summaryrefslogtreecommitdiffstats
path: root/usr
diff options
context:
space:
mode:
Diffstat (limited to 'usr')
-rw-r--r--usr/local/www/diag_ipsec.php236
-rwxr-xr-xusr/local/www/diag_ipsec_sad.php174
-rwxr-xr-xusr/local/www/diag_ipsec_spd.php201
-rwxr-xr-xusr/local/www/diag_logs_ipsec.php8
-rwxr-xr-xusr/local/www/guiconfig.inc19
-rwxr-xr-xusr/local/www/pkg_edit.php2
-rwxr-xr-xusr/local/www/vpn_ipsec.php435
-rwxr-xr-xusr/local/www/vpn_ipsec_ca.php16
-rwxr-xr-xusr/local/www/vpn_ipsec_edit.php662
-rwxr-xr-xusr/local/www/vpn_ipsec_keys.php120
-rwxr-xr-xusr/local/www/vpn_ipsec_keys_edit.php128
-rwxr-xr-xusr/local/www/vpn_ipsec_mobile.php3
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php635
-rw-r--r--usr/local/www/vpn_ipsec_phase2.php489
-rw-r--r--usr/local/www/widgets/include/ipsec.inc81
-rw-r--r--usr/local/www/widgets/widgets/ipsec.widget.php26
16 files changed, 1705 insertions, 1530 deletions
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php
index 4b16fe5..a61a5a1 100644
--- a/usr/local/www/diag_ipsec.php
+++ b/usr/local/www/diag_ipsec.php
@@ -3,6 +3,7 @@
/*
diag_ipsec.php
Copyright (C) 2007 Scott Ullrich
+ Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>.
All rights reserved.
Parts of this code was originally based on vpn_ipsec_sad.php
@@ -30,170 +31,111 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+global $g;
+
$pgtitle = array("Status","IPsec");
require("guiconfig.inc");
include("head.inc");
+
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
+$a_phase2 = &$config['ipsec']['phase2'];
+
+$spd = ipsec_dump_spd();
+$sad = ipsec_dump_sad();
+
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?= $jsevents["body"]["onload"] ?>">
<?php include("fbegin.inc"); ?>
<div id="inputerrors"></div>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td>
-<?php
- $tab_array = array();
- $tab_array[0] = array("Overview", true, "diag_ipsec.php");
- $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php");
- $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php");
- display_top_tabs($tab_array);
-?>
- </td>
- </tr>
- <tr>
- <td>
-<?php
-
-if (!is_array($config['ipsec']['tunnel'])) {
- $config['ipsec']['tunnel'] = array();
-}
-
-/* query SAD */
-$fd = @popen("/sbin/setkey -D", "r");
-$sad = array();
-if ($fd) {
- while (!feof($fd)) {
- $line = chop(fgets($fd));
- if (!$line)
- continue;
- if ($line == "No SAD entries.")
- break;
- if ($line[0] != "\t") {
- if (is_array($cursa))
- $sad[] = $cursa;
- $cursa = array();
- list($cursa['src'],$cursa['dst']) = explode(" ", $line);
- $i = 0;
- } else {
- $linea = explode(" ", trim($line));
- if ($i == 1) {
- $cursa['proto'] = $linea[0];
- $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1);
- } else if ($i == 2) {
- $cursa['ealgo'] = $linea[1];
- } else if ($i == 3) {
- $cursa['aalgo'] = $linea[1];
- }
- }
- $i++;
- }
- if (is_array($cursa) && count($cursa))
- $sad[] = $cursa;
- pclose($fd);
-}
-?>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
-<?php if (count($sad)): ?>
- <tr>
- <td nowrap class="listhdrr">Source</td>
- <td nowrap class="listhdrr">Destination</a></td>
- <td nowrap class="listhdrr">Description</a></td>
- <td nowrap class="listhdrr">Status</td>
- </tr>
-<?php
-foreach ($config['ipsec']['tunnel'] as $ipsec) {
- if(! isset($ipsec['disabled'])) {
-?>
<tr>
- <td class="listlr"><?=htmlspecialchars(get_ipsec_tunnel_src($ipsec));?>
- <br/>
- <?php if ($ipsec['local-subnet']['network'])
- echo strtoupper($ipsecent['local-subnet']['network']);
- else
- echo $ipsec['local-subnet']['address'];
- ?>
+ <td>
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array("Overview", true, "diag_ipsec.php");
+ $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php");
+ $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php");
+ display_top_tabs($tab_array);
+ ?>
</td>
- <td class="listr"><?=htmlspecialchars($ipsec['remote-gateway']);?>
- <br/>
- <?=$ipsec['remote-subnet'];?>
- </td>
- <td class="listr"><?=htmlspecialchars($ipsec['descr']);?></td>
- <td class="listr"><?php echo output_ipsec_tunnel_status($ipsec); ?></td>
</tr>
-<?php
- }
-}
-?>
-<?php else: ?>
- <tr>
- <td>
- <p>
- <strong>No IPsec security associations.</strong>
- </p>
- </td>
- </tr>
-<?php endif; ?>
- <tr>
- <td colspan="4">
- <p>
- <span class="vexpl">
- <span class="red">
- <strong>
- Note:<br />
- </strong>
- </span>
- You can configure your IPsec
- <a href="vpn_ipsec.php">here</a>.
- </span>
- </p>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <?php if (count($sad)): ?>
+ <tr>
+ <td nowrap class="listhdrr">Local IP</td>
+ <td nowrap class="listhdrr">Remote IP</a></td>
+ <td nowrap class="listhdrr">Local Network</td>
+ <td nowrap class="listhdrr">Remote Network</a></td>
+ <td nowrap class="listhdrr">Description</a></td>
+ <td nowrap class="listhdrr">Status</td>
+ </tr>
+ <?php
+ foreach ($a_phase2 as $ph2ent) {
+ if (!isset($ph2ent['disabled'])) {
+ ipsec_lookup_phase1($ph2ent,$ph1ent);
+ if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent))
+ $icon = "pass";
+ else
+ $icon = "reject";
+ ?>
+ <tr>
+ <td class="listlr">
+ <?=htmlspecialchars(ipsec_get_phase1_src($ph1ent));?>
+ </td>
+ <td class="listr">
+ <?=htmlspecialchars($ph1ent['remote-gateway']);?>
+ </td>
+ <td class="listr">
+ <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?>
+ </td>
+ <td class="listr">
+ <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
+ </td>
+ <td class="listr"><?=htmlspecialchars($ph2ent['descr']);?></td>
+ <td class="listr">
+ <img src ="/themes/<?=$g['theme']?>/images/icons/icon_<?=$icon?>.gif">
+ </td>
+ </tr>
+ <?php
+ }
+ }
+ ?>
+ <?php else: ?>
+ <tr>
+ <td>
+ <p>
+ <strong>No IPsec security associations.</strong>
+ </p>
+ </td>
+ </tr>
+ <?php endif; ?>
+ <tr>
+ <td colspan="4">
+ <p>
+ <span class="vexpl">
+ <span class="red">
+ <strong>Note:<br /></strong>
+ </span>
+ You can configure your IPsec
+ <a href="vpn_ipsec.php">here</a>.
+ </span>
+ </p>
+ </td>
+ </tr>
+ </table>
+ </div>
</td>
- </tr>
-</table>
-</div>
-
-</td></tr>
-
+ </tr>
</table>
<?php include("fend.inc"); ?>
</body>
</html>
-<?php
-
-function get_ipsec_tunnel_src($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- if ($tunnel['interface']) {
- $if = $tunnel['interface'];
- $realinterface = convert_friendly_interface_to_real_interface_name($if);
- $interfaceip = find_interface_ip($realinterface);
- }
- return $interfaceip;
-}
-
-function output_ipsec_tunnel_status($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- $interfaceip = get_ipsec_tunnel_src($tunnel);
- $foundsrc = false;
- $founddst = false;
- foreach($sad as $sa) {
- if($sa['src'] == $interfaceip)
- $foundsrc = true;
- if($sa['dst'] == $tunnel['remote-gateway'])
- $founddst = true;
- }
- if($foundsrc && $founddst) {
- /* tunnel is up */
- $iconfn = "pass";
- } else {
- /* tunnel is down */
- $iconfn = "reject";
- }
- echo "<img src ='/themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif'>";
-}
-
-?>
diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php
index 5d5b738..f2a08af 100755
--- a/usr/local/www/diag_ipsec_sad.php
+++ b/usr/local/www/diag_ipsec_sad.php
@@ -33,30 +33,14 @@
require("guiconfig.inc");
-$pgtitle = array("Status","IPsec","SA");
+$pgtitle = array("Status","IPsec","SAD");
include("head.inc");
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[0] = array("Overview", false, "diag_ipsec.php");
- $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php");
- $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr>
- <td>
-<?php
+$sad = ipsec_dump_sad();
/* delete any SA? */
if ($_GET['act'] == "del") {
- $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w");
+ $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w");
if ($fd) {
fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n");
pclose($fd);
@@ -64,87 +48,79 @@ if ($_GET['act'] == "del") {
}
}
-/* query SAD */
-$fd = @popen("/sbin/setkey -D", "r");
-$sad = array();
-if ($fd) {
- while (!feof($fd)) {
- $line = chop(fgets($fd));
- if (!$line)
- continue;
- if ($line == "No SAD entries.")
- break;
- if ($line[0] != "\t") {
- if (is_array($cursa))
- $sad[] = $cursa;
- $cursa = array();
- list($cursa['src'],$cursa['dst']) = explode(" ", $line);
- $i = 0;
- } else {
- $linea = explode(" ", trim($line));
- if ($i == 1) {
- $cursa['proto'] = $linea[0];
- $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1);
- } else if ($i == 2) {
- $cursa['ealgo'] = $linea[1];
- } else if ($i == 3) {
- $cursa['aalgo'] = $linea[1];
- }
- }
- $i++;
- }
- if (is_array($cursa) && count($cursa))
- $sad[] = $cursa;
- pclose($fd);
-}
?>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
-<?php if (count($sad)): ?>
- <tr>
- <td nowrap class="listhdrr">Source</td>
- <td nowrap class="listhdrr">Destination</a></td>
- <td nowrap class="listhdrr">Protocol</td>
- <td nowrap class="listhdrr">SPI</td>
- <td nowrap class="listhdrr">Enc. alg.</td>
- <td nowrap class="listhdr">Auth. alg.</td>
- <td nowrap class="list"></td>
- </tr>
-<?php
-foreach ($sad as $sa): ?>
- <tr>
- <td class="listlr"><?=htmlspecialchars($sa['src']);?></td>
- <td class="listr"><?=htmlspecialchars($sa['dst']);?></td>
- <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td>
- <td class="listr"><?=htmlspecialchars($sa['spi']);?></td>
- <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td>
- <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td>
- <td class="list" nowrap>
- <?php
- $args = "src=" . rawurlencode($sa['src']);
- $args .= "&dst=" . rawurlencode($sa['dst']);
- $args .= "&proto=" . rawurlencode($sa['proto']);
- $args .= "&spi=" . rawurlencode("0x" . $sa['spi']);
- ?>
- <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a>
- </td>
-
- </tr>
-<?php endforeach; ?>
-<?php else: ?>
-<tr><td><p><strong>No IPsec security associations.</strong></p></td></tr>
-<?php endif; ?>
-<td colspan="4">
- <p><span class="vexpl"><span class="red"><strong>Note:<br>
- </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p>
- </td>
-</table>
-</div>
-</td></tr>
-
-</table>
-
-<?php include("fend.inc"); ?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+ <?php include("fbegin.inc"); ?>
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array("Overview", false, "diag_ipsec.php");
+ $tab_array[1] = array("SAD", true, "diag_ipsec_sad.php");
+ $tab_array[2] = array("SPD", false, "diag_ipsec_spd.php");
+ display_top_tabs($tab_array);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <?php if (count($sad)): ?>
+ <tr>
+ <td nowrap class="listhdrr">Source</td>
+ <td nowrap class="listhdrr">Destination</a></td>
+ <td nowrap class="listhdrr">Protocol</td>
+ <td nowrap class="listhdrr">SPI</td>
+ <td nowrap class="listhdrr">Enc. alg.</td>
+ <td nowrap class="listhdr">Auth. alg.</td>
+ <td nowrap class="list"></td>
+ </tr>
+ <?php foreach ($sad as $sa): ?>
+ <tr>
+ <td class="listlr"><?=htmlspecialchars($sa['src']);?></td>
+ <td class="listr"><?=htmlspecialchars($sa['dst']);?></td>
+ <td class="listr"><?=htmlspecialchars(strtoupper($sa['proto']));?></td>
+ <td class="listr"><?=htmlspecialchars($sa['spi']);?></td>
+ <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td>
+ <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td>
+ <td class="list" nowrap>
+ <?php
+ $args = "src=" . rawurlencode($sa['src']);
+ $args .= "&dst=" . rawurlencode($sa['dst']);
+ $args .= "&proto=" . rawurlencode($sa['proto']);
+ $args .= "&spi=" . rawurlencode("0x" . $sa['spi']);
+ ?>
+ <a href="diag_ipsec_sad.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security association?')">
+ <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ <?php else: ?>
+ <tr>
+ <td>
+ <p><strong>No IPsec security associations.</strong></p>
+ </td>
+ </tr>
+ <?php endif; ?>
+ <td colspan="4">
+ <p>
+ <span class="vexpl">
+ <span class="red">
+ <strong>Note:<br></strong>
+ </span>
+ You can configure your IPsec <a href="vpn_ipsec.php">here</a>.
