X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=55566d7cfb8ffa9df59c85dd4ab615ce8a162bc3;hp=b9a73e5f24c286460f292ddc5fb4084e86f3c5fb;hb=e8b3bb0edcf5b6768326b01620f318a56aaf4814;hpb=4e156911cc45c2788bfa7e04561e2a7e550c68b8

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index b9a73e5f24..55566d7cfb 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -69,6 +69,8 @@ if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
 	$orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
 }
 
+my $col="";
+
 $cgiparams{'ENABLED'} = 'off';
 $cgiparams{'EDIT_ADVANCED'} = 'off';
 $cgiparams{'ACTION'} = '';
@@ -308,67 +310,33 @@ sub writeipsecfiles {
 
 	# Algorithms
 	if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
-	    print CONF "\tike=";
-	    my @encs   = split('\|', $lconfighash{$key}[18]);
-	    my @ints   = split('\|', $lconfighash{$key}[19]);
-	    my @groups = split('\|', $lconfighash{$key}[20]);
-	    my $comma = 0;
-	    foreach my $i (@encs) {
-	        foreach my $j (@ints) {
-	    	    foreach my $k (@groups) {
-		        if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-
-		        my @l = split("", $k);
-		        if ($l[0] eq "e") {
-		            shift @l;
-		            print CONF "$i-$j-ecp".join("", @l);
-		        } else {
-		            print CONF "$i-$j-modp$k";
-		        }
-		    }
-	        }
-	    }
-	    if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
-		print CONF "!\n";
-	    } else {
-	        print CONF "\n";
-	    }
+		my @encs   = split('\|', $lconfighash{$key}[18]);
+		my @ints   = split('\|', $lconfighash{$key}[19]);
+		my @groups = split('\|', $lconfighash{$key}[20]);
+
+		my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+		print CONF "\tike=" . join(",", @algos);
+
+		if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
+			print CONF "!\n";
+		} else {
+			print CONF "\n";
+		}
 	}
+
 	if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
-	    print CONF "\tesp=";
-	    my @encs   = split('\|', $lconfighash{$key}[21]);
-	    my @ints   = split('\|', $lconfighash{$key}[22]);
-	    my @groups = split('\|', $lconfighash{$key}[20]);
-	    my $comma = 0;
-	    foreach my $i (@encs) {
-		foreach my $j (@ints) {
-			my $modp = "";
-			if ($pfs eq "on") {
-				foreach my $k (@groups) {
-				    if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-				    if ($pfs eq "on") {
-					my @l = split("", $k);
-					if ($l[0] eq "e") {
-						$modp = "";
-					} else {
-						$modp = "-modp$k";
-					}
-				    } else {
-				        $modp = "";
-				    }
-				    print CONF "$i-$j$modp";
-				}
-			} else {
-				if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-				print CONF "$i-$j";
-			}
+		my @encs   = split('\|', $lconfighash{$key}[21]);
+		my @ints   = split('\|', $lconfighash{$key}[22]);
+		my @groups = split('\|', $lconfighash{$key}[20]);
+
+		my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+		print CONF "\tesp=" . join(",", @algos);
+
+		if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
+			print CONF "!\n";
+		} else {
+			print CONF "\n";
 		}
-	    }
-	    if ($lconfighash{$key}[24] eq 'on') {	#only proposed algorythms?
-		print CONF "!\n";
-	    } else {
-		print CONF "\n";
-	    }
 	}
 
 	# IKE V1 or V2
@@ -385,9 +353,27 @@ sub writeipsecfiles {
 	print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
 
 	# Dead Peer Detection
-	print CONF "\tdpddelay=$lconfighash{$key}[30]\n";
-	print CONF "\tdpdtimeout=$lconfighash{$key}[31]\n";
-	print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
+	my $dpdaction = $lconfighash{$key}[27];
+	print CONF "\tdpdaction=$dpdaction\n";
+
+	# If the dead peer detection is disabled and IKEv2 is used,
+	# dpddelay must be set to zero, too.
+	if ($dpdaction eq "none") {
+		if ($lconfighash{$key}[29] eq "ikev2") {
+			print CONF "\tdpddelay=0\n";
+		}
+	} else {
+		my $dpddelay = $lconfighash{$key}[30];
+		if (!$dpddelay) {
+			$dpddelay = 30;
+		}
+		print CONF "\tdpddelay=$dpddelay\n";
+		my $dpdtimeout = $lconfighash{$key}[31];
+		if (!$dpdtimeout) {
+			$dpdtimeout = 120;
+		}
+		print CONF "\tdpdtimeout=$dpdtimeout\n";
+	}
 
