]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - html/cgi-bin/vpnmain.cgi
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge remote-tracking branch 'origin/next'
[ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e71786243dc573a2b8fa8ed832b13d1023ca08e4..be6eb6d157930a957aef077406c05d11776f8a45 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -68,6 +68,17 @@ if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
        $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
 }
 
+my %INACTIVITY_TIMEOUTS = (
+       300             => $Lang::tr{'five minutes'},
+       600             => $Lang::tr{'ten minutes'},
+       900             => $Lang::tr{'fifteen minutes'},
+       1800            => $Lang::tr{'thirty minutes'},
+       3600            => $Lang::tr{'one hour'},
+       43200           => $Lang::tr{'twelve hours'},
+       86400           => $Lang::tr{'24 hours'},
+       0               => "- $Lang::tr{'unlimited'} -",
+);
+
 my $col="";
 
 $cgiparams{'ENABLED'} = 'off';
@@ -108,6 +119,8 @@ $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
+$cgiparams{'START_ACTION'} = 'start';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -281,15 +294,13 @@ sub writeipsecfiles {
 
                print CONF "conn $lconfighash{$key}[1]\n";
                print CONF "\tleft=$localside\n";
-               my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
-               print CONF "\tleftsubnet=$cidr_net\n";
+               print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
                print CONF "\tleftfirewall=yes\n";
                print CONF "\tlefthostaccess=yes\n";
                print CONF "\tright=$lconfighash{$key}[10]\n";
 
                if ($lconfighash{$key}[3] eq 'net') {
-                       my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
-                       print CONF "\trightsubnet=$cidr_net\n";
+                       print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
                }
 
                # Local Cert and Remote Cert (unless auth is DN dn-auth)
@@ -403,12 +414,28 @@ sub writeipsecfiles {
                        print CONF "\trightrsasigkey=%cert\n";
                }
 
+               my $start_action = $lconfighash{$key}[33];
+               if (!$start_action) {
+                       $start_action = "start";
+               }
+
+               my $inactivity_timeout = $lconfighash{$key}[34];
+               if ($inactivity_timeout eq "") {
+                       $inactivity_timeout = 900;
+               }
+
                # Automatically start only if a net-to-net connection
                if ($lconfighash{$key}[3] eq 'host') {
                        print CONF "\tauto=add\n";
                        print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
                } else {
-                       print CONF "\tauto=start\n";
+                       print CONF "\tauto=$start_action\n";
+
+                       # If in on-demand mode, we terminate the tunnel
+                       # after 15 min of no traffic
+                       if ($start_action eq 'route' && $inactivity_timeout > 0) {
+                               print CONF "\tinactivity=$inactivity_timeout\n";
+                       }
                }
 
                # Fragmentation
@@ -1263,10 +1290,12 @@ END
                $cgiparams{'PSK'}                               = $confighash{$cgiparams{'KEY'}}[5];
                #$cgiparams{'free'}                             = $confighash{$cgiparams{'KEY'}}[6];
                $cgiparams{'LOCAL_ID'}                  = $confighash{$cgiparams{'KEY'}}[7];
-               $cgiparams{'LOCAL_SUBNET'}              = $confighash{$cgiparams{'KEY'}}[8];
+               my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
+               $cgiparams{'LOCAL_SUBNET'}              = join(/\|/, @local_subnets);
                $cgiparams{'REMOTE_ID'}                 = $confighash{$cgiparams{'KEY'}}[9];
                $cgiparams{'REMOTE'}                    = $confighash{$cgiparams{'KEY'}}[10];
-               $cgiparams{'REMOTE_SUBNET'}             = $confighash{$cgiparams{'KEY'}}[11];
+               my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]);
+               $cgiparams{'REMOTE_SUBNET'}             = join(/\|/, @remote_subnets);
                $cgiparams{'REMARK'}                    = $confighash{$cgiparams{'KEY'}}[25];
                $cgiparams{'DPD_ACTION'}                = $confighash{$cgiparams{'KEY'}}[27];
                $cgiparams{'IKE_VERSION'}               = $confighash{$cgiparams{'KEY'}}[29];
@@ -1287,6 +1316,7 @@ END
                $cgiparams{'DPD_TIMEOUT'}               = $confighash{$cgiparams{'KEY'}}[30];
                $cgiparams{'DPD_DELAY'}                 = $confighash{$cgiparams{'KEY'}}[31];
                $cgiparams{'FORCE_MOBIKE'}              = $confighash{$cgiparams{'KEY'}}[32];
+               $cgiparams{'INACTIVITY_TIMEOUT'}        = $confighash{$cgiparams{'KEY'}}[34];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -1296,6 +1326,10 @@ END
                        $cgiparams{'DPD_TIMEOUT'} = 120;
                }
 
