&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
-my $blue_cidr = "# Blue not defined";
-if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
- $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
-}
-my $orange_cidr = "# Orange not defined";
-if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
- $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
-}
+my %INACTIVITY_TIMEOUTS = (
+ 300 => $Lang::tr{'five minutes'},
+ 600 => $Lang::tr{'ten minutes'},
+ 900 => $Lang::tr{'fifteen minutes'},
+ 1800 => $Lang::tr{'thirty minutes'},
+ 3600 => $Lang::tr{'one hour'},
+ 43200 => $Lang::tr{'twelve hours'},
+ 86400 => $Lang::tr{'24 hours'},
+ 0 => "- $Lang::tr{'unlimited'} -",
+);
my $col="";
$cgiparams{'DPD_DELAY'} = '30';
$cgiparams{'DPD_TIMEOUT'} = '120';
$cgiparams{'FORCE_MOBIKE'} = 'off';
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
###
print FILE "";
close FILE;
}
+ if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
+ print FILE "";
+ close FILE;
+ }
unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
unlink ("${General::swroot}/certs/01.pem");
}
if (! -s ">${General::swroot}/certs/index.txt") {
system ("touch ${General::swroot}/certs/index.txt");
}
+ if (! -s ">${General::swroot}/certs/index.txt.attr") {
+ system ("touch ${General::swroot}/certs/index.txt.attr");
+ }
unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
}
sub getCNfromcert ($) {
#&General::log("ipsec", "Extracting name from $_[0]...");
my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN = (.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ $temp =~ s/ ST = / S = /;
$temp =~ s/,//g;
$temp =~ s/\'//g;
return $temp;
$temp =~ /Subject: (.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ $temp =~ s/ ST = / S = /;
return $temp;
}
###
$localside = $lvpnsettings{'VPN_IP'};
}
+ my $interface_mode = $lconfighash{$key}[36];
+
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+ if ($interface_mode eq "gre") {
+ print CONF "\tleftprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\tleftsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+ }
+
print CONF "\tleftfirewall=yes\n";
print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+ if ($interface_mode eq "gre") {
+ print CONF "\trightprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\trightsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+ }
}
# Local Cert and Remote Cert (unless auth is DN dn-auth)
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Set mode
+ if ($lconfighash{$key}[35] eq "transport") {
+ print CONF "\ttype=transport\n";
+ } else {
+ print CONF "\ttype=tunnel\n";
+ }
+
+ # Add mark for VTI
+ if ($interface_mode eq "vti") {
+ print CONF "\tmark=$key\n";
+ }
+
# Is PFS enabled?
my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
print CONF "\trightrsasigkey=%cert\n";
}
+ my $start_action = $lconfighash{$key}[33];
+ if (!$start_action) {
+ $start_action = "start";
+ }
+
+ my $inactivity_timeout = $lconfighash{$key}[34];
+ if ($inactivity_timeout eq "") {
+ $inactivity_timeout = 900;
+ }
+
# Automatically start only if a net-to-net connection
if ($lconfighash{$key}[3] eq 'host') {
print CONF "\tauto=add\n";
print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
} else {
- print CONF "\tauto=start\n";
+ print CONF "\tauto=$start_action\n";
+
+ # If in on-demand mode, we terminate the tunnel
+ # after 15 min of no traffic
+ if ($start_action eq 'route' && $inactivity_timeout > 0) {
+ print CONF "\tinactivity=$inactivity_timeout\n";
+ }
}
# Fragmentation
$cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
$cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
$cgiparams{'DPD_TIMEOUT'} = 120;
}
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ }
+
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
goto VPNCONF_ERROR;
}
}
+
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+ $errormessage = $Lang::tr{'invalid input for interface address'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mtu'};
+ goto VPNCONF_ERROR;
+ }
}
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
+ $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+ $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+ $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
