X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=fb0af104f8d4071d1af55d021a79656fe810d3b3;hb=f8384fbf8de3406174dd54a4f22d0900b7fbe6dd;hp=a52b4d64d9b48d84babe8ec8d1220e4b3d4ddd01;hpb=568a227bd318c743225d90c8d93559d04ac72a8f;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index a52b4d64d9..fb0af104f8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,11 +19,14 @@ # # ############################################################################### +use Data::UUID; +use MIME::Base64; use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Sort::Naturally; +use Sys::Hostname; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -54,20 +57,10 @@ my $errormessage = ''; my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); -my $blue_cidr = "# Blue not defined"; -if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { - $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); -} -my $orange_cidr = "# Orange not defined"; -if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { - $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); -} - my %INACTIVITY_TIMEOUTS = ( 300 => $Lang::tr{'five minutes'}, 600 => $Lang::tr{'ten minutes'}, @@ -79,6 +72,10 @@ my %INACTIVITY_TIMEOUTS = ( 0 => "- $Lang::tr{'unlimited'} -", ); +# Load aliases +my %aliases; +&General::get_aliases(\%aliases); + my $col=""; $cgiparams{'ENABLED'} = 'off'; @@ -91,6 +88,7 @@ $cgiparams{'ADVANCED'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; +$cgiparams{'LOCAL'} = ''; $cgiparams{'REMOTE'} = ''; $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; @@ -115,14 +113,49 @@ $cgiparams{'ROOTCERT_EMAIL'} = ''; $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; +$cgiparams{'RW_ENDPOINT'} = ''; $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; $cgiparams{'FORCE_MOBIKE'} = 'off'; -$cgiparams{'START_ACTION'} = 'start'; -$cgiparams{'INACTIVITY_TIMEOUT'} = 900; +$cgiparams{'START_ACTION'} = 'route'; +$cgiparams{'INACTIVITY_TIMEOUT'} = 1800; +$cgiparams{'MODE'} = "tunnel"; +$cgiparams{'INTERFACE_MODE'} = ""; +$cgiparams{'INTERFACE_ADDRESS'} = ""; +$cgiparams{'INTERFACE_MTU'} = 1500; +$cgiparams{'DNS_SERVERS'} = ""; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); +my %APPLE_CIPHERS = ( + "aes256gcm128" => "AES-256-GCM", + "aes128gcm128" => "AES-128-GCM", + "aes256" => "AES-256", + "aes128" => "AES-128", + "3des" => "3DES", +); + +my %APPLE_INTEGRITIES = ( + "sha2_512" => "SHA2-512", + "sha2_384" => "SHA2-384", + "sha2_256" => "SHA2-256", + "sha1" => "SHA1-160", +); + +my %APPLE_DH_GROUPS = ( + "768" => 1, + "1024" => 2, + "1536" => 5, + "2048" => 14, + "3072" => 15, + "4096" => 16, + "6144" => 17, + "8192" => 18, + "e256" => 19, + "e384" => 20, + "e521" => 21, +); + ### ### Useful functions ### @@ -159,7 +192,12 @@ sub cleanssldatabase { print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); unlink ("${General::swroot}/certs/01.pem"); } @@ -170,9 +208,15 @@ sub newcleanssldatabase { close FILE; } if (! -s ">${General::swroot}/certs/index.txt") { - system ("touch ${General::swroot}/certs/index.txt"); + open(FILE, ">${General::swroot}/certs/index.txt"); + close(FILE); + } + if (! -s ">${General::swroot}/certs/index.txt.attr") { + open(FILE, ">${General::swroot}/certs/index.txt.attr"); + close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); # unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } @@ -281,26 +325,49 @@ sub writeipsecfiles { #remote peer is not set? => use '%any' $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); + # Field 6 might be "off" on old installations + if ($lconfighash{$key}[6] eq "off") { + $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"}; + } + my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; + if ($lconfighash{$key}[6]) { + $localside = $lconfighash{$key}[6]; + } else { + $localside = "%defaultroute"; } + my $interface_mode = $lconfighash{$key}[36]; + print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n"; + + if ($interface_mode eq "gre") { + print CONF "\tleftprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\tleftsubnet=0.0.0.0/0\n"; + } else { + print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n"; + } + print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; + + # Always send the host certificate + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tleftsendcert=always\n"; + } + print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { - print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n"; + if ($interface_mode eq "gre") { + print CONF "\trightprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\trightsubnet=0.0.0.0/0\n"; + } else { + print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n"; + } } # Local Cert and Remote Cert (unless auth is DN dn-auth) @@ -313,6 +380,18 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Set mode + if ($lconfighash{$key}[35] eq "transport") { + print CONF "\ttype=transport\n"; + } else { + print CONF "\ttype=tunnel\n"; + } + + # Add mark for VTI + if ($interface_mode eq "vti") { + print CONF "\tmark=$key\n"; + } + # Is PFS enabled? my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; @@ -436,17 +515,18 @@ sub writeipsecfiles { if ($start_action eq 'route' && $inactivity_timeout > 0) { print CONF "\tinactivity=$inactivity_timeout\n"; } - - # Restart the connection immediately when it has gone down - # unexpectedly - if ($start_action eq 'start') { - print CONF "\tcloseaction=restart\n"; - } } # Fragmentation print CONF "\tfragmentation=yes\n"; + # DNS Servers for RW + if ($lconfighash{$key}[3] eq 'host') { + my @servers = split(/\|/, $lconfighash{$key}[39]); + + print CONF "\trightdns=" . join(",", @servers) . "\n"; + } + print CONF "\n"; } #foreach key @@ -474,14 +554,8 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; + if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) { + $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'}; goto SAVE_ERROR; } @@ -491,15 +565,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; + $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); + &General::system('/usr/local/bin/ipsecctrl', 'S'); } else { - system('/usr/local/bin/ipsecctrl', 'D'); + &General::system('/usr/local/bin/ipsecctrl', 'D'); } sleep $sleepDelay; SAVE_ERROR: @@ -524,7 +597,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; ### @@ -586,7 +659,7 @@ END } } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto UPLOADCA_ERROR; } @@ -602,8 +675,7 @@ END unlink ($filename); goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { + unless(move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); goto UPLOADCA_ERROR; @@ -615,7 +687,7 @@ END $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; UPLOADCA_ERROR: @@ -631,8 +703,8 @@ END &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; @@ -653,7 +725,9 @@ END print "Content-Type: application/force-download\n"; print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + print "@cert"; exit(0); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -668,21 +742,21 @@ END if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { # Delete connection - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + &General::system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); } } unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; } else { $errormessage = $Lang::tr{'invalid key'}; @@ -697,8 +771,8 @@ END my $assignedcerts = 0; if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { $assignedcerts++; } } @@ -734,7 +808,7 @@ END unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; } } else { @@ -746,18 +820,18 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; + my @output; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/cacert.pem"); } else { &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/hostcert.pem"); } - $output = &Header::cleanhtml($output,"y"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; @@ -772,7 +846,9 @@ END if ( -f "${General::swroot}/ca/cacert.pem" ) { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/cacert.pem"); + print join("", @cert); exit(0); } ### @@ -782,7 +858,9 @@ END if ( -f "${General::swroot}/certs/hostcert.pem" ) { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/certs/hostcert.pem"); + print join("", @cert); exit(0); } ### @@ -804,15 +882,17 @@ END close IPADDR; chomp ($ipaddr); $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'}; if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'}; } } $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { &General::log("ipsec", "Importing from p12..."); - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto ROOTCERT_ERROR; } @@ -866,20 +946,23 @@ END if (!$errormessage) { &General::log("ipsec", "Moving cacert..."); - move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } if (!$errormessage) { &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } if (!$errormessage) { &General::log("ipsec", "Moving private key..."); - move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } #cleanup temp files @@ -957,6 +1040,11 @@ END # IP: an IP address # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com + if ($cgiparams{'SUBJECTALTNAME'} eq '') { + $errormessage = $Lang::tr{'vpn subjectaltname missing'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { $errormessage = $Lang::tr{'vpn altname syntax'}; goto VPNCONF_ERROR; @@ -982,7 +1070,7 @@ END &General::log("ipsec", "Creating cacert..."); if (open(STDIN, "-|")) { my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; + $opt .= " -days 3650"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/private/cakey.pem"; $opt .= " -out ${General::swroot}/ca/cacert.pem"; @@ -1040,7 +1128,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in ${General::swroot}/certs/hostreq.pem"; $opt .= " -out ${General::swroot}/certs/hostcert.pem"; @@ -1111,7 +1199,7 @@ END } print < - $Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) + $Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) *  


