}
}
}
+sub get_ipsec_id {
+ my $val = shift;
+
+ foreach my $key (keys %ipsecconf) {
+ if ($ipsecconf{$key}[1] eq $val) {
+ return $key;
+ }
+ }
+}
sub get_ovpn_n2n_ip
{
my $val=shift;
my @parts = split(/\|/, $value);
push(@ret, [$parts[1], ""]);
}else{
- my $network_address = &get_ipsec_net_ip($value, 11);
- my @nets = split(/\|/, $network_address);
- foreach my $net (@nets) {
- push(@ret, [$net, ""]);
+ my $interface_mode = &get_ipsec_net_ip($value, 36);
+ if ($interface_mode ~~ ["gre", "vti"]) {
+ my $id = &get_ipsec_id($value);
+ push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]);
+ } else {
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
}
}
VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
block_subnet() {
local subnet="${1}"
local action="${2}"
return 0
}
-block_ipsec() {
- # Flush all exists rules
+install_policy() {
+ # Flush existing rules
+ iptables -F IPSECINPUT
+ iptables -F IPSECOUTPUT
iptables -F IPSECBLOCK
- local action
+ # We are done when IPsec is not enabled
+ [ "${ENABLED}" = "on" ] || exit 0
- local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets"
- vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12"
- vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24"
- vars="${vars} route rest"
+ # IKE
+ iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT
+
+ # IKE NAT
+ iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT
+ iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT
# Register local variables
- local ${vars}
+ local "${VARS[@]}"
+ local action
- while IFS="," read -r ${vars}; do
+ while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
# Check if this a net-to-net connection
[ "${type}" = "net" ] || continue
+ # Default local to 0.0.0.0/0
+ if [ "${local}" = "" -o "${local}" = "off" ]; then
+ local="0.0.0.0/0"
+ fi
+
+ # Install permissions for GRE traffic
+ case "${interface_mode}" in
+ gre)
+ if [ -n "${remote}" ]; then
+ iptables -A IPSECINPUT -p gre \
+ -s "${remote}" -d "${local}" -j ACCEPT
+
+ iptables -A IPSECOUTPUT -p gre \
+ -s "${local}" -d "${remote}" -j ACCEPT
+ fi
+ ;;
+ esac
+
+ # Install firewall rules only for interfaces without interface
+ [ -n "${interface_mode}" ] && continue
+
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"
done < "${VPN_CONFIG}"
}
-block_ipsec || exit $?
+install_policy || exit $?
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/local/bin/consort.sh
usr/local/bin/convert-ovpn
usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
usr/local/bin/makegraphs
usr/local/bin/qosd
usr/local/bin/readhash
# Install routes into a separate routing table for established IPsec
# tunnels.
- # install_routes = yes
+ install_routes = no
# Install virtual IP addresses.
# install_virtual_ip = yes
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: use ibod
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: bytes = unknown string
WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules
WARNING: untranslated string: dead peer detection = Dead Peer Detection
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: qos add subclass = Add subclass
WARNING: untranslated string: routing config changed = unknown string
WARNING: untranslated string: routing table = unknown string
WARNING: untranslated string: show tls-auth key = Show tls-auth key
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: december = December
WARNING: untranslated string: def lease time = Default Lease Time
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: default lease time = Default lease time (mins):
WARNING: untranslated string: default renewal time = Default Renewal Time
WARNING: untranslated string: delete = Delete
WARNING: untranslated string: instant update = Instant Update
WARNING: untranslated string: integrity = Integrity:
WARNING: untranslated string: interface = Interface
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: interfaces = Interfaces
WARNING: untranslated string: internet = INTERNET
WARNING: untranslated string: intrusion detection = Intrusion Detection
WARNING: untranslated string: invalid input for hostname = Invalid input for hostname.
