]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - html/cgi-bin/vpnmain.cgi
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist
[ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index a52b4d64d9b48d84babe8ec8d1220e4b3d4ddd01..70a70a29839e19c7b1ec6ee7fd589951dfc3273e 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -58,16 +58,6 @@ my %mainsettings = ();
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
-my $blue_cidr = "# Blue not defined";
-if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
-       $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
-}
-my $orange_cidr = "# Orange not defined";
-if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
-       $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
-}
-
 my %INACTIVITY_TIMEOUTS = (
        300             => $Lang::tr{'five minutes'},
        600             => $Lang::tr{'ten minutes'},
@@ -119,8 +109,12 @@ $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
-$cgiparams{'START_ACTION'} = 'start';
-$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -159,7 +153,12 @@ sub cleanssldatabase {
                print FILE "";
                close FILE;
        }
+       if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
+               print FILE "";
+               close FILE;
+       }
        unlink ("${General::swroot}/certs/index.txt.old");
+       unlink ("${General::swroot}/certs/index.txt.attr.old");
        unlink ("${General::swroot}/certs/serial.old");
        unlink ("${General::swroot}/certs/01.pem");
 }
@@ -172,7 +171,11 @@ sub newcleanssldatabase {
        if (! -s ">${General::swroot}/certs/index.txt") {
                system ("touch ${General::swroot}/certs/index.txt");
        }
+       if (! -s ">${General::swroot}/certs/index.txt.attr") {
+               system ("touch ${General::swroot}/certs/index.txt.attr");
+       }
        unlink ("${General::swroot}/certs/index.txt.old");
+       unlink ("${General::swroot}/certs/index.txt.attr.old");
        unlink ("${General::swroot}/certs/serial.old");
 #      unlink ("${General::swroot}/certs/01.pem");             numbering evolves. Wrong place to delete
 }
@@ -292,15 +295,31 @@ sub writeipsecfiles {
                        $localside = $lvpnsettings{'VPN_IP'};
                }
 
+               my $interface_mode = $lconfighash{$key}[36];
+
                print CONF "conn $lconfighash{$key}[1]\n";
                print CONF "\tleft=$localside\n";
-               print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+               if ($interface_mode eq "gre") {
+                       print CONF "\tleftprotoport=gre\n";
+               } elsif ($interface_mode eq "vti") {
+                       print CONF "\tleftsubnet=0.0.0.0/0\n";
+               } else {
+                       print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+               }
+
                print CONF "\tleftfirewall=yes\n";
                print CONF "\tlefthostaccess=yes\n";
                print CONF "\tright=$lconfighash{$key}[10]\n";
 
                if ($lconfighash{$key}[3] eq 'net') {
-                       print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+                       if ($interface_mode eq "gre") {
+                               print CONF "\trightprotoport=gre\n";
+                       } elsif ($interface_mode eq "vti") {
+                               print CONF "\trightsubnet=0.0.0.0/0\n";
+                       } else {
+                               print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+                       }
                }
 
                # Local Cert and Remote Cert (unless auth is DN dn-auth)
@@ -313,6 +332,18 @@ sub writeipsecfiles {
                print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
                print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
 
+               # Set mode
+               if ($lconfighash{$key}[35] eq "transport") {
+                       print CONF "\ttype=transport\n";
+               } else {
+                       print CONF "\ttype=tunnel\n";
+               }
+
+               # Add mark for VTI
+               if ($interface_mode eq "vti") {
+                       print CONF "\tmark=$key\n";
+               }
+
                # Is PFS enabled?
                my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
 
@@ -436,12 +467,6 @@ sub writeipsecfiles {
                        if ($start_action eq 'route' && $inactivity_timeout > 0) {
                                print CONF "\tinactivity=$inactivity_timeout\n";
                        }
-
-                       # Restart the connection immediately when it has gone down
-                       # unexpectedly
-                       if ($start_action eq 'start') {
-                               print CONF "\tcloseaction=restart\n";
-                       }
                }
 
                # Fragmentation
@@ -1323,6 +1348,10 @@ END
                $cgiparams{'DPD_DELAY'}                 = $confighash{$cgiparams{'KEY'}}[31];
                $cgiparams{'FORCE_MOBIKE'}              = $confighash{$cgiparams{'KEY'}}[32];
                $cgiparams{'INACTIVITY_TIMEOUT'}        = $confighash{$cgiparams{'KEY'}}[34];
+               $cgiparams{'MODE'}                      = $confighash{$cgiparams{'KEY'}}[35];
+               $cgiparams{'INTERFACE_MODE'}            = $confighash{$cgiparams{'KEY'}}[36];
+               $cgiparams{'INTERFACE_ADDRESS'}         = $confighash{$cgiparams{'KEY'}}[37];
+               $cgiparams{'INTERFACE_MTU'}             = $confighash{$cgiparams{'KEY'}}[38];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -1336,6 +1365,10 @@ END
                        $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
                }
 
