X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=8f13cf51fa294a3d8d871ccabe51b719514be1b3;hb=016859ffe4910a0b7b3a71875d67c31aab369a1b;hp=c29c5d53d39a2c07435c1b5ef70e387d229eedf1;hpb=b01c17e9d0096c87185dfd1e04d712ec225d25aa;p=people%2Fpmueller%2Fipfire-2.x.git

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index c29c5d53d3..8f13cf51fa 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2013  IPFire Team  info@ipfire.org                       #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -19,11 +19,14 @@
 #                                                                             #
 ###############################################################################
 
+use Data::UUID;
+use MIME::Base64;
 use Net::DNS;
 use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
 use strict;
 use Sort::Naturally;
+use Sys::Hostname;
 # enable only the following on debugging purpose
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
@@ -54,7 +57,7 @@ my $errormessage = '';
 my %color = ();
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 
@@ -69,6 +72,10 @@ my %INACTIVITY_TIMEOUTS = (
 	0		=> "- $Lang::tr{'unlimited'} -",
 );
 
+# Load aliases
+my %aliases;
+&General::get_aliases(\%aliases);
+
 my $col="";
 
 $cgiparams{'ENABLED'} = 'off';
@@ -81,6 +88,7 @@ $cgiparams{'ADVANCED'} = '';
 $cgiparams{'NAME'} = '';
 $cgiparams{'LOCAL_SUBNET'} = '';
 $cgiparams{'REMOTE_SUBNET'} = '';
+$cgiparams{'LOCAL'} = '';
 $cgiparams{'REMOTE'} = '';
 $cgiparams{'LOCAL_ID'} = '';
 $cgiparams{'REMOTE_ID'} = '';
@@ -105,6 +113,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = '';
 $cgiparams{'ROOTCERT_OU'} = '';
 $cgiparams{'ROOTCERT_CITY'} = '';
 $cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_ENDPOINT'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
@@ -115,8 +124,38 @@ $cgiparams{'MODE'} = "tunnel";
 $cgiparams{'INTERFACE_MODE'} = "";
 $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
+my %APPLE_CIPHERS = (
+	"aes256gcm128" => "AES-256-GCM",
+	"aes128gcm128" => "AES-128-GCM",
+	"aes256"       => "AES-256",
+	"aes128"       => "AES-128",
+	"3des"         => "3DES",
+);
+
+my %APPLE_INTEGRITIES = (
+	"sha2_512" => "SHA2-512",
+	"sha2_384" => "SHA2-384",
+	"sha2_256" => "SHA2-256",
+	"sha1"     => "SHA1-160",
+);
+
+my %APPLE_DH_GROUPS = (
+	"768" => 1,
+	"1024" => 2,
+	"1536" => 5,
+	"2048" => 14,
+	"3072" => 15,
+	"4096" => 16,
+	"6144" => 17,
+	"8192" => 18,
+	"e256" => 19,
+	"e384" => 20,
+	"e521" => 21,
+);
+
 ###
 ### Useful functions
 ###
@@ -169,10 +208,12 @@ sub newcleanssldatabase {
 		close FILE;
 	}
 	if (! -s ">${General::swroot}/certs/index.txt") {
-		system ("touch ${General::swroot}/certs/index.txt");
+		open(FILE, ">${General::swroot}/certs/index.txt");
+		close(FILE);
 	}
 	if (! -s ">${General::swroot}/certs/index.txt.attr") {
-		system ("touch ${General::swroot}/certs/index.txt.attr");
+		open(FILE, ">${General::swroot}/certs/index.txt.attr");
+		close(FILE);
 	}
 	unlink ("${General::swroot}/certs/index.txt.old");
 	unlink ("${General::swroot}/certs/index.txt.attr.old");
@@ -185,9 +226,13 @@ sub newcleanssldatabase {
 ###
 sub callssl ($) {
 	my $opt = shift;
-	my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
+
+	# Split the given argument string into single pieces and assign them to an array.
+	my @opts = split(/ /, $opt);
+
+	my @retssl = &General::system_output("/usr/bin/openssl", @opts); #redirect stderr
 	my $ret = '';
-	foreach my $line (split (/\n/, $retssl)) {
+	foreach my $line (split (/\n/, @retssl)) {
 		&General::log("ipsec", "$line") if (0); # 1 for verbose logging
 		$ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
 	}
@@ -201,13 +246,21 @@ sub callssl ($) {
 ###
 sub getCNfromcert ($) {
 	#&General::log("ipsec", "Extracting name from $_[0]...");
-	my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
-	$temp =~ /Subject:.*CN = (.*)[\n]/;
-	$temp = $1;
-	$temp =~ s+/Email+, E+;
-	$temp =~ s/ ST = / S = /;
-	$temp =~ s/,//g;
-	$temp =~ s/\'//g;
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]");
+	my $temp;
+
+	foreach my $line (@temp) {
+		if ($line =~ /Subject:.*CN = (.*)[\n]/) {
+			$temp = $1;
+			$temp =~ s+/Email+, E+;
+			$temp =~ s/ ST = / S = /;
+			$temp =~ s/,//g;
+			$temp =~ s/\'//g;
+
+			last;
+		}
+	}
+
 	return $temp;
 }
 ###
@@ -215,11 +268,19 @@ sub getCNfromcert ($) {
 ###
 sub getsubjectfromcert ($) {
 	#&General::log("ipsec", "Extracting subject from $_[0]...");
-	my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
-	$temp =~ /Subject: (.*)[\n]/;
-	$temp = $1;
-	$temp =~ s+/Email+, E+;
-	$temp =~ s/ ST = / S = /;
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]");
+	my $temp;
+
+	foreach my $line (@temp) {
+		if($line =~ /Subject: (.*)[\n]/) {
+			$temp = $1;
+			$temp =~ s+/Email+, E+;
+			$temp =~ s/ ST = / S = /;
+
+			last;
+		}
+	}
+
 	return $temp;
 }
 ###
@@ -284,15 +345,16 @@ sub writeipsecfiles {
 		#remote peer is not set? => use '%any'
 		$lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
 
