diff options
Diffstat (limited to 'src/usr/local/www/diag_ipsec.php')
-rw-r--r-- | src/usr/local/www/diag_ipsec.php | 518 |
1 files changed, 518 insertions, 0 deletions
diff --git a/src/usr/local/www/diag_ipsec.php b/src/usr/local/www/diag_ipsec.php new file mode 100644 index 0000000..f5a83c8 --- /dev/null +++ b/src/usr/local/www/diag_ipsec.php @@ -0,0 +1,518 @@ +<?php +/* $Id$ */ +/* + diag_ipsec.php +*/ +/* ==================================================================== + * Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved. + * Copyright (c) 2004, 2005 Scott Ullrich + * + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgment: + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution. (http://www.pfsense.org/). + * + * 4. The names "pfSense" and "pfSense Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * coreteam@pfsense.org. + * + * 5. Products derived from this software may not be called "pfSense" + * nor may "pfSense" appear in their names without prior written + * permission of the Electric Sheep Fencing, LLC. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution (http://www.pfsense.org/). + * + * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * ==================================================================== + * + */ + +/* + pfSense_MODULE: ipsec +*/ + +##|+PRIV +##|*IDENT=page-status-ipsec +##|*NAME=Status: IPsec page +##|*DESCR=Allow access to the 'Status: IPsec' page. +##|*MATCH=diag_ipsec.php* +##|-PRIV + + +global $g; + +$pgtitle = array(gettext("Status"), gettext("IPsec")); +$shortcut_section = "ipsec"; + +require("guiconfig.inc"); +include("head.inc"); +require("ipsec.inc"); + +if ($_GET['act'] == 'connect') { + if (ctype_digit($_GET['ikeid'])) { + $ph1ent = ipsec_get_phase1($_GET['ikeid']); + if (!empty($ph1ent)) { + if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') { + $ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']); + for ($i = 0; $i < $ph2entries; $i++) { + $connid = escapeshellarg("con{$_GET['ikeid']}00{$i}"); + mwexec("/usr/local/sbin/ipsec down {$connid}"); + mwexec("/usr/local/sbin/ipsec up {$connid}"); + } + } else { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid'])); + mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid'])); + } + } + } +} else if ($_GET['act'] == 'ikedisconnect') { + if (ctype_digit($_GET['ikeid'])) { + if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]"); + } else { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid'])); + } + } +} else if ($_GET['act'] == 'childdisconnect') { + if (ctype_digit($_GET['ikeid'])) { + if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}"); + } + } +} + +if (!is_array($config['ipsec']['phase1'])) { + $config['ipsec']['phase1'] = array(); +} + +$a_phase1 = &$config['ipsec']['phase1']; + +$status = ipsec_smp_dump_status(); + +$tab_array = array(); +$tab_array[] = array(gettext("Overview"), true, "diag_ipsec.php"); +$tab_array[] = array(gettext("Leases"), false, "diag_ipsec_leases.php"); +$tab_array[] = array(gettext("SAD"), false, "diag_ipsec_sad.php"); +$tab_array[] = array(gettext("SPD"), false, "diag_ipsec_spd.php"); +$tab_array[] = array(gettext("Logs"), false, "diag_logs_ipsec.php"); +display_top_tabs($tab_array); +?> + +<div class="panel panel-default"> + <div class="panel-heading">IPSec status</div> + <div class="panel-body table responsive"> + <table class="table table-striped table-hover table-condensed"> + <thead> + <tr> + <th><?=gettext("Description")?></th> + <th><?=gettext("Local ID")?></th> + <th><?=gettext("Local IP")?></th> + <th><?=gettext("Remote ID")?></th> + <th><?=gettext("Remote IP")?></th> + <th><?=gettext("Role")?></th> + <th><?=gettext("Reauth")?></th> + <th><?=gettext("Algo")?></th> + <th><?=gettext("Status")?></th> + <th></th> + </tr> + </thead> + <tbody> +<?php +$ipsecconnected = array(); + +if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])): + foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa): + $con_id = substr($ikesa['peerconfig'], 3); + + if ($ikesa['version'] == 1) { + $ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00')); + $ipsecconnected[$ph1idx] = $ph1idx; + } else { + $ipsecconnected[$con_id] = $ph1idx = $con_id; + } + + if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id'])) + $icon = "pass"; + elseif (!isset($config['ipsec']['enable'])) + $icon = "block"; + else + $icon = "reject"; +?