 	# Build Authentication details:  LEFTid RIGHTid : PSK psk
 	my $psk_line;
@@ -415,6 +401,10 @@ sub writeipsecfiles {
 	} else {
 	    print CONF "\tauto=start\n";
 	}
+
+	# Fragmentation
+	print CONF "\tfragmentation=yes\n";
+
 	print CONF "\n";
     }#foreach key
     print SECRETS $last_secrets if ($last_secrets);
@@ -491,7 +481,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', '');
     &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
     print <<END
@@ -587,7 +577,7 @@ END
 
     if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
 	&Header::showhttpheaders();
-	&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', '');
 	&Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
 	my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
@@ -663,7 +653,7 @@ END
 	}
 	if ($assignedcerts) {
 	    &Header::showhttpheaders();
-	    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+	    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	    &Header::openbigbox('100%', 'left', '', '');
 	    &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
 	    print <<END
@@ -708,7 +698,7 @@ END
 	$cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
     my $output;
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', '');
     if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
 	&Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
@@ -941,9 +931,9 @@ END
 	if (!$errormessage) {
 	    &General::log("ipsec", "Creating cacert...");
 	    if (open(STDIN, "-|")) {
-    		my $opt  = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+    		my $opt  = " req -x509 -sha256 -nodes";
 		   $opt .= " -days 999999";
-		   $opt .= " -newkey rsa:2048";
+		   $opt .= " -newkey rsa:4096";
 		   $opt .= " -keyout ${General::swroot}/private/cakey.pem";
 		   $opt .= " -out ${General::swroot}/ca/cacert.pem";
 
@@ -964,8 +954,8 @@ END
 	if (!$errormessage) {
 	    &General::log("ipsec", "Creating host cert...");
 	    if (open(STDIN, "-|")) {
-    		my $opt  = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-		   $opt .= " -newkey rsa:1024";
+    		my $opt  = " req -sha256 -nodes";
+		   $opt .= " -newkey rsa:2048";
 		   $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
 		   $opt .= " -out ${General::swroot}/certs/hostreq.pem";
 		$errormessage = &callssl ($opt);
@@ -1000,7 +990,7 @@ END
 	    print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 	    close ($fh);
 	    
-	    my  $opt  = " ca -days 999999";
+	    my  $opt  = " ca -md sha256 -days 999999";
 		$opt .= " -batch -notext";
 		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
 		$opt .= " -out ${General::swroot}/certs/hostcert.pem";
@@ -1034,7 +1024,7 @@ END
 
     ROOTCERT_ERROR:
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', $errormessage);
     if ($errormessage) {
         &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
@@ -1079,7 +1069,7 @@ END
         <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: 
         $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
     </td></tr>
-    <tr><td colspan='2'><hr /></td></tr>
+    <tr><td colspan='2'><hr></td></tr>
     <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
         <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr>
     <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
@@ -1121,7 +1111,7 @@ END
 
     if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
 	&Header::showhttpheaders();
-	&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', '');
 	&Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
 	my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
@@ -1205,13 +1195,13 @@ END
     } else {
 	$errormessage = $Lang::tr{'invalid key'};
     }
-
+	&General::firewall_reload();
 ###
 ### Choose between adding a host-net or net-net connection
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
 	&Header::showhttpheaders();
-	&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', '');
 	&Header::openbox('100%', 'left', $Lang::tr{'connection type'});
 	print <<END
@@ -1278,6 +1268,14 @@ END
 	$cgiparams{'DPD_TIMEOUT'}		= $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}		= $confighash{$cgiparams{'KEY'}}[31];
 
+	if (!$cgiparams{'DPD_DELAY'}) {
+		$cgiparams{'DPD_DELAY'} = 30;
+	}
+
+	if (!$cgiparams{'DPD_TIMEOUT'}) {
+		$cgiparams{'DPD_TIMEOUT'} = 120;
+	}
+
     } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 	if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1379,14 +1377,13 @@ END
 	    goto VPNCONF_ERROR;
 	}
 
-#temporary disabled (BUG 10294)
-#	if ($cgiparams{'TYPE'} eq 'net'){
-#		$errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
-#		if ($errormessage ne ''){
-#			goto VPNCONF_ERROR;
-#		}
-#		
-#	}
+	if ($cgiparams{'TYPE'} eq 'net'){
+		$warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
+		if ($warnmessage ne ''){
+			$warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+		}
+	}
+
 	if ($cgiparams{'AUTH'} eq 'psk') {
 	    if (! length($cgiparams{'PSK'}) ) {
 		$errormessage = $Lang::tr{'pre-shared key is too short'};
@@ -1416,7 +1413,7 @@ END
 
