Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/diag_ipsec.php | 236 | ||||
-rwxr-xr-x | usr/local/www/diag_ipsec_sad.php | 174 | ||||
-rwxr-xr-x | usr/local/www/diag_ipsec_spd.php | 201 | ||||
-rwxr-xr-x | usr/local/www/diag_logs_ipsec.php | 8 | ||||
-rwxr-xr-x | usr/local/www/guiconfig.inc | 19 | ||||
-rwxr-xr-x | usr/local/www/pkg_edit.php | 2 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec.php | 435 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_ca.php | 16 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_edit.php | 662 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_keys.php | 120 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_keys_edit.php | 128 | ||||
-rwxr-xr-x | usr/local/www/vpn_ipsec_mobile.php | 3 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 635 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 489 | ||||
-rw-r--r-- | usr/local/www/widgets/include/ipsec.inc | 81 | ||||
-rw-r--r-- | usr/local/www/widgets/widgets/ipsec.widget.php | 26 |
16 files changed, 1705 insertions, 1530 deletions
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php index 4b16fe5..a61a5a1 100644 --- a/usr/local/www/diag_ipsec.php +++ b/usr/local/www/diag_ipsec.php @@ -3,6 +3,7 @@ /* diag_ipsec.php Copyright (C) 2007 Scott Ullrich + Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>. All rights reserved. Parts of this code was originally based on vpn_ipsec_sad.php 
@@ -30,170 +31,111 @@ POSSIBILITY OF SUCH DAMAGE. */ +global $g; + $pgtitle = array("Status","IPsec"); require("guiconfig.inc"); include("head.inc"); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase2 = &$config['ipsec']['phase2']; + +$spd = ipsec_dump_spd(); +$sad = ipsec_dump_sad(); + ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>"> <?php include("fbegin.inc"); ?> <div id="inputerrors"></div> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", true, "diag_ipsec.php"); - $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> -<?php - -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} - -/* query SAD */ -$fd = @popen("/sbin/setkey -D", "r"); -$sad = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); -} -?> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($sad)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Description</a></td> - <td nowrap 
class="listhdrr">Status</td> - </tr> -<?php -foreach ($config['ipsec']['tunnel'] as $ipsec) { - if(! isset($ipsec['disabled'])) { -?> <tr> - <td class="listlr"><?=htmlspecialchars(get_ipsec_tunnel_src($ipsec));?> - <br/> - <?php if ($ipsec['local-subnet']['network']) - echo strtoupper($ipsecent['local-subnet']['network']); - else - echo $ipsec['local-subnet']['address']; - ?> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", true, "diag_ipsec.php"); + $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> </td> - <td class="listr"><?=htmlspecialchars($ipsec['remote-gateway']);?> - <br/> - <?=$ipsec['remote-subnet'];?> - </td> - <td class="listr"><?=htmlspecialchars($ipsec['descr']);?></td> - <td class="listr"><?php echo output_ipsec_tunnel_status($ipsec); ?></td> </tr> -<?php - } -} -?> -<?php else: ?> - <tr> - <td> - <p> - <strong>No IPsec security associations.</strong> - </p> - </td> - </tr> -<?php endif; ?> - <tr> - <td colspan="4"> - <p> - <span class="vexpl"> - <span class="red"> - <strong> - Note:<br /> - </strong> - </span> - You can configure your IPsec - <a href="vpn_ipsec.php">here</a>. 
- </span> - </p> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($sad)): ?> + <tr> + <td nowrap class="listhdrr">Local IP</td> + <td nowrap class="listhdrr">Remote IP</a></td> + <td nowrap class="listhdrr">Local Network</td> + <td nowrap class="listhdrr">Remote Network</a></td> + <td nowrap class="listhdrr">Description</a></td> + <td nowrap class="listhdrr">Status</td> + </tr> + <?php + foreach ($a_phase2 as $ph2ent) { + if (!isset($ph2ent['disabled'])) { + ipsec_lookup_phase1($ph2ent,$ph1ent); + if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) + $icon = "pass"; + else + $icon = "reject"; + ?> + <tr> + <td class="listlr"> + <?=htmlspecialchars(ipsec_get_phase1_src($ph1ent));?> + </td> + <td class="listr"> + <?=htmlspecialchars($ph1ent['remote-gateway']);?> + </td> + <td class="listr"> + <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + </td> + <td class="listr"> + <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + </td> + <td class="listr"><?=htmlspecialchars($ph2ent['descr']);?></td> + <td class="listr"> + <img src ="/themes/<?=$g['theme']?>/images/icons/icon_<?=$icon?>.gif"> + </td> + </tr> + <?php + } + } + ?> + <?php else: ?> + <tr> + <td> + <p> + <strong>No IPsec security associations.</strong> + </p> + </td> + </tr> + <?php endif; ?> + <tr> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br /></strong> + </span> + You can configure your IPsec + <a href="vpn_ipsec.php">here</a>. 
+ </span> + </p> + </td> + </tr> + </table> + </div> </td> - </tr> -</table> -</div> - -</td></tr> - + </tr> </table> <?php include("fend.inc"); ?> </body> </html> -<?php - -function get_ipsec_tunnel_src($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - if ($tunnel['interface']) { - $if = $tunnel['interface']; - $realinterface = convert_friendly_interface_to_real_interface_name($if); - $interfaceip = find_interface_ip($realinterface); - } - return $interfaceip; -} - -function output_ipsec_tunnel_status($tunnel) { - global $g, $config, $sad; - $if = "WAN"; - $interfaceip = get_ipsec_tunnel_src($tunnel); - $foundsrc = false; - $founddst = false; - foreach($sad as $sa) { - if($sa['src'] == $interfaceip) - $foundsrc = true; - if($sa['dst'] == $tunnel['remote-gateway']) - $founddst = true; - } - if($foundsrc && $founddst) { - /* tunnel is up */ - $iconfn = "pass"; - } else { - /* tunnel is down */ - $iconfn = "reject"; - } - echo "<img src ='/themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif'>"; -} - -?> diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php index 5d5b738..f2a08af 100755 --- a/usr/local/www/diag_ipsec_sad.php +++ b/usr/local/www/diag_ipsec_sad.php 
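Review bot: `ipsec_lookup_phase1($ph2ent,$ph1ent);` in the new `foreach` appears to fill `$ph1ent` by reference, and nothing checks that the lookup succeeded, so a phase2 entry whose ikeid has no matching phase1 would be rendered with the previous iteration's `$ph1ent` (or an undefined one on the first pass); either test the helper's return value or `unset($ph1ent);` before the call — confirm against the helper, which is not in this diff. The Local/Remote Network cells echo `ipsec_idinfo_to_text(...)` raw while the neighbouring cells go through `htmlspecialchars()`; if that helper returns configuration text, wrap it the same way. The note row still uses `<td colspan="4">` although the new header has six columns. `global $g;` at file scope is a no-op in PHP and can be dropped.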
@@ -33,30 +33,14 @@ require("guiconfig.inc"); -$pgtitle = array("Status","IPsec","SA"); +$pgtitle = array("Status","IPsec","SAD"); include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", false, "diag_ipsec.php"); - $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> -<?php +$sad = ipsec_dump_sad(); /* delete any SA? */ if ($_GET['act'] == "del") { - $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n"); pclose($fd); 
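Review bot: The rewritten `fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n");` still hands four request parameters to setkey's stdin with no validation, and the `spddelete` line in the diag_ipsec_spd.php hunk has the same shape; since setkey reads a line-oriented configuration language, anything other than an address, a protocol name and a hex SPI should be rejected before the write. A minimal check before the `popen` is `if (!is_ipaddr($_GET['src']) || !is_ipaddr($_GET['dst']) || !in_array($_GET['proto'], array('esp', 'ah'), true) || !preg_match('/^0x[0-9a-f]+$/i', $_GET['spi'])) { /* ignore malformed request */ }`. The deletion is also triggered by a plain GET link, so a state-changing action runs on any navigation to that URL; a POST form is the conventional shape. Failure of `@popen` is silently ignored, which may be acceptable for a diagnostic page but deserves a one-line comment saying so.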
@@ -64,87 +48,79 @@ if ($_GET['act'] == "del") { } } -/* query SAD */ -$fd = @popen("/sbin/setkey -D", "r"); -$sad = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); -} ?> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($sad)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Protocol</td> - <td nowrap class="listhdrr">SPI</td> - <td nowrap class="listhdrr">Enc. alg.</td> - <td nowrap class="listhdr">Auth. alg.</td> - <td nowrap class="list"></td> - </tr> -<?php -foreach ($sad as $sa): ?> - <tr> - <td class="listlr"><?=htmlspecialchars($sa['src']);?></td> - <td class="listr"><?=htmlspecialchars($sa['dst']);?></td> - <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td> - <td class="listr"><?=htmlspecialchars($sa['spi']);?></td> - <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td> - <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td> - <td class="list" nowrap> - <?php - $args = "src=" . rawurlencode($sa['src']); - $args .= "&dst=" . rawurlencode($sa['dst']); - $args .= "&proto=" . rawurlencode($sa['proto']); - $args .= "&spi=" . rawurlencode("0x" . 
$sa['spi']); - ?> - <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> - </td> - - </tr> -<?php endforeach; ?> -<?php else: ?> -<tr><td><p><strong>No IPsec security associations.</strong></p></td></tr> -<?php endif; ?> -<td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p> - </td> -</table> -</div> -</td></tr> - -</table> - -<?php include("fend.inc"); ?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <?php include("fbegin.inc"); ?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", false, "diag_ipsec.php"); + $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($sad)): ?> + <tr> + <td nowrap class="listhdrr">Source</td> + <td nowrap class="listhdrr">Destination</a></td> + <td nowrap class="listhdrr">Protocol</td> + <td nowrap class="listhdrr">SPI</td> + <td nowrap class="listhdrr">Enc. alg.</td> + <td nowrap class="listhdr">Auth. 
alg.</td> + <td nowrap class="list"></td> + </tr> + <?php foreach ($sad as $sa): ?> + <tr> + <td class="listlr"><?=htmlspecialchars($sa['src']);?></td> + <td class="listr"><?=htmlspecialchars($sa['dst']);?></td> + <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td> + <td class="listr"><?=htmlspecialchars($sa['spi']);?></td> + <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td> + <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td> + <td class="list" nowrap> + <?php + $args = "src=" . rawurlencode($sa['src']); + $args .= "&dst=" . rawurlencode($sa['dst']); + $args .= "&proto=" . rawurlencode($sa['proto']); + $args .= "&spi=" . rawurlencode("0x" . $sa['spi']); + ?> + <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php endforeach; ?> + <?php else: ?> + <tr> + <td> + <p><strong>No IPsec security associations.</strong></p> + </td> + </tr> + <?php endif; ?> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can configure your IPsec <a href="vpn_ipsec.php">here</a>. + </span> + </p> + </td> + </table> + </div> + </td> + </tr> + </table> + <?php include("fend.inc"); ?> </body> </html> diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php index dc6ee6f..d9dfe54 100755 --- a/usr/local/www/diag_ipsec_spd.php +++ b/usr/local/www/diag_ipsec_spd.php 
@@ -36,129 +36,104 @@ require("guiconfig.inc"); $pgtitle = array("Status","IPsec","SPD"); include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array("Overview", false, "diag_ipsec.php"); - $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); - $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> -<?php - /* delete any SP? */ if ($_GET['act'] == "del") { - $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { - fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n"); + fwrite($fd, "spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;\n"); pclose($fd); sleep(1); } } -/* query SAD */ -$fd = @popen("/sbin/setkey -DP", "r"); -$spd = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SPD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursp)) - $spd[] = $cursp; - $cursp = array(); - $linea = explode(" ", $line); - $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "[")); - $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "[")); - $i = 0; - } else if (is_array($cursp)) { - $linea = explode(" ", trim($line)); - if ($i == 1) { - if ($linea[1] == "none") /* don't show default anti-lockout rule */ - unset($cursp); - else - $cursp['dir'] = $linea[0]; - } else if ($i == 2) { - $upperspec = explode("/", $linea[0]); - $cursp['proto'] = $upperspec[0]; - list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]); - } - } - $i++; - } - if (is_array($cursp) && count($cursp)) - $spd[] = $cursp; - pclose($fd); -} +$spd = ipsec_dump_spd(); ?> -<div id="mainarea" style="background:#eeeeee"> - <table class="tabcont" 
width="100%" border="0" cellpadding="6" cellspacing="0"> -<?php if (count($spd)): ?> - <tr> - <td nowrap class="listhdrr">Source</td> - <td nowrap class="listhdrr">Destination</a></td> - <td nowrap class="listhdrr">Direction</td> - <td nowrap class="listhdrr">Protocol</td> - <td nowrap class="listhdrr">Tunnel endpoints</td> - <td nowrap class="list"></td> - </tr> -<?php -foreach ($spd as $sp): ?> - <tr> - <td class="listlr" valign="top"><?=htmlspecialchars($sp['src']);?></td> - <td class="listr" valign="top"><?=htmlspecialchars($sp['dst']);?></td> - <td class="listr" valign="top"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px"></td> - <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td> - <td class="listr" valign="top"><?=htmlspecialchars($sp['ep_src']);?> - <br> - <?=htmlspecialchars($sp['ep_dst']);?></td> - <td class="list" nowrap> - <?php - $args = "src=" . rawurlencode($sp['src']); - $args .= "&dst=" . rawurlencode($sp['dst']); - $args .= "&dir=" . 
rawurlencode($sp['dir']); - ?> - <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> - </td> - </tr> -<?php endforeach; ?> -</table> -<br> -<table class="tabcont" border="0" cellspacing="0" cellpadding="6"> - <tr> - <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td> - <td>incoming (as seen by firewall)</td> - </tr> - <tr> - <td colspan="5" height="4"></td> - </tr> - <tr> - <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td> - <td>outgoing (as seen by firewall)</td> - </tr> -<?php else: ?> -<tr><td><p><strong>No IPsec security policies.</strong></p></td></tr> -<?php endif; ?> -<td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p> - </td> -</table> -</div> -</td></tr></table> -<?php include("fend.inc"); ?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <?php include("fbegin.inc"); ?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array("Overview", false, "diag_ipsec.php"); + $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php"); + $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea" style="background:#eeeeee"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if (count($spd)): ?> + <tr> + <td nowrap class="listhdrr">Source</td> + <td nowrap class="listhdrr">Destination</td> + <td nowrap class="listhdrr">Direction</td> + <td nowrap class="listhdrr">Protocol</td> + <td nowrap class="listhdrr">Tunnel endpoints</td> + <td nowrap class="list"></td> + 
</tr> + <?php foreach ($spd as $sp): ?> + <tr> + <td class="listlr" valign="top"><?=htmlspecialchars($sp['srcid']);?></td> + <td class="listr" valign="top"><?=htmlspecialchars($sp['dstid']);?></td> + <td class="listr" valign="top"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px"> + </td> + <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td> + <td class="listr" valign="top"><?=htmlspecialchars($sp['src']);?> -> <?=htmlspecialchars($sp['dst']);?></td> + <td class="list" nowrap> + <?php + $args = "srcid=".rawurlencode($sp['srcid']); + $args .= "&dstid=".rawurlencode($sp['dstid']); + $args .= "&dir=".rawurlencode($sp['dir']); + ?> + <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php endforeach; ?> + </table> + <br> + <table class="tabcont" border="0" cellspacing="0" cellpadding="6"> + <tr> + <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td> + <td>incoming (as seen by firewall)</td> + </tr> + <tr> + <td colspan="5" height="4"></td> + </tr> + <tr> + <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td> + <td>outgoing (as seen by firewall)</td> + </tr> + <?php else: ?> + <tr> + <td> + <p><strong>No IPsec security policies.</strong></p> + </td> + </tr> + <?php endif; ?> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can configure your IPsec <a href="vpn_ipsec.php">here</a>. + </span> + </p> + </td> + </table> + </div> + </td> + </tr> + </table> + <?php include("fend.inc"); ?> </body> </html> 
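Review bot: `icon_<?=$sp['dir'];?>.gif` places a value from `ipsec_dump_spd()` into a `src` attribute without `htmlspecialchars()`, unlike the other cells in the same row; the helper is not in this diff, but if it passes setkey output through verbatim the value should be escaped or restricted to the two icons the page has, e.g. `<?=htmlspecialchars($sp['dir']);?>`. The trailing note cell `<td colspan="4">` sits directly after `<?php endif; ?>` with no enclosing `<tr>`, so browsers have to synthesize a row (the same markup is in the diag_ipsec_sad.php hunk). The `&` separators in the delete `href` should be written `&amp;` inside an HTML attribute.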
diff --git a/usr/local/www/diag_logs_ipsec.php b/usr/local/www/diag_logs_ipsec.php index a6b8ae6..74cf757 100755 --- a/usr/local/www/diag_logs_ipsec.php +++ b/usr/local/www/diag_logs_ipsec.php @@ -38,11 +38,11 @@ $ipsec_logfile = "{$g['varlog_path']}/ipsec.log"; /* Create array with all IPsec tunnel descriptions */ $search = array(); $replace = array(); -if(is_array($config['ipsec']['tunnel'])) - foreach($config['ipsec']['tunnel'] as $tunnel) { - $gateway = "{$tunnel['remote-gateway']}"; +if(is_array($config['ipsec']['phase1'])) + foreach($config['ipsec']['phase1'] as $ph1ent) { + $gateway = "{$ph1ent['remote-gateway']}"; $search[] = "/(racoon: )([A-Z:].*?)({$gateway}\[[0-9].+\]|{$gateway})(.*)/i"; - $replace[] = "$1<strong>[{$tunnel['descr']}]</strong>: $2$3$4"; + $replace[] = "$1<strong>[{$ph1ent['descr']}]</strong>: $2$3$4"; } /* collect all our own ip addresses */ exec("/sbin/ifconfig|/usr/bin/awk '/inet / {print $2}'", $ip_address_list); diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 1c6ab78..9fecc45 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc 
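Review bot: `$gateway = "{$ph1ent['remote-gateway']}";` is interpolated straight into the `preg_match` pattern on the following line, so the gateway is not matched literally: the `.` in every IP address or hostname matches any character, and a value containing other metacharacters can make the pattern fail to compile; use `$gateway = preg_quote($ph1ent['remote-gateway'], '/');`. The replacement string `"$1<strong>[{$ph1ent['descr']}]</strong>: $2$3$4"` also injects the description into the log HTML unescaped; `htmlspecialchars($ph1ent['descr'])` keeps a description containing markup from being rendered. Both lines are new on the plus side but carry the behaviour of the removed `tunnel` version, so this is not a regression introduced here.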
@@ -157,25 +157,6 @@ $medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex", /* platforms that support firmware updating */ $fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap'); -/* IPsec defines */ -$my_identifier_list = array('myaddress' => 'My IP address', - 'address' => 'IP address', - 'fqdn' => 'Domain name', - 'user_fqdn' => 'User FQDN', - 'asn1dn' => 'Distinguished Name', - 'dyn_dns' => 'Dynamic DNS'); - -$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128','rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); -$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); - -$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5'); -$p1_authentication_methods = array('pre_shared_key' => 'Pre-shared key', 'rsasig' => 'RSA signature'); -$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5'); -$p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); -$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); - function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) { /* check for bad control characters */ diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php index a2a2442..64826d0 100755 --- a/usr/local/www/pkg_edit.php +++ b/usr/local/www/pkg_edit.php @@ -381,7 +381,7 @@ if ($pkg['tabs'] <> "") { print("</select>\n<br />\n" . fixup_string($pkga['description']) . "\n"); } else if($pkga['type'] == "vpn_selection") { echo "<select id='" . $pkga['fieldname'] . "' name='" . $vpn['name'] . "'>\n"; - foreach ($config['ipsec']['tunnel'] as $vpn) { + foreach ($config['ipsec']['phase1'] as $vpn) { echo "\t<option value=\"" . $vpn['descr'] . "\">" . $vpn['descr'] . "</option>\n"; } echo "</select>\n"; 
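Review bot: `foreach ($config['ipsec']['phase1'] as $vpn) {` in pkg_edit.php iterates the renamed key with no `is_array()` guard, whereas the diag_logs_ipsec.php hunk in this same commit guards `$config['ipsec']['phase1']` before its loop; with no phase1 entries configured this emits a PHP warning into the page. `foreach ((array) $config['ipsec']['phase1'] as $vpn) {` keeps it to one line. The option text `$vpn['descr']` is written into the `<option>` without `htmlspecialchars()`, but that is on the unchanged context line and pre-dates this change.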
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 4946d73..94f4c37 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -4,6 +4,7 @@ part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,14 +31,18 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; +$a_phase2 = &$config['ipsec']['phase2']; + $wancfg = &$config['interfaces']['wan']; $pconfig['enable'] = isset($config['ipsec']['enable']); -$pconfig['ipcomp'] = isset($config['ipsec']['ipcomp']); if ($_POST) { @@ -53,7 +58,6 @@ if ($_POST) { $pconfig = $_POST; $config['ipsec']['enable'] = $_POST['enable'] ? true : false; - $config['ipsec']['ipcomp'] = $_POST['ipcomp'] ? true : false; write_config(); 
@@ -72,13 +76,41 @@ if ($_POST) { } } -if ($_GET['act'] == "del") { - if ($a_ipsec[$_GET['id']]) { +if ($_GET['act'] == "delph1") +{ + if ($a_phase1[$_GET['p1index']]) { /* remove static route if interface is not WAN */ - if($a_ipsec[$_GET['id']]['interface'] <> "wan") { - mwexec("/sbin/route delete -host {$$a_ipsec[$_GET['id']]['remote-gateway']}"); + if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") { + mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}"); + } + + /* remove all phase2 entries that match the ikeid */ + $ikeid = $a_phase1[$_GET['p1index']]['ikeid']; + $p2index = 0; + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { + /* remove the phase2 entry */ + unset($a_phase2[$p2index]); + continue; + } + /* only skip if we remove an entry */ + $p2index++; } - unset($a_ipsec[$_GET['id']]); + + /* remove the phase1 entry */ + unset($a_phase1[$_GET['p1index']]); + filter_configure(); + write_config(); + header("Location: vpn_ipsec.php"); + exit; + } +} + +if ($_GET['act'] == "delph2") +{ + if ($a_phase2[$_GET['p2index']]) { + /* remove the phase2 entry */ + unset($a_phase2[$_GET['p2index']]); filter_configure(); write_config(); header("Location: vpn_ipsec.php"); 
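Review bot: The phase2 cleanup loop in the `delph1` branch does not remove every matching entry: `unset($a_phase2[$p2index])` leaves a hole rather than shifting later elements down, so after the first removal `$p2index` no longer equals the key of the element being visited and a second entry with the same ikeid survives (the `continue` without increment assumes the array reindexes). Iterate with the key instead and drop the manual counter: `foreach ($a_phase2 as $p2index => $ph2tmp) { if ($ph2tmp['ikeid'] == $ikeid) unset($a_phase2[$p2index]); }`. The route cleanup `mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}");` carries over the double `$$` from the old `$a_ipsec` line, which PHP reads as a variable-variable rather than the gateway, so the interpolated argument is almost certainly not the intended host; it should read `{$a_phase1[$_GET['p1index']]['remote-gateway']}` and, since the string is shell-executed, go through `escapeshellarg()`. Both branches mutate and write the config from a GET request with `$_GET['p1index']`/`$_GET['p2index']` used directly as array keys; an `is_numeric()` check and a POST form would be the conventional shape for a destructive action.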
@@ -95,133 +127,270 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php if ($pconfig['enable']) - print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> <?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); + if ($savemsg) + print_info_box($savemsg); + if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path)) + print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); ?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vtable"> - <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> - <strong>Enable IPsec</strong></td> - </tr> - <tr> - <td> <input name="submit" type="submit" class="formbtn" value="Save"> - </td> - </tr> - </table> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td nowrap class="listhdrr">Local net<br> - Remote net</td> - <td class="listhdrr">Interface<br>Remote gw</td> - <td class="listhdrr">P1 mode</td> - <td class="listhdrr">P1 Enc. 
Algo</td> - <td class="listhdrr">P1 Hash Algo</td> - <td class="listhdr">Description</td> - <td class="list" > - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17" heigth="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i = 0; foreach ($a_ipsec as $ipsecent): - if (isset($ipsecent['disabled'])) { - $spans = "<span class=\"gray\">"; - $spane = "</span>"; - } else { - $spans = $spane = ""; - } - ?> - <tr valign="top"> - <td nowrap class="listlr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['local-subnet']['network']) - echo strtoupper($ipsecent['local-subnet']['network']); +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <?php + $tab_array = array(); + $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php"); +// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); + display_top_tabs($tab_array); + ?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td class="vtable"> + <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>> + <strong>Enable IPsec</strong> + </td> + </tr> + <tr> + <td> + <input name="submit" type="submit" class="formbtn" value="Save"> + </td> + </tr> + </table> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr">Interface<br>Remote gw</td> + <td class="listhdrr">P1 mode</td> + <td class="listhdrr">P1 Enc. 
Algo</td> + <td class="listhdrr">P1 Hash Algo</td> + <td class="listhdr">Description</td> + <td class="list" > + <table border="0" cellspacing="0" cellpadding="o"> + <tr> + <td width="17" heigth="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"></a> + </td> + </tr> + </table> + </td> + </tr> + <?php + $i = 0; + foreach ($a_phase1 as $ph1ent) { + if (isset( $ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } else - echo $ipsecent['local-subnet']['address']; + $spans = $spane = ""; ?> - <br> - <?=$ipsecent['remote-subnet'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?php if ($ipsecent['interface']) { - $iflabels = get_configured_interface_with_descr(); - $carpips = find_number_of_needed_carp_interfaces(); - for($j=0; $j<$carpips; $j++) { - $carpip = find_interface_ip("carp" . $j); - $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; - } - $if = htmlspecialchars($iflabels[$ipsecent['interface']]); - } else - $if = "WAN"; - - echo $if . "<br>" . $ipsecent['remote-gateway']; + <tr valign="top"> + <td class="listlr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + if ($ph1ent['interface']) { + $iflabels = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for( $j=0; $j<$carpips; $j++ ) { + $carpip = find_interface_ip("carp" . $j); + $iflabels['carp' . $j] = "CARP{$j} ({$carpip})"; + } + $if = htmlspecialchars($iflabels[$ph1ent['interface']]); + } + else + $if = "WAN"; + + echo $if . "<br>" . 
$ph1ent['remote-gateway']; + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$ph1ent['mode'];?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?> + <?php + if ($ph1ent['encryption-algorithm']['keylen']) { + if ($ph1ent['encryption-algorithm']['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph1ent['encryption-algorithm']['keylen']} bits)"; + } + ?> + <?=$spane;?> + </td> + <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <?=$p1_halgos[$ph1ent['hash-algorithm']];?> + <?=$spane;?> + </td> + <td class="listtopic" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'"> + <?=$spans;?> + <font color="#FFFFFF"> + <?=htmlspecialchars($ph1ent['descr']);?> + </font> + <?=$spane;?> + </td> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td> + <a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0"> + </a> + </td> + <td> + <a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td> + </td> + <td> + <a href="vpn_ipsec_phase1.php?dup=<?=$i;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td class="listbg" colspan="5"> + <table width="100%" height="100%"border="0" cellspacing="0" cellpadding="0"> + <tr> + <td 
class="listhdrr">Local Network</td> + <td class="listhdrr">Remote Network</td> + <td class="listhdrr">P2 Protocol</td> + <td class="listhdrr">P2 Transforms</td> + <td class="listhdrr">P2 Auth Methods</td> + <td class ="list"> + <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j = 0; + foreach ($a_phase2 as $ph2ent) { + if ($ph2ent['ikeid'] != $ph1ent['ikeid']) { + $j++; + continue; + } + + if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) { + $spans = "<span class=\"gray\">"; + $spane = "</span>"; + } + else + $spans = $spane = ""; + ?> + <tr valign="top"> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php echo $p2_protos[$ph2ent['protocol']]; ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) { + if ($k++) + echo ", "; + echo $p2_ealgos[$ph2ea['name']]['name']; + if ($ph2ea['keylen']) { + if ($ph2ea['keylen']=="auto") + echo " (auto)"; + else + echo " ({$ph2ea['keylen']} bits)"; + } + } + ?> + <?=$spane;?> + </td> + <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'"> + <?=$spans;?> + <?php + $k = 0; + foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) { + if ($k++) + echo ", "; + echo $p2_halgos[$ph2ha]; + } + ?> + <?=$spane;?> + </td> + 
<td nowrap class="list"> + <a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0"> + </a> + <a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $j++; + } + ?> + </table> + </td> + </tr> + <?php + $i++; + } ?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$ipsecent['p1']['mode'];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_ealgos[$ipsecent['p1']['encryption-algorithm']];?> - <?=$spane;?></td> - <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?> - <?=$p1_halgos[$ipsecent['p1']['hash-algorithm']];?> - <?=$spane;?></td> - <td class="listbg" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?><font color="#FFFFFF"> - <?=htmlspecialchars($ipsecent['descr']);?> - <?=$spane;?></td> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="vpn_ipsec_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit tunnel" width="17" height="17" border="0"></a></td> - <td><a href="vpn_ipsec.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this tunnel?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete tunnel" width="17" height="17" border="0"></a></td> - </tr> - <tr> - <td></td> - <td><a href="vpn_ipsec_edit.php?dup=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add a new rule based on this one" width="17" 
height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="6"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17"></td> - <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td> - </tr> - </table> - <td> - </tr> - <tr> - <td colspan="4"> - <p><span class="vexpl"><span class="red"><strong>Note:<br> - </strong></span>You can check your IPsec status at <a href="diag_ipsec_sad.php">Status:IPsec</a>.</span></p> - </td> - </tr> - </table> - </div> - </td> + <tr> + <td class="list" colspan="5"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="17"></td> + <td> + <a href="vpn_ipsec_phase1.php"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"> + </a> + </td> + </tr> + </table> + <td> + </tr> + <tr> + <td colspan="4"> + <p> + <span class="vexpl"> + <span class="red"> + <strong>Note:<br></strong> + </span> + You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>. + </span> + </p> + </td> + </tr> + </table> + </div> + </td> </tr> </table> </form> diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php index 17195ae..b94c66d 100755 --- a/usr/local/www/vpn_ipsec_ca.php +++ b/usr/local/www/vpn_ipsec_ca.php 
@@ -51,22 +51,22 @@ include("head.inc"); ?> - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> +<?php + if ($savemsg) + print_info_box($savemsg); + if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path)) + print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect."); +?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", true, "vpn_ipsec_ca.php"); +// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); + $tab_array[2] = array("CAs", true, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> </td></tr> diff --git a/usr/local/www/vpn_ipsec_edit.php b/usr/local/www/vpn_ipsec_edit.php deleted file mode 100755 index 74de623..0000000 --- a/usr/local/www/vpn_ipsec_edit.php +++ /dev/null 
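Review bot: The pending-changes notice is now gated on `$pconfig['enable']`, but nothing in this hunk assigns it, and unless vpn_ipsec_ca.php populates it above line 51 (not visible here) the condition is always false, so an operator who edits CAs is never told that the running IPsec configuration is stale. Either restore the unconditional check, `if (file_exists($d_ipsecconfdirty_path))`, or assign `$pconfig['enable']` from the IPsec section of `$config` before this block, the same way the tunnel page derives it. Separately, the "Mobile clients" tab is commented out rather than deleted, which leaves dead code and a gap in `$tab_array` (indices 0 and 2); drop the commented line and use `$tab_array[1] = array("CAs", true, "vpn_ipsec_ca.php");` so the array stays a contiguous list.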
@@ -1,662 +0,0 @@ -<?php -/* - vpn_ipsec_edit.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; - -if($config['interfaces']['lan']) - $specialsrcdst = explode(" ", "lan"); - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; -} - -if (isset($id) && $a_ipsec[$id]) { - $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']); - $pconfig['auto'] = isset($a_ipsec[$id]['auto']); - - if (!isset($a_ipsec[$id]['local-subnet'])) { - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - } else { - if($config['interfaces']['lan']) - address_to_pconfig_vpn($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']); - } - - if ($a_ipsec[$id]['interface']) - $pconfig['interface'] = $a_ipsec[$id]['interface']; - else - $pconfig['interface'] = "wan"; - - list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']); - $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway']; - $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode']; - - if (isset($a_ipsec[$id]['p1']['myident']['myaddress'])) - $pconfig['p1myidentt'] = 'myaddress'; - else if (isset($a_ipsec[$id]['p1']['myident']['address'])) { - $pconfig['p1myidentt'] = 'address'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address']; - } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) { - $pconfig['p1myidentt'] = 'fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['ufqdn'])) { - $pconfig['p1myidentt'] = 'user_fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['ufqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['asn1dn'])) { - $pconfig['p1myidentt'] = 'asn1dn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['asn1dn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['dyn_dns'])) { - $pconfig['p1myidentt'] = 
'dyn_dns'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['dyn_dns']; - } - - $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm']; - $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; - $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; - $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; - $pconfig['p1authentication_method'] = $a_ipsec[$id]['p1']['authentication_method']; - $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; - $pconfig['p1cert'] = base64_decode($a_ipsec[$id]['p1']['cert']); - $pconfig['p1peercert'] = base64_decode($a_ipsec[$id]['p1']['peercert']); - $pconfig['p1privatekey'] = base64_decode($a_ipsec[$id]['p1']['private-key']); - $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; - $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; - $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; - $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup']; - $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime']; - $pconfig['descr'] = $a_ipsec[$id]['descr']; - $pconfig['pinghost'] = $a_ipsec[$id]['pinghost']; - -} else { - /* defaults */ - $pconfig['interface'] = "wan"; - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - $pconfig['p1mode'] = "aggressive"; - $pconfig['p1myidentt'] = "myaddress"; - $pconfig['p1authentication_method'] = "pre_shared_key"; - $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "sha1"; - $pconfig['p1dhgroup'] = "2"; - $pconfig['p2proto'] = "esp"; - $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael,rijndael 256"); - $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); - $pconfig['p2pfsgroup'] = "0"; - $pconfig['remotebits'] = 32; -} - -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - if (is_specialnet($_POST['localnettype'])) { - $_POST['localnet'] = $_POST['localnettype']; - $_POST['localnetmask'] = 0; - } else if ($_POST['localnettype'] == "single") { - $_POST['localnetmask'] = 32; - 
} - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - if ($_POST['p1authentication_method'] == "pre_shared_key") { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); - } - else { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,P2 Encryption Algorithms,P2 Hash Algorithms"); - if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - if ($_POST['p1peercert']!="" && (!strstr($_POST['p1peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1peercert'], "END CERTIFICATE"))) - $input_errors[] = "This peer certificate does not appear to be valid."; - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (!is_specialnet($_POST['localnettype'])) { - if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) { - $input_errors[] = "A valid local network IP address must be specified."; - } - if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) { - $input_errors[] = "A valid local network bit count must be specified."; - } - } - if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { - $input_errors[] = "The P1 lifetime must be an integer."; - } - if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { - $input_errors[] = "The P2 lifetime must be an integer."; - } - if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] < 0) || 
($_POST['remotebits'] > 32))) { - if(!$_POST['remotebits'] == "0.0.0.0") - $input_errors[] = "The remote network bits are invalid."; - } - if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet'])) or $_POST['remotenet'] == "0.0.0.0") { - /* allow 0.0.0.0 remote net usage */ - if($_POST['remotenet'] <> "0.0.0.0") - $input_errors[] = "A valid remote network address must be specified."; - } - if (($_POST['remotenet'] && is_ipaddr($_POST['remotenet']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotecidr = $pconfig['remotenet'] ."/". $pconfig['remotebits']; - if(($tunnel['remote-subnet'] == $tremotecidr) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote network \"$tremotecidr\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw']))) - $input_errors[] = "A valid remote gateway address or host name must be specified."; - if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotegw = $pconfig['remotegw']; - if(($tunnel['remote-gateway'] == $tremotegw) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote gateway \"$tremotegw\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { - $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - } - if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { - $input_errors[] = "A valid domain name for 'My identifier' must be specified."; - } - if ($_POST['p1myidentt'] == "user_fqdn") { - $ufqdn = explode("@",$_POST['p1myident']); - if (is_domain($ufqdn[1]) == false) - $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; - } - 
if ($_POST['p1myidentt'] == "dyn_dns") { - if (is_domain($_POST['p1myidentt']) == false) - $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; - } - - if($_POST['p1myidentt'] == "fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "dyn_dns" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "address" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "user_fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if ($_POST['p1myidentt'] == "myaddress") - $_POST['p1myident'] = ""; - - if (!$input_errors) { - $ipsecent['disabled'] = $_POST['disabled'] ? true : false; - //$ipsecent['auto'] = $_POST['auto'] ? true : false; - $ipsecent['interface'] = $pconfig['interface']; - pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']); - $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . 
$_POST['remotebits']; - /* if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ - if($_POST['interface'] <> "wan") { - if($ipsecent['remote-gateway'] <> $_POST['remotegw']) { - mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}"); - } - } - $ipsecent['remote-gateway'] = $_POST['remotegw']; - $ipsecent['p1']['mode'] = $_POST['p1mode']; - - $ipsecent['p1']['myident'] = array(); - switch ($_POST['p1myidentt']) { - case 'myaddress': - $ipsecent['p1']['myident']['myaddress'] = true; - break; - case 'address': - $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; - break; - case 'fqdn': - $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; - break; - case 'user_fqdn': - $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; - break; - case 'asn1dn': - $ipsecent['p1']['myident']['asn1dn'] = $_POST['p1myident']; - break; - case 'dyn_dns': - $ipsecent['p1']['myident']['dyn_dns'] = $_POST['p1myident']; - break; - } - - $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; - $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; - $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; - $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; - $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; - $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); - $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); - $ipsecent['p1']['peercert'] = base64_encode($_POST['p1peercert']); - $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; - $ipsecent['p2']['protocol'] = $_POST['p2proto']; - $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; - $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; - $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; - $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; - $ipsecent['descr'] = $_POST['descr']; - $ipsecent['pinghost'] = $_POST['pinghost']; - - if 
(isset($id) && $a_ipsec[$id]) - $a_ipsec[$id] = $ipsecent; - else - $a_ipsec[] = $ipsecent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit tunnel"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<script language="JavaScript"> -<!-- -function typesel_change() { - switch (document.iform.localnettype.selectedIndex) { - case 0: /* single */ - document.iform.localnet.disabled = 0; - document.iform.localnetmask.value = ""; - document.iform.localnetmask.disabled = 1; - break; - case 1: /* network */ - document.iform.localnet.disabled = 0; - document.iform.localnetmask.disabled = 0; - break; - default: - document.iform.localnet.value = ""; - document.iform.localnet.disabled = 1; - document.iform.localnetmask.value = ""; - document.iform.localnetmask.disabled = 1; - break; - } -} -function methodsel_change() { - switch (document.iform.p1authentication_method.selectedIndex) { - case 1: /* rsa */ - document.iform.p1pskey.disabled = 1; - document.iform.p1privatekey.disabled = 0; - document.iform.p1cert.disabled = 0; - document.iform.p1peercert.disabled = 0; - break; - default: /* pre-shared */ - document.iform.p1pskey.disabled = 0; - document.iform.p1privatekey.disabled = 1; - document.iform.p1cert.disabled = 1; - document.iform.p1peercert.disabled = 1; - break; - } -} -//--> -</script> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_ipsec_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="22%" valign="top" class="vncellreq">Mode</td> - <td width="78%" class="vtable"> Tunnel</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Disabled</td> - <td width="78%" class="vtable"> - <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) 
echo "checked"; ?>> - <strong>Disable this tunnel</strong><br> - <span class="vexpl">Set this option to disable this tunnel without - removing it from the list.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Interface</td> - <td width="78%" class="vtable"><select name="interface" class="formselect"> - <?php - $interfaces = get_configured_interface_with_descr(); - $carpips = find_number_of_needed_carp_interfaces(); - for($i=0; $i<$carpips; $i++) { - $carpip = find_interface_ip("carp" . $i); - $interfaces['carp' . $i] = "CARP{$i} ({$carpip})"; - } - foreach ($interfaces as $iface => $ifacename): ?> - <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> - <?=htmlspecialchars($ifacename);?> - </option> - <?php endforeach; ?> - </select> <br> - <span class="vexpl">Select the interface for the local endpoint of this tunnel.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Local subnet</td> - <td width="78%" class="vtable"> - <table border="0" cellspacing="0" cellpadding="0"> - <tr> - <td>Type: </td> - <td></td> - <td><select name="localnettype" class="formselect" onChange="typesel_change()"> - <?php $sel = is_specialnet($pconfig['localnet']); ?> - <option value="single" <?php if (($pconfig['localnetmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>> - Single host</option> - <option value="network" <?php if (!$sel) echo "selected"; ?>> - Network</option> - <?php if($config['interfaces']['lan']): ?> - <option value="lan" <?php if ($pconfig['localnet'] == "lan") { echo "selected"; } ?>> - LAN subnet</option> - <?php endif; ?> - </select></td> - </tr> - <tr> - <td>Address: </td> - <td><?=$mandfldhtmlspc;?></td> - <td><input name="localnet" type="text" class="formfld unknown" id="localnet" size="20" value="<?php if (!is_specialnet($pconfig['localnet'])) echo htmlspecialchars($pconfig['localnet']);?>"> - / - <select name="localnetmask" class="formselect" id="localnetmask"> - 
<?php for ($i = 31; $i >= 0; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['localnetmask']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select> </td> - </tr> - </table></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Remote subnet</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="remotenet" type="text" class="formfld unknown" id="remotenet" size="20" value="<?=$pconfig['remotenet'];?>"> - / - <select name="remotebits" class="formselect" id="remotebits"> - <?php for ($i = 32; $i >= 0; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['remotebits']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> - </select></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Remote gateway</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>"> - <br> - Enter the public IP address or host name of the remote gateway</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Description</td> - <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> - <br> <span class="vexpl">You may enter a description here - for your reference (not parsed).</span></td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 1 proposal - (Authentication)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Negotiation mode</td> - <td width="78%" class="vtable"> - <select name="p1mode" class="formfld unknown"> - <?php $modes = explode(" ", "main aggressive"); foreach ($modes as $mode): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1mode']) echo "selected"; ?>> - <?=htmlspecialchars($mode);?> - </option> - <?php endforeach; ?> - </select> 
<br> <span class="vexpl">Aggressive is faster, but - less secure.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">My identifier</td> - <td width="78%" class="vtable"> - <select name="p1myidentt" class="formselect"> - <?php foreach ($my_identifier_list as $mode => $modename): ?> - <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1myidentt']) echo "selected"; ?>> - <?=htmlspecialchars($modename);?> - </option> - <?php endforeach; ?> - </select> <input name="p1myident" type="text" class="formfld unknown" id="p1myident" size="30" value="<?=$pconfig['p1myident'];?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> - <td width="78%" class="vtable"> - <select name="p1ealgo" class="formselect"> - <?php foreach ($p1_ealgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1ealgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithm</td> - <td width="78%" class="vtable"> - <select name="p1halgo" class="formselect"> - <?php foreach ($p1_halgos as $algo => $algoname): ?> - <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1halgo']) echo "selected"; ?>> - <?=htmlspecialchars($algoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side. 
</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">DH key group</td> - <td width="78%" class="vtable"> - <select name="p1dhgroup" class="formselect"> - <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p1dhgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroup);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em><br> - Must match the setting chosen on the remote side. </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p1lifetime" type="text" class="formfld unknown" id="p1lifetime" size="20" value="<?=$pconfig['p1lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Authentication method</td> - <td width="78%" class="vtable"> - <select name="p1authentication_method" class="formselect" onChange="methodsel_change()"> - <?php foreach ($p1_authentication_methods as $method => $methodname): ?> - <option value="<?=$method;?>" <?php if ($method == $pconfig['p1authentication_method']) echo "selected"; ?>> - <?=htmlspecialchars($methodname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Must match the setting - chosen on the remote side.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="p1pskey" type="text" class="formfld unknown" id="p1pskey" size="40" value="<?=htmlspecialchars($pconfig['p1pskey']);?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Certificate</td> - <td width="78%" class="vtable"> - <textarea name="p1cert" cols="65" rows="7" id="p1cert" class="formpre"><?=htmlspecialchars($pconfig['p1cert']);?></textarea> - <br> - Paste a certificate in X.509 PEM format here.</td> - 
</tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Key</td> - <td width="78%" class="vtable"> - <textarea name="p1privatekey" cols="65" rows="7" id="p1privatekey" class="formpre"><?=htmlspecialchars($pconfig['p1privatekey']);?></textarea> - <br> - Paste an RSA private key in PEM format here.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Peer certificate</td> - <td width="78%" class="vtable"> - <textarea name="p1peercert" cols="65" rows="7" id="p1peercert" class="formpre"><?=htmlspecialchars($pconfig['p1peercert']);?></textarea> - <br> - Paste the peer X.509 certificate in PEM format here.<br> - Leave this blank if you want to use a CA certificate for identity validation.</td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Phase 2 proposal - (SA/Key Exchange)</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Protocol</td> - <td width="78%" class="vtable"> - <select name="p2proto" class="formselect"> - <?php foreach ($p2_protos as $proto => $protoname): ?> - <option value="<?=$proto;?>" <?php if ($proto == $pconfig['p2proto']) echo "selected"; ?>> - <?=htmlspecialchars($protoname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">ESP is encryption, AH is - authentication only </span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_ealgos as $algo => $algoname): ?> - <input type="checkbox" name="p2ealgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2ealgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - <br> - Hint: use 3DES for best compatibility or if you have a hardware - crypto accelerator card. Blowfish is usually the fastest in - software encryption. 
</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Hash algorithms</td> - <td width="78%" class="vtable"> - <?php foreach ($p2_halgos as $algo => $algoname): ?> - <input type="checkbox" name="p2halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2halgos'])) echo "checked"; ?>> - <?=htmlspecialchars($algoname);?> - <br> - <?php endforeach; ?> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">PFS key group</td> - <td width="78%" class="vtable"> - <select name="p2pfsgroup" class="formselect"> - <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?> - <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p2pfsgroup']) echo "selected"; ?>> - <?=htmlspecialchars($keygroupname);?> - </option> - <?php endforeach; ?> - </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit</em></span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Lifetime</td> - <td width="78%" class="vtable"> - <input name="p2lifetime" type="text" class="formfld unknown" id="p2lifetime" size="20" value="<?=$pconfig['p2lifetime'];?>"> - seconds</td> - </tr> - <tr> - <td colspan="2" class="list" height="12"></td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Keep alive</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Automatically ping host</td> - <td width="78%" class="vtable"> - <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> IP address</td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_ipsec[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<script lannguage="JavaScript"> -<!-- -typesel_change(); -methodsel_change(); -//--> -</script> -<?php include("fend.inc"); ?> - - -<?php - -function 
address_to_pconfig_vpn($adr, &$padr, &$pmask) { - - if ($adr['network']) - $padr = $adr['network']; - else if ($adr['address']) { - list($padr, $pmask) = explode("/", $adr['address']); - if (is_null($pmask)) - $pmask = 32; - } -} - -?> diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php deleted file mode 100755 index 49112ff..0000000 --- a/usr/local/www/vpn_ipsec_keys.php +++ /dev/null 
@@ -1,120 +0,0 @@ -<?php -/* - vpn_ipsec_keys.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -if ($_GET['act'] == "del") { - if ($a_secret[$_GET['id']]) { - unset($a_secret[$_GET['id']]); - write_config(); - touch($d_ipsecconfdirty_path); - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Keys"); - -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<form action="vpn_ipsec.php" method="post"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_ipsecconfdirty_path)): ?><p> -<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td class="tabnavtbl"> -<?php - $tab_array = array(); - $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); - $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", true, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="listhdrr">Identifier</td> - <td class="listhdr">Pre-shared key</td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="20" heigth="17"></td> - <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $i = 0; foreach ($a_secret as $secretent): ?> - <tr> - <td class="listlr"> - <?=htmlspecialchars($secretent['ident']);?> - </td> - <td 
class="listr"> - <?=htmlspecialchars($secretent['pre-shared-key']);?> - </td> - <td class="list" nowrap> <a href="vpn_ipsec_keys_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit key" width="17" height="17" border="0"></a> - <a href="vpn_ipsec_keys.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this pre-shared key?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete key" width="17" height="17" border="0"></a></td> - </tr> - <?php $i++; endforeach; ?> - <tr> - <td class="list" colspan="2"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="20" heigth="17"></td> - <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php deleted file mode 100755 index f612bcc..0000000 --- a/usr/local/www/vpn_ipsec_keys_edit.php +++ /dev/null 
@@ -1,128 +0,0 @@ -<?php -/* - vpn_ipsec_keys_edit.php - part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_secret[$id]) { - $pconfig['ident'] = $a_secret[$id]['ident']; - $pconfig['psk'] = $a_secret[$id]['pre-shared-key']; -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "ident psk"); - $reqdfieldsn = explode(",", "Identifier,Pre-shared key"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) - $input_errors[] = "The identifier contains invalid characters."; - - if (!$input_errors && !(isset($id) && $a_secret[$id])) { - /* make sure there are no dupes */ - foreach ($a_secret as $secretent) { - if ($secretent['ident'] == $_POST['ident']) { - $input_errors[] = "Another entry with the same identifier already exists."; - break; - } - } - } - - if (!$input_errors) { - - if (isset($id) && $a_secret[$id]) - $secretent = $a_secret[$id]; - - $secretent['ident'] = $_POST['ident']; - $secretent['pre-shared-key'] = $_POST['psk']; - - if (isset($id) && $a_secret[$id]) - $a_secret[$id] = $secretent; - else - $a_secret[] = $secretent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit pre-shared key"); -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="vpn_ipsec_keys_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td valign="top" class="vncellreq">Identifier</td> - <td class="vtable"> - <?=$mandfldhtml;?><input 
name="ident" type="text" class="formfld" id="ident" size="30" value="<?=$pconfig['ident'];?>"> - <br> -This can be either an IP address, fully qualified domain name or an e-mail address. - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Pre-shared key</td> - <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="psk" type="text" class="formfld" id="psk" size="40" value="<?=htmlspecialchars($pconfig['psk']);?>"> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_secret[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?> - </td> - </tr> - </table> -</form> -<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 6a105e3..5a88b66 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -197,8 +197,7 @@ function methodsel_change() { $tab_array = array(); $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> </td></tr> diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php new file mode 100644 index 0000000..0a21362 --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase1.php 
@@ -0,0 +1,635 @@ +<?php +/* + vpn_ipsec_phase1.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2008 Shrew Soft Inc + Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; + +if($config['interfaces']['lan']) + $specialsrcdst = explode(" ", "lan"); + +$p1index = $_GET['p1index']; +if (isset($_POST['p1index'])) + $p1index = $_POST['p1index']; + +if (isset($_GET['dup'])) { + $p1index = $_GET['dup']; +} + +if (isset($p1index) && $a_phase1[$p1index]) +{ + $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid']; + $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']); + + if ($a_phase1[$p1index]['interface']) + $pconfig['interface'] = $a_phase1[$p1index]['interface']; + else + $pconfig['interface'] = "wan"; + + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); + $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + $pconfig['mode'] = $a_phase1[$p1index]['mode']; + $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; + $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data']; + $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type']; + $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data']; + $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm']; + $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm']; + $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup']; + $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime']; + $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method']; + $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key']; + $pconfig['cert'] = base64_decode($a_phase1[$p1index]['cert']); + $pconfig['peercert'] = base64_decode($a_phase1[$p1index]['peercert']); + $pconfig['privatekey'] = base64_decode($a_phase1[$p1index]['private-key']); + + $pconfig['descr'] = $a_phase1[$p1index]['descr']; + $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal']; + $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable']; + $pconfig['dpd_delay'] = 
$a_phase1[$p1index]['dpd_delay']; + $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost']; +} +else +{ + /* defaults */ + $pconfig['interface'] = "wan"; + if($config['interfaces']['lan']) + $pconfig['localnet'] = "lan"; + $pconfig['mode'] = "aggressive"; + $pconfig['myid_type'] = "myaddress"; + $pconfig['peerid_type'] = "peeraddress"; + $pconfig['authentication_method'] = "pre_shared_key"; + $pconfig['ealgo'] = array( name => "3des" ); + $pconfig['halgo'] = "sha1"; + $pconfig['dhgroup'] = "2"; + $pconfig['lifetime'] = "28800"; + $pconfig['nat_traversal'] = "on"; + $pconfig['dpd_enable'] = 1; + $pconfig['dpd_delay'] = 10; + $pconfig['dpd_maxfail'] = 5; +} + +if (isset($_GET['dup'])) + unset($p1index); + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['authentication_method'] == "pre_shared_key") { + $reqdfields = explode(" ", "remotegw pskey"); + $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key"); + } else { + $reqdfields = explode(" ", "remotegw"); + $reqdfieldsn = explode(",", "Remote gateway"); + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE"))) + $input_errors[] = "This peer certificate does not appear to be valid."; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) + $input_errors[] = "The P1 lifetime must be an integer."; + + if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw']))) + 
$input_errors[] = "A valid remote gateway address or host name must be specified."; + + if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { + $t = 0; + foreach ($a_phase1 as $ph1tmp) { + if ($p1index <> $t) { + $tremotegw = $pconfig['remotegw']; + if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) { + $input_errors[] = "The remote gateway \"$tremotegw\" is already used by phase1 \"${ph1tmp['descr']}\"."; + } + } + $t++; + } + } + + /* My identity */ + + if ($_POST['myid_type'] == "myaddress") + $_POST['myid_data'] = ""; + + if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter an address for 'My Identifier'"); + + if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); + + if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); + + if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); + + if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); + + if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data']))) + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + + if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data']))) + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + + if ($_POST['myid_type'] == "fqdn") + if (is_domain($_POST['myid_data']) == false) + $input_errors[] = "A valid FQDN for 'My identifier' must be specified."; + + if ($_POST['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$_POST['myid_data']); + if 
(is_domain($user_fqdn[1]) == false) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + } + + if ($_POST['myid_type'] == "dyn_dns") + if (is_domain($_POST['myid_data']) == false) + $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; + + /* Peer identity */ + + if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); + + if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data']))) + $input_errors[] = "A valid IP address for 'Peer identifier' must be specified."; + + if ((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data']))) + $input_errors[] = "A valid domain name for 'Peer identifier' must be specified."; + + if ($_POST['peerid_type'] == "fqdn") + if (is_domain($_POST['peerid_data']) == false) + $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified."; + + if ($_POST['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$_POST['peerid_data']); + if (is_domain($user_fqdn[1]) == false) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."; + } + + if ($_POST['dpd_enable']) { + if (!is_numeric($_POST['dpd_delay'])) + $input_errors[] = "A numeric value must be specified for DPD delay."; + + if (!is_numeric($_POST['dpd_maxfail'])) + $input_errors[] = "A 
numeric value must be specified for DPD retries."; + } + + /* build our encryption algorithms array */ + $pconfig['ealgo'] = array(); + $pconfig['ealgo']['name'] = $_POST['ealgo']; + if($_POST['ealgo_keylen']) + $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; + + if (!$input_errors) { + $ph1ent['ikeid'] = $_POST['ikeid']; + $ph1ent['disabled'] = $_POST['disabled'] ? true : false; + $ph1ent['interface'] = $pconfig['interface']; + /* if the remote gateway changed and the interface is not WAN then remove route */ + /* the vpn_ipsec_configure() handles adding the route */ + if ($_POST['interface'] <> "wan") { + if($ph1ent['remote-gateway'] <> $_POST['remotegw']) { + mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}"); + } + } + $ph1ent['remote-gateway'] = $_POST['remotegw']; + $ph1ent['mode'] = $_POST['mode']; + + $ph1ent['myid_type'] = $_POST['myid_type']; + $ph1ent['myid_data'] = $_POST['myid_data']; + $ph1ent['peerid_type'] = $_POST['peerid_type']; + $ph1ent['peerid_data'] = $_POST['peerid_data']; + + $ph1ent['encryption-algorithm'] = $pconfig['ealgo']; + $ph1ent['hash-algorithm'] = $_POST['halgo']; + $ph1ent['dhgroup'] = $_POST['dhgroup']; + $ph1ent['lifetime'] = $_POST['lifetime']; + $ph1ent['pre-shared-key'] = $_POST['pskey']; + $ph1ent['private-key'] = base64_encode($_POST['privatekey']); + $ph1ent['cert'] = base64_encode($_POST['cert']); + $ph1ent['peercert'] = base64_encode($_POST['peercert']); + $ph1ent['authentication_method'] = $_POST['authentication_method']; + + $ph1ent['descr'] = $_POST['descr']; + $ph1ent['nat_traversal'] = $_POST['nat_traversal']; + $ph1ent['dpd_enable'] = $_POST['dpd_enable']; + $ph1ent['dpd_delay'] = $_POST['dpd_delay']; + $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail']; + $ph1ent['pinghost'] = $_POST['pinghost']; + + /* generate unique phase1 ikeid */ + if ($ph1ent['ikeid'] == 0) { + while (true) { + $ph1ent['ikeid']++; + foreach ($a_phase1 as $ph1tmp) + if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] ) + break; + + if( 
$ph1ent['ikeid'] != $ph1tmp['ikeid'] ) + break; + } + } + + if (isset($p1index) && $a_phase1[$p1index]) + $a_phase1[$p1index] = $ph1ent; + else + $a_phase1[] = $ph1ent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec.php"); + exit; + } +} + +$pgtitle = array("VPN","IPsec","Edit Phase 1"); +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- +function methodsel_change() { + switch (document.iform.authentication_method.selectedIndex) { + case 1: /* rsa */ + document.iform.pskey.disabled = 1; + document.iform.privatekey.disabled = 0; + document.iform.cert.disabled = 0; + document.iform.peercert.disabled = 0; + break; + default: /* pre-shared */ + document.iform.pskey.disabled = 0; + document.iform.privatekey.disabled = 1; + document.iform.cert.disabled = 1; + document.iform.peercert.disabled = 1; + break; + } +} + +/* PHP generated java script for variable length keys */ +function ealgosel_change(bits) { + switch (document.iform.ealgo.selectedIndex) { +<?php + $i = 0; + foreach ($p1_ealgos as $algo => $algodata) { + if (is_array($algodata['keysel'])) { + echo " case {$i}:\n"; + echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n"; + echo " document.iform.ealgo_keylen.options.length = 0;\n"; +// echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n"; + + $key_hi = $algodata['keysel']['hi']; + $key_lo = $algodata['keysel']['lo']; + $key_step = $algodata['keysel']['step']; + + for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) + echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n"; + echo " break;\n"; + } else { + echo " case {$i}:\n"; + echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n"; + echo " document.iform.ealgo_keylen.options.length 
= 0;\n"; + echo " break;\n"; + } + $i++; + } +?> + } + + if( bits ) + document.iform.ealgo_keylen.value = bits; +} +function dpdchkbox_change() { + if( document.iform.dpd_enable.checked ) { + document.iform.dpd_delay.disabled = 0; + document.iform.dpd_maxfail.disabled = 0; + } else { + document.iform.dpd_delay.disabled = 1; + document.iform.dpd_maxfail.disabled = 1; + } +} +//--> +</script> +<?php if ($input_errors) print_input_errors($input_errors); ?> + <form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncellreq">Disabled</td> + <td width="78%" class="vtable"> + <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> + <strong>Disable this phase1 entry</strong><br> + <span class="vexpl">Set this option to disable this phase1 without + removing it from the list. + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Interface</td> + <td width="78%" class="vtable"> + <select name="interface" class="formselect"> + <?php + $interfaces = get_configured_interface_with_descr(); + $carpips = find_number_of_needed_carp_interfaces(); + for ($i=0; $i<$carpips; $i++) { + $carpip = find_interface_ip("carp" . $i); + $interfaces['carp' . 
$i] = "CARP{$i} ({$carpip})"; + } + foreach ($interfaces as $iface => $ifacename): + ?> + <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select> <br> + <span class="vexpl">Select the interface for the local endpoint of this phase1 entry.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Remote gateway</td> + <td width="78%" class="vtable"> + <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>"> + <br> + Enter the public IP address or host name of the remote gateway + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> + <br> <span class="vexpl">You may enter a description here + for your reference (not parsed).</span> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Phase 1 proposal + (Authentication) + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Negotiation mode</td> + <td width="78%" class="vtable"> + <select name="mode" class="formselect"> + <?php + $modes = explode(" ", "main aggressive"); + foreach ($modes as $mode): + ?> + <option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected"; ?>> + <?=htmlspecialchars($mode);?> + </option> + <?php endforeach; ?> + </select> <br> <span class="vexpl">Aggressive is more flexible, but less secure.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My identifier</td> + <td width="78%" class="vtable"> + <select name="myid_type" class="formselect"> + <?php foreach ($my_identifier_list as $mode => $modename): ?> + <option value="<?=$mode;?>" 
<?php if ($mode == $pconfig['myid_type']) echo "selected"; ?>> + <?=htmlspecialchars($modename);?> + </option> + <?php endforeach; ?> + </select> + <input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=$pconfig['myid_data'];?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Peer identifier</td> + <td width="78%" class="vtable"> + <select name="peerid_type" class="formselect"> + <?php foreach ($peer_identifier_list as $mode => $modename): ?> + <option value="<?=$mode;?>" <?php if ($mode == $pconfig['peerid_type']) echo "selected"; ?>> + <?=htmlspecialchars($modename);?> + </option> + <?php endforeach; ?> + </select> + <input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td> + <td width="78%" class="vtable"> + <select name="ealgo" class="formselect" onChange="ealgosel_change()"> + <?php + foreach ($p1_ealgos as $algo => $algodata): + $selected = ''; + if ($algo == $pconfig['ealgo']['name']) + $selected = ' selected'; + ?> + <option value="<?=$algo;?>"<?=$selected?>> + <?=htmlspecialchars($algodata['name']);?> + </option> + <?php endforeach; ?> + </select> + <select name="ealgo_keylen" width="30" class="formselect"> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Hash algorithm</td> + <td width="78%" class="vtable"> + <select name="halgo" class="formselect"> + <?php foreach ($p1_halgos as $algo => $algoname): ?> + <option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) echo "selected"; ?>> + <?=htmlspecialchars($algoname);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl"> + Must match the setting chosen on the remote side. 
+ </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">DH key group</td> + <td width="78%" class="vtable"> + <select name="dhgroup" class="formselect"> + <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?> + <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) echo "selected"; ?>> + <?=htmlspecialchars($keygroup);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl"> + <em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em> + <br> + Must match the setting chosen on the remote side. + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Lifetime</td> + <td width="78%" class="vtable"> + <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>"> + seconds + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Authentication method</td> + <td width="78%" class="vtable"> + <select name="authentication_method" class="formselect" onChange="methodsel_change()"> + <?php foreach ($p1_authentication_methods as $method => $methodname): ?> + <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>> + <?=htmlspecialchars($methodname);?> + </option> + <?php endforeach; ?> + </select> + <br> + <span class="vexpl">Must match the setting chosen on the remote side.</span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td> + <td width="78%" class="vtable"> + <?=$mandfldhtml;?><input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My Certificate</td> + <td width="78%" class="vtable"> + <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea> + <br> + Paste a certificate in X.509 PEM format here.</td> 
+ </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">My Private Key</td> + <td width="78%" class="vtable"> + <textarea name="privatekey" cols="65" rows="7" id="privatekey" class="formpre"><?=htmlspecialchars($pconfig['privatekey']);?></textarea> + <br> + Paste an RSA private key in PEM format here. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Peer certificate</td> + <td width="78%" class="vtable"> + <textarea name="peercert" cols="65" rows="7" id="peercert" class="formpre"><?=htmlspecialchars($pconfig['peercert']);?></textarea> + <br> + Paste the peer X.509 certificate in PEM format here.<br> + Leave this blank if you want to use a CA certificate for identity validation. + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced Options</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">NAT Traversal</td> + <td width="78%" class="vtable"> + <select name="nat_traversal" class="formselect"> + <option value="off" <?php if ($pconfig['nat_traversal'] == "off") echo "selected"; ?>>Disable</option> + <option value="on" <?php if ($pconfig['nat_traversal'] == "on") echo "selected"; ?>>Enable</option> + <option value="force" <?php if ($pconfig['nat_traversal'] == "force") echo "selected"; ?>>Force</option> + </select> + <br/> + <span class="vexpl"> + Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, + which can help with clients that are behind restrictive firewalls. 
+ </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Dead Peer Detection</td> + <td width="78%" class="vtable"> + <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if ($pconfig['dpd_enable']) echo "checked"; ?> onClick="dpdchkbox_change()"> + Enable DPD<br> + <br> + <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>"> + seconds<br> + <span class="vexpl">Delay between requesting peer acknowledgement.</span><br> + <br> + <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>"> + retries<br> + <span class="vexpl">Number consecutive failures allowed before disconnect.</span><br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Automatically ping host</td> + <td width="78%" class="vtable"> + <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> + IP address + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <?php if (isset($p1index) && $a_phase1[$p1index]): ?> + <input name="p1index" type="hidden" value="<?=$p1index;?>"> + <?php endif; ?> + </td> + </tr> + </table> +</form> +<script lannguage="JavaScript"> +<!-- +<?php + /* determine if we should init the key length */ + $keyset = ''; + if (isset($pconfig['ealgo']['keylen'])) + if (is_numeric($pconfig['ealgo']['keylen'])) + $keyset = $pconfig['ealgo']['keylen']; +?> +methodsel_change(); +ealgosel_change(<?=$keyset;?>); +dpdchkbox_change(); +//--> +</script> +<?php include("fend.inc"); ?> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php new file mode 100644 index 0000000..7a3c5ce --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase2.php 
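Review bot: The route cleanup in the save branch tests `$ph1ent['remote-gateway'] <> $_POST['remotegw']` before that key has been assigned anywhere in this file, so for a non-WAN interface the comparison is true for every non-empty gateway and `mwexec("/sbin/route delete -host ...")` runs with an empty host rather than the previously stored one; the old value has to come from the saved entry, e.g. `$oldgw = isset($p1index) ? $a_phase1[$p1index]['remote-gateway'] : ''; if ($_POST['interface'] <> "wan" && $oldgw != '' && $oldgw <> $_POST['remotegw']) mwexec("/sbin/route delete -host " . escapeshellarg($oldgw));`. The gateway is checked with is_ipaddr()/is_domain() on the way in, but it is still interpolated into a shell command, so quoting it with escapeshellarg() keeps that command safe if the validation is ever relaxed. Separately, the form re-emits `$pconfig['remotegw']`, `$pconfig['myid_data']`, `$pconfig['peerid_data']`, `$pconfig['lifetime']`, `$pconfig['dpd_delay']`, `$pconfig['dpd_maxfail']` and `$pconfig['pinghost']` without htmlspecialchars(), and because `$pconfig = $_POST` on a failed validation a submitted value containing `"` breaks out of the attribute, unlike the pskey/descr/cert fields which already escape. The defaults block uses the bare constant `name` in `array( name => "3des" )`, which should be the quoted key `'name'` so it matches the `$pconfig['ealgo']['name']` read later in the file. The duplicate-gateway loop's `$p1index <> $t` is false when `$p1index` is unset and `$t` is 0 (null compares equal to 0), so a new entry is never checked against the first phase1 entry; `if (!isset($p1index) || $p1index != $t)` is the intended test.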
@@ -0,0 +1,489 @@
+<?php
+/*
+ vpn_ipsec_phase2.php
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
+$a_phase2 = &$config['ipsec']['phase2'];
+
+if($config['interfaces']['lan'])
+ $specialsrcdst = explode(" ", "lan");
+
+$p2index = $_GET['p2index'];
+if (isset($_POST['p2index']))
+ $p2index = $_POST['p2index'];
+
+if (isset($_GET['dup']))
+ $p2index = $_GET['dup'];
+
+if (isset($p2index) && $a_phase2[$p2index])
+{
+ $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid'];
+ $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']);
+ $pconfig['descr'] = $a_phase2[$p2index]['descr'];
+
+ idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig);
+ idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig);
+
+ $pconfig['proto'] = $a_phase2[$p2index]['protocol'];
+ ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig);
+ $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option'];
+ $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup'];
+ $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime'];
+}
+else
+{
+ $pconfig['ikeid'] = $_GET['ikeid'];
+
+ /* defaults */
+ $pconfig['localid_type'] = "lan";
+ $pconfig['remoteid_type'] = "network";
+ $pconfig['proto'] = "esp";
+ $pconfig['ealgos'] = explode(",", "3des,blowfish,cast128,aes");
+ $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5");
+ $pconfig['pfsgroup'] = "0";
+ $pconfig['lifetime'] = "3600";
+}
+
+if (isset($_GET['dup']))
+ unset($p2index);
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ $ealgos = pconfig_to_ealgos($pconfig);
+ $localid = pconfig_to_idinfo("local",$pconfig);
+ $remoteid = pconfig_to_idinfo("remote",$pconfig);
+
+ if (!isset( $_POST['ikeid']))
+ $input_errors[] = "A valid ikeid must be specified.";
+
+ /* input validation */
+ $reqdfields = explode(" ", "localid_type remoteid_type halgos");
+ $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms");
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ switch ($_POST['localid_type']) {
+ case "network":
+ if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits']))
+ $input_errors[] = "A valid local network bit count must be specified..";
+ case "address":
+ if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address']))
+ $input_errors[] = "A valid local network IP address must be specified.";
+ break;
+ }
+
+ switch ($_POST['remoteid_type']) {
+ case "network":
+ if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits']))
+ $input_errors[] = "A valid remote network bit count must be specified..";
+ case "address":
+ if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address']))
+ $input_errors[] = "A valid remote network IP address must be specified.";
+ break;
+ }
+
+/* TODO : Validate enabled phase2's are not duplicates */
+
+ if (!count($ealgos)) {
+ $input_errors[] = "At least one encryption algorithm must be selected.";
+ }
+ if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) {
+ $input_errors[] = "The P2 lifetime must be an integer.";
+ }
+
+ if (!$input_errors) {
+ $ph2ent['ikeid'] = $_POST['ikeid'];
+ $ph2ent['disabled'] = $_POST['disabled'] ? true : false;
+ $ph2ent['localid'] = $localid;
+ $ph2ent['remoteid'] = $remoteid;
+ $ph2ent['protocol'] = $_POST['proto'];
+ $ph2ent['encryption-algorithm-option'] = $ealgos;
+ $ph2ent['hash-algorithm-option'] = $_POST['halgos'];
+ $ph2ent['pfsgroup'] = $_POST['pfsgroup'];
+ $ph2ent['lifetime'] = $_POST['lifetime'];
+ $ph2ent['descr'] = $_POST['descr'];
+
+ if (isset($p2index) && $a_phase2[$p2index])
+ $a_phase2[$p2index] = $ph2ent;
+ else
+ $a_phase2[] = $ph2ent;
+
+ write_config();
+ touch($d_ipsecconfdirty_path);
+
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+$pgtitle = array("VPN","IPsec","Edit Phase 2");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+function typesel_change_local(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.localid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = bits;
+ document.iform.localid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.localid_address.value = "";
+ document.iform.localid_address.disabled = 1;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ }
+}
+function typesel_change_remote(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.remoteid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = 0;
+ document.iform.remoteid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = bits;
+ document.iform.remoteid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.remoteid_address.value = "";
+ document.iform.remoteid_address.disabled = 1;
+ document.iform.remoteid_netbits.value = 0;
+ document.iform.remoteid_netbits.disabled = 1;
+ break;
+ }
+}
+//-->
+
+</script>
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+ <form action="vpn_ipsec_phase2.php" method="post" name="iform" id="iform">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Mode</td>
+ <td width="78%" class="vtable"> Tunnel</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
+ <strong>Disable this phase2 entry</strong><br>
+ <span class="vexpl">Set this option to disable this phase2 entry without
+ removing it from the list.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Local Network</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type: </td>
+ <td></td>
+ <td>
+ <select name="localid_type" class="formselect" onChange="typesel_change_local()">
+ <option value="address" <?php if ($pconfig['localid_type'] == "address") echo "selected";?>>Address</option>
+ <option value="network" <?php if ($pconfig['localid_type'] == "network") echo "selected";?>>Network</option>
+ <option value="lan" <?php if ($pconfig['localid_type'] == "lan" ) echo "selected";?>>LAN subnet</option>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address: </td>
+ <td><?=$mandfldhtmlspc;?></td>
+ <td>
+ <input name="localid_address" type="text" class="formfld unknown" id="localid_address" size="20" value="<?=$pconfig['localid_address'];?>">
+ /
+ <select name="localid_netbits" class="formselect" id="localid_netbits">
+ <?php for ($i = 32; $i >= 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['localid_netbits']) echo "selected"; ?>>
+ <?=$i;?>
+ </option>
+ <?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <td width="22%" valign="top" class="vncellreq">Remote Network</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type: </td>
+ <td></td>
+ <td>
+ <select name="remoteid_type" class="formselect" onChange="typesel_change_remote()">
+ <option value="address" <?php if ($pconfig['remoteid_type'] == "address") echo "selected"; ?>>Address</option>
+ <option value="network" <?php if ($pconfig['remoteid_type'] == "network") echo "selected"; ?>>Network</option>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address: </td>
+ <td><?=$mandfldhtmlspc;?></td>
+ <td>
+ <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=$pconfig['remoteid_address'];?>">
+ /
+ <select name="remoteid_netbits" class="formselect" id="remoteid_netbits">
+ <?php for ($i = 32; $i >= 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['remoteid_netbits']) echo "selected"; ?>>
+ <?=$i;?>
+ </option>
+ <?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
+ <br> <span class="vexpl">You may enter a description here
+ for your reference (not parsed).</span>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Phase 2 proposal
+ (SA/Key Exchange)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Protocol</td>
+ <td width="78%" class="vtable">
+ <select name="proto" class="formselect">
+ <?php foreach ($p2_protos as $proto => $protoname): ?>
+ <option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
+ <?=htmlspecialchars($protoname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">ESP is encryption, AH is authentication only </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <?php
+ foreach ($p2_ealgos as $algo => $algodata):
+ $checked = '';
+ if (in_array($algo,$pconfig['ealgos']))
+ $checked = " checked";
+ ?>
+ <tr>
+ <td>
+ <input type="checkbox" name="ealgos[]?>" value="<?=$algo;?>"<?=$checked?>>
+ </td>
+ <td>
+ <?=htmlspecialchars($algodata['name']);?>
+ </td>
+ <td>
+ <?php if(is_array($algodata['keysel'])): ?>
+
+ <select name="keylen_<?=$algo;?>" class="formselect">
+ <option value="auto">auto</option>
+ <?php
+ $key_hi = $algodata['keysel']['hi'];
+ $key_lo = $algodata['keysel']['lo'];
+ $key_step = $algodata['keysel']['step'];
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step):
+ $selected = '';
+// if ($checked && in_array("keylen_".$algo,$pconfig))
+ if ($keylen == $pconfig["keylen_".$algo])
+ $selected = " selected";
+ ?>
+ <option value="<?=$keylen;?>"<?=$selected;?>><?=$keylen;?> bits</option>
+ <?php endfor; ?>
+ </select>
+ <?php endif; ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ <br>
+ Hint: use 3DES for best compatibility or if you have a hardware
+ crypto accelerator card. Blowfish is usually the fastest in
+ software encryption.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Hash algorithms</td>
+ <td width="78%" class="vtable">
+ <?php foreach ($p2_halgos as $algo => $algoname): ?>
+ <input type="checkbox" name="halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['halgos'])) echo "checked"; ?>>
+ <?=htmlspecialchars($algoname);?>
+ <br>
+ <?php endforeach; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">PFS key group</td>
+ <td width="78%" class="vtable">
+ <select name="pfsgroup" class="formselect">
+ <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?>
+ <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['pfsgroup']) echo "selected"; ?>>
+ <?=htmlspecialchars($keygroupname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl"><em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em></span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Lifetime</td>
+ <td width="78%" class="vtable">
+ <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>">
+ seconds
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top"> </td>
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save">
+ <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>">
+ <?php if (isset($p2index) && $a_phase2[$p2index]): ?>
+ <input name="p2index" type="hidden" value="<?=$p2index;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+</form>
+<script lannguage="JavaScript">
+<!--
+typesel_change_local(<?=$pconfig['localid_netbits']?>);
+typesel_change_remote(<?=$pconfig['remoteid_netbits']?>);
+//-->
+</script>
+<?php include("fend.inc"); ?>
+
+<?php
+
+function pconfig_to_ealgos(& $pconfig) {
+
+ global $p2_ealgos;
+
+ $ealgos = array();
+ foreach ($p2_ealgos as $algo_name => $algo_data) {
+ if (in_array($algo_name,$pconfig['ealgos'])) {
+ $ealg = array();
+ $ealg['name'] = $algo_name;
+ if (is_array($algo_data['keysel']))
+ $ealg['keylen'] = $_POST["keylen_".$algo_name];
+ $ealgos[] = $ealg;
+ }
+ }
+
+ return $ealgos;
+}
+
+function ealgos_to_pconfig(& $ealgos,& $pconfig) {
+
+ $pconfig['ealgos'] = array();
+ foreach ($ealgos as $algo_data) {
+ $pconfig['ealgos'][] = $algo_data['name'];
+ if (isset($algo_data['keylen']))
+ $pconfig["keylen_".$algo_data['name']] = $algo_data['keylen'];
+ }
+
+ return $ealgos;
+}
+
+function pconfig_to_idinfo($prefix,& $pconfig) {
+
+ $type = $pconfig[$prefix."id_type"];
+ $address = $pconfig[$prefix."id_address"];
+ $netbits = $pconfig[$prefix."id_netbits"];
+
+ switch( $type )
+ {
+ case "address":
+ return array('type' => $type, 'address' => $address);
+ case "network":
+ return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
+ default:
+ return array('type' => $type );
+ }
+}
+
+function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) {
+
+ switch( $idinfo['type'] )
+ {
+ case "address":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ break;
+ case "network":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ $pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
+ break;
+ default:
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ break;
+ }
+}
+
+?>
diff --git a/usr/local/www/widgets/include/ipsec.inc b/usr/local/www/widgets/include/ipsec.inc
deleted file mode 100644
index 5484d63..0000000
--- a/usr/local/www/widgets/include/ipsec.inc
+++ /dev/null
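Review bot: The form re-emits request-supplied values unescaped: after a failed POST `$pconfig = $_POST`, and `localid_address`, `remoteid_address`, `lifetime`, `ikeid` and `$p2index` are printed into `value="..."` attributes without `htmlspecialchars()`, while `localid_netbits`/`remoteid_netbits` are interpolated straight into the trailing `<script>` calls even though `is_numeric` is only applied to them when the type is "network". Escape them the way `descr` already is, e.g. `value="<?=htmlspecialchars($pconfig['localid_address']);?>"`, and constrain the script arguments, `typesel_change_local(<?=(int)$pconfig['localid_netbits']?>);`. Separately, `proto`, `pfsgroup`, the `halgos[]` values and the `keylen_*` values are copied into `$ph2ent` and written to the config without being checked against `$p2_protos`, `$p2_pfskeygroups`, `$p2_halgos` and each algorithm's `keysel` range, so an unrecognised token in any of them is persisted; a membership check in the validation block before `$ph2ent` is built would close that. Also `name="ealgos[]?>"` carries a stray `?>` inside the attribute value (presumably meant to be `name="ealgos[]"`), and the final `<script lannguage="JavaScript">` misspells `language` (the same typo appears in the vpn_ipsec_phase1.php hunk above).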
@@ -1,81 +0,0 @@
-<?php
-//set variable for custom title
-$ipsec_title = "IPsec";
-
-function get_ipsec_tunnel_sad() {
- /* query SAD */
- $fd = @popen("/usr/local/sbin/setkey -D", "r");
- $sad = array();
- if ($fd) {
- while (!feof($fd)) {
- $line = chop(fgets($fd));
- if (!$line)
- continue;
- if ($line == "No SAD entries.")
- break;
- if ($line[0] != "\t") {
- if (is_array($cursa))
- $sad[] = $cursa;
- $cursa = array();
- list($cursa['src'],$cursa['dst']) = explode(" ", $line);
- $i = 0;
- } else {
- $linea = explode(" ", trim($line));
- if ($i == 1) {
- $cursa['proto'] = $linea[0];
- $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1);
- } else if ($i == 2) {
- $cursa['ealgo'] = $linea[1];
- } else if ($i == 3) {
- $cursa['aalgo'] = $linea[1];
- }
- }
- $i++;
- }
- if (is_array($cursa) && count($cursa))
- $sad[] = $cursa;
- pclose($fd);
- }
- return($sad);
-}
-
-function get_ipsec_tunnel_src($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- if ($tunnel['interface']) {
- $if = $tunnel['interface'];
- $realinterface = convert_friendly_interface_to_real_interface_name($if);
- $interfaceip = find_interface_ip($realinterface);
- }
- return $interfaceip;
-}
-
-function output_ipsec_tunnel_status($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- $interfaceip = get_ipsec_tunnel_src($tunnel);
- $foundsrc = false;
- $founddst = false;
-
- if(!is_array($sad)) {
- /* we have no sad array, bail */
- return(false);
- }
- foreach($sad as $sa) {
- if($sa['src'] == $interfaceip)
- $foundsrc = true;
- if($sa['dst'] == $tunnel['remote-gateway'])
- $founddst = true;
- }
- if($foundsrc && $founddst) {
- /* tunnel is up */
- $iconfn = "pass";
- return(true);
- } else {
- /* tunnel is down */
- $iconfn = "reject";
- return(false);
- }
-}
-
-?>
diff --git a/usr/local/www/widgets/widgets/ipsec.widget.php b/usr/local/www/widgets/widgets/ipsec.widget.php
index dd033c0..1a63029 100644
--- a/usr/local/www/widgets/widgets/ipsec.widget.php
+++ b/usr/local/www/widgets/widgets/ipsec.widget.php @@ -33,9 +33,8 @@ require_once("guiconfig.inc"); require_once("pfsense-utils.inc"); require_once("functions.inc"); -require_once("/usr/local/www/widgets/include/ipsec.inc"); - if (isset($config['ipsec']['tunnel'])){?> + if (isset($config['ipsec']['phase1'])){?> <div> </div> <?php $tab_array = array(); @@ -43,26 +42,27 @@ require_once("/usr/local/www/widgets/include/ipsec.inc"); $tab_array[1] = array("Tunnel Status", false, "ipsec-tunnel"); display_widget_tabs($tab_array); - $sad = array(); - $sad = get_ipsec_tunnel_sad(); + $spd = ipsec_dump_spd(); + $sad = ipsec_dump_sad(); $activecounter = 0; $inactivecounter = 0; $ipsec_detail_array = array(); - foreach ($config['ipsec']['tunnel'] as $tunnel){ + foreach ($config['ipsec']['phase2'] as $ph2ent){ + ipsec_lookup_phase1($ph2ent,$ph1ent); $ipsecstatus = false; $tun_disabled = "false"; $foundsrc = false; $founddst = false; - if (isset($tunnel['disabled'])) { + if (isset($ph1ent['disabled']) || isset($ph2ent['disabled'])) { $tun_disabled = "true"; continue; - } + } - if(output_ipsec_tunnel_status($tunnel)) { + if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) { /* tunnel is up */ $iconfn = "true"; $activecounter++; @@ -72,16 +72,16 @@ require_once("/usr/local/www/widgets/include/ipsec.inc"); $inactivecounter++; } - $ipsec_detail_array[] = array('src' => $tunnel['interface'], - 'dest' => $tunnel['remote-gateway'], - 'remote-subnet' => $tunnel['remote-subnet'], - 'descr' => $tunnel['descr'], + $ipsec_detail_array[] = array('src' => $ph1ent['interface'], + 'dest' => $ph1ent['remote-gateway'], + 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']), + 'descr' => $ph2ent['descr'], 'status' => $iconfn, 'disabled' => $tun_disabled); } } - if (isset($config['ipsec']['tunnel'])){ ?> + if (isset($config['ipsec']['phase2'])){ ?> <div id="ipsec-Overview" style="display:block;background-color:#EEEEEE;"> <div> |
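Review bot: `$ph1ent` is never reset inside the new `foreach ($config['ipsec']['phase2'] as $ph2ent)` loop in the second hunk, so if `ipsec_lookup_phase1()` leaves its second argument untouched when no matching phase1 exists (its body is not in this diff), an orphaned phase2 entry is evaluated and listed with the previous iteration's phase1 data — its `disabled` flag, `interface` and `remote-gateway`. Reset it and skip on a miss: `unset($ph1ent);` before the call and `if (!is_array($ph1ent)) continue;` after it. The guard in the first hunk now tests `$config['ipsec']['phase1']` while this loop iterates `$config['ipsec']['phase2']`, so a config with phase1 entries but no phase2 array reaches the foreach with a non-array; wrapping the loop in `if (is_array($config['ipsec']['phase2']))`, consistent with the `isset($config['ipsec']['phase2'])` test used before the overview div, would avoid the warning. The third hunk runs past the end of this chunk.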