+               if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+                       $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+               }
+
        } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
                $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
                if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1346,9 +1380,12 @@ END
                        }
                }
 
-               unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
-                       $errormessage = $Lang::tr{'local subnet is invalid'};
-                       goto VPNCONF_ERROR;
+               my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+               foreach my $subnet (@local_subnets) {
+                       unless (&Network::check_subnet($subnet)) {
+                               $errormessage = $Lang::tr{'local subnet is invalid'};
+                               goto VPNCONF_ERROR;
+                       }
                }
 
                # Allow only one roadwarrior/psk without remote IP-address
@@ -1362,9 +1399,15 @@ END
                                }
                        }
                }
-               if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
-                       $errormessage = $Lang::tr{'remote subnet is invalid'};
-                       goto VPNCONF_ERROR;
+
+               if ($cgiparams{'TYPE'} eq 'net') {
+                       my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+                       foreach my $subnet (@remote_subnets) {
+                               unless (&Network::check_subnet($subnet)) {
+                                       $errormessage = $Lang::tr{'remote subnet is invalid'};
+                                       goto VPNCONF_ERROR;
+                               }
+                       }
                }
 
                if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
@@ -1769,7 +1812,7 @@ END
        my $key = $cgiparams{'KEY'};
        if (! $key) {
                $key = &General::findhasharraykey (\%confighash);
-               foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
+               foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
        }
        $confighash{$key}[0] = $cgiparams{'ENABLED'};
        $confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1784,10 +1827,12 @@ END
                $confighash{$key}[4] = 'cert';
        }
        if ($cgiparams{'TYPE'} eq 'net') {
-               $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
+               my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+               $confighash{$key}[11] = join('|', @remote_subnets);
        }
        $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
-       $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
+       my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+       $confighash{$key}[8] = join('|', @local_subnets);
        $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
        $confighash{$key}[10] = $cgiparams{'REMOTE'};
        $confighash{$key}[25] = $cgiparams{'REMARK'};
@@ -1811,6 +1856,7 @@ END
        $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
        $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
        $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+       $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
 
        # free unused fields!
        $confighash{$key}[6] = 'off';
@@ -1874,16 +1920,17 @@ END
 
        #use default advanced value
        $cgiparams{'IKE_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
-       $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256|sha'; #[19];
-       $cgiparams{'IKE_GROUPTYPE'}             = '4096|3072|2048|1536|1024'; #[20];
+       $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256'; #[19];
+       $cgiparams{'IKE_GROUPTYPE'}             = 'curve25519|4096|3072|2048'; #[20];
        $cgiparams{'IKE_LIFETIME'}              = '3'; #[16];
        $cgiparams{'ESP_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
-       $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256|sha1'; #[22];
-       $cgiparams{'ESP_GROUPTYPE'}             = '4096|3072|2048|1536|1024'; #[23];
+       $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256'; #[22];
+       $cgiparams{'ESP_GROUPTYPE'}             = 'curve25519|4096|3072|2048'; #[23];
        $cgiparams{'ESP_KEYLIFE'}               = '1'; #[17];
-       $cgiparams{'COMPRESSION'}               = 'on'; #[13];
-       $cgiparams{'ONLY_PROPOSED'}             = 'off'; #[24];
+       $cgiparams{'COMPRESSION'}               = 'off'; #[13];
+       $cgiparams{'ONLY_PROPOSED'}             = 'on'; #[24];
        $cgiparams{'PFS'}                               = 'on'; #[28];
+       $cgiparams{'INACTIVITY_TIMEOUT'}        = 900;
 }
 
 VPNCONF_ERROR:
@@ -1969,6 +2016,12 @@ EOF
                $blob = "<img src='/blob.gif' alt='*' />";
        };
 
+       my @local_subnets = split(/\|/, $cgiparams{'LOCAL_SUBNET'});
+       my $local_subnets = join(",", @local_subnets);
+
+       my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
+       my $remote_subnets = join(",", @remote_subnets);
+
        print <<END
        <tr>
                <td width='20%'>$Lang::tr{'enabled'}</td>
@@ -1977,7 +2030,7 @@ EOF
                </td>
                <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
                <td width='30%'>
-                       <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" />
+                       <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
                </td>
        </tr>
        <tr>
@@ -1987,7 +2040,7 @@ EOF
                </td>
                <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
                <td width='30%'>
-                       <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" />
+                       <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
                </td>
        </tr>
        <tr>
@@ -2060,7 +2113,7 @@ END
                        <td class='base'>$Lang::tr{'users department'}:</td>
                        <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
                <tr><td>&nbsp;</td>
-                       <td class='base'>$Lang::tr{'organization name'}:</td>
+                       <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
                        <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
                <tr><td>&nbsp;</td>
                        <td class='base'>$Lang::tr{'city'}:</td>
@@ -2149,7 +2202,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
+                       if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2190,7 +2243,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
                foreach my $val (@temp) {
-                       if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+                       if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
                                $errormessage = $Lang::tr{'invalid input'};
                                goto ADVANCED_ERROR;
                        }
@@ -2222,6 +2275,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        goto ADVANCED_ERROR;
                }
 