# free unused fields!
$confighash{$key}[6] = 'off';
} else {
$cgiparams{'AUTH'} = 'certgen';
}
- $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+ if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+ $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+ } else {
+ $cgiparams{"LOCAL_SUBNET"} = "";
+ }
$cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
$cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
$cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
+ $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
- $cgiparams{'COMPRESSION'} = 'on'; #[13];
- $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
+ $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
+ $cgiparams{'INTERFACE_MODE'} = "";
+ $cgiparams{'INTERFACE_ADDRESS'} = "";
+ $cgiparams{'INTERFACE_MTU'} = 1500;
}
VPNCONF_ERROR:
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+ $selected{'MODE'}{'tunnel'} = '';
+ $selected{'MODE'}{'transport'} = '';
+ $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+ $selected{'INTERFACE_MODE'}{''} = '';
+ $selected{'INTERFACE_MODE'}{'gre'} = '';
+ $selected{'INTERFACE_MODE'}{'vti'} = '';
+ $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+ <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
END
;
if ($cgiparams{'KEY'}) {
print "</table>";
&Header::closebox();
+ if ($cgiparams{'TYPE'} eq 'net') {
+ &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+ print <<EOF;
+ <table width='100%'>
+ <tbody>
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+ <td width='30%'>
+ <select name='MODE'>
+ <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+ <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+ </select>
+ </td>
+ <td colspan='2'></td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+ <td width='30%'>
+ <select name='INTERFACE_MODE'>
+ <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+ <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+ <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+ </select>
+ </td>
+
+ <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+ <td width='30%'>
+ <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+ </td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+ <td width='30%'>
+ <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+ </td>
+ <td colspan='2'></td>
+ </tr>
+ </tbody>
+ </table>
+EOF
+ &Header::closebox();
+ }
+
if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <<END
<td class='base'>$Lang::tr{'users department'}:</td>
<td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
<tr><td> </td>
- <td class='base'>$Lang::tr{'organization name'}:</td>
+ <td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>
<td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
<tr><td> </td>
<td class='base'>$Lang::tr{'city'}:</td>
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+ if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for inactivity timeout'};
+ goto ADVANCED_ERROR;
+ }
+
$confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
$confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
$confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
$confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
$confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
+ $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
if (&vpnenabled) {
$cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
$cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
+ $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
if (!$cgiparams{'DPD_TIMEOUT'}) {
$cgiparams{'DPD_TIMEOUT'} = 120;
}
+
+ if (!$cgiparams{'START_ACTION'}) {
+ $cgiparams{'START_ACTION'} = "start";
+ }
+
+ if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+ $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
+ }
+
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
}
ADVANCED_ERROR:
+ $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = '';
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
$checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
$checked{'IKE_GROUPTYPE'}{'768'} = '';
$checked{'IKE_GROUPTYPE'}{'1024'} = '';
$checked{'IKE_GROUPTYPE'}{'1536'} = '';
@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
- # 768 is not supported by strongswan
- $checked{'IKE_GROUPTYPE'}{'768'} = '';
-
+ $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = '';
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
$checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
$checked{'ESP_GROUPTYPE'}{'768'} = '';
$checked{'ESP_GROUPTYPE'}{'1024'} = '';
$checked{'ESP_GROUPTYPE'}{'1536'} = '';
$selected{'DPD_ACTION'}{'none'} = '';
$selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+ $selected{'START_ACTION'}{'add'} = '';
+ $selected{'START_ACTION'}{'route'} = '';
+ $selected{'START_ACTION'}{'start'} = '';
+ $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
+
+ $selected{'INACTIVITY_TIMEOUT'} = ();
+ foreach my $timeout (keys %INACTIVITY_TIMEOUTS) {
+ $selected{'INACTIVITY_TIMEOUT'}{$timeout} = "";
+ }
+ $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
}
&Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
- print <<EOF
+ print <<EOF;
<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
<input type='hidden' name='ADVANCED' value='yes' />
<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
<td class='boldbase'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+ <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
<option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
- <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC ($Lang::tr{'vpn weak'})</option>
</select>
</td>
<td class='boldbase'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+ <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
<option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
<option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
- <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC ($Lang::tr{'vpn weak'})</option>
</select>
</td>