> + <tr> + <td> + <?=htmlspecialchars(ipsec_get_descr($ph1idx))?> + </td> + <td> +<?php + if (!is_array($ikesa['local'])) + echo gettext("Unknown"); + else { + if (!empty($ikesa['local']['identification'])) { + if ($ikesa['local']['identification'] == '%any') + print(gettext('Any identifier')); + else + print(htmlspecialchars($ikesa['local']['identification'])); + } else + print(gettext("Unknown")); + } + + if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id'])) { + $icon = "pass"; + } elseif (!isset($config['ipsec']['enable'])) { + $icon = "block"; + } else { + $icon = "reject"; + } +?> + </td> + <td> +<?php + if (!is_array($ikesa['local'])) + print(gettext("Unknown")); + else { + if (!empty($ikesa['local']['address'])) + print(htmlspecialchars($ikesa['local']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['local']['port'])); + else + print(gettext("Unknown")); + if ($ikesa['local']['port'] == '4500') + print(" NAT-T"); + } +?> + </td> + <td> +<?php + if (!is_array($ikesa['remote'])) + print(gettext("Unknown")); + else { + $identity = ""; + if (!empty($ikesa['remote']['identification'])) { + if ($ikesa['remote']['identification'] == '%any') + $identity = 'Any identifier'; + else + $identity = htmlspecialchars($ikesa['remote']['identification']); + } + + if (is_array($ikesa['remote']['auth']) && !empty($ikesa['remote']['auth'][0]['identity'])) { + print(htmlspecialchars($ikesa['remote']['auth'][0]['identity'])); + print('<br/>' . $identity); + } else { + if (empty($identity)) + print(ettext("Unknown")); + else + print($identity); + } + } +?> + </td> + <td> +<?php + if (!is_array($ikesa['remote'])) + print(gettext("Unknown")); + else { + if (!empty($ikesa['remote']['address'])) + print(htmlspecialchars($ikesa['remote']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['remote']['port'])); + else + print(gettext("Unknown")); + if ($ikesa['remote']['port'] == '4500') + print(" NAT-T"); + } +?> + </td> + <td> + IKEv<?=htmlspecialchars($ikesa['version'])?> + <br/> + <?=htmlspecialchars($ikesa['role'])?> + </td> + <td> + <?=htmlspecialchars($ikesa['reauth']);?> + </td> + <td> + <?=htmlspecialchars($ikesa['encalg'])?> + <br/> + <?=htmlspecialchars($ikesa['intalg'])?> + <br/> + <?=htmlspecialchars($ikesa['prfalg'])?> + <br/> + <?=htmlspecialchars($ikesa['dhgroup'])?> + </td> + <td> +<?php + if($ikesa['status'] == 'established') + print('<span style="color:green">'); + else + print('<span>'); +?> + <?=ucfirst(htmlspecialchars($ikesa['status']))?> + <br/><?=htmlspecialchars($ikesa['established'])?> + </span> + </td> + <td > +<?php + if ($icon != "pass"): +?> + <a href="diag_ipsec.php?act=connect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="Connect VPN" > + <?=gettext("Connect VPN")?> + </a> +<?php + else: +?> + <a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-danger" data-toggle="tooltip" title="Disconnect VPN"> + <?=gettext("Disconnect")?> + </a><br /> + <a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$ikesa['id']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect VPN connection"> + <?=gettext("Disconnect")?> + </a> +<?php + endif; +?> + </td> + </tr> + <tr> + <td colspan = 10> +<?php + if (is_array($ikesa['childsalist'])): +?> + <div id="btnchildsa-<?=$ikeid?>"> + <a type="button" onclick="show_childsa('childsa-<?=$ikeid?>','btnchildsa-<?=$ikeid?>');" class="btn btn-sm btn-default" /> + <?=gettext('Show child SA entries')?> + </a> + </div> + + <table class="table table-hover table-condensed" id="childsa-<?=$ikeid?>" style="display:none"> + <thead> + <tr class="info"> + <th><?=gettext("Local subnets")?></th> + <th><?=gettext("Local SPI(s)")?></th> + <th><?=gettext("Remote subnets")?></th> + <th><?=gettext("Times")?></th> + <th><?=gettext("Algo")?></th> + <th><?=gettext("Stats")?></th> + <th><!-- Buttons --></th> + </tr> + </thead> + <tbody> +<?php + if (is_array($ikesa['childsalist']['childsa'])): + foreach ($ikesa['childsalist']['childsa'] as $childsa): +?