From 3462a52903223da3bf931ab0dda9267242c4bb6c Mon Sep 17 00:00:00 2001 From: Matthew Grooms Date: Sun, 13 Jul 2008 23:28:45 +0000 Subject: Introduce a new and improved version of IPsec mobile client support. The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support external RADIUS and LDAP account DBs in a follow up comiit. --- usr/local/www/guiconfig.inc | 2 +- usr/local/www/vpn_ipsec.php | 19 +- usr/local/www/vpn_ipsec_ca.php | 2 +- usr/local/www/vpn_ipsec_mobile.php | 808 ++++++++++++++++++++++--------------- usr/local/www/vpn_ipsec_phase1.php | 268 +++++++----- usr/local/www/vpn_ipsec_phase2.php | 107 +++-- 6 files changed, 759 insertions(+), 447 deletions(-) (limited to 'usr/local/www') diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 9fecc45..acb3c1f 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc @@ -228,7 +228,7 @@ function print_info_box_np($msg, $name="apply",$value="Apply changes") { echo " \n"; echo " {$msg}\n"; echo " "; - if(stristr($msg, "apply") == true || stristr($msg, "save")) { + if(stristr($msg, "apply") == true || stristr($msg, "save") || stristr($msg, "create")) { echo " "; echo " \n"; echo " "; diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 94f4c37..d6761be 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -139,7 +139,7 @@ include("head.inc"); @@ -179,6 +179,7 @@ include("head.inc"); + " . $ph1ent['remote-gateway']; + if (!isset($ph1ent['mobile'])) + echo $if."
".$ph1ent['remote-gateway']; + else + echo $if."
Mobile Client"; ?> @@ -275,7 +279,7 @@ include("head.inc"); P2 Transforms P2 Auth Methods - + "> @@ -296,19 +300,20 @@ include("head.inc"); $spans = $spane = ""; ?> + - + - + - + @@ -350,6 +355,7 @@ include("head.inc"); + + diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php index b94c66d..25d0f4e 100755 --- a/usr/local/www/vpn_ipsec_ca.php +++ b/usr/local/www/vpn_ipsec_ca.php @@ -65,7 +65,7 @@ include("head.inc"); diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 5a88b66..5d78b73 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -1,9 +1,8 @@ . + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -30,129 +29,170 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['mobileclients'])) { - $config['ipsec']['mobileclients'] = array(); +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; + +$a_client = &$config['ipsec']['client']; + +if (!is_array($config['ipsec']['client'])) + $config['ipsec']['client'] = array(); + +$a_client = &$config['ipsec']['client']; + +if (count($a_client)) { + + $pconfig['enable'] = $a_client['enable']; + + $pconfig['user_source'] = $a_client['user_source']; + $pconfig['group_source'] = $a_client['group_source']; + + $pconfig['pool_address'] = $a_client['pool_address']; + $pconfig['pool_netbits'] = $a_client['pool_netbits']; + $pconfig['net_list'] = $a_client['net_list']; + $pconfig['dns_domain'] = $a_client['dns_domain']; + $pconfig['dns_server1'] = $a_client['dns_server1']; + $pconfig['dns_server2'] = $a_client['dns_server2']; + $pconfig['dns_server3'] = $a_client['dns_server3']; + $pconfig['dns_server4'] = $a_client['dns_server4']; + $pconfig['wins_server1'] = $a_client['wins_server1']; + $pconfig['wins_server2'] = $a_client['wins_server2']; + $pconfig['pfs_group'] = $a_client['pfs_group']; + $pconfig['login_banner'] = $a_client['login_banner']; + + if (isset($pconfig['enable'])) + $pconfig['enable'] = true; + + if ($pconfig['pool_address']&&$pconfig['pool_netbits']) + $pconfig['pool_enable'] = true; + else + $pconfig['pool_netbits'] = 24; + + if (isset($pconfig['net_list'])) + $pconfig['net_list_enable'] = true; + + if ($pconfig['dns_domain']) + $pconfig['dns_domain_enable'] = true; + + if ($pconfig['dns_server1']||$pconfig['dns_server2']||$pconfig['dns_server3']||$pconfig['dns_server4']) + $pconfig['dns_server_enable'] = true; + + if ($pconfig['wins_server1']||$pconfig['wins_server2']) + $pconfig['wins_server_enable'] = true; + + if (isset($pconfig['pfs_group'])) + $pconfig['pfs_group_enable'] = true; + + if ($pconfig['login_banner']) + 
$pconfig['login_banner_enable'] = true; } -$a_ipsec = &$config['ipsec']['mobileclients']; - -if (count($a_ipsec) == 0) { - /* defaults */ - $pconfig['p1mode'] = "aggressive"; - $pconfig['p1myidentt'] = "myaddress"; - $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "sha1"; - $pconfig['p1dhgroup'] = "2"; - $pconfig['p1authentication_method'] = "pre_shared_key"; - $pconfig['p2proto'] = "esp"; - $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); - $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); - $pconfig['p2pfsgroup'] = "0"; -} else { - $pconfig['enable'] = isset($a_ipsec['enable']); - $pconfig['natt'] = isset($a_ipsec['natt']); - $pconfig['p1mode'] = $a_ipsec['p1']['mode']; - - if (isset($a_ipsec['p1']['myident']['myaddress'])) - $pconfig['p1myidentt'] = 'myaddress'; - else if (isset($a_ipsec['p1']['myident']['address'])) { - $pconfig['p1myidentt'] = 'address'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['address']; - } else if (isset($a_ipsec['p1']['myident']['fqdn'])) { - $pconfig['p1myidentt'] = 'fqdn'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn']; - } else if (isset($a_ipsec['p1']['myident']['ufqdn'])) { - $pconfig['p1myidentt'] = 'user_fqdn'; - $pconfig['p1myident'] = $a_ipsec['p1']['myident']['ufqdn']; - } - - $pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm']; - $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; - $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; - $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; - $pconfig['p1authentication_method'] = $a_ipsec['p1']['authentication_method']; - $pconfig['p1cert'] = base64_decode($a_ipsec['p1']['cert']); - $pconfig['p1privatekey'] = base64_decode($a_ipsec['p1']['private-key']); - $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; - $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; - $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; - $pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup']; - 
$pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime']; + +if ($_POST['create']) { + header("Location: vpn_ipsec_phase1.php?mobile=true"); +} + +if ($_POST['apply']) { + $retval = 0; + $retval = vpn_ipsec_configure(); + $savemsg = get_std_save_message($retval); + if ($retval == 0) + if (file_exists($d_ipsecconfdirty_path)) + unlink($d_ipsecconfdirty_path); } -if ($_POST) { +if ($_POST['submit']) { + unset($input_errors); $pconfig = $_POST; - /* input validation */ - $reqdfields = explode(" ", "p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "P2 Encryption Algorithms,P2 Hash Algorithms"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if ($_POST['p1authentication_method']== "rsasig") { - if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - } + /* input consolidation */ + - if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { - $input_errors[] = "The P1 lifetime must be an integer."; - } - if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { - $input_errors[] = "The P2 lifetime must be an integer."; - } - if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { - $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - } - if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { - $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + + /* input validation */ + + $reqdfields = explode(" ", "user_source group_source"); + $reqdfieldsn = explode(",", "User Authentication Source,Group Authentication Source"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($pconfig['pool_enable']) + if 
(!is_ipaddr($pconfig['pool_address'])) + $input_errors[] = "A valid IP address for 'Virtual Address Pool Network' must be specified."; + + if ($pconfig['dns_domain_enable']) + if (!is_domain($pconfig['dns_domain'])) + $input_errors[] = "A valid value for 'DNS Default Domain' must be specified."; + + if ($pconfig['dns_server_enable']) { + if (!$pconfig['dns_server1'] && !$pconfig['dns_server2'] && + !$pconfig['dns_server3'] && !$pconfig['dns_server4'] ) + $input_errors[] = "At least one DNS server must be specified to enable the DNS Server option."; + if ($pconfig['dns_server1'] && !is_ipaddr($pconfig['dns_server1'])) + $input_errors[] = "A valid IP address for 'DNS Server #1' must be specified."; + if ($pconfig['dns_server2'] && !is_ipaddr($pconfig['dns_server2'])) + $input_errors[] = "A valid IP address for 'DNS Server #2' must be specified."; + if ($pconfig['dns_server3'] && !is_ipaddr($pconfig['dns_server3'])) + $input_errors[] = "A valid IP address for 'DNS Server #3' must be specified."; + if ($pconfig['dns_server4'] && !is_ipaddr($pconfig['dns_server4'])) + $input_errors[] = "A valid IP address for 'DNS Server #4' must be specified."; } - if ($_POST['p1myidentt'] == "user_fqdn") { - $ufqdn = explode("@",$_POST['p1myident']); - if (!is_domain($ufqdn[1])) - $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + + if ($pconfig['wins_server_enable']) { + if (!$pconfig['wins_server1'] && !$pconfig['wins_server2']) + $input_errors[] = "At least one WINS server must be specified to enable the DNS Server option."; + if ($pconfig['wins_server1'] && !is_ipaddr($pconfig['wins_server1'])) + $input_errors[] = "A valid IP address for 'WINS Server #1' must be specified."; + if ($pconfig['wins_server2'] && !is_ipaddr($pconfig['wins_server2'])) + $input_errors[] = "A valid IP address for 'WINS Server #2' must be specified."; } - - if ($_POST['p1myidentt'] == "myaddress") - $_POST['p1myident'] = ""; + + if 
($pconfig['login_banner_enable']) + if (!strlen($pconfig['login_banner'])) + $input_errors[] = "A valid value for 'Login Banner' must be specified."; if (!$input_errors) { - $ipsecent = array(); - $ipsecent['enable'] = $_POST['enable'] ? true : false; - $ipsecent['p1']['mode'] = $_POST['p1mode']; - $ipsecent['natt'] = $_POST['natt'] ? true : false; + $client = array(); - $ipsecent['p1']['myident'] = array(); - switch ($_POST['p1myidentt']) { - case 'myaddress': - $ipsecent['p1']['myident']['myaddress'] = true; - break; - case 'address': - $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; - break; - case 'fqdn': - $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; - break; - case 'user_fqdn': - $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; - break; + if ($pconfig['enable']) + $client['enable'] = true; + + $client['user_source'] = $pconfig['user_source']; + $client['group_source'] = $pconfig['group_source']; + + if ($pconfig['pool_enable']) { + $client['pool_address'] = $pconfig['pool_address']; + $client['pool_netbits'] = $pconfig['pool_netbits']; } - - $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; - $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; - $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; - $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; - $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); - $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); - $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; - $ipsecent['p2']['protocol'] = $_POST['p2proto']; - $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; - $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; - $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; - $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; - - $a_ipsec = $ipsecent; + + if ($pconfig['net_list_enable']) + $client['net_list'] = true; + + if ($pconfig['dns_domain_enable']) + $client['dns_domain'] = 
$pconfig['dns_domain']; + + if ($pconfig['dns_server_enable']) { + $client['dns_server1'] = $pconfig['dns_server1']; + $client['dns_server2'] = $pconfig['dns_server2']; + $client['dns_server3'] = $pconfig['dns_server3']; + $client['dns_server4'] = $pconfig['dns_server4']; + } + + if ($pconfig['wins_server_enable']) { + $client['wins_server1'] = $pconfig['wins_server1']; + $client['wins_server2'] = $pconfig['wins_server2']; + } + + if ($pconfig['pfs_group_enable']) + $client['pfs_group'] = $pconfig['pfs_group']; + + if ($pconfig['login_banner_enable']) + $client['login_banner'] = $pconfig['login_banner']; + +// $echo "login banner = {$pconfig['login_banner']}"; + + $a_client = $client; write_config(); touch($d_ipsecconfdirty_path); @@ -164,235 +204,357 @@ if ($_POST) { $pgtitle = array("VPN","IPsec","Mobile"); include("head.inc"); - ?> + + -
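Review bot: `pool_netbits` and `pfs_group` are copied from the POST into `$client` with no check at all, while `pool_address` right next to them is validated with is_ipaddr(); add `if ($pconfig['pool_enable'] && (!is_numeric($pconfig['pool_netbits']) || $pconfig['pool_netbits'] < 0 || $pconfig['pool_netbits'] > 32)) $input_errors[] = "A valid bit count for 'Virtual Address Pool Network' must be specified.";` and reject a `pfs_group` outside the values the form's Group select offers, since these values presumably end up in the generated IPsec daemon configuration. The `create` branch emits a Location header but never calls `exit;`, so the rest of the page still executes and is sent behind the redirect. The WINS error text reads "to enable the DNS Server option" — a copy-paste slip, it should say WINS Server. The leftover `// $echo "login banner = ..."` debugging line should be dropped rather than committed.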
- -

-You must apply the changes in order for them to take effect.");?>
- -

+
- - - - + +
You must apply the changes in order for them to take effect."); + foreach ($a_phase1 as $ph1ent) + if (isset($ph1ent['mobile'])) + $ph1found = true; + if ($pconfig['enable'] && !$ph1found) + print_info_box_np("Support for IPsec Mobile clients is enabled but a Phase1 definition was not found.
Please click Create to define one.","create","Create Phase1"); ?> -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  - > - Allow mobile clients
  - > - Enable NAT Traversal (NAT-T)
- Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, - which can help with clients that are behind restrictive firewalls.
Phase 1 proposal - (Authentication)
Negotiation mode -
Aggressive is faster, but - less secure.
My identifier - -
Encryption algorithm -
Must match the setting - chosen on the remote side.
Hash algorithm -
Must match the setting - chosen on the remote side.
DH key group -
1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit
- Must match the setting chosen on the remote side.
Lifetime - - seconds
Authentication method -
Must match the setting - chosen on the remote side.
Certificate - -
- Paste a certificate in X.509 PEM format here.
Key - -
- Paste an RSA private key in PEM format here.
Phase 2 proposal - (SA/Key Exchange)
Protocol -
ESP is encryption, AH is - authentication only
Encryption algorithms - $algoname): ?> - > - -
- -
- Hint: use 3DES for best compatibility or if you have a hardware - crypto accelerator card. Blowfish is usually the fastest in - software encryption.
Hash algorithms - $algoname): ?> - > - -
- -
PFS key group -
1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit
Lifetime - - seconds
  - -
-
-
+ + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IKE Extensions + + > + Enable Support of Mobile Clients +
+
+ Extended Authentication (Xauth) +
User Authentication + Source:   + +
Group Authentication + Source:   + +
+ Client Configuration (mode-cfg) +
Virtual Address Pool + + + + + + + +
+ + onClick="pool_change()"> + Provide a vitual IP address to clients
+
+
+ Network:  + + / + +
+
Network List + + > + Provide a list of accessable networks to clients
+
DNS Default Domain + + + + + + + +
+ + onClick="dns_domain_change()"> + Provide a default domain name to clients
+
+
+ +
+
DNS Servers + + + + + + + + + + + + + + + + +
+ + onClick="dns_server_change()"> + Provide a DNS server list to clients
+
+
+ Server #1:  + +
+ Server #2:  + +
+ Server #3:  + +
+ Server #4:  + +
+
WINS Servers + + + + + + + + + + +
+ + onClick="wins_server_change()"> + Provide a WINS server list to clients
+
+
+ Server #1:  + +
+ Server #2:  + +
+
Phase2 PFS Group + + + + + + + +
+ + onClick="pfs_group_change()"> + Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )
+
+
+ Group:   + +
+
Login Banner + + + + + + + +
+ + onClick="login_banner_change()"> + Provide a login banner to clients
+
+
+ + +
+
  + +
+
+
+ + + diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index 0a21362..0378105 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -58,7 +58,12 @@ if (isset($p1index) && $a_phase1[$p1index]) $pconfig['interface'] = "wan"; list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); - $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + + if (isset($a_phase1[$p1index]['mobile'])) + $pconfig['mobile'] = 'true'; + else + $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + $pconfig['mode'] = $a_phase1[$p1index]['mode']; $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data']; @@ -76,9 +81,13 @@ if (isset($p1index) && $a_phase1[$p1index]) $pconfig['descr'] = $a_phase1[$p1index]['descr']; $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal']; - $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable']; - $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay']; - $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + + if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) { + $pconfig['dpd_enable'] = true; + $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay']; + $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + } + $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost']; } else @@ -96,9 +105,11 @@ else $pconfig['dhgroup'] = "2"; $pconfig['lifetime'] = "28800"; $pconfig['nat_traversal'] = "on"; - $pconfig['dpd_enable'] = 1; - $pconfig['dpd_delay'] = 10; - $pconfig['dpd_maxfail'] = 5; + $pconfig['dpd_enable'] = true; + + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } if (isset($_GET['dup'])) 
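Review bot: Two user-visible labels in the new mobile form carry typos — `Provide a vitual IP address to clients` should read `virtual`, and `Provide a list of accessable networks to clients` should read `accessible`. The value attributes of the inputs are not visible in this rendering, so I cannot confirm that `$pconfig['login_banner']`, `dns_domain` and the server fields are passed through htmlspecialchars() before being re-echoed into the form after a failed validation; at that point they are free text taken straight from the POST, so this is worth checking.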
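Review bot: The defaults block now sets `$pconfig['dpd_enable'] = true;` but drops the former `dpd_delay = 10` / `dpd_maxfail = 5` defaults, and the POST handler later rejects an enabled DPD whose delay or retries is not numeric, so a new Phase1 saved with the checkbox left in its default state fails validation unless the form inputs supply a value themselves (not visible here). Either restore `$pconfig['dpd_delay'] = 10; $pconfig['dpd_maxfail'] = 5;` alongside the flag, or leave DPD unchecked by default.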
@@ -109,29 +120,33 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - if ($_POST['authentication_method'] == "pre_shared_key") { - $reqdfields = explode(" ", "remotegw pskey"); - $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key"); + + $method = $pconfig['authentication_method']; + if (($method == "pre_shared_key")||($method == "xauth_psk_server")) { + $reqdfields = explode(" ", "pskey"); + $reqdfieldsn = explode(",", "Pre-Shared Key"); } else { - $reqdfields = explode(" ", "remotegw"); - $reqdfieldsn = explode(",", "Remote gateway"); - if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + if (!strstr($pconfig['cert'], "BEGIN CERTIFICATE") || !strstr($pconfig['cert'], "END CERTIFICATE")) $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY")) + if (!strstr($pconfig['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($pconfig['privatekey'], "END RSA PRIVATE KEY")) $input_errors[] = "This key does not appear to be valid."; - if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE"))) + if ($pconfig['peercert']!="" && (!strstr($pconfig['peercert'], "BEGIN CERTIFICATE") || !strstr($pconfig['peercert'], "END CERTIFICATE"))) $input_errors[] = "This peer certificate does not appear to be valid."; } + if (!$pconfig['mobile']) { + $reqdfields[] = "remotegw"; + $reqdfieldsn[] = "Remote gateway"; + } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, &$input_errors); - if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) + if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime']))) $input_errors[] = "The P1 lifetime must be an integer."; - if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && 
!is_domain($_POST['remotegw']))) + if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))) $input_errors[] = "A valid remote gateway address or host name must be specified."; - if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { + if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) { $t = 0; foreach ($a_phase1 as $ph1tmp) { if ($p1index <> $t) { 
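Review bot: `authentication_method` is only branched on — PSK presence for `pre_shared_key`/`xauth_psk_server`, certificate checks for everything else — and is otherwise stored verbatim, so a posted value outside the set the form offers is accepted as long as a certificate is pasted; add `if (!in_array($method, array('pre_shared_key', 'xauth_psk_server', /* plus the certificate methods the select offers */), true)) $input_errors[] = "Unsupported authentication method.";` ahead of the branch. For the mobile case `xauth_psk_server` means one group pre-shared key shared by every roaming client; if aggressive mode is selectable for that method, a short caveat next to the Negotiation mode field that the group PSK is then exposed to offline guessing by anyone who can initiate IKE would be worth adding. The duplicate-gateway foreach at the end of this hunk continues past the hunk.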
@@ -146,123 +161,134 @@ if ($_POST) { /* My identity */ - if ($_POST['myid_type'] == "myaddress") - $_POST['myid_data'] = ""; + if ($pconfig['myid_type'] == "myaddress") + $pconfig['myid_data'] = ""; - if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter an address for 'My Identifier'"); - if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); - if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); - if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); - if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "") + if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); - if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data']))) + if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data']))) + if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) $input_errors[] = "A valid domain name for 'My identifier' must be specified."; - if ($_POST['myid_type'] == "fqdn") - if (is_domain($_POST['myid_data']) == false) + if ($pconfig['myid_type'] == "fqdn") + if (is_domain($pconfig['myid_data']) == false) 
$input_errors[] = "A valid FQDN for 'My identifier' must be specified."; - if ($_POST['myid_type'] == "user_fqdn") { - $user_fqdn = explode("@",$_POST['myid_data']); + if ($pconfig['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$pconfig['myid_data']); if (is_domain($user_fqdn[1]) == false) $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; } - if ($_POST['myid_type'] == "dyn_dns") - if (is_domain($_POST['myid_data']) == false) + if ($pconfig['myid_type'] == "dyn_dns") + if (is_domain($pconfig['myid_data']) == false) $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; /* Peer identity */ - if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "") + if ($pconfig['myid_type'] == "peeraddress") + $pconfig['peerid_data'] = ""; + + if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); - if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "") + if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); - if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data']))) + if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) $input_errors[] = "A valid IP address for 'Peer identifier' must be specified."; - if 
((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data']))) + if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) $input_errors[] = "A valid domain name for 'Peer identifier' must be specified."; - if ($_POST['peerid_type'] == "fqdn") - if (is_domain($_POST['peerid_data']) == false) + if ($pconfig['peerid_type'] == "fqdn") + if (is_domain($pconfig['peerid_data']) == false) $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified."; - if ($_POST['peerid_type'] == "user_fqdn") { - $user_fqdn = explode("@",$_POST['peerid_data']); + if ($pconfig['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$pconfig['peerid_data']); if (is_domain($user_fqdn[1]) == false) $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."; } - if ($_POST['dpd_enable']) { - if (!is_numeric($_POST['dpd_delay'])) + if ($pconfig['dpd_enable']) { + if (!is_numeric($pconfig['dpd_delay'])) $input_errors[] = "A numeric value must be specified for DPD delay."; - if (!is_numeric($_POST['dpd_maxfail'])) + if (!is_numeric($pconfig['dpd_maxfail'])) $input_errors[] = "A numeric value must be specified for DPD retries."; } /* build our encryption algorithms array */ $pconfig['ealgo'] = array(); $pconfig['ealgo']['name'] = $_POST['ealgo']; - if($_POST['ealgo_keylen']) + if($pconfig['ealgo_keylen']) $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; if (!$input_errors) { - $ph1ent['ikeid'] = $_POST['ikeid']; - $ph1ent['disabled'] = $_POST['disabled'] ? true : false; + $ph1ent['ikeid'] = $pconfig['ikeid']; + $ph1ent['disabled'] = $pconfig['disabled'] ? 
true : false; $ph1ent['interface'] = $pconfig['interface']; /* if the remote gateway changed and the interface is not WAN then remove route */ /* the vpn_ipsec_configure() handles adding the route */ - if ($_POST['interface'] <> "wan") { - if($ph1ent['remote-gateway'] <> $_POST['remotegw']) { + if ($pconfig['interface'] <> "wan") { + if($ph1ent['remote-gateway'] <> $pconfig['remotegw']) { mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}"); } } - $ph1ent['remote-gateway'] = $_POST['remotegw']; - $ph1ent['mode'] = $_POST['mode']; - $ph1ent['myid_type'] = $_POST['myid_type']; - $ph1ent['myid_data'] = $_POST['myid_data']; - $ph1ent['peerid_type'] = $_POST['peerid_type']; - $ph1ent['peerid_data'] = $_POST['peerid_data']; + if ($pconfig['mobile']) + $ph1ent['mobile'] = true; + else + $ph1ent['remote-gateway'] = $pconfig['remotegw']; + + $ph1ent['mode'] = $pconfig['mode']; + + $ph1ent['myid_type'] = $pconfig['myid_type']; + $ph1ent['myid_data'] = $pconfig['myid_data']; + $ph1ent['peerid_type'] = $pconfig['peerid_type']; + $ph1ent['peerid_data'] = $pconfig['peerid_data']; $ph1ent['encryption-algorithm'] = $pconfig['ealgo']; - $ph1ent['hash-algorithm'] = $_POST['halgo']; - $ph1ent['dhgroup'] = $_POST['dhgroup']; - $ph1ent['lifetime'] = $_POST['lifetime']; - $ph1ent['pre-shared-key'] = $_POST['pskey']; - $ph1ent['private-key'] = base64_encode($_POST['privatekey']); - $ph1ent['cert'] = base64_encode($_POST['cert']); - $ph1ent['peercert'] = base64_encode($_POST['peercert']); - $ph1ent['authentication_method'] = $_POST['authentication_method']; - - $ph1ent['descr'] = $_POST['descr']; - $ph1ent['nat_traversal'] = $_POST['nat_traversal']; - $ph1ent['dpd_enable'] = $_POST['dpd_enable']; - $ph1ent['dpd_delay'] = $_POST['dpd_delay']; - $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail']; - $ph1ent['pinghost'] = $_POST['pinghost']; + $ph1ent['hash-algorithm'] = $pconfig['halgo']; + $ph1ent['dhgroup'] = $pconfig['dhgroup']; + $ph1ent['lifetime'] = $pconfig['lifetime']; + 
$ph1ent['pre-shared-key'] = $pconfig['pskey']; + $ph1ent['private-key'] = base64_encode($pconfig['privatekey']); + $ph1ent['cert'] = base64_encode($pconfig['cert']); + $ph1ent['peercert'] = base64_encode($pconfig['peercert']); + $ph1ent['authentication_method'] = $pconfig['authentication_method']; + + $ph1ent['descr'] = $pconfig['descr']; + $ph1ent['nat_traversal'] = $pconfig['nat_traversal']; + + if (isset($pconfig['dpd_enable'])) { + $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; + $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; + } + + $ph1ent['pinghost'] = $pconfig['pinghost']; /* generate unique phase1 ikeid */ if ($ph1ent['ikeid'] == 0) { @@ -290,7 +316,11 @@ if ($_POST) { } } -$pgtitle = array("VPN","IPsec","Edit Phase 1"); +if ($pconfig['mobile']) + $pgtitle = array("VPN","IPsec","Edit Phase 1", "Mobile Client"); +else + $pgtitle = array("VPN","IPsec","Edit Phase 1"); + include("head.inc"); ?> @@ -299,15 +329,44 @@ include("head.inc"); @@ -394,6 +461,7 @@ function dpdchkbox_change() { Select the interface for the local endpoint of this phase1 entry. + Remote gateway @@ -402,6 +470,7 @@ function dpdchkbox_change() { Enter the public IP address or host name of the remote gateway + Description @@ -436,10 +505,10 @@ function dpdchkbox_change() { My identifier - + $id_params): ?> + @@ -449,10 +518,14 @@ function dpdchkbox_change() { Peer identifier - + $id_params): + if ($pconfig['mobile'] && !$id_params['mobile']) + continue; + ?> + @@ -523,9 +596,13 @@ function dpdchkbox_change() { Authentication method @@ -587,10 +664,10 @@ function dpdchkbox_change() { Dead Peer Detection - onClick="dpdchkbox_change()"> + onClick="dpdchkbox_change()"> Enable DPD
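Review bot: Under `/* Peer identity */` the new clearing step tests the wrong field — `if ($pconfig['myid_type'] == "peeraddress") $pconfig['peerid_data'] = "";` should be `if ($pconfig['peerid_type'] == "peeraddress")`, otherwise `peerid_data` is never cleared for that peer type and the condition, keyed on the My-identifier type, can never be what was intended. The route removal that follows, `mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}");`, interpolates a config value into a shell command; it is only ever an address or hostname that passed is_ipaddr()/is_domain(), but wrapping it in escapeshellarg() costs nothing and keeps that assumption out of the shell. `$pconfig['ealgo']['name'] = $_POST['ealgo'];` still reads `$_POST` while every neighbouring line was switched to `$pconfig`.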

- + seconds
Delay between requesting peer acknowledgement.

@@ -609,11 +686,14 @@ function dpdchkbox_change() {   - - + + + + + @@ -627,9 +707,13 @@ function dpdchkbox_change() { if (is_numeric($pconfig['ealgo']['keylen'])) $keyset = $pconfig['ealgo']['keylen']; ?> +myidsel_change(); +peeridsel_change(); methodsel_change(); ealgosel_change(); dpdchkbox_change(); //--> + + diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 7a3c5ce..f32c567 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -31,6 +31,11 @@ require("guiconfig.inc"); +if (!is_array($config['ipsec']['client'])) + $config['ipsec']['client'] = array(); + +$a_client = &$config['ipsec']['client']; + if (!is_array($config['ipsec']['phase2'])) $config['ipsec']['phase2'] = array(); @@ -60,6 +65,9 @@ if (isset($p2index) && $a_phase2[$p2index]) $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option']; $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup']; $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime']; + + if (isset($a_phase2[$p2index]['mobile'])) + $pconfig['mobile'] = true; } else { @@ -73,6 +81,10 @@ else $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5"); $pconfig['pfsgroup'] = "0"; $pconfig['lifetime'] = "3600"; + + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } if (isset($_GET['dup'])) 
@@ -83,41 +95,43 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - $ealgos = pconfig_to_ealgos($pconfig); - $localid = pconfig_to_idinfo("local",$pconfig); - $remoteid = pconfig_to_idinfo("remote",$pconfig); - if (!isset( $_POST['ikeid'])) $input_errors[] = "A valid ikeid must be specified."; /* input validation */ - $reqdfields = explode(" ", "localid_type remoteid_type halgos"); - $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms"); + $reqdfields = explode(" ", "localid_type halgos"); + $reqdfieldsn = explode(",", "Local network type,P2 Hash Algorithms"); + if (!isset($pconfig['mobile'])){ + $reqdfields[] = "remoteid_type"; + $reqdfieldsn[] = "Remote network type"; + } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - switch ($_POST['localid_type']) { + switch ($pconfig['localid_type']) { case "network": - if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits'])) + if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits'])) $input_errors[] = "A valid local network bit count must be specified.."; case "address": - if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address'])) + if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) $input_errors[] = "A valid local network IP address must be specified."; break; } - switch ($_POST['remoteid_type']) { + switch ($pconfig['remoteid_type']) { case "network": - if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits'])) + if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) $input_errors[] = "A valid remote network bit count must be specified.."; case "address": - if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address'])) + if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) $input_errors[] = "A valid remote network IP address must be specified."; break; } /* TODO : Validate enabled phase2's are not 
duplicates */ + $ealgos = pconfig_to_ealgos($pconfig); + if (!count($ealgos)) { $input_errors[] = "At least one encryption algorithm must be selected."; } @@ -126,16 +140,22 @@ if ($_POST) { } if (!$input_errors) { - $ph2ent['ikeid'] = $_POST['ikeid']; - $ph2ent['disabled'] = $_POST['disabled'] ? true : false; - $ph2ent['localid'] = $localid; - $ph2ent['remoteid'] = $remoteid; - $ph2ent['protocol'] = $_POST['proto']; + + $ph2ent['ikeid'] = $pconfig['ikeid']; + $ph2ent['disabled'] = $pconfig['disabled'] ? true : false; + + $ph2ent['localid'] = pconfig_to_idinfo("local",$pconfig); + $ph2ent['remoteid'] = pconfig_to_idinfo("remote",$pconfig); + + $ph2ent['protocol'] = $pconfig['proto']; $ph2ent['encryption-algorithm-option'] = $ealgos; - $ph2ent['hash-algorithm-option'] = $_POST['halgos']; - $ph2ent['pfsgroup'] = $_POST['pfsgroup']; - $ph2ent['lifetime'] = $_POST['lifetime']; - $ph2ent['descr'] = $_POST['descr']; + $ph2ent['hash-algorithm-option'] = $pconfig['halgos']; + $ph2ent['pfsgroup'] = $pconfig['pfsgroup']; + $ph2ent['lifetime'] = $pconfig['lifetime']; + $ph2ent['descr'] = $pconfig['descr']; + + if (isset($pconfig['mobile'])) + $ph2ent['mobile'] = true; if (isset($p2index) && $a_phase2[$p2index]) $a_phase2[$p2index] = $ph2ent; @@ -150,7 +170,11 @@ if ($_POST) { } } -$pgtitle = array("VPN","IPsec","Edit Phase 2"); +if ($pconfig['mobile']) + $pgtitle = array("VPN","IPsec","Edit Phase 2", "Mobile Client"); +else + $pgtitle = array("VPN","IPsec","Edit Phase 2"); + include("head.inc"); ?> @@ -183,6 +207,17 @@ function typesel_change_local(bits) { break; } } + + + +function typesel_change_remote(bits) { + + document.iform.remoteid_address.disabled = 1; + document.iform.remoteid_netbits.disabled = 1; +} + + + function typesel_change_remote(bits) { if (!bits) @@ -207,6 +242,9 @@ function typesel_change_remote(bits) { break; } } + + + //--> @@ -260,6 +298,8 @@ function typesel_change_remote(bits) { + + Remote Network 
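Review bot: `localid_netbits` / `remoteid_netbits` are only checked with is_numeric(), so `33`, `-1` or `4.5` pass and are stored; tighten to `if (!is_numeric($pconfig['localid_netbits']) || $pconfig['localid_netbits'] < 0 || $pconfig['localid_netbits'] > 32)` and the same for the remote side. `do_input_validation($_POST, ...)` still passes `$_POST` while the rest of the hunk was switched to `$pconfig` — harmless since `$pconfig = $_POST;` just above, but inconsistent with the same call in vpn_ipsec_phase1.php in this commit. The `case "network":` branch deliberately falls into `case "address":` so the address is checked too; a `/* fall through: a network also needs its address validated */` comment would stop the next reader from adding a break. For a mobile entry remoteid_type is no longer required, yet `pconfig_to_idinfo("remote", $pconfig)` is still stored at the save site; what it returns for an absent type is not visible here and deserves a comment there.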
@@ -291,6 +331,7 @@ function typesel_change_remote(bits) {
+ Description @@ -380,6 +421,7 @@ function typesel_change_remote(bits) { PFS key group +
1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit + + + +
+ Set globally in mobile client options + @@ -401,11 +451,15 @@ function typesel_change_remote(bits) {   - - + + + + + + @@ -417,9 +471,13 @@ typesel_change_remote(); //--> + + + -- cgit v1.1