+		# Field 6 might be "off" on old installations
+		if ($lconfighash{$key}[6] eq "off") {
+			$lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
+		}
+
 		my $localside;
-		if ($lconfighash{$key}[26] eq 'BLUE') {
-			$localside = $netsettings{'BLUE_ADDRESS'};
-		} elsif ($lconfighash{$key}[26] eq 'GREEN') {
-			$localside = $netsettings{'GREEN_ADDRESS'};
-		} elsif ($lconfighash{$key}[26] eq 'ORANGE') {
-			$localside = $netsettings{'ORANGE_ADDRESS'};
-		} else { # it is RED
-			$localside = $lvpnsettings{'VPN_IP'};
+		if ($lconfighash{$key}[6]) {
+			$localside = $lconfighash{$key}[6];
+		} else {
+			$localside = "%defaultroute";
 		}
 
 		my $interface_mode = $lconfighash{$key}[36];
@@ -301,24 +363,30 @@ sub writeipsecfiles {
 		print CONF "\tleft=$localside\n";
 
 		if ($interface_mode eq "gre") {
-			print CONF "\tleftsubnet=%dynamic[gre]\n";
+			print CONF "\tleftprotoport=gre\n";
 		} elsif ($interface_mode eq "vti") {
 			print CONF "\tleftsubnet=0.0.0.0/0\n";
 		} else {
-			print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+			print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
 		}
 
 		print CONF "\tleftfirewall=yes\n";
 		print CONF "\tlefthostaccess=yes\n";
+
+		# Always send the host certificate
+		if ($lconfighash{$key}[3] eq 'host') {
+			print CONF "\tleftsendcert=always\n";
+		}
+
 		print CONF "\tright=$lconfighash{$key}[10]\n";
 
 		if ($lconfighash{$key}[3] eq 'net') {
 			if ($interface_mode eq "gre") {
-				print CONF "\trightsubnet=%dynamic[gre]\n";
+				print CONF "\trightprotoport=gre\n";
 			} elsif ($interface_mode eq "vti") {
 				print CONF "\trightsubnet=0.0.0.0/0\n";
 			} else {
-				print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+				print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
 			}
 		}
 
@@ -472,6 +540,13 @@ sub writeipsecfiles {
 		# Fragmentation
 		print CONF "\tfragmentation=yes\n";
 
+		# DNS Servers for RW
+		if ($lconfighash{$key}[3] eq 'host') {
+			my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+			print CONF "\trightdns=" . join(",", @servers) . "\n";
+		}
+
 		print CONF "\n";
 	} #foreach key
 
@@ -499,14 +574,8 @@ if ($ENV{"REMOTE_ADDR"} eq "") {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
 	&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
 
-	unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
-	|| $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
-		$errormessage = $Lang::tr{'invalid input for hostname'};
-		goto SAVE_ERROR;
-	}
-
-	unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
-		$errormessage = $Lang::tr{'invalid time period'};
+	if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) {
+		$errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'};
 		goto SAVE_ERROR;
 	}
 
@@ -516,15 +585,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	}
 
 	$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
-	$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
-	$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
+	$vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'};
 	$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
 	&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
 	&writeipsecfiles();
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S');
+		&General::system('/usr/local/bin/ipsecctrl', 'S');
 	} else {
-		system('/usr/local/bin/ipsecctrl', 'D');
+		&General::system('/usr/local/bin/ipsecctrl', 'D');
 	}
 	sleep $sleepDelay;
 	SAVE_ERROR:
@@ -549,7 +617,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	}
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
-	system('/usr/local/bin/ipsecctrl', 'R');
+	&General::system('/usr/local/bin/ipsecctrl', 'R');
 	sleep $sleepDelay;
 
 ###
@@ -611,7 +679,7 @@ END
 		}
 	}
 
-	if (ref ($cgiparams{'FH'}) ne 'Fh') {
+	unless (ref ($cgiparams{'FH'})) {
 		$errormessage = $Lang::tr{'there was no file upload'};
 		goto UPLOADCA_ERROR;
 	}
@@ -621,8 +689,8 @@ END
 		$errormessage = $!;
 		goto UPLOADCA_ERROR;
 	}
-	my $temp = `/usr/bin/openssl x509 -text -in $filename`;
-	if ($temp !~ /CA:TRUE/i) {
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
+	if (! grep(/CA:TRUE/, @temp)) {
 		$errormessage = $Lang::tr{'not a valid ca certificate'};
 		unlink ($filename);
 		goto UPLOADCA_ERROR;
@@ -640,7 +708,7 @@ END
 	$cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
 	&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
 
-	system('/usr/local/bin/ipsecctrl', 'R');
+	&General::system('/usr/local/bin/ipsecctrl', 'R');
 	sleep $sleepDelay;
 
 	UPLOADCA_ERROR:
@@ -656,9 +724,9 @@ END
 		&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 		&Header::openbigbox('100%', 'left', '', '');
 		&Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
-		my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
-		$output = &Header::cleanhtml($output,"y");
-		print "<pre>$output</pre>\n";
+		my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+		@output = &Header::cleanhtml(@output,"y");
+		print "<pre>@output</pre>\n";
 		&Header::closebox();
 		print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
 		&Header::closebigbox();
@@ -678,7 +746,9 @@ END
 		print "Content-Type: application/force-download\n";
 		print "Content-Type: application/octet-stream\r\n";
 		print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+		print "@cert";
 		exit(0);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
@@ -693,21 +763,21 @@ END
 