> + <tr> + <td> +<?php + if (is_array($childsa['local']) && + is_array($childsa['local']['networks']) && + is_array($childsa['local']['networks']['network'])) + foreach ($childsa['local']['networks']['network'] as $lnets) + print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />"); + else + print(gettext("Unknown")); +?> + </td> + <td> +<?php + if (is_array($childsa['local'])) + print(gettext("Local: ") . htmlspecialchars($childsa['local']['spi'])); + + if (is_array($childsa['remote'])) + print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['remote']['spi'])); +?> + </td> + <td> +<?php + if (is_array($childsa['remote']) && + is_array($childsa['remote']['networks']) && + is_array($childsa['remote']['networks']['network'])) + foreach ($childsa['remote']['networks']['network'] as $rnets) + print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />'); + else + print(gettext("Unknown")); +?> + </td> + <td> +<?php + print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey'])); + print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['lifetime'])); + print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['installtime'])); + +?> + </td> + <td> +<?php + print(htmlspecialchars($childsa['encalg']) . '<br/>'); + print(htmlspecialchars($childsa['intalg']) . '<br/>'); + + if (!empty($childsa['prfalg'])) + print(htmlspecialchars($childsa['prfalg']) . '<br/>'); + + if (!empty($childsa['dhgroup'])) + print(htmlspecialchars($childsa['dhgroup']) . '<br/>'); + + if (!empty($childsa['esn'])) + + print(gettext("IPComp: ") . htmlspecialchars($childsa['ipcomp'])); +?> + </td> + <td> +<?php + print(gettext("Bytes-In: ") . htmlspecialchars($childsa['bytesin']) . '<br/>'); + print(gettext("Packets-In: ") . htmlspecialchars($childsa['packetsin']) . '<br/>'); + print(gettext("Bytes-Out: ") . htmlspecialchars($childsa['bytesout']) . '<br/>'); + print(gettext("Packets-Out: ") . htmlspecialchars($childsa['packetsout']) . '<br/>'); +?> + </td> + <td> + <a href="diag_ipsec.php?act=childdisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$childsa['reqid']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect Child SA')?>"> + <?=gettext("Disconnect")?> + </a> + </td> + </tr> +<?php + endforeach; + endif; +?> + + </tbody> + </table> + </td> + </tr> +<?php + endif; + + unset($con_id); + endforeach; +endif; + +$rgmap = array(); +foreach ($a_phase1 as $ph1ent): + if (isset($ph1ent['disabled'])) + continue; + + $rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway']; + + if ($ipsecconnected[$ph1ent['ikeid']]) + continue; +?> + <tr> + <td> +<?php + print(htmlspecialchars($ph1ent['descr'])); +?> + </td> + <td> +<?php + list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); + if (empty($myid_data)) + print(gettext("Unknown")); + else + print(htmlspecialchars($myid_data)); +?> + </td> + <td> +<?php + $ph1src = ipsec_get_phase1_src($ph1ent); + + if (empty($ph1src)) + print(gettext("Unknown")); + else + print(htmlspecialchars($ph1src)); +?> + </td> + <td> +<?php + list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); + if (empty($peerid_data)) + print(gettext("Unknown")); + else + print(htmlspecialchars($peerid_data)); +?> + </td> + <td> +<?php + $ph1src = ipsec_get_phase1_dst($ph1ent); + if (empty($ph1src)) + print(gettext("Unknown")); + else + print(htmlspecialchars($ph1src)); +?> + </td> + <td> + </td> + <td> + </td> + <td> + </td> +<?php + if (isset($ph1ent['mobile'])): +?> + <td> + <?=gettext("Awaiting connections")?> + </td> + <td> + </td> +<?php + else: +?> + <td> + <?=gettext("Disconnected")?> + </td> + <td > + <a href="diag_ipsec.php?act=connect&ikeid=<?=$ph1ent['ikeid']; ?>" class="btn btn-xs btn-success"> + <?=gettext("Connect VPN")?> + </a> + </td> +<?php + endif; +?> + <td>> + </td> + </tr> +<?php +endforeach; +unset($ipsecconnected, $phase1, $rgmap); +?> + </tbody> + </table> + </div> +</div> + +<script type="text/javascript"> +//<![CDATA[ +function show_childsa(id, buttonid) { + document.getElementById(buttonid).innerHTML=''; + aodiv = document.getElementById(id); + aodiv.style.display = "block"; +} +//]]> +</script> + +<?php +unset($status); +print_info_box(gettext("You can configure IPsec ") . '<a href="vpn_ipsec.php">Here</a>'); +include("foot.inc"); ?> |