-rw-r--r-- | etc/inc/ipsec.inc | 6 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 12 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_keys.php | 21 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_keys_edit.php | 20 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 5 |
5 files changed, 61 insertions, 3 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 2762616..e9519e4 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -112,9 +112,15 @@ $p1_authentication_methods = array(
 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
+ 'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false )
 );
+$ipsec_preshared_key_type = array(
+ 'PSK' => 'PSK',
+ 'EAP' => 'EAP'
+ );
+
 $p2_modes = array(
 'tunnel' => 'Tunnel IPv4',
 'tunnel6' => 'Tunnel IPv6',
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e3335d..06c16fb 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -516,7 +516,9 @@ EOD;
 foreach ($ipseccfg['mobilekey'] as $key) {
 if ($key['ident'] == "allusers")
 $key['ident'] = '%any';
- $pskconf .= "%any {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
+ if (empty($key['type']))
+ $key['type'] = 'PSK';
+ $pskconf .= "%any {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
 }
 unset($key);
 }
@@ -616,6 +618,14 @@ EOD;
 $authentication = "";
 switch ($ph1ent['authentication_method']) {
+ case 'eap-mschapv2':
+ if (isset($ph1ent['mobile'])) {
+ $authentication = "eap_identity=%any\n\t";
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ }
+ break;
 case 'eap-tls':
 $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
 if (!empty($ph1ent['certref']))
diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php
index a9bd0f0..ebddcc9 100644
--- a/usr/local/www/vpn_ipsec_keys.php
+++ b/usr/local/www/vpn_ipsec_keys.php
@@ -52,7 +52,7 @@ $a_secret = &$config['ipsec']['mobilekey'];
 $userkeys = array();
 foreach ($config['system']['user'] as $id => $user) {
 if (!empty($user['ipsecpsk'])) {
- $userkeys[] = array('ident' => $user['name'], 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id);;
+ $userkeys[] = array('ident' => $user['name'], 'type' => 'PSK', 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id);;
 }
 }
@@ -110,6 +110,7 @@ if (is_subsystem_dirty('ipsec'))
 <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0" summary="main area">
 <tr>
 <td class="listhdrr"><?=gettext("Identifier"); ?></td>
+ <td class="listhdrr"><?=gettext("Type"); ?></td>
 <td class="listhdr"><?=gettext("Pre-Shared Key"); ?></td>
 <td class="list">
 <table border="0" cellspacing="0" cellpadding="1" summary="add key">
@@ -130,6 +131,14 @@ if (is_subsystem_dirty('ipsec'))
 echo htmlspecialchars($secretent['ident']);
 ?>
 </td>
+ <td class="listlr gray">
+ <?php
+ if (empty($secretent['type']))
+ echo 'PSK';
+ else
+ echo htmlspecialchars($secretent['type']);
+ ?>
+ </td>
 <td class="listr gray">
 <?=htmlspecialchars($secretent['pre-shared-key']);?>
 </td>
@@ -150,6 +159,14 @@ if (is_subsystem_dirty('ipsec'))
 <td class="listlr">
 <?=htmlspecialchars($secretent['ident']);?>
 </td>
+ <td class="listlr">
+ <?php
+ if (empty($secretent['type']))
+ echo 'PSK';
+ else
+ echo htmlspecialchars($secretent['type']);
+ ?>
+ </td>
 <td class="listr">
 <?=htmlspecialchars($secretent['pre-shared-key']);?>
 </td>
@@ -158,7 +175,7 @@ if (is_subsystem_dirty('ipsec'))
 </tr>
 <?php $i++; endforeach; ?>
 <tr>
- <td class="list" colspan="2"></td>
+ <td class="list" colspan="3"></td>
 <td class="list">
 <table border="0" cellspacing="0" cellpadding="1" summary="add key">
 <tr>
diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php
index 741f4ed..82ab80c 100644
--- a/usr/local/www/vpn_ipsec_keys_edit.php
+++ b/usr/local/www/vpn_ipsec_keys_edit.php
@@ -55,6 +55,7 @@ if (isset($_POST['id']) && is_numericint($_POST['id']))
 if (isset($id) && $a_secret[$id]) {
 $pconfig['ident'] = $a_secret[$id]['ident'];
+ $pconfig['type'] = $a_secret[$id]['type'];
 $pconfig['psk'] = $a_secret[$id]['pre-shared-key'];
 }
@@ -99,6 +100,7 @@ if ($_POST) {
 $secretent = $a_secret[$id];
 $secretent['ident'] = $_POST['ident'];
+ $secretent['type'] = $_POST['type'];
 $secretent['pre-shared-key'] = $_POST['psk'];
 $text = "";
@@ -130,6 +132,9 @@ include("head.inc");
 <?php if ($input_errors) print_input_errors($input_errors); ?>
 <form action="vpn_ipsec_keys_edit.php" method="post" name="iform" id="iform">
 <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="vpn ipsec keys edit">
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Edit pre-shared secret</td>
+ </tr>
 <tr>
 <td valign="top" class="vncellreq"><?=gettext("Identifier"); ?></td>
 <td class="vtable">
@@ -139,6 +144,21 @@ include("head.inc");
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Secret type"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="type" class="formselect">
+ <?php
+ foreach ($ipsec_preshared_key_type as $value => $descr) {
+ echo "<option value='{$value}' ";
+ if ($pconfig['type'] == $value)
+ echo "selected=\"selected\"";
+ echo ">{$descr}</option>";
+ }
+ ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
 <td width="78%" class="vtable">
 <?=$mandfldhtml;?><input name="psk" type="text" class="formfld unknown" id="psk" size="40" value="<?=htmlspecialchars($pconfig['psk']);?>" />
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 9463d2f..04dd443 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -162,6 +162,10 @@ if ($_POST) {
 // Only require PSK here for normal PSK tunnels (not mobile) or xauth.
 // For RSA methods, require the CA/Cert.
 switch ($method) {
+ case 'eap-mschapv2':
+ if ($pconfig['iketype'] != 'ikev2')
+ $input_errors[] = gettext("EAP-MSChapv2 can only be used with IKEv2 type VPNs.");
+ break;
 case "eap-tls":
 if ($pconfig['iketype'] != 'ikev2')
 $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
@@ -448,6 +452,7 @@ function methodsel_change() {
 value = document.iform.authentication_method.options[index].value;
 switch (value) {
+ case 'eap-mschapv2':
 case 'eap-tls':
 document.getElementById('opt_psk').style.display = 'none';
 document.getElementById('opt_peerid').style.display = ''; |
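Review bot: `$ipsec_preshared_key_type` has no comment saying what its keys mean, and because key and label are identical a reader cannot tell which side is significant. The keys are the literal secret-type tokens that vpn.inc interpolates into the ipsec.secrets line (`: {$key['type']} 0s…`), while the values are only the labels shown by the `<select>` in vpn_ipsec_keys_edit.php, so I would add `// keys are the literal secret-type tokens written to ipsec.secrets; values are the UI labels` above the array.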
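Review bot: `$key['type']` is interpolated into the ipsec.secrets line without being checked against `$ipsec_preshared_key_type`; the only thing constraining it is the browser `<select>`, because the POST handler in vpn_ipsec_keys_edit.php (hunk @@ -99,6 +100,7) stores `$_POST['type']` as-is, so a crafted request or a hand-edited config can put arbitrary text into the secrets file. Validate in that handler, `if (!array_key_exists($_POST['type'], $ipsec_preshared_key_type)) $input_errors[] = gettext("Invalid secret type.");`, which reuses the array that file already has in scope for the form. Here, treating any value that is not a key of that array the same way as the empty case would keep the generator robust against stale config. The enclosing function starts before the hunk.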
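Review bot: For a phase1 without `mobile` set, the new `case 'eap-mschapv2':` leaves `$authentication` at `""` and breaks out of the switch, so the conn stanza is written with no leftauth/rightauth lines and nothing reports why. The validation added in vpn_ipsec_phase1.php (hunk @@ -162,6 +162,10) checks only `iketype`, so if the `'mobile' => true` flag in ipsec.inc does not keep the method out of non-mobile forms, such an entry is accepted by the UI; I cannot confirm that from the hunk. Either reject the non-mobile case at validation time alongside the IKEv2 check, or add an `else` branch here that records the skipped entry, and at minimum document the silent path with `// eap-mschapv2 is only generated for mobile phase1; other entries produce no auth lines`. The enclosing function starts and ends outside the hunk.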
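Review bot: The Type cell is rendered with the same seven-line `if (empty(...)) echo 'PSK'; else echo htmlspecialchars(...)` block in both the @@ -130,6 +131,14 and @@ -150,6 +159,14 hunks, while the neighbouring cells use the short-echo form. Computing the fallback once per row, `$type = empty($secretent['type']) ? 'PSK' : $secretent['type'];`, and printing `<?=htmlspecialchars($type);?>` in both tables keeps them in step if the default ever changes. The rewritten line in the @@ -52,7 +52,7 hunk still ends with `);;`; the stray semicolon could be dropped while the line is being touched. All of these hunks sit inside markup whose enclosing structure begins before and ends after them.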
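Review bot: `$pconfig['type'] = $a_secret[$id]['type'];` in the @@ -55,6 +55,7 hunk reads an index that entries saved before this change do not have, which raises a notice and leaves the selection to the browser default rather than stating it; use the fallback the other files apply, `$pconfig['type'] = empty($a_secret[$id]['type']) ? 'PSK' : $a_secret[$id]['type'];`. In the @@ -130,6 +132,9 hunk the new heading `Edit pre-shared secret` is the only label on this form not wrapped in `gettext()`, unlike `Identifier` and `Secret type` next to it. The enclosing blocks start and end outside the hunks.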
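Review bot: The new `case 'eap-mschapv2':` rejects only non-IKEv2 tunnels, while vpn.inc generates `leftauth=pubkey` for this method and emits `leftcert` only when `certref` is non-empty, so a phase1 saved without a certificate passes validation and produces a pubkey authenticator with no certificate behind it. The comment above the switch says RSA methods require the CA/Cert; the eap-tls case continues outside the hunk so I cannot confirm whether it enforces that, but eap-mschapv2 needs the same check, `if (empty($pconfig['certref'])) $input_errors[] = gettext("A certificate is required for EAP-MSChapv2.");`, assuming `$pconfig` mirrors the config key names used in vpn.inc. The enclosing `if ($_POST)` block begins before the hunk.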