@@ -1138,7 +1226,7 @@ END ROOTCERT_SUCCESS: if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); + &General::system('/usr/local/bin/ipsecctrl', 'S'); sleep $sleepDelay; } ROOTCERT_SKIP: @@ -1150,9 +1238,279 @@ END print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + + open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + my @p12 = ; + close(FILE); + print join("", @p12); + exit (0); +# Export Apple profile to browser +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + # Read global configuration + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + + # Read connections + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + my $key = $cgiparams{'KEY'}; + + # Create a UUID generator + my $uuid = Data::UUID->new(); + + my $uuid1 = $uuid->create_str(); + my $uuid2 = $uuid->create_str(); + + my $ca = ""; + my $ca_uuid = $uuid->create_str(); + + my $cert = ""; + my $cert_uuid = $uuid->create_str(); + + # Read and encode the CA & certificate + if ($confighash{$key}[4] eq "cert") { + my $ca_path = "${General::swroot}/ca/cacert.pem"; + my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12"; + + # Read the CA and encode it into Base64 + open(CA, "<${ca_path}"); + local($/) = undef; # slurp + $ca = MIME::Base64::encode_base64(); + close(CA); + + # Read certificate and encode it into Base64 + open(CERT, "<${cert_path}"); + local($/) = undef; # slurp + $cert = MIME::Base64::encode_base64(); + close(CERT); + } + + print "Content-Type: application/octet-stream\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; + print "\n"; # end headers + + # Use our own FQDN if nothing else is configured + my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname(); + + print "\n"; + print "\n"; + print " \n"; + print " PayloadDisplayName\n"; + print " $confighash{$key}[1]\n"; + print " PayloadIdentifier\n"; + print " $confighash{$key}[1]\n"; + print " PayloadUUID\n"; + print " ${uuid1}\n"; + print " PayloadType\n"; + print " Configuration\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.vpn1.conf1\n"; + print " PayloadUUID\n"; + print " ${uuid2}\n"; + print " PayloadType\n"; + print " com.apple.vpn.managed\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " UserDefinedName\n"; + print " $confighash{$key}[1]\n"; + print " VPNType\n"; + print " IKEv2\n"; + print " IKEv2\n"; + print " \n"; + print " RemoteAddress\n"; + print " $endpoint\n"; + + # PFS + my $pfs = $confighash{$key}[28]; + if ($pfs eq "on") { + print " EnablePFS\n"; + print " \n"; + } + + # IKE Cipher Suite + print " IKESecurityAssociationParameters\n"; + print " \n"; + + # Encryption + foreach my $cipher (split(/\|/,$confighash{$key}[18])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " EncryptionAlgorithm\n"; + print " $APPLE_CIPHERS{$cipher}\n"; + last; + } + + # Integrity + foreach my $integrity (split(/\|/,$confighash{$key}[19])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " IntegrityAlgorithm\n"; + print " $APPLE_INTEGRITIES{$integrity}\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/\|/,$confighash{$key}[20])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " DiffieHellmanGroup\n"; + print " $APPLE_DH_GROUPS{$group}\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[16] * 60; + print " LifeTimeInMinutes\n"; + print " $lifetime\n"; + print " \n"; + + # ESP Cipher Suite + print " ChildSecurityAssociationParameters\n"; + print " \n"; + + # Encryption + foreach my $cipher (split(/\|/,$confighash{$key}[21])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " EncryptionAlgorithm\n"; + print " $APPLE_CIPHERS{$cipher}\n"; + last; + } + + # Integrity + foreach my $integrity (split(/\|/,$confighash{$key}[22])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " IntegrityAlgorithm\n"; + print " $APPLE_INTEGRITIES{$integrity}\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/\|/,$confighash{$key}[23])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " DiffieHellmanGroup\n"; + print " $APPLE_DH_GROUPS{$group}\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[17] * 60; + print " LifeTimeInMinutes\n"; + print " $lifetime\n"; + print " \n"; + + + # Left ID + if ($confighash{$key}[9]) { + my $leftid = $confighash{$key}[9]; + + # Strip leading @ from FQDNs + if ($leftid =~ m/^@(.*)$/) { + $leftid = $1; + } + + print " LocalIdentifier\n"; + print " $leftid\n"; + } + + # Right ID + if ($confighash{$key}[7]) { + my $rightid = $confighash{$key}[7]; + + # Strip leading @ from FQDNs + if ($rightid =~ m/^@(.