 	    # Sign the certificate request
 	    &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
-    	    my 	$opt  = " ca -days 999999";
+    	    my 	$opt  = " ca -md sha256 -days 999999";
 		$opt .= " -batch -notext";
 		$opt .= " -in $filename";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
@@ -1646,12 +1643,12 @@ END
 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
 	    (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
 
-	    # Create the Host certificate request
+	    # Create the Client certificate request
 	    &General::log("ipsec", "Creating a cert...");
 
 	    if (open(STDIN, "-|")) {
     		my $opt  = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
-		   $opt .= " -newkey rsa:1024";
+		   $opt .= " -newkey rsa:2048";
 		   $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
 		   $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 
@@ -1673,7 +1670,7 @@ END
 		exit (0);
 	    }
 	    
-	    # Sign the host certificate request
+	    # Sign the client certificate request
 	    &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
 
 	    #No easy way for specifying the contain of subjectAltName without writing a config file...
@@ -1682,13 +1679,14 @@ END
 	    basicConstraints=CA:FALSE
 	    nsComment="OpenSSL Generated Certificate"
 	    subjectKeyIdentifier=hash
+	    extendedKeyUsage=clientAuth
 	    authorityKeyIdentifier=keyid,issuer:always
 END
 ;
 	    print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 	    close ($fh);
 
-	    my $opt  = " ca -days 999999 -batch -notext";
+	    my $opt  = " ca -md sha256 -days 999999 -batch -notext";
 	       $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 	       $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 	       $opt .= " -extfile $v3extname";
@@ -1828,9 +1826,17 @@ END
 
 	# choose appropriate dpd action	
 	if ($cgiparams{'TYPE'} eq 'host') {
-	    $cgiparams{'DPD_ACTION'} = 'clear';
+		$cgiparams{'DPD_ACTION'} = 'clear';
 	} else {
-	    $cgiparams{'DPD_ACTION'} = 'restart';
+		$cgiparams{'DPD_ACTION'} = 'restart';
+	}
+
+	if (!$cgiparams{'DPD_DELAY'}) {
+		$cgiparams{'DPD_DELAY'} = 30;
+	}
+
+	if (!$cgiparams{'DPD_TIMEOUT'}) {
+		$cgiparams{'DPD_TIMEOUT'} = 120;
 	}
 
 	# Default IKE Version to v2
@@ -1843,12 +1849,12 @@ END
 	$cgiparams{'REMOTE_ID'} = '';
 
 	#use default advanced value
-	$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des';	#[18];
-	$cgiparams{'IKE_INTEGRITY'}  = 'sha2_256|sha|md5';	#[19];
+	$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';	#[18];
+	$cgiparams{'IKE_INTEGRITY'}  = 'sha2_512|sha2_256|sha';	#[19];
 	$cgiparams{'IKE_GROUPTYPE'}  = '4096|3072|2048|1536|1024';		#[20];
 	$cgiparams{'IKE_LIFETIME'}   = '3';		#[16];
-	$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des';	#[21];
-	$cgiparams{'ESP_INTEGRITY'}  = 'sha2_256|sha1|md5';	#[22];
+	$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64';	#[21];
+	$cgiparams{'ESP_INTEGRITY'}  = 'sha2_512|sha2_256|sha1';	#[22];
 	$cgiparams{'ESP_GROUPTYPE'}  = '';		#[23];
 	$cgiparams{'ESP_KEYLIFE'}    = '1';		#[17];
 	$cgiparams{'COMPRESSION'}    = 'on';		#[13];
@@ -1874,17 +1880,8 @@ END
     $checked{'AUTH'}{'auth-dn'} = '';
     $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
 
-    $selected{'DPD_ACTION'}{'clear'} = '';
-    $selected{'DPD_ACTION'}{'hold'} = '';
-    $selected{'DPD_ACTION'}{'restart'} = '';
-    $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
-
-    $selected{'IKE_VERSION'}{'ikev1'} = '';
-    $selected{'IKE_VERSION'}{'ikev2'} = '';
-    $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
-
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', $errormessage);
     if ($errormessage) {
 	&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
@@ -1903,6 +1900,7 @@ END
     print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
     print<<END
 	<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />
+	<input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' />
 	<input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' />
 	<input type='hidden' name='IKE_INTEGRITY' value='$cgiparams{'IKE_INTEGRITY'}' />
 	<input type='hidden' name='IKE_GROUPTYPE' value='$cgiparams{'IKE_GROUPTYPE'}' />
@@ -1915,23 +1913,30 @@ END
 	<input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' />
 	<input type='hidden' name='PFS' value='$cgiparams{'PFS'}' />
 	<input type='hidden' name='VHOST' value='$cgiparams{'VHOST'}' />
+	<input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' />
+	<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
+	<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
 END
     ;
     if ($cgiparams{'KEY'}) {
 	print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
+	print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />";
 	print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
     }
 