+               if ($cgiparams{'MODE'} eq "") {
+                       $cgiparams{'MODE'} = "tunnel";
+               }
+
        } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
                $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
                if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1414,6 +1447,26 @@ END
                                        goto VPNCONF_ERROR;
                                }
                        }
+
+                       if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+                               $errormessage = $Lang::tr{'invalid input for mode'};
+                               goto VPNCONF_ERROR;
+                       }
+
+                       if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+                               $errormessage = $Lang::tr{'invalid input for interface mode'};
+                               goto VPNCONF_ERROR;
+                       }
+
+                       if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+                               $errormessage = $Lang::tr{'invalid input for interface address'};
+                               goto VPNCONF_ERROR;
+                       }
+
+                       if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+                               $errormessage = $Lang::tr{'invalid input for interface mtu'};
+                               goto VPNCONF_ERROR;
+                       }
                }
 
                if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
@@ -1818,7 +1871,7 @@ END
        my $key = $cgiparams{'KEY'};
        if (! $key) {
                $key = &General::findhasharraykey (\%confighash);
-               foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+               foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
        }
        $confighash{$key}[0] = $cgiparams{'ENABLED'};
        $confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1863,6 +1916,10 @@ END
        $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
        $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
        $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+       $confighash{$key}[35] = $cgiparams{'MODE'};
+       $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+       $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+       $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
 
        # free unused fields!
        $confighash{$key}[6] = 'off';
@@ -1888,7 +1945,12 @@ END
        } else {
                $cgiparams{'AUTH'} = 'certgen';
        }
-       $cgiparams{'LOCAL_SUBNET'}              = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+       if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+               $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+       } else {
+               $cgiparams{"LOCAL_SUBNET"} = "";
+       }
        $cgiparams{'CERT_EMAIL'}                = $vpnsettings{'ROOTCERT_EMAIL'};
        $cgiparams{'CERT_OU'}                   = $vpnsettings{'ROOTCERT_OU'};
        $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
@@ -1925,11 +1987,11 @@ END
        $cgiparams{'REMOTE_ID'} = '';
 
        #use default advanced value
-       $cgiparams{'IKE_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
+       $cgiparams{'IKE_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
        $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256'; #[19];
        $cgiparams{'IKE_GROUPTYPE'}             = 'curve25519|4096|3072|2048'; #[20];
        $cgiparams{'IKE_LIFETIME'}              = '3'; #[16];
-       $cgiparams{'ESP_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
+       $cgiparams{'ESP_ENCRYPTION'}    = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
        $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256'; #[22];
        $cgiparams{'ESP_GROUPTYPE'}             = 'curve25519|4096|3072|2048'; #[23];
        $cgiparams{'ESP_KEYLIFE'}               = '1'; #[17];
@@ -1937,6 +1999,10 @@ END
        $cgiparams{'ONLY_PROPOSED'}             = 'on'; #[24];
        $cgiparams{'PFS'}                               = 'on'; #[28];
        $cgiparams{'INACTIVITY_TIMEOUT'}        = 900;
+       $cgiparams{'MODE'}                      = "tunnel";
+       $cgiparams{'INTERFACE_MODE'}            = "";
+       $cgiparams{'INTERFACE_ADDRESS'}         = "";
+       $cgiparams{'INTERFACE_MTU'}             = 1500;
 }
 
 VPNCONF_ERROR:
@@ -1956,6 +2022,15 @@ VPNCONF_ERROR:
        $checked{'AUTH'}{'auth-dn'} = '';
        $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
 
+       $selected{'MODE'}{'tunnel'} = '';
+       $selected{'MODE'}{'transport'} = '';
+       $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+       $selected{'INTERFACE_MODE'}{''} = '';
+       $selected{'INTERFACE_MODE'}{'gre'} = '';
+       $selected{'INTERFACE_MODE'}{'vti'} = '';
+       $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
        &Header::showhttpheaders();
        &Header::openpage($Lang::tr{'ipsec'}, 1, '');
        &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -1992,6 +2067,7 @@ VPNCONF_ERROR:
        <input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
        <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
        <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+       <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
 END
 ;
        if ($cgiparams{'KEY'}) {
@@ -2074,6 +2150,51 @@ END
        print "</table>";
        &Header::closebox();
 