 	if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
 		foreach my $key (keys %confighash) {
-			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-			if ($test =~ /: OK/) {
+			my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+			if (grep(/: OK/, @test)) {
 				# Delete connection
-				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 				unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
 				unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
 				delete $confighash{$key};
 				&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 				&writeipsecfiles();
+				&General::system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 			}
 		}
 		unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
 		delete $cahash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-		system('/usr/local/bin/ipsecctrl', 'R');
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
 		sleep $sleepDelay;
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
@@ -722,8 +792,8 @@ END
 	my $assignedcerts = 0;
 	if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
 		foreach my $key (keys %confighash) {
-			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-			if ($test =~ /: OK/) {
+			my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+			if (grep(/: OK/, @test)) {
 				$assignedcerts++;
 			}
 		}
@@ -759,7 +829,7 @@ END
 			unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
 			delete $cahash{$cgiparams{'KEY'}};
 			&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-			system('/usr/local/bin/ipsecctrl', 'R');
+			&General::system('/usr/local/bin/ipsecctrl', 'R');
 			sleep $sleepDelay;
 		}
 	} else {
@@ -771,19 +841,19 @@ END
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
 	$cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
-	my $output;
+	my @output;
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', '');
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
 		&Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
-		$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+		@output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/cacert.pem");
 	} else {
 		&Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
-		$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+		@output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/hostcert.pem");
 	}
-	$output = &Header::cleanhtml($output,"y");
-	print "<pre>$output</pre>\n";
+	@output = &Header::cleanhtml(@output,"y");
+	print "<pre>@output</pre>\n";
 	&Header::closebox();
 	print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
 	&Header::closebigbox();
@@ -797,7 +867,9 @@ END
 	if ( -f "${General::swroot}/ca/cacert.pem" ) {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/cacert.pem");
+		print "@cert";
 		exit(0);
 	}
 ###
@@ -807,7 +879,9 @@ END
 	if ( -f "${General::swroot}/certs/hostcert.pem" ) {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/certs/hostcert.pem");
+		print "@cert";
 		exit(0);
 	}
 ###
@@ -829,15 +903,17 @@ END
 			close IPADDR;
 			chomp ($ipaddr);
 			$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+			$cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
 				$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+				$cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
 			}
 		}
 		$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
 		&General::log("ipsec", "Importing from p12...");
 
-		if (ref ($cgiparams{'FH'}) ne 'Fh') {
+		unless (ref ($cgiparams{'FH'})) {
 			$errormessage = $Lang::tr{'there was no file upload'};
 			goto ROOTCERT_ERROR;
 		}
@@ -982,6 +1058,11 @@ END
 		#	IP: an IP address
 		# example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
 
+		if ($cgiparams{'SUBJECTALTNAME'} eq '') {
+			$errormessage = $Lang::tr{'vpn subjectaltname missing'};
+			goto ROOTCERT_ERROR;
+		}
+
 		if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
 			$errormessage = $Lang::tr{'vpn altname syntax'};
 			goto VPNCONF_ERROR;
@@ -1007,7 +1088,7 @@ END
 			&General::log("ipsec", "Creating cacert...");
 			if (open(STDIN, "-|")) {
 				my $opt = " req -x509 -sha256 -nodes";
-				$opt .= " -days 999999";
+				$opt .= " -days 3650";
 				$opt .= " -newkey rsa:4096";
 				$opt .= " -keyout ${General::swroot}/private/cakey.pem";
 				$opt .= " -out ${General::swroot}/ca/cacert.pem";
@@ -1065,7 +1146,7 @@ END
 			print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 			close ($fh);
 
-			my $opt = " ca -md sha256 -days 999999";
+			my $opt = " ca -md sha256 -days 825";
 			$opt .= " -batch -notext";
 			$opt .= " -in ${General::swroot}/certs/hostreq.pem";
 			$opt .= " -out ${General::swroot}/certs/hostcert.pem";
@@ -1136,7 +1217,7 @@ END
 	}
 	print <<END
 		</select></td></tr>
-	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+	<tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
 	<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
 	<tr><td>&nbsp;</td>
 		<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
@@ -1163,7 +1244,7 @@ END
 
 	ROOTCERT_SUCCESS:
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S');
+		&General::system('/usr/local/bin/ipsecctrl', 'S');
 		sleep $sleepDelay;
 	}
 	ROOTCERT_SKIP:
@@ -1175,9 +1256,279 @@ END
 	print "Content-Type: application/force-download\n";
 	print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
 	print "Content-Type: application/octet-stream\r\n\r\n";
-	print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+
+	open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+	my @p12 = <FILE>;
+	close(FILE);
+	print "@p12";
+
 	exit (0);
 