WARNING: untranslated string: invalid input for ike lifetime = Invalid input for IKE lifetime
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
WARNING: untranslated string: invalid input for keepalive 1 = Invalid input for Keepalive ping
WARNING: untranslated string: invalid input for keepalive 1:2 = Invalid input for Keepalive use at least a ratio of 1:2
WARNING: untranslated string: invalid input for keepalive 2 = Invalid input for Keepalive ping-restart
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
WARNING: untranslated string: invalid input for max clients = Invalid input for Max Clients
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for name = Invalid input for user's full name or system hostname
WARNING: untranslated string: invalid input for oink code = Invalid input for Oink code
WARNING: untranslated string: invalid input for organization = Invalid input for organization
WARNING: untranslated string: ipfires hostname = IPFire's Hostname
WARNING: untranslated string: ipinfo = IP info
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: iptmangles = IPTable Mangles
WARNING: untranslated string: iptnats = IPTable Network Address Translation
WARNING: untranslated string: ipts = iptables
WARNING: untranslated string: lifetime = Lifetime:
WARNING: untranslated string: linkq = Link Quality
WARNING: untranslated string: load printer = Load Printer
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: local master = Local Master
WARNING: untranslated string: local ntp server specified but not enabled = Local NTP server specified but not enabled
WARNING: untranslated string: local subnet = Local subnet:
WARNING: untranslated string: minute = Minute
WARNING: untranslated string: minutes = Minutes
WARNING: untranslated string: misc-options = Miscellaneous options
+WARNING: untranslated string: mode = Mode
WARNING: untranslated string: model = Model
WARNING: untranslated string: modem = Modem
WARNING: untranslated string: modem configuration = Modem configuration
WARNING: untranslated string: mpfire search = MPFire Search
WARNING: untranslated string: mpfire songs = MPFire songlist
WARNING: untranslated string: mpfire webradio = MPFire Webradio
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: my new share = My new share
WARNING: untranslated string: name = Name
WARNING: untranslated string: name is invalid = Name is invalid
WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server
WARNING: untranslated string: stopped = STOPPED
WARNING: untranslated string: subject = Subject
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: subscripted user rules = Sourcefire VRT rules with subscription
WARNING: untranslated string: summaries kept = Keep summaries for
WARNING: untranslated string: sunday = Sunday
WARNING: untranslated string: total hits for log section = Total hits for log section
WARNING: untranslated string: traffic on = Traffic on
WARNING: untranslated string: traffics = Utilization-overview
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: tuesday = Tuesday
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: vpn auth-dn = Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field
WARNING: untranslated string: vpn broken = Broken
WARNING: untranslated string: vpn connecting = CONNECTING
-WARNING: untranslated string: vpn delayed start = Delay before launching VPN (seconds)
-WARNING: untranslated string: vpn delayed start help = If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.
WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
WARNING: untranslated string: vpn inactivity timeout = Inactivity Timeout
WARNING: untranslated string: vpn keyexchange = Keyexchange
WARNING: untranslated string: vpn no full pki = missing private key to generate cert
WARNING: untranslated string: vpn on-demand = ON-DEMAND
WARNING: untranslated string: vpn payload compression = Negotiate payload compression
-WARNING: untranslated string: vpn red name = Public IP or FQDN for RED interface or <%defaultroute>
WARNING: untranslated string: vpn remote id = Remote ID
WARNING: untranslated string: vpn start action = Start Action
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn subjectaltname = Subject Alt Name
WARNING: untranslated string: vpn wait = WAITING
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: system information = System Information
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: Captive clients = unknown string
WARNING: untranslated string: Scan for Songs = unknown string
WARNING: untranslated string: bytes = unknown string
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dnsforward forward_servers = Nameservers
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: pakfire ago = ago.
WARNING: untranslated string: route config changed = unknown string
WARNING: untranslated string: routing config added = unknown string
WARNING: untranslated string: routing config changed = unknown string
WARNING: untranslated string: routing table = unknown string
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: check all = Check all
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136):
WARNING: untranslated string: dhcp dns key name = Key Name:
WARNING: untranslated string: dhcp dns update = DNS Update
WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: masquerade green = Masquerade GREEN
WARNING: untranslated string: masquerading disabled = Masquerading disabled
WARNING: untranslated string: masquerading enabled = Masquerading enabled
WARNING: untranslated string: messages = Messages
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: one hour = One Hour
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: tcp more reliable = TCP (more reliable)
WARNING: untranslated string: ten minutes = 10 Minutes
WARNING: untranslated string: thirty minutes = 30 Minutes
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: dh key move failed = Diffie-Hellman parameters move failed.
WARNING: untranslated string: dh key warn = Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.
WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: masquerade green = Masquerade GREEN
WARNING: untranslated string: modem sim information = SIM Information
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: ta key = TLS-Authentification-Key
WARNING: untranslated string: tcp more reliable = TCP (more reliable)
WARNING: untranslated string: ten minutes = 10 Minutes
WARNING: untranslated string: thirty minutes = 30 Minutes
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: system information = System Information
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: crypto warning = Cryptographic warning
WARNING: untranslated string: dead peer detection = Dead Peer Detection
WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
WARNING: untranslated string: details = Details
WARNING: untranslated string: dh = Diffie-Hellman parameters
WARNING: untranslated string: incoming traffic in bytes per second = Incoming Traffic
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: last = Last
WARNING: untranslated string: least preferred = least preferred
WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
WARNING: untranslated string: masquerade blue = Masquerade BLUE
WARNING: untranslated string: modem status = Modem Status
WARNING: untranslated string: monitor interface = Monitor Interface
WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: nameserver = Nameserver
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: none = none
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
WARNING: untranslated string: support donation = Support the IPFire project with your donation
WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
WARNING: untranslated string: ta key = TLS-Authentification-Key
WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: twelve hours = 12 Hours
WARNING: untranslated string: two weeks = Two Weeks
WARNING: untranslated string: udp less overhead = UDP (less overhead)
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn start action route = On Demand
WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
WARNING: untranslated string: vpn weak = Weak
WARNING: translation string unused: min size
WARNING: translation string unused: missing dat
WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
WARNING: translation string unused: modem on com1
WARNING: translation string unused: modem on com2
WARNING: translation string unused: modem on com3
WARNING: translation string unused: view log
WARNING: translation string unused: vpn aggrmode
WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
WARNING: translation string unused: vpn incompatible use of defaultroute
WARNING: translation string unused: vpn mtu invalid
WARNING: translation string unused: vpn on blue
WARNING: translation string unused: vpn on green
WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
WARNING: translation string unused: vpn watch
WARNING: translation string unused: warn when traffic reaches
WARNING: translation string unused: web proxy configuration
WARNING: untranslated string: bytes = unknown string
WARNING: untranslated string: crypto error = Cryptographic error
WARNING: untranslated string: crypto warning = Cryptographic warning
+WARNING: untranslated string: default IP address = Default IP Address
WARNING: untranslated string: dnsforward forward_servers = Nameservers
WARNING: untranslated string: fwdfw all subnets = All subnets
WARNING: untranslated string: fwhost cust geoipgrp = unknown string
WARNING: untranslated string: guardian watch snort alertfile = unknown string
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>
WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>
WARNING: untranslated string: ssh login time = Logged in since
WARNING: untranslated string: ssh no active logins = No active logins
WARNING: untranslated string: ssh username = Username
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
WARNING: untranslated string: vpn start action add = Wait for connection initiation
WARNING: untranslated string: vpn statistics n2n = unknown string
WARNING: untranslated string: vpn wait = WAITING
< choose media
< community rules
< could not connect to www ipfire org
+< cryptographic settings
< dead peer detection
+< default IP address
< dhcp server disabled on blue interface
< dhcp server enabled on blue interface
< dh name is invalid
< g.lite
< guardian
< insert removable device
+< interface mode
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
+< mtu
< none
< notes
< qos add subclass
< show areas
< show lines
< show tls-auth key
+< subnet mask
< teovpn_fragment
< tor bridge enabled
< tor errmsg invalid node id
+< transport mode does not support vti
< updxlrtr used by
< upload fcdsl.o
< vpn configuration main
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming firewall access
< incoming overhead in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< modem status
< monitor interface
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
############################################################################
# Checking cgi-bin translations for language: fr #
############################################################################
+< cryptographic settings
+< default IP address
< dnsforward forward_servers
+< interface mode
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid ip or hostname
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
+< mtu
+< subnet mask
+< transport mode does not support vti
############################################################################
# Checking cgi-bin translations for language: it #
############################################################################
< Captive wrong ext
< check all
< crypto error
+< cryptographic settings