+ </span>
+ </p>
+ </td>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </table>
+ <?php include("fend.inc"); ?>
</body>
</html>
diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php
index dc6ee6f..d9dfe54 100755
--- a/usr/local/www/diag_ipsec_spd.php
+++ b/usr/local/www/diag_ipsec_spd.php
@@ -36,129 +36,104 @@ require("guiconfig.inc");
$pgtitle = array("Status","IPsec","SPD");
include("head.inc");
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td>
-<?php
- $tab_array = array();
- $tab_array[0] = array("Overview", false, "diag_ipsec.php");
- $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php");
- $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr>
- <td>
-<?php
-
/* delete any SP? */
if ($_GET['act'] == "del") {
- $fd = @popen("/sbin/setkey -c > /dev/null 2>&1", "w");
+ $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w");
if ($fd) {
- fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n");
+ fwrite($fd, "spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;\n");
pclose($fd);
sleep(1);
}
}
-/* query SAD */
-$fd = @popen("/sbin/setkey -DP", "r");
-$spd = array();
-if ($fd) {
- while (!feof($fd)) {
- $line = chop(fgets($fd));
- if (!$line)
- continue;
- if ($line == "No SPD entries.")
- break;
- if ($line[0] != "\t") {
- if (is_array($cursp))
- $spd[] = $cursp;
- $cursp = array();
- $linea = explode(" ", $line);
- $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "["));
- $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "["));
- $i = 0;
- } else if (is_array($cursp)) {
- $linea = explode(" ", trim($line));
- if ($i == 1) {
- if ($linea[1] == "none") /* don't show default anti-lockout rule */
- unset($cursp);
- else
- $cursp['dir'] = $linea[0];
- } else if ($i == 2) {
- $upperspec = explode("/", $linea[0]);
- $cursp['proto'] = $upperspec[0];
- list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]);
- }
- }
- $i++;
- }
- if (is_array($cursp) && count($cursp))
- $spd[] = $cursp;
- pclose($fd);
-}
+$spd = ipsec_dump_spd();
?>
-<div id="mainarea" style="background:#eeeeee">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
-<?php if (count($spd)): ?>
- <tr>
- <td nowrap class="listhdrr">Source</td>
- <td nowrap class="listhdrr">Destination</a></td>
- <td nowrap class="listhdrr">Direction</td>
- <td nowrap class="listhdrr">Protocol</td>
- <td nowrap class="listhdrr">Tunnel endpoints</td>
- <td nowrap class="list"></td>
- </tr>
-<?php
-foreach ($spd as $sp): ?>
- <tr>
- <td class="listlr" valign="top"><?=htmlspecialchars($sp['src']);?></td>
- <td class="listr" valign="top"><?=htmlspecialchars($sp['dst']);?></td>
- <td class="listr" valign="top"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px"></td>
- <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td>
- <td class="listr" valign="top"><?=htmlspecialchars($sp['ep_src']);?> - <br>
- <?=htmlspecialchars($sp['ep_dst']);?></td>
- <td class="list" nowrap>
- <?php
- $args = "src=" . rawurlencode($sp['src']);
- $args .= "&dst=" . rawurlencode($sp['dst']);
- $args .= "&dir=" . rawurlencode($sp['dir']);
- ?>
- <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')">
- <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a>
- </td>
- </tr>
-<?php endforeach; ?>
-</table>
-<br>
-<table class="tabcont" border="0" cellspacing="0" cellpadding="6">
- <tr>
- <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td>
- <td>incoming (as seen by firewall)</td>
- </tr>
- <tr>
- <td colspan="5" height="4"></td>
- </tr>
- <tr>
- <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td>
- <td>outgoing (as seen by firewall)</td>
- </tr>
-<?php else: ?>
-<tr><td><p><strong>No IPsec security policies.</strong></p></td></tr>
-<?php endif; ?>
-<td colspan="4">
- <p><span class="vexpl"><span class="red"><strong>Note:<br>
- </strong></span>You can configure your IPsec <a href="vpn_ipsec.php">here</a>.</span></p>
- </td>
-</table>
-</div>
-</td></tr></table>
-<?php include("fend.inc"); ?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+ <?php include("fbegin.inc"); ?>
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array("Overview", false, "diag_ipsec.php");
+ $tab_array[1] = array("SAD", false, "diag_ipsec_sad.php");
+ $tab_array[2] = array("SPD", true, "diag_ipsec_spd.php");
+ display_top_tabs($tab_array);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea" style="background:#eeeeee">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <?php if (count($spd)): ?>
+ <tr>
+ <td nowrap class="listhdrr">Source</td>
+ <td nowrap class="listhdrr">Destination</td>
+ <td nowrap class="listhdrr">Direction</td>
+ <td nowrap class="listhdrr">Protocol</td>
+ <td nowrap class="listhdrr">Tunnel endpoints</td>
+ <td nowrap class="list"></td>
+ </tr>
+ <?php foreach ($spd as $sp): ?>
+ <tr>
+ <td class="listlr" valign="top"><?=htmlspecialchars($sp['srcid']);?></td>
+ <td class="listr" valign="top"><?=htmlspecialchars($sp['dstid']);?></td>
+ <td class="listr" valign="top">
+ <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_<?=$sp['dir'];?>.gif" width="11" height="11" style="margin-top: 2px">
+ </td>
+ <td class="listr" valign="top"><?=htmlspecialchars(strtoupper($sp['proto']));?></td>
+ <td class="listr" valign="top"><?=htmlspecialchars($sp['src']);?> -> <?=htmlspecialchars($sp['dst']);?></td>
+ <td class="list" nowrap>
+ <?php
+ $args = "srcid=".rawurlencode($sp['srcid']);
+ $args .= "&dstid=".rawurlencode($sp['dstid']);
+ $args .= "&dir=".rawurlencode($sp['dir']);
+ ?>
+ <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('Do you really want to delete this security policy?')">
+ <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ <br>
+ <table class="tabcont" border="0" cellspacing="0" cellpadding="6">
+ <tr>
+ <td width="16"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_in.gif" width="11" height="11"></td>
+ <td>incoming (as seen by firewall)</td>
+ </tr>
+ <tr>
+ <td colspan="5" height="4"></td>
+ </tr>
+ <tr>
+ <td><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_out.gif" width="11" height="11"></td>
+ <td>outgoing (as seen by firewall)</td>
+ </tr>
+ <?php else: ?>
+ <tr>
+ <td>
+ <p><strong>No IPsec security policies.</strong></p>
+ </td>
+ </tr>
+ <?php endif; ?>
+ <td colspan="4">
+ <p>
+ <span class="vexpl">
+ <span class="red">
+ <strong>Note:<br></strong>
+ </span>
+ You can configure your IPsec <a href="vpn_ipsec.php">here</a>.
+ </span>
+ </p>
+ </td>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </table>
+ <?php include("fend.inc"); ?>
</body>
</html>
diff --git a/usr/local/www/diag_logs_ipsec.php b/usr/local/www/diag_logs_ipsec.php
index a6b8ae6..74cf757 100755
--- a/usr/local/www/diag_logs_ipsec.php
+++ b/usr/local/www/diag_logs_ipsec.php
@@ -38,11 +38,11 @@ $ipsec_logfile = "{$g['varlog_path']}/ipsec.log";
/* Create array with all IPsec tunnel descriptions */
$search = array();
$replace = array();
-if(is_array($config['ipsec']['tunnel']))
- foreach($config['ipsec']['tunnel'] as $tunnel) {
- $gateway = "{$tunnel['remote-gateway']}";
+if(is_array($config['ipsec']['phase1']))
+ foreach($config['ipsec']['phase1'] as $ph1ent) {
+ $gateway = "{$ph1ent['remote-gateway']}";
$search[] = "/(racoon: )([A-Z:].*?)({$gateway}\[[0-9].+\]|{$gateway})(.*)/i";
- $replace[] = "$1<strong>[{$tunnel['descr']}]</strong>: $2$3$4";
+ $replace[] = "$1<strong>[{$ph1ent['descr']}]</strong>: $2$3$4";
}
/* collect all our own ip addresses */
exec("/sbin/ifconfig|/usr/bin/awk '/inet / {print $2}'", $ip_address_list);
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 1c6ab78..9fecc45 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -157,25 +157,6 @@ $medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex",
/* platforms that support firmware updating */
$fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap');
-/* IPsec defines */
-$my_identifier_list = array('myaddress' => 'My IP address',
- 'address' => 'IP address',
- 'fqdn' => 'Domain name',
- 'user_fqdn' => 'User FQDN',
- 'asn1dn' => 'Distinguished Name',
- 'dyn_dns' => 'Dynamic DNS');
-
-$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish',
- 'cast128' => 'CAST128','rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256');
-$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish',
- 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256');
-
-$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5');
-$p1_authentication_methods = array('pre_shared_key' => 'Pre-shared key', 'rsasig' => 'RSA signature');
-$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5');
-$p2_protos = array('esp' => 'ESP', 'ah' => 'AH');
-$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5');
-
function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) {
/* check for bad control characters */
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index a2a2442..64826d0 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -381,7 +381,7 @@ if ($pkg['tabs'] <> "") {
print("</select>\n<br />\n" . fixup_string($pkga['description']) . "\n");
} else if($pkga['type'] == "vpn_selection") {
echo "<select id='" . $pkga['fieldname'] . "' name='" . $vpn['name'] . "'>\n";
- foreach ($config['ipsec']['tunnel'] as $vpn) {
+ foreach ($config['ipsec']['phase1'] as $vpn) {
echo "\t<option value=\"" . $vpn['descr'] . "\">" . $vpn['descr'] . "</option>\n";
}
echo "</select>\n";
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 4946d73..94f4c37 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -4,6 +4,7 @@
part of m0n0wall (http://m0n0.ch/wall)
Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ Copyright (C) 2008 Shrew Soft Inc
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -30,14 +31,18 @@
require("guiconfig.inc");
-if (!is_array($config['ipsec']['tunnel'])) {
- $config['ipsec']['tunnel'] = array();
-}
-$a_ipsec = &$config['ipsec']['tunnel'];
+if (!is_array($config['ipsec']['phase1']))
+ $config['ipsec']['phase1'] = array();
+
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
+$a_phase1 = &$config['ipsec']['phase1'];
+$a_phase2 = &$config['ipsec']['phase2'];
+
$wancfg = &$config['interfaces']['wan'];
$pconfig['enable'] = isset($config['ipsec']['enable']);
-$pconfig['ipcomp'] = isset($config['ipsec']['ipcomp']);
if ($_POST) {
@@ -53,7 +58,6 @@ if ($_POST) {
$pconfig = $_POST;
$config['ipsec']['enable'] = $_POST['enable'] ? true : false;
- $config['ipsec']['ipcomp'] = $_POST['ipcomp'] ? true : false;
write_config();
@@ -72,13 +76,41 @@ if ($_POST) {
}
}
-if ($_GET['act'] == "del") {
- if ($a_ipsec[$_GET['id']]) {
+if ($_GET['act'] == "delph1")
+{
+ if ($a_phase1[$_GET['p1index']]) {
/* remove static route if interface is not WAN */
- if($a_ipsec[$_GET['id']]['interface'] <> "wan") {
