From f6f1d6f754f3f530eb3afb2a2fcfcc54a586e20f Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Thu, 11 Nov 2004 00:34:29 +0000 Subject: allow user to set a hidden ipsec field called "creategif" which will create gif entries which are useful for routing. --- etc/inc/vpn.inc | 244 +++++++++++++++++++++++++++++++------------------------- 1 file changed, 137 insertions(+), 107 deletions(-) (limited to 'etc/inc/vpn.inc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index b73af46..7d7d65f 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -2,20 +2,20 @@ /* vpn.inc part of m0n0wall (http://m0n0.ch/wall) - + Copyright (C) 2003-2004 Manuel Kasper . All rights reserved. - + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - + 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - + 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
@@ -27,121 +27,151 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - + /* include all configuration functions */ require_once("functions.inc"); - + +function find_last_gif_device() { + $last_gif_found = -1; + if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1; + $ifconfig_data = fread($fp, 4096); + pclose($fp); + $ifconfig_array = split(" ", $ifconfig_data); + foreach ($ifconfig_array as $ifconfig) { + echo $ifconfig . "\n"; + ereg("gif(.)", $ifconfig, $regs); + if($regs[0]) { + if($regs[0] > $last_gif_found) + $last_gif_found = $regs[1]; + } + } + return $last_gif_found; +} + function vpn_ipsec_configure($ipchg = false) { global $config, $g; - + + $number_of_gifs = find_last_gif_device(); + for($x=0; $x<$number_of_gifs; $x++) { + mwexec("/sbin/ifconfig gif" . $x . " delete"); + } + $curwanip = get_current_wan_address(); - + $syscfg = $config['system']; $ipseccfg = $config['ipsec']; $lancfg = $config['interfaces']['lan']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; - + if ($g['booting']) { if (!isset($ipseccfg['enable'])) return 0; - + echo "Configuring IPsec VPN... 
"; } else { /* kill racoon */ killbypid("{$g['varrun_path']}/racoon.pid"); - + /* wait for process to die */ sleep(2); - + /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); } - + /* flush SPD and SAD */ mwexec("/usr/sbin/setkey -FP"); mwexec("/usr/sbin/setkey -F"); - + /* prefer old SAs only for 30 seconds, then use the new one */ mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); - + if (isset($ipseccfg['enable'])) { - + if (!$curwanip) { /* IP address not configured yet, exit */ if ($g['booting']) echo "done\n"; return 0; } - + if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || isset($ipseccfg['mobileclients']['enable'])) { - + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { - + /* generate spd.conf */ $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); if (!$fd) { printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); return 1; } - + $spdconf = ""; - + $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; - + foreach ($ipseccfg['tunnel'] as $tunnel) { - + if (isset($tunnel['disabled'])) continue; - + $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; - + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); - - $spdconf .= "spdadd {$sa}/{$sn} " . - "{$tunnel['remote-subnet']} any -P out ipsec " . + + if(isset($tunnel['creategif'])) { + $number_of_gifs = find_last_gif_device(); + $number_of_gifs++; + $curwanip = get_current_wan_address(); + mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); + mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); + } + + $spdconf .= "spdadd {$sa}/{$sn} " . + "{$tunnel['remote-subnet']} any -P out ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . "{$tunnel['remote-gateway']}/unique;\n"; - - $spdconf .= "spdadd {$tunnel['remote-subnet']} " . 
- "{$sa}/{$sn} any -P in ipsec " . + + $spdconf .= "spdadd {$tunnel['remote-subnet']} " . + "{$sa}/{$sn} any -P in ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . "{$ep}/unique;\n"; } - + fwrite($fd, $spdconf); fclose($fd); - + /* load SPD */ mwexec("/usr/sbin/setkey -c < {$g['varetc_path']}/spd.conf"); } - + /* generate racoon.conf */ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); if (!$fd) { printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); return 1; } - + $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; - + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { - + if (isset($tunnel['disabled'])) continue; - + $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; - + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); - + if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; @@ -155,7 +185,7 @@ function vpn_ipsec_configure($ipchg = false) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } - + $racoonconf .= << -- cgit v1.1
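Review bot: The tunnel set-up line in the creategif branch concatenates `" tunnel" . $curwanip` with no separating space, so ifconfig receives one argument of the form `tunnel10.0.0.1` and the gif endpoints are never configured; it should read `" tunnel " . $curwanip . " " . $tunnel['remote-gateway']`, and since both values are interpolated straight into an mwexec() command string, wrapping them in escapeshellarg() would be cheap insurance even though they come from the stored config rather than a request. In find_last_gif_device() the comparison uses `$regs[0]` (the whole "gifN" text) where `$regs[1]` is meant, `$regs` is not reset between iterations so a non-matching entry presumably reuses the previous match, the single-character `gif(.)` capture stops working at gif10, and `echo $ifconfig . "\n";` looks like leftover debug output that will be printed during every configuration run. The teardown loop `for($x=0; $x<$number_of_gifs; $x++)` never reaches the highest-numbered device because the helper returns the last index rather than a count (`$x<=$number_of_gifs` would cover it), and `ifconfig gifN delete` appears to remove only the address rather than the interface, so the gif numbering would keep growing on each reconfigure — confirm against the target FreeBSD ifconfig. vpn_ipsec_configure() continues past the end of this hunk.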