< crypto warning
+< default IP address
< dhcp dns enable update
< dhcp dns key name
< dhcp dns update
< guardian
< incoming compression in bytes per second
< incoming overhead in bytes per second
+< interface mode
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
< log server protocol
< masquerade blue
< masquerade green
< masquerading disabled
< masquerading enabled
< messages
+< mtu
< MTU settings
< none
< Number of Countries for the pie chart
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
< tcp more reliable
< ten minutes
< thirty minutes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< Captive wrong ext
< check all
< crypto error
+< cryptographic settings
< crypto warning
< default
+< default IP address
< dh
< dhcp dns enable update
< dhcp dns key name
< imsi
< incoming compression in bytes per second
< incoming overhead in bytes per second
+< interface mode
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
< log server protocol
< masquerade blue
< masquerade green
< modem sim information
< modem status
< monitor interface
+< mtu
< MTU settings
< nameserver
< never
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
< ta key
< tcp more reliable
< ten minutes
< teovpn_fragment
< thirty minutes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming firewall access
< incoming overhead in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< modem status
< monitor interface
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
< countrycode
< country codes and flags
< crypto error
+< cryptographic settings
< crypto warning
< day-graph
< dead peer detection
< default
< default ip
+< default IP address
< deprecated fs warn
< details
< dh
< incoming overhead in bytes per second
< incoming traffic in bytes per second
< integrity
+< interface mode
< invalid input for dpd delay
< invalid input for dpd timeout
< invalid input for inactivity timeout
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid input for valid till days
< invalid ip or hostname
< invalid logserver protocol
< ipsec
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
< ipsec network
< ipsec no connections
+< ipsec settings
< last
< least preferred
< lifetime
+< local ip address
< log server protocol
< mac filter
< masquerade blue
< monitor interface
< month-graph
< most preferred
+< mtu
< MTU settings
< nameserver
< never
< ssh no active logins
< ssh username
< static routes
+< subnet mask
< support donation
< system has hwrng
< system has rdrand
< tor traffic limit soft
< tor traffic read written
< tor use exit nodes
+< transport mode does not support vti
< twelve hours
< two weeks
< udp less overhead
# Checking cgi-bin translations for language: tr #
############################################################################
< crypto error
+< cryptographic settings
< crypto warning
+< default IP address
< dnsforward forward_servers
< fwdfw all subnets
+< interface mode
+< invalid input for interface address
+< invalid input for interface mode
+< invalid input for interface mtu
+< invalid input for local ip address
+< invalid input for mode
< invalid ip or hostname
+< ipsec connection
+< ipsec interface mode gre
+< ipsec interface mode none
+< ipsec interface mode vti
+< ipsec mode transport
+< ipsec mode tunnel
+< ipsec settings
+< local ip address
+< mtu
< ovpn error dh
< ovpn error md5
< ovpn warning rfc3280
< ssh login time
< ssh no active logins
< ssh username
+< subnet mask
+< transport mode does not support vti
< vpn start action add
< vpn wait
< wlanap neighbor scan
}
#check if IPSEC is running
if ( $vpnsettings{'ENABLED'} eq 'on' || $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
- my $ipsecip = $vpnsettings{'VPN_IP'};
print<<END;
<tr>
<td style='width:25%; text-align:center; background-color:$Header::colourvpn;'>
<a href='/cgi-bin/vpnmain.cgi' style='color:white'><b>$Lang::tr{'ipsec'}</b></a>
</td>
- <td style='width:30%; text-align:center;'>$ipsecip</td>
+ <td style='width:30%; text-align:center;'></td>
<td style='width:45%; text-align:center; color:$Header::colourgreen;'>Online</td>
</tr>
END
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+my %vpnsettings = ();
+&General::readhasharray("${General::swroot}/vpn/config", \%vpnsettings);
+
my @vpns=();
+# Make list of all IPsec graphs
+my %ipsecgraphs = ();
+foreach my $key (sort {$vpnsettings{$a}[1] <=> $vpnsettings{$b}[1]} keys %vpnsettings) {
+ my $interface_mode = $vpnsettings{$key}[36];
+ next unless ($interface_mode);
+
+ $ipsecgraphs{$vpnsettings{$key}[1]} = "${interface_mode}${key}";
+}
+
my @querry = split(/\?/,$ENV{'QUERY_STRING'});
$querry[0] = '' unless defined $querry[0];
$querry[1] = 'week' unless defined $querry[1];
if ( $querry[0] ne ""){
print "Content-type: image/png\n\n";
binmode(STDOUT);
- &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ if (grep { $_ eq $querry[0] } values %ipsecgraphs) {
+ &Graphs::updateifgraph($querry[0],$querry[1]);
+ } else {
+ &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ }
}else{
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn statistic n2n'}, 1, '');
push(@vpns,$2);
}
}
- if (@vpns){
+ if (@vpns || %ipsecgraphs) {
+ foreach my $name (sort keys %ipsecgraphs) {
+ &Header::openbox('100%', 'center', "$Lang::tr{'ipsec connection'}: $name");
+ &Graphs::makegraphbox("netovpnsrv.cgi", $ipsecgraphs{$name}, "day");
+ &Header::closebox();
+ }
+
foreach (@vpns) {
&Header::openbox('100%', 'center', "$_ $Lang::tr{'graph'}");
&Graphs::makegraphbox("netovpnsrv.cgi",$_, "day");
0 => "- $Lang::tr{'unlimited'} -",
);
+# Load aliases
+my %aliases;
+&General::get_aliases(\%aliases);
+
my $col="";
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
+$cgiparams{'LOCAL'} = '';
$cgiparams{'REMOTE'} = '';
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