- mwexec("/sbin/route delete -host {$$a_ipsec[$_GET['id']]['remote-gateway']}");
+ if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") {
+ mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}");
+ }
+
+ /* remove all phase2 entries that match the ikeid */
+ $ikeid = $a_phase1[$_GET['p1index']]['ikeid'];
+ $p2index = 0;
+ foreach ($a_phase2 as $ph2tmp) {
+ if ($ph2tmp['ikeid'] == $ikeid) {
+ /* remove the phase2 entry */
+ unset($a_phase2[$p2index]);
+ continue;
+ }
+ /* only skip if we remove an entry */
+ $p2index++;
}
- unset($a_ipsec[$_GET['id']]);
+
+ /* remove the phase1 entry */
+ unset($a_phase1[$_GET['p1index']]);
+ filter_configure();
+ write_config();
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+if ($_GET['act'] == "delph2")
+{
+ if ($a_phase2[$_GET['p2index']]) {
+ /* remove the phase2 entry */
+ unset($a_phase2[$_GET['p2index']]);
filter_configure();
write_config();
header("Location: vpn_ipsec.php");
@@ -95,133 +127,270 @@ include("head.inc");
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="vpn_ipsec.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php if (file_exists($d_ipsecconfdirty_path)): ?><p>
-<?php if ($pconfig['enable'])
- print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
-<?php endif; ?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td class="tabnavtbl">
<?php
- $tab_array = array();
- $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
- $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
- $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php");
- display_top_tabs($tab_array);
+ if ($savemsg)
+ print_info_box($savemsg);
+ if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path))
+ print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");
?>
- </td></tr>
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td class="vtable">
- <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>>
- <strong>Enable IPsec</strong></td>
- </tr>
- <tr>
- <td> <input name="submit" type="submit" class="formbtn" value="Save">
- </td>
- </tr>
- </table>
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td nowrap class="listhdrr">Local net<br>
- Remote net</td>
- <td class="listhdrr">Interface<br>Remote gw</td>
- <td class="listhdrr">P1 mode</td>
- <td class="listhdrr">P1 Enc. Algo</td>
- <td class="listhdrr">P1 Hash Algo</td>
- <td class="listhdr">Description</td>
- <td class="list" >
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="17" heigth="17"></td>
- <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- <?php $i = 0; foreach ($a_ipsec as $ipsecent):
- if (isset($ipsecent['disabled'])) {
- $spans = "<span class=\"gray\">";
- $spane = "</span>";
- } else {
- $spans = $spane = "";
- }
- ?>
- <tr valign="top">
- <td nowrap class="listlr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?>
- <?php if ($ipsecent['local-subnet']['network'])
- echo strtoupper($ipsecent['local-subnet']['network']);
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="tabnavtbl">
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
+// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
+ $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
+ display_top_tabs($tab_array);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td class="vtable">
+ <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>>
+ <strong>Enable IPsec</strong>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <input name="submit" type="submit" class="formbtn" value="Save">
+ </td>
+ </tr>
+ </table>
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="listhdrr">Interface<br>Remote gw</td>
+ <td class="listhdrr">P1 mode</td>
+ <td class="listhdrr">P1 Enc. Algo</td>
+ <td class="listhdrr">P1 Hash Algo</td>
+ <td class="listhdr">Description</td>
+ <td class="list" >
+ <table border="0" cellspacing="0" cellpadding="o">
+ <tr>
+ <td width="17" heigth="17"></td>
+ <td>
+ <a href="vpn_ipsec_phase1.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0"></a>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <?php
+ $i = 0;
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset( $ph1ent['disabled'])) {
+ $spans = "<span class=\"gray\">";
+ $spane = "</span>";
+ }
else
- echo $ipsecent['local-subnet']['address'];
+ $spans = $spane = "";
?>
- <br>
- <?=$ipsecent['remote-subnet'];?>
- <?=$spane;?></td>
- <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?>
- <?php if ($ipsecent['interface']) {
- $iflabels = get_configured_interface_with_descr();
- $carpips = find_number_of_needed_carp_interfaces();
- for($j=0; $j<$carpips; $j++) {
- $carpip = find_interface_ip("carp" . $j);
- $iflabels['carp' . $j] = "CARP{$j} ({$carpip})";
- }
- $if = htmlspecialchars($iflabels[$ipsecent['interface']]);
- } else
- $if = "WAN";
-
- echo $if . "<br>" . $ipsecent['remote-gateway'];
+ <tr valign="top">
+ <td class="listlr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php
+ if ($ph1ent['interface']) {
+ $iflabels = get_configured_interface_with_descr();
+ $carpips = find_number_of_needed_carp_interfaces();
+ for( $j=0; $j<$carpips; $j++ ) {
+ $carpip = find_interface_ip("carp" . $j);
+ $iflabels['carp' . $j] = "CARP{$j} ({$carpip})";
+ }
+ $if = htmlspecialchars($iflabels[$ph1ent['interface']]);
+ }
+ else
+ $if = "WAN";
+
+ echo $if . "<br>" . $ph1ent['remote-gateway'];
+ ?>
+ <?=$spane;?>
+ </td>
+ <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?=$ph1ent['mode'];?>
+ <?=$spane;?>
+ </td>
+ <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?>
+ <?php
+ if ($ph1ent['encryption-algorithm']['keylen']) {
+ if ($ph1ent['encryption-algorithm']['keylen']=="auto")
+ echo " (auto)";
+ else
+ echo " ({$ph1ent['encryption-algorithm']['keylen']} bits)";
+ }
+ ?>
+ <?=$spane;?>
+ </td>
+ <td class="listr" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?=$p1_halgos[$ph1ent['hash-algorithm']];?>
+ <?=$spane;?>
+ </td>
+ <td class="listtopic" ondblclick="document.location='vpn_ipsec_phase1.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <font color="#FFFFFF">
+ <?=htmlspecialchars($ph1ent['descr']);?>&nbsp;
+ </font>
+ <?=$spane;?>
+ </td>
+ <td valign="middle" nowrap class="list">
+ <table border="0" cellspacing="0" cellpadding="1">
+ <tr>
+ <td>
+ <a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ <td>
+ <a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>
+ <a href="vpn_ipsec_phase1.php?dup=<?=$i;?>">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td class="listbg" colspan="5">
+ <table width="100%" height="100%"border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td class="listhdrr">Local Network</td>
+ <td class="listhdrr">Remote Network</td>
+ <td class="listhdrr">P2 Protocol</td>
+ <td class="listhdrr">P2 Transforms</td>
+ <td class="listhdrr">P2 Auth Methods</td>
+ <td class ="list">
+ <a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?>">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $j = 0;
+ foreach ($a_phase2 as $ph2ent) {
+ if ($ph2ent['ikeid'] != $ph1ent['ikeid']) {
+ $j++;
+ continue;
+ }
+
+ if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) {
+ $spans = "<span class=\"gray\">";
+ $spane = "</span>";
+ }
+ else
+ $spans = $spane = "";
+ ?>
+ <tr valign="top">
+ <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php echo ipsec_idinfo_to_text($ph2ent['localid']); ?>
+ <?=$spane;?>
+ </td>
+ <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php echo ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
+ <?=$spane;?>
+ </td>
+ <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php echo $p2_protos[$ph2ent['protocol']]; ?>
+ <?=$spane;?>
+ </td>
+ <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php
+ $k = 0;
+ foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) {
+ if ($k++)
+ echo ", ";
+ echo $p2_ealgos[$ph2ea['name']]['name'];
+ if ($ph2ea['keylen']) {
+ if ($ph2ea['keylen']=="auto")
+ echo " (auto)";
+ else
+ echo " ({$ph2ea['keylen']} bits)";
+ }
+ }
+ ?>
+ <?=$spane;?>
+ </td>
+ <td nowrap class="listr" ondblclick="document.location='vpn_ipsec_phase2.php?id=<?=$i;?>'">
+ <?=$spans;?>
+ <?php
+ $k = 0;
+ foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) {
+ if ($k++)
+ echo ", ";
+ echo $p2_halgos[$ph2ha];
+ }
+ ?>
+ <?=$spane;?>
+ </td>
+ <td nowrap class="list">
+ <a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0">
+ </a>
+ <a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ <?php
+ $j++;
+ }
+ ?>
+ </table>
+ </td>
+ </tr>
+ <?php
+ $i++;
+ }
?>
- <?=$spane;?></td>
- <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?>
- <?=$ipsecent['p1']['mode'];?>
- <?=$spane;?></td>
- <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?>
- <?=$p1_ealgos[$ipsecent['p1']['encryption-algorithm']];?>
- <?=$spane;?></td>
- <td class="listr" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?>
- <?=$p1_halgos[$ipsecent['p1']['hash-algorithm']];?>
- <?=$spane;?></td>
- <td class="listbg" ondblclick="document.location='vpn_ipsec_edit.php?id=<?=$i;?>'"><?=$spans;?><font color="#FFFFFF">
- <?=htmlspecialchars($ipsecent['descr']);?>&nbsp;
- <?=$spane;?></td>
- <td valign="middle" nowrap class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td><a href="vpn_ipsec_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit tunnel" width="17" height="17" border="0"></a></td>
- <td><a href="vpn_ipsec.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this tunnel?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete tunnel" width="17" height="17" border="0"></a></td>
- </tr>
- <tr>
- <td></td>
- <td><a href="vpn_ipsec_edit.php?dup=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add a new rule based on this one" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="6"></td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="17"></td>
- <td><a href="vpn_ipsec_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add tunnel" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- <td>
- </tr>
- <tr>
- <td colspan="4">
- <p><span class="vexpl"><span class="red"><strong>Note:<br>
- </strong></span>You can check your IPsec status at <a href="diag_ipsec_sad.php">Status:IPsec</a>.</span></p>
- </td>
- </tr>
- </table>
- </div>
- </td>
+ <tr>
+ <td class="list" colspan="5"></td>
+ <td class="list">
+ <table border="0" cellspacing="0" cellpadding="1">
+ <tr>
+ <td width="17"></td>
+ <td>
+ <a href="vpn_ipsec_phase1.php">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0">
+ </a>
+ </td>
+ </tr>
+ </table>
+ <td>
+ </tr>
+ <tr>
+ <td colspan="4">
+ <p>
+ <span class="vexpl">
+ <span class="red">
+ <strong>Note:<br></strong>
+ </span>
+ You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>.