+# Export Apple profile to browser
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
+	# Read global configuration
+	&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+	# Read connections
+	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+	my $key = $cgiparams{'KEY'};
+
+	# Create a UUID generator
+	my $uuid = Data::UUID->new();
+
+	my $uuid1 = $uuid->create_str();
+	my $uuid2 = $uuid->create_str();
+
+	my $ca = "";
+	my $ca_uuid = $uuid->create_str();
+
+	my $cert = "";
+	my $cert_uuid = $uuid->create_str();
+
+	# Read and encode the CA & certificate
+	if ($confighash{$key}[4] eq "cert") {
+		my $ca_path = "${General::swroot}/ca/cacert.pem";
+		my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
+
+		# Read the CA and encode it into Base64
+		open(CA, "<${ca_path}");
+		local($/) = undef; # slurp
+		$ca = MIME::Base64::encode_base64(<CA>);
+		close(CA);
+
+		# Read certificate and encode it into Base64
+		open(CERT, "<${cert_path}");
+		local($/) = undef; # slurp
+		$cert = MIME::Base64::encode_base64(<CERT>);
+		close(CERT);
+	}
+
+	print "Content-Type: application/octet-stream\n";
+	print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
+	print "\n"; # end headers
+
+	# Use our own FQDN if nothing else is configured
+	my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname();
+
+	print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
+	print "<plist version=\"1.0\">\n";
+	print "	<dict>\n";
+        print "		<key>PayloadDisplayName</key>\n";
+	print "		<string>$confighash{$key}[1]</string>\n";
+	print "		<key>PayloadIdentifier</key>\n";
+	print "		<string>$confighash{$key}[1]</string>\n";
+	print "		<key>PayloadUUID</key>\n";
+	print "		<string>${uuid1}</string>\n";
+	print "		<key>PayloadType</key>\n";
+	print "		<string>Configuration</string>\n";
+	print "		<key>PayloadVersion</key>\n";
+	print "		<integer>1</integer>\n";
+	print "		<key>PayloadContent</key>\n";
+	print "		<array>\n";
+	print "			<dict>\n";
+	print "				<key>PayloadIdentifier</key>\n";
+	print "				<string>org.example.vpn1.conf1</string>\n";
+	print "				<key>PayloadUUID</key>\n";
+	print "				<string>${uuid2}</string>\n";
+	print "				<key>PayloadType</key>\n";
+	print "				<string>com.apple.vpn.managed</string>\n";
+	print "				<key>PayloadVersion</key>\n";
+	print "				<integer>1</integer>\n";
+	print "				<key>UserDefinedName</key>\n";
+	print "				<string>$confighash{$key}[1]</string>\n";
+	print "				<key>VPNType</key>\n";
+	print "				<string>IKEv2</string>\n";
+	print "				<key>IKEv2</key>\n";
+	print "				<dict>\n";
+	print "					<key>RemoteAddress</key>\n";
+	print "					<string>$endpoint</string>\n";
+
+	# PFS
+	my $pfs = $confighash{$key}[28];
+	if ($pfs eq "on") {
+		print "					<key>EnablePFS</key>\n";
+		print "					<true/>\n";
+	}
+
+	# IKE Cipher Suite
+	print "					<key>IKESecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[18])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[19])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[20])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[16] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+	# ESP Cipher Suite
+	print "					<key>ChildSecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[21])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[22])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[23])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[17] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+
+	# Left ID
+	if ($confighash{$key}[9]) {
+		my $leftid = $confighash{$key}[9];
+
+		# Strip leading @ from FQDNs
+		if ($leftid =~ m/^@(.*)$/) {
+			$leftid = $1;
+		}
+
+		print "					<key>LocalIdentifier</key>\n";
+		print "					<string>$leftid</string>\n";
+	}
+
+	# Right ID
+	if ($confighash{$key}[7]) {
+		my $rightid = $confighash{$key}[7];
+
+		# Strip leading @ from FQDNs
+		if ($rightid =~ m/^@(.*)$/) {
+			$rightid = $1;
+		}
+
+		print "					<key>RemoteIdentifier</key>\n";
+		print "					<string>$rightid</string>\n";
+	}
+
+	if ($confighash{$key}[4] eq "cert") {
+		print "					<key>AuthenticationMethod</key>\n";
+		print "					<string>Certificate</string>\n";
+
+		print "					<key>PayloadCertificateUUID</key>\n";
+		print "					<string>${cert_uuid}</string>\n";
+	} else {
+		print "					<key>AuthenticationMethod</key>\n";
+		print "					<string>SharedSecret</string>\n";
+		print "					<key>SharedSecret</key>\n";
+		print "					<string>$confighash{$key}[5]</string>\n";
+	}
+
+	print "					<key>ExtendedAuthEnabled</key>\n";
+	print "					<integer>0</integer>\n";
+
+	# These are not needed, but we provide some default to stop iPhone asking for credentials
+	print "					<key>AuthName</key>\n";
+	print "					<string>$confighash{$key}[1]</string>\n";
+	print "					<key>AuthPassword</key>\n";
+	print "					<string></string>\n";
+	print "				</dict>\n";
+	print "			</dict>\n";
+
+	if ($confighash{$key}[4] eq "cert") {
+		print "			<dict>\n";
+		print "				<key>PayloadIdentifier</key>\n";
+		print "				<string>org.example.vpn1.client</string>\n";
+		print "				<key>PayloadDisplayName</key>\n";
+		print "				<string>$confighash{$key}[1]</string>\n";
+		print "				<key>PayloadUUID</key>\n";
+		print "				<string>${cert_uuid}</string>\n";
+		print "				<key>PayloadType</key>\n";
+		print "				<string>com.apple.security.pkcs12</string>\n";
+		print "				<key>PayloadVersion</key>\n";
+		print "				<integer>1</integer>\n";
+		print "				<key>PayloadContent</key>\n";
+		print "				<data>\n";
+
+		foreach (split /\n/,${cert}) {
+			print "					$_\n";
+		}
+
+		print "				</data>\n";
+		print "			</dict>\n";
+
+		print "			<dict>\n";
+		print "				<key>PayloadIdentifier</key>\n";
+		print "				<string>org.example.ca</string>\n";
+		print "				<key>PayloadUUID</key>\n";
+		print "				<string>${ca_uuid}</string>\n";
+		print "				<key>PayloadType</key>\n";
+		print "				<string>com.apple.security.root</string>\n";
+		print "				<key>PayloadVersion</key>\n";
+		print "				<integer>1</integer>\n";
+		print "				<key>PayloadContent</key>\n";
+		print "				<data>\n";
+
+		foreach (split /\n/,${ca}) {
+			print "					$_\n";
+		}
+
+		print "				</data>\n";
+		print "			</dict>\n";
+	}
+
+	print "		</array>\n";
+	print "	</dict>\n";
+	print "</plist>\n";
+
+	# Done
+	exit(0);
 ###
 ### Display certificate
 ###
@@ -1189,9 +1540,9 @@ END
 		&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 		&Header::openbigbox('100%', 'left', '', '');
 		&Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
-		my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
-		$output = &Header::cleanhtml($output,"y");
-		print "<pre>$output</pre>\n";
+		my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+		@output = &Header::cleanhtml(@output,"y");
+		print "<pre>@output</pre>\n";
 		&Header::closebox();
 		print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
 		&Header::closebigbox();
@@ -1208,7 +1559,12 @@ END
 	if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
-		print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+
+		open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+		my @pem = <FILE>;
+		close(FILE);
+		print "@pem";
+
 		exit (0);
 	}
 
