-rw-r--r-- | conf.default/config.xml | 2 | ||||
-rw-r--r-- | etc/inc/globals.inc | 4 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 4 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 8 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 136 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 10 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 85 |
7 files changed, 172 insertions, 77 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml index 76967fc..68ce2e1 100644 --- a/conf.default/config.xml +++ b/conf.default/config.xml @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!-- pfSense default system configuration --> <pfsense> - <version>5.7</version> + <version>5.8</version> <lastchange></lastchange> <theme>nervecenter</theme> <sysctl> diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index c8ae12d..bab855b 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -32,7 +32,7 @@ */ $g = array( - "factory_shipped_username" => "admin", + "factory_shipped_username" => "admin", "factory_shipped_password" => "pfsense", "upload_path" => "/root", "dhcpd_chroot_path" => "/var/dhcpd", @@ -58,7 +58,7 @@ $g = array( "product_website_footer" => "http://www.pfsense.org/?gui20", "product_email" => "coreteam@pfsense.org", "debug" => false, - "latest_config" => "5.7", + "latest_config" => "5.8", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "115", "minimum_ram_warning_text" => "128 megabytes", diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 6e206b3..44853d6 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -77,6 +77,10 @@ $p1_authentication_methods = array( 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); +$p2_modes = array( + 'tunnel' => 'Tunnel', + 'transport' => 'Transport'); + $p2_protos = array( 'esp' => 'ESP', 'ah' => 'AH'); diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index e8d6192..db59e6f 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -1725,4 +1725,12 @@ function upgrade_056_to_057() { unset($config['captiveportal']['user']); } } + +function upgrade_057_to_058() { + global $config; + /* set all phase2 entries to tunnel mode */ + if (is_array($config['ipsec']['phase2'])) + foreach($config['ipsec']['phase2'] as & $ph2ent) + $ph2ent['mode'] = 'tunnel'; +} ?> 
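Review bot: `upgrade_057_to_058()` iterates `$config['ipsec']['phase2']` by reference and leaves `$ph2ent` bound to the last element when the loop ends; it is a function local here so nothing later reuses it, but the conventional `unset($ph2ent);` after the loop costs nothing and keeps the reference from leaking if the function grows. The `is_array()` guard also indexes `$config['ipsec']['phase2']` directly, so a config with no `ipsec` section at all raises an undefined-index notice; `if (is_array($config['ipsec']) && is_array($config['ipsec']['phase2']))` avoids it. The hunks for config.xml and globals.inc are version bumps and need nothing.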
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e9ea34..18090db 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -587,75 +587,103 @@ EOD; $ikeid = $ph2ent['ikeid']; + if( !ipsec_lookup_phase1($ph2ent,$ph1ent)) + continue; + + if (isset($ph1ent['disabled'])) + continue; + if (isset($ph2ent['disabled'])) continue; if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) continue; - $localid_type = $ph2ent['localid']['type']; - if ($localid_type != "address") - $localid_type = "subnet"; + if ($ph2ent['mode'] == 'tunnel') { - $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']); - $localid_spec = $localid_type." ".$localid_data." any"; + $localid_type = $ph2ent['localid']['type']; + if ($localid_type != "address") + $localid_type = "subnet"; - if (!isset($ph2ent['mobile'])) { + $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']); + $localid_spec = $localid_type." ".$localid_data." any"; - $remoteid_type = $ph2ent['remoteid']['type']; - if ($remoteid_type != "address") - $remoteid_type = "subnet"; + if (!isset($ph2ent['mobile'])) { + $remoteid_type = $ph2ent['remoteid']['type']; + if ($remoteid_type != "address") + $remoteid_type = "subnet"; - $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']); - $remoteid_spec = $remoteid_type." ".$remoteid_data." any"; + $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']); + $remoteid_spec = $remoteid_type." ".$remoteid_data." 
any"; + } else + $remoteid_spec = "anonymous"; - } else - $remoteid_spec = "anonymous"; + } else { - $ealgos = ''; - $halgos = join(",", $ph2ent['hash-algorithm-option']); + $rgip = $rgmap[$ph1ent['remote-gateway']]; - $pfsline = ''; - if ($ph2ent['pfsgroup']) - $pfsline = "pfs_group {$ph2ent['pfsgroup']};"; - if (isset($a_client['pfs_group'])) { - $pfsline = ''; - if ($a_client['pfs_group']) - $pfsline = "pfs_group {$a_client['pfs_group']};"; + $localid_data = ipsec_get_phase1_src($ph1ent); + $localid_spec = "address {$localid_data}"; + + $remoteid_data = $rgmap[$ph1ent['remote-gateway']]; + $remoteid_spec = "address {$remoteid_data}"; } - $lifeline = ''; - if ($ph2ent['lifetime']) - $lifeline = "lifetime time {$ph2ent['lifetime']} secs;"; + if($ph2ent['proto'] == "esp") { + + $ealgos = ''; - foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { + foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { - $ealg_id = $ealg['name']; - $ealg_kl = $ealg['keylen']; + $ealg_id = $ealg['name']; + $ealg_kl = $ealg['keylen']; - if ($ealg_kl) { - if( $ealg_kl == "auto" ) { - $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; - $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; - $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; + if ($ealg_kl) { + if( $ealg_kl == "auto" ) { + $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; + $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; + $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; - for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { - if( $ealgos ) + for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { + if ($ealgos) + $ealgos = $ealgos.", "; + $ealgos = $ealgos.$ealg_id." ".$keylen; + } + } else { + if ($ealgos) $ealgos = $ealgos.", "; - $ealgos = $ealgos.$ealg_id." ".$keylen; + $ealgos = $ealgos.$ealg_id." ".$ealg_kl; } } else { if ($ealgos) $ealgos = $ealgos.", "; - $ealgos = $ealgos.$ealg_id." 
".$ealg_kl; + $ealgos = $ealgos.$ealg_id; } - } else { - if ($ealgos) - $ealgos = $ealgos.", "; - $ealgos = $ealgos.$ealg_id; } + + $ealgosline = "encryption_algorithm {$ealgos};"; + + } else { + + $ealgosline = "encryption_algorithm null_enc;"; } + $halgos = join(",", $ph2ent['hash-algorithm-option']); + $halgosline = "authentication_algorithm {$halgos};"; + + $pfsline = ''; + if ($ph2ent['pfsgroup']) + $pfsline = "pfs_group {$ph2ent['pfsgroup']};"; + if (isset($a_client['pfs_group'])) { + $pfsline = ''; + if ($a_client['pfs_group']) + $pfsline = "pfs_group {$a_client['pfs_group']};"; + } + + $lifeline = ''; + if ($ph2ent['lifetime']) + $lifeline = "lifetime time {$ph2ent['lifetime']} secs;"; + /* add sainfo section to configuration */ $racoonconf .=<<<EOD @@ -663,11 +691,11 @@ EOD; sainfo {$localid_spec} {$remoteid_spec} { remoteid {$ikeid}; - encryption_algorithm {$ealgos}; - authentication_algorithm {$halgos}; - compression_algorithm deflate; + {$ealgosline} + {$halgosline} {$pfsline} {$lifeline} + compression_algorithm deflate; } EOD; 
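Review bot: The ESP test in the middle of the hunk reads `$ph2ent['proto']`, but the phase 2 record stores the protocol under `protocol` (the SPD hunk in this same file uses `{$ph2ent['protocol']}`, and vpn_ipsec_phase2.php assigns `$ph2ent['protocol'] = $pconfig['proto']`), so the condition is never true and every ESP entry is emitted as `encryption_algorithm null_enc;`, i.e. racoon proposes unencrypted ESP. The line should read `if ($ph2ent['protocol'] == "esp") {`. Two smaller points in the transport branch: `$rgip` is assigned from `$rgmap[$ph1ent['remote-gateway']]` and then the identical lookup is repeated for `$remoteid_data`, and unlike the tunnel branch there is no `anonymous` case for mobile entries, so a mobile phase 1 without a fixed remote gateway would produce an empty `address` id (worth confirming against how mobile phase 1 entries are stored). The tunnel branch also appends the upper-layer protocol `any` to both ids while the transport branch omits it; confirm racoon accepts the bare `address` form in `sainfo`. The enclosing loop and function start before this hunk.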
@@ -735,11 +763,23 @@ EOD; mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } - $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " . - "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n"; + if($ph2ent['mode'] == "tunnel") { + + $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " . + "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n"; + + $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " . + "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n"; - $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " . - "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n"; + } else { + + $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " . + "{$ph2ent['protocol']}/transport//unique;\n"; + + $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " . + "{$ph2ent['protocol']}/transport//unique;\n"; + + } /* static route needed? */ if (preg_match("/^carp/i", $ph1ent['interface'])) diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index c309986..d43f457 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -285,8 +285,11 @@ include("head.inc"); </div> <table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="tdph2-<?=$i?>" style="display:none"> <tr> + <td class="listhdrr">Mode</td> + <?php if($ph2ent['mode'] == "tunnel"): ?> <td class="listhdrr">Local Subnet</td> <td class="listhdrr">Remote Subnet</td> + <?php endif; ?> <td class="listhdrr">P2 Protocol</td> <td class="listhdrr">P2 Transforms</td> <td class="listhdrr">P2 Auth Methods</td> @@ -315,6 +318,12 @@ include("head.inc"); <td nowrap class="listlr"> <?=$spans;?> + <?=$ph2ent['mode'];?> + <?=$spane;?> + </td> + <?php if($ph2ent['mode'] == "tunnel"): ?> + <td nowrap class="listr"> + <?=$spans;?> <?=ipsec_idinfo_to_text($ph2ent['localid']); ?> <?=$spane;?> </td> 
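Review bot: Both branches of the new `if($ph2ent['mode'] == "tunnel")` repeat the two `spdadd` lines and differ only in the policy string, which invites the two copies drifting apart; compute the out/in policies first and emit the `spdadd` lines once. Note also that the transport branch still uses `{$localid}` and `{$remoteid}` as selectors, which in tunnel mode come from the phase 2 local/remote ids — values vpn_ipsec_phase2.php no longer stores for transport entries — so unless they are derived from the phase 1 endpoints earlier in this function (their assignment is outside the hunk) the transport policies will carry empty selectors; worth confirming. The enclosing loop starts before this hunk.
```php
/* … unchanged: gif interface setup … */
if ($ph2ent['mode'] == "tunnel") {
	$policy_out = "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique";
	$policy_in  = "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique";
} else {
	$policy_out = "{$ph2ent['protocol']}/transport//unique";
	$policy_in  = $policy_out;
}
$spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec {$policy_out};\n";
$spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec {$policy_in};\n";
/* … unchanged: static route handling … */
```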
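Review bot: The new Local/Remote Subnet header cells are wrapped in `<?php if($ph2ent['mode'] == "tunnel"): ?>`, but this is the header row of the per-phase-1 table, emitted before the phase 2 rows; unless `$ph2ent` is already bound to the entry about to be listed (the surrounding loop is outside the hunk) the test reads a stale or undefined value, and when one phase 1 mixes tunnel and transport entries the header and the per-row cells (guarded per entry in the next hunk) will not line up. Emitting the two header cells unconditionally and rendering an empty `<td class="listr">` pair for transport rows keeps the columns aligned regardless of mode.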
@@ -323,6 +332,7 @@ include("head.inc"); <?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?> <?=$spane;?> </td> + <?php endif; ?> <td nowrap class="listr"> <?=$spans;?> <?php echo $p2_protos[$ph2ent['protocol']]; ?> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index bd922b4..1056497 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -63,6 +63,7 @@ if (isset($p2index) && $a_phase2[$p2index]) { $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid']; $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']); + $pconfig['mode'] = $a_phase2[$p2index]['mode']; $pconfig['descr'] = $a_phase2[$p2index]['descr']; $old_ph2ent = $a_phase2[$p2index]; 
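Review bot: `<?=$ph2ent['mode'];?>` prints the stored mode straight into the HTML, whereas the neighbouring cells go through `ipsec_idinfo_to_text()` and the protocol cell looks its value up in `$p2_protos`; since the validation in vpn_ipsec_phase2.php does not check `mode` against `$p2_modes` before the save hunk stores it, this should be `<?=htmlspecialchars($p2_modes[$ph2ent['mode']]);?>`, which also shows the display label instead of the key. `$p2_modes` is defined in ipsec.inc next to `$p2_protos`, which this page already uses.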
@@ -118,24 +119,27 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - switch ($pconfig['localid_type']) { - case "network": - if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits'])) - $input_errors[] = "A valid local network bit count must be specified.."; - case "address": - if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) - $input_errors[] = "A valid local network IP address must be specified."; - break; - } + if($pconfig['mode'] == "tunnel") + { + switch ($pconfig['localid_type']) { + case "network": + if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits'])) + $input_errors[] = "A valid local network bit count must be specified.."; + case "address": + if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) + $input_errors[] = "A valid local network IP address must be specified."; + break; + } - switch ($pconfig['remoteid_type']) { - case "network": - if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) - $input_errors[] = "A valid remote network bit count must be specified.."; - case "address": - if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) - $input_errors[] = "A valid remote network IP address must be specified."; - break; + switch ($pconfig['remoteid_type']) { + case "network": + if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) + $input_errors[] = "A valid remote network bit count must be specified.."; + case "address": + if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) + $input_errors[] = "A valid remote network IP address must be specified."; + break; + } } /* TODO : Validate enabled phase2's are not duplicates */ 
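Review bot: The local/remote network validation is now gated on `$pconfig['mode'] == "tunnel"`, but `mode` itself is never validated: any posted value other than `tunnel` skips both checks and is then stored verbatim by the save hunk, so a typo or an unexpected form value silently produces a transport-mode entry carrying an unknown mode string in the config. Add a check at the top of this block, before the tunnel test: `if (!array_key_exists($pconfig['mode'], $p2_modes)) $input_errors[] = "A valid mode must be specified.";` (`$p2_modes` comes from ipsec.inc, which this page already relies on for `$p2_protos`). The enclosing `if ($_POST)` block starts and ends outside the hunk.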
@@ -152,10 +156,13 @@ if ($_POST) { if (!$input_errors) { $ph2ent['ikeid'] = $pconfig['ikeid']; + $ph2ent['mode'] = $pconfig['mode']; $ph2ent['disabled'] = $pconfig['disabled'] ? true : false; - $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig); - $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig); + if($ph2ent['mode'] == "tunnel") { + $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig); + $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig); + } $ph2ent['protocol'] = $pconfig['proto']; $ph2ent['encryption-algorithm-option'] = $ealgos; @@ -202,6 +209,19 @@ include("head.inc"); <?php include("fbegin.inc"); ?> <script language="JavaScript"> <!-- + +function change_mode() { + index = document.iform.mode.selectedIndex; + value = document.iform.mode.options[index].value; + if (value == 'tunnel') { + document.getElementById('opt_localid').style.display = ''; + document.getElementById('opt_remoteid').style.display = ''; + } else { + document.getElementById('opt_localid').style.display = 'none'; + document.getElementById('opt_remoteid').style.display = 'none'; + } +} + function typesel_change_local(bits) { if (!bits) @@ -264,7 +284,7 @@ function typesel_change_remote(bits) { <?php endif; ?> -function protocol_change() { +function change_protocol() { index = document.iform.proto.selectedIndex; value = document.iform.proto.options[index].value; if (value == 'esp') @@ -299,10 +319,6 @@ function protocol_change() { <div class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" valign="top" class="vncellreq">Mode</td> - <td width="78%" class="vtable"> Tunnel</td> - </tr> - <tr> <td width="22%" valign="top" class="vncellreq">Disabled</td> <td width="78%" class="vtable"> <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> 
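Review bot: `change_mode()` dereferences `document.getElementById('opt_remoteid').style` unconditionally, but the `opt_remoteid` row is only rendered when `!isset($pconfig['mobile'])` (see the `<tr id="opt_remoteid">` hunk further down), so on a mobile phase 2 the page-load call throws on a null element and the `change_protocol()` and `typesel_change_*()` calls that follow it in the same script block never run. Guard both lookups and compute the display value once; declaring the locals with `var` also avoids the implicit globals `index` and `value` that the existing `change_protocol()` shares.
```javascript
function change_mode() {
	var index = document.iform.mode.selectedIndex;
	var value = document.iform.mode.options[index].value;
	var display = (value == 'tunnel') ? '' : 'none';
	var localid = document.getElementById('opt_localid');
	var remoteid = document.getElementById('opt_remoteid');
	if (localid) localid.style.display = display;
	if (remoteid) remoteid.style.display = display;
}
```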
@@ -314,6 +330,21 @@ function protocol_change() { </td> </tr> <tr> + <td width="22%" valign="top" class="vncellreq">Mode</td> + <td width="78%" class="vtable"> + <select name="mode" class="formselect" onChange="change_mode()"> + <?php + foreach($p2_modes as $name => $value): + $selected = ""; + if ($name == $pconfig['mode']) + $selected = "selected"; + ?> + <option value="<?=$name;?>" <?=$selected;?>><?=$value;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr id="opt_localid"> <td width="22%" valign="top" class="vncellreq">Local Network</td> <td width="78%" class="vtable"> <table border="0" cellspacing="0" cellpadding="0"> @@ -349,7 +380,7 @@ function protocol_change() { <?php if (!isset($pconfig['mobile'])): ?> - <tr> + <tr id="opt_remoteid"> <td width="22%" valign="top" class="vncellreq">Remote Network</td> <td width="78%" class="vtable"> <table border="0" cellspacing="0" cellpadding="0"> @@ -406,7 +437,7 @@ function protocol_change() { <tr> <td width="22%" valign="top" class="vncellreq">Protocol</td> <td width="78%" class="vtable"> - <select name="proto" class="formselect" onChange="protocol_change()"> + <select name="proto" class="formselect" onChange="change_protocol()"> <?php foreach ($p2_protos as $proto => $protoname): ?> <option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>> <?=htmlspecialchars($protoname);?> @@ -548,6 +579,8 @@ function protocol_change() { </form> <script lannguage="JavaScript"> <!-- +change_mode('<?=$pconfig['mode']?>'); +change_protocol('<?=$pconfig['proto']?>'); typesel_change_local(<?=$pconfig['localid_netbits']?>); typesel_change_remote(<?=$pconfig['remoteid_netbits']?>); //--> |
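Review bot: `change_mode('<?=$pconfig['mode']?>')` and `change_protocol('<?=$pconfig['proto']?>')` interpolate form values into inline JavaScript without escaping, and after a failed submit `$pconfig` presumably reflects what was posted (the assignment is outside the hunk); the pre-existing `typesel_change_*` lines have the same shape. Neither `change_mode()` nor `change_protocol()` takes a parameter — both read the current selection from `document.iform` — so the arguments are dead and the interpolation can simply be dropped: `change_mode();` and `change_protocol();`. The `@@ -314` hunk's `<?=$name;?>` and `<?=$value;?>` come from the static `$p2_modes` table and are fine as they are.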