-    &Header::openbox('100%', 'left', "$Lang::tr{'connection'}:");
+    &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}");
     print "<table width='100%'>";
-    print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
-    if ($cgiparams{'KEY'}) {
-	print "<td width='25%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' /><b>$cgiparams{'NAME'}</b></td>";
-    } else {
-	print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' size='30' /></td>";
+    if (!$cgiparams{'KEY'}) {
+    	print <<EOF;
+    		<tr>
+    			<td width='20%'>$Lang::tr{'name'}:</td>
+    			<td width='30%'>
+    				<input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' />
+    			</td>
+    			<td colspan="2"></td>
+    		</tr>
+EOF
     }
-    print "<td>$Lang::tr{'enabled'}</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td></tr>";
-    print '</tr><td><br /></td><tr>';
 
     my $disabled;
     my $blob;
@@ -1942,44 +1947,41 @@ END
 
     print <<END
 	<tr>
-	    <td class='boldbase'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
-	    <td>
-	        <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' />
-	    </td>
-	    <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
-	    <td>
-	        <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' />
+		<td width='20%'>$Lang::tr{'enabled'}</td>
+		<td width='30%'>
+			<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
+		</td>
+	    <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}</td>
+	    <td width='30%'>
+	        <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" />
 	    </td>
 	</tr>
 	<tr>
-	    <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
-	    <td colspan='3'>
-	        <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' />
+	    <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
+	    <td width='30%'>
+	        <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
+	    </td>
+	    <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}</td>
+	    <td width='30%'>
+	        <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" />
 	    </td>
 	</tr>
 	<tr>
-	    <td class='boldbase'>$Lang::tr{'vpn local id'}:<br />($Lang::tr{'eg'} <tt>&#64;xy.example.com</tt>)</td>
-	    <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td>
-	    <td class='boldbase'>$Lang::tr{'vpn remote id'}:</td>
-	    <td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' /></td>
-	</tr><tr>
-	</tr><td><br /></td><tr>
-	    <td>$Lang::tr{'vpn keyexchange'}:</td>
-	    <td><select name='IKE_VERSION'>
-    		<option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
-    		<option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
-    		</select>
+	    <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
+	    <td width='30%'>
+	    	<input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" />
 	    </td>
-	    <td>$Lang::tr{'dpd action'}:</td>
-	    <td><select name='DPD_ACTION'>
-    		<option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
-    		<option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
-    		<option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
-		</select>
+	    <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td>
+	    <td width='30%'>
+	    	<input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" />
+	    </td>
+	</tr>
+	<tr><td colspan="4"><br /></td></tr>
+	<tr>
+	    <td class='boldbase' width='20%'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' /></td>
+	    <td colspan='3'>
+	    	<input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" />
 	    </td>
-	</tr><tr>
-	    <td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' /></td>
-	    <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
 	</tr>
 END
     ;
@@ -2106,7 +2108,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	    goto ADVANCED_ERROR;
 	}
 	foreach my $val (@temp) {
-	    if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+	    if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
 		$errormessage = $Lang::tr{'invalid input'};
 		goto ADVANCED_ERROR;
 	    }
@@ -2117,7 +2119,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	    goto ADVANCED_ERROR;
 	}
 	foreach my $val (@temp) {
-	    if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) {
+	    if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
 		$errormessage = $Lang::tr{'invalid input'};
 		goto ADVANCED_ERROR;
 	    }
@@ -2147,7 +2149,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	    goto ADVANCED_ERROR;
 	}
 	foreach my $val (@temp) {
-	    if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+	    if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
 		$errormessage = $Lang::tr{'invalid input'};
 		goto ADVANCED_ERROR;
 	    }
@@ -2158,7 +2160,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	    goto ADVANCED_ERROR;
 	}
 	foreach my $val (@temp) {
-	    if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) {
+	    if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
 		$errormessage = $Lang::tr{'invalid input'};
 		goto ADVANCED_ERROR;
 	    }
@@ -2189,6 +2191,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	    goto ADVANCED_ERROR;
 	}
 
