From a93e56c58af2611650d1f97190ffe54782479423 Mon Sep 17 00:00:00 2001 From: Matthew Grooms Date: Fri, 11 Jul 2008 01:55:30 +0000 Subject: Overhaul IPsec related code. Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration have also been improved. The key size for variable length algorithms can now be selected and the phase1 ID options have been extended to allow for more flexible configuration. Several NAT-T related issues have also been resolved. Please note, IPsec remote access functionality has been temporarily disabled. An improved implementation will be included in a follow up commit. --- usr/local/www/diag_ipsec.php | 236 ++++----- usr/local/www/diag_ipsec_sad.php | 174 +++---- usr/local/www/diag_ipsec_spd.php | 201 ++++---- usr/local/www/diag_logs_ipsec.php | 8 +- usr/local/www/guiconfig.inc | 19 - usr/local/www/pkg_edit.php | 2 +- usr/local/www/vpn_ipsec.php | 435 +++++++++++----- usr/local/www/vpn_ipsec_ca.php | 16 +- usr/local/www/vpn_ipsec_edit.php | 662 ------------------------- usr/local/www/vpn_ipsec_keys.php | 120 ----- usr/local/www/vpn_ipsec_keys_edit.php | 128 ----- usr/local/www/vpn_ipsec_mobile.php | 3 +- usr/local/www/vpn_ipsec_phase1.php | 635 ++++++++++++++++++++++++ usr/local/www/vpn_ipsec_phase2.php | 489 ++++++++++++++++++ usr/local/www/widgets/include/ipsec.inc | 81 --- usr/local/www/widgets/widgets/ipsec.widget.php | 26 +- 16 files changed, 1705 insertions(+), 1530 deletions(-) delete mode 100755 usr/local/www/vpn_ipsec_edit.php delete mode 100755 usr/local/www/vpn_ipsec_keys.php delete mode 100755 usr/local/www/vpn_ipsec_keys_edit.php create mode 100644 usr/local/www/vpn_ipsec_phase1.php create mode 100644 usr/local/www/vpn_ipsec_phase2.php delete mode 100644 usr/local/www/widgets/include/ipsec.inc (limited to 'usr/local/www') 
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php index 4b16fe5..a61a5a1 100644 --- a/usr/local/www/diag_ipsec.php +++ b/usr/local/www/diag_ipsec.php @@ -3,6 +3,7 @@ /* diag_ipsec.php Copyright (C) 2007 Scott Ullrich + Copyright (C) 2008 Shrew Soft Inc . All rights reserved. Parts of this code was originally based on vpn_ipsec_sad.php @@ -30,170 +31,111 @@ POSSIBILITY OF SUCH DAMAGE. */ +global $g; + $pgtitle = array("Status","IPsec"); require("guiconfig.inc"); include("head.inc"); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase2 = &$config['ipsec']['phase2']; + +$spd = ipsec_dump_spd(); +$sad = ipsec_dump_sad(); + ?> ">
- - - - - - +
- -
- -
- - - - - - - - - - - - - - - - - - - - - + - -
SourceDestinationDescriptionStatus
-
- +
+ -
- -
-

- No IPsec security associations. -

-
-

- - - - Note:
-
-
- You can configure your IPsec - here. -
-

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Local IPRemote IPLocal NetworkRemote NetworkDescriptionStatus
+ + + + + + + + + +
+

+ No IPsec security associations. +

+
+

+ + + Note:
+
+ You can configure your IPsec + here. +
+

+
+
-
- -
-"; -} - -?> diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php index 5d5b738..f2a08af 100755 --- a/usr/local/www/diag_ipsec_sad.php +++ b/usr/local/www/diag_ipsec_sad.php @@ -33,30 +33,14 @@ require("guiconfig.inc"); -$pgtitle = array("Status","IPsec","SA"); +$pgtitle = array("Status","IPsec","SAD"); include("head.inc"); -?> - - - - - - - - -
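Review bot: `global $g;` added at the top of diag_ipsec.php has no effect where it stands — `global` only binds a name inside a function body, and at file scope `$g` is already the global, so the line suggests a dependency the code does not actually express and should be dropped (or replaced by a comment saying what `$g` is needed for). The same hunk starts calling `ipsec_dump_spd()` and `ipsec_dump_sad()`, which the commit message places in the new /etc/ipsec.inc; nothing in this file includes that file, so presumably guiconfig.inc pulls it in — worth confirming, since the page fatals otherwise. `$a_phase2` is also taken by reference here; if it is only read for display, a plain copy is clearer.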
- -
- /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { fwrite($fd, "delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;\n"); pclose($fd); @@ -64,87 +48,79 @@ if ($_GET['act'] == "del") { } } -/* query SAD */ -$fd = @popen("/sbin/setkey -D", "r"); -$sad = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SAD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursa)) - $sad[] = $cursa; - $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - $i = 0; - } else { - $linea = explode(" ", trim($line)); - if ($i == 1) { - $cursa['proto'] = $linea[0]; - $cursa['spi'] = substr($linea[2], strpos($linea[2], "x")+1, -1); - } else if ($i == 2) { - $cursa['ealgo'] = $linea[1]; - } else if ($i == 3) { - $cursa['aalgo'] = $linea[1]; - } - } - $i++; - } - if (is_array($cursa) && count($cursa)) - $sad[] = $cursa; - pclose($fd); -} ?> -
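Review bot: The `delete {$_GET['src']} {$_GET['dst']} {$_GET['proto']} {$_GET['spi']} ;` line written to setkey still takes all four values straight from the query string with no validation, and the commit changes only the setkey path above it. Whatever is accepted there becomes part of the setkey command stream, and because stdout/stderr go to `/dev/null` a malformed command fails silently. Guard the write with the validators this code base already uses, e.g. `if (is_ipaddr($_GET['src']) && is_ipaddr($_GET['dst']) && in_array($_GET['proto'], array('esp', 'ah', 'ipcomp')) && preg_match('/^(0x)?[0-9a-f]+$/i', $_GET['spi'])) {` (the SPI pattern is a constructed example — match it to whatever form ipsec_dump_sad() emits), and report an input error when the check fails instead of sleeping.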
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
SourceDestinationProtocolSPIEnc. alg.Auth. alg.
- - -

No IPsec security associations.

-

Note:
-
You can configure your IPsec here.

-
-
-
- - + + + + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SourceDestinationProtocolSPIEnc. alg.Auth. alg.
+ + + + +
+

No IPsec security associations.

+
+

+ + + Note:
+
+ You can configure your IPsec here. +
+

+
+
+
+ diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php index dc6ee6f..d9dfe54 100755 --- a/usr/local/www/diag_ipsec_spd.php +++ b/usr/local/www/diag_ipsec_spd.php @@ -36,129 +36,104 @@ require("guiconfig.inc"); $pgtitle = array("Status","IPsec","SPD"); include("head.inc"); -?> - - - - - - -
- -
- /dev/null 2>&1", "w"); + $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); if ($fd) { - fwrite($fd, "spddelete {$_GET['src']} {$_GET['dst']} any -P {$_GET['dir']} ;\n"); + fwrite($fd, "spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;\n"); pclose($fd); sleep(1); } } -/* query SAD */ -$fd = @popen("/sbin/setkey -DP", "r"); -$spd = array(); -if ($fd) { - while (!feof($fd)) { - $line = chop(fgets($fd)); - if (!$line) - continue; - if ($line == "No SPD entries.") - break; - if ($line[0] != "\t") { - if (is_array($cursp)) - $spd[] = $cursp; - $cursp = array(); - $linea = explode(" ", $line); - $cursp['src'] = substr($linea[0], 0, strpos($linea[0], "[")); - $cursp['dst'] = substr($linea[1], 0, strpos($linea[1], "[")); - $i = 0; - } else if (is_array($cursp)) { - $linea = explode(" ", trim($line)); - if ($i == 1) { - if ($linea[1] == "none") /* don't show default anti-lockout rule */ - unset($cursp); - else - $cursp['dir'] = $linea[0]; - } else if ($i == 2) { - $upperspec = explode("/", $linea[0]); - $cursp['proto'] = $upperspec[0]; - list($cursp['ep_src'], $cursp['ep_dst']) = explode("-", $upperspec[2]); - } - } - $i++; - } - if (is_array($cursp) && count($cursp)) - $spd[] = $cursp; - pclose($fd); -} +$spd = ipsec_dump_spd(); ?> -
- - - - - - - - - - - - - - - - - - - - -
SourceDestinationDirectionProtocolTunnel endpoints
-
-
- - - -
-
- - - - - - - - - - - - - - - - -
incoming (as seen by firewall)
outgoing (as seen by firewall)

No IPsec security policies.

-

Note:
-
You can configure your IPsec here.

-
-
-
- + + + + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + +
SourceDestinationDirectionProtocolTunnel endpoints
+ + -> + + + + +
+
+ + + + + + + + + + + + + + + + + + +
incoming (as seen by firewall)
outgoing (as seen by firewall)
+

No IPsec security policies.

+
+

+ + + Note:
+
+ You can configure your IPsec here. +
+

+
+
+
+ diff --git a/usr/local/www/diag_logs_ipsec.php b/usr/local/www/diag_logs_ipsec.php index a6b8ae6..74cf757 100755 --- a/usr/local/www/diag_logs_ipsec.php +++ b/usr/local/www/diag_logs_ipsec.php @@ -38,11 +38,11 @@ $ipsec_logfile = "{$g['varlog_path']}/ipsec.log"; /* Create array with all IPsec tunnel descriptions */ $search = array(); $replace = array(); -if(is_array($config['ipsec']['tunnel'])) - foreach($config['ipsec']['tunnel'] as $tunnel) { - $gateway = "{$tunnel['remote-gateway']}"; +if(is_array($config['ipsec']['phase1'])) + foreach($config['ipsec']['phase1'] as $ph1ent) { + $gateway = "{$ph1ent['remote-gateway']}"; $search[] = "/(racoon: )([A-Z:].*?)({$gateway}\[[0-9].+\]|{$gateway})(.*)/i"; - $replace[] = "$1[{$tunnel['descr']}]: $2$3$4"; + $replace[] = "$1[{$ph1ent['descr']}]: $2$3$4"; } /* collect all our own ip addresses */ exec("/sbin/ifconfig|/usr/bin/awk '/inet / {print $2}'", $ip_address_list); diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 1c6ab78..9fecc45 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc 
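Review bot: The new `spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;` line interpolates three query-string values into the setkey command stream unchecked; the rename from src/dst to srcid/dstid did not add any validation, and the `> /dev/null 2>&1` redirect hides any failure. Wrap the `fwrite()` in a guard such as `if ((is_ipaddr($_GET['srcid']) || is_subnet($_GET['srcid'])) && (is_ipaddr($_GET['dstid']) || is_subnet($_GET['dstid'])) && in_array($_GET['dir'], array('in', 'out'))) {` — whether srcid/dstid arrive as hosts or CIDR blocks depends on what ipsec_dump_spd() emits, which is outside this hunk, so pick the matching validator. The `sleep(1)` after `pclose()` should also be replaced by checking the pclose() return value and surfacing an error to the page. The enclosing `if ($_GET['act'] == "del")` block's opening line is lost in this rendering, but the hunk covers the whole branch.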
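Review bot: `$gateway = "{$ph1ent['remote-gateway']}";` is spliced into the regex on the following line without `preg_quote()`, and remote-gateway may be a host name as well as an address (the removed edit page accepted "a valid remote gateway address or host name"), so any regex metacharacter in that value either mis-matches or makes preg_replace fail and silently drop the description tagging for every log line. Use `$gateway = preg_quote($ph1ent['remote-gateway'], '/');` instead of the plain copy. The `$replace[]` string carries `descr` verbatim as well, where a `$1`-style sequence or backslash in the description would be read as a backreference; `addcslashes($ph1ent['descr'], '\\$')` keeps it literal.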
@@ -157,25 +157,6 @@ $medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex", /* platforms that support firmware updating */ $fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap'); -/* IPsec defines */ -$my_identifier_list = array('myaddress' => 'My IP address', - 'address' => 'IP address', - 'fqdn' => 'Domain name', - 'user_fqdn' => 'User FQDN', - 'asn1dn' => 'Distinguished Name', - 'dyn_dns' => 'Dynamic DNS'); - -$p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128','rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); -$p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', - 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)', 'rijndael 256' => 'Rijndael 256'); - -$p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5'); -$p1_authentication_methods = array('pre_shared_key' => 'Pre-shared key', 'rsasig' => 'RSA signature'); -$p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5'); -$p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); -$p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); - function do_input_validation($postdata, $reqdfields, $reqdfieldsn, $input_errors) { /* check for bad control characters */ diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php index a2a2442..64826d0 100755 --- a/usr/local/www/pkg_edit.php +++ b/usr/local/www/pkg_edit.php @@ -381,7 +381,7 @@ if ($pkg['tabs'] <> "") { print("\n
\n" . fixup_string($pkga['description']) . "\n"); } else if($pkga['type'] == "vpn_selection") { echo "\n"; diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 4946d73..94f4c37 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -4,6 +4,7 @@ part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper . + Copyright (C) 2008 Shrew Soft Inc All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,14 +31,18 @@ require("guiconfig.inc"); -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; +$a_phase2 = &$config['ipsec']['phase2']; + $wancfg = &$config['interfaces']['wan']; $pconfig['enable'] = isset($config['ipsec']['enable']); -$pconfig['ipcomp'] = isset($config['ipsec']['ipcomp']); if ($_POST) { @@ -53,7 +58,6 @@ if ($_POST) { $pconfig = $_POST; $config['ipsec']['enable'] = $_POST['enable'] ? true : false; - $config['ipsec']['ipcomp'] = $_POST['ipcomp'] ? true : false; write_config(); 
@@ -72,13 +76,41 @@ if ($_POST) { } } -if ($_GET['act'] == "del") { - if ($a_ipsec[$_GET['id']]) { +if ($_GET['act'] == "delph1") +{ + if ($a_phase1[$_GET['p1index']]) { /* remove static route if interface is not WAN */ - if($a_ipsec[$_GET['id']]['interface'] <> "wan") { - mwexec("/sbin/route delete -host {$$a_ipsec[$_GET['id']]['remote-gateway']}"); + if ($a_phase1[$_GET['p1index']]['interface'] <> "wan") { + mwexec("/sbin/route delete -host {$$a_phase1[$_GET['p1index']]['remote-gateway']}"); + } + + /* remove all phase2 entries that match the ikeid */ + $ikeid = $a_phase1[$_GET['p1index']]['ikeid']; + $p2index = 0; + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { + /* remove the phase2 entry */ + unset($a_phase2[$p2index]); + continue; + } + /* only skip if we remove an entry */ + $p2index++; } - unset($a_ipsec[$_GET['id']]); + + /* remove the phase1 entry */ + unset($a_phase1[$_GET['p1index']]); + filter_configure(); + write_config(); + header("Location: vpn_ipsec.php"); + exit; + } +} + +if ($_GET['act'] == "delph2") +{ + if ($a_phase2[$_GET['p2index']]) { + /* remove the phase2 entry */ + unset($a_phase2[$_GET['p2index']]); filter_configure(); write_config(); header("Location: vpn_ipsec.php"); @@ -95,133 +127,270 @@ include("head.inc");
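Review bot: The phase2 cleanup in the new `delph1` branch leaves entries behind: `foreach` iterates a copy of `$a_phase2` with its keys intact, but `$p2index` is only advanced on non-matching entries, so after the first `unset($a_phase2[$p2index])` the counter no longer lines up with the array keys and the next matching entry is missed (two consecutive phase2 entries for the same ikeid — the second survives and now references a deleted phase1). Iterate by key instead: `foreach ($a_phase2 as $p2index => $ph2tmp)` and drop the manual `$p2index = 0;`/`$p2index++;` bookkeeping and the `continue`. Separately, `{$$a_phase1[$_GET['p1index']]['remote-gateway']}` in the `route delete` command is a variable-variable carried over from the old `$$a_ipsec` form; it resolves to an undefined variable and expands to nothing, so the host route is never removed — it should read `{$a_phase1[$_GET['p1index']]['remote-gateway']}`, preferably passed through `escapeshellarg()` since mwexec() hands the string to a shell.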
- -

-You must apply the changes in order for them to take effect.");?>
- - - - -
You must apply the changes in order for them to take effect."); ?> -
-
- - - - - - - -
- > - Enable IPsec
-
- - - - - - - - - - - "; - $spane = ""; - } else { - $spans = $spane = ""; - } - ?> - - + + + + + + + + + + +
Local net
- Remote net
Interface
Remote gw
P1 modeP1 Enc. AlgoP1 Hash AlgoDescription - - - - - -
-
- +
+ +
+
+ + + + + + + +
+ > + Enable IPsec +
+ +
+ + + + + + + + + + "; + $spane = ""; + } else - echo $ipsecent['local-subnet']['address']; + $spans = $spane = ""; ?> -
- - - + + + + + + + + + + + - - - - - - - - - - - - - - -
Interface
Remote gw
P1 modeP1 Enc. AlgoP1 Hash AlgoDescription + + + + + +
+ +
+
- " . $ipsecent['remote-gateway']; +
+ + " . $ph1ent['remote-gateway']; + ?> + + + + + + + + + + + + + + + + + +   + + + + + + + + + + + + +
+ + + + + + + +
+ + + + +
+
+ + + + + + + + + + "; + $spane = ""; + } + else + $spans = $spane = ""; + ?> + + + + + + + + + +
Local NetworkRemote NetworkP2 ProtocolP2 TransformsP2 Auth Methods + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+
- - - - - - -   - - - - - - - - - - -
-
- - - - - -
-
-
-

Note:
-
You can check your IPsec status at Status:IPsec.

-
-
-
+ + + + + +
+ + + +
+
+
+

+ + + Note:
+
+ You can check your IPsec status at Status:IPsec. +
+

+
+
+

diff --git a/usr/local/www/vpn_ipsec_ca.php b/usr/local/www/vpn_ipsec_ca.php index 17195ae..b94c66d 100755 --- a/usr/local/www/vpn_ipsec_ca.php +++ b/usr/local/www/vpn_ipsec_ca.php @@ -51,22 +51,22 @@ include("head.inc"); ?> -
- -

-You must apply the changes in order for them to take effect.");?>
- +You must apply the changes in order for them to take effect."); +?> diff --git a/usr/local/www/vpn_ipsec_edit.php b/usr/local/www/vpn_ipsec_edit.php deleted file mode 100755 index 74de623..0000000 --- a/usr/local/www/vpn_ipsec_edit.php +++ /dev/null 
@@ -1,662 +0,0 @@ -. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['tunnel'])) { - $config['ipsec']['tunnel'] = array(); -} -$a_ipsec = &$config['ipsec']['tunnel']; - -if($config['interfaces']['lan']) - $specialsrcdst = explode(" ", "lan"); - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; -} - -if (isset($id) && $a_ipsec[$id]) { - $pconfig['disabled'] = isset($a_ipsec[$id]['disabled']); - $pconfig['auto'] = isset($a_ipsec[$id]['auto']); - - if (!isset($a_ipsec[$id]['local-subnet'])) { - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - } else { - if($config['interfaces']['lan']) - address_to_pconfig_vpn($a_ipsec[$id]['local-subnet'], $pconfig['localnet'], $pconfig['localnetmask']); - } - - if ($a_ipsec[$id]['interface']) - $pconfig['interface'] = $a_ipsec[$id]['interface']; - else - $pconfig['interface'] = "wan"; - - list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_ipsec[$id]['remote-subnet']); - $pconfig['remotegw'] = $a_ipsec[$id]['remote-gateway']; - $pconfig['p1mode'] = $a_ipsec[$id]['p1']['mode']; - - if (isset($a_ipsec[$id]['p1']['myident']['myaddress'])) - $pconfig['p1myidentt'] = 'myaddress'; - else if (isset($a_ipsec[$id]['p1']['myident']['address'])) { - $pconfig['p1myidentt'] = 'address'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['address']; - } else if (isset($a_ipsec[$id]['p1']['myident']['fqdn'])) { - $pconfig['p1myidentt'] = 'fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['fqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['ufqdn'])) { - $pconfig['p1myidentt'] = 'user_fqdn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['ufqdn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['asn1dn'])) { - $pconfig['p1myidentt'] = 'asn1dn'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['asn1dn']; - } else if (isset($a_ipsec[$id]['p1']['myident']['dyn_dns'])) { - $pconfig['p1myidentt'] = 
'dyn_dns'; - $pconfig['p1myident'] = $a_ipsec[$id]['p1']['myident']['dyn_dns']; - } - - $pconfig['p1ealgo'] = $a_ipsec[$id]['p1']['encryption-algorithm']; - $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; - $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; - $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; - $pconfig['p1authentication_method'] = $a_ipsec[$id]['p1']['authentication_method']; - $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; - $pconfig['p1cert'] = base64_decode($a_ipsec[$id]['p1']['cert']); - $pconfig['p1peercert'] = base64_decode($a_ipsec[$id]['p1']['peercert']); - $pconfig['p1privatekey'] = base64_decode($a_ipsec[$id]['p1']['private-key']); - $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; - $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; - $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; - $pconfig['p2pfsgroup'] = $a_ipsec[$id]['p2']['pfsgroup']; - $pconfig['p2lifetime'] = $a_ipsec[$id]['p2']['lifetime']; - $pconfig['descr'] = $a_ipsec[$id]['descr']; - $pconfig['pinghost'] = $a_ipsec[$id]['pinghost']; - -} else { - /* defaults */ - $pconfig['interface'] = "wan"; - if($config['interfaces']['lan']) - $pconfig['localnet'] = "lan"; - $pconfig['p1mode'] = "aggressive"; - $pconfig['p1myidentt'] = "myaddress"; - $pconfig['p1authentication_method'] = "pre_shared_key"; - $pconfig['p1ealgo'] = "3des"; - $pconfig['p1halgo'] = "sha1"; - $pconfig['p1dhgroup'] = "2"; - $pconfig['p2proto'] = "esp"; - $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael,rijndael 256"); - $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); - $pconfig['p2pfsgroup'] = "0"; - $pconfig['remotebits'] = 32; -} - -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - if (is_specialnet($_POST['localnettype'])) { - $_POST['localnet'] = $_POST['localnettype']; - $_POST['localnetmask'] = 0; - } else if ($_POST['localnettype'] == "single") { - $_POST['localnetmask'] = 32; - 
} - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - if ($_POST['p1authentication_method'] == "pre_shared_key") { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); - } - else { - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,P2 Encryption Algorithms,P2 Hash Algorithms"); - if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - if ($_POST['p1peercert']!="" && (!strstr($_POST['p1peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1peercert'], "END CERTIFICATE"))) - $input_errors[] = "This peer certificate does not appear to be valid."; - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (!is_specialnet($_POST['localnettype'])) { - if (($_POST['localnet'] && !is_ipaddr($_POST['localnet']))) { - $input_errors[] = "A valid local network IP address must be specified."; - } - if (($_POST['localnetmask'] && !is_numeric($_POST['localnetmask']))) { - $input_errors[] = "A valid local network bit count must be specified."; - } - } - if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { - $input_errors[] = "The P1 lifetime must be an integer."; - } - if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) { - $input_errors[] = "The P2 lifetime must be an integer."; - } - if ($_POST['remotebits'] && (!is_numeric($_POST['remotebits']) || ($_POST['remotebits'] < 0) || 
($_POST['remotebits'] > 32))) { - if(!$_POST['remotebits'] == "0.0.0.0") - $input_errors[] = "The remote network bits are invalid."; - } - if (($_POST['remotenet'] && !is_ipaddr($_POST['remotenet'])) or $_POST['remotenet'] == "0.0.0.0") { - /* allow 0.0.0.0 remote net usage */ - if($_POST['remotenet'] <> "0.0.0.0") - $input_errors[] = "A valid remote network address must be specified."; - } - if (($_POST['remotenet'] && is_ipaddr($_POST['remotenet']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotecidr = $pconfig['remotenet'] ."/". $pconfig['remotebits']; - if(($tunnel['remote-subnet'] == $tremotecidr) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote network \"$tremotecidr\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw']))) - $input_errors[] = "A valid remote gateway address or host name must be specified."; - if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { - $t = 0; - foreach($a_ipsec as $tunnel) { - if($id <> $t) { - $tremotegw = $pconfig['remotegw']; - if(($tunnel['remote-gateway'] == $tremotegw) && !isset($tunnel['disabled'])) { - $input_errors[] = "The remote gateway \"$tremotegw\" is already used by tunnel \"${tunnel['descr']}\"."; - } - } - $t++; - } - } - if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) { - $input_errors[] = "A valid IP address for 'My identifier' must be specified."; - } - if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) { - $input_errors[] = "A valid domain name for 'My identifier' must be specified."; - } - if ($_POST['p1myidentt'] == "user_fqdn") { - $ufqdn = explode("@",$_POST['p1myident']); - if (is_domain($ufqdn[1]) == false) - $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; - } - 
if ($_POST['p1myidentt'] == "dyn_dns") { - if (is_domain($_POST['p1myidentt']) == false) - $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; - } - - if($_POST['p1myidentt'] == "fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "dyn_dns" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "address" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if($_POST['p1myidentt'] == "user_fqdn" and $_POST['p1myident'] == "") - $input_errors[] = gettext("Please enter a domain name for 'My Identifier'"); - - if ($_POST['p1myidentt'] == "myaddress") - $_POST['p1myident'] = ""; - - if (!$input_errors) { - $ipsecent['disabled'] = $_POST['disabled'] ? true : false; - //$ipsecent['auto'] = $_POST['auto'] ? true : false; - $ipsecent['interface'] = $pconfig['interface']; - pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']); - $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . 
$_POST['remotebits']; - /* if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ - if($_POST['interface'] <> "wan") { - if($ipsecent['remote-gateway'] <> $_POST['remotegw']) { - mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}"); - } - } - $ipsecent['remote-gateway'] = $_POST['remotegw']; - $ipsecent['p1']['mode'] = $_POST['p1mode']; - - $ipsecent['p1']['myident'] = array(); - switch ($_POST['p1myidentt']) { - case 'myaddress': - $ipsecent['p1']['myident']['myaddress'] = true; - break; - case 'address': - $ipsecent['p1']['myident']['address'] = $_POST['p1myident']; - break; - case 'fqdn': - $ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident']; - break; - case 'user_fqdn': - $ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident']; - break; - case 'asn1dn': - $ipsecent['p1']['myident']['asn1dn'] = $_POST['p1myident']; - break; - case 'dyn_dns': - $ipsecent['p1']['myident']['dyn_dns'] = $_POST['p1myident']; - break; - } - - $ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo']; - $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; - $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; - $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; - $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; - $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); - $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); - $ipsecent['p1']['peercert'] = base64_encode($_POST['p1peercert']); - $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; - $ipsecent['p2']['protocol'] = $_POST['p2proto']; - $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; - $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; - $ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup']; - $ipsecent['p2']['lifetime'] = $_POST['p2lifetime']; - $ipsecent['descr'] = $_POST['descr']; - $ipsecent['pinghost'] = $_POST['pinghost']; - - if 
(isset($id) && $a_ipsec[$id]) - $a_ipsec[$id] = $ipsecent; - else - $a_ipsec[] = $ipsecent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit tunnel"); -include("head.inc"); - -?> - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mode Tunnel
Disabled - > - Disable this tunnel
- Set this option to disable this tunnel without - removing it from the list.
Interface
- Select the interface for the local endpoint of this tunnel.
Local subnet - - - - - - - - - - - -
Type:  
Address:   - / -
Remote subnet - - / -
Remote gateway - -
- Enter the public IP address or host name of the remote gateway
Description - -
You may enter a description here - for your reference (not parsed).
Phase 1 proposal - (Authentication)
Negotiation mode -
Aggressive is faster, but - less secure.
My identifier - -
Encryption algorithm -
Must match the setting - chosen on the remote side.
Hash algorithm -
Must match the setting - chosen on the remote side.
DH key group -
1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit
- Must match the setting chosen on the remote side.
Lifetime - - seconds
Authentication method -
Must match the setting - chosen on the remote side.
Pre-Shared Key - -
Certificate - -
- Paste a certificate in X.509 PEM format here.
Key - -
- Paste an RSA private key in PEM format here.
Peer certificate - -
- Paste the peer X.509 certificate in PEM format here.
- Leave this blank if you want to use a CA certificate for identity validation.
Phase 2 proposal - (SA/Key Exchange)
Protocol -
ESP is encryption, AH is - authentication only
Encryption algorithms - $algoname): ?> - > - -
- -
- Hint: use 3DES for best compatibility or if you have a hardware - crypto accelerator card. Blowfish is usually the fastest in - software encryption.
Hash algorithms - $algoname): ?> - > - -
- -
PFS key group -
1 = 768 bit, 2 = 1024 - bit, 5 = 1536 bit
Lifetime - - seconds
Keep alive
Automatically ping host - IP address
  - - - - -
-

- - - - - diff --git a/usr/local/www/vpn_ipsec_keys.php b/usr/local/www/vpn_ipsec_keys.php deleted file mode 100755 index 49112ff..0000000 --- a/usr/local/www/vpn_ipsec_keys.php +++ /dev/null @@ -1,120 +0,0 @@ -. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -if ($_GET['act'] == "del") { - if ($a_secret[$_GET['id']]) { - unset($a_secret[$_GET['id']]); - write_config(); - touch($d_ipsecconfdirty_path); - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Keys"); - -include("head.inc"); - -?> - - - -
- -

-You must apply the changes in order for them to take effect.");?>
- - - - - - -
- -
-
- - - - - - - - - - - - - - - - - -
IdentifierPre-shared key - - - - - -
-
- - - - -  
- - - - - -
-
-
-
-

- - - diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php deleted file mode 100755 index f612bcc..0000000 --- a/usr/local/www/vpn_ipsec_keys_edit.php +++ /dev/null 
@@ -1,128 +0,0 @@ -. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
-*/ - -require("guiconfig.inc"); - -if (!is_array($config['ipsec']['mobilekey'])) { - $config['ipsec']['mobilekey'] = array(); -} -ipsec_mobilekey_sort(); -$a_secret = &$config['ipsec']['mobilekey']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_secret[$id]) { - $pconfig['ident'] = $a_secret[$id]['ident']; - $pconfig['psk'] = $a_secret[$id]['pre-shared-key']; -} - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "ident psk"); - $reqdfieldsn = explode(",", "Identifier,Pre-shared key"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) - $input_errors[] = "The identifier contains invalid characters."; - - if (!$input_errors && !(isset($id) && $a_secret[$id])) { - /* make sure there are no dupes */ - foreach ($a_secret as $secretent) { - if ($secretent['ident'] == $_POST['ident']) { - $input_errors[] = "Another entry with the same identifier already exists."; - break; - } - } - } - - if (!$input_errors) { - - if (isset($id) && $a_secret[$id]) - $secretent = $a_secret[$id]; - - $secretent['ident'] = $_POST['ident']; - $secretent['pre-shared-key'] = $_POST['psk']; - - if (isset($id) && $a_secret[$id]) - $a_secret[$id] = $secretent; - else - $a_secret[] = $secretent; - - write_config(); - touch($d_ipsecconfdirty_path); - - header("Location: vpn_ipsec_keys.php"); - exit; - } -} - -$pgtitle = array("VPN","IPsec","Edit pre-shared key"); -include("head.inc"); - -?> - - - - -
- - - - - - - - - - - - - -
Identifier - -
-This can be either an IP address, fully qualified domain name or an e-mail address. -
Pre-shared key - -
  - - - - -
-
- diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 6a105e3..5a88b66 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php @@ -197,8 +197,7 @@ function methodsel_change() { $tab_array = array(); $tab_array[0] = array("Tunnels", false, "vpn_ipsec.php"); $tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php"); - $tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php"); - $tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php"); + $tab_array[2] = array("CAs", false, "vpn_ipsec_ca.php"); display_top_tabs($tab_array); ?> diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php new file mode 100644 index 0000000..0a21362 --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase1.php 
@@ -0,0 +1,635 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['phase1'])) + $config['ipsec']['phase1'] = array(); + +$a_phase1 = &$config['ipsec']['phase1']; + +if($config['interfaces']['lan']) + $specialsrcdst = explode(" ", "lan"); + +$p1index = $_GET['p1index']; +if (isset($_POST['p1index'])) + $p1index = $_POST['p1index']; + +if (isset($_GET['dup'])) { + $p1index = $_GET['dup']; +} + +if (isset($p1index) && $a_phase1[$p1index]) +{ + $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid']; + $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']); + + if ($a_phase1[$p1index]['interface']) + $pconfig['interface'] = $a_phase1[$p1index]['interface']; + else + $pconfig['interface'] = "wan"; + + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); + $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; + $pconfig['mode'] = $a_phase1[$p1index]['mode']; + $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; + $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data']; + $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type']; + $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data']; + $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm']; + $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm']; + $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup']; + $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime']; + $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method']; + $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key']; + $pconfig['cert'] = base64_decode($a_phase1[$p1index]['cert']); + $pconfig['peercert'] = base64_decode($a_phase1[$p1index]['peercert']); + $pconfig['privatekey'] = base64_decode($a_phase1[$p1index]['private-key']); + + $pconfig['descr'] = $a_phase1[$p1index]['descr']; + $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal']; + $pconfig['dpd_enable'] = $a_phase1[$p1index]['dpd_enable']; + $pconfig['dpd_delay'] = 
$a_phase1[$p1index]['dpd_delay']; + $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; + $pconfig['pinghost'] = $a_phase1[$p1index]['pinghost']; +} +else +{ + /* defaults */ + $pconfig['interface'] = "wan"; + if($config['interfaces']['lan']) + $pconfig['localnet'] = "lan"; + $pconfig['mode'] = "aggressive"; + $pconfig['myid_type'] = "myaddress"; + $pconfig['peerid_type'] = "peeraddress"; + $pconfig['authentication_method'] = "pre_shared_key"; + $pconfig['ealgo'] = array( name => "3des" ); + $pconfig['halgo'] = "sha1"; + $pconfig['dhgroup'] = "2"; + $pconfig['lifetime'] = "28800"; + $pconfig['nat_traversal'] = "on"; + $pconfig['dpd_enable'] = 1; + $pconfig['dpd_delay'] = 10; + $pconfig['dpd_maxfail'] = 5; +} + +if (isset($_GET['dup'])) + unset($p1index); + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['authentication_method'] == "pre_shared_key") { + $reqdfields = explode(" ", "remotegw pskey"); + $reqdfieldsn = explode(",", "Remote gateway,Pre-Shared Key"); + } else { + $reqdfields = explode(" ", "remotegw"); + $reqdfieldsn = explode(",", "Remote gateway"); + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['privatekey'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + if ($_POST['peercert']!="" && (!strstr($_POST['peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['peercert'], "END CERTIFICATE"))) + $input_errors[] = "This peer certificate does not appear to be valid."; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) + $input_errors[] = "The P1 lifetime must be an integer."; + + if (($_POST['remotegw'] && !is_ipaddr($_POST['remotegw']) && !is_domain($_POST['remotegw']))) + 
$input_errors[] = "A valid remote gateway address or host name must be specified."; + + if (($_POST['remotegw'] && is_ipaddr($_POST['remotegw']) && !isset($_POST['disabled']) )) { + $t = 0; + foreach ($a_phase1 as $ph1tmp) { + if ($p1index <> $t) { + $tremotegw = $pconfig['remotegw']; + if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) { + $input_errors[] = "The remote gateway \"$tremotegw\" is already used by phase1 \"${ph1tmp['descr']}\"."; + } + } + $t++; + } + } + + /* My identity */ + + if ($_POST['myid_type'] == "myaddress") + $_POST['myid_data'] = ""; + + if ($_POST['myid_type'] == "address" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter an address for 'My Identifier'"); + + if ($_POST['myid_type'] == "keyid tag" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); + + if ($_POST['myid_type'] == "fqdn" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); + + if ($_POST['myid_type'] == "user_fqdn" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); + + if ($_POST['myid_type'] == "dyn_dns" and $_POST['myid_data'] == "") + $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); + + if ((($_POST['myid_type'] == "address") && !is_ipaddr($_POST['myid_data']))) + $input_errors[] = "A valid IP address for 'My identifier' must be specified."; + + if ((($_POST['myid_type'] == "fqdn") && !is_domain($_POST['myid_data']))) + $input_errors[] = "A valid domain name for 'My identifier' must be specified."; + + if ($_POST['myid_type'] == "fqdn") + if (is_domain($_POST['myid_data']) == false) + $input_errors[] = "A valid FQDN for 'My identifier' must be specified."; + + if ($_POST['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$_POST['myid_data']); + if 
(is_domain($user_fqdn[1]) == false) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."; + } + + if ($_POST['myid_type'] == "dyn_dns") + if (is_domain($_POST['myid_data']) == false) + $input_errors[] = "A valid Dynamic DNS address for 'My identifier' must be specified."; + + /* Peer identity */ + + if ($_POST['peerid_type'] == "address" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "keyid tag" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "fqdn" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); + + if ($_POST['peerid_type'] == "user_fqdn" and $_POST['peerid_data'] == "") + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); + + if ((($_POST['peerid_type'] == "address") && !is_ipaddr($_POST['peerid_data']))) + $input_errors[] = "A valid IP address for 'Peer identifier' must be specified."; + + if ((($_POST['peerid_type'] == "fqdn") && !is_domain($_POST['peerid_data']))) + $input_errors[] = "A valid domain name for 'Peer identifier' must be specified."; + + if ($_POST['peerid_type'] == "fqdn") + if (is_domain($_POST['peerid_data']) == false) + $input_errors[] = "A valid FQDN for 'Peer identifier' must be specified."; + + if ($_POST['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@",$_POST['peerid_data']); + if (is_domain($user_fqdn[1]) == false) + $input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."; + } + + if ($_POST['dpd_enable']) { + if (!is_numeric($_POST['dpd_delay'])) + $input_errors[] = "A numeric value must be specified for DPD delay."; + + if (!is_numeric($_POST['dpd_maxfail'])) + $input_errors[] = "A 
numeric value must be specified for DPD retries."; + } + + /* build our encryption algorithms array */ + $pconfig['ealgo'] = array(); + $pconfig['ealgo']['name'] = $_POST['ealgo']; + if($_POST['ealgo_keylen']) + $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; + + if (!$input_errors) { + $ph1ent['ikeid'] = $_POST['ikeid']; + $ph1ent['disabled'] = $_POST['disabled'] ? true : false; + $ph1ent['interface'] = $pconfig['interface']; + /* if the remote gateway changed and the interface is not WAN then remove route */ + /* the vpn_ipsec_configure() handles adding the route */ + if ($_POST['interface'] <> "wan") { + if($ph1ent['remote-gateway'] <> $_POST['remotegw']) { + mwexec("/sbin/route delete -host {$ph1ent['remote-gateway']}"); + } + } + $ph1ent['remote-gateway'] = $_POST['remotegw']; + $ph1ent['mode'] = $_POST['mode']; + + $ph1ent['myid_type'] = $_POST['myid_type']; + $ph1ent['myid_data'] = $_POST['myid_data']; + $ph1ent['peerid_type'] = $_POST['peerid_type']; + $ph1ent['peerid_data'] = $_POST['peerid_data']; + + $ph1ent['encryption-algorithm'] = $pconfig['ealgo']; + $ph1ent['hash-algorithm'] = $_POST['halgo']; + $ph1ent['dhgroup'] = $_POST['dhgroup']; + $ph1ent['lifetime'] = $_POST['lifetime']; + $ph1ent['pre-shared-key'] = $_POST['pskey']; + $ph1ent['private-key'] = base64_encode($_POST['privatekey']); + $ph1ent['cert'] = base64_encode($_POST['cert']); + $ph1ent['peercert'] = base64_encode($_POST['peercert']); + $ph1ent['authentication_method'] = $_POST['authentication_method']; + + $ph1ent['descr'] = $_POST['descr']; + $ph1ent['nat_traversal'] = $_POST['nat_traversal']; + $ph1ent['dpd_enable'] = $_POST['dpd_enable']; + $ph1ent['dpd_delay'] = $_POST['dpd_delay']; + $ph1ent['dpd_maxfail'] = $_POST['dpd_maxfail']; + $ph1ent['pinghost'] = $_POST['pinghost']; + + /* generate unique phase1 ikeid */ + if ($ph1ent['ikeid'] == 0) { + while (true) { + $ph1ent['ikeid']++; + foreach ($a_phase1 as $ph1tmp) + if( $ph1ent['ikeid'] == $ph1tmp['ikeid'] ) + break; + + if( 
$ph1ent['ikeid'] != $ph1tmp['ikeid'] ) + break; + } + } + + if (isset($p1index) && $a_phase1[$p1index]) + $a_phase1[$p1index] = $ph1ent; + else + $a_phase1[] = $ph1ent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec.php"); + exit; + } +} + +$pgtitle = array("VPN","IPsec","Edit Phase 1"); +include("head.inc"); + +?> + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Disabled + > + Disable this phase1 entry
+ Set this option to disable this phase1 without + removing it from the list. + +
Interface +
+ Select the interface for the local endpoint of this phase1 entry. +
Remote gateway + +
+ Enter the public IP address or host name of the remote gateway +
Description + +
You may enter a description here + for your reference (not parsed). +
Phase 1 proposal + (Authentication) +
Negotiation mode +
Aggressive is more flexible, but less secure. +
My identifier + + +
Peer identifier + + +
Encryption algorithm + + +
Hash algorithm + +
+ + Must match the setting chosen on the remote side. + +
DH key group + +
+ + 1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit +
+ Must match the setting chosen on the remote side. +
+
Lifetime + + seconds +
Authentication method + +
+ Must match the setting chosen on the remote side. +
Pre-Shared Key + +
My Certificate + +
+ Paste a certificate in X.509 PEM format here.
My Private Key + +
+ Paste an RSA private key in PEM format here. +
Peer certificate + +
+ Paste the peer X.509 certificate in PEM format here.
+ Leave this blank if you want to use a CA certificate for identity validation. +
Advanced Options
NAT Traversal + +
+ + Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, + which can help with clients that are behind restrictive firewalls. + +
Dead Peer Detection + onClick="dpdchkbox_change()"> + Enable DPD
+
+ + seconds
+ Delay between requesting peer acknowledgement.
+
+ + retries
+ Number consecutive failures allowed before disconnect.
+
Automatically ping host + + IP address +
  + + + + + +
+
+ + diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php new file mode 100644 index 0000000..7a3c5ce --- /dev/null +++ b/usr/local/www/vpn_ipsec_phase2.php 
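Review bot: In the save branch of vpn_ipsec_phase1.php, the route-removal check reads `$ph1ent['remote-gateway']` before it has been assigned — `$ph1ent` is built fresh from `$_POST` a few lines earlier — so the comparison never sees the previously configured gateway, the stale host route is never removed, and for any non-WAN interface `mwexec` runs `/sbin/route delete -host ` with an empty argument on every save. Read the stored value instead: `$oldgw = isset($p1index) ? $a_phase1[$p1index]['remote-gateway'] : "";`, `if ($oldgw && $oldgw <> $_POST['remotegw'])`, `mwexec("/sbin/route delete -host " . escapeshellarg($oldgw));`. Separately, the duplicate-gateway loop's `if ($p1index <> $t)` is a loose comparison and `$p1index` is null for a new entry, which compares equal to 0, so the first phase1 entry is silently skipped by that check; `if (!isset($p1index) || $p1index != $t)` closes the gap. The posted `ikeid` is also stored as-is whenever it is non-zero, with no numeric or uniqueness check against existing entries, so only the auto-generated path guarantees distinct ids.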
@@ -0,0 +1,489 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['phase2'])) + $config['ipsec']['phase2'] = array(); + +$a_phase2 = &$config['ipsec']['phase2']; + +if($config['interfaces']['lan']) + $specialsrcdst = explode(" ", "lan"); + +$p2index = $_GET['p2index']; +if (isset($_POST['p2index'])) + $p2index = $_POST['p2index']; + +if (isset($_GET['dup'])) + $p2index = $_GET['dup']; + +if (isset($p2index) && $a_phase2[$p2index]) +{ + $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid']; + $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']); + $pconfig['descr'] = $a_phase2[$p2index]['descr']; + + idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig); + idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig); + + $pconfig['proto'] = $a_phase2[$p2index]['protocol']; + ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig); + $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option']; + $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup']; + $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime']; +} +else +{ + $pconfig['ikeid'] = $_GET['ikeid']; + + /* defaults */ + $pconfig['localid_type'] = "lan"; + $pconfig['remoteid_type'] = "network"; + $pconfig['proto'] = "esp"; + $pconfig['ealgos'] = explode(",", "3des,blowfish,cast128,aes"); + $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5"); + $pconfig['pfsgroup'] = "0"; + $pconfig['lifetime'] = "3600"; +} + +if (isset($_GET['dup'])) + unset($p2index); + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + $ealgos = pconfig_to_ealgos($pconfig); + $localid = pconfig_to_idinfo("local",$pconfig); + $remoteid = pconfig_to_idinfo("remote",$pconfig); + + if (!isset( $_POST['ikeid'])) + $input_errors[] = "A valid ikeid must be specified."; + + /* input validation */ + $reqdfields = explode(" ", "localid_type remoteid_type halgos"); + $reqdfieldsn = explode(",", "Local network type,Remote network type,P2 Hash Algorithms"); + + 
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + switch ($_POST['localid_type']) { + case "network": + if (!$_POST['localid_netbits'] || !is_numeric($_POST['localid_netbits'])) + $input_errors[] = "A valid local network bit count must be specified.."; + case "address": + if (!$_POST['localid_address'] || !is_ipaddr($_POST['localid_address'])) + $input_errors[] = "A valid local network IP address must be specified."; + break; + } + + switch ($_POST['remoteid_type']) { + case "network": + if (!$_POST['remoteid_netbits'] || !is_numeric($_POST['remoteid_netbits'])) + $input_errors[] = "A valid remote network bit count must be specified.."; + case "address": + if (!$_POST['remoteid_address'] || !is_ipaddr($_POST['remoteid_address'])) + $input_errors[] = "A valid remote network IP address must be specified."; + break; + } + +/* TODO : Validate enabled phase2's are not duplicates */ + + if (!count($ealgos)) { + $input_errors[] = "At least one encryption algorithm must be selected."; + } + if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) { + $input_errors[] = "The P2 lifetime must be an integer."; + } + + if (!$input_errors) { + $ph2ent['ikeid'] = $_POST['ikeid']; + $ph2ent['disabled'] = $_POST['disabled'] ? true : false; + $ph2ent['localid'] = $localid; + $ph2ent['remoteid'] = $remoteid; + $ph2ent['protocol'] = $_POST['proto']; + $ph2ent['encryption-algorithm-option'] = $ealgos; + $ph2ent['hash-algorithm-option'] = $_POST['halgos']; + $ph2ent['pfsgroup'] = $_POST['pfsgroup']; + $ph2ent['lifetime'] = $_POST['lifetime']; + $ph2ent['descr'] = $_POST['descr']; + + if (isset($p2index) && $a_phase2[$p2index]) + $a_phase2[$p2index] = $ph2ent; + else + $a_phase2[] = $ph2ent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec.php"); + exit; + } +} + +$pgtitle = array("VPN","IPsec","Edit Phase 2"); +include("head.inc"); + +?> + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Mode Tunnel
Disabled + > + Disable this phase2 entry
+ Set this option to disable this phase2 entry without + removing it from the list. + +
Local Network + + + + + + + + + + + +
Type:   + +
Address:   + + / + +
+
Remote Network + + + + + + + + + + + +
Type:   + +
Address:   + + / + +
+
Description + +
You may enter a description here + for your reference (not parsed). +
Phase 2 proposal + (SA/Key Exchange) +
Protocol + +
+ ESP is encryption, AH is authentication only +
Encryption algorithms + + $algodata): + $checked = ''; + if (in_array($algo,$pconfig['ealgos'])) + $checked = " checked"; + ?> + + + + + + +
+ > + + + + +    + + +
+
+ Hint: use 3DES for best compatibility or if you have a hardware + crypto accelerator card. Blowfish is usually the fastest in + software encryption. +
Hash algorithms + $algoname): ?> + > + +
+ +
PFS key group + +
+ 1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit +
Lifetime + + seconds +
  + + + + + +
+
+ + + + $algo_data) { + if (in_array($algo_name,$pconfig['ealgos'])) { + $ealg = array(); + $ealg['name'] = $algo_name; + if (is_array($algo_data['keysel'])) + $ealg['keylen'] = $_POST["keylen_".$algo_name]; + $ealgos[] = $ealg; + } + } + + return $ealgos; +} + +function ealgos_to_pconfig(& $ealgos,& $pconfig) { + + $pconfig['ealgos'] = array(); + foreach ($ealgos as $algo_data) { + $pconfig['ealgos'][] = $algo_data['name']; + if (isset($algo_data['keylen'])) + $pconfig["keylen_".$algo_data['name']] = $algo_data['keylen']; + } + + return $ealgos; +} + +function pconfig_to_idinfo($prefix,& $pconfig) { + + $type = $pconfig[$prefix."id_type"]; + $address = $pconfig[$prefix."id_address"]; + $netbits = $pconfig[$prefix."id_netbits"]; + + switch( $type ) + { + case "address": + return array('type' => $type, 'address' => $address); + case "network": + return array('type' => $type, 'address' => $address, 'netbits' => $netbits); + default: + return array('type' => $type ); + } +} + +function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) { + + switch( $idinfo['type'] ) + { + case "address": + $pconfig[$prefix."id_type"] = $idinfo['type']; + $pconfig[$prefix."id_address"] = $idinfo['address']; + break; + case "network": + $pconfig[$prefix."id_type"] = $idinfo['type']; + $pconfig[$prefix."id_address"] = $idinfo['address']; + $pconfig[$prefix."id_netbits"] = $idinfo['netbits']; + break; + default: + $pconfig[$prefix."id_type"] = $idinfo['type']; + break; + } +} + +?> diff --git a/usr/local/www/widgets/include/ipsec.inc b/usr/local/www/widgets/include/ipsec.inc deleted file mode 100644 index 5484d63..0000000 --- a/usr/local/www/widgets/include/ipsec.inc +++ /dev/null @@ -1,81 +0,0 @@ - diff --git a/usr/local/www/widgets/widgets/ipsec.widget.php b/usr/local/www/widgets/widgets/ipsec.widget.php index dd033c0..1a63029 100644 --- a/usr/local/www/widgets/widgets/ipsec.widget.php +++ b/usr/local/www/widgets/widgets/ipsec.widget.php 
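Review bot: The ikeid guard in vpn_ipsec_phase2.php, `if (!isset( $_POST['ikeid']))`, never fires for a posted empty string because isset() is true for "", and nothing checks that the value names an existing phase1, so a phase2 can be saved against a missing or arbitrary ikeid. A stronger check is `if (!is_numeric($_POST['ikeid']))` followed by a loop over `$config['ipsec']['phase1']` that requires a matching `ikeid` before the entry is accepted. The `localid_netbits`/`remoteid_netbits` validation accepts any numeric value; a range check such as `if ($_POST['localid_netbits'] < 0 || $_POST['localid_netbits'] > 32)` would reject prefix lengths that cannot form a valid network. The `case "network":` branches fall through into `case "address":` on purpose, which is easy to misread as a missing break; a one-line comment, `/* fall through: a network entry also needs a valid address */`, would make the intent explicit.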
@@ -33,9 +33,8 @@ require_once("guiconfig.inc"); require_once("pfsense-utils.inc"); require_once("functions.inc"); -require_once("/usr/local/www/widgets/include/ipsec.inc"); - if (isset($config['ipsec']['tunnel'])){?> + if (isset($config['ipsec']['phase1'])){?>
 
$tunnel['interface'], - 'dest' => $tunnel['remote-gateway'], - 'remote-subnet' => $tunnel['remote-subnet'], - 'descr' => $tunnel['descr'], + $ipsec_detail_array[] = array('src' => $ph1ent['interface'], + 'dest' => $ph1ent['remote-gateway'], + 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']), + 'descr' => $ph2ent['descr'], 'status' => $iconfn, 'disabled' => $tun_disabled); } } - if (isset($config['ipsec']['tunnel'])){ ?> + if (isset($config['ipsec']['phase2'])){ ?>
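Review bot: The widget hunk drops `require_once("/usr/local/www/widgets/include/ipsec.inc")` and at the same time adds a call to `ipsec_idinfo_to_text($ph2ent['remoteid'])` without a replacement require, so the widget now depends on one of the remaining includes (`guiconfig.inc`, `pfsense-utils.inc`, `functions.inc`) bringing that helper into scope; if none of them does, the dashboard widget fails with an undefined function. Worth confirming the include chain or adding the explicit require here. The surrounding loop that defines `$ph1ent` and `$ph2ent` starts outside the hunk, so whether every phase2 is matched to its phase1 by ikeid cannot be checked from this view.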