.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgment:
* "This product includes software developed by the pfSense Project
* for use in the pfSense® software distribution. (http://www.pfsense.org/).
*
* 4. The names "pfSense" and "pfSense Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* coreteam@pfsense.org.
*
* 5. Products derived from this software may not be called "pfSense"
* nor may "pfSense" appear in their names without prior written
* permission of the Electric Sheep Fencing, LLC.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
*
* "This product includes software developed by the pfSense Project
* for use in the pfSense software distribution (http://www.pfsense.org/).
*
* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
##|+PRIV
##|*IDENT=page-status-ipsec
##|*NAME=Status: IPsec
##|*DESCR=Allow access to the 'Status: IPsec' page.
##|*MATCH=status_ipsec.php*
##|-PRIV
require_once("guiconfig.inc");
require_once("ipsec.inc");
global $g;
if (!is_array($config['ipsec']['phase1'])) {
$config['ipsec']['phase1'] = array();
}
// If this is just an AJAX call to update the table body, just generate the body and quit
if ($_REQUEST['ajax']) {
print_ipsec_body();
exit;
}
if ($_GET['act'] == 'connect') {
if (ctype_digit($_GET['ikeid'])) {
$ph1ent = ipsec_get_phase1($_GET['ikeid']);
if (!empty($ph1ent)) {
if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn'])) {
$ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
for ($i = 0; $i < $ph2entries; $i++) {
$connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
mwexec_bg("/usr/local/sbin/ipsec down {$connid}");
mwexec_bg("/usr/local/sbin/ipsec up {$connid}");
}
} else {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
mwexec_bg("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
}
}
}
} else if ($_GET['act'] == 'ikedisconnect') {
if (ctype_digit($_GET['ikeid'])) {
if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
} else {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
}
}
} else if ($_GET['act'] == 'childdisconnect') {
if (ctype_digit($_GET['ikeid'])) {
if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
}
}
}
// Table body is composed here so that it can be more easily updated via AJAX
function print_ipsec_body() {
global $config;
$a_phase1 = &$config['ipsec']['phase1'];
$status = ipsec_list_sa();
$ipsecconnected = array();
if (is_array($status)) {
foreach ($status as $ikeid => $ikesa) {
$con_id = substr($ikeid, 3);
if ($ikesa['version'] == 1) {
$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
$ipsecconnected[$ph1idx] = $ph1idx;
} else {
$ipsecconnected[$con_id] = $ph1idx = $con_id;
}
print("\n");
print("| \n");
print(htmlspecialchars(ipsec_get_descr($ph1idx)));
print(" | \n");
print("\n");
if (!empty($ikesa['local-id'])) {
if ($ikesa['local-id'] == '%any') {
print(gettext('Any identifier'));
} else {
print(htmlspecialchars($ikesa['local-id']));
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
if (!empty($ikesa['local-host'])) {
print(htmlspecialchars($ikesa['local-host']));
} else {
print(gettext("Unknown"));
}
/*
* XXX: local-nat-t was defined by pfSense
* When strongswan team accepted the change, they changed it to
* nat-local. Keep both for a while and remove local-nat-t in
* the future
*/
if (isset($ikesa['local-nat-t']) || isset($ikesa['nat-local'])) {
print(" NAT-T");
}
print(" | \n");
print("\n");
$identity = "";
if (!empty($ikesa['remote-id'])) {
if ($ikesa['remote-id'] == '%any') {
$identity = htmlspecialchars(gettext('Any identifier'));
} else {
$identity = htmlspecialchars($ikesa['remote-id']);
}
}
if (!empty($ikesa['remote-xauth-id'])) {
echo htmlspecialchars($ikesa['remote-xauth-id']);
echo "
{$identity}";
} elseif (!empty($ikesa['remote-eap-id'])) {
echo htmlspecialchars($ikesa['remote-eap-id']);
echo "
{$identity}";
} else {
if (empty($identity)) {
print(gettext("Unknown"));
} else {
print($identity);
}
}
print(" | \n");
print("\n");
if (!empty($ikesa['remote-host'])) {
print(htmlspecialchars($ikesa['remote-host']));
} else {
print(gettext("Unknown"));
}
/*
* XXX: remote-nat-t was defined by pfSense
* When strongswan team accepted the change, they changed it to
* nat-remote. Keep both for a while and remove remote-nat-t in
* the future
*/
if (isset($ikesa['remote-nat-t']) || isset($ikesa['nat-remote'])) {
print(" NAT-T");
}
print(" | \n");
print("\n");
print("IKEv" . htmlspecialchars($ikesa['version']));
print("
\n");
if ($ikesa['initiator'] == 'yes') {
print("initiator");
} else {
print("responder");
}
print(" | \n");
print("\n");
print(htmlspecialchars($ikesa['reauth-time']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['reauth-time']) . ")");
print(" | \n");
print("\n");
print(htmlspecialchars($ikesa['encr-alg']));
print("
");
print(htmlspecialchars($ikesa['integ-alg']));
print("
");
print(htmlspecialchars($ikesa['prf-alg']));
print("
\n");
print(htmlspecialchars($ikesa['dh-group']));
print(" | \n");
print("\n");
if ($ikesa['state'] == 'ESTABLISHED') {
print('');
