Diffstat (limited to 'src/usr/local/www/diag_ipsec.php')
-rw-r--r--src/usr/local/www/diag_ipsec.php555
1 files changed, 555 insertions, 0 deletions
diff --git a/src/usr/local/www/diag_ipsec.php b/src/usr/local/www/diag_ipsec.php
new file mode 100644
index 0000000..96c6835
--- /dev/null
+++ b/src/usr/local/www/diag_ipsec.php
@@ -0,0 +1,555 @@
+<?php
+/* $Id$ */
+/*
+ diag_ipsec.php
+ Copyright (C) 2004-2009 Scott Ullrich
+ Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>.
+ Copyright (C) 2013-2015 Electric Sheep Fencing, LP
+ All rights reserved.
+
+ Parts of this code was originally based on vpn_ipsec_sad.php
+ Copyright (C) 2003-2004 Manuel Kasper
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+ pfSense_MODULE: ipsec
+*/
+
+##|+PRIV
+##|*IDENT=page-status-ipsec
+##|*NAME=Status: IPsec page
+##|*DESCR=Allow access to the 'Status: IPsec' page.
+##|*MATCH=diag_ipsec.php*
+##|-PRIV
+
+
+global $g;
+
+$pgtitle = array(gettext("Status"), gettext("IPsec"));
+$shortcut_section = "ipsec";
+
+require("guiconfig.inc");
+include("head.inc");
+require("ipsec.inc");
+
+if ($_GET['act'] == 'connect') {
+ if (ctype_digit($_GET['ikeid'])) {
+ $ph1ent = ipsec_get_phase1($_GET['ikeid']);
+ if (!empty($ph1ent)) {
+ if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') {
+ $ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
+ for ($i = 0; $i < $ph2entries; $i++) {
+ $connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
+ mwexec("/usr/local/sbin/ipsec down {$connid}");
+ mwexec("/usr/local/sbin/ipsec up {$connid}");
+ }
+ } else {
+ mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
+ mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
+ }
+ }
+ }
+} else if ($_GET['act'] == 'ikedisconnect') {
+ if (ctype_digit($_GET['ikeid'])) {
+ if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
+ mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
+ } else {
+ mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
+ }
+ }
+} else if ($_GET['act'] == 'childdisconnect') {
+ if (ctype_digit($_GET['ikeid'])) {
+ if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
+ mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
+ }
+ }
+}
+
+if (!is_array($config['ipsec']['phase1'])) {
+ $config['ipsec']['phase1'] = array();
+}
+
+$a_phase1 = &$config['ipsec']['phase1'];
+
+$status = ipsec_smp_dump_status();
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?php echo $jsevents["body"]["onload"]; ?>">
+<?php include("fbegin.inc"); ?>
+<div id="inputerrors"></div>
+<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="status ipsec">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[0] = array(gettext("Overview"), true, "diag_ipsec.php");
+ $tab_array[1] = array(gettext("Leases"), false, "diag_ipsec_leases.php");
+ $tab_array[2] = array(gettext("SAD"), false, "diag_ipsec_sad.php");
+ $tab_array[3] = array(gettext("SPD"), false, "diag_ipsec_spd.php");
+ $tab_array[4] = array(gettext("Logs"), false, "diag_logs_ipsec.php");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0" class="tabcont sortable" summary="status">
+ <thead>
+ <tr>
+ <th class="listhdrr nowrap"><?php echo gettext("Description");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Local ID");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Local IP");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Remote ID");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Remote IP");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Role");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Reauth");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Algo");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Status");?></th>
+ <th class="list nowrap"></th>
+ </tr>
+ </thead>
+ <tbody>
+<?php
+ $ipsecconnected = array();
+ if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])):
+ foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa):
+ $con_id = substr($ikesa['peerconfig'], 3);
+ if ($ikesa['version'] == 1) {
+ $ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
+ $ipsecconnected[$ph1idx] = $ph1idx;
+ } else {
+ $ipsecconnected[$con_id] = $ph1idx = $con_id;
+ }
+
+ if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id'])) {
+ $icon = "pass";
+ } elseif (!isset($config['ipsec']['enable'])) {
+ $icon = "block";
+ } else {
+ $icon = "reject";
+ }
+?>
+ <tr>
+ <td class="listlr">
+<?php
+ echo htmlspecialchars(ipsec_get_descr($ph1idx));
+?>
+ </td>
+ <td class="listr">
+<?php
+ if (!is_array($ikesa['local'])) {
+ echo gettext("Unknown");
+ } else {
+ if (!empty($ikesa['local']['identification'])) {
+ if ($ikesa['local']['identification'] == '%any') {
+ echo gettext('Any identifier');
+ } else {
+ echo htmlspecialchars($ikesa['local']['identification']);
+ }
+ } else {
+ echo gettext("Unknown");
+ }
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ if (!is_array($ikesa['local'])) {
+ echo gettext("Unknown");
+ } else {
+ if (!empty($ikesa['local']['address'])) {
+ echo htmlspecialchars($ikesa['local']['address']) . '<br/>' .
+ gettext('Port: ') . htmlspecialchars($ikesa['local']['port']);
+ } else {
+ echo gettext("Unknown");
+ }
+ if ($ikesa['local']['port'] == '4500') {
+ echo " NAT-T";
+ }
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ if (!is_array($ikesa['remote'])) {
+ echo gettext("Unknown");
+ } else {
+ $identity = "";
+ if (!empty($ikesa['remote']['identification'])) {
+ if ($ikesa['remote']['identification'] == '%any') {
+ $identity = 'Any identifier';
+ } else {
+ $identity = htmlspecialchars($ikesa['remote']['identification']);
+ }
+ }
+
+ if (is_array($ikesa['remote']['auth']) && !empty($ikesa['remote']['auth'][0]['identity'])) {
+ echo htmlspecialchars($ikesa['remote']['auth'][0]['identity']);
+ echo "<br/>{$identity}";
+ } else {
+ if (empty($identity)) {
+ echo gettext("Unknown");
+ } else {
+ echo $identity;
+ }
+ }
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ if (!is_array($ikesa['remote'])) {
+ echo gettext("Unknown");
+ } else {
+ if (!empty($ikesa['remote']['address'])) {
+ echo htmlspecialchars($ikesa['remote']['address']) . '<br/>' .
+ gettext('Port: ') . htmlspecialchars($ikesa['remote']['port']);
+ } else {
+ echo gettext("Unknown");
+ }
+ if ($ikesa['remote']['port'] == '4500') {
+ echo " NAT-T";
+ }
+ }
+?>
+ </td>
+ <td class="listr">
+ IKEv<?php echo htmlspecialchars($ikesa['version']);?>
+ <br/>
+<?php
+ echo htmlspecialchars($ikesa['role']);
+?>
+ </td>
+ <td class="listr">
+<?php
+ echo htmlspecialchars($ikesa['reauth']);
+?>
+ </td>
+ <td class="listr">
+<?php
+ echo htmlspecialchars($ikesa['encalg']);
+ echo "<br/>";
+ echo htmlspecialchars($ikesa['intalg']);
+ echo "<br/>";
+ echo htmlspecialchars($ikesa['prfalg']);
+ echo "<br/>";
+ echo htmlspecialchars($ikesa['dhgroup']);
+?>
+ </td>
+ <td class="listr">
+ <center>
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_<?php echo $icon; ?>.gif" title="<?php echo $ikesa['status']; ?>" alt=""/>
+ <br/><?php echo htmlspecialchars($ikesa['status']);?>
+ <br/><?php echo htmlspecialchars($ikesa['established']);?>
+ </center>
+ </td>
+ <td >
+<?php
+ if ($icon != "pass"):
+?>
+ <center>
+ <a href="diag_ipsec.php?act=connect&amp;ikeid=<?php echo $con_id; ?>">
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_service_start.gif" alt=<?php echo gettext("Connect VPN");?> title=<?php echo gettext("Connect VPN");?> border="0"/>
+ </a>
+ </center>
+<?php
+ else:
+?>
+ <center>
+ <a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?php echo $con_id; ?>">
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_service_stop.gif" alt=<?php echo gettext("Disconnect VPN");?> title=<?php echo gettext("Disconnect VPN");?> border="0"/>
+ </a>
+ <a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?php echo $con_id; ?>&amp;ikesaid=<?php echo $ikesa['id']; ?>">
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_x.gif" alt=<?php echo gettext("Disconnect VPN Connection");?> title=<?php echo gettext("Disconnect VPN Connection");?> border="0"/>
+ </a>
+ </center>
+<?php
+ endif;
+?>
+ </td>
+ <td valign="middle" class="list nowrap">
+ <table border="0" cellspacing="0" cellpadding="1" summary="">
+ </table>
+ </td>
+ </tr>
+<?php
+ if (is_array($ikesa['childsalist'])):
+?>
+ <tr>
+ <td class="listrborder" colspan="9">
+ <div id="btnchildsa-<?=$ikeid;?>">
+ <input type="button" onclick="show_childsa('childsa-<?=$ikeid;?>', 'btnchildsa-<?=$ikeid;?>');" value="+" /> - Show child SA entries
+ </div>
+ <table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="childsa-<?=$ikeid;?>" style="display:none" summary="">
+ <thead>
+ <tr>
+ <th class="listhdrr nowrap"><?php echo gettext("Local subnets");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Local SPI(s)");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Remote subnets");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Times");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Algo");?></th>
+ <th class="listhdrr nowrap"><?php echo gettext("Stats");?></th>
+ </tr>
+ </thead>
+ <tbody>
+<?php
+ if (is_array($ikesa['childsalist']['childsa'])):
+ foreach ($ikesa['childsalist']['childsa'] as $childsa):
+?>
+ <tr valign="top">
+ <td class="listlr nowrap">
+<?php
+ if (is_array($childsa['local']) &&
+ is_array($childsa['local']['networks']) &&
+ is_array($childsa['local']['networks']['network'])) {
+ foreach ($childsa['local']['networks']['network'] as $lnets) {
+ echo htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />";
+ }
+ } else {
+ echo gettext("Unknown");
+ }
+?>
+ </td>
+ <td class="listr nowrap">
+<?php
+ if (is_array($childsa['local'])) {
+ echo gettext("Local: ") . htmlspecialchars($childsa['local']['spi']);
+ }
+ if (is_array($childsa['remote'])) {
+ echo "<br/>" . gettext("Remote: ") . htmlspecialchars($childsa['remote']['spi']);
+ }
+?>
+ </td>
+ <td class="listr nowrap">
+<?php
+ if (is_array($childsa['remote']) &&
+ is_array($childsa['remote']['networks']) &&
+ is_array($childsa['remote']['networks']['network'])) {
+ foreach ($childsa['remote']['networks']['network'] as $rnets) {
+ echo htmlspecialchars(ipsec_fixup_network($rnets)) . "<br />";
+ }
+ } else {
+ echo gettext("Unknown");
+ }
+?>
+ </td>
+ <td class="listr nowrap">
+<?php
+ echo gettext("Rekey: ") . htmlspecialchars($childsa['rekey']);
+ echo "<br/>" . gettext("Life: ") . htmlspecialchars($childsa['lifetime']);
+ echo "<br/>" . gettext("Install: ") .htmlspecialchars($childsa['installtime']);
+
+?>
+ </td>
+ <td class="listr nowrap">
+<?php
+ echo htmlspecialchars($childsa['encalg']);
+ echo "<br/>";
+ echo htmlspecialchars($childsa['intalg']);
+ echo "<br/>";
+ if (!empty($childsa['prfalg'])) {
+ echo htmlspecialchars($childsa['prfalg']);
+ echo "<br/>";
+ }
+ if (!empty($childsa['dhgroup'])) {
+ echo htmlspecialchars($childsa['dhgroup']);
+ echo "<br/>";
+ }
+ if (!empty($childsa['esn'])) {
+ echo htmlspecialchars($childsa['esn']);
+ echo "<br/>";
+ }
+ echo gettext("IPComp: ") . htmlspecialchars($childsa['ipcomp']);
+?>
+ </td>
+ <td class="listr nowrap">
+<?php
+ echo gettext("Bytes-In: ") . htmlspecialchars($childsa['bytesin']);
+ echo "<br/>";
+ echo gettext("Packets-In: ") . htmlspecialchars($childsa['packetsin']);
+ echo "<br/>";
+ echo gettext("Bytes-Out: ") . htmlspecialchars($childsa['bytesout']);
+ echo "<br/>";
+ echo gettext("Packets-Out: ") . htmlspecialchars($childsa['packetsout']);
+?>
+ </td>
+ <td>
+ <center>
+ <a href="diag_ipsec.php?act=childdisconnect&amp;ikeid=<?php echo $con_id; ?>&amp;ikesaid=<?php echo $childsa['reqid']; ?>">
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_x.gif" alt=<?php echo gettext("Disconnect Child SA");?> title=<?php echo gettext("Disconnect Child SA");?> border="0"/>
+ </a>
+ </center>
+ </td>
+ <td class="list nowrap">
+ &nbsp;
+ </td>
+ </tr>
+<?php
+ endforeach;
+ endif;
+?>
+ <tr style="display:none;"><td></td></tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+<?php
+ endif;
+
+ unset($con_id);
+ endforeach;
+ endif;
+
+ $rgmap = array();
+ foreach ($a_phase1 as $ph1ent):
+ if (isset($ph1ent['disabled'])) {
+ continue;
+ }
+ $rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
+ if ($ipsecconnected[$ph1ent['ikeid']]) {
+ continue;
+ }
+?>
+ <tr>
+ <td class="listlr">
+<?php
+ echo htmlspecialchars($ph1ent['descr']);
+?>
+ </td>
+ <td class="listr">
+<?php
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ if (empty($myid_data)) {
+ echo gettext("Unknown");
+ } else {
+ echo htmlspecialchars($myid_data);
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ $ph1src = ipsec_get_phase1_src($ph1ent);
+ if (empty($ph1src)) {
+ echo gettext("Unknown");
+ } else {
+ echo htmlspecialchars($ph1src);
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ if (empty($peerid_data)) {
+ echo gettext("Unknown");
+ } else {
+ echo htmlspecialchars($peerid_data);
+ }
+?>
+ </td>
+ <td class="listr">
+<?php
+ $ph1src = ipsec_get_phase1_dst($ph1ent);
+ if (empty($ph1src)) {
+ echo gettext("Unknown");
+ } else {
+ echo htmlspecialchars($ph1src);
+ }
+?>
+ </td>
+ <td class="listr" >
+ </td>
+ <td class="listr" >
+ </td>
+ <td class="listr" >
+ </td>
+<?php
+ if (isset($ph1ent['mobile'])):
+?>
+ <td class="listr">
+ <center>
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_pass.gif" title=<?php echo gettext("Awaiting connections");?> alt=""/>
+ <br/><?php echo gettext("Awaiting connections");?>
+ </center>
+ </td>
+ <td valign="middle" class="list nowrap">
+ <table border="0" cellspacing="0" cellpadding="1" summary="">
+ </table>
+ </td>
+<?php
+ else:
+?>
+ <td class="listr">
+ <center>
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_reject.gif" title=<?php echo gettext("Disconnected");?> alt=""/>
+ <br/><?php echo gettext("Disconnected");?>
+ </center>
+ </td>
+ <td >
+ <center>
+ <a href="diag_ipsec.php?act=connect&amp;ikeid=<?php echo $ph1ent['ikeid']; ?>">
+ <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_service_start.gif" alt=<?php echo gettext("Connect VPN");?> title=<?php echo gettext("Connect VPN");?> border="0"/>
+ </a>
+ </center>
+ </td>
+<?php
+ endif;
+?>
+ <td valign="middle" class="list nowrap">
+ <table border="0" cellspacing="0" cellpadding="1" summary="">
+ </table>
+ </td>
+ </tr>
+<?php
+ endforeach;
+ unset($ipsecconnected, $phase1, $rgmap);
+?>
+ <tr style="display:none;"><td></td></tr>
+ </tbody>
+ </table>
+ </div>
+ </td>
+ </tr>
+</table>
+
+<p class="vexpl">
+ <span class="red">
+ <strong><?php echo gettext("Note:");?><br /></strong>
+ </span>
+ <?php echo gettext("You can configure IPsec");?>
+ <a href="vpn_ipsec.php">here</a>.
+</p>
+<?php unset($status); include("fend.inc"); ?>
+<script type="text/javascript">
+//<![CDATA[
+function show_childsa(id, buttonid) {
+ document.getElementById(buttonid).innerHTML='';
+ aodiv = document.getElementById(id);
+ aodiv.style.display = "block";
+}
+//]]>
+</script>
+</body>
+</html>
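Review bot: The connect/ikedisconnect/childdisconnect handlers at the top of the file bring tunnels up or tear them down on a plain GET, and the links that trigger them carry no anti-CSRF token, so any page a logged-in admin happens to view can drop a live SA with something like `<img src="diag_ipsec.php?act=ikedisconnect&ikeid=1">` — the CSRF protection pulled in via guiconfig.inc, as far as this file shows, only covers POST bodies. Moving the actions to POST (`if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['act'] === 'connect')`, with each action icon wrapped in a small form that carries the token) would close that; the existing ctype_digit() checks on ikeid/ikesaid already keep those values out of the shell, so that part is sound. Two smaller things in the same area: in the `ipsec down` commands the `[`/`]` and `{`/`}` are left outside the quoted pieces, which are shell glob characters on FreeBSD sh, so quote the whole connection name once, `escapeshellarg("con{$_GET['ikeid']}[{$_GET['ikesaid']}]")`, instead of gluing quoted fragments around them; and the status icon's `title="<?php echo $ikesa['status']; ?>"` echoes a daemon-supplied value unescaped while the very next line htmlspecialchars()'s the same value, so wrap the attribute too.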