&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+
+my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
+my $blue_cidr = "# Blue not defined";
+if ($netsettings{'BLUE_DEV'}) {
+ $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
+}
+my $orange_cidr = "# Orange not defined";
+if ($netsettings{'ORANGE_DEV'}) {
+ $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
+}
+
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
my $plutodebug = ''; # build debug list
map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ 'DBG_DNS'));
$plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- print CONF "\tklipsdebug=\"none\"\n";
+ #print CONF "\tklipsdebug=\"none\"\n";
print CONF "\tplutodebug=\"$plutodebug\"\n";
# deprecated in ipsec.conf version 2
#print CONF "\tplutoload=%search\n";
print CONF "\tnat_traversal=yes\n";
print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ print CONF ",%v4:!$green_cidr";
if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ print CONF ",%v4:!$orange_cidr";
}
if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ print CONF ",%v4:!$blue_cidr";
}
foreach my $key (keys %lconfighash) {
if ($lconfighash{$key}[3] eq 'net') {
#print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n";
+ # Add user includes to config file
+ print CONF "include /etc/ipsec.user.conf\n";
+ print CONF "\n";
+
+ print SECRETS "include /etc/ipsec.user.secrets\n";
+
if (-f "${General::swroot}/certs/hostkey.pem") {
print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
}
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
- print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
+ print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
+ print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=$lconfighash{$key}[11]\n";
+ my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
+ print CONF "\trightsubnet=$cidr_net\n";
print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
}
+ # IKE V1
+ print CONF "\tkeyexchange=ikev1\n";
+
# Lifetimes
print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
map ($vpnsettings{$_} = $cgiparams{$_},
('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ 'DBG_DNS'));
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
print <<END
<table width='100%' cellpadding='0' cellspacing='5' border='0'>
<tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
- <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
+ <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
</tr>
</table>
END
<table width='100%' cellpadding='0' cellspacing='5' border='0'>
<tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} $pskdisabled/></td>
<td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
- <td class='base' width='40%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
+ <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
<tr><td colspan='3' bgcolor='#000000'></td></tr>
<tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
<td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
}
}
if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
- $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
$checked{'IKE_GROUPTYPE'}{'8192'} = '';
@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
+
+ # 768 is not supported by strongswan
+ $checked{'IKE_GROUPTYPE'}{'768'} = '';
+
+
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
<option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
<option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
<option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
- <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option>
</select></td>
</tr><tr>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'ike lifetime'}</td><td class='boldbase' valign='top'>
$checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ 'DBG_DNS'));
&Header::showhttpheaders();
parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />,
emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />,
control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />,
-klips:<input type='checkbox' name='DBG_KLIPS' $checked{'DBG_KLIPS'} />,
-dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />,
-nat_t:<input type='checkbox' name='DBG_NAT_T' $checked{'DBG_NAT_T'} /></p>
-
+dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />
<hr />
<table width='100%'>
<tr>