From c7fe09c6ad71f455b95ecbb98203f31a77f2dd22 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 5 Mar 2020 13:17:03 +0000 Subject: [PATCH] vpnmain.cgi: Add field for roadwarrior endpoint This is the IP address or FQDN which will be written into Apple Configuration profiles as public peer address. Signed-off-by: Michael Tremer --- doc/language_issues.de | 2 ++ doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 ++ doc/language_issues.it | 2 ++ doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 ++ doc/language_missings | 16 ++++++++++++++++ html/cgi-bin/vpnmain.cgi | 21 ++++++++++++++++++++- langs/en/cgi-bin/en.pl | 2 ++ 12 files changed, 56 insertions(+), 1 deletion(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 460fe62cac..6f03e30a6f 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -889,6 +889,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional diff --git a/doc/language_issues.en b/doc/language_issues.en index f093781c6e..33c4a1cfb7 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1144,9 +1144,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: iptmangles = IPTable Mangles diff --git a/doc/language_issues.es b/doc/language_issues.es index 5282a66d4b..efd020c648 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1227,9 +1227,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index aa35ebd708..63dbc78fc5 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -924,6 +924,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index d26afef65c..51c5286455 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1066,8 +1066,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 75523b52f5..3e737f8803 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -1075,8 +1075,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 1afab9f14a..b9429d4f4b 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1232,9 +1232,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.ru b/doc/language_issues.ru index ed0e78f0ba..d2cf8bc762 100644 
--- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1230,9 +1230,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c8aadd6f17..a574c9aafc 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1002,8 +1002,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit 
diff --git a/doc/language_missings b/doc/language_missings index 70efc4ad75..f34b9d634d 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -40,6 +40,8 @@ < g.dtm < g.lite < insert removable device +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < netbios nameserver daemon < no entries < notes @@ -541,10 +543,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -925,6 +929,8 @@ < download apple profile < g.dtm < g.lite +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < upload fcdsl.o < zoneconf val vlan tag range error ############################################################################ @@ -1139,8 +1145,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -1550,8 +1558,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -2284,10 +2294,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit 
@@ -3179,10 +3191,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -3641,8 +3655,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 601fc74927..8c6fc193ad 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -26,6 +26,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Sort::Naturally; +use Sys::Hostname; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -112,6 +113,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = ''; $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; +$cgiparams{'RW_ENDPOINT'} = ''; $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; 
@@ -507,12 +509,18 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) { + $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'}; + goto SAVE_ERROR; + } + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; } $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); @@ -1182,6 +1190,10 @@ END # Export Apple profile to browser } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + # Read global configuration + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + + # Read connections &General::readhasharray("${General::swroot}/vpn/config", \%confighash); my $key = $cgiparams{'KEY'}; @@ -1209,6 +1221,9 @@ END print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; print "\n"; # end headers + # Use our own FQDN if nothing else is configured + my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname(); + print "\n"; print "\n"; print " \n"; @@ -1240,7 +1255,7 @@ END print " IKEv2\n"; print " \n"; print " RemoteAddress\n"; - print " 18.206.152.26\n"; + print " $endpoint\n"; # Left ID if ($confighash{$key}[9]) { @@ -3081,6 +3096,10 @@ EOF + + $Lang::tr{'ipsec roadwarrior endpoint'}: + + $Lang::tr{'host to net vpn'}: diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b7cbea6324..87ffd269a7 100644 --- a/langs/en/cgi-bin/en.pl 
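Review bot: When the new `RW_ENDPOINT` check fails, `goto SAVE_ERROR` leaves the rejected raw value in `$cgiparams{'RW_ENDPOINT'}`. The settings form added later in this patch presumably renders that variable back into the page, but its markup is not visible here, so confirm the value is HTML-escaped before it is displayed. The check also accepts an empty value on purpose, which deserves a comment such as `# Optional: if empty, the Apple profile falls back to the system hostname`. As a style point, this condition uses `&&` and `!` while the neighbouring `RW_NET` check uses `and`. The enclosing `if` block continues past the end of the hunk.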
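Review bot: `hostname()` from Sys::Hostname is not guaranteed to return a fully qualified name, so the fallback in `my $endpoint = ...` can put a short or internal-only name into the profile even though the comment says "our own FQDN". A profile built that way would carry a peer address that clients may not be able to resolve from outside, and nothing tells the administrator that `RW_ENDPOINT` was never set. The headers have already been ended by `print "\n"; # end headers` just above, so a problem with the endpoint can no longer be reported as an error page; resolving `$endpoint` before the `Content-Disposition` line would allow that. At minimum, reword the comment to `# Fall back to the system hostname (may not be a public FQDN) if no endpoint is configured` and call the function as `hostname()` rather than `&hostname()`.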
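Review bot: `$endpoint` is interpolated into the generated profile in `print " $endpoint\n";` without any XML escaping (the surrounding element tags appear to have been lost in this rendering). The value is validated only when it is saved through the form, while this branch reads it back from the settings file or takes it from `hostname()`, neither of which is re-checked here. Escaping at the point of output keeps the profile well-formed regardless of how the stored value got there, for example `$endpoint =~ s/&/&amp;/g; $endpoint =~ s/</&lt;/g; $endpoint =~ s/>/&gt;/g;` before the print. Re-running `&General::validip` / `&General::validfqdn` on the value before use would be an alternative. The enclosing `elsif` branch starts and ends outside this hunk.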
+++ b/langs/en/cgi-bin/en.pl @@ -1550,10 +1550,12 @@ 'ipsec interface mode gre' => 'GRE', 'ipsec interface mode none' => '- None (Default) -', 'ipsec interface mode vti' => 'VTI', +'ipsec invalid ip address or fqdn for rw endpoint' => 'Invalid IP address or FQDN for Host-to-Net Endpoint', 'ipsec mode transport' => 'Transport', 'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', +'ipsec roadwarrior endpoint' => 'Host-to-Net Endpoint', 'ipsec routing table entries' => 'IPsec Routing Table Entries', 'ipsec settings' => 'IPsec Settings', 'iptable rules' => 'IPTable rules', -- 2.39.2