X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=ecf860d85b5ab90ab4036547677f5d4c1b19b59a;hp=be6eb6d157930a957aef077406c05d11776f8a45;hb=ab79dc43bf66f66b0c34a10158d46e4727d4df6a;hpb=2723ef8721862b9d9565346bae8115773123e53e diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index be6eb6d157..ecf860d85b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -58,16 +58,6 @@ my %mainsettings = (); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); -my $blue_cidr = "# Blue not defined"; -if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { - $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); -} -my $orange_cidr = "# Orange not defined"; -if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { - $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); -} - my %INACTIVITY_TIMEOUTS = ( 300 => $Lang::tr{'five minutes'}, 600 => $Lang::tr{'ten minutes'}, @@ -79,6 +69,10 @@ my %INACTIVITY_TIMEOUTS = ( 0 => "- $Lang::tr{'unlimited'} -", ); +# Load aliases +my %aliases; +&General::get_aliases(\%aliases); + my $col=""; $cgiparams{'ENABLED'} = 'off'; @@ -91,6 +85,7 @@ $cgiparams{'ADVANCED'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; +$cgiparams{'LOCAL'} = ''; $cgiparams{'REMOTE'} = ''; $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; @@ -119,8 +114,12 @@ $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; $cgiparams{'FORCE_MOBIKE'} = 'off'; -$cgiparams{'START_ACTION'} = 'start'; -$cgiparams{'INACTIVITY_TIMEOUT'} = 900; +$cgiparams{'START_ACTION'} = 'route'; +$cgiparams{'INACTIVITY_TIMEOUT'} = 1800; +$cgiparams{'MODE'} = "tunnel"; +$cgiparams{'INTERFACE_MODE'} = ""; +$cgiparams{'INTERFACE_ADDRESS'} = ""; +$cgiparams{'INTERFACE_MTU'} = 1500; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); ### @@ -159,7 +158,12 @@ sub cleanssldatabase { print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); unlink ("${General::swroot}/certs/01.pem"); } @@ -172,7 +176,11 @@ sub newcleanssldatabase { if (! -s ">${General::swroot}/certs/index.txt") { system ("touch ${General::swroot}/certs/index.txt"); } + if (! -s ">${General::swroot}/certs/index.txt.attr") { + system ("touch ${General::swroot}/certs/index.txt.attr"); + } unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); # unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } @@ -199,10 +207,10 @@ sub callssl ($) { sub getCNfromcert ($) { #&General::log("ipsec", "Extracting name from $_[0]..."); my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN = (.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + $temp =~ s/ ST = / S = /; $temp =~ s/,//g; $temp =~ s/\'//g; return $temp; @@ -216,7 +224,7 @@ sub getsubjectfromcert ($) { $temp =~ /Subject: (.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + $temp =~ s/ ST = / S = /; return $temp; } ### @@ -281,26 +289,43 @@ sub writeipsecfiles { #remote peer is not set? => use '%any' $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); + # Field 6 might be "off" on old installations + if ($lconfighash{$key}[6] eq "off") { + $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"}; + } + my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; + if ($lconfighash{$key}[6]) { + $localside = $lconfighash{$key}[6]; + } else { + $localside = "%defaultroute"; } + my $interface_mode = $lconfighash{$key}[36]; + print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n"; + + if ($interface_mode eq "gre") { + print CONF "\tleftprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\tleftsubnet=0.0.0.0/0\n"; + } else { + print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n"; + } + print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { - print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n"; + if ($interface_mode eq "gre") { + print CONF "\trightprotoport=gre\n"; + } elsif ($interface_mode eq "vti") { + print CONF "\trightsubnet=0.0.0.0/0\n"; + } else { + print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n"; + } } # Local Cert and Remote Cert (unless auth is DN dn-auth) @@ -313,6 +338,18 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Set mode + if ($lconfighash{$key}[35] eq "transport") { + print CONF "\ttype=transport\n"; + } else { + print CONF "\ttype=tunnel\n"; + } + + # Add mark for VTI + if ($interface_mode eq "vti") { + print CONF "\tmark=$key\n"; + } + # Is PFS enabled? my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; @@ -468,25 +505,12 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; - goto SAVE_ERROR; - } - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; } $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); @@ -1288,7 +1312,7 @@ END $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6]; $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); $cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets); @@ -1316,7 +1340,12 @@ END $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33]; $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1330,6 +1359,14 @@ END $cgiparams{'INACTIVITY_TIMEOUT'} = 900; } + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } + + if ($cgiparams{'INTERFACE_MTU'} eq "") { + $cgiparams{'INTERFACE_MTU'} = 1500; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { @@ -1367,6 +1404,13 @@ END goto VPNCONF_ERROR; } + if ($cgiparams{'LOCAL'}) { + if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) { + $errormessage = $Lang::tr{'invalid input for local ip address'}; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'REMOTE'}) { if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { if (! &General::validfqdn ($cgiparams{'REMOTE'})) { @@ -1408,6 +1452,31 @@ END goto VPNCONF_ERROR; } } + + if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) { + $errormessage = $Lang::tr{'invalid input for mode'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) { + $errormessage = $Lang::tr{'invalid input for interface mode'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) { + $errormessage = $Lang::tr{'transport mode does not support vti'}; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) { + $errormessage = $Lang::tr{'invalid input for interface address'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for interface mtu'}; + goto VPNCONF_ERROR; + } } if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { @@ -1812,7 +1881,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1830,6 +1899,7 @@ END my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); $confighash{$key}[11] = join('|', @remote_subnets); } + $confighash{$key}[6] = $cgiparams{'LOCAL'}; $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); $confighash{$key}[8] = join('|', @local_subnets); @@ -1856,10 +1926,14 @@ END $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; + $confighash{$key}[33] = $cgiparams{'START_ACTION'}; $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'}; + $confighash{$key}[35] = $cgiparams{'MODE'}; + $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; + $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; + $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'}; # free unused fields! - $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); @@ -1882,7 +1956,12 @@ END } else { $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + + if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) { + $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'}; + } else { + $cgiparams{"LOCAL_SUBNET"} = ""; + } $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; @@ -1919,11 +1998,11 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; @@ -1931,6 +2010,10 @@ END $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'INACTIVITY_TIMEOUT'} = 900; + $cgiparams{'MODE'} = "tunnel"; + $cgiparams{'INTERFACE_MODE'} = ""; + $cgiparams{'INTERFACE_ADDRESS'} = ""; + $cgiparams{'INTERFACE_MTU'} = 1500; } VPNCONF_ERROR: @@ -1950,6 +2033,23 @@ VPNCONF_ERROR: $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + + $selected{'INTERFACE_MODE'}{''} = ''; + $selected{'INTERFACE_MODE'}{'gre'} = ''; + $selected{'INTERFACE_MODE'}{'vti'} = ''; + $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'"; + + $selected{'LOCAL'}{''} = ''; + foreach my $alias (sort keys %aliases) { + my $address = $aliases{$alias}{'IPT'}; + + $selected{'LOCAL'}{$address} = ''; + } + $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -1986,6 +2086,8 @@ VPNCONF_ERROR: + + END ; if ($cgiparams{'KEY'}) { @@ -2022,25 +2124,44 @@ EOF my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets); - print < $Lang::tr{'enabled'} - $Lang::tr{'local subnet'} * - - - + + $Lang::tr{'local ip address'}: + + + + + $Lang::tr{'local subnet'} * + + + $Lang::tr{'remote subnet'} $blob - + @@ -2068,6 +2189,51 @@ END print ""; &Header::closebox(); + if ($cgiparams{'TYPE'} eq 'net') { + &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'}); + print < + + + $Lang::tr{'mode'}: + + + + + + + + $Lang::tr{'interface mode'}: + + + + + $Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}: + + + + + + + $Lang::tr{'mtu'}: + + + + + + + +EOF + &Header::closebox(); + } + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print <$Lang::tr{'encryption'} @@ -2664,6 +2843,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @@ -2734,22 +2914,6 @@ EOF my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = ; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); @@ -2777,35 +2941,21 @@ EOF print < - - - - - -END -; -print < - - - - - - - -
$Lang::tr{'vpn red name'}: *$Lang::tr{'enabled'}
$Lang::tr{'vpn delayed start'}: **
$Lang::tr{'host to net vpn'}:
-
-
- - - - - - - - - - + + + + + + + + + + +
*$Lang::tr{'required field'}
**  $Lang::tr{'vpn delayed start help'}
+ $Lang::tr{'enabled'} + + +
$Lang::tr{'host to net vpn'}:
END ; @@ -2848,8 +2998,11 @@ END } print "$confighash{$key}[25]"; my $col1="bgcolor='${Header::colourred}'"; - # get real state my $active = "$Lang::tr{'capsclosed'}"; + if ($confighash{$key}[33] eq "add") { + $col1="bgcolor='${Header::colourorange}'"; + $active = "$Lang::tr{'vpn wait'}"; + } foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { @@ -3204,13 +3357,19 @@ sub make_algos($$$$$) { return &array_unique(\@algos); } -sub make_subnets($) { +sub make_subnets($$) { + my $direction = shift; my $subnets = shift; my @nets = split(/\|/, $subnets); my @cidr_nets = (); foreach my $net (@nets) { my $cidr_net = &General::ipcidr($net); + + # Skip 0.0.0.0/0 for remote because this renders the + # while system inaccessible + next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0")); + push(@cidr_nets, $cidr_net); }