X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=177cdf4c27a798754f0f04326796c2723fcf09ea;hb=47a83092b5a6f2fa13d1c95de75b7bea4eb90da2;hp=c9c73274e7a395a620bb75e4e7e71d118dadc165;hpb=0c74362ec6004a33b44e502ff936757b2f688c3b;p=people%2Fteissler%2Fipfire-2.x.git diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index c9c73274e..2d9058d05 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -23,7 +23,7 @@ use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; - +use Sort::Naturally; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -58,21 +58,24 @@ my %mainsettings = (); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); + +my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); +my $blue_cidr = "# Blue not defined"; +if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { + $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); +} +my $orange_cidr = "# Orange not defined"; +if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { + $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); +} + $cgiparams{'ENABLED'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DBG_CRYPT'} = ''; -$cgiparams{'DBG_PARSING'} = ''; -$cgiparams{'DBG_EMITTING'} = ''; -$cgiparams{'DBG_CONTROL'} = ''; -$cgiparams{'DBG_KLIPS'} = ''; -$cgiparams{'DBG_DNS'} = ''; -$cgiparams{'DBG_NAT_T'} = ''; $cgiparams{'KEY'} = ''; $cgiparams{'TYPE'} = ''; $cgiparams{'ADVANCED'} = ''; -$cgiparams{'INTERFACE'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; @@ -100,6 +103,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = ''; $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; +$cgiparams{'RW_NET'} = ''; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -241,51 +245,16 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; - print CONF "config setup\n"; - #create an ipsec Interface for each 'enabled' ones - #loop trought configuration and add physical interfaces to the list - my $interfaces = "\tinterfaces=\""; - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED'); - $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN'); - $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE'); - $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE'); - } - print CONF $interfaces . "\"\n"; - - my $plutodebug = ''; # build debug list - map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '', - ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_KLIPS','DBG_DNS','DBG_NAT_T')); - $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'. - print CONF "\tklipsdebug=\"none\"\n"; - print CONF "\tplutodebug=\"$plutodebug\"\n"; - # deprecated in ipsec.conf version 2 - #print CONF "\tplutoload=%search\n"; - #print CONF "\tplutostart=%search\n"; - print CONF "\tuniqueids=yes\n"; - print CONF "\tnat_traversal=yes\n"; - print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne ''); - print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"; - print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - if (length($netsettings{'ORANGE_DEV'}) > 2) { - print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; - } - if (length($netsettings{'BLUE_DEV'}) > 2) { - print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; - } - foreach my $key (keys %lconfighash) { - if ($lconfighash{$key}[3] eq 'net') { - print CONF ",%v4:!$lconfighash{$key}[11]"; - } - } - print CONF "\n\n"; print CONF "conn %default\n"; - print CONF "\tkeyingtries=0\n"; - print CONF "\tdisablearrivalcheck=no\n"; + print CONF "\tkeyingtries=%forever\n"; + print CONF "\n"; + + # Add user includes to config file + print CONF "include /etc/ipsec.user.conf\n"; print CONF "\n"; + print SECRETS "include /etc/ipsec.user.secrets\n"; + if (-f "${General::swroot}/certs/hostkey.pem") { print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" } @@ -310,13 +279,15 @@ sub writeipsecfiles { print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute'); - print CONF "\tleftsubnet=$lconfighash{$key}[8]\n"; + my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); + print CONF "\tleftsubnet=$cidr_net\n"; + print CONF "\tleftfirewall=yes\n"; + print CONF "\tlefthostaccess=yes\n"; print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { - print CONF "\trightsubnet=$lconfighash{$key}[11]\n"; - print CONF "\trightnexthop=%defaultroute\n"; + my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); + print CONF "\trightsubnet=$cidr_net\n"; } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? print CONF "\trightsubnet=vhost:%no,%priv\n"; } @@ -331,6 +302,9 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; + # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { print CONF "\tike="; @@ -342,9 +316,16 @@ sub writeipsecfiles { foreach my $j (@ints) { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j-modp$k"; - } + + my @l = split("", $k); + if ($l[0] eq "e") { + shift @l; + print CONF "$i-$j-ecp".join("", @l); + } else { + print CONF "$i-$j-modp$k"; + } } + } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? print CONF "!\n"; @@ -356,11 +337,30 @@ sub writeipsecfiles { print CONF "\tesp="; my @encs = split('\|', $lconfighash{$key}[21]); my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[20]); my $comma = 0; foreach my $i (@encs) { foreach my $j (@ints) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; + my $modp = ""; + if ($pfs eq "on") { + foreach my $k (@groups) { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + if ($pfs eq "on") { + my @l = split("", $k); + if ($l[0] eq "e") { + $modp = ""; + } else { + $modp = "-modp$k"; + } + } else { + $modp = ""; + } + print CONF "$i-$j$modp"; + } + } else { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + print CONF "$i-$j"; + } } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? @@ -369,17 +369,17 @@ sub writeipsecfiles { print CONF "\n"; } } - if ($lconfighash{$key}[23]) { - print CONF "\tpfsgroup=$lconfighash{$key}[23]\n"; + + # IKE V1 or V2 + if (! $lconfighash{$key}[29]) { + $lconfighash{$key}[29] = "ikev1"; } + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; # Lifetimes print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); - # Aggresive mode - print CONF "\taggrmode=yes\n" if ($lconfighash{$key}[12] eq 'on'); - # Compression print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); @@ -388,9 +388,6 @@ sub writeipsecfiles { print CONF "\tdpdtimeout=120\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; - # Disable pfs ? - print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n"); - # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { @@ -413,6 +410,7 @@ sub writeipsecfiles { # Automatically start only if a net-to-net connection if ($lconfighash{$key}[3] eq 'host') { print CONF "\tauto=add\n"; + print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; } else { print CONF "\tauto=start\n"; } @@ -423,6 +421,12 @@ sub writeipsecfiles { close(SECRETS); } +# Hook to regenerate the configuration files. +if ($ENV{"REMOTE_ADDR"} eq "") { + writeipsecfiles(); + exit(0); +} + ### ### Save main settings ### @@ -439,24 +443,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } - unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999 - $errormessage = $Lang::tr{'vpn mtu invalid'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) { - $errormessage = $Lang::tr{'invalid input'}; + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { + $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; } - map ($vpnsettings{$_} = $cgiparams{$_}, - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_KLIPS','DBG_DNS','DBG_NAT_T')); - + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'}; - $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'}; + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); if (&vpnenabled) { @@ -577,6 +572,7 @@ END $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); + system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; @@ -997,6 +993,7 @@ END nsComment="OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always + extendedKeyUsage = serverAuth END ; print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); @@ -1263,8 +1260,8 @@ END $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; @@ -1273,7 +1270,6 @@ END $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12]; $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; @@ -1317,7 +1313,7 @@ END } if ($cgiparams{'REMOTE'}) { - if (! &General::validip($cgiparams{'REMOTE'})) { + if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { if (! &General::validfqdn ($cgiparams{'REMOTE'})) { $errormessage = $Lang::tr{'invalid input for remote host/ip'}; goto VPNCONF_ERROR; @@ -1361,15 +1357,15 @@ END # Allow nothing or a string (DN,FDQN,) beginning with @ # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) || - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) || + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) ) { $errormessage = $Lang::tr{'invalid local-remote id'} . '