$cgiparams{'DPD_DELAY'} = '30';
$cgiparams{'DPD_TIMEOUT'} = '120';
$cgiparams{'FORCE_MOBIKE'} = 'off';
-$cgiparams{'START_ACTION'} = 'start';
-$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
###
#remote peer is not set? => use '%any'
$lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+ # Field 6 might be "off" on old installations
+ if ($lconfighash{$key}[6] eq "off") {
+ $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
+ }
+
my $localside;
- if ($lconfighash{$key}[26] eq 'BLUE') {
- $localside = $netsettings{'BLUE_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'GREEN') {
- $localside = $netsettings{'GREEN_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
- $localside = $netsettings{'ORANGE_ADDRESS'};
- } else { # it is RED
- $localside = $lvpnsettings{'VPN_IP'};
+ if ($lconfighash{$key}[6]) {
+ $localside = $lconfighash{$key}[6];
+ } else {
+ $localside = "%defaultroute";
}
+ my $interface_mode = $lconfighash{$key}[36];
+
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+ if ($interface_mode eq "gre") {
+ print CONF "\tleftprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\tleftsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+ }
+
print CONF "\tleftfirewall=yes\n";
print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+ if ($interface_mode eq "gre") {
+ print CONF "\trightprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\trightsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+ }
}
# Local Cert and Remote Cert (unless auth is DN dn-auth)
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Set mode
+ if ($lconfighash{$key}[35] eq "transport") {
+ print CONF "\ttype=transport\n";
+ } else {
+ print CONF "\ttype=tunnel\n";
+ }
+
+ # Add mark for VTI
+ if ($interface_mode eq "vti") {
+ print CONF "\tmark=$key\n";
+ }
+
# Is PFS enabled?
my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
- $errormessage = $Lang::tr{'invalid time period'};
- goto SAVE_ERROR;
- }
-
if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
$cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
$cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
$cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6];
$cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
$cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
$cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
}
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
goto VPNCONF_ERROR;
}
+ if ($cgiparams{'LOCAL'}) {
+ if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
+ $errormessage = $Lang::tr{'invalid input for local ip address'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
if ($cgiparams{'REMOTE'}) {
if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
goto VPNCONF_ERROR;
}
}
+
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
+ $errormessage = $Lang::tr{'transport mode does not support vti'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+ $errormessage = $Lang::tr{'invalid input for interface address'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mtu'};
+ goto VPNCONF_ERROR;
+ }
}
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
$confighash{$key}[11] = join('|', @remote_subnets);
}
+ $confighash{$key}[6] = $cgiparams{'LOCAL'};
$confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
$confighash{$key}[8] = join('|', @local_subnets);
$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
$confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
+ $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+ $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+ $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
# free unused fields!
- $confighash{$key}[6] = 'off';
$confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
} else {
$cgiparams{'AUTH'} = 'certgen';
}
- $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+ if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+ $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+ } else {
+ $cgiparams{"LOCAL_SUBNET"} = "";
+ }
$cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
$cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
$cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
$cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
+ $cgiparams{'INTERFACE_MODE'} = "";
+ $cgiparams{'INTERFACE_ADDRESS'} = "";
+ $cgiparams{'INTERFACE_MTU'} = 1500;
}
VPNCONF_ERROR:
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+ $selected{'MODE'}{'tunnel'} = '';
+ $selected{'MODE'}{'transport'} = '';
+ $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+ $selected{'INTERFACE_MODE'}{''} = '';
+ $selected{'INTERFACE_MODE'}{'gre'} = '';
+ $selected{'INTERFACE_MODE'}{'vti'} = '';
+ $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
+ $selected{'LOCAL'}{''} = '';
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+
+ $selected{'LOCAL'}{$address} = '';
+ }
+ $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+ <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
END
;
if ($cgiparams{'KEY'}) {
my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
my $remote_subnets = join(",", @remote_subnets);
- print <<END
+ print <<END;
<tr>
<td width='20%'>$Lang::tr{'enabled'}</td>
<td width='30%'>
<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
- <td width='30%'>
- <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
- </td>
+ <td colspan="2"></td>
</tr>
<tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td>
+ <td width='30%'>
+ <select name="LOCAL">
+ <option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option>
+END
+
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+ print <<END;
+ <option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option>
+END
+ }
+
+ print <<END;
+ </select>
+ </td>