+ </span>
+ </p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
</tr>
</table>
</form>
diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php
index 17195ae..b94c66d 100755
--- a/usr/local/www/vpn_ipsec_ca.php
+++ b/usr/local/www/vpn_ipsec_ca.php
@@ -51,22 +51,22 @@ include("head.inc");
?>
-
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="vpn_ipsec.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php if (file_exists($d_ipsecconfdirty_path)): ?><p>
-<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
-<?php endif; ?>
+<?php
+ if ($savemsg)
+ print_info_box($savemsg);
+ if ($pconfig['enable'] && file_exists($d_ipsecconfdirty_path))
+ print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");
+?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
$tab_array = array();
$tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
- $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
- $tab_array[3] = array("CAs", true, "vpn_ipsec_ca.php");
+// $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
+ $tab_array[2] = array("CAs", true, "vpn_ipsec_ca.php");
display_top_tabs($tab_array);
?>
</td></tr>
diff --git a/usr/local/www/vpn_ipsec_edit.php b/usr/local/www/vpn_ipsec_edit.php
deleted file mode 100755
index 74de623..0000000
--- a/usr/local/www/vpn_ipsec_edit.php
+++ /dev/null
@@ -1,662 +0,0 @@
-<?php
-/*
- vpn_ipsec_edit.php
- part of m0n0wall (http://m0n0.ch/wall)
-
- Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-if (!is_array($config['ipsec']['tunnel'])) {
- $config['ipsec']['tunnel'] = array();
-}
-$a_ipsec = &$config['ipsec']['tunnel'];
-
-if($config['interfaces']['lan'])
- $specialsrcdst = explode(" ", "lan");
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($_GET['dup'])) {
- $id = $_GET['dup'];
-}
-
-if (isset($id) && $a_ipsec[$id]) {
- $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']);
- $pconfig['auto'] = isset($a_ipsec[$id]['auto']);
-
- if (!isset($a_ipsec[$id]['local-subnet'])) {
- if($config['interfaces']['lan'])
- $pconfig['localnet'] = "lan";
- } else {
- if($config['interfaces']['lan'])
- address_to_pconfig_vpn($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']);
- }
-
- if ($a_ipsec[$id]['interface'])
- $pconfig['interface'] = $a_ipsec[$id]['interface'];
- else
- $pconfig['interface'] = "wan";
-
- list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']);
- $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway'];
- $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode'];
-
- if (isset($a_ipsec[$id]['p1']['myident']['myaddress']))
- $pconfig['p1myidentt'] = 'myaddress';
- else if (isset($a_ipsec[$id]['p1']['myident']['address'])) {
- $pconfig['p1myidentt'] = 'address';
- $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address'];
- } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) {
- $pconfig['p1myidentt'] = 'fqdn';
- $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn'];
- } else if (isset($a_ipsec[$id]['p1']['myident']['ufqdn'])) {
- $pconfig['p1myidentt'] = 'user_fqdn';
- $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['ufqdn'];
- } else if (isset($a_ipsec[$id]['p1']['myident']['asn1dn'])) {
- $pconfig['p1myidentt'] = 'asn1dn';
- $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['asn1dn'];
- } else if (isset($a_ipsec[$id]['p1']['myident']['dyn_dns'])) {
- $pconfig['p1myidentt'] = 'dyn_dns';
- $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['dyn_dns'];
- }
-
- $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm'];
- $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm'];
- $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup'];
- $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime'];
- $pconfig['p1authentication_method'] = $a_ipsec[$id]['p1']['authentication_method'];
- $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key'];
- $pconfig['p1cert'] = base64_decode($a_ipsec[$id]['p1']['cert']);
- $pconfig['p1peercert'] = base64_decode($a_ipsec[$id]['p1']['peercert']);
- $pconfig['p1privatekey'] = base64_decode($a_ipsec[$id]['p1']['private-key']);
- $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol'];
- $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option'];
- $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option'];
- $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup'];
- $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime'];
- $pconfig['descr'] = $a_ipsec[$id]['descr'];
- $pconfig['pinghost'] = $a_ipsec[$id]['pinghost'];
-
-} else {
- /* defaults */
- $pconfig['interface'] = "wan";
- if($config['interfaces']['lan'])
- $pconfig['localnet'] = "lan";
- $pconfig['p1mode'] = "aggressive";
- $pconfig['p1myidentt'] = "myaddress";
- $pconfig['p1authentication_method'] = "pre_shared_key";
- $pconfig['p1ealgo'] = "3des";
- $pconfig['p1halgo'] = "sha1";
- $pconfig['p1dhgroup'] = "2";
- $pconfig['p2proto'] = "esp";
- $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael,rijndael 256");
- $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5");
- $pconfig['p2pfsgroup'] = "0";
- $pconfig['remotebits'] = 32;
-}
-
-if (isset($_GET['dup']))
- unset($id);
-
-if ($_POST) {
- if (is_specialnet($_POST['localnettype'])) {
- $_POST['localnet'] = $_POST['localnettype'];
- $_POST['localnetmask'] = 0;
- } else if ($_POST['localnettype'] == "single") {
- $_POST['localnetmask'] = 32;
- }
-
- unset($input_errors);
- $pconfig = $_POST;
-
- /* input validation */
- if ($_POST['p1authentication_method'] == "pre_shared_key") {
- $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos");
- $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms");
- }
- else {
- $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p2ealgos p2halgos");
- $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,P2 Encryption Algorithms,P2 Hash Algorithms");
- if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE"))
- $input_errors[] = "This certificate does not appear to be valid.";
- if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY"))
- $input_errors[] = "This key does not appear to be valid.";
- if ($_POST['p1peercert']!="" && (!strstr($_POST['p1peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1peercert'], "END CERTIFICATE")))
- $input_errors[] = "This peer certificate does not appear to be valid.";
- }
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if (!is_specialnet($_POST['localnettype'])) {
- if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) {
- $input_errors[] = "A valid local network IP address must be specified.";
- }
- if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) {
- $input_errors[] = "A valid local network bit count must be specified.";
- }
- }
- if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) {
- $input_errors[] = "The P1 lifetime must be an integer.";
- }
- if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) {
- $input_errors[] = "The P2 lifetime must be an integer.";
- }
- if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] < 0) || ($_POST['remotebits'] > 32))) {
- if(!$_POST['remotebits'] == "0.0.0.0")
- $input_errors[] = "The remote network bits are invalid.";
- }
- if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet'])) or $_POST['remotenet'] == "0.0.0.0") {
- /* allow 0.0.0.0 remote net usage */
- if($_POST['remotenet'] <> "0.0.0.0")
- $input_errors[] = "A valid remote network address must be specified.";
- }
- if (($_POST['remotenet'] && is_ipaddr($_POST['remotenet']) && !isset($_POST['disabled']) )) {
- $t = 0;
- foreach($a_ipsec as $tunnel) {
- if($id <> $t) {
- $tremotecidr = $pconfig['remotenet'] ."/". $pconfig['remotebits'];
- if(($tunnel['remote-subnet'] == $tremotecidr) && !isset($tunnel['disabled'])) {
- $input_errors[] = "The remote network \"$tremotecidr\" is already used by tunnel \"${tunnel['descr']}\".";
- }
- }
- $t++;
- }
- }
- if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw'])))
- $input_errors[] = "A valid remote gateway address or host name must be specified.";
- if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) {
- $t = 0;
- foreach($a_ipsec as $tunnel) {
- if($id <> $t) {
- $tremotegw = $pconfig['remotegw'];
- if(($tunnel['remote-gateway'] == $tremotegw) && !isset($tunnel['disabled'])) {
- $input_errors[] = "The remote gateway \"$tremotegw\" is already used by tunnel \"${tunnel['descr']}\".";
- }
- }
- $t++;
- }
- }
- if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) {
- $input_errors[] = "A valid IP address for 'My identifier' must be specified.";
- }
- if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) {
- $input_errors[] = "A valid domain name for 'My identifier' must be specified.";
- }
- if ($_POST['p1myidentt'] == "user_fqdn") {
- $ufqdn = explode("@",$_POST['p1myident']);
- if (is_domain($ufqdn[1]) == false)
- $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.";
- }
- if ($_POST['p1myidentt'] == "dyn_dns") {
- if (is_domain($_POST['p1myidentt']) == false)
- $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified.";
- }
-
- if($_POST['p1myidentt'] == "fqdn" and $_POST['p1myident'] == "")
- $input_errors[] = gettext("Please enter a domain name for 'My Identifier'");
-
- if($_POST['p1myidentt'] == "dyn_dns" and $_POST['p1myident'] == "")
- $input_errors[] = gettext("Please enter a domain name for 'My Identifier'");
-
- if($_POST['p1myidentt'] == "address" and $_POST['p1myident'] == "")
- $input_errors[] = gettext("Please enter a domain name for 'My Identifier'");
-
- if($_POST['p1myidentt'] == "user_fqdn" and $_POST['p1myident'] == "")
- $input_errors[] = gettext("Please enter a domain name for 'My Identifier'");
-
- if ($_POST['p1myidentt'] == "myaddress")
- $_POST['p1myident'] = "";
-
- if (!$input_errors) {
- $ipsecent['disabled'] = $_POST['disabled'] ? true : false;
- //$ipsecent['auto'] = $_POST['auto'] ? true : false;
- $ipsecent['interface'] = $pconfig['interface'];
- pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']);
- $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits'];
- /* if the remote gateway changed and the interface is not WAN then remove route */
- /* the vpn_ipsec_configure() handles adding the route */
- if($_POST['interface'] <> "wan") {
- if($ipsecent['remote-gateway'] <> $_POST['remotegw']) {
- mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}");
- }
- }
- $ipsecent['remote-gateway'] = $_POST['remotegw'];
- $ipsecent['p1']['mode'] = $_POST['p1mode'];
-
- $ipsecent['p1']['myident'] = array();
- switch ($_POST['p1myidentt']) {
- case 'myaddress':
- $ipsecent['p1']['myident']['myaddress'] = true;
- break;
- case 'address':
- $ipsecent['p1']['myident']['address'] = $_POST['p1myident'];
- break;
- case 'fqdn':
- $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident'];
- break;
- case 'user_fqdn':
- $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident'];
- break;
- case 'asn1dn':
- $ipsecent['p1']['myident']['asn1dn'] = $_POST['p1myident'];
- break;
- case 'dyn_dns':
- $ipsecent['p1']['myident']['dyn_dns'] = $_POST['p1myident'];
- break;
- }
-
- $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo'];
- $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo'];
- $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup'];
- $ipsecent['p1']['lifetime'] = $_POST['p1lifetime'];
- $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey'];
- $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']);
- $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']);
- $ipsecent['p1']['peercert'] = base64_encode($_POST['p1peercert']);
- $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method'];
- $ipsecent['p2']['protocol'] = $_POST['p2proto'];
- $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos'];
- $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos'];
- $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup'];
- $ipsecent['p2']['lifetime'] = $_POST['p2lifetime'];
- $ipsecent['descr'] = $_POST['descr'];
- $ipsecent['pinghost'] = $_POST['pinghost'];
-
- if (isset($id) && $a_ipsec[$id])
- $a_ipsec[$id] = $ipsecent;
- else
- $a_ipsec[] = $ipsecent;
-
- write_config();
- touch($d_ipsecconfdirty_path);
-
- header("Location: vpn_ipsec.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","IPsec","Edit tunnel");
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<script language="JavaScript">
-<!--
-function typesel_change() {
- switch (document.iform.localnettype.selectedIndex) {
- case 0: /* single */
- document.iform.localnet.disabled = 0;
- document.iform.localnetmask.value = "";
- document.iform.localnetmask.disabled = 1;
- break;
- case 1: /* network */
- document.iform.localnet.disabled = 0;
- document.iform.localnetmask.disabled = 0;
- break;
- default:
- document.iform.localnet.value = "";
- document.iform.localnet.disabled = 1;
- document.iform.localnetmask.value = "";
- document.iform.localnetmask.disabled = 1;
- break;
- }
-}
-function methodsel_change() {
- switch (document.iform.p1authentication_method.selectedIndex) {
- case 1: /* rsa */
- document.iform.p1pskey.disabled = 1;
- document.iform.p1privatekey.disabled = 0;
- document.iform.p1cert.disabled = 0;
- document.iform.p1peercert.disabled = 0;
- break;
- default: /* pre-shared */
- document.iform.p1pskey.disabled = 0;
- document.iform.p1privatekey.disabled = 1;
- document.iform.p1cert.disabled = 1;
- document.iform.p1peercert.disabled = 1;
- break;
- }
-}
-//-->
-</script>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
- <form action="vpn_ipsec_edit.php" method="post" name="iform" id="iform">
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Mode</td>
- <td width="78%" class="vtable"> Tunnel</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Disabled</td>
- <td width="78%" class="vtable">
- <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
- <strong>Disable this tunnel</strong><br>
- <span class="vexpl">Set this option to disable this tunnel without
- removing it from the list.</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Interface</td>
- <td width="78%" class="vtable"><select name="interface" class="formselect">
- <?php
- $interfaces = get_configured_interface_with_descr();
- $carpips = find_number_of_needed_carp_interfaces();
- for($i=0; $i<$carpips; $i++) {
- $carpip = find_interface_ip("carp" . $i);
- $interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
- }
- foreach ($interfaces as $iface => $ifacename): ?>
- <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
- <?=htmlspecialchars($ifacename);?>
