']]; ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) { + if ($k++) + echo ", "; + echo $p2_ealgos[$ph2ea['name']]['name']; + if ($ph2ea['keylen']) { + if ($ph2ea['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph2ea['keylen']} bits)"; + } + } + ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) { + if ($k++) + echo ", "; + echo $p2_halgos[$ph2ha]; + } + ?> + <?=$spane;?> + </td> + 
<td nowrap class="list"> + <a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0"> + </a> + <a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j++; + } + ?> + </table> + </td> + </tr> + <?php + $i++; + } ?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$ipsecent['p1']['mode'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_ealgos[$ipsecent['p1']['encryption-algorithm']];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_halgos[$ipsecent['p1']['hash-algorithm']];?> - <?=$spane;?></td> - <td class="listbg" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?><font color="#FFFFFF"> - <?=htmlspecialchars($ipsecent['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="vpn_ipsec_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit tunnel" width="17" height="17" border="0"></a></td> - <td><a href="vpn_ipsec.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this tunnel?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete tunnel" width="17" height="17" border="0"></a></td> - </tr> - <tr> - <td></td> - <td><a href="vpn_ipsec_edit.php?dup=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add a new rule based on this one" width="17" 
height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="6"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - <td> - </tr> - <tr> - <td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can check your IPsec status at <a href="diag_ipsec_sad.php">Status:IPsec</a>.</span></p> - </td> - </tr> - </table> - </div> - </td> + <tr> + <td class="list" colspan="5"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + <td> + </tr> + <tr> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>. + </span> + </p> + </td> + </tr> + </table> + </div> + </td> </tr> </table> </form> diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php index 17195ae..b94c66d 100755 --- a/usr/local/www/vpn_ipsec_ca.php +++ b/usr/local/www/vpn_ipsec_ca.php 
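Review bot: The row double-click handlers and the edit icons disagree on the query parameter: phase1 rows use `vpn_ipsec_phase1.php?id=<?=$i;?>` on ondblclick but `?p1index=<?=$i;?>` on the edit link, and phase2 rows use `vpn_ipsec_phase2.php?id=<?=$i;?>` (the phase1 counter) on ondblclick but `?p2index=<?=$j;?>` on the edit link; unless both target pages accept `id` as well, double-clicking opens an empty or the wrong form. Use the same parameter in both places, `ondblclick="document.location='vpn_ipsec_phase1.php?p1index=<?=$i;?>'"` and `ondblclick="document.location='vpn_ipsec_phase2.php?p2index=<?=$j;?>'"`. In the first column `$ph1ent['remote-gateway']` is echoed raw while `descr` on the same row goes through htmlspecialchars; a hostname entered in the phase1 form is rendered into the page unescaped, so wrap it the same way, `echo $if . "<br>" . htmlspecialchars($ph1ent['remote-gateway']);`. `cellpadding="o"` in the add-icon table is a typo for `"0"`.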
@@ -51,22 +51,22 @@ include("head.inc");
 ?>
-
 <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
 <?php include("fbegin.inc"); ?>
 <form action="vpn_ipsec.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php if (file_exists($d_ipsecconfdirty_path)): ?><p>
-<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
-<?php endif; ?>
+<?php
+ if ($savemsg)
+ print_info_box($savemsg);
+ if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path))
+ print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");
+?>
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr><td> <?php
 $tab_array = array();
 $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
- $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
- $tab_array[3] = array("CAs", true, "vpn_ipsec_ca.php");
+// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
+ $tab_array[2] = array("CAs", true, "vpn_ipsec_ca.php");
 display_top_tabs($tab_array);
 ?>
 </td></tr>
diff --git a/usr/local/www/vpn_ipsec_edit.php b/usr/local/www/vpn_ipsec_edit.php
deleted file mode 100755
index 74de623..0000000
--- a/usr/local/www/vpn_ipsec_edit.php
+++ /dev/null
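Review bot: The "configuration has been changed" notice in vpn_ipsec_ca.php is now gated on `$pconfig['enable']`, but nothing in this hunk assigns it; unless the part of the file above line 51 sets `$pconfig['enable']` from `$config['ipsec']['enable']` the way vpn_ipsec.php does, the apply-changes box will never be shown on the CA tab even when the dirty marker exists. Either add that assignment before the check or test the config directly, `if (isset($config['ipsec']['enable']) && file_exists($d_ipsecconfdirty_path))`. The tab array is also left with keys 0 and 2 and index 1 commented out; whether display_top_tabs tolerates the gap is not visible here and is worth confirming.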
@@ -1,662 +0,0 @@ -<?php -/* - vpn_ipsec_edit.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; - -if($config['interfaces']['lan']) - $specialsrcdst = explode(" ", "lan"); - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; -} - -if (isset($id) && $a_ipsec[$id]) { - $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']); - $pconfig['auto'] = isset($a_ipsec[$id]['auto']); - - if (!isset($a_ipsec[$id]['local-subnet'])) { - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - } else { - if($config['interfaces']['lan']) - address_to_pconfig_vpn($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']); - } - - if ($a_ipsec[$id]['interface']) - $pconfig['interface'] = $a_ipsec[$id]['interface']; - else - $pconfig['interface'] = "wan"; - - list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']); - $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway']; - $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode']; - - if (isset($a_ipsec[$id]['p1']['myident']['myaddress'])) - $pconfig['p1myidentt'] = 'myaddress'; - else if (isset($a_ipsec[$id]['p1']['myident']['address'])) { - $pconfig['p1myidentt'] = 'address'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address']; - } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) { - $pconfig['p1myidentt'] = 'fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['ufqdn'])) { - $pconfig['p1myidentt'] = 'user_fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['ufqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['asn1dn'])) { - $pconfig['p1myidentt'] = 'asn1dn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['asn1dn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['dyn_dns'])) { - $pconfig['p1myidentt'] = 
'dyn_dns'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['dyn_dns']; - } - - $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm']; - $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; - $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; - $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; - $pconfig['p1authentication_method'] = $a_ipsec[$id]['p1']['authentication_method']; - $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; - $pconfig['p1cert'] = base64_decode($a_ipsec[$id]['p1']['cert']); - $pconfig['p1peercert'] = base64_decode($a_ipsec[$id]['p1']['peercert']); - $pconfig['p1privatekey'] = base64_decode($a_ipsec[$id]['p1']['private-key']); - $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; - $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; - $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; - $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup']; - $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime']; - $pconfig['descr'] = $a_ipsec[$id]['descr']; - $pconfig['pinghost'] = $a_ipsec[$id]['pinghost']; - -} else { - /* defaults */ - $pconfig['interface'] = "wan"; - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - $pconfig['p1mode'] = "aggressive"; - $pconfig['p1myidentt'] = "myaddress"; - $pconfig['p1authentication_method'] = "pre_shared_key"; - $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "sha1"; - $pconfig['p1dhgroup'] = "2"; - $pconfig['p2proto'] = "esp"; - $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael,rijndael 256"); - $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); - $pconfig['p2pfsgroup'] = "0"; - $pconfig['remotebits'] = 32; -} - -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - if (is_specialnet($_POST['localnettype'])) { - $_POST['localnet'] = $_POST['localnettype']; - $_POST['localnetmask'] = 0; - } else if ($_POST['localnettype'] == "single") { - $_POST['localnetmask'] = 32; - 
} - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - if ($_POST['p1authentication_method'] == "pre_shared_key") { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); - } - else { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,P2 Encryption Algorithms,P2 Hash Algorithms"); - if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - if ($_POST['p1peercert']!="" && (!strstr($_POST['p1peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1peercert'], "END CERTIFICATE"))) - $input_errors[] = "This peer certificate does not appear to be valid."; - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (!is_specialnet($_POST['localnettype'])) { - if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) { - $input_errors[] = "A valid local network IP address must be specified."; - } - if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) { - $input_errors[] = "A valid local network bit count must be specified."; - } - } - if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { - $input_errors[] = "The P1 lifetime must be an integer."; - } - if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { - $input_errors[] = "The P2 lifetime must be an integer."; - } - if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] < 0) || 
($_POST['remotebits'] > 32))) { - if(!$_POST['remotebits'] == "0.0.0.0") - $input_errors[] = "The remote network bits are invalid."; - } - if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet'])) or $_POST['remotenet'] == "0.0.0.0") { - /* allow 0.0.0.0 remote net usage */ - if($_POST['remotenet'] <> "0.0.0.0") - $input_errors[] = "A valid remote network address must be specified."; - } - if (($_POST['remotenet'] && is_ipaddr($_POST['remotenet']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotecidr = $pconfig['remotenet'] ."/". $pconfig['remotebits']; - if(($tunnel['remote-subnet'] == $tremotecidr) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote network \"$tremotecidr\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw']))) - $input_errors[] = "A valid remote gateway address or host name must be specified."; - if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotegw = $pconfig['remotegw']; - if(($tunnel['remote-gateway'] == $tremotegw) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote gateway \"$tremotegw\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { - $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - } - if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { - $input_errors[] = "A valid domain name for 'My identifier' must be specified."; - } - if ($_POST['p1myidentt'] == "user_fqdn") { - $ufqdn = explode("@",$_POST['p1myident']); - if (is_domain($ufqdn[1]) == false) - $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; - } - 
if ($_POST['p1myidentt'] == "dyn_dns") { - if (is_domain($_POST['p1myidentt']) == false) - $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; - } - - if($_POST['p1myidentt'] == "fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "dyn_dns" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "address" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "user_fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if ($_POST['p1myidentt'] == "myaddress") - $_POST['p1myident'] = ""; - - if (!$input_errors) { - $ipsecent['disabled'] = $_POST['disabled'] ? true : false; - //$ipsecent['auto'] = $_POST['auto'] ? true : false; - $ipsecent['interface'] = $pconfig['interface']; - pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']); - $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . 
$_POST['remotebits']; - /* if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ - if($_POST['interface'] <> "wan") { - if($ipsecent['remote-gateway'] <> $_POST['remotegw']) { - mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}"); - } - } - $ipsecent['remote-gateway'] = $_POST['remotegw']; - $ipsecent['p1']['mode'] = $_POST['p1mode']; - - $ipsecent['p1']['myident'] = array(); - switch ($_POST['p1myidentt']) { - case 'myaddress': - $ipsecent['p1']['myident']['myaddress'] = true; - break; - case 'address': - $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; - break; - case 'fqdn': - $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; - break; - case 'user_fqdn': - $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; - break; - case 'asn1dn': - $ipsecent['p1']['myident']['asn1dn'] = $_POST['p1myident']; - break; - case 'dyn_dns': - $ipsecent['p1']['myident']['dyn_dns'] = $_POST['p1myident']; - break; - } - - $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; - $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; - $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; - $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; - $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; - $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); - $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); - $ipsecent['p1']['peercert'] = base64_encode($_POST['p1peercert']); - $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; - $ipsecent['p2']['protocol'] = $_POST['p2proto']; - $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; - $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; - $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; - $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; - $ipsecent['descr'] = $_POST['descr']; - $ipsecent['pinghost'] = $_POST['pinghost']; - - if 
(isset($id) && $a_ipsec[$id]) - $a_ipsec[$id] = $ipsecent; - else - $a_ipsec[] = $ipsecent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit tunnel"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<script language="JavaScript"> -<!-- -function typesel_change() { - switch (document.iform.localnettype.selectedIndex) { - case 0: /* single */ - document.iform.localnet.disabled = 0; - document.iform.localnetmask.value = ""; - document.iform.localnetmask.disabled = 1; - break; - case 1: /* network */ - document.iform.localnet.disabled = 0; - document.iform.localnetmask.disabled = 0; - break; - default: - document.iform.localnet.value = ""; - document.iform.localnet.disabled = 1; - document.iform.localnetmask.value = ""; - document.iform.localnetmask.disabled = 1; - break; - } -} -function methodsel_change() { - switch (document.iform.p1authentication_method.selectedIndex) { - case 1: /* rsa */ - document.iform.p1pskey.disabled = 1; - document.iform.p1privatekey.disabled = 0; - document.iform.p1cert.disabled = 0; - document.iform.p1peercert.disabled = 0; - break; - default: /* pre-shared */ - document.iform.p1pskey.disabled = 0; - document.iform.p1privatekey.disabled = 1; - document.iform.p1cert.disabled = 1; - document.iform.p1peercert.disabled = 1; - break; - } -} -//--> -</script> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_ipsec_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Mode</td> - <td width="78%" class="vtable"> Tunnel</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) 
echo "checked"; ?>> - <strong>Disable this tunnel</strong><br> - <span class="vexpl">Set this option to disable this tunnel without - removing it from the list.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Interface</td> - <td width="78%" class="vtable"><select name="interface" class="formselect"> - <?php - $interfaces = get_configured_interface_with_descr(); - $carpips = find_number_of_needed_carp_interfaces(); - for($i=0; $i<$carpips; $i++) { - $carpip = find_interface_ip("carp" . $i); - $interfaces['carp' . $i] = "CARP{$i} ({$carpip})"; - } - foreach ($interfaces as $iface => $ifacename): ?> - <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> - <?=htmlspecialchars($ifacename);?> - </option> - <?php endforeach; ?> - </select> <br> - <span class="vexpl">Select the interface for the local endpoint of this tunnel.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Local subnet</td> - <td width="78%" class="vtable"> - <table border="0" cellspacing="0" cellpadding="0"> - <tr> - <td>Type: </td> - <td></td> - <td><select name="localnettype" class="formselect" onChange="typesel_change()"> - <?php $sel = is_specialnet($pconfig['localnet']); ?> - <option value="single" <?php if (($pconfig['localnetmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>> - Single host</option> - <option value="network" <?php if (!$sel) echo "selected"; ?>> - Network</option> - <?php if($config['interfaces']['lan']): ?> - <option value="lan" <?php if ($pconfig['localnet'] == "lan") { echo "selected"; } ?>> - LAN subnet</option> - <?php endif; ?> - </select></td> - </tr> - <tr> - <td>Address: </td> - <td><?=$mandfldhtmlspc;?></td> - <td><input name="localnet" type="text" class="formfld unknown" id="localnet" size="20" value="<?php if (!is_specialnet($pconfig['localnet'])) echo htmlspecialchars($pconfig['localnet']);?>"> - / - <select name="localnetmask" class="formselect" id="localnetmask"> - 
<?php for ($i = 31; $i >= 0; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['localnetmask']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select> </td> - </tr> - </table></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Remote subnet</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="remotenet" type="text" class="formfld unknown" id="remotenet" size="20" value="<?=$pconfig['remotenet'];?>"> - / - <select name="remotebits" class="formselect" id="remotebits"> - <?php for ($i = 32; $i >= 0; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['remotebits']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Remote gateway</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>"> - <br> - Enter the public IP address or host name of the remote gateway</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br> <span class="vexpl">You may enter a description here - for your reference (not parsed).</span></td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 1 proposal - (Authentication)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Negotiation mode</td> - <td width="78%" class="vtable"> - <select name="p1mode" class="formfld unknown"> - <?php $modes = explode(" ", "main aggressive"); foreach ($modes as $mode): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1mode']) echo "selected"; ?>> - <?=htmlspecialchars($mode);?> - </option> - <?php endforeach; ?> - </select> 
<br> <span class="vexpl">Aggressive is faster, but - less secure.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">My identifier</td> - <td width="78%" class="vtable"> - <select name="p1myidentt" class="formselect"> - <?php foreach ($my_identifier_list as $mode => $modename): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1myidentt']) echo "selected"; ?>> - <?=htmlspecialchars($modename);?> - </option> - <?php endforeach; ?> - </select> <input name="p1myident" type="text" class="formfld unknown" id="p1myident" size="30" value="<?=$pconfig['p1myident'];?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> - <td width="78%" class="vtable"> - <select name="p1ealgo" class="formselect"> - <?php foreach ($p1_ealgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1ealgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithm</td> - <td width="78%" class="vtable"> - <select name="p1halgo" class="formselect"> - <?php foreach ($p1_halgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1halgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. 
</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">DH key group</td> - <td width="78%" class="vtable"> - <select name="p1dhgroup" class="formselect"> - <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p1dhgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroup);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em><br> - Must match the setting chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p1lifetime" type="text" class="formfld unknown" id="p1lifetime" size="20" value="<?=$pconfig['p1lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Authentication method</td> - <td width="78%" class="vtable"> - <select name="p1authentication_method" class="formselect" onChange="methodsel_change()"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['p1authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="p1pskey" type="text" class="formfld unknown" id="p1pskey" size="40" value="<?=htmlspecialchars($pconfig['p1pskey']);?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Certificate</td> - <td width="78%" class="vtable"> - <textarea name="p1cert" cols="65" rows="7" id="p1cert" class="formpre"><?=htmlspecialchars($pconfig['p1cert']);?></textarea> - <br> - Paste a certificate in X.509 PEM format here.</td> - 
</tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Key</td> - <td width="78%" class="vtable"> - <textarea name="p1privatekey" cols="65" rows="7" id="p1privatekey" class="formpre"><?=htmlspecialchars($pconfig['p1privatekey']);?></textarea> - <br> - Paste an RSA private key in PEM format here.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Peer certificate</td> - <td width="78%" class="vtable"> - <textarea name="p1peercert" cols="65" rows="7" id="p1peercert" class="formpre"><?=htmlspecialchars($pconfig['p1peercert']);?></textarea> - <br> - Paste the peer X.509 certificate in PEM format here.<br> - Leave this blank if you want to use a CA certificate for identity validation.</td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 2 proposal - (SA/Key Exchange)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Protocol</td> - <td width="78%" class="vtable"> - <select name="p2proto" class="formselect"> - <?php foreach ($p2_protos as $proto => $protoname): ?> - <option value="<?=$proto;?>" <?php if ($proto == $pconfig['p2proto']) echo "selected"; ?>> - <?=htmlspecialchars($protoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">ESP is encryption, AH is - authentication only </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_ealgos as $algo => $algoname): ?> - <input type="checkbox" name="p2ealgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2ealgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - <br> - Hint: use 3DES for best compatibility or if you have a hardware - crypto accelerator card. Blowfish is usually the fastest in - software encryption. 
</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_halgos as $algo => $algoname): ?> - <input type="checkbox" name="p2halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2halgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">PFS key group</td> - <td width="78%" class="vtable"> - <select name="p2pfsgroup" class="formselect"> - <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p2pfsgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroupname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em></span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p2lifetime" type="text" class="formfld unknown" id="p2lifetime" size="20" value="<?=$pconfig['p2lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Keep alive</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Automatically ping host</td> - <td width="78%" class="vtable"> - <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> IP address</td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_ipsec[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<script lannguage="JavaScript"> -<!-- -typesel_change(); -methodsel_change(); -//--> -</script> -<?php include("fend.inc"); ?> - - -<?php - -function 
address_to_pconfig_vpn($adr, &$padr, &$pmask) { - - if ($adr['network']) - $padr = $adr['network']; - else if ($adr['address']) { - list($padr, $pmask) = explode("/", $adr['address']); - if (is_null($pmask)) - $pmask = 32; - } -} - -?> diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php deleted file mode 100755 index 49112ff..0000000 --- a/usr/local/www/vpn_ipsec_keys.php +++ /dev/null 
@@ -1,120 +0,0 @@ -<?php -/* - vpn_ipsec_keys.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -if ($_GET['act'] == "del") { - if ($a_secret[$_GET['id']]) { - unset($a_secret[$_GET['id']]); - write_config(); - touch($d_ipsecconfdirty_path); - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Keys"); - -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> -<?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", true, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="listhdrr">Identifier</td> - <td class="listhdr">Pre-shared key</td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="20" heigth="17"></td> - <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i = 0; foreach ($a_secret as $secretent): ?> - <tr> - <td class="listlr"> - <?=htmlspecialchars($secretent['ident']);?> - </td> - <td 
class="listr"> - <?=htmlspecialchars($secretent['pre-shared-key']);?> - </td> - <td class="list" nowrap> <a href="vpn_ipsec_keys_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit key" width="17" height="17" border="0"></a> - <a href="vpn_ipsec_keys.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this pre-shared key?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete key" width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="2"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="20" heigth="17"></td> - <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php deleted file mode 100755 index f612bcc..0000000 --- a/usr/local/www/vpn_ipsec_keys_edit.php +++ /dev/null 
@@ -1,128 +0,0 @@ -<?php -/* - vpn_ipsec_keys_edit.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_secret[$id]) { - $pconfig['ident'] = $a_secret[$id]['ident']; - $pconfig['psk'] = $a_secret[$id]['pre-shared-key']; -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "ident psk"); - $reqdfieldsn = explode(",", "Identifier,Pre-shared key"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) - $input_errors[] = "The identifier contains invalid characters."; - - if (!$input_errors && !(isset($id) && $a_secret[$id])) { - /* make sure there are no dupes */ - foreach ($a_secret as $secretent) { - if ($secretent['ident'] == $_POST['ident']) { - $input_errors[] = "Another entry with the same identifier already exists."; - break; - } - } - } - - if (!$input_errors) { - - if (isset($id) && $a_secret[$id]) - $secretent = $a_secret[$id]; - - $secretent['ident'] = $_POST['ident']; - $secretent['pre-shared-key'] = $_POST['psk']; - - if (isset($id) && $a_secret[$id]) - $a_secret[$id] = $secretent; - else - $a_secret[] = $secretent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit pre-shared key"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_ipsec_keys_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td valign="top" class="vncellreq">Identifier</td> - <td class="vtable"> - <?=$mandfldhtml;?><input 
name="ident" type="text" class="formfld" id="ident" size="30" value="<?=$pconfig['ident'];?>"> - <br> -This can be either an IP address, fully qualified domain name or an e-mail address. - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Pre-shared key</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="psk" type="text" class="formfld" id="psk" size="40" value="<?=htmlspecialchars($pconfig['psk']);?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_secret[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 6a105e3..5a88b66 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -197,8 +197,7 @@ function methodsel_change() { $tab_array = array(); $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> </td></tr> diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php new file mode 100644 index 0000000..0a21362 --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase1.php 
@@ -0,0 +1,635 @@ +<?php +/* + vpn_ipsec_phase1.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2008 Shrew Soft Inc + Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['ipsec']['phase1']))
+ $config['ipsec']['phase1'] = array();
+
+$a_phase1 = &$config['ipsec']['phase1'];
+
+if($config['interfaces']['lan'])
+ $specialsrcdst = explode(" ", "lan");
+
+$p1index = $_GET['p1index'];
+if (isset($_POST['p1index']))
+ $p1index = $_POST['p1index'];
+
+if (isset($_GET['dup'])) {
+ $p1index = $_GET['dup'];
+}
+
+if (isset($p1index) && $a_phase1[$p1index])
+{
+ $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
+ $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
+
+ if ($a_phase1[$p1index]['interface'])
+ $pconfig['interface'] = $a_phase1[$p1index]['interface'];
+ else
+ $pconfig['interface'] = "wan";
+
+ list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);
+ $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
+ $pconfig['mode'] = $a_phase1[$p1index]['mode'];
+ $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
+ $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
+ $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
+ $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
+ $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
+ $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
+ $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
+ $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
+ $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];
+ $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
+ $pconfig['cert'] = base64_decode($a_phase1[$p1index]['cert']);
+ $pconfig['peercert'] = base64_decode($a_phase1[$p1index]['peercert']);
+ $pconfig['privatekey'] = base64_decode($a_phase1[$p1index]['private-key']);
+
+ $pconfig['descr'] = $a_phase1[$p1index]['descr'];
+ $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal'];
+ $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable'];
+ $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
+ $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
+ $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost'];
+}
+else
+{
+ /* defaults */
+ $pconfig['interface'] = "wan";
+ if($config['interfaces']['lan'])
+ $pconfig['localnet'] = "lan";
+ $pconfig['mode'] = "aggressive";
+ $pconfig['myid_type'] = "myaddress";
+ $pconfig['peerid_type'] = "peeraddress";
+ $pconfig['authentication_method'] = "pre_shared_key";
+ $pconfig['ealgo'] = array( name => "3des" );
+ $pconfig['halgo'] = "sha1";
+ $pconfig['dhgroup'] = "2";
+ $pconfig['lifetime'] = "28800";
+ $pconfig['nat_traversal'] = "on";
+ $pconfig['dpd_enable'] = 1;
+ $pconfig['dpd_delay'] = 10;
+ $pconfig['dpd_maxfail'] = 5;
+}
+
+if (isset($_GET['dup']))
+ unset($p1index);
+
+if ($_POST) {
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($_POST['authentication_method'] == "pre_shared_key") {
+ $reqdfields = explode(" ", "remotegw pskey");
+ $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key");
+ } else {
+ $reqdfields = explode(" ", "remotegw");
+ $reqdfieldsn = explode(",", "Remote gateway");
+ if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
+ $input_errors[] = "This certificate does not appear to be valid.";
+ if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY"))
+ $input_errors[] = "This key does not appear to be valid.";
+ if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE")))
+ $input_errors[] = "This peer certificate does not appear to be valid.";
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (($_POST['lifetime'] && !is_numeric($_POST['lifetime'])))
+ $input_errors[] = "The P1 lifetime must be an integer.";
+
+ if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw'])))
+ $input_errors[] = "A valid remote gateway address or host name must be specified.";
+
+ if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) {
+ $t = 0;
+ foreach ($a_phase1 as $ph1tmp) {
+ if ($p1index <> $t) {
+ $tremotegw = $pconfig['remotegw'];
+ if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
+ $input_errors[] = "The remote gateway \"$tremotegw\" is already used by phase1 \"${ph1tmp['descr']}\".";
+ }
+ }
+ $t++;
+ }
+ }
+
+ /* My identity */
+
+ if ($_POST['myid_type'] == "myaddress")
+ $_POST['myid_data'] = "";
+
+ if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter an address for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
+
+ if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data'])))
+ $input_errors[] = "A valid IP address for 'My identifier' must be specified.";
+
+ if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data'])))
+ $input_errors[] = "A valid domain name for 'My identifier' must be specified.";
+
+ if ($_POST['myid_type'] == "fqdn")
+ if (is_domain($_POST['myid_data']) == false)
+ $input_errors[] = "A valid FQDN for 'My identifier' must be specified.";
+
+ if ($_POST['myid_type'] == "user_fqdn") {
+ $user_fqdn = explode("@",$_POST['myid_data']);
+ if (is_domain($user_fqdn[1]) == false)
+ $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.";
+ }
+
+ if ($_POST['myid_type'] == "dyn_dns")
+ if (is_domain($_POST['myid_data']) == false)
+ $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified.";
+
+ /* Peer identity */
+
+ if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
+
+ if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data'])))
+ $input_errors[] = "A valid IP address for 'Peer identifier' must be specified.";
+
+ if ((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data'])))
+ $input_errors[] = "A valid domain name for 'Peer identifier' must be specified.";
+
+ if ($_POST['peerid_type'] == "fqdn")
+ if (is_domain($_POST['peerid_data']) == false)
+ $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified.";
+
+ if ($_POST['peerid_type'] == "user_fqdn") {
+ $user_fqdn = explode("@",$_POST['peerid_data']);
+ if (is_domain($user_fqdn[1]) == false)
+ $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.";
+ }
+
+ if ($_POST['dpd_enable']) {
+ if (!is_numeric($_POST['dpd_delay']))
+ $input_errors[] = "A numeric value must be specified for DPD delay.";
+
+ if (!is_numeric($_POST['dpd_maxfail']))
+ $input_errors[] = "A numeric value must be specified for DPD retries.";
+ }
+
+ /* build our encryption algorithms array */
+ $pconfig['ealgo'] = array();
+ $pconfig['ealgo']['name'] = $_POST['ealgo'];
+ if($_POST['ealgo_keylen'])
+ $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
+
+ if (!$input_errors) {
+ $ph1ent['ikeid'] = $_POST['ikeid'];
+ $ph1ent['disabled'] = $_POST['disabled'] ? true : false;
+ $ph1ent['interface'] = $pconfig['interface'];
+ /* if the remote gateway changed and the interface is not WAN then remove route */
+ /* the vpn_ipsec_configure() handles adding the route */
+ if ($_POST['interface'] <> "wan") {
+ if($ph1ent['remote-gateway'] <> $_POST['remotegw']) {
+ mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}");
+ }
+ }
+ $ph1ent['remote-gateway'] = $_POST['remotegw'];
+ $ph1ent['mode'] = $_POST['mode'];
+
+ $ph1ent['myid_type'] = $_POST['myid_type'];
+ $ph1ent['myid_data'] = $_POST['myid_data'];
+ $ph1ent['peerid_type'] = $_POST['peerid_type'];
+ $ph1ent['peerid_data'] = $_POST['peerid_data'];
+
+ $ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
+ $ph1ent['hash-algorithm'] = $_POST['halgo'];
+ $ph1ent['dhgroup'] = $_POST['dhgroup'];
+ $ph1ent['lifetime'] = $_POST['lifetime'];
+ $ph1ent['pre-shared-key'] = $_POST['pskey'];
+ $ph1ent['private-key'] = base64_encode($_POST['privatekey']);
+ $ph1ent['cert'] = base64_encode($_POST['cert']);
+ $ph1ent['peercert'] = base64_encode($_POST['peercert']);
+ $ph1ent['authentication_method'] = $_POST['authentication_method'];
+
+ $ph1ent['descr'] = $_POST['descr'];
+ $ph1ent['nat_traversal'] = $_POST['nat_traversal'];
+ $ph1ent['dpd_enable'] = $_POST['dpd_enable'];
+ $ph1ent['dpd_delay'] = $_POST['dpd_delay'];
+ $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail'];
+ $ph1ent['pinghost'] = $_POST['pinghost'];
+
+ /* generate unique phase1 ikeid */
+ if ($ph1ent['ikeid'] == 0) {
+ while (true) {
+ $ph1ent['ikeid']++;
+ foreach ($a_phase1 as $ph1tmp)
+ if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] )
+ break;
+
+ if( $ph1ent['ikeid'] != $ph1tmp['ikeid'] )
+ break;
+ }
+ }
+
+ if (isset($p1index) && $a_phase1[$p1index])
+ $a_phase1[$p1index] = $ph1ent;
+ else
+ $a_phase1[] = $ph1ent;
+
+ write_config();
+ touch($d_ipsecconfdirty_path);
+
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+$pgtitle = array("VPN","IPsec","Edit Phase 1");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+function methodsel_change() {
+ switch (document.iform.authentication_method.selectedIndex) {
+ case 1: /* rsa */
+ document.iform.pskey.disabled = 1;
+ document.iform.privatekey.disabled = 0;
+ document.iform.cert.disabled = 0;
+ document.iform.peercert.disabled = 0;
+ break;
+ default: /* pre-shared */
+ document.iform.pskey.disabled = 0;
+ document.iform.privatekey.disabled = 1;
+ document.iform.cert.disabled = 1;
+ document.iform.peercert.disabled = 1;
+ break;
+ }
+}
+
+/* PHP generated java script for variable length keys */
+function ealgosel_change(bits) {
+ switch (document.iform.ealgo.selectedIndex) {
+<?php
+ $i = 0;
+ foreach ($p1_ealgos as $algo => $algodata) {
+ if (is_array($algodata['keysel'])) {
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
+ echo " document.iform.ealgo_keylen.options.length = 0;\n";
+// echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";
+
+ $key_hi = $algodata['keysel']['hi'];
+ $key_lo = $algodata['keysel']['lo'];
+ $key_step = $algodata['keysel']['step'];
+
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step)
+ echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
+ echo " break;\n";
+ } else {
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
+ echo " document.iform.ealgo_keylen.options.length 
= 0;\n"; + echo " break;\n"; + } + $i++; + } +?> + } + + if( bits ) + document.iform.ealgo_keylen.value = bits; +} +function dpdchkbox_change() { + if( document.iform.dpd_enable.checked ) { + document.iform.dpd_delay.disabled = 0; + document.iform.dpd_maxfail.disabled = 0; + } else { + document.iform.dpd_delay.disabled = 1; + document.iform.dpd_maxfail.disabled = 1; + } +} +//--> +</script> +<?php if ($input_errors) print_input_errors($input_errors); ?> + <form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">Disabled</td> + <td width="78%" class="vtable"> + <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> + <strong>Disable this phase1 entry</strong><br> + <span class="vexpl">Set this option to disable this phase1 without + removing it from the list. + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Interface</td> + <td width="78%" class="vtable"> + <select name="interface" class="formselect"> + <?php + $interfaces = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for ($i=0; $i<$carpips; $i++) { + $carpip = find_interface_ip("carp" . $i); + $interfaces['carp' . 
$i] = "CARP{$i} ({$carpip})"; + } + foreach ($interfaces as $iface => $ifacename): + ?> + <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select> <br> + <span class="vexpl">Select the interface for the local endpoint of this phase1 entry.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Remote gateway</td> + <td width="78%" class="vtable"> + <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>"> + <br> + Enter the public IP address or host name of the remote gateway + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> + <br> <span class="vexpl">You may enter a description here + for your reference (not parsed).</span> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Phase 1 proposal + (Authentication) + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Negotiation mode</td> + <td width="78%" class="vtable"> + <select name="mode" class="formselect"> + <?php + $modes = explode(" ", "main aggressive"); + foreach ($modes as $mode): + ?> + <option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected"; ?>> + <?=htmlspecialchars($mode);?> + </option> + <?php endforeach; ?> + </select> <br> <span class="vexpl">Aggressive is more flexible, but less secure.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My identifier</td> + <td width="78%" class="vtable"> + <select name="myid_type" class="formselect"> + <?php foreach ($my_identifier_list as $mode => $modename): ?> + <option value="<?=$mode;?>" 
<?php if ($mode == $pconfig['myid_type']) echo "selected"; ?>> + <?=htmlspecialchars($modename);?> + </option> + <?php endforeach; ?> + </select> + <input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=$pconfig['myid_data'];?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Peer identifier</td> + <td width="78%" class="vtable"> + <select name="peerid_type" class="formselect"> + <?php foreach ($peer_identifier_list as $mode => $modename): ?> + <option value="<?=$mode;?>" <?php if ($mode == $pconfig['peerid_type']) echo "selected"; ?>> + <?=htmlspecialchars($modename);?> + </option> + <?php endforeach; ?> + </select> + <input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> + <td width="78%" class="vtable"> + <select name="ealgo" class="formselect" onChange="ealgosel_change()"> + <?php + foreach ($p1_ealgos as $algo => $algodata): + $selected = ''; + if ($algo == $pconfig['ealgo']['name']) + $selected = ' selected'; + ?> + <option value="<?=$algo;?>"<?=$selected?>> + <?=htmlspecialchars($algodata['name']);?> + </option> + <?php endforeach; ?> + </select> + <select name="ealgo_keylen" width="30" class="formselect"> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Hash algorithm</td> + <td width="78%" class="vtable"> + <select name="halgo" class="formselect"> + <?php foreach ($p1_halgos as $algo => $algoname): ?> + <option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) echo "selected"; ?>> + <?=htmlspecialchars($algoname);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl"> + Must match the setting chosen on the remote side. 
+ </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">DH key group</td> + <td width="78%" class="vtable"> + <select name="dhgroup" class="formselect"> + <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?> + <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) echo "selected"; ?>> + <?=htmlspecialchars($keygroup);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl"> + <em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em> + <br> + Must match the setting chosen on the remote side. + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Lifetime</td> + <td width="78%" class="vtable"> + <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>"> + seconds + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Authentication method</td> + <td width="78%" class="vtable"> + <select name="authentication_method" class="formselect" onChange="methodsel_change()"> + <?php foreach ($p1_authentication_methods as $method => $methodname): ?> + <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>> + <?=htmlspecialchars($methodname);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl">Must match the setting chosen on the remote side.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td> + <td width="78%" class="vtable"> + <?=$mandfldhtml;?><input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My Certificate</td> + <td width="78%" class="vtable"> + <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea> + <br> + Paste a certificate in X.509 PEM format here.</td> 
+ </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My Private Key</td> + <td width="78%" class="vtable"> + <textarea name="privatekey" cols="65" rows="7" id="privatekey" class="formpre"><?=htmlspecialchars($pconfig['privatekey']);?></textarea> + <br> + Paste an RSA private key in PEM format here. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Peer certificate</td> + <td width="78%" class="vtable"> + <textarea name="peercert" cols="65" rows="7" id="peercert" class="formpre"><?=htmlspecialchars($pconfig['peercert']);?></textarea> + <br> + Paste the peer X.509 certificate in PEM format here.<br> + Leave this blank if you want to use a CA certificate for identity validation. + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced Options</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">NAT Traversal</td> + <td width="78%" class="vtable"> + <select name="nat_traversal" class="formselect"> + <option value="off" <?php if ($pconfig['nat_traversal'] == "off") echo "selected"; ?>>Disable</option> + <option value="on" <?php if ($pconfig['nat_traversal'] == "on") echo "selected"; ?>>Enable</option> + <option value="force" <?php if ($pconfig['nat_traversal'] == "force") echo "selected"; ?>>Force</option> + </select> + <br/> + <span class="vexpl"> + Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, + which can help with clients that are behind restrictive firewalls. 
+ </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Dead Peer Detection</td> + <td width="78%" class="vtable"> + <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if ($pconfig['dpd_enable']) echo "checked"; ?> onClick="dpdchkbox_change()"> + Enable DPD<br> + <br> + <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>"> + seconds<br> + <span class="vexpl">Delay between requesting peer acknowledgement.</span><br> + <br> + <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>"> + retries<br> + <span class="vexpl">Number consecutive failures allowed before disconnect.</span><br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Automatically ping host</td> + <td width="78%" class="vtable"> + <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> + IP address + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <?php if (isset($p1index) && $a_phase1[$p1index]): ?> + <input name="p1index" type="hidden" value="<?=$p1index;?>"> + <?php endif; ?> + </td> + </tr> + </table> +</form> +<script lannguage="JavaScript"> +<!-- +<?php + /* determine if we should init the key length */ + $keyset = ''; + if (isset($pconfig['ealgo']['keylen'])) + if (is_numeric($pconfig['ealgo']['keylen'])) + $keyset = $pconfig['ealgo']['keylen']; +?> +methodsel_change(); +ealgosel_change(<?=$keyset;?>); +dpdchkbox_change(); +//--> +</script> +<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php new file mode 100644 index 0000000..7a3c5ce --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase2.php 
@@ -0,0 +1,489 @@ +<?php +/* + vpn_ipsec_phase2.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2008 Shrew Soft Inc + Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
+$a_phase2 = &$config['ipsec']['phase2'];
+
+if($config['interfaces']['lan'])
+ $specialsrcdst = explode(" ", "lan");
+
+$p2index = $_GET['p2index'];
+if (isset($_POST['p2index']))
+ $p2index = $_POST['p2index'];
+
+if (isset($_GET['dup']))
+ $p2index = $_GET['dup'];
+
+if (isset($p2index) && $a_phase2[$p2index])
+{
+ $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid'];
+ $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']);
+ $pconfig['descr'] = $a_phase2[$p2index]['descr'];
+
+ idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig);
+ idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig);
+
+ $pconfig['proto'] = $a_phase2[$p2index]['protocol'];
+ ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig);
+ $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option'];
+ $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup'];
+ $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime'];
+}
+else
+{
+ $pconfig['ikeid'] = $_GET['ikeid'];
+
+ /* defaults */
+ $pconfig['localid_type'] = "lan";
+ $pconfig['remoteid_type'] = "network";
+ $pconfig['proto'] = "esp";
+ $pconfig['ealgos'] = explode(",", "3des,blowfish,cast128,aes");
+ $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5");
+ $pconfig['pfsgroup'] = "0";
+ $pconfig['lifetime'] = "3600";
+}
+
+if (isset($_GET['dup']))
+ unset($p2index);
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ $ealgos = pconfig_to_ealgos($pconfig);
+ $localid = pconfig_to_idinfo("local",$pconfig);
+ $remoteid = pconfig_to_idinfo("remote",$pconfig);
+
+ if (!isset( $_POST['ikeid']))
+ $input_errors[] = "A valid ikeid must be specified.";
+
+ /* input validation */
+ $reqdfields = explode(" ", "localid_type remoteid_type halgos");
+ $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms");
+
+ 
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ switch ($_POST['localid_type']) {
+ case "network":
+ if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits']))
+ $input_errors[] = "A valid local network bit count must be specified..";
+ case "address":
+ if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address']))
+ $input_errors[] = "A valid local network IP address must be specified.";
+ break;
+ }
+
+ switch ($_POST['remoteid_type']) {
+ case "network":
+ if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits']))
+ $input_errors[] = "A valid remote network bit count must be specified..";
+ case "address":
+ if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address']))
+ $input_errors[] = "A valid remote network IP address must be specified.";
+ break;
+ }
+
+/* TODO : Validate enabled phase2's are not duplicates */
+
+ if (!count($ealgos)) {
+ $input_errors[] = "At least one encryption algorithm must be selected.";
+ }
+ if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) {
+ $input_errors[] = "The P2 lifetime must be an integer.";
+ }
+
+ if (!$input_errors) {
+ $ph2ent['ikeid'] = $_POST['ikeid'];
+ $ph2ent['disabled'] = $_POST['disabled'] ? 
true : false;
+ $ph2ent['localid'] = $localid;
+ $ph2ent['remoteid'] = $remoteid;
+ $ph2ent['protocol'] = $_POST['proto'];
+ $ph2ent['encryption-algorithm-option'] = $ealgos;
+ $ph2ent['hash-algorithm-option'] = $_POST['halgos'];
+ $ph2ent['pfsgroup'] = $_POST['pfsgroup'];
+ $ph2ent['lifetime'] = $_POST['lifetime'];
+ $ph2ent['descr'] = $_POST['descr'];
+
+ if (isset($p2index) && $a_phase2[$p2index])
+ $a_phase2[$p2index] = $ph2ent;
+ else
+ $a_phase2[] = $ph2ent;
+
+ write_config();
+ touch($d_ipsecconfdirty_path);
+
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+$pgtitle = array("VPN","IPsec","Edit Phase 2");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+function typesel_change_local(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.localid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = bits;
+ document.iform.localid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.localid_address.value = "";
+ document.iform.localid_address.disabled = 1;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ }
+}
+function typesel_change_remote(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.remoteid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = 0;
+ document.iform.remoteid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = bits;
+ document.iform.remoteid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.remoteid_address.value = "";
+ 
document.iform.remoteid_address.disabled = 1; + document.iform.remoteid_netbits.value = 0; + document.iform.remoteid_netbits.disabled = 1; + break; + } +} +//--> + +</script> +<?php if ($input_errors) print_input_errors($input_errors); ?> + <form action="vpn_ipsec_phase2.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">Mode</td> + <td width="78%" class="vtable"> Tunnel</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Disabled</td> + <td width="78%" class="vtable"> + <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> + <strong>Disable this phase2 entry</strong><br> + <span class="vexpl">Set this option to disable this phase2 entry without + removing it from the list. + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Local Network</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="0" cellpadding="0"> + <tr> + <td>Type: </td> + <td></td> + <td> + <select name="localid_type" class="formselect" onChange="typesel_change_local()"> + <option value="address" <?php if ($pconfig['localid_type'] == "address") echo "selected";?>>Address</option> + <option value="network" <?php if ($pconfig['localid_type'] == "network") echo "selected";?>>Network</option> + <option value="lan" <?php if ($pconfig['localid_type'] == "lan" ) echo "selected";?>>LAN subnet</option> + </select> + </td> + </tr> + <tr> + <td>Address: </td> + <td><?=$mandfldhtmlspc;?></td> + <td> + <input name="localid_address" type="text" class="formfld unknown" id="localid_address" size="20" value="<?=$pconfig['localid_address'];?>"> + / + <select name="localid_netbits" class="formselect" id="localid_netbits"> + <?php for ($i = 32; $i >= 0; $i--): ?> + <option value="<?=$i;?>" <?php if ($i == $pconfig['localid_netbits']) echo "selected"; ?>> + <?=$i;?> + </option> + 
<?php endfor; ?> + </select> + </td> + </tr> + </table> + </td> + </tr> + <td width="22%" valign="top" class="vncellreq">Remote Network</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="0" cellpadding="0"> + <tr> + <td>Type: </td> + <td></td> + <td> + <select name="remoteid_type" class="formselect" onChange="typesel_change_remote()"> + <option value="address" <?php if ($pconfig['remoteid_type'] == "address") echo "selected"; ?>>Address</option> + <option value="network" <?php if ($pconfig['remoteid_type'] == "network") echo "selected"; ?>>Network</option> + </select> + </td> + </tr> + <tr> + <td>Address: </td> + <td><?=$mandfldhtmlspc;?></td> + <td> + <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=$pconfig['remoteid_address'];?>"> + / + <select name="remoteid_netbits" class="formselect" id="remoteid_netbits"> + <?php for ($i = 32; $i >= 0; $i--): ?> + <option value="<?=$i;?>" <?php if ($i == $pconfig['remoteid_netbits']) echo "selected"; ?>> + <?=$i;?> + </option> + <?php endfor; ?> + </select> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> + <br> <span class="vexpl">You may enter a description here + for your reference (not parsed).</span> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Phase 2 proposal + (SA/Key Exchange) + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Protocol</td> + <td width="78%" class="vtable"> + <select name="proto" class="formselect"> + <?php foreach ($p2_protos as $proto => $protoname): ?> + <option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>> + <?=htmlspecialchars($protoname);?> + 
</option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl">ESP is encryption, AH is authentication only </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="0" cellpadding="0"> + <?php + foreach ($p2_ealgos as $algo => $algodata): + $checked = ''; + if (in_array($algo,$pconfig['ealgos'])) + $checked = " checked"; + ?> + <tr> + <td> + <input type="checkbox" name="ealgos[]?>" value="<?=$algo;?>"<?=$checked?>> + </td> + <td> + <?=htmlspecialchars($algodata['name']);?> + </td> + <td> + <?php if(is_array($algodata['keysel'])): ?> + + <select name="keylen_<?=$algo;?>" class="formselect"> + <option value="auto">auto</option> + <?php + $key_hi = $algodata['keysel']['hi']; + $key_lo = $algodata['keysel']['lo']; + $key_step = $algodata['keysel']['step']; + for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step): + $selected = ''; +// if ($checked && in_array("keylen_".$algo,$pconfig)) + if ($keylen == $pconfig["keylen_".$algo]) + $selected = " selected"; + ?> + <option value="<?=$keylen;?>"<?=$selected;?>><?=$keylen;?> bits</option> + <?php endfor; ?> + </select> + <?php endif; ?> + </td> + </tr> + <?php endforeach; ?> + </table> + <br> + Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption. 
+ </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Hash algorithms</td> + <td width="78%" class="vtable"> + <?php foreach ($p2_halgos as $algo => $algoname): ?> + <input type="checkbox" name="halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['halgos'])) echo "checked"; ?>> + <?=htmlspecialchars($algoname);?> + <br> + <?php endforeach; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">PFS key group</td> + <td width="78%" class="vtable"> + <select name="pfsgroup" class="formselect"> + <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> + <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['pfsgroup']) echo "selected"; ?>> + <?=htmlspecialchars($keygroupname);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl"><em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em></span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Lifetime</td> + <td width="78%" class="vtable"> + <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>"> + seconds + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <?php if (isset($p2index) && $a_phase2[$p2index]): ?> + <input name="p2index" type="hidden" value="<?=$p2index;?>"> + <?php endif; ?> + </td> + </tr> + </table> +</form> +<script lannguage="JavaScript"> +<!-- +typesel_change_local(<?=$pconfig['localid_netbits']?>); +typesel_change_remote(<?=$pconfig['remoteid_netbits']?>); +//--> +</script> +<?php include("fend.inc"); ?> + +<?php + +function pconfig_to_ealgos(& $pconfig) { + + global $p2_ealgos; + + $ealgos = array(); + foreach ($p2_ealgos as $algo_name => $algo_data) { + if (in_array($algo_name,$pconfig['ealgos'])) { + $ealg = array(); + $ealg['name'] = $algo_name; + if 
(is_array($algo_data['keysel']))
+ $ealg['keylen'] = $_POST["keylen_".$algo_name];
+ $ealgos[] = $ealg;
+ }
+ }
+
+ return $ealgos;
+}
+
+function ealgos_to_pconfig(& $ealgos,& $pconfig) {
+
+ $pconfig['ealgos'] = array();
+ foreach ($ealgos as $algo_data) {
+ $pconfig['ealgos'][] = $algo_data['name'];
+ if (isset($algo_data['keylen']))
+ $pconfig["keylen_".$algo_data['name']] = $algo_data['keylen'];
+ }
+
+ return $ealgos;
+}
+
+function pconfig_to_idinfo($prefix,& $pconfig) {
+
+ $type = $pconfig[$prefix."id_type"];
+ $address = $pconfig[$prefix."id_address"];
+ $netbits = $pconfig[$prefix."id_netbits"];
+
+ switch( $type )
+ {
+ case "address":
+ return array('type' => $type, 'address' => $address);
+ case "network":
+ return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
+ default:
+ return array('type' => $type );
+ }
+}
+
+function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) {
+
+ switch( $idinfo['type'] )
+ {
+ case "address":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ break;
+ case "network":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ $pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
+ break;
+ default:
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ break;
+ }
+}
+
+?>
diff --git a/usr/local/www/widgets/include/ipsec.inc b/usr/local/www/widgets/include/ipsec.inc
deleted file mode 100644
index 5484d63..0000000
--- a/usr/local/www/widgets/include/ipsec.inc
+++ /dev/null
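Review bot: Several values read back from `$pconfig` are written into the page without escaping — `localid_address`, `remoteid_address`, `lifetime`, `ikeid` and `p2index` in `value=` attributes, and `localid_netbits`/`remoteid_netbits` straight into the `typesel_change_local(...)` / `typesel_change_remote(...)` script calls at the bottom of the form; since `$pconfig = $_POST` on a failed submit, whatever was posted is reflected verbatim into HTML and JavaScript, so each should go through `htmlspecialchars()` as `descr` already does, and the two netbits arguments should be emitted as `(int)` values. The save path also stores `proto`, `halgos` and `pfsgroup` into the config after only the required-field check, without confirming they are keys of `$p2_protos`, `$p2_halgos` and `$p2_pfskeygroups` (the tables the form itself renders from), and it checks only that `ikeid` is set rather than that a phase1 entry with that ikeid exists; the membership checks below, placed next to the lifetime check, would keep unexpected strings out of the written configuration. Separately, the checkbox is named `ealgos[]?>`, which looks like a typo for `ealgos[]`; depending on how the submitted name is parsed this may leave `$pconfig['ealgos']` unset, in which case `pconfig_to_ealgos` hands null to `in_array` and every submit fails with "At least one encryption algorithm must be selected."
```php
	/* … unchanged: lifetime check … */
	if (!array_key_exists($_POST['proto'], $p2_protos))
		$input_errors[] = "A valid protocol must be selected.";
	if (!array_key_exists($_POST['pfsgroup'], $p2_pfskeygroups))
		$input_errors[] = "A valid PFS key group must be selected.";
	foreach ((array)$_POST['halgos'] as $halgo)
		if (!array_key_exists($halgo, $p2_halgos))
			$input_errors[] = "A valid hash algorithm must be selected.";
	/* … unchanged: if (!$input_errors) { … } … */
```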
@@ -1,81 +0,0 @@ -<?php -//set variable for custom title -$ipsec_title = "IPsec"; - -function get_ipsec_tunnel_sad() { - /* query SAD */ - $fd = @popen("/usr/local/sbin/setkey -D", "r"); - $sad = array(); - if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); - } - return($sad); -} - -function get_ipsec_tunnel_src($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - if ($tunnel['interface']) { - $if = $tunnel['interface']; - $realinterface = convert_friendly_interface_to_real_interface_name($if); - $interfaceip = find_interface_ip($realinterface); - } - return $interfaceip; -} - -function output_ipsec_tunnel_status($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - $interfaceip = get_ipsec_tunnel_src($tunnel); - $foundsrc = false; - $founddst = false; - - if(!is_array($sad)) { - /* we have no sad array, bail */ - return(false); - } - foreach($sad as $sa) { - if($sa['src'] == $interfaceip) - $foundsrc = true; - if($sa['dst'] == $tunnel['remote-gateway']) - $founddst = true; - } - if($foundsrc && $founddst) { - /* tunnel is up */ - $iconfn = "pass"; - return(true); - } else { - /* tunnel is down */ - $iconfn = "reject"; - return(false); - } -} - -?> diff --git a/usr/local/www/widgets/widgets/ipsec.widget.php b/usr/local/www/widgets/widgets/ipsec.widget.php index dd033c0..1a63029 100644 --- a/usr/local/www/widgets/widgets/ipsec.widget.php 
+++ b/usr/local/www/widgets/widgets/ipsec.widget.php @@ -33,9 +33,8 @@ require_once("guiconfig.inc"); require_once("pfsense-utils.inc"); require_once("functions.inc"); -require_once("/usr/local/www/widgets/include/ipsec.inc"); - if (isset($config['ipsec']['tunnel'])){?> + if (isset($config['ipsec']['phase1'])){?> <div> </div> <?php $tab_array = array(); @@ -43,26 +42,27 @@ require_once("/usr/local/www/widgets/include/ipsec.inc"); $tab_array[1] = array("Tunnel Status", false, "ipsec-tunnel"); display_widget_tabs($tab_array); - $sad = array(); - $sad = get_ipsec_tunnel_sad(); + $spd = ipsec_dump_spd(); + $sad = ipsec_dump_sad(); $activecounter = 0; $inactivecounter = 0; $ipsec_detail_array = array(); - foreach ($config['ipsec']['tunnel'] as $tunnel){ + foreach ($config['ipsec']['phase2'] as $ph2ent){ + ipsec_lookup_phase1($ph2ent,$ph1ent); $ipsecstatus = false; $tun_disabled = "false"; $foundsrc = false; $founddst = false; - if (isset($tunnel['disabled'])) { + if (isset($ph1ent['disabled']) || isset($ph2ent['disabled'])) { $tun_disabled = "true"; continue; - } + } - if(output_ipsec_tunnel_status($tunnel)) { + if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) { /* tunnel is up */ $iconfn = "true"; $activecounter++; @@ -72,16 +72,16 @@ require_once("/usr/local/www/widgets/include/ipsec.inc"); $inactivecounter++; } - $ipsec_detail_array[] = array('src' => $tunnel['interface'], - 'dest' => $tunnel['remote-gateway'], - 'remote-subnet' => $tunnel['remote-subnet'], - 'descr' => $tunnel['descr'], + $ipsec_detail_array[] = array('src' => $ph1ent['interface'], + 'dest' => $ph1ent['remote-gateway'], + 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']), + 'descr' => $ph2ent['descr'], 'status' => $iconfn, 'disabled' => $tun_disabled); } } - if (isset($config['ipsec']['tunnel'])){ ?> + if (isset($config['ipsec']['phase2'])){ ?> <div id="ipsec-Overview" style="display:block;background-color:#EEEEEE;"> <div> |
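Review bot: In the second hunk the return value of the new `ipsec_lookup_phase1($ph2ent,$ph1ent);` call is ignored and `$ph1ent` is never reset between iterations, so if the lookup fails for a phase2 whose `ikeid` has no matching phase1 (assuming the helper, defined outside this file, fills `$ph1ent` by reference and leaves it untouched on failure) the loop carries the previous iteration's `$ph1ent` forward and the orphaned phase2 is reported against the wrong interface and gateway. Guarding with `if (!ipsec_lookup_phase1($ph2ent,$ph1ent)) continue;`, or at minimum `unset($ph1ent);` before the call, would make that case visible instead of silently misattributed. The loop also iterates `$config['ipsec']['phase2']` while the enclosing check from the first hunk only tests `isset($config['ipsec']['phase1'])`, so a system with phase1 entries but no phase2 yet hits `foreach` on a missing array; the loop body continues in the following hunk.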