<td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td>
<td width='30%'>
<input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
</td>
+ </tr>
+ <tr>
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
+ <td width='30%'>
+ <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
+ </td>
<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
<td width='30%'>
- <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
+ <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
</td>
</tr>
<tr>
print "</table>";
&Header::closebox();
+ if ($cgiparams{'TYPE'} eq 'net') {
+ &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+ print <<EOF;
+ <table width='100%'>
+ <tbody>
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+ <td width='30%'>
+ <select name='MODE'>
+ <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+ <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+ </select>
+ </td>
+ <td colspan='2'></td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+ <td width='30%'>
+ <select name='INTERFACE_MODE'>
+ <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+ <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+ <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+ </select>
+ </td>
+
+ <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+ <td width='30%'>
+ <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+ </td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+ <td width='30%'>
+ <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+ </td>
+ <td colspan='2'></td>
+ </tr>
+ </tbody>
+ </table>
+EOF
+ &Header::closebox();
+ }
+
if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <<END
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
$cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
$cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
}
+
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
}
ADVANCED_ERROR:
my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
- # suggest a default name for this side
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
- my $ipaddr = <IPADDR>;
- close IPADDR;
- chomp ($ipaddr);
- $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
- if ($cgiparams{'VPN_IP'} eq '') {
- $cgiparams{'VPN_IP'} = $ipaddr;
- }
- }
- }
- # no IP found, use %defaultroute
- $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
-
- $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
- <tr>
- <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td>
- <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
- <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
- </tr>
-END
-;
-print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
- <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
- </tr>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
- <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
- </tr>
-</table>
-<br>
-<hr />
-<table width='100%'>
-<tr>
- <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
- <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
-</tr>
-<tr>
- <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td>
- <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
- <td></td>
-</tr>
+ <tr>
+ <td width='60%' class='base'>
+ $Lang::tr{'enabled'}
+ </td>
+ <td width="40%">
+ <input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
+ </td>
+ </tr>
+ <tr>
+ <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
+ <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
+ </tr>
+ <tr>
+ <td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+ </tr>
</table>
END
;
return &array_unique(\@algos);
}
-sub make_subnets($) {
+sub make_subnets($$) {
+ my $direction = shift;
my $subnets = shift;
my @nets = split(/\|/, $subnets);
my @cidr_nets = ();
foreach my $net (@nets) {
my $cidr_net = &General::ipcidr($net);
+
+ # Skip 0.0.0.0/0 for remote because this renders the
+ # while system inaccessible
+ next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
push(@cidr_nets, $cidr_net);
}
'vpn start action add' => 'Auf Verbindungseingang warten',
'vpn start action route' => 'Bei Bedarf',
'vpn start action start' => 'Immer An',
-'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik',
-'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik',
+'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik',
+'vpn statistic rw' => 'VPN: Roadwarrior-Statistik',
'vpn subjectaltname' => 'Subjekt Alternativer Name',
'vpn wait' => 'WARTE',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
'cron server' => 'CRON Server',
'crypto error' => 'Cryptographic error',
'crypto warning' => 'Cryptographic warning',
+'cryptographic settings' => 'Cryptographic Settings',
'current' => 'Current',
'current aliases' => 'Current aliases',
'current class' => 'Current class',
'deep scan directories' => 'Scan recursive',
'def lease time' => 'Default Lease Time',
'default' => 'Default',
+'default IP address' => 'Default IP Address',
'default ip' => 'Default IP address',
'default lease time' => 'Default lease time (mins):',
'default networks' => 'Default networks',
'instant update' => 'Instant Update',
'integrity' => 'Integrity:',
'interface' => 'Interface',
+'interface mode' => 'Interface',
'interfaces' => 'Interfaces',
'internet' => 'INTERNET',
'intrusion detection' => 'Intrusion Detection',
'invalid input for hostname' => 'Invalid input for hostname.',
'invalid input for ike lifetime' => 'Invalid input for IKE lifetime',
'invalid input for inactivity timeout' => 'Invalid input for Inactivity Timeout',
+'invalid input for interface address' => 'Invalid input for interface address',
+'invalid input for interface mode' => 'Invalid input for interface mode',
+'invalid input for interface mtu' => 'Invalid input to interface MTU',
'invalid input for keepalive 1' => 'Invalid input for Keepalive ping',
