-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/globals.inc4
-rw-r--r--etc/inc/ipsec.inc4
-rw-r--r--etc/inc/upgrade_config.inc8
-rw-r--r--etc/inc/vpn.inc136
-rwxr-xr-xusr/local/www/vpn_ipsec.php10
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php85
7 files changed, 172 insertions, 77 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 76967fc..68ce2e1 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!-- pfSense default system configuration -->
<pfsense>
- <version>5.7</version>
+ <version>5.8</version>
<lastchange></lastchange>
<theme>nervecenter</theme>
<sysctl>
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index c8ae12d..bab855b 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -32,7 +32,7 @@
*/
$g = array(
- "factory_shipped_username" => "admin",
+ "factory_shipped_username" => "admin",
"factory_shipped_password" => "pfsense",
"upload_path" => "/root",
"dhcpd_chroot_path" => "/var/dhcpd",
@@ -58,7 +58,7 @@ $g = array(
"product_website_footer" => "http://www.pfsense.org/?gui20",
"product_email" => "coreteam@pfsense.org",
"debug" => false,
- "latest_config" => "5.7",
+ "latest_config" => "5.8",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 6e206b3..44853d6 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -77,6 +77,10 @@ $p1_authentication_methods = array(
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
+$p2_modes = array(
+ 'tunnel' => 'Tunnel',
+ 'transport' => 'Transport');
+
$p2_protos = array(
'esp' => 'ESP',
'ah' => 'AH');
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index e8d6192..db59e6f 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1725,4 +1725,12 @@ function upgrade_056_to_057() {
unset($config['captiveportal']['user']);
}
}
+
+function upgrade_057_to_058() {
+ global $config;
+ /* set all phase2 entries to tunnel mode */
+ if (is_array($config['ipsec']['phase2']))
+ foreach($config['ipsec']['phase2'] as & $ph2ent)
+ $ph2ent['mode'] = 'tunnel';
+}
?>
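Review bot: `$config['ipsec']['phase2']` is dereferenced without first checking that `$config['ipsec']` exists, so on a configuration with no IPsec section the upgrade step raises an undefined-index notice; guard it with `if (isset($config['ipsec']['phase2']) && is_array($config['ipsec']['phase2']))`. The by-reference `foreach` is only safe here because the function returns right after the loop; adding `unset($ph2ent);` after it keeps the idiom explicit if more code is ever appended to this upgrade step.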
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e9ea34..18090db 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -587,75 +587,103 @@ EOD;
$ikeid = $ph2ent['ikeid'];
+ if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
+ continue;
+
+ if (isset($ph1ent['disabled']))
+ continue;
+
if (isset($ph2ent['disabled']))
continue;
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
continue;
- $localid_type = $ph2ent['localid']['type'];
- if ($localid_type != "address")
- $localid_type = "subnet";
+ if ($ph2ent['mode'] == 'tunnel') {
- $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- $localid_spec = $localid_type." ".$localid_data." any";
+ $localid_type = $ph2ent['localid']['type'];
+ if ($localid_type != "address")
+ $localid_type = "subnet";
- if (!isset($ph2ent['mobile'])) {
+ $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
+ $localid_spec = $localid_type." ".$localid_data." any";
- $remoteid_type = $ph2ent['remoteid']['type'];
- if ($remoteid_type != "address")
- $remoteid_type = "subnet";
+ if (!isset($ph2ent['mobile'])) {
+ $remoteid_type = $ph2ent['remoteid']['type'];
+ if ($remoteid_type != "address")
+ $remoteid_type = "subnet";
- $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
- $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ } else
+ $remoteid_spec = "anonymous";
- } else
- $remoteid_spec = "anonymous";
+ } else {
- $ealgos = '';
- $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $rgip = $rgmap[$ph1ent['remote-gateway']];
- $pfsline = '';
- if ($ph2ent['pfsgroup'])
- $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
- if (isset($a_client['pfs_group'])) {
- $pfsline = '';
- if ($a_client['pfs_group'])
- $pfsline = "pfs_group {$a_client['pfs_group']};";
+ $localid_data = ipsec_get_phase1_src($ph1ent);
+ $localid_spec = "address {$localid_data}";
+
+ $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
+ $remoteid_spec = "address {$remoteid_data}";
}
- $lifeline = '';
- if ($ph2ent['lifetime'])
- $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+ if($ph2ent['proto'] == "esp") {
+
+ $ealgos = '';
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
- if ($ealg_kl) {
- if( $ealg_kl == "auto" ) {
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ if ($ealg_kl) {
+ if( $ealg_kl == "auto" ) {
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if( $ealgos )
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if ($ealgos)
+ $ealgos = $ealgos.", ";
+ $ealgos = $ealgos.$ealg_id." ".$keylen;
+ }
+ } else {
+ if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$keylen;
+ $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
}
} else {
if ($ealgos)
$ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
+ $ealgos = $ealgos.$ealg_id;
}
- } else {
- if ($ealgos)
- $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id;
}
+
+ $ealgosline = "encryption_algorithm {$ealgos};";
+
+ } else {
+
+ $ealgosline = "encryption_algorithm null_enc;";
}
+ $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $halgosline = "authentication_algorithm {$halgos};";
+
+ $pfsline = '';
+ if ($ph2ent['pfsgroup'])
+ $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
+ if (isset($a_client['pfs_group'])) {
+ $pfsline = '';
+ if ($a_client['pfs_group'])
+ $pfsline = "pfs_group {$a_client['pfs_group']};";
+ }
+
+ $lifeline = '';
+ if ($ph2ent['lifetime'])
+ $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+
/* add sainfo section to configuration */
$racoonconf .=<<<EOD
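Review bot: The new `if($ph2ent['proto'] == "esp")` test reads a key the phase2 entry does not carry: everywhere else the protocol is stored and read as `$ph2ent['protocol']` (the spdadd lines later in this file and the save path in vpn_ipsec_phase2.php), so unless code outside the hunk also sets `proto`, the condition is always false and every sainfo section is written with `encryption_algorithm null_enc;`, meaning ESP associations would be offered with NULL encryption. The line should read `if ($ph2ent['protocol'] == "esp") {`. In the transport branch `$rgip = $rgmap[$ph1ent['remote-gateway']];` is assigned but not read within the hunk and the same lookup is repeated for `$remoteid_data` a few lines later; unless `$rgip` is consumed further down the function (which continues outside the hunk), drop it. For mobile phase1 entries the remote gateway is presumably not a fixed address, so the transport branch would emit an empty `address` selector; confirm whether transport mode should be rejected for mobile entries in the form validation instead.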
@@ -663,11 +691,11 @@ EOD;
sainfo {$localid_spec} {$remoteid_spec}
{
remoteid {$ikeid};
- encryption_algorithm {$ealgos};
- authentication_algorithm {$halgos};
- compression_algorithm deflate;
+ {$ealgosline}
+ {$halgosline}
{$pfsline}
{$lifeline}
+ compression_algorithm deflate;
}
EOD;
@@ -735,11 +763,23 @@ EOD;
mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
}
- $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+ if($ph2ent['mode'] == "tunnel") {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
- $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
+ } else {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ }
/* static route needed? */
if (preg_match("/^carp/i", $ph1ent['interface']))
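Review bot: The transport branch reuses `{$localid}` and `{$remoteid}` unchanged, but those variables are derived above this hunk and, for transport entries, the phase2 form no longer stores `localid`/`remoteid` in the config; confirm that the code above sets them from the phase1 endpoints when `$ph2ent['mode']` is `"transport"`, otherwise these spdadd lines are emitted with empty selectors. The two branches differ only in the `/tunnel/{$ep}-{$rgip}` versus `/transport/` segment, so one pair of spdadd lines with a `$sa_spec` variable chosen by the mode would remove the duplicated strings. The enclosing function starts and ends outside the hunk.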
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index c309986..d43f457 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -285,8 +285,11 @@ include("head.inc");
</div>
<table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="tdph2-<?=$i?>" style="display:none">
<tr>
+ <td class="listhdrr">Mode</td>
+ <?php if($ph2ent['mode'] == "tunnel"): ?>
<td class="listhdrr">Local Subnet</td>
<td class="listhdrr">Remote Subnet</td>
+ <?php endif; ?>
<td class="listhdrr">P2 Protocol</td>
<td class="listhdrr">P2 Transforms</td>
<td class="listhdrr">P2 Auth Methods</td>
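Review bot: The column-header row tests `$ph2ent['mode']`, but this `<tr>` heads the per-phase1 table and is presumably emitted before the loop that assigns `$ph2ent` (the loop is outside this hunk), so the value here is either undefined or stale from the previously rendered table, and the header column count will not match rows whose mode differs. Since one phase1 can hold both tunnel and transport phase2 entries, the header should not be conditional: keep the Local/Remote Subnet header cells unconditionally and let transport rows render those cells empty.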
@@ -315,6 +318,12 @@ include("head.inc");
<td nowrap class="listlr">
<?=$spans;?>
+ <?=$ph2ent['mode'];?>
+ <?=$spane;?>
+ </td>
+ <?php if($ph2ent['mode'] == "tunnel"): ?>
+ <td nowrap class="listr">
+ <?=$spans;?>
<?=ipsec_idinfo_to_text($ph2ent['localid']); ?>
<?=$spane;?>
</td>
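Review bot: `<?=$ph2ent['mode'];?>` prints the stored mode string into HTML without escaping, whereas the protocol cell below looks its value up in `$p2_protos`; the mode value originates from the phase2 form POST, which this commit does not validate against `$p2_modes`. Use the same lookup pattern and escape it, `<?=htmlspecialchars($p2_modes[$ph2ent['mode']]);?>`, which both neutralises the output and shows the human-readable label.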
@@ -323,6 +332,7 @@ include("head.inc");
<?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
<?=$spane;?>
</td>
+ <?php endif; ?>
<td nowrap class="listr">
<?=$spans;?>
<?php echo $p2_protos[$ph2ent['protocol']]; ?>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index bd922b4..1056497 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -63,6 +63,7 @@ if (isset($p2index) && $a_phase2[$p2index])
{
$pconfig['ikeid'] = $a_phase2[$p2index]['ikeid'];
$pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']);
+ $pconfig['mode'] = $a_phase2[$p2index]['mode'];
$pconfig['descr'] = $a_phase2[$p2index]['descr'];
$old_ph2ent = $a_phase2[$p2index];
@@ -118,24 +119,27 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- switch ($pconfig['localid_type']) {
- case "network":
- if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits']))
- $input_errors[] = "A valid local network bit count must be specified..";
- case "address":
- if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
- $input_errors[] = "A valid local network IP address must be specified.";
- break;
- }
+ if($pconfig['mode'] == "tunnel")
+ {
+ switch ($pconfig['localid_type']) {
+ case "network":
+ if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits']))
+ $input_errors[] = "A valid local network bit count must be specified..";
+ case "address":
+ if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
+ $input_errors[] = "A valid local network IP address must be specified.";
+ break;
+ }
- switch ($pconfig['remoteid_type']) {
- case "network":
- if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits']))
- $input_errors[] = "A valid remote network bit count must be specified..";
- case "address":
- if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
- $input_errors[] = "A valid remote network IP address must be specified.";
- break;
+ switch ($pconfig['remoteid_type']) {
+ case "network":
+ if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits']))
+ $input_errors[] = "A valid remote network bit count must be specified..";
+ case "address":
+ if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
+ $input_errors[] = "A valid remote network IP address must be specified.";
+ break;
+ }
}
/* TODO : Validate enabled phase2's are not duplicates */
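Review bot: `$pconfig['mode']` is saved into the config later in this file without being checked against the keys of `$p2_modes`, so any POSTed string becomes the stored mode and is afterwards echoed on vpn_ipsec.php and interpolated into this page's inline script. Add a check alongside the other validations, before the tunnel-only block: `if (!array_key_exists($pconfig['mode'], $p2_modes)) $input_errors[] = "A valid mode must be specified.";`. The duplicated local/remote `switch` blocks differ only in key names and messages and could be folded into one helper taking the `local`/`remote` prefix.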
@@ -152,10 +156,13 @@ if ($_POST) {
if (!$input_errors) {
$ph2ent['ikeid'] = $pconfig['ikeid'];
+ $ph2ent['mode'] = $pconfig['mode'];
$ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
- $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig);
- $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig);
+ if($ph2ent['mode'] == "tunnel") {
+ $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig);
+ $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig);
+ }
$ph2ent['protocol'] = $pconfig['proto'];
$ph2ent['encryption-algorithm-option'] = $ealgos;
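Review bot: When the mode is not tunnel the `localid`/`remoteid` keys are simply skipped, so if `$ph2ent` is seeded from the entry being edited (its initialisation is outside the hunk) an entry switched from tunnel to transport keeps its stale subnet selectors in the config. If that is the case, add an `else { unset($ph2ent['localid'], $ph2ent['remoteid']); }` branch so the stored entry reflects the selected mode.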
@@ -202,6 +209,19 @@ include("head.inc");
<?php include("fbegin.inc"); ?>
<script language="JavaScript">
<!--
+
+function change_mode() {
+ index = document.iform.mode.selectedIndex;
+ value = document.iform.mode.options[index].value;
+ if (value == 'tunnel') {
+ document.getElementById('opt_localid').style.display = '';
+ document.getElementById('opt_remoteid').style.display = '';
+ } else {
+ document.getElementById('opt_localid').style.display = 'none';
+ document.getElementById('opt_remoteid').style.display = 'none';
+ }
+}
+
function typesel_change_local(bits) {
if (!bits)
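Review bot: `change_mode()` dereferences `document.getElementById('opt_remoteid').style` unconditionally, but the `opt_remoteid` row is only rendered when `$pconfig['mobile']` is not set (the `if (!isset($pconfig['mobile']))` guard around that row is visible in a later hunk), so on a mobile phase2 page the page-load call throws a TypeError and the `change_protocol()`/`typesel_change_*` calls that follow it never run. `index` and `value` are also assigned without `var`, leaking them as globals. Null-check the elements and declare the locals:
```javascript
function change_mode() {
    var index = document.iform.mode.selectedIndex;
    var value = document.iform.mode.options[index].value;
    var display = (value == 'tunnel') ? '' : 'none';
    var localid = document.getElementById('opt_localid');
    var remoteid = document.getElementById('opt_remoteid');
    if (localid)
        localid.style.display = display;
    if (remoteid)
        remoteid.style.display = display;
}
```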
@@ -264,7 +284,7 @@ function typesel_change_remote(bits) {
<?php endif; ?>
-function protocol_change() {
+function change_protocol() {
index = document.iform.proto.selectedIndex;
value = document.iform.proto.options[index].value;
if (value == 'esp')
@@ -299,10 +319,6 @@ function protocol_change() {
<div class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td width="22%" valign="top" class="vncellreq">Mode</td>
- <td width="78%" class="vtable"> Tunnel</td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncellreq">Disabled</td>
<td width="78%" class="vtable">
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
@@ -314,6 +330,21 @@ function protocol_change() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq">Mode</td>
+ <td width="78%" class="vtable">
+ <select name="mode" class="formselect" onChange="change_mode()">
+ <?php
+ foreach($p2_modes as $name => $value):
+ $selected = "";
+ if ($name == $pconfig['mode'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$name;?>" <?=$selected;?>><?=$value;?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr id="opt_localid">
<td width="22%" valign="top" class="vncellreq">Local Network</td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="0">
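Review bot: The new mode `<select>` builds `$selected` in a separate PHP block, while the protocol select further down in this file uses an inline `<?php if ($proto == $pconfig['proto']) echo "selected"; ?>` and wraps the label in `htmlspecialchars()`; keeping both selects in one style makes the form easier to maintain. `<option value="<?=$name;?>" <?php if ($name == $pconfig['mode']) echo "selected"; ?>><?=htmlspecialchars($value);?></option>` would match the existing pattern.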
@@ -349,7 +380,7 @@ function protocol_change() {
<?php if (!isset($pconfig['mobile'])): ?>
- <tr>
+ <tr id="opt_remoteid">
<td width="22%" valign="top" class="vncellreq">Remote Network</td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="0">
@@ -406,7 +437,7 @@ function protocol_change() {
<tr>
<td width="22%" valign="top" class="vncellreq">Protocol</td>
<td width="78%" class="vtable">
- <select name="proto" class="formselect" onChange="protocol_change()">
+ <select name="proto" class="formselect" onChange="change_protocol()">
<?php foreach ($p2_protos as $proto => $protoname): ?>
<option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
<?=htmlspecialchars($protoname);?>
@@ -548,6 +579,8 @@ function protocol_change() {
</form>
<script lannguage="JavaScript">
<!--
+change_mode('<?=$pconfig['mode']?>');
+change_protocol('<?=$pconfig['proto']?>');
typesel_change_local(<?=$pconfig['localid_netbits']?>);
typesel_change_remote(<?=$pconfig['remoteid_netbits']?>);
//-->
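Review bot: `change_mode()` and `change_protocol()` ignore their argument (both read the current `<select>` state instead), and the values are interpolated into a JavaScript string literal without escaping; `$pconfig['mode']` in particular is not validated against `$p2_modes` anywhere in this commit, so an unexpected stored value would break out of the literal. Call them without arguments, `change_mode();` and `change_protocol();`, since the selects are already rendered with the saved value selected.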