} else {
print('');
}
print(ucfirst(htmlspecialchars($ikesa['state'])));
if ($ikesa['state'] == 'ESTABLISHED') {
print("
" . htmlspecialchars($ikesa['established']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['established']) . gettext(") ago"));
}
print("");
print(" | \n");
print("\n");
if ($ikesa['state'] != 'ESTABLISHED') {
print('');
print('');
print(gettext("Connect VPN"));
print("\n");
} else {
print('');
print('');
print(gettext("Disconnect"));
print("
\n");
}
print(" | \n");
print("
\n");
print("\n");
print("\n");
if (is_array($ikesa['child-sas']) && (count($ikesa['child-sas']) > 0)) {
print('\n");
print('');
print("\n");
print('');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print("\n");
print(" \n");
foreach ($ikesa['child-sas'] as $childid => $childsa) {
print("");
print("\n");
if (is_array($childsa['local-ts'])) {
foreach ($childsa['local-ts'] as $lnets) {
print(htmlspecialchars(ipsec_fixup_network($lnets)) . "
");
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
if (isset($childsa['spi-in'])) {
print(gettext("Local: ") . htmlspecialchars($childsa['spi-in']));
}
if (isset($childsa['spi-out'])) {
print('
' . gettext('Remote: ') . htmlspecialchars($childsa['spi-out']));
}
print(" | \n");
print("\n");
if (is_array($childsa['remote-ts'])) {
foreach ($childsa['remote-ts'] as $rnets) {
print(htmlspecialchars(ipsec_fixup_network($rnets)) . '
');
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['rekey-time']) . ")");
print('
' . gettext('Life: ') . htmlspecialchars($childsa['life-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['life-time']) . ")");
print('
' . gettext('Install: ') .htmlspecialchars($childsa['install-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['install-time']) . ")");
print(" | \n");
print("\n");
print(htmlspecialchars($childsa['encr-alg']) . '
');
print(htmlspecialchars($childsa['integ-alg']) . '
');
if (!empty($childsa['prf-alg'])) {
print(htmlspecialchars($childsa['prf-alg']) . '
');
}
if (!empty($childsa['dh-group'])) {
print(htmlspecialchars($childsa['dh-group']) . '
');
}
if (!empty($childsa['esn'])) {
print(htmlspecialchars($childsa['esn']) . '
');
}
print(gettext("IPComp: "));
if (!empty($childsa['cpi-in']) || !empty($childsa['cpi-out'])) {
print(htmlspecialchars($childsa['cpi-in']) . " " . htmlspecialchars($childsa['cpi-out']));
} else {
print(gettext('none'));
}
print(" | \n");
print("\n");
print(gettext("Bytes-In: ") . htmlspecialchars(number_format($childsa['bytes-in'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-in'])) . ')
');
print(gettext("Packets-In: ") . htmlspecialchars(number_format($childsa['packets-in'])) . '
');
print(gettext("Bytes-Out: ") . htmlspecialchars(number_format($childsa['bytes-out'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-out'])) . ')
');
print(gettext("Packets-Out: ") . htmlspecialchars(number_format($childsa['packets-out'])) . '
');
print(" | \n");
print("\n");
print('');
print('');
print(gettext("Disconnect"));
print("\n");
print(" | \n");
print(" \n");
}
print("\n");
print(" \n");
print(" | \n");
print("
\n");
}
unset($con_id);
}
}
$rgmap = array();
if (is_array($a_phase1)) {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
if ($ipsecconnected[$ph1ent['ikeid']]) {
continue;
}
print("\n");
print("| \n");
print(htmlspecialchars($ph1ent['descr']));
print(" | \n");
print("\n");
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
if (empty($myid_data)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($myid_data));
}
print(" | \n");
print("\n");
$ph1src = ipsec_get_phase1_src($ph1ent);
if (empty($ph1src)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($ph1src));
}
print(" | \n");
print("\n");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($peerid_data));
}
print(" | \n");
print(" \n");
$ph1src = ipsec_get_phase1_dst($ph1ent);
if (empty($ph1src)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($ph1src));
}
print(" | \n");
print("\n");
print(" | \n");
print("\n");
print(" | \n");
print("\n");
print(" | \n");
if (isset($ph1ent['mobile'])) {
print("\n");
print(gettext("Awaiting connections"));
print(" | \n");
print("\n");
print(" | \n");
print("\n");
} else {
print("\n");
print(gettext("Disconnected"));
print(" | \n");
print("\n");
print('');
print('');
print(gettext("Connect VPN"));
print("\n");
print(" | \n");
}
print("
\n");
}
}
unset($ipsecconnected, $phase1, $rgmap);
}
$pgtitle = array(gettext("Status"), gettext("IPsec"), gettext("Overview"));
$shortcut_section = "ipsec";
include("head.inc");
$tab_array = array();
$tab_array[] = array(gettext("Overview"), true, "status_ipsec.php");
$tab_array[] = array(gettext("Leases"), false, "status_ipsec_leases.php");
$tab_array[] = array(gettext("SADs"), false, "status_ipsec_sad.php");
$tab_array[] = array(gettext("SPDs"), false, "status_ipsec_spd.php");
display_top_tabs($tab_array);
?>
');
} else {
print('');
}
print_info_box(sprintf(gettext('IPsec can be configured %1$shere%2$s.'), '
', ''), 'info', false);
?>