+	if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) {
+	    $errormessage = $Lang::tr{'invalid input for dpd delay'};
+	    goto ADVANCED_ERROR;
+	}
+
+	if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) {
+	    $errormessage = $Lang::tr{'invalid input for dpd timeout'};
+	    goto ADVANCED_ERROR;
+	}
+
+	$confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
 	$confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
 	$confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
 	$confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
@@ -2202,6 +2215,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
 	$confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
 	$confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
+	$confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
 	$confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 	$confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
@@ -2212,6 +2226,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	}
 	goto ADVANCED_END;
     } else {
+    $cgiparams{'IKE_VERSION'}    = $confighash{$cgiparams{'KEY'}}[29];
 	$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
 	$cgiparams{'IKE_INTEGRITY'}  = $confighash{$cgiparams{'KEY'}}[19];
 	$cgiparams{'IKE_GROUPTYPE'}  = $confighash{$cgiparams{'KEY'}}[20];
@@ -2224,9 +2239,18 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	$cgiparams{'ONLY_PROPOSED'}  = $confighash{$cgiparams{'KEY'}}[24];
 	$cgiparams{'PFS'}  	     = $confighash{$cgiparams{'KEY'}}[28];
 	$cgiparams{'VHOST'}          = $confighash{$cgiparams{'KEY'}}[14];
+	$cgiparams{'DPD_ACTION'}     = $confighash{$cgiparams{'KEY'}}[27];
 	$cgiparams{'DPD_TIMEOUT'}    = $confighash{$cgiparams{'KEY'}}[30];
 	$cgiparams{'DPD_DELAY'}      = $confighash{$cgiparams{'KEY'}}[31];
 
+	if (!$cgiparams{'DPD_DELAY'}) {
+		$cgiparams{'DPD_DELAY'} = 30;
+	}
+
+	if (!$cgiparams{'DPD_TIMEOUT'}) {
+		$cgiparams{'DPD_TIMEOUT'} = 120;
+	}
+
 	if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {
 	    $cgiparams{'VHOST'}            = 'off';
 	}
@@ -2236,6 +2260,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
     $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
     $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
     $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
+    $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
     $checked{'IKE_ENCRYPTION'}{'3des'} = '';
     $checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
     $checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
@@ -2267,6 +2300,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
     $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
     $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
     $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
+    $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
     $checked{'ESP_ENCRYPTION'}{'3des'} = '';
     $checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
     $checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
@@ -2288,8 +2330,18 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
     $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
     $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
 
+    $selected{'IKE_VERSION'}{'ikev1'} = '';
+    $selected{'IKE_VERSION'}{'ikev2'} = '';
+    $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
+
+    $selected{'DPD_ACTION'}{'clear'} = '';
+    $selected{'DPD_ACTION'}{'hold'} = '';
+    $selected{'DPD_ACTION'}{'restart'} = '';
+    $selected{'DPD_ACTION'}{'none'} = '';
+    $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', $errormessage);
 
     if ($errormessage) {
@@ -2315,40 +2367,68 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
     <table width='100%'>
 	<thead>
 		<tr>
-			<th></th>
+			<th width="15%"></th>
 			<th>IKE</th>
 			<th>ESP</th>
 		</tr>
 	</thead>
 	<tbody>
 		<tr>
-			<td class='boldbase'>$Lang::tr{'encryption'}</td>
+			<td>$Lang::tr{'vpn keyexchange'}:</td>
+			<td>
+				<select name='IKE_VERSION'>
+					<option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
+					<option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
+				</select>
+			</td>
+			<td></td>
+		</tr>
+		<tr>
+			<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
 			<td class='boldbase'>
 				<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-					<option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
-					<option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
-					<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
-					<option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
-					<option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
-					<option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
-					<option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+					<option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+					<option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+					<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+					<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+					<option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+					<option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+					<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+					<option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+					<option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+					<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+					<option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+					<option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+					<option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+					<option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+					<option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+					<option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
 				</select>
 			</td>
 			<td class='boldbase'>
 				<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
-					<option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
-					<option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
-					<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
-					<option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
-					<option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
-					<option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
-					<option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+					<option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+					<option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+					<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+					<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+					<option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+					<option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+					<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+					<option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+					<option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+					<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+					<option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+					<option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+					<option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+					<option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+					<option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+					<option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
 				</select>
 			</td>
 		</tr>
 
 		<tr>
-			<td class='boldbase'>$Lang::tr{'integrity'}</td>
+			<td class='boldbase' width="15%">$Lang::tr{'integrity'}</td>
 			<td class='boldbase'>
 				<select name='IKE_INTEGRITY' multiple='multiple' size='6' style='width: 100%'>
 					<option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
@@ -2371,7 +2451,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</td>
 		</tr>
 		<tr>
-			<td class='boldbase'>$Lang::tr{'lifetime'}</td>
+			<td class='boldbase' width="15%">$Lang::tr{'lifetime'}</td>
 			<td class='boldbase'>
 				<input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' size='5' /> $Lang::tr{'hours'}
 			</td>
@@ -2380,7 +2460,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 			</td>
 		</tr>
 		<tr>
-			<td class='boldbase'>$Lang::tr{'grouptype'}</td>
+			<td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
 			<td class='boldbase'>
 				<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
 					<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
@@ -2409,52 +2489,62 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 	</tbody>
     </table>
 