'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2',
'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart',
+'invalid input for local ip address' => 'Invalid input for local IP address',
'invalid input for max clients' => 'Invalid input for Max Clients',
+'invalid input for mode' => 'Invalid input for mode',
'invalid input for name' => 'Invalid input for user\'s full name or system hostname',
'invalid input for oink code' => 'Invalid input for Oink code',
'invalid input for organization' => 'Invalid input for organization',
'ipfires hostname' => 'IPFire\'s Hostname',
'ipinfo' => 'IP info',
'ipsec' => 'IPsec',
+'ipsec connection' => 'IPsec Connection',
+'ipsec interface mode gre' => 'GRE',
+'ipsec interface mode none' => '- None (Default) -',
+'ipsec interface mode vti' => 'VTI',
+'ipsec mode transport' => 'Transport',
+'ipsec mode tunnel' => 'Tunnel',
'ipsec network' => 'IPsec network',
'ipsec no connections' => 'No active IPsec connections',
+'ipsec settings' => 'IPsec Settings',
'iptable rules' => 'IPTable rules',
'iptmangles' => 'IPTable Mangles',
'iptnats' => 'IPTable Network Address Translation',
'load printer' => 'Load Printer',
'loaded modules' => 'Loaded modules:',
'local hard disk' => 'Hard disk',
+'local ip address' => 'Local IP Address',
'local master' => 'Local Master',
'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled',
'local subnet' => 'Local subnet:',
'mpfire search' => 'MPFire Search',
'mpfire songs' => 'MPFire songlist',
'mpfire webradio' => 'MPFire Webradio',
+'mtu' => 'MTU',
'mtu QoS' => 'This does not change the global MTU, it only sets MTU for QoS.',
'my new share' => 'My new share',
'name' => 'Name',
'subject warn' => 'Warning - warnlevel reached',
'subnet' => 'Subnet',
'subnet is invalid' => 'Netmask is invalid',
+'subnet mask' => 'Subnet Mask',
'subscripted user rules' => 'Sourcefire VRT rules with subscription',
'successfully refreshed updates list' => 'Successfully refreshed updates list.',
'summaries kept' => 'Keep summaries for',
'trafficto' => 'To',
'transfer limits' => 'Transfer limits',
'transparent on' => 'Transparent on',
+'transport mode does not support vti' => 'VTI is not support in transport mode',
'tripwire' => 'Tripwire',
'tripwire cronjob' => 'tripwire cronjob',
'tripwire functions' => 'tripwire functions',
'vpn start action add' => 'Wait for connection initiation',
'vpn start action route' => 'On Demand',
'vpn start action start' => 'Always On',
-'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics',
-'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics',
+'vpn statistic n2n' => 'VPN: Net-to-Net Statistics',
+'vpn statistic rw' => 'VPN: Roadwarrior Statistics',
'vpn subjectaltname' => 'Subject Alt Name',
'vpn wait' => 'WAITING',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'vpn start action add' => 'Attendre l\'initialisation de la connexion',
'vpn start action route' => 'A la demande',
'vpn start action start' => 'Toujours démarré',
-'vpn statistic n2n' => 'Stats OpenVPN (site-Ã -site)',
-'vpn statistic rw' => 'Stats OpenVPN (client nomade)',
+'vpn statistic n2n' => 'Stats VPN (site-Ã -site)',
+'vpn statistic rw' => 'Stats VPN (client nomade)',
'vpn subjectaltname' => 'Subject Alt Name',
'vpn wait' => 'ATTENTE',
'vpn watch' => 'Redémarrer le VPN site-à -site si l\'IP hôte distant change (dyndns).',
'vpn start action' => 'Hareketi BaÅŸlat',
'vpn start action route' => 'Ä°stek Ãœzerine',
'vpn start action start' => 'Her Zaman',
-'vpn statistic n2n' => 'AÄŸdan AÄŸa OpenVPN Ä°statistiÄŸi',
-'vpn statistic rw' => 'Roadwarrior OpenVPN Ä°statistiÄŸi',
+'vpn statistic n2n' => 'AÄŸdan AÄŸa VPN Ä°statistiÄŸi',
+'vpn statistic rw' => 'Roadwarrior VPN Ä°statistiÄŸi',
'vpn subjectaltname' => 'Alternatif konu adı',
'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.',
'vpn weak' => 'Hafta',
cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices.default
# Oneliner configfiles
echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
- echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
echo "01" > $(CONFIG_ROOT)/certs/serial
echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
/usr/lib/firewall/rules.pl
install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
/usr/lib/firewall/firewall-lib.pl
- install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
- /usr/lib/firewall/ipsec-block
+ install -m 755 $(DIR_SRC)/config/firewall/ipsec-policy \
+ /usr/lib/firewall/ipsec-policy
# Nobody user
-mkdir -p /home/nobody
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
#!/bin/bash
-eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
-
-sleep $VPN_DELAYED_START && /usr/local/bin/ipsecctrl S &
-
-exit 0
+exec /usr/local/bin/ipsecctrl S
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain
- /usr/lib/firewall/ipsec-block
+ # Populate IPsec chains
+ /usr/lib/firewall/ipsec-policy
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
fi
fi
+ # Create IPsec interfaces
+ /usr/local/bin/ipsec-interfaces
+
/etc/rc.d/init.d/static-routes start
;;
safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
}
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
-*/
-void open_physical (char *interface, int nat_traversal_port) {
- char str[STRING_SIZE];
-
- // IKE
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (! nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-void ipsec_norules() {
- /* clear input rules */
- safe_system("/sbin/iptables --wait -F IPSECINPUT");
- safe_system("/sbin/iptables --wait -F IPSECFORWARD");
- safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
-}
-
/*
return values from the vpn config file or false if not 'on'
*/
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
// Reload the configuration into the daemon (#10339).
