# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
- print CONF "\tike=";
- my @encs = split('\|', $lconfighash{$key}[18]);
- my @ints = split('\|', $lconfighash{$key}[19]);
- my @groups = split('\|', $lconfighash{$key}[20]);
- my $comma = 0;
- foreach my $i (@encs) {
- foreach my $j (@ints) {
- foreach my $k (@groups) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-
- my @l = split("", $k);
- if ($l[0] eq "e") {
- shift @l;
- print CONF "$i-$j-ecp".join("", @l);
- } else {
- print CONF "$i-$j-modp$k";
- }
- }
- }
- }
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
- }
+ my @encs = split('\|', $lconfighash{$key}[18]);
+ my @ints = split('\|', $lconfighash{$key}[19]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
+
+ my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+ print CONF "\tike=" . join(",", @algos);
+
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
}
+
if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
- print CONF "\tesp=";
- my @encs = split('\|', $lconfighash{$key}[21]);
- my @ints = split('\|', $lconfighash{$key}[22]);
- my @groups = split('\|', $lconfighash{$key}[20]);
- my $comma = 0;
- foreach my $i (@encs) {
- foreach my $j (@ints) {
- my $modp = "";
- if ($pfs eq "on") {
- foreach my $k (@groups) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- if ($pfs eq "on") {
- my @l = split("", $k);
- if ($l[0] eq "e") {
- $modp = "";
- } else {
- $modp = "-modp$k";
- }
- } else {
- $modp = "";
- }
- print CONF "$i-$j$modp";
- }
- } else {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
- }
+ my @encs = split('\|', $lconfighash{$key}[21]);
+ my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
+
+ my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+ print CONF "\tesp=" . join(",", @algos);
+
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
}
- }
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
- }
}
# IKE V1 or V2
} else {
print CONF "\tauto=start\n";
}
+
+ # Fragmentation
+ print CONF "\tfragmentation=yes\n";
+
print CONF "\n";
}#foreach key
print SECRETS $last_secrets if ($last_secrets);
if (!$errormessage) {
&General::log("ipsec", "Creating cacert...");
if (open(STDIN, "-|")) {
- my $opt = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+ my $opt = " req -x509 -sha256 -nodes";
$opt .= " -days 999999";
- $opt .= " -newkey rsa:2048";
+ $opt .= " -newkey rsa:4096";
$opt .= " -keyout ${General::swroot}/private/cakey.pem";
$opt .= " -out ${General::swroot}/ca/cacert.pem";
if (!$errormessage) {
&General::log("ipsec", "Creating host cert...");
if (open(STDIN, "-|")) {
- my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:1024";
+ my $opt = " req -sha256 -nodes";
+ $opt .= " -newkey rsa:2048";
$opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
$opt .= " -out ${General::swroot}/certs/hostreq.pem";
$errormessage = &callssl ($opt);
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -days 999999";
+ my $opt = " ca -md sha256 -days 999999";
$opt .= " -batch -notext";
$opt .= " -in ${General::swroot}/certs/hostreq.pem";
$opt .= " -out ${General::swroot}/certs/hostcert.pem";
} else {
$errormessage = $Lang::tr{'invalid key'};
}
-
+ &General::firewall_reload();
###
### Choose between adding a host-net or net-net connection
###
goto VPNCONF_ERROR;
}
-#temporary disabled (BUG 10294)
-# if ($cgiparams{'TYPE'} eq 'net'){
-# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
-# if ($errormessage ne ''){
-# goto VPNCONF_ERROR;
-# }
-#
-# }
+ if ($cgiparams{'TYPE'} eq 'net'){
+ $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
+ if ($warnmessage ne ''){
+ $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+ }
+ }
+
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
$errormessage = $Lang::tr{'pre-shared key is too short'};
# Sign the certificate request
&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt = " ca -days 999999";
+ my $opt = " ca -md sha256 -days 999999";
$opt .= " -batch -notext";
$opt .= " -in $filename";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
(my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
(my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
- # Create the Host certificate request
+ # Create the Client certificate request
&General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) {
my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:1024";
+ $opt .= " -newkey rsa:2048";
$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
exit (0);
}
- # Sign the host certificate request
+ # Sign the client certificate request
&General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
#No easy way for specifying the contain of subjectAltName without writing a config file...
basicConstraints=CA:FALSE
nsComment="OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
+ extendedKeyUsage=clientAuth
authorityKeyIdentifier=keyid,issuer:always
END
;
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -days 999999 -batch -notext";
+ my $opt = " ca -md sha256 -days 999999 -batch -notext";
$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -extfile $v3extname";
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
$cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) {
+ if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) {
+ if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
$checked{'IKE_ENCRYPTION'}{'3des'} = '';
$checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
$checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
$checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
$checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
<td class='boldbase'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
- <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
- <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
- <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
- <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
- <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
- <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+ <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+ <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+ <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+ <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
</select>
</td>
<td class='boldbase'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
- <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
- <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
- <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
- <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
- <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
- <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+ <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+ <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+ <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+ <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
</select>
</td>
</tr>
&Header::closebox();
}
+ if ($warnmessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+ print "$warnmessage<br>";
+ print "$Lang::tr{'fwdfw warn1'}<br>";
+ &Header::closebox();
+ print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
+ &Header::closepage();
+ exit 0;
+ }
+
&Header::openbox('100%', 'left', $Lang::tr{'global settings'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
&Header::closebox();
&Header::closebigbox();
&Header::closepage();
+
+sub array_unique($) {
+ my $array = shift;
+ my @unique = ();
+
+ my %seen = ();
+ foreach my $e (@$array) {
+ next if $seen{$e}++;
+ push(@unique, $e);
+ }
+
+ return @unique;
+}
+
+sub make_algos($$$$$) {
+ my ($mode, $encs, $ints, $grps, $pfs) = @_;
+ my @algos = ();
+
+ foreach my $enc (@$encs) {
+ foreach my $int (@$ints) {
+ foreach my $grp (@$grps) {
+ my @algo = ($enc);
+
+ my $is_aead = ($enc =~ m/[cg]cm/);
+ if (!$is_aead) {
+ push(@algo, $int);
+ }
+
+ if ($mode eq "ike") {
+ if ($grp =~ m/^e(\d+)/) {
+ push(@algo, "ecp$1");
+ } else {
+ push(@algo, "modp$grp");
+ }
+ }
+
+ if ($mode eq "esp" && $pfs) {
+ if ($grp =~ m/^e\d+/) {
+ push(@algo, $grp);
+ } else {
+ push(@algo, "modp$grp");
+ }
+ }
+
+ push(@algos, join("-", @algo));
+ }
+ }
+ }
+
+ return &array_unique(\@algos);
+}
projects / ipfire-2.x.git / blobdiff