@@ -1225,12 +1581,12 @@ END
 			$confighash{$cgiparams{'KEY'}}[0] = 'on';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
 		} else {
-			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 			$confighash{$cgiparams{'KEY'}}[0] = 'off';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
+			&General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		}
 		sleep $sleepDelay;
 	} else {
@@ -1246,7 +1602,7 @@ END
 
 	if ($confighash{$cgiparams{'KEY'}}) {
 		if (&vpnenabled) {
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
 			sleep $sleepDelay;
 		}
 	} else {
@@ -1261,12 +1617,12 @@ END
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 
 	if ($confighash{$cgiparams{'KEY'}}) {
-		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
 		delete $confighash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
+		&General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
 	}
@@ -1319,7 +1675,7 @@ END
 		$cgiparams{'TYPE'}				= $confighash{$cgiparams{'KEY'}}[3];
 		$cgiparams{'AUTH'}				= $confighash{$cgiparams{'KEY'}}[4];
 		$cgiparams{'PSK'}				= $confighash{$cgiparams{'KEY'}}[5];
-		#$cgiparams{'free'}				= $confighash{$cgiparams{'KEY'}}[6];
+		$cgiparams{'LOCAL'}				= $confighash{$cgiparams{'KEY'}}[6];
 		$cgiparams{'LOCAL_ID'}			= $confighash{$cgiparams{'KEY'}}[7];
 		my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
 		$cgiparams{'LOCAL_SUBNET'} 		= join(/\|/, @local_subnets);
@@ -1347,11 +1703,13 @@ END
 		$cgiparams{'DPD_TIMEOUT'}		= $confighash{$cgiparams{'KEY'}}[30];
 		$cgiparams{'DPD_DELAY'}			= $confighash{$cgiparams{'KEY'}}[31];
 		$cgiparams{'FORCE_MOBIKE'}		= $confighash{$cgiparams{'KEY'}}[32];
+		$cgiparams{'START_ACTION'}		= $confighash{$cgiparams{'KEY'}}[33];
 		$cgiparams{'INACTIVITY_TIMEOUT'}	= $confighash{$cgiparams{'KEY'}}[34];
 		$cgiparams{'MODE'}			= $confighash{$cgiparams{'KEY'}}[35];
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
@@ -1369,6 +1727,10 @@ END
 			$cgiparams{'MODE'} = "tunnel";
 		}
 
+		if ($cgiparams{'INTERFACE_MTU'} eq "") {
+			$cgiparams{'INTERFACE_MTU'} = 1500;
+		}
+
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 		$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 		if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1406,6 +1768,13 @@ END
 			goto VPNCONF_ERROR;
 		}
 
+		if ($cgiparams{'LOCAL'}) {
+			if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
+				$errormessage = $Lang::tr{'invalid input for local ip address'};
+				goto VPNCONF_ERROR;
+			}
+		}
+
 		if ($cgiparams{'REMOTE'}) {
 			if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
 				if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
@@ -1447,6 +1816,41 @@ END
 					goto VPNCONF_ERROR;
 				}
 			}
+
+			if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+				$errormessage = $Lang::tr{'invalid input for mode'};
+				goto VPNCONF_ERROR;
+			}
+
+			if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+				$errormessage = $Lang::tr{'invalid input for interface mode'};
+				goto VPNCONF_ERROR;
+			}
+
+			if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
+				$errormessage = $Lang::tr{'transport mode does not support vti'};
+				goto VPNCONF_ERROR;
+			}
+
+			if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+				$errormessage = $Lang::tr{'invalid input for interface address'};
+				goto VPNCONF_ERROR;
+			}
+
+			if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+				$errormessage = $Lang::tr{'invalid input for interface mtu'};
+				goto VPNCONF_ERROR;
+			}
+		}
+
+		if ($cgiparams{'TYPE'} eq 'host') {
+			my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+			foreach my $server (@servers) {
+				unless (&Network::check_ip_address($server)) {
+					$errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+					goto VPNCONF_ERROR;
+				}
+			}
 		}
 
 		if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
@@ -1501,7 +1905,7 @@ END
 			$errormessage = $Lang::tr{'cant change certificates'};
 			goto VPNCONF_ERROR;
 		}
-		if (ref ($cgiparams{'FH'}) ne 'Fh') {
+		unless (ref ($cgiparams{'FH'})) {
 			$errormessage = $Lang::tr{'there was no file upload'};
 			goto VPNCONF_ERROR;
 		}
@@ -1515,7 +1919,7 @@ END
 
 		# Sign the certificate request
 		&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
-		my $opt = " ca -md sha256 -days 999999";
+		my $opt = " ca -md sha256 -days 825";
 		$opt .= " -batch -notext";
 		$opt .= " -in $filename";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
@@ -1538,7 +1942,7 @@ END
 	} elsif ($cgiparams{'AUTH'} eq 'pkcs12') {
 		&General::log("ipsec", "Importing from p12...");
 
-		if (ref ($cgiparams{'FH'}) ne 'Fh') {
+		unless (ref ($cgiparams{'FH'})) {
 			$errormessage = $Lang::tr{'there was no file upload'};
 			goto ROOTCERT_ERROR;
 		}
@@ -1586,8 +1990,8 @@ END
 				unshift (@names,$cahash{$x}[0]);
 			}
 			if ($casubject) { # a new one!
-				my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
-				if ($temp !~ /CA:TRUE/i) {
+				my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "/tmp/newcacert");
+				if (! grep(/CA:TRUE/, @temp)) {
 					$errormessage = $Lang::tr{'not a valid ca certificate'};
 				} else {
 					#compute a name for it
@@ -1602,7 +2006,7 @@ END
 						$cahash{$key}[0] = $cgiparams{'CA_NAME'};
 						$cahash{$key}[1] = $casubject;
 						&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-						system('/usr/local/bin/ipsecctrl', 'R');
+						&General::system('/usr/local/bin/ipsecctrl', 'R');
 					}
 				}
 			}
@@ -1628,7 +2032,7 @@ END
 			$errormessage = $Lang::tr{'cant change certificates'};
 			goto VPNCONF_ERROR;
 		}
-		if (ref ($cgiparams{'FH'}) ne 'Fh') {
+		unless (ref ($cgiparams{'FH'})) {
 			$errormessage = $Lang::tr{'there was no file upload'};
 			goto VPNCONF_ERROR;
 		}
@@ -1642,12 +2046,12 @@ END
 		# Verify the certificate has a valid CA and move it
 		&General::log("ipsec", "Validating imported cert against our known CA...");
 		my $validca = 1; #assume ok
-		my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
-		if ($test !~ /: OK/) {
+		my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename");
+		if (! grep(/: OK/, @test)) {
 			my $validca = 0;
 			foreach my $key (keys %cahash) {
-				$test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
-				if ($test =~ /: OK/) {
+				@test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$key}[0]cert.pem", "$filename");
+				if (grep(/: OK/, @test)) {
 					$validca = 1;
 					last;
 				}
@@ -1788,7 +2192,7 @@ END
 		print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 		close ($fh);
 