- </option>
- <?php endforeach; ?>
- </select> <br>
- <span class="vexpl">Select the interface for the local endpoint of this tunnel.</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Local subnet</td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td>Type:&nbsp;&nbsp;</td>
- <td></td>
- <td><select name="localnettype" class="formselect" onChange="typesel_change()">
- <?php $sel = is_specialnet($pconfig['localnet']); ?>
- <option value="single" <?php if (($pconfig['localnetmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>
- Single host</option>
- <option value="network" <?php if (!$sel) echo "selected"; ?>>
- Network</option>
- <?php if($config['interfaces']['lan']): ?>
- <option value="lan" <?php if ($pconfig['localnet'] == "lan") { echo "selected"; } ?>>
- LAN subnet</option>
- <?php endif; ?>
- </select></td>
- </tr>
- <tr>
- <td>Address:&nbsp;&nbsp;</td>
- <td><?=$mandfldhtmlspc;?></td>
- <td><input name="localnet" type="text" class="formfld unknown" id="localnet" size="20" value="<?php if (!is_specialnet($pconfig['localnet'])) echo htmlspecialchars($pconfig['localnet']);?>">
- /
- <select name="localnetmask" class="formselect" id="localnetmask">
- <?php for ($i = 31; $i >= 0; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['localnetmask']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select> </td>
- </tr>
- </table></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Remote subnet</td>
- <td width="78%" class="vtable">
- <?=$mandfldhtml;?><input name="remotenet" type="text" class="formfld unknown" id="remotenet" size="20" value="<?=$pconfig['remotenet'];?>">
- /
- <select name="remotebits" class="formselect" id="remotebits">
- <?php for ($i = 32; $i >= 0; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['remotebits']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Remote gateway</td>
- <td width="78%" class="vtable">
- <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>">
- <br>
- Enter the public IP address or host name of the remote gateway</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br> <span class="vexpl">You may enter a description here
- for your reference (not parsed).</span></td>
- </tr>
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Phase 1 proposal
- (Authentication)</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Negotiation mode</td>
- <td width="78%" class="vtable">
- <select name="p1mode" class="formfld unknown">
- <?php $modes = explode(" ", "main aggressive"); foreach ($modes as $mode): ?>
- <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1mode']) echo "selected"; ?>>
- <?=htmlspecialchars($mode);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Aggressive is faster, but
- less secure.</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">My identifier</td>
- <td width="78%" class="vtable">
- <select name="p1myidentt" class="formselect">
- <?php foreach ($my_identifier_list as $mode => $modename): ?>
- <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1myidentt']) echo "selected"; ?>>
- <?=htmlspecialchars($modename);?>
- </option>
- <?php endforeach; ?>
- </select> <input name="p1myident" type="text" class="formfld unknown" id="p1myident" size="30" value="<?=$pconfig['p1myident'];?>">
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
- <td width="78%" class="vtable">
- <select name="p1ealgo" class="formselect">
- <?php foreach ($p1_ealgos as $algo => $algoname): ?>
- <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1ealgo']) echo "selected"; ?>>
- <?=htmlspecialchars($algoname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Must match the setting
- chosen on the remote side. </span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Hash algorithm</td>
- <td width="78%" class="vtable">
- <select name="p1halgo" class="formselect">
- <?php foreach ($p1_halgos as $algo => $algoname): ?>
- <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1halgo']) echo "selected"; ?>>
- <?=htmlspecialchars($algoname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Must match the setting
- chosen on the remote side. </span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">DH key group</td>
- <td width="78%" class="vtable">
- <select name="p1dhgroup" class="formselect">
- <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?>
- <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p1dhgroup']) echo "selected"; ?>>
- <?=htmlspecialchars($keygroup);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024
- bit, 5 = 1536 bit</em><br>
- Must match the setting chosen on the remote side. </span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Lifetime</td>
- <td width="78%" class="vtable">
- <input name="p1lifetime" type="text" class="formfld unknown" id="p1lifetime" size="20" value="<?=$pconfig['p1lifetime'];?>">
- seconds</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Authentication method</td>
- <td width="78%" class="vtable">
- <select name="p1authentication_method" class="formselect" onChange="methodsel_change()">
- <?php foreach ($p1_authentication_methods as $method => $methodname): ?>
- <option value="<?=$method;?>" <?php if ($method == $pconfig['p1authentication_method']) echo "selected"; ?>>
- <?=htmlspecialchars($methodname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">Must match the setting
- chosen on the remote side.</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td>
- <td width="78%" class="vtable">
- <?=$mandfldhtml;?><input name="p1pskey" type="text" class="formfld unknown" id="p1pskey" size="40" value="<?=htmlspecialchars($pconfig['p1pskey']);?>">
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Certificate</td>
- <td width="78%" class="vtable">
- <textarea name="p1cert" cols="65" rows="7" id="p1cert" class="formpre"><?=htmlspecialchars($pconfig['p1cert']);?></textarea>
- <br>
- Paste a certificate in X.509 PEM format here.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Key</td>
- <td width="78%" class="vtable">
- <textarea name="p1privatekey" cols="65" rows="7" id="p1privatekey" class="formpre"><?=htmlspecialchars($pconfig['p1privatekey']);?></textarea>
- <br>
- Paste an RSA private key in PEM format here.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Peer certificate</td>
- <td width="78%" class="vtable">
- <textarea name="p1peercert" cols="65" rows="7" id="p1peercert" class="formpre"><?=htmlspecialchars($pconfig['p1peercert']);?></textarea>
- <br>
- Paste the peer X.509 certificate in PEM format here.<br>
- Leave this blank if you want to use a CA certificate for identity validation.</td>
- </tr>
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Phase 2 proposal
- (SA/Key Exchange)</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Protocol</td>
- <td width="78%" class="vtable">
- <select name="p2proto" class="formselect">
- <?php foreach ($p2_protos as $proto => $protoname): ?>
- <option value="<?=$proto;?>" <?php if ($proto == $pconfig['p2proto']) echo "selected"; ?>>
- <?=htmlspecialchars($protoname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl">ESP is encryption, AH is
- authentication only </span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
- <td width="78%" class="vtable">
- <?php foreach ($p2_ealgos as $algo => $algoname): ?>
- <input type="checkbox" name="p2ealgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2ealgos'])) echo "checked"; ?>>
- <?=htmlspecialchars($algoname);?>
- <br>
- <?php endforeach; ?>
- <br>
- Hint: use 3DES for best compatibility or if you have a hardware
- crypto accelerator card. Blowfish is usually the fastest in
- software encryption. </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Hash algorithms</td>
- <td width="78%" class="vtable">
- <?php foreach ($p2_halgos as $algo => $algoname): ?>
- <input type="checkbox" name="p2halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2halgos'])) echo "checked"; ?>>
- <?=htmlspecialchars($algoname);?>
- <br>
- <?php endforeach; ?>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">PFS key group</td>
- <td width="78%" class="vtable">
- <select name="p2pfsgroup" class="formselect">
- <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?>
- <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p2pfsgroup']) echo "selected"; ?>>
- <?=htmlspecialchars($keygroupname);?>
- </option>
- <?php endforeach; ?>
- </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024
- bit, 5 = 1536 bit</em></span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Lifetime</td>
- <td width="78%" class="vtable">
- <input name="p2lifetime" type="text" class="formfld unknown" id="p2lifetime" size="20" value="<?=$pconfig['p2lifetime'];?>">
- seconds</td>
- </tr>
- <tr>
- <td colspan="2" class="list" height="12"></td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic">Keep alive</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Automatically ping host</td>
- <td width="78%" class="vtable">
- <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> IP address</td>
- </tr>
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- <?php if (isset($id) && $a_ipsec[$id]): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
- </table>
-</form>
-<script lannguage="JavaScript">
-<!--
-typesel_change();
-methodsel_change();
-//-->
-</script>
-<?php include("fend.inc"); ?>
-
-
-<?php
-
-function address_to_pconfig_vpn($adr, &$padr, &$pmask) {
-
- if ($adr['network'])
- $padr = $adr['network'];
- else if ($adr['address']) {
- list($padr, $pmask) = explode("/", $adr['address']);
- if (is_null($pmask))
- $pmask = 32;
- }
-}
-
-?>
diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php
deleted file mode 100755
index 49112ff..0000000
--- a/usr/local/www/vpn_ipsec_keys.php
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-/*
- vpn_ipsec_keys.php
- part of m0n0wall (http://m0n0.ch/wall)
-
- Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-if (!is_array($config['ipsec']['mobilekey'])) {
- $config['ipsec']['mobilekey'] = array();
-}
-ipsec_mobilekey_sort();
-$a_secret = &$config['ipsec']['mobilekey'];
-
-if ($_GET['act'] == "del") {
- if ($a_secret[$_GET['id']]) {
- unset($a_secret[$_GET['id']]);
- write_config();
- touch($d_ipsecconfdirty_path);
- header("Location: vpn_ipsec_keys.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","IPsec","Keys");
-
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<form action="vpn_ipsec.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php if (file_exists($d_ipsecconfdirty_path)): ?><p>
-<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
-<?php endif; ?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr><td class="tabnavtbl">
-<?php
- $tab_array = array();
- $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
- $tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("Pre-shared keys", true, "vpn_ipsec_keys.php");
- $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php");
- display_top_tabs($tab_array);
-?>
- </td></tr>
- <tr>
- <td>
- <div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="listhdrr">Identifier</td>
- <td class="listhdr">Pre-shared key</td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="20" heigth="17"></td>
- <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- <?php $i = 0; foreach ($a_secret as $secretent): ?>
- <tr>
- <td class="listlr">
- <?=htmlspecialchars($secretent['ident']);?>
- </td>
- <td class="listr">
- <?=htmlspecialchars($secretent['pre-shared-key']);?>
- </td>
- <td class="list" nowrap> <a href="vpn_ipsec_keys_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit key" width="17" height="17" border="0"></a>
- &nbsp;<a href="vpn_ipsec_keys.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this pre-shared key?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete key" width="17" height="17" border="0"></a></td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="2"></td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td width="20" heigth="17"></td>
- <td><a href="vpn_ipsec_keys_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add key" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- </table>
- </div>
- </td>
- </tr>
-</table>
-</form>
-<?php include("fend.inc"); ?>
-</body>
-</html>
diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php
deleted file mode 100755
index f612bcc..0000000
--- a/usr/local/www/vpn_ipsec_keys_edit.php
+++ /dev/null
@@ -1,128 +0,0 @@
-<?php
-/*
- vpn_ipsec_keys_edit.php
- part of m0n0wall (http://m0n0.ch/wall)
-
- Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-if (!is_array($config['ipsec']['mobilekey'])) {
- $config['ipsec']['mobilekey'] = array();
-}
-ipsec_mobilekey_sort();
-$a_secret = &$config['ipsec']['mobilekey'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $a_secret[$id]) {
- $pconfig['ident'] = $a_secret[$id]['ident'];
- $pconfig['psk'] = $a_secret[$id]['pre-shared-key'];
-}
-
-if ($_POST) {
-
- unset($input_errors);
- $pconfig = $_POST;
-
- /* input validation */
- $reqdfields = explode(" ", "ident psk");
- $reqdfieldsn = explode(",", "Identifier,Pre-shared key");
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident']))
- $input_errors[] = "The identifier contains invalid characters.";
-
- if (!$input_errors && !(isset($id) && $a_secret[$id])) {
- /* make sure there are no dupes */
- foreach ($a_secret as $secretent) {
- if ($secretent['ident'] == $_POST['ident']) {
- $input_errors[] = "Another entry with the same identifier already exists.";
- break;
- }
- }
- }
-
- if (!$input_errors) {
-
- if (isset($id) && $a_secret[$id])
- $secretent = $a_secret[$id];
-
- $secretent['ident'] = $_POST['ident'];
- $secretent['pre-shared-key'] = $_POST['psk'];
-
- if (isset($id) && $a_secret[$id])
- $a_secret[$id] = $secretent;
- else
- $a_secret[] = $secretent;
-
- write_config();
- touch($d_ipsecconfdirty_path);
-
- header("Location: vpn_ipsec_keys.php");
- exit;
- }
-}
-
-$pgtitle = array("VPN","IPsec","Edit pre-shared key");
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
- <form action="vpn_ipsec_keys_edit.php" method="post" name="iform" id="iform">
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td valign="top" class="vncellreq">Identifier</td>
- <td class="vtable">
- <?=$mandfldhtml;?><input name="ident" type="text" class="formfld" id="ident" size="30" value="<?=$pconfig['ident'];?>">
- <br>
-This can be either an IP address, fully qualified domain name or an e-mail address.