+       if ($cgiparams{'TYPE'} eq 'net') {
+               &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+               print <<EOF;
+               <table width='100%'>
+                       <tbody>
+                               <tr>
+                                       <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+                                       <td width='30%'>
+                                               <select name='MODE'>
+                                                       <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+                                                       <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+                                               </select>
+                                       </td>
+                                       <td colspan='2'></td>
+                               </tr>
+
+                               <tr>
+                                       <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+                                       <td width='30%'>
+                                               <select name='INTERFACE_MODE'>
+                                                       <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+                                                       <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+                                                       <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+                                               </select>
+                                       </td>
+
+                                       <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+                                       <td width='30%'>
+                                               <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+                                       </td>
+                               </tr>
+
+                               <tr>
+                                       <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+                                       <td width='30%'>
+                                               <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+                                       </td>
+                                       <td colspan='2'></td>
+                               </tr>
+                       </tbody>
+               </table>
+EOF
+               &Header::closebox();
+       }
+
        if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
                &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
                print <<END
@@ -2186,7 +2307,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+                       if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2227,7 +2348,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+                       if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2334,6 +2455,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                $cgiparams{'FORCE_MOBIKE'}              = $confighash{$cgiparams{'KEY'}}[32];
                $cgiparams{'START_ACTION'}              = $confighash{$cgiparams{'KEY'}}[33];
                $cgiparams{'INACTIVITY_TIMEOUT'}        = $confighash{$cgiparams{'KEY'}}[34];
+               $cgiparams{'MODE'}                      = $confighash{$cgiparams{'KEY'}}[35];
+               $cgiparams{'INTERFACE_MODE'}            = $confighash{$cgiparams{'KEY'}}[36];
+               $cgiparams{'INTERFACE_ADDRESS'}         = $confighash{$cgiparams{'KEY'}}[37];
+               $cgiparams{'INTERFACE_MTU'}             = $confighash{$cgiparams{'KEY'}}[38];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -2350,9 +2475,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
                        $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
                }
+
+               if ($cgiparams{'MODE'} eq "") {
+                       $cgiparams{'MODE'} = "tunnel";
+               }
        }
 
        ADVANCED_ERROR:
+       $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = '';
        $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
        $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
        $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
@@ -2391,6 +2521,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
        foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
 
+       $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = '';
        $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
        $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
        $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
@@ -2445,6 +2576,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $selected{'DPD_ACTION'}{'none'} = '';
        $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
 
+       $selected{'START_ACTION'}{'add'} = '';
        $selected{'START_ACTION'}{'route'} = '';
        $selected{'START_ACTION'}{'start'} = '';
        $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
@@ -2502,6 +2634,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
                        <td class='boldbase'>
                                <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+                                       <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
                                        <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
                                        <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
                                        <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
@@ -2522,6 +2655,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        </td>
                        <td class='boldbase'>
                                <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+                                       <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
                                        <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
                                        <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
                                        <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
@@ -2670,6 +2804,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <select name="START_ACTION">
                                <option value="route" $selected{'START_ACTION'}{'route'}>$Lang::tr{'vpn start action route'}</option>
                                <option value="start" $selected{'START_ACTION'}{'start'}>$Lang::tr{'vpn start action start'}</option>
+                               <option value="add"   $selected{'START_ACTION'}{'add'}  >$Lang::tr{'vpn start action add'}</option>
                        </select>
                </td>
        </tr>
@@ -2854,8 +2989,11 @@ END
        }
        print "<td align='center' $col>$confighash{$key}[25]</td>";
        my $col1="bgcolor='${Header::colourred}'";
-       # get real state
        my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
+       if ($confighash{$key}[33] eq "add") {
+               $col1="bgcolor='${Header::colourorange}'";
+               $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn wait'}</font></b>";
+       }
        foreach my $line (@status) {
                if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
                ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
@@ -3210,13 +3348,19 @@ sub make_algos($$$$$) {
        return &array_unique(\@algos);
 }
 
-sub make_subnets($) {
+sub make_subnets($$) {
+       my $direction = shift;
        my $subnets = shift;
 
        my @nets = split(/\|/, $subnets);
        my @cidr_nets = ();
        foreach my $net (@nets) {
                my $cidr_net = &General::ipcidr($net);
+
+               # Skip 0.0.0.0/0 for remote because this renders the
+               # while system inaccessible
+               next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
                push(@cidr_nets, $cidr_net);
        }
 
IPFire 2.x development tree