-		my $opt = " ca -md sha256 -days 999999 -batch -notext";
+		my $opt = " ca -md sha256 -days 825 -batch -notext";
 		$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 		$opt .= " -extfile $v3extname";
@@ -1851,7 +2255,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1869,6 +2273,7 @@ END
 		my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
 		$confighash{$key}[11] = join('|', @remote_subnets);
 	}
+	$confighash{$key}[6] = $cgiparams{'LOCAL'};
 	$confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
 	my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
 	$confighash{$key}[8] = join('|', @local_subnets);
@@ -1895,20 +2300,21 @@ END
 	$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
 	$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+	$confighash{$key}[33] = $cgiparams{'START_ACTION'};
 	$confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
 	$confighash{$key}[35] = $cgiparams{'MODE'};
 	$confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
 	$confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
 	$confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+	$confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
 
 	# free unused fields!
-	$confighash{$key}[6] = 'off';
 	$confighash{$key}[15] = 'off';
 
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S', $key);
+		&General::system('/usr/local/bin/ipsecctrl', 'S', $key);
 		sleep $sleepDelay;
 	}
 	if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
@@ -1925,7 +2331,12 @@ END
 	} else {
 		$cgiparams{'AUTH'} = 'certgen';
 	}
-	$cgiparams{'LOCAL_SUBNET'}		= "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+	if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+		$cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+	} else {
+		$cgiparams{"LOCAL_SUBNET"} = "";
+	}
 	$cgiparams{'CERT_EMAIL'}		= $vpnsettings{'ROOTCERT_EMAIL'};
 	$cgiparams{'CERT_OU'}			= $vpnsettings{'ROOTCERT_OU'};
 	$cgiparams{'CERT_ORGANIZATION'}	= $vpnsettings{'ROOTCERT_ORGANIZATION'};
@@ -1964,11 +2375,11 @@ END
 	#use default advanced value
 	$cgiparams{'IKE_ENCRYPTION'}	= 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
 	$cgiparams{'IKE_INTEGRITY'}		= 'sha2_512|sha2_256'; #[19];
-	$cgiparams{'IKE_GROUPTYPE'}		= 'curve25519|4096|3072|2048'; #[20];
+	$cgiparams{'IKE_GROUPTYPE'}		= 'curve448|curve25519|4096|3072|2048'; #[20];
 	$cgiparams{'IKE_LIFETIME'}		= '3'; #[16];
 	$cgiparams{'ESP_ENCRYPTION'}	= 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
 	$cgiparams{'ESP_INTEGRITY'}		= 'sha2_512|sha2_256'; #[22];
-	$cgiparams{'ESP_GROUPTYPE'}		= 'curve25519|4096|3072|2048'; #[23];
+	$cgiparams{'ESP_GROUPTYPE'}		= 'curve448|curve25519|4096|3072|2048'; #[23];
 	$cgiparams{'ESP_KEYLIFE'}		= '1'; #[17];
 	$cgiparams{'COMPRESSION'}		= 'off'; #[13];
 	$cgiparams{'ONLY_PROPOSED'}		= 'on'; #[24];
@@ -1978,6 +2389,7 @@ END
 	$cgiparams{'INTERFACE_MODE'}        	= "";
 	$cgiparams{'INTERFACE_ADDRESS'}        	= "";
 	$cgiparams{'INTERFACE_MTU'}        	= 1500;
+	$cgiparams{'DNS_SERVERS'}        	= "";
 }
 
 VPNCONF_ERROR:
@@ -1997,6 +2409,23 @@ VPNCONF_ERROR:
 	$checked{'AUTH'}{'auth-dn'} = '';
 	$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
 
+	$selected{'MODE'}{'tunnel'} = '';
+	$selected{'MODE'}{'transport'} = '';
+	$selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+	$selected{'INTERFACE_MODE'}{''} = '';
+	$selected{'INTERFACE_MODE'}{'gre'} = '';
+	$selected{'INTERFACE_MODE'}{'vti'} = '';
+	$selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
+	$selected{'LOCAL'}{''} = '';
+	foreach my $alias (sort keys %aliases) {
+		my $address = $aliases{$alias}{'IPT'};
+
+		$selected{'LOCAL'}{$address} = '';
+	}
+	$selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'";
+
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2033,11 +2462,8 @@ VPNCONF_ERROR:
 	<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
 	<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
 	<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+	<input type='hidden' name='START_ACTION' value='$cgiparams{'START_ACTION'}' />
 	<input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
-	<input type='hidden' name='MODE' value='$cgiparams{'MODE'}' />
-	<input type='hidden' name='INTERFACE_MODE' value='$cgiparams{'INTERFACE_MODE'}' />
-	<input type='hidden' name='INTERFACE_ADDRESS' value='$cgiparams{'INTERFACE_ADDRESS'}' />
-	<input type='hidden' name='INTERFACE_MTU' value='$cgiparams{'INTERFACE_MTU'}' />
 END
 ;
 	if ($cgiparams{'KEY'}) {
@@ -2060,11 +2486,8 @@ END
 EOF
 	}
 