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Pre-shared key</td>
- <td width="78%" class="vtable">
- <?=$mandfldhtml;?><input name="psk" type="text" class="formfld" id="psk" size="40" value="<?=htmlspecialchars($pconfig['psk']);?>">
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- <?php if (isset($id) && $a_secret[$id]): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
- </table>
-</form>
-<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index 6a105e3..5a88b66 100755
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -197,8 +197,7 @@ function methodsel_change() {
$tab_array = array();
$tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
$tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php");
- $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
- $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php");
+ $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php");
display_top_tabs($tab_array);
?>
</td></tr>
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
new file mode 100644
index 0000000..0a21362
--- /dev/null
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -0,0 +1,635 @@
+<?php
+/*
+ vpn_ipsec_phase1.php
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['ipsec']['phase1']))
+ $config['ipsec']['phase1'] = array();
+
+$a_phase1 = &$config['ipsec']['phase1'];
+
+if($config['interfaces']['lan'])
+ $specialsrcdst = explode(" ", "lan");
+
+$p1index = $_GET['p1index'];
+if (isset($_POST['p1index']))
+ $p1index = $_POST['p1index'];
+
+if (isset($_GET['dup'])) {
+ $p1index = $_GET['dup'];
+}
+
+if (isset($p1index) && $a_phase1[$p1index])
+{
+ $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
+ $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
+
+ if ($a_phase1[$p1index]['interface'])
+ $pconfig['interface'] = $a_phase1[$p1index]['interface'];
+ else
+ $pconfig['interface'] = "wan";
+
+ list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);
+ $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
+ $pconfig['mode'] = $a_phase1[$p1index]['mode'];
+ $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
+ $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
+ $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
+ $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
+ $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
+ $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
+ $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
+ $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
+ $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];
+ $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
+ $pconfig['cert'] = base64_decode($a_phase1[$p1index]['cert']);
+ $pconfig['peercert'] = base64_decode($a_phase1[$p1index]['peercert']);
+ $pconfig['privatekey'] = base64_decode($a_phase1[$p1index]['private-key']);
+
+ $pconfig['descr'] = $a_phase1[$p1index]['descr'];
+ $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal'];
+ $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable'];
+ $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
+ $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
+ $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost'];
+}
+else
+{
+ /* defaults */
+ $pconfig['interface'] = "wan";
+ if($config['interfaces']['lan'])
+ $pconfig['localnet'] = "lan";
+ $pconfig['mode'] = "aggressive";
+ $pconfig['myid_type'] = "myaddress";
+ $pconfig['peerid_type'] = "peeraddress";
+ $pconfig['authentication_method'] = "pre_shared_key";
+ $pconfig['ealgo'] = array( name => "3des" );
+ $pconfig['halgo'] = "sha1";
+ $pconfig['dhgroup'] = "2";
+ $pconfig['lifetime'] = "28800";
+ $pconfig['nat_traversal'] = "on";
+ $pconfig['dpd_enable'] = 1;
+ $pconfig['dpd_delay'] = 10;
+ $pconfig['dpd_maxfail'] = 5;
+}
+
+if (isset($_GET['dup']))
+ unset($p1index);
+
+if ($_POST) {
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ /* input validation */
+ if ($_POST['authentication_method'] == "pre_shared_key") {
+ $reqdfields = explode(" ", "remotegw pskey");
+ $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key");
+ } else {
+ $reqdfields = explode(" ", "remotegw");
+ $reqdfieldsn = explode(",", "Remote gateway");
+ if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
+ $input_errors[] = "This certificate does not appear to be valid.";
+ if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY"))
+ $input_errors[] = "This key does not appear to be valid.";
+ if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE")))
+ $input_errors[] = "This peer certificate does not appear to be valid.";
+ }
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (($_POST['lifetime'] && !is_numeric($_POST['lifetime'])))
+ $input_errors[] = "The P1 lifetime must be an integer.";
+
+ if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw'])))
+ $input_errors[] = "A valid remote gateway address or host name must be specified.";
+
+ if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) {
+ $t = 0;
+ foreach ($a_phase1 as $ph1tmp) {
+ if ($p1index <> $t) {
+ $tremotegw = $pconfig['remotegw'];
+ if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
+ $input_errors[] = "The remote gateway \"$tremotegw\" is already used by phase1 \"${ph1tmp['descr']}\".";
+ }
+ }
+ $t++;
+ }
+ }
+
+ /* My identity */
+
+ if ($_POST['myid_type'] == "myaddress")
+ $_POST['myid_data'] = "";
+
+ if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter an address for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
+
+ if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "")
+ $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
+
+ if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data'])))
+ $input_errors[] = "A valid IP address for 'My identifier' must be specified.";
+
+ if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data'])))
+ $input_errors[] = "A valid domain name for 'My identifier' must be specified.";
+
+ if ($_POST['myid_type'] == "fqdn")
+ if (is_domain($_POST['myid_data']) == false)
+ $input_errors[] = "A valid FQDN for 'My identifier' must be specified.";
+
+ if ($_POST['myid_type'] == "user_fqdn") {
+ $user_fqdn = explode("@",$_POST['myid_data']);
+ if (is_domain($user_fqdn[1]) == false)
+ $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.";
+ }
+
+ if ($_POST['myid_type'] == "dyn_dns")
+ if (is_domain($_POST['myid_data']) == false)
+ $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified.";
+
+ /* Peer identity */
+
+ if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
+
+ if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "")
+ $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
+
+ if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data'])))
+ $input_errors[] = "A valid IP address for 'Peer identifier' must be specified.";
+
+ if ((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data'])))
+ $input_errors[] = "A valid domain name for 'Peer identifier' must be specified.";
+
+ if ($_POST['peerid_type'] == "fqdn")
+ if (is_domain($_POST['peerid_data']) == false)
+ $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified.";
+
+ if ($_POST['peerid_type'] == "user_fqdn") {
+ $user_fqdn = explode("@",$_POST['peerid_data']);
+ if (is_domain($user_fqdn[1]) == false)
+ $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.";
+ }
+
+ if ($_POST['dpd_enable']) {
+ if (!is_numeric($_POST['dpd_delay']))
+ $input_errors[] = "A numeric value must be specified for DPD delay.";
+
+ if (!is_numeric($_POST['dpd_maxfail']))
+ $input_errors[] = "A numeric value must be specified for DPD retries.";
+ }
+
+ /* build our encryption algorithms array */
+ $pconfig['ealgo'] = array();
+ $pconfig['ealgo']['name'] = $_POST['ealgo'];
+ if($_POST['ealgo_keylen'])
+ $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
+
+ if (!$input_errors) {
+ $ph1ent['ikeid'] = $_POST['ikeid'];
+ $ph1ent['disabled'] = $_POST['disabled'] ? true : false;
+ $ph1ent['interface'] = $pconfig['interface'];
+ /* if the remote gateway changed and the interface is not WAN then remove route */
+ /* the vpn_ipsec_configure() handles adding the route */
+ if ($_POST['interface'] <> "wan") {
+ if($ph1ent['remote-gateway'] <> $_POST['remotegw']) {
+ mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}");
+ }
+ }
+ $ph1ent['remote-gateway'] = $_POST['remotegw'];
+ $ph1ent['mode'] = $_POST['mode'];
+
+ $ph1ent['myid_type'] = $_POST['myid_type'];
+ $ph1ent['myid_data'] = $_POST['myid_data'];
+ $ph1ent['peerid_type'] = $_POST['peerid_type'];
+ $ph1ent['peerid_data'] = $_POST['peerid_data'];
+
+ $ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
+ $ph1ent['hash-algorithm'] = $_POST['halgo'];
+ $ph1ent['dhgroup'] = $_POST['dhgroup'];
+ $ph1ent['lifetime'] = $_POST['lifetime'];
+ $ph1ent['pre-shared-key'] = $_POST['pskey'];
+ $ph1ent['private-key'] = base64_encode($_POST['privatekey']);
+ $ph1ent['cert'] = base64_encode($_POST['cert']);
+ $ph1ent['peercert'] = base64_encode($_POST['peercert']);
+ $ph1ent['authentication_method'] = $_POST['authentication_method'];
+
+ $ph1ent['descr'] = $_POST['descr'];
+ $ph1ent['nat_traversal'] = $_POST['nat_traversal'];
+ $ph1ent['dpd_enable'] = $_POST['dpd_enable'];
+ $ph1ent['dpd_delay'] = $_POST['dpd_delay'];
+ $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail'];
+ $ph1ent['pinghost'] = $_POST['pinghost'];
+
+ /* generate unique phase1 ikeid */
+ if ($ph1ent['ikeid'] == 0) {
+ while (true) {
+ $ph1ent['ikeid']++;
+ foreach ($a_phase1 as $ph1tmp)
+ if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] )
+ break;
+
+ if( $ph1ent['ikeid'] != $ph1tmp['ikeid'] )
+ break;
+ }
+ }
+
+ if (isset($p1index) && $a_phase1[$p1index])
+ $a_phase1[$p1index] = $ph1ent;
+ else
+ $a_phase1[] = $ph1ent;
+
+ write_config();
+ touch($d_ipsecconfdirty_path);
+
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+$pgtitle = array("VPN","IPsec","Edit Phase 1");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+function methodsel_change() {
+ switch (document.iform.authentication_method.selectedIndex) {
+ case 1: /* rsa */
+ document.iform.pskey.disabled = 1;
+ document.iform.privatekey.disabled = 0;
+ document.iform.cert.disabled = 0;
+ document.iform.peercert.disabled = 0;
+ break;
+ default: /* pre-shared */
+ document.iform.pskey.disabled = 0;
+ document.iform.privatekey.disabled = 1;
+ document.iform.cert.disabled = 1;
+ document.iform.peercert.disabled = 1;
+ break;
+ }
+}
+
+/* PHP generated java script for variable length keys */
+function ealgosel_change(bits) {
+ switch (document.iform.ealgo.selectedIndex) {
+<?php
+ $i = 0;
+ foreach ($p1_ealgos as $algo => $algodata) {
+ if (is_array($algodata['keysel'])) {
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
+ echo " document.iform.ealgo_keylen.options.length = 0;\n";
+// echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";
+
+ $key_hi = $algodata['keysel']['hi'];
+ $key_lo = $algodata['keysel']['lo'];
+ $key_step = $algodata['keysel']['step'];
+
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step)
+ echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
+ echo " break;\n";
+ } else {
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
+ echo " document.iform.ealgo_keylen.options.length = 0;\n";
+ echo " break;\n";
+ }
+ $i++;
+ }
+?>
+ }
+
+ if( bits )
+ document.iform.ealgo_keylen.value = bits;
+}
+function dpdchkbox_change() {
+ if( document.iform.dpd_enable.checked ) {
+ document.iform.dpd_delay.disabled = 0;
+ document.iform.dpd_maxfail.disabled = 0;
+ } else {
+ document.iform.dpd_delay.disabled = 1;
+ document.iform.dpd_maxfail.disabled = 1;
+ }
+}
+//-->
+</script>
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+ <form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
+ <strong>Disable this phase1 entry</strong><br>
+ <span class="vexpl">Set this option to disable this phase1 without
+ removing it from the list.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Interface</td>
+ <td width="78%" class="vtable">
+ <select name="interface" class="formselect">
+ <?php
+ $interfaces = get_configured_interface_with_descr();
+ $carpips = find_number_of_needed_carp_interfaces();
+ for ($i=0; $i<$carpips; $i++) {
+ $carpip = find_interface_ip("carp" . $i);
+ $interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
+ }
+ foreach ($interfaces as $iface => $ifacename):
+ ?>
+ <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
+ <?=htmlspecialchars($ifacename);?>
+ </option>
+ <?php endforeach; ?>
+ </select> <br>
+ <span class="vexpl">Select the interface for the local endpoint of this phase1 entry.</span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Remote gateway</td>
+ <td width="78%" class="vtable">
+ <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>">
