###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2011 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2013 IPFire Team info@ipfire.org #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
use File::Copy;
use File::Temp qw/ tempfile tempdir /;
use strict;
-
+use Sort::Naturally;
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
my $blue_cidr = "# Blue not defined";
-if ($netsettings{'BLUE_DEV'}) {
+if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
$blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
}
my $orange_cidr = "# Orange not defined";
-if ($netsettings{'ORANGE_DEV'}) {
+if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
$orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
}
flock CONF, 2;
flock SECRETS, 2;
print CONF "version 2\n\n";
- print CONF "config setup\n";
- print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
- print CONF "\n";
print CONF "conn %default\n";
print CONF "\tkeyingtries=%forever\n";
print CONF "\n";
foreach my $j (@ints) {
foreach my $k (@groups) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j-modp$k";
- }
+
+ my @l = split("", $k);
+ if ($l[0] eq "e") {
+ shift @l;
+ print CONF "$i-$j-ecp".join("", @l);
+ } else {
+ print CONF "$i-$j-modp$k";
+ }
}
+ }
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
print CONF "!\n";
foreach my $k (@groups) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
if ($pfs eq "on") {
- $modp = "-modp$k";
+ my @l = split("", $k);
+ if ($l[0] eq "e") {
+ $modp = "";
+ } else {
+ $modp = "-modp$k";
+ }
} else {
$modp = "";
}
# Hook to regenerate the configuration files.
if ($ENV{"REMOTE_ADDR"} eq "") {
- writeipsecfiles;
+ writeipsecfiles();
exit(0);
}
goto VPNCONF_ERROR;
}
+#temporary disabled (BUG 10294)
+# if ($cgiparams{'TYPE'} eq 'net'){
+# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
+# if ($errormessage ne ''){
+# goto VPNCONF_ERROR;
+# }
+#
+# }
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
$errormessage = $Lang::tr{'pre-shared key is too short'};
#use default advanced value
$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20];
- $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
+ $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
- $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
+ $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
;
&Header::closebox();
} elsif (! $cgiparams{'KEY'}) {
- my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ;
- $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled);
my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
$cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <<END
<table width='100%' cellpadding='0' cellspacing='5' border='0'>
- <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} $pskdisabled/></td>
+ <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
<td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
- <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
+ <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
<tr><td colspan='3' bgcolor='#000000'></td></tr>
<tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
<td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes128|3des)$/) {
+ if ($val !~ /^(aes256|aes192|aes128|3des)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
}
}
if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ &&
$cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
<td class='boldbase' align='right' valign='top'>$Lang::tr{'ike grouptype'}</td><td class='boldbase' valign='top'>
<select name='IKE_GROUPTYPE' multiple='multiple' size='4'>
+ <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521</option>
+ <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384</option>
+ <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256</option>
+ <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224</option>
+ <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192</option>
<option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
<option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
<option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
;
my $id = 0;
my $gif;
- foreach my $key (keys %confighash) {
+ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) {
projects / people / teissler / ipfire-2.x.git / blobdiff