-	my $disabled;
-	my $blob;
-	if ($cgiparams{'TYPE'} eq 'host') {
-		$disabled = "disabled='disabled'";
-	} elsif ($cgiparams{'TYPE'} eq 'net') {
+	my $blob = "";
+	if ($cgiparams{'TYPE'} eq 'net') {
 		$blob = "<img src='/blob.gif' alt='*' />";
 	};
 
@@ -2074,26 +2497,64 @@ EOF
 	my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
 	my $remote_subnets = join(",", @remote_subnets);
 
-	print <<END
+	my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+	my $dns_servers = join(",", @dns_servers);
+
+	print <<END;
 	<tr>
 		<td width='20%'>$Lang::tr{'enabled'}</td>
 		<td width='30%'>
 			<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
 		</td>
-		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
-		<td width='30%'>
-			<input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
-		</td>
+		<td colspan="2"></td>
 	</tr>
 	<tr>
+		<td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td>
+		<td width='30%'>
+			<select name="LOCAL">
+				<option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option>
+END
+
+				foreach my $alias (sort keys %aliases) {
+					my $address = $aliases{$alias}{'IPT'};
+					print <<END;
+						<option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option>
+END
+				}
+
+	print <<END;
+			</select>
+		</td>
 		<td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
 		<td width='30%'>
 			<input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
 		</td>
-		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
+	</tr>
+	<tr>
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
 		<td width='30%'>
-			<input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
+			<input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
 		</td>
+END
+
+	if ($cgiparams{'TYPE'} eq "net") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
+		<td width='30%'>
+			<input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+		</td>
+END
+
+	} elsif ($cgiparams{'TYPE'} eq "host") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
+		<td width='30%'>
+			<input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
+		</td>
+END
+	}
+
+	print <<END;
 	</tr>
 	<tr>
 		<td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
@@ -2120,6 +2581,51 @@ END
 	print "</table>";
 	&Header::closebox();
 
+	if ($cgiparams{'TYPE'} eq 'net') {
+		&Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+		print <<EOF;
+		<table width='100%'>
+			<tbody>
+				<tr>
+					<td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+					<td width='30%'>
+						<select name='MODE'>
+							<option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+							<option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+						</select>
+					</td>
+					<td colspan='2'></td>
+				</tr>
+
+				<tr>
+					<td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+					<td width='30%'>
+						<select name='INTERFACE_MODE'>
+							<option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+							<option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+							<option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+						</select>
+					</td>
+
+					<td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+					<td width='30%'>
+						<input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+					</td>
+				</tr>
+
+				<tr>
+					<td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+					<td width='30%'>
+						<input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+					</td>
+					<td colspan='2'></td>
+				</tr>
+			</tbody>
+		</table>
+EOF
+		&Header::closebox();
+	}
+
 	if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
 		&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
 		print <<END
@@ -2254,7 +2760,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			goto ADVANCED_ERROR;
 		}
 		foreach my $val (@temp) {
-			if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
+			if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
 				$errormessage = $Lang::tr{'invalid input'};
 				goto ADVANCED_ERROR;
 			}
@@ -2263,8 +2769,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			$errormessage = $Lang::tr{'invalid input for ike lifetime'};
 			goto ADVANCED_ERROR;
 		}
-		if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
-			$errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
+		if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 24) {
+			$errormessage = $Lang::tr{'ike lifetime should be between 1 and 24 hours'};
 			goto ADVANCED_ERROR;
 		}
 		@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
@@ -2295,7 +2801,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			goto ADVANCED_ERROR;
 		}
 		foreach my $val (@temp) {
-			if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
+			if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
 				$errormessage = $Lang::tr{'invalid input'};
 				goto ADVANCED_ERROR;
 			}
@@ -2332,26 +2838,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			goto ADVANCED_ERROR;
 		}
 
-		if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
-			$errormessage = $Lang::tr{'invalid input for mode'};
-			goto ADVANCED_ERROR;
-		}
-
-		if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
-			$errormessage = $Lang::tr{'invalid input for interface mode'};
-			goto ADVANCED_ERROR;
-		}
-
-		if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
-			$errormessage = $Lang::tr{'invalid input for interface address'};
-			goto ADVANCED_ERROR;
-		}
-
-		if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
-			$errormessage = $Lang::tr{'invalid input for interface mtu'};
-			goto ADVANCED_ERROR;
-		}
-
 		$confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
 		$confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
 		$confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
@@ -2371,14 +2857,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		$confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 		$confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
 		$confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
-		$confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'MODE'};
-		$confighash{$cgiparams{'KEY'}}[36] = $cgiparams{'INTERFACE_MODE'};
-		$confighash{$cgiparams{'KEY'}}[37] = $cgiparams{'INTERFACE_ADDRESS'};
-		$confighash{$cgiparams{'KEY'}}[38] = $cgiparams{'INTERFACE_MTU'};
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
 		if (&vpnenabled) {
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
 			sleep $sleepDelay;
 		}
 		goto ADVANCED_END;
@@ -2408,6 +2890,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
@@ -2458,6 +2941,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
 	@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
 	foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+	$checked{'IKE_GROUPTYPE'}{'curve448'} = '';
 	$checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
 	$checked{'IKE_GROUPTYPE'}{'768'} = '';
 	$checked{'IKE_GROUPTYPE'}{'1024'} = '';
@@ -2497,6 +2981,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
 	@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
 	foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+	$checked{'ESP_GROUPTYPE'}{'curve448'} = '';
 	$checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
 	$checked{'ESP_GROUPTYPE'}{'768'} = '';
 	$checked{'ESP_GROUPTYPE'}{'1024'} = '';
@@ -2536,15 +3021,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	}
 	$selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected";
 
-	$selected{'MODE'}{'tunnel'} = '';
-	$selected{'MODE'}{'transport'} = '';
-	$selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
-
-	$selected{'INTERFACE_MODE'}{''} = '';
-	$selected{'INTERFACE_MODE'}{'gre'} = '';
-	$selected{'INTERFACE_MODE'}{'vti'} = '';
-	$selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
-
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2569,45 +3045,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	<input type='hidden' name='ADVANCED' value='yes' />
 	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
 
