Diffstat (limited to 'src/etc/inc/ipsec.inc')
-rw-r--r-- | src/etc/inc/ipsec.inc | 163 |
1 files changed, 100 insertions, 63 deletions
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index 6654166..b1e8c19 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc @@ -28,10 +28,6 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - pfSense_BUILDER_BINARIES: /sbin/setkey /sbin/route - pfSense_MODULE: ipsec - */ /* IPsec defines */ @@ -42,6 +38,36 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE "imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service", "tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSwan Lib"); +global $ipsec_log_sevs; +$ipsec_log_sevs = array( + '-1' => 'Silent', + '0' => 'Audit', + '1' => 'Control', + '2' => 'Diag', + '3' => 'Raw', + '4' => 'Highest' +); + +global $ipsec_log_cats; +$ipsec_log_cats = array( + "dmn" => "Daemon", + "mgr" => "SA Manager", + "ike" => "IKE SA", + "chd" => "IKE Child SA", + "job" => "Job Processing", + "cfg" => "Configuration backend", + "knl" => "Kernel Interface", + "net" => "Networking", + "asn" => "ASN encoding", + "enc" => "Message encoding", + "imc" => "Integrity checker", + "imv" => "Integrity Verifier", + "pts" => "Platform Trust Service", + "tls" => "TLS handler", + "esp" => "IPsec traffic", + "lib" => "StrongSwan Lib" +); + global $my_identifier_list; $my_identifier_list = array( 'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true), 
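Review bot: The new `$ipsec_log_cats` table in the second hunk appears to repeat `$ipsec_loglevels`, which is declared immediately above it with the same keys and labels as far as the context lines show, so the two will drift apart the first time one is edited. Unless the rename is meant to retire the old name, consider defining the new one as an alias, `$ipsec_log_cats = $ipsec_loglevels;`, or marking one of them as deprecated in a comment. Separately, `$ipsec_log_sevs` uses single-quoted keys and values while `$ipsec_log_cats` uses double quotes in the same block; pick one quoting style for both tables.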
@@ -70,13 +96,9 @@ $ipsec_idhandling = array( global $p1_ealgos; $p1_ealgos = array( 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), - 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), - 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), - 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), '3des' => array('name' => '3DES'), - 'cast128' => array('name' => 'CAST128'), - 'des' => array('name' => 'DES')); + 'cast128' => array('name' => 'CAST128')); global $p2_ealgos; $p2_ealgos = array( @@ -86,8 +108,7 @@ $p2_ealgos = array( 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), '3des' => array('name' => '3DES'), - 'cast128' => array('name' => 'CAST128'), - 'des' => array('name' => 'DES')); + 'cast128' => array('name' => 'CAST128')); global $p1_halgos; $p1_halgos = array( @@ -177,6 +198,29 @@ $p2_pfskeygroups = array( 30 => '30 (brainpool ecp512)' ); +function ipsec_enabled() { + global $config; + + if (!isset($config['ipsec']) || !is_array($config['ipsec'])) { + return false; + } + + /* Check if we have at least one phase 1 entry. */ + if (!isset($config['ipsec']['phase1']) || + !is_array($config['ipsec']['phase1']) || + empty($config['ipsec']['phase1'])) { + return false; + } + /* Check if at least one phase 1 entry is enabled. */ + foreach ($config['ipsec']['phase1'] as $phase1) { + if (!isset($phase1['disabled'])) { + return true; + } + } + + return false; +} + /* * ikeid management functions */ 
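Review bot: Dropping `'des'` from `$p1_ealgos` (and, in the next hunk, from `$p2_ealgos`) and the GCM entries from `$p1_ealgos` is the right direction, but nothing in this hunk handles a stored configuration that still references one of the removed keys, so a phase 1 or phase 2 entry saved with `encryption-algorithm` set to `des` would no longer resolve against these tables. Presumably an upgrade step or the input validation elsewhere rewrites such entries to a supported cipher; if not, one is needed so that an old entry fails closed rather than producing an undefined lookup. A short comment above the table, `/* DES and the GCM modes were removed here; existing configs referencing them must be migrated by the upgrade code */`, would tell the next maintainer where that responsibility lives.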
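Review bot: `ipsec_enabled()` in the third hunk has no header comment, and its contract is not obvious from the name: it reports whether at least one phase 1 entry exists and lacks the `disabled` key, not whether any global IPsec enable flag is set. Suggest `/* Return true when the configuration contains at least one phase 1 entry that is not disabled; false when the ipsec section or the phase1 list is missing or empty. */` above the function. Note that `isset($phase1['disabled'])` treats an empty-string value as disabled, which is presumably intended for the way the key is written, but worth confirming with the code that sets it. The first two guards could also be collapsed to `if (empty($config['ipsec']['phase1']) || !is_array($config['ipsec']['phase1'])) { return false; }` since `empty()` already covers the missing-section case.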
@@ -426,51 +470,16 @@ function ipsec_phase2_status(&$ipsec_status, &$phase2) { return false; } -function ipsec_smp_dump_status() { - global $config, $g, $custom_listtags; - - if (isset($config['ipsec']['enable'])) { - if (!file_exists("{$g['varrun_path']}/charon.xml")) { - log_error("IPsec daemon not running or has a problem!"); - return; - } - } else { - return; - } - - $fd = @fsockopen("unix://{$g['varrun_path']}/charon.xml"); - if (!$fd) { - log_error("Could not read status from IPsec"); - return; - } - $query = '<?xml version="1.0"?><message xmlns="http://www.strongswan.org/smp/1.0" type="request" id="1">'; - $query .= '<query><ikesalist/></query></message>'; - - @fwrite($fd, $query); - $response = ""; - while (!strstr($sread, "</message>")) { - $sread = fgets($fd); - if ($sread === false) { - break; - } - $response .= $sread; - } - fclose($fd); +/* + * Wrapper to call pfSense_ipsec_list_sa() when IPsec is enabled + */ +function ipsec_list_sa() { - if ($sread === false) { - log_error("Error during reading of status from IPsec"); - return; + if (ipsec_enabled()) { + return pfSense_ipsec_list_sa(); } - @file_put_contents("{$g['tmp_path']}/smp_status.xml", $response); - unset($response, $sread); - - $custom_listtags = array('ikesa', 'childsa', 'network', 'auth'); - $response = parse_xml_config("{$g['tmp_path']}/smp_status.xml", "message"); - @unlink("{$g['tmp_path']}/smp_status.xml"); - unset($custom_listtags); - - return $response; + return array(); } /* 
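Review bot: The comment above `ipsec_list_sa()` does not say what callers receive when IPsec is off, which is the one thing a caller of a wrapper needs to know; suggest `/* Wrapper around pfSense_ipsec_list_sa(). Returns its result when at least one phase 1 entry is enabled (see ipsec_enabled()), otherwise an empty array. */`. The gate is now `ipsec_enabled()`, which looks at phase 1 entries, rather than the `$config['ipsec']['enable']` flag the removed function checked, so callers that relied on the global flag see slightly different behaviour; this looks intentional but is worth a sentence in the commit message. The blank context line left directly after `function ipsec_list_sa() {` is a stray from the old body and can be dropped.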
@@ -584,24 +593,52 @@ function ipsec_dump_sad() { * Return dump of mobile user list */ function ipsec_dump_mobile() { - global $g, $custom_listtags; + global $g; - $_gb = exec("/usr/local/sbin/ipsec stroke leases > {$g['tmp_path']}/strongswan_leases.xml"); + $_gb = exec("/usr/local/sbin/ipsec leases 2>/dev/null", $output, $rc); - if (!file_exists("{$g['tmp_path']}/strongswan_leases.xml")) { + if ($rc != 0) { log_error(gettext("Unable to find IPsec daemon leases file. Could not display mobile user stats!")); return array(); } - /* This is needed for fixing #4130 */ - if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) { - return array(); + $response = array(); + $id = -1; + + /* Leases in pool '10.7.200.0/24', usage: 1/254, 1 online */ + $lease_regex='/^Leases *in *pool *\'(?P<name>.+)\', *usage: *(?P<usage>\d+)\/(?P<size>\d+), *(?P<online>\d+) *online/'; + /* 10.7.200.1 online 'jimp' */ + $pool_regex='/\s*(?P<host>[\d\.]+)\s+(?P<status>online|offline)\s+\'(?P<id>.*)\'/'; + /* no matching leases found */ + $nopool_regex='/no *matching *leases *found/'; + + $lease=false; + foreach ($output as $line) { + if (preg_match($lease_regex, $line, $matches)) { + $id++; + $response['pool'][$id] = array( + 'name' => $matches['name'], + 'usage' => $matches['usage'], + 'size' => $matches['size'], + 'online' => $matches['online'], + ); + $lease=true; + } else if ($lease) { + if (preg_match($nopool_regex, $line)) { + $response['pool'][$id]['lease'][] = array(); + $lease=false; + } else if (preg_match($pool_regex, $line, $matches)) { + $response['pool'][$id]['lease'][] = array( + 'host' => $matches['host'], + 'status' => $matches['status'], + 'id' => $matches['id'] + ); + } + } } - $custom_listtags = array('lease', 'pool'); - $response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases"); - @unlink("{$g['tmp_path']}/strongswan_leases.xml"); - unset($custom_listtags, $_gb); + unset($_gb, $lease, $output, $rc, $id, $lease_regex, $pool_regex, + 
$nopool_regex); return $response; } |
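Review bot: In `ipsec_dump_mobile()` the error path now reacts to a non-zero exit code from `/usr/local/sbin/ipsec leases`, but it still logs "Unable to find IPsec daemon leases file", which no longer describes what failed; `log_error(gettext("Unable to read IPsec leases from the daemon. Could not display mobile user stats!"));` matches the new code. `$pool_regex` only accepts `[\d\.]+` for the host, so a lease from an IPv6 virtual-IP pool would be silently dropped from the output; `'/\s*(?P<host>[0-9a-fA-F:.]+)\s+(?P<status>online|offline)\s+\'(?P<id>.*)\'/'` keeps the same structure and covers both families. The "no matching leases found" branch appends `array()` to `lease[]`, so consumers of this structure see a lease entry with no host, status or id and should be checked for how they render it. The `id` capture is the peer identity string as printed by the daemon, so any page that displays it must escape it for its output context.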