X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=43d574ce5c95c0b9207aa7525956853ce93e2c0a;hb=cbb3a8f91e2e7aa220b5bc9e9773fa4547f0ce85;hp=91c12492eb7b05a22e7e04fc11eca017685e52ec;hpb=225140ae8fc9f3cedfb32729169f6d98875820ce;p=people%2Fteissler%2Fipfire-2.x.git
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 91c12492e..43d574ce5 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2011 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2013 IPFire Team info@ipfire.org #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -23,7 +23,7 @@ use Net::DNS;
use File::Copy;
use File::Temp qw/ tempfile tempdir /;
use strict;
-
+use Sort::Naturally;
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
@@ -61,11 +61,11 @@ my %mainsettings = ();
my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
my $blue_cidr = "# Blue not defined";
-if ($netsettings{'BLUE_DEV'}) {
+if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
$blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
}
my $orange_cidr = "# Orange not defined";
-if ($netsettings{'ORANGE_DEV'}) {
+if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
$orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
}
@@ -104,7 +104,8 @@ $cgiparams{'ROOTCERT_OU'} = '';
$cgiparams{'ROOTCERT_CITY'} = '';
$cgiparams{'ROOTCERT_STATE'} = '';
$cgiparams{'RW_NET'} = '';
-
+$cgiparams{'DPD_DELAY'} = '30';
+$cgiparams{'DPD_TIMEOUT'} = '120';
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
###
@@ -316,9 +317,16 @@ sub writeipsecfiles {
foreach my $j (@ints) {
foreach my $k (@groups) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j-modp$k";
- }
+
+ my @l = split("", $k);
+ if ($l[0] eq "e") {
+ shift @l;
+ print CONF "$i-$j-ecp".join("", @l);
+ } else {
+ print CONF "$i-$j-modp$k";
+ }
}
+ }
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
print CONF "!\n";
@@ -339,7 +347,12 @@ sub writeipsecfiles {
foreach my $k (@groups) {
if ($comma != 0) { print CONF ","; } else { $comma = 1; }
if ($pfs eq "on") {
- $modp = "-modp$k";
+ my @l = split("", $k);
+ if ($l[0] eq "e") {
+ $modp = "";
+ } else {
+ $modp = "-modp$k";
+ }
} else {
$modp = "";
}
@@ -372,10 +385,19 @@ sub writeipsecfiles {
print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
# Dead Peer Detection
- print CONF "\tdpddelay=30\n";
- print CONF "\tdpdtimeout=120\n";
print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
+ my $dpddelay = $lconfighash{$key}[30];
+ if (!$dpddelay) {
+ $dpddelay = 30;
+ }
+ print CONF "\tdpddelay=$dpddelay\n";
+ my $dpdtimeout = $lconfighash{$key}[31];
+ if (!$dpdtimeout) {
+ $dpdtimeout = 120;
+ }
+ print CONF "\tdpdtimeout=$dpdtimeout\n";
+
# Build Authentication details: LEFTid RIGHTid : PSK psk
my $psk_line;
if ($lconfighash{$key}[4] eq 'psk') {
@@ -411,7 +433,7 @@ sub writeipsecfiles {
# Hook to regenerate the configuration files.
if ($ENV{"REMOTE_ADDR"} eq "") {
- writeipsecfiles;
+ writeipsecfiles();
exit(0);
}
@@ -1262,6 +1284,16 @@ END
$cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
$cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
$cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
+ $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
+ $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+
+ if (!$cgiparams{'DPD_DELAY'}) {
+ $cgiparams{'DPD_DELAY'} = 30;
+ }
+
+ if (!$cgiparams{'DPD_TIMEOUT'}) {
+ $cgiparams{'DPD_TIMEOUT'} = 120;
+ }
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
@@ -1364,6 +1396,14 @@ END
goto VPNCONF_ERROR;
}
+#temporary disabled (BUG 10294)
+# if ($cgiparams{'TYPE'} eq 'net'){
+# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
+# if ($errormessage ne ''){
+# goto VPNCONF_ERROR;
+# }
+#
+# }
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
$errormessage = $Lang::tr{'pre-shared key is too short'};
@@ -1728,7 +1768,7 @@ END
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1768,6 +1808,8 @@ END
$confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'};
$confighash{$key}[28] = $cgiparams{'PFS'};
$confighash{$key}[14] = $cgiparams{'VHOST'};
+ $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
+ $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
#free unused fields!