-	<table width="100%">
-		<tbody>
-			<tr>
-				<td width="15%">$Lang::tr{'mode'}:</td>
-				<td>
-					<select name='MODE'>
-						<option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
-						<option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
-					</select>
-				</td>
-				<td></td>
-			</tr>
-
-			<tr>
-				<td width="15%">$Lang::tr{'interface mode'}:</td>
-				<td>
-					<label></label>
-					<select name='INTERFACE_MODE'>
-						<option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
-						<option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
-						<option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
-					</select>
-				</td>
-				<td>
-					<label>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}</label>
-					<input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
-				</td>
-				<td>
-					<label>$Lang::tr{'mtu'}</label>
-					<input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
-				</td>
-			</tr>
-		</tbody>
-	</table>
-
-	<br><br>
-
-	<h2>$Lang::tr{'cryptographic settings'}</h2>
-
 	<table width='100%'>
 	<thead>
 		<tr>
@@ -2709,7 +3146,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			<td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
 			<td class='boldbase'>
 				<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
-					<option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
+					<option value='curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
+					<option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
 					<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
 					<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
 					<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -2731,7 +3169,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</td>
 			<td class='boldbase'>
 				<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
-					<option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
+					<option value='curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
+					<option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (128 bit)</option>
 					<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
 					<option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
 					<option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -2870,24 +3309,8 @@ EOF
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 	$cgiparams{'CA_NAME'} = '';
 
-	my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
-
-	# suggest a default name for this side
-	if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
-		if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
-			my $ipaddr = <IPADDR>;
-			close IPADDR;
-			chomp ($ipaddr);
-			$cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
-			if ($cgiparams{'VPN_IP'} eq '') {
-				$cgiparams{'VPN_IP'} = $ipaddr;
-			}
-		}
-	}
-	# no IP found, use %defaultroute
-	$cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
+	my @status = &General::system_output("/usr/local/bin/ipsecctrl", "I");
 
-	$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
 	$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
 
 	&Header::showhttpheaders();
@@ -2915,35 +3338,25 @@ EOF
 	print <<END
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	<table width='100%'>
-	<tr>
-	<td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
-	<td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
-	<td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
-	</tr>
-END
-;
-print <<END
-	<tr>
-	<td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}:&nbsp;<img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
-	<td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
-	</tr>
-	<tr>
-	<td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
-	<td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
-	</tr>
-</table>
-<br>
-<hr />
-<table width='100%'>
-<tr>
-	<td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
-	<td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
-</tr>
-<tr>
-	<td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' />&nbsp;</td>
-	<td class='base'>	<font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
-	<td></td>
-</tr>
+		<tr>
+			<td width='60%' class='base'>
+				$Lang::tr{'enabled'}
+			</td>
+			<td width="40%">
+				<input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
+			</td>
+		</tr>
+		<tr>
+			<td class='base' nowrap='nowrap' width="60%">$Lang::tr{'ipsec roadwarrior endpoint'}:</td>
+			<td width="40%"><input type='text' name='RW_ENDPOINT' value='$cgiparams{'RW_ENDPOINT'}' /></td>
+		</tr>
+		<tr>
+			<td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
+			<td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
+		</tr>
+		<tr>
+			<td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+		</tr>
 </table>
 END
 ;
@@ -2959,7 +3372,7 @@ END
 	<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
 	<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-	<th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
+	<th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th>
 	</tr>
 END
 ;
@@ -2996,6 +3409,7 @@ END
 		($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
 			$col1="bgcolor='${Header::colourgreen}'";
 			$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
+			last;
 		} elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) {
 			$col1="bgcolor='${Header::colourorange}'";
 			$active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>";
@@ -3059,6 +3473,22 @@ END
 	} else {
 		print "<td width='2%' $col>&nbsp;</td>";
 	}
+
+	# Apple Profile
+	if ($confighash{$key}[3] eq 'host') {
+		print <<END;
+		<td align='center' $col>
+			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+			<input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' />
+			<input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' />
+			<input type='hidden' name='KEY' value='$key' />
+			</form>
+		</td>
+END
+	} else {
+		print "<td width='2%' $col>&nbsp;</td>";
+	}
+
 	print <<END
 	<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -3313,24 +3743,24 @@ sub make_algos($$$$$) {
 
 					if ($grp =~ m/^e(.*)$/) {
 						push(@algo, "ecp$1");
-					} elsif ($grp =~ m/curve25519/) {
+					} elsif ($grp =~ m/curve(448|25519)/) {
 						push(@algo, "$grp");
 					} else {
 						push(@algo, "modp$grp");
 					}
 
-				} elsif ($mode eq "esp" && $pfs) {
+				} elsif ($mode eq "esp") {
 					my $is_aead = ($enc =~ m/[cg]cm/);
 
 					if (!$is_aead) {
 						push(@algo, $int);
 					}
 
-					if ($grp eq "none") {
+					if (!$pfs || $grp eq "none") {
 						# noop
 					} elsif ($grp =~ m/^e(.*)$/) {
 						push(@algo, "ecp$1");
-					} elsif ($grp =~ m/curve25519/) {
+					} elsif ($grp =~ m/curve(448|25519)/) {
 						push(@algo, "$grp");
 					} else {
 						push(@algo, "modp$grp");
@@ -3345,13 +3775,19 @@ sub make_algos($$$$$) {
 	return &array_unique(\@algos);
 }
 
-sub make_subnets($) {
+sub make_subnets($$) {
+	my $direction = shift;
 	my $subnets = shift;
 
 	my @nets = split(/\|/, $subnets);
 	my @cidr_nets = ();
 	foreach my $net (@nets) {
 		my $cidr_net = &General::ipcidr($net);
+
+		# Skip 0.0.0.0/0 for remote because this renders the
+		# while system inaccessible
+		next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
 		push(@cidr_nets, $cidr_net);
 	}