-    <hr>
+	<br><br>
+
+	<h2>$Lang::tr{'dead peer detection'}</h2>
 
     <table width="100%">
+    <tr>
+		<td width="15%">$Lang::tr{'dpd action'}:</td>
+		<td>
+			<select name='DPD_ACTION'>
+				<option value='none' $selected{'DPD_ACTION'}{'none'}>- $Lang::tr{'disabled'} -</option>
+				<option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
+				<option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
+				<option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
+			</select>
+		</td>
+	</tr>
 	<tr>
-		<td colspan='2'>
-			<label>
-				<input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
-				IKE+ESP: $Lang::tr{'use only proposed settings'}</td>
-			</label>
+		<td width="15%">$Lang::tr{'dpd timeout'}:</td>
+		<td>
+			<input type='text' name='DPD_TIMEOUT' size='5' value='$cgiparams{'DPD_TIMEOUT'}' />
 		</td>
 	</tr>
 	<tr>
-		<td colspan='2'>
-			<label>
-				<input type='checkbox' name='PFS' $checked{'PFS'} />
-				$Lang::tr{'pfs yes no'}
-			</label>
+		<td width="15%">$Lang::tr{'dpd delay'}:</td>
+		<td>
+			<input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' />
 		</td>
 	</tr>
+    </table>
+
+    <hr>
+
+    <table width="100%">
 	<tr>
-		<td colspan='2'>
+		<td>
 			<label>
-				<input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
-				$Lang::tr{'vpn payload compression'}
+				<input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
+				IKE+ESP: $Lang::tr{'use only proposed settings'}
 			</label>
 		</td>
 	</tr>
 	<tr>
-		<td width='20%'>
+		<td>
 			<label>
-				$Lang::tr{'dpd timeout'}
+				<input type='checkbox' name='PFS' $checked{'PFS'} />
+				$Lang::tr{'pfs yes no'}
 			</label>
 		</td>
-		<td>
-			<input type='text' name='DPD_TIMEOUT' size='5' value='$cgiparams{'DPD_TIMEOUT'}' />
-		</td>
 	</tr>
 	<tr>
-		<td width='20%'>
+		<td>
 			<label>
-				$Lang::tr{'dpd delay'}
+				<input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
+				$Lang::tr{'vpn payload compression'}
 			</label>
 		</td>
-		<td>
-			<input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' />
-		</td>
 	</tr>
 EOF
     ;
@@ -2518,7 +2608,7 @@ EOF
     $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
 
     &Header::showhttpheaders();
-    &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+    &Header::openpage($Lang::tr{'ipsec'}, 1, '');
     &Header::openbigbox('100%', 'left', '', $errormessage);
 
     if ($errormessage) {
@@ -2528,6 +2618,16 @@ EOF
 	&Header::closebox();
     }
 
+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+		print "$warnmessage<br>";
+		print "$Lang::tr{'fwdfw warn1'}<br>";
+		&Header::closebox();
+		print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
+		&Header::closepage();
+		exit 0;
+	}
+
     &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
     print <<END
     <form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -2548,17 +2648,18 @@ print <<END
 	<td  class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
 	<td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
     </tr>
- </table>
+</table>
+<br>
 <hr />
 <table width='100%'>
 <tr>
     <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
-    <td width='70%' class='base' valign='top'>$Lang::tr{'this field may be blank'}</td>
+    <td width='70%' class='base' valign='top'>$Lang::tr{'this field may be blank'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
 </tr>
 <tr>
     <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' />&nbsp;</td>
     <td class='base'>	<font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
-    <td width='30%' align='center' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+    <td></td>
 </tr>
 </table>
 END
@@ -2568,14 +2669,14 @@ END
 
     &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'});
     print <<END
-    <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+    <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
     <tr>
-	<td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
-	<td width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>
-	<td width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>
-	<td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
-	<td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>
-	<td class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></td>
+	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
+	<th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
+	<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
+	<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
+	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
+	<th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
     </tr>
 END
     ;
@@ -2585,36 +2686,41 @@ END
 	if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
 
