X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=4891b040a5dd4c89348db9c33c4555a6fb9c33df;hp=f1cffb88448155cc2a9f5c8ad4793e6b8c187b5e;hb=8ebe72541619278f97fc0be145057f5fc59581c6;hpb=8a1a3bf3934c8a92c605135ee13db466ea3dcbf4 diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index f1cffb8844..4891b040a5 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -58,15 +58,16 @@ my %mainsettings = (); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); -my $blue_cidr = "# Blue not defined"; -if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { - $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); -} -my $orange_cidr = "# Orange not defined"; -if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { - $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); -} +my %INACTIVITY_TIMEOUTS = ( + 300 => $Lang::tr{'five minutes'}, + 600 => $Lang::tr{'ten minutes'}, + 900 => $Lang::tr{'fifteen minutes'}, + 1800 => $Lang::tr{'thirty minutes'}, + 3600 => $Lang::tr{'one hour'}, + 43200 => $Lang::tr{'twelve hours'}, + 86400 => $Lang::tr{'24 hours'}, + 0 => "- $Lang::tr{'unlimited'} -", +); my $col=""; @@ -108,6 +109,10 @@ $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; $cgiparams{'FORCE_MOBIKE'} = 'off'; +$cgiparams{'START_ACTION'} = 'route'; +$cgiparams{'INACTIVITY_TIMEOUT'} = 1800; +$cgiparams{'MODE'} = "tunnel"; +$cgiparams{'INTERFACE_MODE'} = ""; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); ### @@ -146,7 +151,12 @@ sub cleanssldatabase { print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); unlink ("${General::swroot}/certs/01.pem"); } @@ -159,7 +169,11 @@ sub newcleanssldatabase { if (! -s ">${General::swroot}/certs/index.txt") { system ("touch ${General::swroot}/certs/index.txt"); } + if (! -s ">${General::swroot}/certs/index.txt.attr") { + system ("touch ${General::swroot}/certs/index.txt.attr"); + } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); # unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } @@ -186,10 +200,10 @@ sub callssl ($) { sub getCNfromcert ($) { #&General::log("ipsec", "Extracting name from $_[0]..."); my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN = (.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + $temp =~ s/ ST = / S = /; $temp =~ s/,//g; $temp =~ s/\'//g; return $temp; @@ -203,7 +217,7 @@ sub getsubjectfromcert ($) { $temp =~ /Subject: (.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + $temp =~ s/ ST = / S = /; return $temp; } ### @@ -300,6 +314,13 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Set mode + if ($lconfighash{$key}[35] eq "transport") { + print CONF "\ttype=transport\n"; + } else { + print CONF "\ttype=tunnel\n"; + } + # Is PFS enabled? my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; @@ -401,12 +422,28 @@ sub writeipsecfiles { print CONF "\trightrsasigkey=%cert\n"; } + my $start_action = $lconfighash{$key}[33]; + if (!$start_action) { + $start_action = "start"; + } + + my $inactivity_timeout = $lconfighash{$key}[34]; + if ($inactivity_timeout eq "") { + $inactivity_timeout = 900; + } + # Automatically start only if a net-to-net connection if ($lconfighash{$key}[3] eq 'host') { print CONF "\tauto=add\n"; print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; } else { - print CONF "\tauto=start\n"; + print CONF "\tauto=$start_action\n"; + + # If in on-demand mode, we terminate the tunnel + # after 15 min of no traffic + if ($start_action eq 'route' && $inactivity_timeout > 0) { + print CONF "\tinactivity=$inactivity_timeout\n"; + } } # Fragmentation @@ -1287,6 +1324,9 @@ END $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1296,6 +1336,14 @@ END $cgiparams{'DPD_TIMEOUT'} = 120; } + if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") { + $cgiparams{'INACTIVITY_TIMEOUT'} = 900; + } + + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { @@ -1778,7 +1826,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 36) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1822,6 +1870,9 @@ END $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; + $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'}; + $confighash{$key}[35] = $cgiparams{'MODE'}; + $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; # free unused fields! $confighash{$key}[6] = 'off'; @@ -1884,17 +1935,20 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; + $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; + $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; - $cgiparams{'COMPRESSION'} = 'on'; #[13]; - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; + $cgiparams{'COMPRESSION'} = 'off'; #[13]; + $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; + $cgiparams{'INACTIVITY_TIMEOUT'} = 900; + $cgiparams{'MODE'} = "tunnel"; + $cgiparams{'INTERFACE_MODE'} = ""; } VPNCONF_ERROR: @@ -1950,6 +2004,9 @@ VPNCONF_ERROR: + + + END ; if ($cgiparams{'KEY'}) { @@ -2144,7 +2201,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2166,7 +2223,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2185,7 +2242,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2207,7 +2264,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2239,6 +2296,21 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } + if ($cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for inactivity timeout'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) { + $errormessage = $Lang::tr{'invalid input for mode'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) { + $errormessage = $Lang::tr{'invalid input for interface mode'}; + goto ADVANCED_ERROR; + } + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; @@ -2256,6 +2328,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; + $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'}; + $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'MODE'}; + $confighash{$cgiparams{'KEY'}}[36] = $cgiparams{'INTERFACE_MODE'}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { @@ -2283,6 +2359,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; + $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -2291,9 +2371,22 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || if (!$cgiparams{'DPD_TIMEOUT'}) { $cgiparams{'DPD_TIMEOUT'} = 120; } + + if (!$cgiparams{'START_ACTION'}) { + $cgiparams{'START_ACTION'} = "start"; + } + + if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") { + $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min + } + + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } } ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; @@ -2320,6 +2413,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; $checked{'IKE_GROUPTYPE'}{'1024'} = ''; $checked{'IKE_GROUPTYPE'}{'1536'} = ''; @@ -2331,9 +2425,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } - # 768 is not supported by strongswan - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - + $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = ''; $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; @@ -2360,6 +2452,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; $checked{'ESP_GROUPTYPE'}{'1024'} = ''; $checked{'ESP_GROUPTYPE'}{'1536'} = ''; @@ -2387,6 +2480,26 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $selected{'DPD_ACTION'}{'none'} = ''; $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; + $selected{'START_ACTION'}{'add'} = ''; + $selected{'START_ACTION'}{'route'} = ''; + $selected{'START_ACTION'}{'start'} = ''; + $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'"; + + $selected{'INACTIVITY_TIMEOUT'} = (); + foreach my $timeout (keys %INACTIVITY_TIMEOUTS) { + $selected{'INACTIVITY_TIMEOUT'}{$timeout} = ""; + } + $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected"; + + $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + + $selected{'INTERFACE_MODE'}{''} = ''; + $selected{'INTERFACE_MODE'}{'gre'} = ''; + $selected{'INTERFACE_MODE'}{'vti'} = ''; + $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -2406,11 +2519,40 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); - print < + + + + + + + + + + + + +
$Lang::tr{'mode'}: + +
$Lang::tr{'interface mode'}: + +
+ +