' . 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*
' . 'FQDN: @ipfire.org
' . 'USER_FQDN: info@ipfire.org
' . - 'IPV4_ADDR: @123.123.123.123'; + 'IPV4_ADDR: 123.123.123.123'; goto VPNCONF_ERROR; } # If Auth is DN, verify existance of Remote ID. @@ -1380,6 +1376,14 @@ END goto VPNCONF_ERROR; } +#temporary disabled (BUG 10294) +# if ($cgiparams{'TYPE'} eq 'net'){ +# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'}); +# if ($errormessage ne ''){ +# goto VPNCONF_ERROR; +# } +# +# } if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -1766,8 +1770,9 @@ END $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[26] = $cgiparams{'INTERFACE'}; + $confighash{$key}[26] = ""; # Formerly INTERFACE $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; + $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; #dont forget advanced value $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; @@ -1778,7 +1783,7 @@ END $confighash{$key}[22] = $cgiparams{'ESP_INTEGRITY'}; $confighash{$key}[23] = $cgiparams{'ESP_GROUPTYPE'}; $confighash{$key}[17] = $cgiparams{'ESP_KEYLIFE'}; - $confighash{$key}[12] = $cgiparams{'AGGRMODE'}; + $confighash{$key}[12] = 'off'; # $cgiparams{'AGGRMODE'}; $confighash{$key}[13] = $cgiparams{'COMPRESSION'}; $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$key}[28] = $cgiparams{'PFS'}; @@ -1823,24 +1828,25 @@ END $cgiparams{'DPD_ACTION'} = 'restart'; } - # Default is yes for 'pfs' - $cgiparams{'PFS'} = 'on'; - + # Default IKE Version to v2 + if (!$cgiparams{'IKE_VERSION'}) { + $cgiparams{'IKE_VERSION'} = 'ikev2'; + } + # ID are empty $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; - $cgiparams{'AGGRMODE'} = 'off'; #[12]; - $cgiparams{'COMPRESSION'} = 'off'; #[13]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'VHOST'} = 'on'; #[14]; @@ -1863,17 +1869,15 @@ END $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - $selected{'INTERFACE'}{'RED'} = ''; - $selected{'INTERFACE'}{'ORANGE'} = ''; - $selected{'INTERFACE'}{'GREEN'} = ''; - $selected{'INTERFACE'}{'BLUE'} = ''; - $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'"; - $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -1902,7 +1906,6 @@ END - @@ -1932,41 +1935,44 @@ END $blob = "*"; }; - print "$Lang::tr{'host ip'}:"; - print ""; print < $Lang::tr{'remote host/ip'}: $blob - - - $Lang::tr{'local subnet'} - + + + $Lang::tr{'remote subnet'} - - - $Lang::tr{'vpn local id'}: * -
($Lang::tr{'eg'} @xy.example.com) + + + + + + $Lang::tr{'local subnet'} + + + + + + $Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com) - $Lang::tr{'vpn remote id'}: * + $Lang::tr{'vpn remote id'}:
+ $Lang::tr{'vpn keyexchange'}: + + $Lang::tr{'dpd action'}:   ? + - $Lang::tr{'remark title'} * @@ -1983,15 +1989,13 @@ END print < $Lang::tr{'use a pre-shared key'} - + END ; &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { - my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ; - $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled); my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; @@ -1999,9 +2003,9 @@ END &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print < - + $Lang::tr{'use a pre-shared key'} - +
$Lang::tr{'upload a certificate request'} @@ -2097,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2108,7 +2112,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2119,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2138,7 +2142,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2149,13 +2153,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && - $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) { + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ && + $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2170,7 +2175,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } if ( - ($cgiparams{'AGGRMODE'} !~ /^(|on|off)$/) || ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || ($cgiparams{'PFS'} !