+               if ($cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/) {
+                       $errormessage = $Lang::tr{'invalid input for inactivity timeout'};
+                       goto ADVANCED_ERROR;
+               }
+
                $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
                $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
                $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
@@ -2239,6 +2297,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
                $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
                $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
+               $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
+               $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
                &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
                &writeipsecfiles();
                if (&vpnenabled) {
@@ -2266,6 +2326,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                $cgiparams{'DPD_TIMEOUT'}               = $confighash{$cgiparams{'KEY'}}[30];
                $cgiparams{'DPD_DELAY'}                 = $confighash{$cgiparams{'KEY'}}[31];
                $cgiparams{'FORCE_MOBIKE'}              = $confighash{$cgiparams{'KEY'}}[32];
+               $cgiparams{'START_ACTION'}              = $confighash{$cgiparams{'KEY'}}[33];
+               $cgiparams{'INACTIVITY_TIMEOUT'}        = $confighash{$cgiparams{'KEY'}}[34];
 
                if (!$cgiparams{'DPD_DELAY'}) {
                        $cgiparams{'DPD_DELAY'} = 30;
@@ -2274,6 +2336,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                if (!$cgiparams{'DPD_TIMEOUT'}) {
                        $cgiparams{'DPD_TIMEOUT'} = 120;
                }
+
+               if (!$cgiparams{'START_ACTION'}) {
+                       $cgiparams{'START_ACTION'} = "start";
+               }
+
+               if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
+                       $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
+               }
        }
 
        ADVANCED_ERROR:
@@ -2303,6 +2373,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
        @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
        foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+       $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
        $checked{'IKE_GROUPTYPE'}{'768'} = '';
        $checked{'IKE_GROUPTYPE'}{'1024'} = '';
        $checked{'IKE_GROUPTYPE'}{'1536'} = '';
@@ -2314,9 +2385,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
        foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
 
-       # 768 is not supported by strongswan
-       $checked{'IKE_GROUPTYPE'}{'768'} = '';
-
        $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
        $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
        $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
@@ -2343,6 +2411,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
        @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
        foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+       $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
        $checked{'ESP_GROUPTYPE'}{'768'} = '';
        $checked{'ESP_GROUPTYPE'}{'1024'} = '';
        $checked{'ESP_GROUPTYPE'}{'1536'} = '';
@@ -2370,6 +2439,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        $selected{'DPD_ACTION'}{'none'} = '';
        $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
 
+       $selected{'START_ACTION'}{'route'} = '';
+       $selected{'START_ACTION'}{'start'} = '';
+       $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
+
+       $selected{'INACTIVITY_TIMEOUT'} = ();
+       foreach my $timeout (keys %INACTIVITY_TIMEOUTS) {
+               $selected{'INACTIVITY_TIMEOUT'}{$timeout} = "";
+       }
+       $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected";
+
        &Header::showhttpheaders();
        &Header::openpage($Lang::tr{'ipsec'}, 1, '');
        &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -2389,7 +2468,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        }
 