+ <br>
+ Enter the public IP address or host name of the remote gateway
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
+ <br> <span class="vexpl">You may enter a description here
+ for your reference (not parsed).</span>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Phase 1 proposal
+ (Authentication)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Negotiation mode</td>
+ <td width="78%" class="vtable">
+ <select name="mode" class="formselect">
+ <?php
+ $modes = explode(" ", "main aggressive");
+ foreach ($modes as $mode):
+ ?>
+ <option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected"; ?>>
+ <?=htmlspecialchars($mode);?>
+ </option>
+ <?php endforeach; ?>
+ </select> <br> <span class="vexpl">Aggressive is more flexible, but less secure.</span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">My identifier</td>
+ <td width="78%" class="vtable">
+ <select name="myid_type" class="formselect">
+ <?php foreach ($my_identifier_list as $mode => $modename): ?>
+ <option value="<?=$mode;?>" <?php if ($mode == $pconfig['myid_type']) echo "selected"; ?>>
+ <?=htmlspecialchars($modename);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=$pconfig['myid_data'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Peer identifier</td>
+ <td width="78%" class="vtable">
+ <select name="peerid_type" class="formselect">
+ <?php foreach ($peer_identifier_list as $mode => $modename): ?>
+ <option value="<?=$mode;?>" <?php if ($mode == $pconfig['peerid_type']) echo "selected"; ?>>
+ <?=htmlspecialchars($modename);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>">
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
+ <td width="78%" class="vtable">
+ <select name="ealgo" class="formselect" onChange="ealgosel_change()">
+ <?php
+ foreach ($p1_ealgos as $algo => $algodata):
+ $selected = '';
+ if ($algo == $pconfig['ealgo']['name'])
+ $selected = ' selected';
+ ?>
+ <option value="<?=$algo;?>"<?=$selected?>>
+ <?=htmlspecialchars($algodata['name']);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <select name="ealgo_keylen" width="30" class="formselect">
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Hash algorithm</td>
+ <td width="78%" class="vtable">
+ <select name="halgo" class="formselect">
+ <?php foreach ($p1_halgos as $algo => $algoname): ?>
+ <option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) echo "selected"; ?>>
+ <?=htmlspecialchars($algoname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">
+ Must match the setting chosen on the remote side.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">DH key group</td>
+ <td width="78%" class="vtable">
+ <select name="dhgroup" class="formselect">
+ <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?>
+ <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) echo "selected"; ?>>
+ <?=htmlspecialchars($keygroup);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">
+ <em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em>
+ <br>
+ Must match the setting chosen on the remote side.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Lifetime</td>
+ <td width="78%" class="vtable">
+ <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>">
+ seconds
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Authentication method</td>
+ <td width="78%" class="vtable">
+ <select name="authentication_method" class="formselect" onChange="methodsel_change()">
+ <?php foreach ($p1_authentication_methods as $method => $methodname): ?>
+ <option value="<?=$method;?>" <?php if ($method == $pconfig['authentication_method']) echo "selected"; ?>>
+ <?=htmlspecialchars($methodname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">Must match the setting chosen on the remote side.</span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td>
+ <td width="78%" class="vtable">
+ <?=$mandfldhtml;?><input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>">
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">My Certificate</td>
+ <td width="78%" class="vtable">
+ <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
+ <br>
+ Paste a certificate in X.509 PEM format here.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">My Private Key</td>
+ <td width="78%" class="vtable">
+ <textarea name="privatekey" cols="65" rows="7" id="privatekey" class="formpre"><?=htmlspecialchars($pconfig['privatekey']);?></textarea>
+ <br>
+ Paste an RSA private key in PEM format here.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Peer certificate</td>
+ <td width="78%" class="vtable">
+ <textarea name="peercert" cols="65" rows="7" id="peercert" class="formpre"><?=htmlspecialchars($pconfig['peercert']);?></textarea>
+ <br>
+ Paste the peer X.509 certificate in PEM format here.<br>
+ Leave this blank if you want to use a CA certificate for identity validation.
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Advanced Options</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">NAT Traversal</td>
+ <td width="78%" class="vtable">
+ <select name="nat_traversal" class="formselect">
+ <option value="off" <?php if ($pconfig['nat_traversal'] == "off") echo "selected"; ?>>Disable</option>
+ <option value="on" <?php if ($pconfig['nat_traversal'] == "on") echo "selected"; ?>>Enable</option>
+ <option value="force" <?php if ($pconfig['nat_traversal'] == "force") echo "selected"; ?>>Force</option>
+ </select>
+ <br/>
+ <span class="vexpl">
+ Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed,
+ which can help with clients that are behind restrictive firewalls.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Dead Peer Detection</td>
+ <td width="78%" class="vtable">
+ <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if ($pconfig['dpd_enable']) echo "checked"; ?> onClick="dpdchkbox_change()">
+ Enable DPD<br>
+ <br>
+ <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>">
+ seconds<br>
+ <span class="vexpl">Delay between requesting peer acknowledgement.</span><br>
+ <br>
+ <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>">
+ retries<br>
+ <span class="vexpl">Number consecutive failures allowed before disconnect.</span><br>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Automatically ping host</td>
+ <td width="78%" class="vtable">
+ <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>">
+ IP address
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top">&nbsp;</td>
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save">
+ <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>">
+ <?php if (isset($p1index) && $a_phase1[$p1index]): ?>
+ <input name="p1index" type="hidden" value="<?=$p1index;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+</form>
+<script lannguage="JavaScript">
+<!--
+<?php
+ /* determine if we should init the key length */
+ $keyset = '';
+ if (isset($pconfig['ealgo']['keylen']))
+ if (is_numeric($pconfig['ealgo']['keylen']))
+ $keyset = $pconfig['ealgo']['keylen'];
+?>
+methodsel_change();
+ealgosel_change(<?=$keyset;?>);
+dpdchkbox_change();
+//-->
+</script>
+<?php include("fend.inc"); ?>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
new file mode 100644
index 0000000..7a3c5ce
--- /dev/null
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -0,0 +1,489 @@
+<?php
+/*
+ vpn_ipsec_phase2.php
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['ipsec']['phase2']))
+ $config['ipsec']['phase2'] = array();
+
+$a_phase2 = &$config['ipsec']['phase2'];
+
+if($config['interfaces']['lan'])
+ $specialsrcdst = explode(" ", "lan");
+
+$p2index = $_GET['p2index'];
+if (isset($_POST['p2index']))
+ $p2index = $_POST['p2index'];
+
+if (isset($_GET['dup']))
+ $p2index = $_GET['dup'];
+
+if (isset($p2index) && $a_phase2[$p2index])
+{
+ $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid'];
+ $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']);
+ $pconfig['descr'] = $a_phase2[$p2index]['descr'];
+
+ idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig);
+ idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig);
+
+ $pconfig['proto'] = $a_phase2[$p2index]['protocol'];
+ ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig);
+ $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option'];
+ $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup'];
+ $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime'];
+}
+else
+{
+ $pconfig['ikeid'] = $_GET['ikeid'];
+
+ /* defaults */
+ $pconfig['localid_type'] = "lan";
+ $pconfig['remoteid_type'] = "network";
+ $pconfig['proto'] = "esp";
+ $pconfig['ealgos'] = explode(",", "3des,blowfish,cast128,aes");
+ $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5");
+ $pconfig['pfsgroup'] = "0";
+ $pconfig['lifetime'] = "3600";
+}
+
+if (isset($_GET['dup']))
+ unset($p2index);
+
+if ($_POST) {
+
+ unset($input_errors);
+ $pconfig = $_POST;
+
+ $ealgos = pconfig_to_ealgos($pconfig);
+ $localid = pconfig_to_idinfo("local",$pconfig);
+ $remoteid = pconfig_to_idinfo("remote",$pconfig);
+
+ if (!isset( $_POST['ikeid']))
+ $input_errors[] = "A valid ikeid must be specified.";
+
+ /* input validation */
+ $reqdfields = explode(" ", "localid_type remoteid_type halgos");
+ $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms");
+
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ switch ($_POST['localid_type']) {
+ case "network":
+ if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits']))
+ $input_errors[] = "A valid local network bit count must be specified..";
+ case "address":
+ if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address']))
+ $input_errors[] = "A valid local network IP address must be specified.";
+ break;
+ }
+
+ switch ($_POST['remoteid_type']) {
+ case "network":
+ if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits']))
+ $input_errors[] = "A valid remote network bit count must be specified..";
+ case "address":
+ if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address']))
+ $input_errors[] = "A valid remote network IP address must be specified.";
+ break;
+ }
+
+/* TODO : Validate enabled phase2's are not duplicates */
+
+ if (!count($ealgos)) {
+ $input_errors[] = "At least one encryption algorithm must be selected.";
+ }
+ if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) {
+ $input_errors[] = "The P2 lifetime must be an integer.";
+ }
+
+ if (!$input_errors) {
+ $ph2ent['ikeid'] = $_POST['ikeid'];
+ $ph2ent['disabled'] = $_POST['disabled'] ? true : false;
+ $ph2ent['localid'] = $localid;
+ $ph2ent['remoteid'] = $remoteid;
+ $ph2ent['protocol'] = $_POST['proto'];
+ $ph2ent['encryption-algorithm-option'] = $ealgos;
+ $ph2ent['hash-algorithm-option'] = $_POST['halgos'];
+ $ph2ent['pfsgroup'] = $_POST['pfsgroup'];
+ $ph2ent['lifetime'] = $_POST['lifetime'];
+ $ph2ent['descr'] = $_POST['descr'];
+
+ if (isset($p2index) && $a_phase2[$p2index])
+ $a_phase2[$p2index] = $ph2ent;
+ else
+ $a_phase2[] = $ph2ent;
+
+ write_config();
+ touch($d_ipsecconfdirty_path);
+
+ header("Location: vpn_ipsec.php");
+ exit;
+ }
+}
+
+$pgtitle = array("VPN","IPsec","Edit Phase 2");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+function typesel_change_local(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.localid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.localid_address.disabled = 0;
+ document.iform.localid_netbits.value = bits;
+ document.iform.localid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.localid_address.value = "";
+ document.iform.localid_address.disabled = 1;
+ document.iform.localid_netbits.value = 0;
+ document.iform.localid_netbits.disabled = 1;
+ break;
+ }
+}
+function typesel_change_remote(bits) {
+
+ if (!bits)
+ bits = 24;
+
+ switch (document.iform.remoteid_type.selectedIndex) {
+ case 0: /* single */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = 0;
+ document.iform.remoteid_netbits.disabled = 1;
+ break;
+ case 1: /* network */
+ document.iform.remoteid_address.disabled = 0;
+ document.iform.remoteid_netbits.value = bits;
+ document.iform.remoteid_netbits.disabled = 0;
+ break;
+ default:
+ document.iform.remoteid_address.value = "";
+ document.iform.remoteid_address.disabled = 1;
+ document.iform.remoteid_netbits.value = 0;
+ document.iform.remoteid_netbits.disabled = 1;
+ break;
+ }
+}
+//-->
+
+</script>
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+ <form action="vpn_ipsec_phase2.php" method="post" name="iform" id="iform">
+ <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Mode</td>
+ <td width="78%" class="vtable"> Tunnel</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
+ <strong>Disable this phase2 entry</strong><br>
+ <span class="vexpl">Set this option to disable this phase2 entry without
+ removing it from the list.