$confighash{$key}[6] = 'off';
@@ -1808,6 +1850,14 @@ END
$cgiparams{'DPD_ACTION'} = 'restart';
}
+ if (!$cgiparams{'DPD_DELAY'}) {
+ $cgiparams{'DPD_DELAY'} = 30;
+ }
+
+ if (!$cgiparams{'DPD_TIMEOUT'}) {
+ $cgiparams{'DPD_TIMEOUT'} = 120;
+ }
+
# Default IKE Version to v2
if (!$cgiparams{'IKE_VERSION'}) {
$cgiparams{'IKE_VERSION'} = 'ikev2';
@@ -1820,12 +1870,12 @@ END
#use default advanced value
$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20];
- $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
+ $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
- $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
+ $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
@@ -1849,11 +1899,6 @@ END
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'DPD_ACTION'}{'clear'} = '';
- $selected{'DPD_ACTION'}{'hold'} = '';
- $selected{'DPD_ACTION'}{'restart'} = '';
- $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
-
$selected{'IKE_VERSION'}{'ikev1'} = '';
$selected{'IKE_VERSION'}{'ikev2'} = '';
$selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
@@ -1890,6 +1935,9 @@ END
+
+
+
END
;
if ($cgiparams{'KEY'}) {
@@ -1945,13 +1993,7 @@ END
-
$Lang::tr{'dpd action'}: |
-
- |
+ |
$Lang::tr{'remark title'} |
|
@@ -1976,8 +2018,6 @@ END
;
&Header::closebox();
} elsif (! $cgiparams{'KEY'}) {
- my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ;
- $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled);
my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
$cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
@@ -1985,9 +2025,9 @@ END
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <
- |
+
|
$Lang::tr{'use a pre-shared key'} |
- |
+ |
|
|
$Lang::tr{'upload a certificate request'} |
@@ -2083,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes128|3des)$/) {
+ if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
@@ -2105,7 +2145,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
@@ -2124,7 +2164,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes192|aes128|3des)$/) {
+ if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
@@ -2141,7 +2181,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
}
}
if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
- $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) {
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)(bp)?$/ &&
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|2048s(256|224|160)|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
@@ -2165,6 +2206,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
goto ADVANCED_ERROR;
}
+ if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for dpd delay'};
+ goto ADVANCED_ERROR;
+ }
+
+ if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for dpd timeout'};
+ goto ADVANCED_ERROR;
+ }
+
$confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
$confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
$confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
@@ -2178,6 +2229,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
$confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
$confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
+ $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
+ $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
if (&vpnenabled) {
@@ -2198,6 +2251,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
$cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
$cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
+ $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
+ $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+
+ if (!$cgiparams{'DPD_DELAY'}) {
+ $cgiparams{'DPD_DELAY'} = 30;
+ }
+
+ if (!$cgiparams{'DPD_TIMEOUT'}) {
+ $cgiparams{'DPD_TIMEOUT'} = 120;
+ }
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {
$cgiparams{'VHOST'} = 'off';
@@ -2209,6 +2272,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
$checked{'IKE_ENCRYPTION'}{'3des'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia128'} = '';
my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
$checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
@@ -2237,6 +2303,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia128'} = '';
@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
$checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
@@ -2254,6 +2323,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
$checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
+ $selected{'DPD_ACTION'}{'clear'} = '';
+ $selected{'DPD_ACTION'}{'hold'} = '';
+ $selected{'DPD_ACTION'}{'restart'} = '';
+ $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2279,91 +2353,180 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
+
+
+
+ $Lang::tr{'dead peer detection'}
+
+
+
+
+
+ ";
+ print <
+
+
+
+ |
+
+
+EOF
+
&Header::closebox();
&Header::closebigbox();
&Header::closepage();
@@ -2467,7 +2630,7 @@ END
;
my $id = 0;
my $gif;
- foreach my $key (keys %confighash) {
+ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) {