~ /^(|on|off)$/) || @@ -2188,7 +2192,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'}; - $confighash{$cgiparams{'KEY'}}[12] = $cgiparams{'AGGRMODE'}; + $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; @@ -2209,7 +2213,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12]; $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; @@ -2222,21 +2225,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ADVANCED_ERROR: $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; - $checked{'IKE_ENCRYPTION'}{'twofish256'} = ''; - $checked{'IKE_ENCRYPTION'}{'twofish128'} = ''; - $checked{'IKE_ENCRYPTION'}{'serpent256'} = ''; - $checked{'IKE_ENCRYPTION'}{'serpent128'} = ''; - $checked{'IKE_ENCRYPTION'}{'blowfish256'} = ''; - $checked{'IKE_ENCRYPTION'}{'blowfish128'} = ''; - $checked{'IKE_ENCRYPTION'}{'cast128'} = ''; my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; $checked{'IKE_INTEGRITY'}{'sha'} = ''; $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'IKE_GROUPTYPE'}{'768'} = ''; @@ -2249,32 +2248,26 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_GROUPTYPE'}{'8192'} = ''; @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + + # 768 is not supported by strongswan + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; - $checked{'ESP_ENCRYPTION'}{'twofish256'} = ''; - $checked{'ESP_ENCRYPTION'}{'twofish128'} = ''; - $checked{'ESP_ENCRYPTION'}{'serpent256'} = ''; - $checked{'ESP_ENCRYPTION'}{'serpent128'} = ''; - $checked{'ESP_ENCRYPTION'}{'blowfish256'} = ''; - $checked{'ESP_ENCRYPTION'}{'blowfish128'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; $checked{'ESP_INTEGRITY'}{'sha1'} = ''; $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'modp768'} = ''; - $checked{'ESP_GROUPTYPE'}{'modp1024'} = ''; - $checked{'ESP_GROUPTYPE'}{'modp1536'} = ''; - $checked{'ESP_GROUPTYPE'}{'modp2048'} = ''; - $checked{'ESP_GROUPTYPE'}{'modp3072'} = ''; - $checked{'ESP_GROUPTYPE'}{'modp4096'} = ''; $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'"; - $checked{'AGGRMODE'} = $cgiparams{'AGGRMODE'} eq 'on' ? "checked='checked'" : '' ; $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ; $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; @@ -2308,25 +2301,28 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'ike encryption'} $Lang::tr{'ike integrity'} $Lang::tr{'ike grouptype'} $Lang::tr{'ike lifetime'} @@ -2346,19 +2341,19 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'esp encryption'} $Lang::tr{'esp integrity'} + + + $Lang::tr{'esp grouptype'} IKE+ESP: $Lang::tr{'use only proposed settings'} - - - $Lang::tr{'vpn aggrmode'} $Lang::tr{'pfs yes no'} @@ -2415,7 +2407,7 @@ EOF &General::readhasharray("${General::swroot}/vpn/config", \%confighash); $cgiparams{'CA_NAME'} = ''; - my @status = `/usr/sbin/ipsec auto --status`; + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; # suggest a default name for this side if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { @@ -2433,11 +2425,7 @@ EOF $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ; - map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '', - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_KLIPS','DBG_DNS','DBG_NAT_T')); - + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); @@ -2459,13 +2447,6 @@ EOF $Lang::tr{'enabled'} -END - ; - print < - $Lang::tr{'override mtu'}: * - - END ; print <$Lang::tr{'vpn delayed start'}: ** + + $Lang::tr{'host to net vpn'}: * + + -

$Lang::tr{'vpn watch'}:

-

PLUTO DEBUG = -crypt:,  -parsing:,  -emitting:,  -control:,  -klips:,  -dns:,  -nat_t:

-
@@ -2516,7 +2491,7 @@ END ; my $id = 0; my $gif; - foreach my $key (keys %confighash) { + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { @@ -2525,7 +2500,7 @@ END print "\n"; } print ""; - print ""; + print ""; if ($confighash{$key}[2] eq '%auth-dn') { print ""; } elsif ($confighash{$key}[4] eq 'cert') { @@ -2537,7 +2512,9 @@ END # get real state my $active = "
$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]$confighash{$key}[9]
$Lang::tr{'capsclosed'}
"; foreach my $line (@status) { - if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) { + if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) + { $active = "
$Lang::tr{'capsopen'}
"; } }