*)$/) { + $rightid = $1; + } + + print " RemoteIdentifier\n"; + print " $rightid\n"; + } + + if ($confighash{$key}[4] eq "cert") { + print " AuthenticationMethod\n"; + print " Certificate\n"; + + print " PayloadCertificateUUID\n"; + print " ${cert_uuid}\n"; + } else { + print " AuthenticationMethod\n"; + print " SharedSecret\n"; + print " SharedSecret\n"; + print " $confighash{$key}[5]\n"; + } + + print " ExtendedAuthEnabled\n"; + print " 0\n"; + + # These are not needed, but we provide some default to stop iPhone asking for credentials + print " AuthName\n"; + print " $confighash{$key}[1]\n"; + print " AuthPassword\n"; + print " \n"; + print " \n"; + print " \n"; + + if ($confighash{$key}[4] eq "cert") { + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.vpn1.client\n"; + print " PayloadDisplayName\n"; + print " $confighash{$key}[1]\n"; + print " PayloadUUID\n"; + print " ${cert_uuid}\n"; + print " PayloadType\n"; + print " com.apple.security.pkcs12\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + + foreach (split /\n/,${cert}) { + print " $_\n"; + } + + print " \n"; + print " \n"; + + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.ca\n"; + print " PayloadUUID\n"; + print " ${ca_uuid}\n"; + print " PayloadType\n"; + print " com.apple.security.root\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + + foreach (split /\n/,${ca}) { + print " $_\n"; + } + + print " \n"; + print " \n"; + } + + print " \n"; + print " \n"; + print "\n"; + + # Done + exit(0); ### ### Display certificate ### @@ -1164,8 +1522,8 @@ END &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print ""; @@ -1183,7 +1541,12 @@ END if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + + open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my @pem = ; + close(FILE); + print "@pem"; + exit (0); } @@ -1200,12 +1563,12 @@ END $confighash{$cgiparams{'KEY'}}[0] = 'on'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); } else { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); $confighash{$cgiparams{'KEY'}}[0] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } sleep $sleepDelay; } else { @@ -1221,7 +1584,7 @@ END if ($confighash{$cgiparams{'KEY'}}) { if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); sleep $sleepDelay; } } else { @@ -1236,12 +1599,12 @@ END &General::readhasharray("${General::swroot}/vpn/config", \%confighash); if ($confighash{$cgiparams{'KEY'}}) { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); delete $confighash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } else { $errormessage = $Lang::tr{'invalid key'}; } @@ -1294,7 +1657,7 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); $cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets); @@ -1322,7 +1685,13 @@ END $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1336,6 +1705,14 @@ END $cgiparams{'INACTIVITY_TIMEOUT'} = 900; } + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } + + if ($cgiparams{'INTERFACE_MTU'} eq "") { + $cgiparams{'INTERFACE_MTU'} = 1500; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { @@ -1373,6 +1750,13 @@ END goto VPNCONF_ERROR; } + if ($cgiparams{'LOCAL'}) { + if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) { + $errormessage = $Lang::tr{'invalid input for local ip address'}; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'REMOTE'}) { if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { if (! &General::validfqdn ($cgiparams{'REMOTE'})) { @@ -1414,6 +1798,41 @@ END goto VPNCONF_ERROR; } } + + if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) { + $errormessage = $Lang::tr{'invalid input for mode'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) { + $errormessage = $Lang::tr{'invalid input for interface mode'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) { + $errormessage = $Lang::tr{'transport mode does not support vti'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) { + $errormessage = $Lang::tr{'invalid input for interface address'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for interface mtu'}; + goto VPNCONF_ERROR; + } + } + + if ($cgiparams{'TYPE'} eq 'host') { + my @servers = split(",", $cgiparams{'DNS_SERVERS'}); + foreach my $server (@servers) { + unless (&Network::check_ip_address($server)) { + $errormessage = $Lang::tr{'ipsec dns server address is invalid'}; + goto VPNCONF_ERROR; + } + } } if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { @@ -1468,7 +1887,7 @@ END $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -1482,7 +1901,7 @@ END # Sign the certificate request &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; @@ -1505,7 +1924,7 @@ END } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { &General::log("ipsec", "Importing from p12..."); - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto ROOTCERT_ERROR; } @@ -1553,8 +1972,8 @@ END unshift (@names,$cahash{$x}[0]); } if ($casubject) { # a new one! - my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; - if ($temp !