--- /dev/null
+#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/Data
+usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/Data/UUID.pm
+#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Data
+#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Data/UUID
+#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Data/UUID/.packlist
+usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Data/UUID/UUID.so
+#usr/share/man/man3/Data::UUID.3
srv/web/ipfire/html/images/addblue.gif
srv/web/ipfire/html/images/addgreen.gif
srv/web/ipfire/html/images/address-book-new.png
+srv/web/ipfire/html/images/apple.png
srv/web/ipfire/html/images/application-certificate.png
srv/web/ipfire/html/images/application-x-executable.png
srv/web/ipfire/html/images/applications-accessories.png
WARNING: translation string unused: zoneconf val zoneslave amount error
WARNING: untranslated string: desired = Desired
WARNING: untranslated string: disable = Disable
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: enable = Enable
WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date!
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: optional = Optional
WARNING: untranslated string: downlink speed = Downlink speed (kbit/sec)
WARNING: untranslated string: downlink std class = downlink standard class
WARNING: untranslated string: download = download
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: download ca certificate = Download CA certificate
WARNING: untranslated string: download certificate = Download file
WARNING: untranslated string: download host certificate = Download host certificate
WARNING: untranslated string: ipinfo = IP info
WARNING: untranslated string: ipsec = IPsec
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: iptmangles = IPTable Mangles
WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
WARNING: untranslated string: dnssec validating = DNSSEC Validating
WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: download tls-auth key = Download tls-auth key
WARNING: untranslated string: dpd delay = Delay
WARNING: untranslated string: dpd timeout = Timeout
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec = IPsec
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: translation string unused: zoneconf val vlan amount assignment error
WARNING: translation string unused: zoneconf val vlan tag assignment error
WARNING: translation string unused: zoneconf val zoneslave amount error
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: pakfire ago = ago.
WARNING: untranslated string: route config changed = unknown string
WARNING: untranslated string: routing config added = unknown string
WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
WARNING: untranslated string: dnsforward forward_servers = Nameservers
WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: duration = Duration
WARNING: untranslated string: eight hours = 8 Hours
WARNING: untranslated string: email config = Configuration
WARNING: untranslated string: ip basic info = Basic IP information
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
WARNING: untranslated string: dnssec validating = DNSSEC Validating
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: download tls-auth key = Download tls-auth key
WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
WARNING: untranslated string: duration = Duration
WARNING: untranslated string: ip basic info = Basic IP information
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
WARNING: untranslated string: dnssec validating = DNSSEC Validating
WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: download tls-auth key = Download tls-auth key
WARNING: untranslated string: dpd delay = Delay
WARNING: untranslated string: dpd timeout = Timeout
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec = IPsec
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
WARNING: untranslated string: dnssec validating = DNSSEC Validating
WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: download tls-auth key = Download tls-auth key
WARNING: untranslated string: dpd delay = Delay
WARNING: untranslated string: dpd timeout = Timeout
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec = IPsec
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
WARNING: untranslated string: dnsforward forward_servers = Nameservers
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
WARNING: untranslated string: duration = Duration
WARNING: untranslated string: email tls explicit = explicit (STARTTLS)
WARNING: untranslated string: email tls implicit = implicit (TLS)
WARNING: untranslated string: ip basic info = Basic IP information
WARNING: untranslated string: ip info for = IP information for
WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec interface mode gre = GRE
WARNING: untranslated string: ipsec interface mode none = - None (Default) -
WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec mode transport = Transport
WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
< disable
< dns could not add server
< done
+< download apple profile
< enable
< error the to date has to be later than the from date
< g.dtm
< g.lite
< insert removable device
+< ipsec dns server address is invalid
+< ipsec invalid ip address or fqdn for rw endpoint
+< ipsec roadwarrior endpoint
< netbios nameserver daemon
< no entries
< notes
< dns use isp assigned nameservers
< dns use protocol for dns queries
< downlink
+< download apple profile
< download dh parameter
< download tls-auth key
< dpd delay
< ip info for
< ipsec
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
< ansi t1.483
< bewan adsl pci st
< bewan adsl usb
+< download apple profile
< g.dtm
< g.lite
+< ipsec dns server address is invalid
+< ipsec invalid ip address or fqdn for rw endpoint
+< ipsec roadwarrior endpoint
< upload fcdsl.o
< zoneconf val vlan tag range error
############################################################################
< dns tls hostname
< dns use isp assigned nameservers
< dns use protocol for dns queries
+< download apple profile
< duration
< eight hours
< email config
< ip basic info
< ip info for
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
< dns tls hostname
< dns use isp assigned nameservers
< dns use protocol for dns queries
+< download apple profile
< download dh parameter
< download tls-auth key
< drop outgoing
< ip basic info
< ip info for
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
< dns use isp assigned nameservers
< dns use protocol for dns queries
< downlink
+< download apple profile
< download dh parameter
< download tls-auth key
< dpd delay
< ip info for
< ipsec
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
< dns use isp assigned nameservers
< dns use protocol for dns queries
< downlink
+< download apple profile
< download dh parameter
< download tls-auth key
< dpd delay
< ip info for
< ipsec
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
< dns tls hostname
< dns use isp assigned nameservers
< dns use protocol for dns queries
+< download apple profile
< duration
< email tls explicit
< email tls implicit
< ip basic info
< ip info for
< ipsec connection
+< ipsec dns server address is invalid
< ipsec interface mode gre
< ipsec interface mode none
< ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
< ipsec mode transport
< ipsec mode tunnel
+< ipsec roadwarrior endpoint
< ipsec routing table entries
< ipsec settings
< itlb multihit
# #
###############################################################################
+use Data::UUID;
+use MIME::Base64;
use Net::DNS;
use File::Copy;
use File::Temp qw/ tempfile tempdir /;
use strict;
use Sort::Naturally;
+use Sys::Hostname;
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
$cgiparams{'ROOTCERT_OU'} = '';
$cgiparams{'ROOTCERT_CITY'} = '';
$cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_ENDPOINT'} = '';
$cgiparams{'RW_NET'} = '';
$cgiparams{'DPD_DELAY'} = '30';
$cgiparams{'DPD_TIMEOUT'} = '120';
$cgiparams{'INTERFACE_MODE'} = "";
$cgiparams{'INTERFACE_ADDRESS'} = "";
$cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
+my %APPLE_CIPHERS = (
+ "aes256gcm128" => "AES-256-GCM",
+ "aes128gcm128" => "AES-128-GCM",
+ "aes256" => "AES-256",
+ "aes128" => "AES-128",
+ "3des" => "3DES",
+);
+
+my %APPLE_INTEGRITIES = (
+ "sha2_512" => "SHA2-512",
+ "sha2_384" => "SHA2-384",
+ "sha2_256" => "SHA2-256",
+ "sha1" => "SHA1-160",
+);
+
+my %APPLE_DH_GROUPS = (
+ "768" => 1,
+ "1024" => 2,
+ "1536" => 5,
+ "2048" => 14,
+ "3072" => 15,
+ "4096" => 16,
+ "6144" => 17,
+ "8192" => 18,
+ "e256" => 19,
+ "e384" => 20,
+ "e521" => 21,
+);
+
###
### Useful functions
###
print CONF "\tleftfirewall=yes\n";
print CONF "\tlefthostaccess=yes\n";
+
+ # Always send the host certificate
+ if ($lconfighash{$key}[3] eq 'host') {
+ print CONF "\tleftsendcert=always\n";
+ }
+
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
# Fragmentation
print CONF "\tfragmentation=yes\n";
+ # DNS Servers for RW
+ if ($lconfighash{$key}[3] eq 'host') {
+ my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+ print CONF "\trightdns=" . join(",", @servers) . "\n";
+ }
+
print CONF "\n";
} #foreach key
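Review bot: The `rightdns=` line is written even when `@servers` is empty, which is the case for any host connection whose DNS field was left blank and, presumably, for every host connection saved before field [39] existed (the record then has no such element and `split` on undef yields nothing), so ipsec.conf gets a bare `rightdns=` with no value. Guard the print: `if (@servers) {` / `print CONF "\trightdns=" . join(",", @servers) . "\n";` / `}`. The enclosing foreach over the connections starts outside the hunk.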
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) {
+ $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'};
+ goto SAVE_ERROR;
+ }
+
if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
+ $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
&General::log("ipsec", "Creating cacert...");
if (open(STDIN, "-|")) {
my $opt = " req -x509 -sha256 -nodes";
- $opt .= " -days 999999";
+ $opt .= " -days 3650";
$opt .= " -newkey rsa:4096";
$opt .= " -keyout ${General::swroot}/private/cakey.pem";
$opt .= " -out ${General::swroot}/ca/cacert.pem";
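Review bot: The CA is now issued for 3650 days while host certificates — here at `-days 3650` versus the three `-days 825` sites further down in this diff — live 825 days, and nothing in the diff logs, warns about or schedules renewal of the shorter-lived certificate, so a deployment will start failing roughly 27 months after its next host-certificate generation unless the admin tracks it. Certificates already issued with the old 999999-day lifetime are unaffected until regenerated, which is worth stating in the commit message. A one-line reason next to each value would also help maintainers, e.g. `# 825 days: keep within the leaf-certificate lifetime Apple clients accept`, if that is indeed why 825 was chosen.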
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -md sha256 -days 999999";
+ my $opt = " ca -md sha256 -days 825";
$opt .= " -batch -notext";
$opt .= " -in ${General::swroot}/certs/hostreq.pem";
$opt .= " -out ${General::swroot}/certs/hostcert.pem";
print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
exit (0);
+# Export Apple profile to browser
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
+ # Read global configuration
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+ # Read connections
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ my $key = $cgiparams{'KEY'};
+
+ # Create a UUID generator
+ my $uuid = Data::UUID->new();
+
+ my $uuid1 = $uuid->create_str();
+ my $uuid2 = $uuid->create_str();
+
+ my $ca = "";
+ my $ca_uuid = $uuid->create_str();
+
+ my $cert = "";
+ my $cert_uuid = $uuid->create_str();
+
+ # Read and encode the CA & certificate
+ if ($confighash{$key}[4] eq "cert") {
+ my $ca_path = "${General::swroot}/ca/cacert.pem";
+ my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
+
+ # Read the CA and encode it into Base64
+ open(CA, "<${ca_path}");
+ local($/) = undef; # slurp
+ $ca = MIME::Base64::encode_base64(<CA>);
+ close(CA);
+
+ # Read certificate and encode it into Base64
+ open(CERT, "<${cert_path}");
+ local($/) = undef; # slurp
+ $cert = MIME::Base64::encode_base64(<CERT>);
+ close(CERT);
+ }
+
+ print "Content-Type: application/octet-stream\n";
+ print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
+ print "\n"; # end headers
+
+ # Use our own FQDN if nothing else is configured
+ my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname();
+
+ print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
+ print "<plist version=\"1.0\">\n";
+ print " <dict>\n";
+ print " <key>PayloadDisplayName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${uuid1}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>Configuration</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>PayloadContent</key>\n";
+ print " <array>\n";
+ print " <dict>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>org.example.vpn1.conf1</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${uuid2}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>com.apple.vpn.managed</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>UserDefinedName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>VPNType</key>\n";
+ print " <string>IKEv2</string>\n";
+ print " <key>IKEv2</key>\n";
+ print " <dict>\n";
+ print " <key>RemoteAddress</key>\n";
+ print " <string>$endpoint</string>\n";
+
+ # PFS
+ my $pfs = $confighash{$key}[28];
+ if ($pfs eq "on") {
+ print " <key>EnablePFS</key>\n";
+ print " <true/>\n";
+ }
+
+ # IKE Cipher Suite
+ print " <key>IKESecurityAssociationParameters</key>\n";
+ print " <dict>\n";
+
+ # Encryption
+ foreach my $cipher (split(/\|/,$confighash{$key}[18])) {
+ # Skip all unsupported ciphers
+ next unless (exists $APPLE_CIPHERS{$cipher});
+
+ print " <key>EncryptionAlgorithm</key>\n";
+ print " <string>$APPLE_CIPHERS{$cipher}</string>\n";
+ last;
+ }
+
+ # Integrity
+ foreach my $integrity (split(/\|/,$confighash{$key}[19])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+ print " <key>IntegrityAlgorithm</key>\n";
+ print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+ last;
+ }
+
+ # Diffie Hellman Groups
+ foreach my $group (split(/\|/,$confighash{$key}[20])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_DH_GROUPS{$group});
+
+ print " <key>DiffieHellmanGroup</key>\n";
+ print " <string>$APPLE_DH_GROUPS{$group}</string>\n";
+ last;
+ }
+
+ # Lifetime
+ my $lifetime = $confighash{$key}[16] * 60;
+ print " <key>LifeTimeInMinutes</key>\n";
+ print " <integer>$lifetime</integer>\n";
+ print " </dict>\n";
+
+ # ESP Cipher Suite
+ print " <key>ChildSecurityAssociationParameters</key>\n";
+ print " <dict>\n";
+
+ # Encryption
+ foreach my $cipher (split(/\|/,$confighash{$key}[21])) {
+ # Skip all unsupported ciphers
+ next unless (exists $APPLE_CIPHERS{$cipher});
+
+ print " <key>EncryptionAlgorithm</key>\n";
+ print " <string>$APPLE_CIPHERS{$cipher}</string>\n";
+ last;
+ }
+
+ # Integrity
+ foreach my $integrity (split(/\|/,$confighash{$key}[22])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+ print " <key>IntegrityAlgorithm</key>\n";
+ print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+ last;
+ }
+
+ # Diffie Hellman Groups
+ foreach my $group (split(/\|/,$confighash{$key}[23])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_DH_GROUPS{$group});
+
+ print " <key>DiffieHellmanGroup</key>\n";
+ print " <string>$APPLE_DH_GROUPS{$group}</string>\n";
+ last;
+ }
+
+ # Lifetime
+ my $lifetime = $confighash{$key}[17] * 60;
+ print " <key>LifeTimeInMinutes</key>\n";
+ print " <integer>$lifetime</integer>\n";
+ print " </dict>\n";
+
+
+ # Left ID
+ if ($confighash{$key}[9]) {
+ my $leftid = $confighash{$key}[9];
+
+ # Strip leading @ from FQDNs
+ if ($leftid =~ m/^@(.*)$/) {
+ $leftid = $1;
+ }
+
+ print " <key>LocalIdentifier</key>\n";
+ print " <string>$leftid</string>\n";
+ }
+
+ # Right ID
+ if ($confighash{$key}[7]) {
+ my $rightid = $confighash{$key}[7];
+
+ # Strip leading @ from FQDNs
+ if ($rightid =~ m/^@(.*)$/) {
+ $rightid = $1;
+ }
+
+ print " <key>RemoteIdentifier</key>\n";
+ print " <string>$rightid</string>\n";
+ }
+
+ if ($confighash{$key}[4] eq "cert") {
+ print " <key>AuthenticationMethod</key>\n";
+ print " <string>Certificate</string>\n";
+
+ print " <key>PayloadCertificateUUID</key>\n";
+ print " <string>${cert_uuid}</string>\n";
+ } else {
+ print " <key>AuthenticationMethod</key>\n";
+ print " <string>SharedSecret</string>\n";
+ print " <key>SharedSecret</key>\n";
+ print " <string>$confighash{$key}[5]</string>\n";
+ }
+
+ print " <key>ExtendedAuthEnabled</key>\n";
+ print " <integer>0</integer>\n";
+
+ # Connect the VPN automatically
+ print " <key>OnDemandEnabled</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>OnDemandRules</key>\n";
+ print " <array>\n";
+ print " <dict>\n";
+ print " <key>Action</key>\n";
+ print " <string>Connect</string>\n";
+ print " </dict>\n";
+ print " </array>\n";
+
+ print " </dict>\n";
+ print " </dict>\n";
+
+ if ($confighash{$key}[4] eq "cert") {
+ print " <dict>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>org.example.vpn1.client</string>\n";
+ print " <key>PayloadDisplayName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${cert_uuid}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>com.apple.security.pkcs12</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>PayloadContent</key>\n";
+ print " <data>\n";
+
+ foreach (split /\n/,${cert}) {
+ print " $_\n";
+ }
+
+ print " </data>\n";
+ print " </dict>\n";
+
+ print " <dict>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>org.example.ca</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${ca_uuid}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>com.apple.security.root</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>PayloadContent</key>\n";
+ print " <data>\n";
+
+ foreach (split /\n/,${ca}) {
+ print " $_\n";
+ }
+
+ print " </data>\n";
+ print " </dict>\n";
+ }
+
+ print " </array>\n";
+ print " </dict>\n";
+ print "</plist>\n";
+
+ # Done
+ exit(0);
###
### Display certificate
###
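Review bot: Several values are interpolated into the plist without XML escaping — `$confighash{$key}[1]` (PayloadDisplayName, PayloadIdentifier, UserDefinedName and the Content-Disposition filename), `$leftid`, `$rightid`, `$endpoint` and, in the PSK branch, the SharedSecret itself — so a connection name or pre-shared key containing `&`, `<` or `>` produces a profile the client cannot parse, and a `<` in an identifier can change the document structure. `$key` is taken straight from `$cgiparams{'KEY'}` and never checked against `%confighash` before output starts, unlike the other KEY-driven actions in this file, so an unknown key still returns a 200 response with empty fields and an undef SharedSecret. Both `open()` calls ignore their return value, so an unreadable cacert.pem or .p12 silently exports an empty `<data>` payload; they should fail closed. Two smaller points to confirm: the comment at the endpoint fallback says FQDN but `Sys::Hostname::hostname()` returns the kernel hostname, which need not be fully qualified, and `DiffieHellmanGroup` is emitted as `<string>` although, as far as I recall, Apple's profile reference types it as an integer. The elsif branch is closed outside the hunk; the fence shows the key guard, the open checks and an escape helper.
```perl
	my $key = $cgiparams{'KEY'};

	# Refuse unknown keys before any output is sent; with $errormessage set
	# and no exit, the branch falls through to the main page's error box.
	if ($key eq "" || !exists $confighash{$key}) {
		$errormessage = $Lang::tr{'invalid key'};
	} else {
		# … unchanged: UUID generation …
		if ($confighash{$key}[4] eq "cert") {
			# … unchanged: path construction …
			# Fail closed: an unreadable file must not become an empty payload
			open(CA, "<${ca_path}") or die "Cannot read ${ca_path}: $!";
			# … unchanged: slurp, encode, close — same check for CERT …
		}
		# … unchanged: HTTP headers …
		my $name = &xml_escape($confighash{$key}[1]);
		my $endpoint = &xml_escape(($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname());
		# … unchanged: plist output, with $name in place of the raw
		#   $confighash{$key}[1] and xml_escape() around $leftid, $rightid
		#   and the SharedSecret value …
	}

# Escape the XML special characters so user-controlled values cannot
# alter the structure of the generated plist.
sub xml_escape {
	my $s = shift;
	$s =~ s/&/&amp;/g;
	$s =~ s/</&lt;/g;
	$s =~ s/>/&gt;/g;
	$s =~ s/"/&quot;/g;
	$s =~ s/'/&apos;/g;
	return $s;
}
```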
$cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
$cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
$cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
+ $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
}
}
+ if ($cgiparams{'TYPE'} eq 'host') {
+ my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+ foreach my $server (@servers) {
+ unless (&Network::check_ip_address($server)) {
+ $errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto VPNCONF_ERROR;
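Review bot: The DNS_SERVERS check splits on a bare comma, so an input written as `<ip1>, <ip2>` is rejected with the invalid-address error because the second element carries a leading space; `my @servers = split(/\s*,\s*/, $cgiparams{'DNS_SERVERS'});` tolerates that, and the store site later in this diff that does `join("|", split(",", $cgiparams{'DNS_SERVERS'}))` should use the same split so the validated and the persisted values agree. The check also runs only for TYPE 'host', while that store site persists DNS_SERVERS for every type, so a crafted request for a 'net' connection can put an unvalidated string into the config file; either validate unconditionally or clear the field for non-host connections. The enclosing validation block starts outside the hunk.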
# Sign the certificate request
&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt = " ca -md sha256 -days 999999";
+ my $opt = " ca -md sha256 -days 825";
$opt .= " -batch -notext";
$opt .= " -in $filename";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -md sha256 -days 999999 -batch -notext";
+ my $opt = " ca -md sha256 -days 825 -batch -notext";
$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -extfile $v3extname";
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
$confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
$confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
$confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+ $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
# free unused fields!
$confighash{$key}[15] = 'off';
$cgiparams{'INTERFACE_MODE'} = "";
$cgiparams{'INTERFACE_ADDRESS'} = "";
$cgiparams{'INTERFACE_MTU'} = 1500;
+ $cgiparams{'DNS_SERVERS'} = "";
}
VPNCONF_ERROR:
EOF
}
- my $disabled;
- my $blob;
- if ($cgiparams{'TYPE'} eq 'host') {
- $disabled = "disabled='disabled'";
- } elsif ($cgiparams{'TYPE'} eq 'net') {
+ my $blob = "";
+ if ($cgiparams{'TYPE'} eq 'net') {
$blob = "<img src='/blob.gif' alt='*' />";
};
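Review bot: `$blob` is still assigned for the 'net' case but its only visible use, the removed `remote subnet` heading line, has been replaced by a literal `<img>` inside the new 'net' heredoc, so unless `$blob` is referenced further down in the heredoc (outside the hunk) the `my $blob = ""; if (...) { ... }` block is dead code and can go; if it is still used elsewhere, the 'net' branch should reference `$blob` rather than repeating the markup. The heredoc that follows continues outside the hunk.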
my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
my $remote_subnets = join(",", @remote_subnets);
+ my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+ my $dns_servers = join(",", @dns_servers);
+
print <<END;
<tr>
<td width='20%'>$Lang::tr{'enabled'}</td>
<td width='30%'>
<input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
+END
+
+ if ($cgiparams{'TYPE'} eq "net") {
+ print <<END;
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} <img src='/blob.gif' alt='*' /></td>
<td width='30%'>
- <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+ <input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
</td>
+END
+
+ } elsif ($cgiparams{'TYPE'} eq "host") {
+ print <<END;
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
+ <td width='30%'>
+ <input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
+ </td>
+END
+ }
+
+ print <<END;
</tr>
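Review bot: `$dns_servers` is interpolated straight into `value='…'` of the new DNS_SERVERS input without HTML escaping, and on the `VPNCONF_ERROR` path this form is re-rendered with whatever the user posted, so a value containing `'` or `<` breaks out of the attribute; the existing `REMOTE_SUBNET` field has the same pattern, so this follows the file's convention rather than adding a new class of bug, but a new input field is the place to stop propagating it. Escape before printing, e.g. `(my $dns_servers_html = $dns_servers) =~ s/([&<>'"])/sprintf('&#%d;', ord($1))/ge;` and use `value='$dns_servers_html'`. Separately, `$blob` is still computed at the top of this hunk but the `remote subnet` cell now hard-codes the `<img src='/blob.gif' …>` tag, so `$blob` is dead — either drop it or use it in the cell.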
<tr>
<td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
$cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
$cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
$cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
+ $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
<input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
</td>
</tr>
+ <tr>
+ <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'ipsec roadwarrior endpoint'}:</td>
+ <td width="40%"><input type='text' name='RW_ENDPOINT' value='$cgiparams{'RW_ENDPOINT'}' /></td>
+ </tr>
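Review bot: `$cgiparams{'RW_ENDPOINT'}` is printed unescaped into the `value='…'` attribute, the same as the existing `RW_NET` field below it; since this commit also adds the `ipsec invalid ip address or fqdn for rw endpoint` error string, the error path presumably re-renders this form with the rejected input, which is exactly the case where an unescaped value matters. A one-line escape before printing, e.g. `(my $rw_endpoint = $cgiparams{'RW_ENDPOINT'}) =~ s/([&<>'"])/sprintf('&#%d;', ord($1))/ge;`, keeps the attribute intact. It would also help to add a short comment saying what consumes this setting (I assume it becomes the remote address in the generated client profile, but the consumer is not in this diff).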
<tr>
<td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
<td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
+ <th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th>
</tr>
END
;
} else {
print "<td width='2%' $col> </td>";
}
+
+ # Apple Profile
+ if ($confighash{$key}[3] eq 'host') {
+ print <<END;
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
+ </td>
+END
+ } else {
+ print "<td width='2%' $col> </td>";
+ }
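Review bot: The `if ($confighash{$key}[3] eq 'host')` around the Apple-profile form only decides whether the button is drawn; the request itself is just `ACTION` plus `KEY` in a POST, so anyone who can reach the CGI can submit it for any key, and the handler for `download apple profile` (not in this diff) must itself re-check that `$confighash{$KEY}` exists and that its `[3]` is `host` before generating anything. A comment on this branch such as `# UI gating only - the download handler must re-validate KEY and the connection type` would make that expectation explicit. `$key` is interpolated into the hidden field unescaped; if keys from `findhasharraykey` are always numeric that is harmless, but it is worth confirming rather than assuming.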
+
print <<END
<td align='center' $col>
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
'downlink speed' => 'Downlink speed (kbit/sec)',
'downlink std class' => 'downlink standard class',
'download' => 'download',
+'download apple profile' => 'Download Apple Configuration Profile',
'download ca certificate' => 'Download CA certificate',
'download certificate' => 'Download file',
'download dh parameter' => 'Download Diffie-Hellman parameters',
'ipinfo' => 'IP info',
'ipsec' => 'IPsec',
'ipsec connection' => 'IPsec Connection',
+'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)',
'ipsec interface mode gre' => 'GRE',
'ipsec interface mode none' => '- None (Default) -',
'ipsec interface mode vti' => 'VTI',
+'ipsec invalid ip address or fqdn for rw endpoint' => 'Invalid IP address or FQDN for Host-to-Net Endpoint',
'ipsec mode transport' => 'Transport',
'ipsec mode tunnel' => 'Tunnel',
'ipsec network' => 'IPsec network',
'ipsec no connections' => 'No active IPsec connections',
+'ipsec roadwarrior endpoint' => 'Host-to-Net Endpoint',
'ipsec routing table entries' => 'IPsec Routing Table Entries',
'ipsec settings' => 'IPsec Settings',
'iptable rules' => 'IPTable rules',
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.224
+
+THISAPP = Data-UUID-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 71510bbcce760c394591fca83a9b5e6d
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && perl Makefile.PL
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
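Review bot: The tarball is authenticated only by the `$(DL_FILE)_MD5` line and is fetched from the `$(URL_IPFIRE)` mirror rather than from CPAN, so nothing in this file ties it to the upstream release; MD5 is the convention across this tree, but for a newly added package please state in the commit message how the digest was checked against the upstream CPAN checksum so a reviewer can reproduce it. Two caveats worth a comment in the header for whoever wires `Data::UUID` into the profile generator: it produces time/node-based (version 1) UUIDs, which are fine for profile identifiers but are not a source of secrets, and it persists node/state files under a temp directory (historically `/var/tmp`), so confirm where the CGI user can write and that this release no longer has the old predictable-temp-file weakness. The copyright line reads `2007-2018` for a file whose install paths reference Perl 5.32.1 — likely a template copy, so update the year. `check`, `download`, `md5` and `install` are not declared `.PHONY`, which matches the other LFS files, so only change it if the framework does.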
lfsmake2 perl-Device-Modem
lfsmake2 perl-Apache-Htpasswd
lfsmake2 perl-Parse-Yapp
+ lfsmake2 perl-Data-UUID
lfsmake2 gnupg
lfsmake2 hdparm
lfsmake2 sdparm