.
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
##|+PRIV
##|*IDENT=page-status-ipsec
##|*NAME=Status: IPsec
##|*DESCR=Allow access to the 'Status: IPsec' page.
##|*MATCH=status_ipsec.php*
##|-PRIV
require_once("guiconfig.inc");
require_once("ipsec.inc");
global $g;
if (!is_array($config['ipsec']['phase1'])) {
$config['ipsec']['phase1'] = array();
}
// If this is just an AJAX call to update the table body, just generate the body and quit
if ($_REQUEST['ajax']) {
print_ipsec_body();
exit;
}
if ($_POST['act'] == 'connect') {
if (ctype_digit($_POST['ikeid'])) {
$ph1ent = ipsec_get_phase1($_POST['ikeid']);
if (!empty($ph1ent)) {
if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn'])) {
$ph2entries = ipsec_get_number_of_phase2($_POST['ikeid']);
for ($i = 0; $i < $ph2entries; $i++) {
$connid = escapeshellarg("con{$_POST['ikeid']}00{$i}");
mwexec_bg("/usr/local/sbin/ipsec down {$connid}");
mwexec_bg("/usr/local/sbin/ipsec up {$connid}");
}
} else {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_POST['ikeid']));
mwexec_bg("/usr/local/sbin/ipsec up con" . escapeshellarg($_POST['ikeid']));
}
}
}
} else if ($_POST['act'] == 'ikedisconnect') {
if (ctype_digit($_POST['ikeid'])) {
if (!empty($_POST['ikesaid']) && ctype_digit($_POST['ikesaid'])) {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_POST['ikeid']) . "[" . escapeshellarg($_POST['ikesaid']) . "]");
} else {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_POST['ikeid']));
}
}
} else if ($_POST['act'] == 'childdisconnect') {
if (ctype_digit($_POST['ikeid'])) {
if (!empty($_POST['ikesaid']) && ctype_digit($_POST['ikesaid'])) {
mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_POST['ikeid']) . "{" . escapeshellarg($_POST['ikesaid']) . "}");
}
}
}
// Table body is composed here so that it can be more easily updated via AJAX
function print_ipsec_body() {
global $config;
$a_phase1 = &$config['ipsec']['phase1'];
$status = ipsec_list_sa();
$ipsecconnected = array();
if (is_array($status)) {
foreach ($status as $ikeid => $ikesa) {
$con_id = substr($ikeid, 3);
if ($ikesa['version'] == 1) {
$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
$ipsecconnected[$ph1idx] = $ph1idx;
} else {
if (!ipsec_ikeid_used($con_id)) {
// probably a v2 with split connection then
$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
$ipsecconnected[$ph1idx] = $ph1idx;
} else {
$ipsecconnected[$con_id] = $ph1idx = $con_id;
}
}
print("\n");
print("| \n");
print(htmlspecialchars(ipsec_get_descr($ph1idx)));
print(" | \n");
print("\n");
if (!empty($ikesa['local-id'])) {
if ($ikesa['local-id'] == '%any') {
print(gettext('Any identifier'));
} else {
print(htmlspecialchars($ikesa['local-id']));
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
if (!empty($ikesa['local-host'])) {
print(htmlspecialchars($ikesa['local-host']));
} else {
print(gettext("Unknown"));
}
/*
* XXX: local-nat-t was defined by pfSense
* When strongswan team accepted the change, they changed it to
* nat-local. Keep both for a while and remove local-nat-t in
* the future
*/
if (isset($ikesa['local-nat-t']) || isset($ikesa['nat-local'])) {
print(" NAT-T");
}
print(" | \n");
print("\n");
$identity = "";
if (!empty($ikesa['remote-id'])) {
if ($ikesa['remote-id'] == '%any') {
$identity = htmlspecialchars(gettext('Any identifier'));
} else {
$identity = htmlspecialchars($ikesa['remote-id']);
}
}
if (!empty($ikesa['remote-xauth-id'])) {
echo htmlspecialchars($ikesa['remote-xauth-id']);
echo "
{$identity}";
} elseif (!empty($ikesa['remote-eap-id'])) {
echo htmlspecialchars($ikesa['remote-eap-id']);
echo "
{$identity}";
} else {
if (empty($identity)) {
print(gettext("Unknown"));
} else {
print($identity);
}
}
print(" | \n");
print("\n");
if (!empty($ikesa['remote-host'])) {
print(htmlspecialchars($ikesa['remote-host']));
} else {
print(gettext("Unknown"));
}
/*
* XXX: remote-nat-t was defined by pfSense
* When strongswan team accepted the change, they changed it to
* nat-remote. Keep both for a while and remove remote-nat-t in
* the future
*/
if (isset($ikesa['remote-nat-t']) || isset($ikesa['nat-remote'])) {
print(" NAT-T");
}
print(" | \n");
print("\n");
print("IKEv" . htmlspecialchars($ikesa['version']));
print("
\n");
if ($ikesa['initiator'] == 'yes') {
print("initiator");
} else {
print("responder");
}
print(" | \n");
print("\n");
print(htmlspecialchars($ikesa['reauth-time']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['reauth-time']) . ")");
print(" | \n");
print("\n");
print(htmlspecialchars($ikesa['encr-alg']));
print("
");
print(htmlspecialchars($ikesa['integ-alg']));
print("
");
print(htmlspecialchars($ikesa['prf-alg']));
print("
\n");
print(htmlspecialchars($ikesa['dh-group']));
print(" | \n");
print("\n");
if ($ikesa['state'] == 'ESTABLISHED') {
print('');
} else {
print('');
}
print(ucfirst(htmlspecialchars($ikesa['state'])));
if ($ikesa['state'] == 'ESTABLISHED') {
print("
");
printf(gettext('%1$s seconds (%2$s) ago'), htmlspecialchars($ikesa['established']), convert_seconds_to_dhms($ikesa['established']));
