From 5b237745003431d487de361ca0980a467ee2f5d5 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Sun, 7 Nov 2004 03:06:49 +0000 Subject: Initial revision --- usr/local/www/vpn_ipsec_mobile.php | 330 +++++++++++++++++++++++++++++++++++++ 1 file changed, 330 insertions(+) create mode 100755 usr/local/www/vpn_ipsec_mobile.php (limited to 'usr/local/www/vpn_ipsec_mobile.php') diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php new file mode 100755 index 0000000..3031a45 --- /dev/null +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -0,0 +1,330 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['mobileclients'])) { + $config['ipsec']['mobileclients'] = array(); +} +$a_ipsec = &$config['ipsec']['mobileclients']; + +if (count($a_ipsec) == 0) { + /* defaults */ + $pconfig['p1mode'] = "aggressive"; + $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1ealgo'] = "3des"; + $pconfig['p1halgo'] = "sha1"; + $pconfig['p1dhgroup'] = "2"; + $pconfig['p2proto'] = "esp"; + $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); + $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); + $pconfig['p2pfsgroup'] = "0"; +} else { + $pconfig['enable'] = isset($a_ipsec['enable']); + $pconfig['p1mode'] = $a_ipsec['p1']['mode']; + + if (isset($a_ipsec['p1']['myident']['myaddress'])) + $pconfig['p1myidentt'] = 'myaddress'; + else if (isset($a_ipsec['p1']['myident']['address'])) { + $pconfig['p1myidentt'] = 'address'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['address']; + } else if (isset($a_ipsec['p1']['myident']['fqdn'])) { + $pconfig['p1myidentt'] = 'fqdn'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn']; + } else if (isset($a_ipsec['p1']['myident']['ufqdn'])) { + $pconfig['p1myidentt'] = 'user_fqdn'; + $pconfig['p1myident'] = $a_ipsec['p1']['myident']['ufqdn']; + } + + $pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm']; + $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; + $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; + $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; + $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; + $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; + $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; + $pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup']; + $pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime']; +} + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "P2 Encryption Algorithms,P2 Hash Algorithms"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { + $input_errors[] = "The P1 lifetime must be an integer."; + } + if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + } + if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + } + if ($_POST['p1myidentt'] == "user_fqdn") { + $ufqdn = explode("@",$_POST['p1myident']); + if (!is_domain($ufqdn[1])) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + } + + if ($_POST['p1myidentt'] == "myaddress") + $_POST['p1myident'] = ""; + + if (!$input_errors) { + $ipsecent = array(); + $ipsecent['enable'] = $_POST['enable'] ? true : false; + $ipsecent['p1']['mode'] = $_POST['p1mode']; + + $ipsecent['p1']['myident'] = array(); + switch ($_POST['p1myidentt']) { + case 'myaddress': + $ipsecent['p1']['myident']['myaddress'] = true; + break; + case 'address': + $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; + break; + case 'fqdn': + $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; + break; + case 'user_fqdn': + $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; + break; + } + + $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; + $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; + $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; + $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p2']['protocol'] = $_POST['p2proto']; + $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; + $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; + $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; + $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; + + $a_ipsec = $ipsecent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_mobile.php"); + exit; + } +} +?> + + + +<?=gentitle("VPN: IPsec");?> + + + + + + +

VPN: IPsec

+
+ +

+You must apply the changes in order for them to take effect.");?>
+

+ +
+
+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  + > + Allow mobile clients
Phase 1 proposal + (Authentication)
Negotiation mode +
Aggressive is faster, but + less secure.
My identifier + +
Encryption algorithm +
Must match the setting + chosen on the remote side.
Hash algorithm +
Must match the setting + chosen on the remote side.
DH key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
+ Must match the setting chosen on the remote side.
Lifetime + + seconds
Phase 2 proposal + (SA/Key Exchange)
Protocol +
ESP is encryption, AH is + authentication only
Encryption algorithms + $algoname): ?> + > + +
+ +
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption.
Hash algorithms + $algoname): ?> + > + +
+ +
PFS key group +
1 = 768 bit, 2 = 1024 + bit, 5 = 1536 bit
Lifetime + + seconds
  + +
+
+
+ + + -- cgit v1.1