+ +

$Lang::tr{'cryptographic settings'}

+ @@ -2434,6 +2576,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @@ -2482,8 +2626,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - + + @@ -2510,6 +2654,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @@ -2599,6 +2741,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || IKE+ESP: $Lang::tr{'use only proposed settings'} + + - - -EOF -; - - print < - - + @@ -2773,13 +2931,22 @@ END } print ""; my $col1="bgcolor='${Header::colourred}'"; - # get real state my $active = "$Lang::tr{'capsclosed'}"; + if ($confighash{$key}[33] eq "add") { + $col1="bgcolor='${Header::colourorange}'"; + $active = "$Lang::tr{'vpn wait'}"; + } foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; + } elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) { + $col1="bgcolor='${Header::colourorange}'"; + $active = "$Lang::tr{'vpn connecting'}"; + } elsif ($line =~ /$confighash{$key}[1]\{.*ROUTED/) { + $col1="bgcolor='${Header::colourorange}'"; + $active = "$Lang::tr{'vpn on-demand'}"; } } # move to blue if really down @@ -3091,6 +3258,8 @@ sub make_algos($$$$$) { if ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); + } elsif ($grp =~ m/curve25519/) { + push(@algo, "$grp"); } else { push(@algo, "modp$grp"); } @@ -3106,6 +3275,8 @@ sub make_algos($$$$$) { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); + } elsif ($grp =~ m/curve25519/) { + push(@algo, "$grp"); } else { push(@algo, "modp$grp"); }
$Lang::tr{'encryption'}
@@ -2492,8 +2636,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - + +
$Lang::tr{'grouptype'} + + +
@@ -2607,9 +2757,21 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'pfs yes no'} + +
+
+
* $Lang::tr{'required field'} + * $Lang::tr{'required field'} $confighash{$key}[25]