 	if ($id % 2) {
-	    print "<tr bgcolor='$color{'color20'}'>\n";
+		print "<tr>";
+		$col="bgcolor='$color{'color20'}'";
 	} else {
-	    print "<tr bgcolor='$color{'color22'}'>\n";
+		print "<tr>";
+		$col="bgcolor='$color{'color22'}'";
 	}
-	print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
-	print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
+	print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
+	print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
 	if ($confighash{$key}[2] eq '%auth-dn') {
-	    print "<td align='left' nowrap='nowrap'>$confighash{$key}[9]</td>";
+	    print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
 	} elsif ($confighash{$key}[4] eq 'cert') {
-	    print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
+	    print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
 	} else {
-	    print "<td align='left'>&nbsp;</td>";
+	    print "<td align='left' $col>&nbsp;</td>";
 	}
-	print "<td align='center'>$confighash{$key}[25]</td>";
+	print "<td align='center' $col>$confighash{$key}[25]</td>";
+	my $col1="bgcolor='${Header::colourred}'";
 	# get real state
-	my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
+	my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
 	foreach my $line (@status) {
 	    if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
 	       ($line =~ /$confighash{$key}[1]\{.*INSTALLED/))
 	    {
-		$active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
+		$col1="bgcolor='${Header::colourgreen}'";
+		$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
 	    }
 	}
 	# move to blueif really down
-	if ($confighash{$key}[0] eq 'off' && $active =~ /${Header::colourred}/ ) {
-	    $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
+	if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) {
+		$col1="bgcolor='${Header::colourblue}'";
+	    $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
 	}
 	print <<END
-	<td align='center'>$active</td>
-	<td align='center'>
+	<td align='center' $col1>$active</td>
+	<td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='image'  name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' />
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
@@ -2625,7 +2731,7 @@ END
 	;
 	if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
 	    print <<END
-	    <td align='center'>
+	    <td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' />
 		<input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
@@ -2634,11 +2740,11 @@ END
 	    </td>
 END
 	; } else {
-	    print "<td width='2%'>&nbsp;</td>";
+	    print "<td width='2%' $col>&nbsp;</td>";
 	}
 	if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { 
 	    print <<END
-	    <td align='center'>
+	    <td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' />
 		<input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
@@ -2648,7 +2754,7 @@ END
 END
 	; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
 	    print <<END
-	    <td align='center'>
+	    <td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' />
 		<input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
@@ -2657,10 +2763,10 @@ END
 	</td>
 END
 	; } else {
-	    print "<td width='2%'>&nbsp;</td>";
+	    print "<td width='2%' $col>&nbsp;</td>";
 	}
 	print <<END
-	<td align='center'>
+	<td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
@@ -2668,14 +2774,14 @@ END
 	    </form>
 	</td>
 
-	<td align='center'>
+	<td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
 	    <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
 	    <input type='hidden' name='KEY' value='$key' />
 	    </form>
 	</td>
-	<td align='center' >
+	<td align='center' $col>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
 	    <input type='image'  name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
@@ -2720,7 +2826,7 @@ END
 
     print <<END
     <table width='100%'>
-    <tr><td align='center' colspan='9'>
+    <tr><td align='right' colspan='9'>
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	<input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
 	</form>
@@ -2730,45 +2836,46 @@ END
     ;
     &Header::closebox();
 
-    &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}:");
+    &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}");
     print <<EOF
-    <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+    <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
     <tr>
-	<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
-	<td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>
-	<td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
+	<th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
+	<th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
+	<th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
     </tr>
 EOF
     ;
+    my $col1="bgcolor='$color{'color22'}'";
+	my $col2="bgcolor='$color{'color20'}'";
     if (-f "${General::swroot}/ca/cacert.pem") {
 	my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem"));
-
 	print <<END
-	<tr bgcolor='$color{'color22'}'>
-	<td class='base'>$Lang::tr{'root certificate'}</td>
-	<td class='base'>$casubject</td>
-	<td width='3%' align='center'>
+	<tr>
+	<td class='base' $col1>$Lang::tr{'root certificate'}</td>
+	<td class='base' $col1>$casubject</td>
+	<td width='3%' align='center' $col1>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
 	    <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
 	    </form>
 	</td>
-	<td width='3%' align='center'>
+	<td width='3%' align='center' $col1>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' />
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
 	    </form>
 	</td>
-	<td width='4%'>&nbsp;</td></tr>
+	<td width='4%' $col1>&nbsp;</td></tr>
 END
 	;
     } else {
 	# display rootcert generation buttons
 	print <<END
-	<tr bgcolor='$color{'color22'}'>
-	<td class='base'>$Lang::tr{'root certificate'}:</td>
-	<td class='base'>$Lang::tr{'not present'}</td>
-	<td colspan='3'>&nbsp;</td></tr>
+	<tr>
+	<td class='base' $col1>$Lang::tr{'root certificate'}:</td>
+	<td class='base' $col1>$Lang::tr{'not present'}</td>
+	<td colspan='3' $col1>&nbsp;</td></tr>
 END
 	;
     }
@@ -2777,61 +2884,63 @@ END
 	my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
 
