Diffstat (limited to 'src/usr/local/www/vpn_ipsec_settings.php')
-rw-r--r-- | src/usr/local/www/vpn_ipsec_settings.php | 298 |
1 files changed, 120 insertions, 178 deletions
diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
index ac3fde9..29c687b 100644
--- a/src/usr/local/www/vpn_ipsec_settings.php
+++ b/src/usr/local/www/vpn_ipsec_settings.php
@@ -111,7 +111,7 @@ if ($_POST) {
 $input_errors[] = "A valid value must be specified for StrongSwan Lib debug.";
 }
 if (isset($pconfig['maxmss'])) {
- if (!is_numericint($pconfig['maxmss']) && $pconfig['maxmss'] <> '') {
+ if (!is_numericint($pconfig['maxmss']) && $pconfig['maxmss'] != '') {
 $input_errors[] = "An integer must be specified for Maximum MSS.";
 }
 if ($pconfig['maxmss'] <> '' && $pconfig['maxmss'] < 576 || $pconfig['maxmss'] > 65535) {
@@ -243,9 +243,6 @@ $shortcut_section = "ipsec";
 include("head.inc");
 ?>
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-
 <script type="text/javascript">
 //<![CDATA[
@@ -260,8 +257,6 @@ function maxmss_checked(obj) {
 //]]>
 </script>
-<form action="vpn_ipsec_settings.php" method="post" name="iform" id="iform">
-
 <?php
 if ($savemsg) {
 print_info_box($savemsg);
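Review bot: The range check on the last context line of the first hunk, `if ($pconfig['maxmss'] <> '' && $pconfig['maxmss'] < 576 || $pconfig['maxmss'] > 65535)`, mixes `&&` and `||` without parentheses, so the empty-string guard only covers the lower bound; since the commit already touches this validation it should be tightened to `if ($pconfig['maxmss'] !== '' && ($pconfig['maxmss'] < 576 || $pconfig['maxmss'] > 65535)) {`. The new `!= ''` on the changed line is a loose comparison on a value taken from the POST body; `!== ''` states the intent and matches the `is_numericint()` check beside it. The enclosing `if ($_POST)` block starts and ends outside the hunk. The two following hunks only remove the old page chrome and need no change.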
@@ -271,175 +266,122 @@ function maxmss_checked(obj) { } ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="vpn ipsec settings"> - <tr> - <td class="tabnavtbl"> - <?php - $tab_array = array(); - $tab_array[0] = array(gettext("Tunnels"), false, "vpn_ipsec.php"); - $tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array(gettext("Pre-Shared Key"), false, "vpn_ipsec_keys.php"); - $tab_array[3] = array(gettext("Advanced Settings"), true, "vpn_ipsec_settings.php"); - display_top_tabs($tab_array); - ?> - </td> - </tr> - <tr> - <td id="mainarea"> - <div class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area"> - <tr> - <td colspan="2" valign="top" class="listtopic"><?=gettext("IPsec Advanced Settings"); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td> - <td width="78%" class="vtable"> - <strong><?=gettext("Start IPsec in debug mode based on sections selected"); ?></strong> - <br /> - <table summary="ipsec debug"> - <?php foreach ($ipsec_loglevels as $lkey => $ldescr): ?> - <tr> - <td width="22%" valign="top" class="vncell"><?=$ldescr;?></td> - <td width="78%" valign="top" class="vncell"> - <?php - echo "<select name=\"ipsec_{$lkey}\" id=\"ipsec_{$lkey}\">\n"; - foreach (array("Silent", "Audit", "Control", "Diag", "Raw", "Highest") as $lidx => $lvalue) { - echo "<option value=\"{$lidx}\" "; - if ($pconfig["ipsec_{$lkey}"] == $lidx) { - echo "selected=\"selected\""; - } - echo ">{$lvalue}</option>\n"; - } - ?> - </select> - </td> - </tr> - <?php endforeach; ?> - <tr style="display:none;"> - <td></td> - </tr> - </table> - <br /><?=gettext("Launches IPsec in debug mode so that more verbose logs " . 
- "will be generated to aid in troubleshooting."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Unique IDs"); ?></td> - <td width="78%" class="vtable"> - <strong><?=gettext("Configure Unique IDs as: "); ?></strong> - <?php - echo "<select name=\"uniqueids\" id=\"uniqueids\">\n"; - foreach ($ipsec_idhandling as $value => $lvalue) { - echo "<option value=\"{$value}\" "; - if ($pconfig['uniqueids'] == $value) { - echo "selected=\"selected\""; - } - echo ">{$lvalue}</option>\n"; - } - ?> - </select> - <br /> - <?=gettext("whether a particular participant ID should be kept unique, with any new IKE_SA using an ID " . - "deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new " . - "IKE_SA using the same ID is almost invariably intended to replace an old one. " . - "The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an " . - "INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. " . - "The daemon also accepts the value <b>keep</b> to reject " . - "new IKE_SA setups and keep the duplicate established earlier. 
Defaults to Yes."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("IP Compression"); ?></td> - <td width="78%" class="vtable"> - <input name="compression" type="checkbox" id="compression" value="yes" <?php if ($pconfig['compression']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable IPCompression"); ?></strong> - <br /> - <?=gettext("IPComp compression of content is proposed on the connection."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Strict interface binding"); ?></td> - <td width="78%" class="vtable"> - <input name="enableinterfacesuse" type="checkbox" id="enableinterfacesuse" value="yes" <?php if ($pconfig['enableinterfacesuse']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable strict interface binding"); ?></strong> - <br /> - <?=gettext("Enable strongSwan's interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Unencrypted payloads in IKEv1 Main Mode"); ?></td> - <td width="78%" class="vtable"> - <input name="acceptunencryptedmainmode" type="checkbox" id="acceptunencryptedmainmode" value="yes" <?php if ($pconfig['acceptunencryptedmainmode']) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Accept unencrypted ID and HASH payloads in IKEv1 Main Mode"); ?></strong> - <br /> - <?=gettext("Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication." . - "This is very similar to Aggressive Mode, and has the same security implications: " . - "A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload." . 
- " It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).");?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Maximum MSS"); ?></td> - <td width="78%" class="vtable"> - <input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?php if ($pconfig['maxmss_enable'] == true) echo "checked=\"checked\""; ?> onclick="maxmss_checked(this)" /> - <strong><?=gettext("Enable MSS clamping on VPN traffic"); ?></strong> - <br /> - <input name="maxmss" id="maxmss" value="<?php if ($pconfig['maxmss'] <> "") echo htmlspecialchars($pconfig['maxmss']); else "1400"; ?>" class="formfld unknown" <?php if ($pconfig['maxmss_enable'] == false) echo "disabled=\"disabled\""; ?> /> - <br /> - <?=gettext("Enable MSS clamping on TCP flows over VPN. " . - "This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. 
"); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Disable Cisco Extensions"); ?></td> - <td width="78%" class="vtable"> - <input name="unityplugin" type="checkbox" id="unityplugin" value="yes" <?php if ($pconfig['unityplugin'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Disable Unity Plugin"); ?></strong> - <br /> - <?=gettext("Disable Unity Plugin which provides Cisco Extension support as Split-Include, Split-Exclude, Split-Dns, ..."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Strict CRL Checking"); ?></td> - <td width="78%" class="vtable"> - <input name="strictcrlpolicy" type="checkbox" id="strictcrlpolicy" value="yes" <?php if ($pconfig['strictcrlpolicy'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable strict Certificate Revocation List checking"); ?></strong> - <br /> - <?=gettext("Check this to require availability of a fresh CRL for peer authentication based on RSA signatures to succeed."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Make before Break"); ?></td> - <td width="78%" class="vtable"> - <input name="makebeforebreak" type="checkbox" id="makebeforebreak" value="yes" <?php if ($pconfig['makebeforebreak'] == true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Initiate IKEv2 reauthentication with a make-before-break"); ?></strong> - <br /> - <?=gettext("instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication " . - "by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps " . 
- "during reauthentication, but requires support for overlapping SAs by the peer.");?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Auto-exclude LAN address"); ?></td> - <td width="78%" class="vtable"> - <input name="noshuntlaninterfaces" type="checkbox" id="noshuntlaninterfaces" value="yes" <?php if ($pconfig['noshuntlaninterfaces'] != true) echo "checked=\"checked\""; ?> /> - <strong><?=gettext("Enable bypass for LAN interface IP"); ?></strong> - <br /> - <?=gettext("Exclude traffic from LAN subnet to LAN IP address from IPsec."); ?> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> +<?php + +$tab_array = array(); +$tab_array[0] = array(gettext("Tunnels"), false, "vpn_ipsec.php"); +$tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php"); +$tab_array[2] = array(gettext("Pre-Shared Key"), false, "vpn_ipsec_keys.php"); +$tab_array[3] = array(gettext("Advanced Settings"), true, "vpn_ipsec_settings.php"); +display_top_tabs($tab_array); + +require_once('classes/Form.class.php'); +$form = new Form; + +$section = new Form_Section('Start IPsec in debug mode based on sections selected'); + +foreach ($ipsec_loglevels as $lkey => $ldescr) +{ + $section->addInput(new Form_Select( + 'ipsec_' . $lkey, + $ldescr, + $pconfig['ipsec_' . $lkey], + array('Silent', 'Audit', 'Control', 'Diag', 'Raw', 'Highest') + ))->setWidth(2); +} + +$section->addInput(new Form_StaticText('', ''))->setHelp( + 'Launches IPsec in debug mode so that more verbose logs will be generated to aid in troubleshooting.' 
+); + +$form->add($section); + +$section = new Form_Section('IPsec Advanced Settings'); + +$section->addInput(new Form_Select( + 'uniqueids', + 'Configure Unique IDs as', + $pconfig['uniqueids'], + $ipsec_idhandling +))->setHelp( + 'Whether a particular participant ID should be kept unique, with any new IKE_SA using an ID ' . + 'deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new ' . + 'IKE_SA using the same ID is almost invariably intended to replace an old one. ' . + 'The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an ' . + 'INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. ' . + 'The daemon also accepts the value <b>keep</b> to reject ' . + 'new IKE_SA setups and keep the duplicate established earlier. Defaults to Yes.' +); + +$section->addInput(new Form_Checkbox( + 'compression', + 'IP Compression', + 'Enable IPCompression', + $pconfig['compression'] +))->setHelp('IPComp compression of content is proposed on the connection.'); + +$section->addInput(new Form_Checkbox( + 'enableinterfacesuse', + 'Strict interface binding', + 'Enable strict interface binding', + $pconfig['enableinterfacesuse'] +))->setHelp('Enable strongSwan\'s interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time.'); + +$section->addInput(new Form_Checkbox( + 'acceptunencryptedmainmode', + 'Unencrypted payloads in IKEv1 Main Mode', + 'Accept unencrypted ID and HASH payloads in IKEv1 Main Mode', + $pconfig['acceptunencryptedmainmode'] +))->setHelp( + 'Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication.' . + 'This is very similar to Aggressive Mode, and has the same security implications: ' . 
+ 'A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload.' . + 'It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).' +); + +$section->addInput(new Form_Checkbox( + 'maxmss_enable', + 'Enable Maximum MSS', + 'Enable MSS clamping on VPN traffic', + $pconfig['maxmss_enable'] +))->toggles('.toggle-maxmss', 'collapse'); + +$group = new Form_Group('Maximum MSS'); +$group->addClass('toggle-maxmss collapse'); + +if (!empty($pconfig['maxmss_enable'])) + $group->addClass('in'); + +$group->add(new Form_Input( + 'maxmss', + 'Maximum MSS', + 'text', + ($pconfig['maxmss'] ? $pconfig['maxmss'] : '1400') +))->setHelp( + 'Enable MSS clamping on TCP flows over VPN. ' . + 'This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. ' +); + +$section->add($group); + +$section->addInput(new Form_Checkbox( + 'unityplugin', + 'Disable Cisco Extensions', + 'Disable Unity Plugin', + $pconfig['unityplugin'] +))->setHelp('Disable Unity Plugin which provides Cisco Extension support as Split-Include, Split-Exclude, Split-Dns, ...'); + +$section->addInput(new Form_Checkbox( + 'shuntlaninterfaces', + 'Bypass LAN address', + 'Enable bypass for LAN interface ip', + $pconfig['shuntlaninterfaces'] +))->setHelp('Prevent LAN ip address to be processed for IPsec traffic.'); + +$form->add($section); + +print $form; + +?> + +<?php include("foot.inc"); ?>
\ No newline at end of file |
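Review bot: The LAN-bypass checkbox is renamed from `noshuntlaninterfaces` to `shuntlaninterfaces` with inverted meaning, but nothing in this diff updates the POST handler or the config read/write elsewhere in the file that populate `$pconfig['noshuntlaninterfaces']`, so unless that code was changed separately the new checkbox is rendered from an unset key (always unchecked) and its submitted value is never stored, silently making the bypass setting unconfigurable. Either keep the original field name and the `!= true` default (old behaviour: checked unless the "no" flag is set) or update the save path in the same commit. The explicit `htmlspecialchars()` around `$pconfig['maxmss']` is also dropped when the value is handed to `Form_Input`; that value is echoed back from the request after a validation error, so confirm the Form class escapes attribute values before output, and note that `$pconfig['maxmss'] ? $pconfig['maxmss'] : '1400'` treats `'0'` as empty where the old `<> ""` did not. All `gettext()` wrappers were removed from labels and help text, which is an i18n regression worth a second look.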