}
print("");
print(" | \n");
print("\n");
if ($ikesa['state'] != 'ESTABLISHED') {
print('');
print('');
print(gettext("Connect VPN"));
print("\n");
} else {
print('');
print('');
print(gettext("Disconnect"));
print("
\n");
}
print(" | \n");
print("
\n");
print("\n");
print("\n");
if (is_array($ikesa['child-sas']) && (count($ikesa['child-sas']) > 0)) {
print('\n");
print('');
print("\n");
print('');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print(' | ');
print("\n");
print(" \n");
foreach ($ikesa['child-sas'] as $childid => $childsa) {
print("");
print("\n");
if (is_array($childsa['local-ts'])) {
foreach ($childsa['local-ts'] as $lnets) {
print(htmlspecialchars(ipsec_fixup_network($lnets)) . "
");
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
if (isset($childsa['spi-in'])) {
print(gettext("Local: ") . htmlspecialchars($childsa['spi-in']));
}
if (isset($childsa['spi-out'])) {
print('
' . gettext('Remote: ') . htmlspecialchars($childsa['spi-out']));
}
print(" | \n");
print("\n");
if (is_array($childsa['remote-ts'])) {
foreach ($childsa['remote-ts'] as $rnets) {
print(htmlspecialchars(ipsec_fixup_network($rnets)) . '
');
}
} else {
print(gettext("Unknown"));
}
print(" | \n");
print("\n");
printf(gettext('Rekey: %1$s seconds (%2$s)'), htmlspecialchars($childsa['rekey-time']), convert_seconds_to_dhms($childsa['rekey-time']));
print('
');
printf(gettext('Life: %1$s seconds (%2$s)'), htmlspecialchars($childsa['life-time']), convert_seconds_to_dhms($childsa['life-time']));
print('
');
printf(gettext('Install: %1$s seconds (%2$s)'), htmlspecialchars($childsa['install-time']), convert_seconds_to_dhms($childsa['install-time']));
print(" | \n");
print("\n");
print(htmlspecialchars($childsa['encr-alg']) . '
');
print(htmlspecialchars($childsa['integ-alg']) . '
');
if (!empty($childsa['prf-alg'])) {
print(htmlspecialchars($childsa['prf-alg']) . '
');
}
if (!empty($childsa['dh-group'])) {
print(htmlspecialchars($childsa['dh-group']) . '
');
}
if (!empty($childsa['esn'])) {
print(htmlspecialchars($childsa['esn']) . '
');
}
print(gettext("IPComp: "));
if (!empty($childsa['cpi-in']) || !empty($childsa['cpi-out'])) {
print(htmlspecialchars($childsa['cpi-in']) . " " . htmlspecialchars($childsa['cpi-out']));
} else {
print(gettext('none'));
}
print(" | \n");
print("\n");
print(gettext("Bytes-In: ") . htmlspecialchars(number_format($childsa['bytes-in'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-in'])) . ')
');
print(gettext("Packets-In: ") . htmlspecialchars(number_format($childsa['packets-in'])) . '
');
print(gettext("Bytes-Out: ") . htmlspecialchars(number_format($childsa['bytes-out'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-out'])) . ')
');
print(gettext("Packets-Out: ") . htmlspecialchars(number_format($childsa['packets-out'])) . '
');
print(" | \n");
print("\n");
print('');
print('');
print(gettext("Disconnect"));
print("\n");
print(" | \n");
print(" \n");
}
print("\n");
print(" \n");
print(" | \n");
print("
\n");
}
unset($con_id);
}
}
$rgmap = array();
if (is_array($a_phase1)) {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
if ($ipsecconnected[$ph1ent['ikeid']]) {
continue;
}
print("\n");
print("| \n");
print(htmlspecialchars($ph1ent['descr']));
print(" | \n");
print("\n");
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
if (empty($myid_data)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($myid_data));
}
print(" | \n");
print("\n");
$ph1src = ipsec_get_phase1_src($ph1ent);
if (empty($ph1src)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($ph1src));
}
print(" | \n");
print("\n");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($peerid_data));
}
print(" | \n");
print(" \n");
$ph1src = ipsec_get_phase1_dst($ph1ent);
if (empty($ph1src)) {
print(gettext("Unknown"));
} else {
print(htmlspecialchars($ph1src));
}
print(" | \n");
print("\n");
print(" | \n");
print("\n");
print(" | \n");
print("\n");
print(" | \n");
if (isset($ph1ent['mobile'])) {
print("\n");
print(gettext("Awaiting connections"));
print(" | \n");
print("\n");
print(" | \n");
print("\n");
} else {
print("\n");
print(gettext("Disconnected"));
print(" | \n");
print("\n");
print('');
print('');
print(gettext("Connect VPN"));
print("\n");
print(" | \n");
}
print("
\n");
}
}
unset($ipsecconnected, $phase1, $rgmap);
}
$pgtitle = array(gettext("Status"), gettext("IPsec"), gettext("Overview"));
$pglinks = array("", "@self", "@self");
$shortcut_section = "ipsec";
include("head.inc");
$tab_array = array();
$tab_array[] = array(gettext("Overview"), true, "status_ipsec.php");
$tab_array[] = array(gettext("Leases"), false, "status_ipsec_leases.php");
$tab_array[] = array(gettext("SADs"), false, "status_ipsec_sad.php");
$tab_array[] = array(gettext("SPDs"), false, "status_ipsec_spd.php");
display_top_tabs($tab_array);
?>
');
} else {
print('');
}
print_info_box(sprintf(gettext('IPsec can be configured %1$shere%2$s.'), '
', ''), 'info', false);
?>