 	print <<END
-	<tr bgcolor='$color{'color20'}'>
-	<td class='base'>$Lang::tr{'host certificate'}</td>
-	<td class='base'>$hostsubject</td>
-	<td width='3%' align='center'>
+	<tr>
+	<td class='base' $col2>$Lang::tr{'host certificate'}</td>
+	<td class='base' $col2>$hostsubject</td>
+	<td width='3%' align='center' $col2>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	    <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
 	    <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
 	    </form>
 	</td>
-	<td width='3%' align='center'>
+	<td width='3%' align='center' $col2>
 	    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
-	    <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' />
-	    <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />
+	    <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" />
+	    <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
 	    </form>
 	</td>
-	<td width='4%'>&nbsp;</td></tr>
+	<td width='4%' $col2>&nbsp;</td></tr>
 END
 	;
     } else {
 	# Nothing
 	print <<END
-	<tr bgcolor='$color{'color20'}'>
-	<td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>
-	<td class='base'>$Lang::tr{'not present'}</td>
-	<td colspan='3'>&nbsp;</td></tr>
+	<tr>
+	<td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
+	<td class='base' $col2>$Lang::tr{'not present'}</td>
+	<td colspan='3' $col2>&nbsp;</td></tr>
 END
 	;
     }
  
-    my $rowcolor = 0;
-    if (keys %cahash > 0) {
-   foreach my $key (keys %cahash) {
-       if ($rowcolor++ % 2) {
-      print "<tr bgcolor='$color{'color20'}'>\n";
-       } else {
-      print "<tr bgcolor='$color{'color22'}'>\n";
-       }
-	    print "<td class='base'>$cahash{$key}[0]</td>\n";
-	    print "<td class='base'>$cahash{$key}[1]</td>\n";
+	my $rowcolor = 0;
+	if (keys %cahash > 0) {
+		foreach my $key (keys %cahash) {
+			if ($rowcolor++ % 2) {
+				print "<tr>";
+				$col="bgcolor='$color{'color20'}'";
+			} else {
+				print "<tr>";
+				$col="bgcolor='$color{'color22'}'";
+			}
+	    print "<td class='base' $col>$cahash{$key}[0]</td>\n";
+	    print "<td class='base' $col>$cahash{$key}[1]</td>\n";
 	    print <<END
-	    <td align='center'>
+	    <td align='center' $col>
 		<form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
 		<input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
 		<input type='hidden' name='KEY' value='$key' />
 		</form>
 	    </td>
-	    <td align='center'>
+	    <td align='center' $col>
 		<form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' />
 		<input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
 		<input type='hidden' name='KEY' value='$key' />
 		</form>
 	    </td>
-	    <td align='center'>
+	    <td align='center' $col>
 		<form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
 		<input type='image'  name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' />
@@ -2860,6 +2969,7 @@ END
     }
     my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>";
     print <<END
+    <br>
     <hr />
     <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
     <table width='100%' border='0' cellspacing='1' cellpadding='0'>
@@ -2872,7 +2982,7 @@ END
     </tr>
     <tr>
 	<td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td>
-	<td><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td>
+	<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td>
     </tr>
     </table>
     </form>
@@ -2881,3 +2991,54 @@ END
     &Header::closebox();
     &Header::closebigbox();
     &Header::closepage();
+
+sub array_unique($) {
+	my $array = shift;
+	my @unique = ();
+
+	my %seen = ();
+	foreach my $e (@$array) {
+		next if $seen{$e}++;
+		push(@unique, $e);
+	}
+
+	return @unique;
+}
+
+sub make_algos($$$$$) {
+	my ($mode, $encs, $ints, $grps, $pfs) = @_;
+	my @algos = ();
+
+	foreach my $enc (@$encs) {
+		foreach my $int (@$ints) {
+			foreach my $grp (@$grps) {
+				my @algo = ($enc);
+
+				my $is_aead = ($enc =~ m/[cg]cm/);
+				if (!$is_aead) {
+					push(@algo, $int);
+				}
+
+				if ($mode eq "ike") {
+					if ($grp =~ m/^e(\d+)/) {
+						push(@algo, "ecp$1");
+					} else {
+						push(@algo, "modp$grp");
+					}
+				}
+
+				if ($mode eq "esp" && $pfs) {
+					if ($grp =~ m/^e\d+/) {
+						push(@algo, $grp);
+					} else {
+						push(@algo, "modp$grp");
+					}
+				}
+
+				push(@algos, join("-", @algo));
+			}
+		}
+	}
+
+	return &array_unique(\@algos);
+}