~ /CA:TRUE/i) { + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "/tmp/newcacert"); + if (! grep(/CA:TRUE/, @temp)) { $errormessage = $Lang::tr{'not a valid ca certificate'}; } else { #compute a name for it @@ -1562,22 +1981,26 @@ END while (grep(/Imported-$idx/, @names) ) {$idx++}; $cgiparams{'CA_NAME'}="Imported-$idx"; $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); - move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + + unless(move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } + if (!$errormessage) { my $key = &General::findhasharraykey (\%cahash); $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); } } } } if (!$errormessage) { &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } #cleanup temp files @@ -1595,7 +2018,7 @@ END $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -1609,12 +2032,12 @@ END # Verify the certificate has a valid CA and move it &General::log("ipsec", "Validating imported cert against our known CA..."); my $validca = 1; #assume ok - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; - if ($test !~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename"); + if (! grep(/: OK/, @test)) { my $validca = 0; foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { + @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$key}[0]cert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; last; } @@ -1625,9 +2048,8 @@ END unlink ($filename); goto VPNCONF_ERROR; } else { - move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unless (move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'} ($filename): $!"; unlink ($filename); goto VPNCONF_ERROR; } @@ -1755,7 +2177,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -md sha256 -days 999999 -batch -notext"; + my $opt = " ca -md sha256 -days 825 -batch -notext"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -extfile $v3extname"; @@ -1818,7 +2240,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1836,6 +2258,7 @@ END my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); $confighash{$key}[11] = join('|', @remote_subnets); } + $confighash{$key}[6] = $cgiparams{'LOCAL'}; $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); $confighash{$key}[8] = join('|', @local_subnets); @@ -1862,16 +2285,21 @@ END $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; + $confighash{$key}[33] = $cgiparams{'START_ACTION'}; $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'}; + $confighash{$key}[35] = $cgiparams{'MODE'}; + $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; + $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; + $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'}; + $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'})); # free unused fields! - $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $key); + &General::system('/usr/local/bin/ipsecctrl', 'S', $key); sleep $sleepDelay; } if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { @@ -1888,7 +2316,12 @@ END } else { $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + + if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) { + $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'}; + } else { + $cgiparams{"LOCAL_SUBNET"} = ""; + } $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; @@ -1925,18 +2358,23 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = 'curve448|curve448|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; + $cgiparams{'ESP_GROUPTYPE'} = 'curve448|curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'off'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'INACTIVITY_TIMEOUT'} = 900; + $cgiparams{'MODE'} = "tunnel"; + $cgiparams{'INTERFACE_MODE'} = ""; + $cgiparams{'INTERFACE_ADDRESS'} = ""; + $cgiparams{'INTERFACE_MTU'} = 1500; + $cgiparams{'DNS_SERVERS'} = ""; } VPNCONF_ERROR: @@ -1956,6 +2394,23 @@ VPNCONF_ERROR: $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + + $selected{'INTERFACE_MODE'}{''} = ''; + $selected{'INTERFACE_MODE'}{'gre'} = ''; + $selected{'INTERFACE_MODE'}{'vti'} = ''; + $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'"; + + $selected{'LOCAL'}{''} = ''; + foreach my $alias (sort keys %aliases) { + my $address = $aliases{$alias}{'IPT'}; + + $selected{'LOCAL'}{$address} = ''; + } + $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -1992,6 +2447,8 @@ VPNCONF_ERROR: + + END ; if ($cgiparams{'KEY'}) { @@ -2014,11 +2471,8 @@ END EOF } - my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { - $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + my $blob = ""; + if ($cgiparams{'TYPE'} eq 'net') { $blob = "*"; }; @@ -2028,26 +2482,64 @@ EOF my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets); - print < $Lang::tr{'enabled'} - $Lang::tr{'local subnet'} * - - - + + $Lang::tr{'local ip address'}: + + - $Lang::tr{'remote subnet'} $blob + + + $Lang::tr{'local subnet'} * - + +END + + if ($cgiparams{'TYPE'} eq "net") { + print <$Lang::tr{'remote subnet'} * + + + +END + + } elsif ($cgiparams{'TYPE'} eq "host") { + print <$Lang::tr{'dns servers'}: + + + +END + } + + print < $Lang::tr{'vpn local id'}: @@ -2074,6 +2566,51 @@ END print ""; &Header::closebox(); + if ($cgiparams{'TYPE'} eq 'net') { + &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'}); + print < + + + $Lang::tr{'mode'}: + + + + + + + + $Lang::tr{'interface mode'}: + + + + + $Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}: + + + + + + + $Lang::tr{'mtu'}: + + + + + + + +EOF + &Header::closebox(); + } + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print < 8) { - $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; + if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 24) { + $errormessage = $Lang::tr{'ike lifetime should be between 1 and 24 hours'}; goto ADVANCED_ERROR; } @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); @@ -2227,7 +2764,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2249,7 +2786,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2308,7 +2845,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); sleep $sleepDelay; } goto ADVANCED_END; @@ -2334,6 +2871,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -2350,9 +2892,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") { $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min } + + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } } ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; @@ -2379,6 +2926,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'curve448'} = ''; $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; $checked{'IKE_GROUPTYPE'}{'1024'} = ''; @@ -2391,6 +2939,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; @@ -2417,6 +2966,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'curve448'} = ''; $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; $checked{'ESP_GROUPTYPE'}{'1024'} = ''; @@ -2445,6 +2995,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $selected{'DPD_ACTION'}{'none'} = ''; $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; + $selected{'START_ACTION'}{'add'} = ''; $selected{'START_ACTION'}{'route'} = ''; $selected{'START_ACTION'}{'start'} = ''; $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'"; @@ -2502,6 +3053,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'encryption'} + @@ -2578,7 +3131,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'grouptype'} - + + @@ -2670,6 +3225,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @@ -2738,24 +3294,8 @@ EOF &General::readhasharray("${General::swroot}/vpn/config", \%confighash); $cgiparams{'CA_NAME'} = ''; - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; + my @status = &General::system_output("/usr/local/bin/ipsecctrl", "I"); - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = ; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); @@ -2783,35 +3323,25 @@ EOF print < - - - - - -END -; -print < - - - - - - - -
$Lang::tr{'vpn red name'}: *$Lang::tr{'enabled'}
$Lang::tr{'vpn delayed start'}: **
$Lang::tr{'host to net vpn'}:
-
-
- - - - - - - - - - + + + + + + + + + + + + + + +
*$Lang::tr{'required field'}
**  $Lang::tr{'vpn delayed start help'}
+ $Lang::tr{'enabled'} + + +
$Lang::tr{'ipsec roadwarrior endpoint'}:
$Lang::tr{'host to net vpn'}:
END ; @@ -2827,7 +3357,7 @@ END $Lang::tr{'common name'} $Lang::tr{'remark'} $Lang::tr{'status'} - $Lang::tr{'action'} + $Lang::tr{'action'} END ; @@ -2854,13 +3384,17 @@ END } print "$confighash{$key}[25]"; my $col1="bgcolor='${Header::colourred}'"; - # get real state my $active = "$Lang::tr{'capsclosed'}"; + if ($confighash{$key}[33] eq "add") { + $col1="bgcolor='${Header::colourorange}'"; + $active = "$Lang::tr{'vpn wait'}"; + } foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; + last; } elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) { $col1="bgcolor='${Header::colourorange}'"; $active = "$Lang::tr{'vpn connecting'}"; @@ -2924,6 +3458,22 @@ END } else { print " "; } + + # Apple Profile + if ($confighash{$key}[3] eq 'host') { + print < +
+ + + +
+ +END + } else { + print " "; + } + print <
@@ -3178,24 +3728,24 @@ sub make_algos($$$$$) { if ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve25519/) { + } elsif ($grp =~ m/curve(448|25519)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp"); } - } elsif ($mode eq "esp" && $pfs) { + } elsif ($mode eq "esp") { my $is_aead = ($enc =~ m/[cg]cm/); if (!$is_aead) { push(@algo, $int); } - if ($grp eq "none") { + if (!$pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve25519/) { + } elsif ($grp =~ m/curve(448|25519)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp"); @@ -3210,13 +3760,19 @@ sub make_algos($$$$$) { return &array_unique(\@algos); } -sub make_subnets($) { +sub make_subnets($$) { + my $direction = shift; my $subnets = shift; my @nets = split(/\|/, $subnets); my @cidr_nets = (); foreach my $net (@nets) { my $cidr_net = &General::ipcidr($net); + + # Skip 0.0.0.0/0 for remote because this renders the + # while system inaccessible + next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0")); + push(@cidr_nets, $cidr_net); }