        &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
-       print <<EOF
+       print <<EOF;
        <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
        <input type='hidden' name='ADVANCED' value='yes' />
        <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
@@ -2465,8 +2544,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
                                        <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
                                        <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
-                                       <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
-                                       <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
+                                       <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1 ($Lang::tr{'vpn weak'})</option>
+                                       <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
                                </select>
                        </td>
                        <td class='boldbase'>
@@ -2475,8 +2554,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
                                        <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
                                        <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
-                                       <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
-                                       <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
+                                       <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1 ($Lang::tr{'vpn weak'})</option>
+                                       <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
                                </select>
                        </td>
                </tr>
@@ -2493,6 +2572,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                        <td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
                        <td class='boldbase'>
                                <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+                                       <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
                                        <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
                                        <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
                                        <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -2506,16 +2586,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
                                        <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
                                        <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
-                                       <option value='2048s256' $checked{'IKE_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
-                                       <option value='2048s224' $checked{'IKE_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
-                                       <option value='2048s160' $checked{'IKE_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
                                        <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
                                        <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
-                                       <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
+                                       <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
+                                       <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
                                </select>
                        </td>
                        <td class='boldbase'>
                                <select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
+                                       <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
                                        <option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
                                        <option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
                                        <option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
@@ -2529,12 +2608,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                        <option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
                                        <option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
                                        <option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
-                                       <option value='2048s256' $checked{'ESP_GROUPTYPE'}{'2048s256'}>MODP-2048/256</option>
-                                       <option value='2048s224' $checked{'ESP_GROUPTYPE'}{'2048s224'}>MODP-2048/224</option>
-                                       <option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option>
                                        <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
                                        <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
-                                       <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option>
+                                       <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
+                                       <option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
                                        <option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
                                </select>
                        </td>
@@ -2582,6 +2659,13 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                IKE+ESP: $Lang::tr{'use only proposed settings'}
                        </label>
                </td>
+               <td>
+                       <label>$Lang::tr{'vpn start action'}</label>
+                       <select name="START_ACTION">
+                               <option value="route" $selected{'START_ACTION'}{'route'}>$Lang::tr{'vpn start action route'}</option>
+                               <option value="start" $selected{'START_ACTION'}{'start'}>$Lang::tr{'vpn start action start'}</option>
+                       </select>
+               </td>
        </tr>
        <tr>
                <td>
@@ -2590,9 +2674,21 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                                $Lang::tr{'pfs yes no'}
                        </label>
                </td>
+               <td>
+                       <label>$Lang::tr{'vpn inactivity timeout'}</label>
+                       <select name="INACTIVITY_TIMEOUT">
+EOF
+       foreach my $t (sort { $a <=> $b } keys %INACTIVITY_TIMEOUTS) {
+               print "<option value=\"$t\" $selected{'INACTIVITY_TIMEOUT'}{$t}>$INACTIVITY_TIMEOUTS{$t}</option>\n";
+       }
+
+       print <<EOF;
+
+                       </select>
+               </td>
        </tr>
        <tr>
-               <td>
+               <td colspan="2">
                        <label>
                                <input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
                                $Lang::tr{'vpn payload compression'}
@@ -2600,20 +2696,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
                </td>
        </tr>
        <tr>
-               <td>
+               <td colspan="2">
                        <label>
                                <input type='checkbox' name='FORCE_MOBIKE' $checked{'FORCE_MOBIKE'} />
                                $Lang::tr{'vpn force mobike'}
                        </label>
                </td>
        </tr>
-EOF
-;
-
-       print <<EOF;
        <tr>
-               <td align='left' colspan='1'><img src='/blob.gif' align='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td>
-               <td align='right' colspan='2'>
+               <td align='left'><img src='/blob.gif' align='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td>
+               <td align='right'>
                        <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
                        <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' />
                </td>
@@ -2763,6 +2855,12 @@ END
                ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
                        $col1="bgcolor='${Header::colourgreen}'";
                        $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
+               } elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) {
+                       $col1="bgcolor='${Header::colourorange}'";
+                       $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>";
+               } elsif ($line =~ /$confighash{$key}[1]\{.*ROUTED/) {
+                       $col1="bgcolor='${Header::colourorange}'";
+                       $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn on-demand'}</font></b>";
                }
        }
        # move to blue if really down
@@ -3074,6 +3172,8 @@ sub make_algos($$$$$) {
 
                                        if ($grp =~ m/^e(.*)$/) {
                                                push(@algo, "ecp$1");
+                                       } elsif ($grp =~ m/curve25519/) {
+                                               push(@algo, "$grp");
                                        } else {
                                                push(@algo, "modp$grp");
                                        }
@@ -3089,6 +3189,8 @@ sub make_algos($$$$$) {
                                                # noop
                                        } elsif ($grp =~ m/^e(.*)$/) {
                                                push(@algo, "ecp$1");
+                                       } elsif ($grp =~ m/curve25519/) {
+                                               push(@algo, "$grp");
                                        } else {
                                                push(@algo, "modp$grp");
                                        }
@@ -3101,3 +3203,16 @@ sub make_algos($$$$$) {
 
        return &array_unique(\@algos);
 }
+
+sub make_subnets($) {
+       my $subnets = shift;
+
+       my @nets = split(/\|/, $subnets);
+       my @cidr_nets = ();
+       foreach my $net (@nets) {
+               my $cidr_net = &General::ipcidr($net);
+               push(@cidr_nets, $cidr_net);
+       }
+
+       return join(",", @cidr_nets);
+}
IPFire 2.x development tree