</tr>
<option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
<option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
- <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
- <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
+ <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1 ($Lang::tr{'vpn weak'})</option>
+ <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
</select>
</td>
<td class='boldbase'>
<option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
<option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
<option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
- <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
- <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
+ <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1 ($Lang::tr{'vpn weak'})</option>
+ <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
</select>
</td>
</tr>
<td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
<td class='boldbase'>
<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+ <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
<option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
<option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
<option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
- <option value='2048s256' $checked{'IKE_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
- <option value='2048s224' $checked{'IKE_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
- <option value='2048s160' $checked{'IKE_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
<option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
<option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
- <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
+ <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
+ <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
</select>
</td>
<td class='boldbase'>
<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+ <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
<option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
<option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
<option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
- <option value='2048s256' $checked{'ESP_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
- <option value='2048s224' $checked{'ESP_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
- <option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
<option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
<option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
- <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option>
+ <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
+ <option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
<option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
</select>
</td>
IKE+ESP: $Lang::tr{'use only proposed settings'}
</label>
</td>
+ <td>
+ <label>$Lang::tr{'vpn start action'}</label>
+ <select name="START_ACTION">
+ <option value="route" $selected{'START_ACTION'}{'route'}>$Lang::tr{'vpn start action route'}</option>
+ <option value="start" $selected{'START_ACTION'}{'start'}>$Lang::tr{'vpn start action start'}</option>
+ <option value="add" $selected{'START_ACTION'}{'add'} >$Lang::tr{'vpn start action add'}</option>
+ </select>
+ </td>
</tr>
<tr>
<td>
$Lang::tr{'pfs yes no'}
</label>
</td>
+ <td>
+ <label>$Lang::tr{'vpn inactivity timeout'}</label>
+ <select name="INACTIVITY_TIMEOUT">
+EOF
+ foreach my $t (sort { $a <=> $b } keys %INACTIVITY_TIMEOUTS) {
+ print "<option value=\"$t\" $selected{'INACTIVITY_TIMEOUT'}{$t}>$INACTIVITY_TIMEOUTS{$t}</option>\n";
+ }
+
+ print <<EOF;
+
+ </select>
+ </td>
</tr>
<tr>
- <td>
+ <td colspan="2">
<label>
<input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
$Lang::tr{'vpn payload compression'}
</td>
</tr>
<tr>
- <td>
+ <td colspan="2">
<label>
<input type='checkbox' name='FORCE_MOBIKE' $checked{'FORCE_MOBIKE'} />
$Lang::tr{'vpn force mobike'}
</label>
</td>
</tr>
-EOF
-;
-
- print <<EOF;
<tr>
- <td align='left'
colspan='1'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td>
- <td align='right' colspan='2'>
+ <td align='left'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td>
+ <td align='right'>
<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' />
</td>
}
print "<td align='center' $col>$confighash{$key}[25]</td>";
my $col1="bgcolor='${Header::colourred}'";
- # get real state
my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
+ if ($confighash{$key}[33] eq "add") {
+ $col1="bgcolor='${Header::colourorange}'";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn wait'}</font></b>";
+ }
foreach my $line (@status) {
if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
$col1="bgcolor='${Header::colourgreen}'";
$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
+ } elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) {
+ $col1="bgcolor='${Header::colourorange}'";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>";
+ } elsif ($line =~ /$confighash{$key}[1]\{.*ROUTED/) {
+ $col1="bgcolor='${Header::colourorange}'";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn on-demand'}</font></b>";
}
}
# move to blue if really down
if ($grp =~ m/^e(.*)$/) {
push(@algo, "ecp$1");
+ } elsif ($grp =~ m/curve25519/) {
+ push(@algo, "$grp");
} else {
push(@algo, "modp$grp");
}
# noop
} elsif ($grp =~ m/^e(.*)$/) {
push(@algo, "ecp$1");
+ } elsif ($grp =~ m/curve25519/) {
+ push(@algo, "$grp");
} else {
push(@algo, "modp$grp");
}
return &array_unique(\@algos);
}
-sub make_subnets($) {
+sub make_subnets($$) {
+ my $direction = shift;
my $subnets = shift;
my @nets = split(/\|/, $subnets);
my @cidr_nets = ();
foreach my $net (@nets) {
my $cidr_net = &General::ipcidr($net);
+
+ # Skip 0.0.0.0/0 for remote because this renders the
+ # while system inaccessible
+ next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
push(@cidr_nets, $cidr_net);
}
projects / ipfire-2.x.git / blobdiff