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Local Network</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type:&nbsp;&nbsp;</td>
+ <td></td>
+ <td>
+ <select name="localid_type" class="formselect" onChange="typesel_change_local()">
+ <option value="address" <?php if ($pconfig['localid_type'] == "address") echo "selected";?>>Address</option>
+ <option value="network" <?php if ($pconfig['localid_type'] == "network") echo "selected";?>>Network</option>
+ <option value="lan" <?php if ($pconfig['localid_type'] == "lan" ) echo "selected";?>>LAN subnet</option>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address:&nbsp;&nbsp;</td>
+ <td><?=$mandfldhtmlspc;?></td>
+ <td>
+ <input name="localid_address" type="text" class="formfld unknown" id="localid_address" size="20" value="<?=$pconfig['localid_address'];?>">
+ /
+ <select name="localid_netbits" class="formselect" id="localid_netbits">
+ <?php for ($i = 32; $i >= 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['localid_netbits']) echo "selected"; ?>>
+ <?=$i;?>
+ </option>
+ <?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <td width="22%" valign="top" class="vncellreq">Remote Network</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type:&nbsp;&nbsp;</td>
+ <td></td>
+ <td>
+ <select name="remoteid_type" class="formselect" onChange="typesel_change_remote()">
+ <option value="address" <?php if ($pconfig['remoteid_type'] == "address") echo "selected"; ?>>Address</option>
+ <option value="network" <?php if ($pconfig['remoteid_type'] == "network") echo "selected"; ?>>Network</option>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address:&nbsp;&nbsp;</td>
+ <td><?=$mandfldhtmlspc;?></td>
+ <td>
+ <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=$pconfig['remoteid_address'];?>">
+ /
+ <select name="remoteid_netbits" class="formselect" id="remoteid_netbits">
+ <?php for ($i = 32; $i >= 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['remoteid_netbits']) echo "selected"; ?>>
+ <?=$i;?>
+ </option>
+ <?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Description</td>
+ <td width="78%" class="vtable">
+ <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
+ <br> <span class="vexpl">You may enter a description here
+ for your reference (not parsed).</span>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list" height="12"></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Phase 2 proposal
+ (SA/Key Exchange)
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Protocol</td>
+ <td width="78%" class="vtable">
+ <select name="proto" class="formselect">
+ <?php foreach ($p2_protos as $proto => $protoname): ?>
+ <option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected"; ?>>
+ <?=htmlspecialchars($protoname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">ESP is encryption, AH is authentication only </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <?php
+ foreach ($p2_ealgos as $algo => $algodata):
+ $checked = '';
+ if (in_array($algo,$pconfig['ealgos']))
+ $checked = " checked";
+ ?>
+ <tr>
+ <td>
+ <input type="checkbox" name="ealgos[]?>" value="<?=$algo;?>"<?=$checked?>>
+ </td>
+ <td>
+ <?=htmlspecialchars($algodata['name']);?>
+ </td>
+ <td>
+ <?php if(is_array($algodata['keysel'])): ?>
+ &nbsp;&nbsp;
+ <select name="keylen_<?=$algo;?>" class="formselect">
+ <option value="auto">auto</option>
+ <?php
+ $key_hi = $algodata['keysel']['hi'];
+ $key_lo = $algodata['keysel']['lo'];
+ $key_step = $algodata['keysel']['step'];
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step):
+ $selected = '';
+// if ($checked && in_array("keylen_".$algo,$pconfig))
+ if ($keylen == $pconfig["keylen_".$algo])
+ $selected = " selected";
+ ?>
+ <option value="<?=$keylen;?>"<?=$selected;?>><?=$keylen;?> bits</option>
+ <?php endfor; ?>
+ </select>
+ <?php endif; ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ <br>
+ Hint: use 3DES for best compatibility or if you have a hardware
+ crypto accelerator card. Blowfish is usually the fastest in
+ software encryption.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Hash algorithms</td>
+ <td width="78%" class="vtable">
+ <?php foreach ($p2_halgos as $algo => $algoname): ?>
+ <input type="checkbox" name="halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['halgos'])) echo "checked"; ?>>
+ <?=htmlspecialchars($algoname);?>
+ <br>
+ <?php endforeach; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">PFS key group</td>
+ <td width="78%" class="vtable">
+ <select name="pfsgroup" class="formselect">
+ <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?>
+ <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['pfsgroup']) echo "selected"; ?>>
+ <?=htmlspecialchars($keygroupname);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl"><em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em></span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Lifetime</td>
+ <td width="78%" class="vtable">
+ <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>">
+ seconds
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top">&nbsp;</td>
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save">
+ <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>">
+ <?php if (isset($p2index) && $a_phase2[$p2index]): ?>
+ <input name="p2index" type="hidden" value="<?=$p2index;?>">
+ <?php endif; ?>
+ </td>
+ </tr>
+ </table>
+</form>
+<script lannguage="JavaScript">
+<!--
+typesel_change_local(<?=$pconfig['localid_netbits']?>);
+typesel_change_remote(<?=$pconfig['remoteid_netbits']?>);
+//-->
+</script>
+<?php include("fend.inc"); ?>
+
+<?php
+
+function pconfig_to_ealgos(& $pconfig) {
+
+ global $p2_ealgos;
+
+ $ealgos = array();
+ foreach ($p2_ealgos as $algo_name => $algo_data) {
+ if (in_array($algo_name,$pconfig['ealgos'])) {
+ $ealg = array();
+ $ealg['name'] = $algo_name;
+ if (is_array($algo_data['keysel']))
+ $ealg['keylen'] = $_POST["keylen_".$algo_name];
+ $ealgos[] = $ealg;
+ }
+ }
+
+ return $ealgos;
+}
+
+function ealgos_to_pconfig(& $ealgos,& $pconfig) {
+
+ $pconfig['ealgos'] = array();
+ foreach ($ealgos as $algo_data) {
+ $pconfig['ealgos'][] = $algo_data['name'];
+ if (isset($algo_data['keylen']))
+ $pconfig["keylen_".$algo_data['name']] = $algo_data['keylen'];
+ }
+
+ return $ealgos;
+}
+
+function pconfig_to_idinfo($prefix,& $pconfig) {
+
+ $type = $pconfig[$prefix."id_type"];
+ $address = $pconfig[$prefix."id_address"];
+ $netbits = $pconfig[$prefix."id_netbits"];
+
+ switch( $type )
+ {
+ case "address":
+ return array('type' => $type, 'address' => $address);
+ case "network":
+ return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
+ default:
+ return array('type' => $type );
+ }
+}
+
+function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) {
+
+ switch( $idinfo['type'] )
+ {
+ case "address":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ break;
+ case "network":
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ $pconfig[$prefix."id_address"] = $idinfo['address'];
+ $pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
+ break;
+ default:
+ $pconfig[$prefix."id_type"] = $idinfo['type'];
+ break;
+ }
+}
+
+?>
diff --git a/usr/local/www/widgets/include/ipsec.inc b/usr/local/www/widgets/include/ipsec.inc
deleted file mode 100644
index 5484d63..0000000
--- a/usr/local/www/widgets/include/ipsec.inc
+++ /dev/null
@@ -1,81 +0,0 @@
-<?php
-//set variable for custom title
-$ipsec_title = "IPsec";
-
-function get_ipsec_tunnel_sad() {
- /* query SAD */
- $fd = @popen("/usr/local/sbin/setkey -D", "r");
- $sad = array();
- if ($fd) {
- while (!feof($fd)) {
- $line = chop(fgets($fd));
- if (!$line)
- continue;
- if ($line == "No SAD entries.")
- break;
- if ($line[0] != "\t") {
- if (is_array($cursa))
- $sad[] = $cursa;
- $cursa = array();
- list($cursa['src'],$cursa['dst']) = explode(" ", $line);
- $i = 0;
- } else {
- $linea = explode(" ", trim($line));
- if ($i == 1) {
- $cursa['proto'] = $linea[0];
- $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1);
- } else if ($i == 2) {
- $cursa['ealgo'] = $linea[1];
- } else if ($i == 3) {
- $cursa['aalgo'] = $linea[1];
- }
- }
- $i++;
- }
- if (is_array($cursa) && count($cursa))
- $sad[] = $cursa;
- pclose($fd);
- }
- return($sad);
-}
-
-function get_ipsec_tunnel_src($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- if ($tunnel['interface']) {
- $if = $tunnel['interface'];
- $realinterface = convert_friendly_interface_to_real_interface_name($if);
- $interfaceip = find_interface_ip($realinterface);
- }
- return $interfaceip;
-}
-
-function output_ipsec_tunnel_status($tunnel) {
- global $g, $config, $sad;
- $if = "WAN";
- $interfaceip = get_ipsec_tunnel_src($tunnel);
- $foundsrc = false;
- $founddst = false;
-
- if(!is_array($sad)) {
- /* we have no sad array, bail */
- return(false);
- }
- foreach($sad as $sa) {
- if($sa['src'] == $interfaceip)
- $foundsrc = true;
- if($sa['dst'] == $tunnel['remote-gateway'])
- $founddst = true;
- }
- if($foundsrc && $founddst) {
- /* tunnel is up */
- $iconfn = "pass";
- return(true);
- } else {
- /* tunnel is down */
- $iconfn = "reject";
- return(false);
- }
-}
-
-?>
diff --git a/usr/local/www/widgets/widgets/ipsec.widget.php b/usr/local/www/widgets/widgets/ipsec.widget.php
index dd033c0..1a63029 100644
--- a/usr/local/www/widgets/widgets/ipsec.widget.php
+++ b/usr/local/www/widgets/widgets/ipsec.widget.php
@@ -33,9 +33,8 @@
require_once("guiconfig.inc");
require_once("pfsense-utils.inc");
require_once("functions.inc");
-require_once("/usr/local/www/widgets/include/ipsec.inc");
- if (isset($config['ipsec']['tunnel'])){?>
+ if (isset($config['ipsec']['phase1'])){?>
<div>&nbsp;</div>
<?php
$tab_array = array();
@@ -43,26 +42,27 @@ require_once("/usr/local/www/widgets/include/ipsec.inc");
$tab_array[1] = array("Tunnel Status", false, "ipsec-tunnel");
display_widget_tabs($tab_array);
- $sad = array();
- $sad = get_ipsec_tunnel_sad();
+ $spd = ipsec_dump_spd();
+ $sad = ipsec_dump_sad();
$activecounter = 0;
$inactivecounter = 0;
$ipsec_detail_array = array();
- foreach ($config['ipsec']['tunnel'] as $tunnel){
+ foreach ($config['ipsec']['phase2'] as $ph2ent){
+ ipsec_lookup_phase1($ph2ent,$ph1ent);
$ipsecstatus = false;
$tun_disabled = "false";
$foundsrc = false;
$founddst = false;
- if (isset($tunnel['disabled'])) {
+ if (isset($ph1ent['disabled']) || isset($ph2ent['disabled'])) {
$tun_disabled = "true";
continue;
- }
+ }
- if(output_ipsec_tunnel_status($tunnel)) {
+ if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) {
/* tunnel is up */
$iconfn = "true";
$activecounter++;
@@ -72,16 +72,16 @@ require_once("/usr/local/www/widgets/include/ipsec.inc");
$inactivecounter++;
}
- $ipsec_detail_array[] = array('src' => $tunnel['interface'],
- 'dest' => $tunnel['remote-gateway'],
- 'remote-subnet' => $tunnel['remote-subnet'],
- 'descr' => $tunnel['descr'],
+ $ipsec_detail_array[] = array('src' => $ph1ent['interface'],
+ 'dest' => $ph1ent['remote-gateway'],
+ 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']),
+ 'descr' => $ph2ent['descr'],
'status' => $iconfn,
'disabled' => $tun_disabled);
}
}
- if (isset($config['ipsec']['tunnel'])){ ?>
+ if (isset($config['ipsec']['phase2'])){ ?>
<div id="ipsec-Overview" style="display:block;background-color:#EEEEEE;">
<div>
OpenPOWER on IntegriCloud