ipsec_reload();
// Bring the connection up again.
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec up %s >/dev/null", name);
+ "/usr/sbin/ipsec stroke up-nb %s >/dev/null", name);
safe_system(command);
}
// Reload, so the connection is dropped.
ipsec_reload();
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
}
int main(int argc, char *argv[]) {
- char configtype[STRING_SIZE];
- char redtype[STRING_SIZE] = "";
struct keyvalue *kv = NULL;
if (argc < 2) {
}
if (!(initsetuid()))
exit(1);
-
- FILE *file = NULL;
-
+
+ FILE *file = NULL;
if (strcmp(argv[1], "I") == 0) {
safe_system("/usr/sbin/ipsec status");
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
- ipsec_norules();
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
exit(0);
}
}
exit(0);
}
- /* read interface settings */
- kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
- if (!findkey(kv, "CONFIG_TYPE", configtype))
- {
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");
- exit(1);
- }
- findkey(kv, "RED_TYPE", redtype);
-
-
- /* Loop through the config file to find physical interface that will accept IPSEC */
- int enable_red=0; // states 0: not used
- int enable_green=0; // 1: error condition
- int enable_orange=0; // 2: good
- int enable_blue=0;
- char if_red[STRING_SIZE] = "";
- char if_green[STRING_SIZE] = "";
- char if_orange[STRING_SIZE] = "";
- char if_blue[STRING_SIZE] = "";
char s[STRING_SIZE];
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red++;
- }
-
- // Check if GREEN is enabled.
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
-
- // Check if ORANGE is enabled.
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
-
- // Check if BLUE is enabled.
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
-
- freekeyvalues(kv);
-
- // exit if nothing to do
- if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
- exit(0);
-
- // open needed ports
- if (enable_red > 0)
- open_physical(if_red, 4500);
-
- if (enable_green > 0)
- open_physical(if_green, 4500);
-
- if (enable_orange > 0)
- open_physical(if_orange, 4500);
-
- if (enable_blue > 0)
- open_physical(if_blue, 4500);
-
- // start the system
+ // start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
--- /dev/null
+--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
++++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ # address family.
+ #
+
++VARS=(
++ id status name lefthost type ctype psk local local_id leftsubnets
++ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
++ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
++ route x23 mode interface_mode interface_address interface_mtu rest
++)
++
+ function ip_encode() {
+ local IFS=.
+
+@@ -319,6 +326,13 @@
+ fi
+ ;;
+ up-client:iptables)
++ # Read IPsec configuration
++ while IFS="," read -r "${VARS[@]}"; do
++ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
++ break
++ fi
++ done < /var/ipfire/vpn/config
++
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
++ if [ -z "${interface_mode}" ]; then
++ # Add source nat so also the gateway can access the other nets
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? -eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+
+ # Flush routing cache
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+shopt -s nullglob
+
+VPN_CONFIG="/var/ipfire/vpn/config"
+
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
+log() {
+ logger -t ipsec "$@"
+}
+
+resolve_hostname() {
+ local hostname="${1}"
+
+ dig +short A "${hostname}" | tail -n1
+}
+
+main() {
+ # Register local variables
+ local "${VARS[@]}"
+ local action
+
+ local interfaces=()
+
+ # We are done when IPsec is not enabled
+ if [ "${ENABLED}" = "on" ]; then
+ while IFS="," read -r "${VARS[@]}"; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Determine the interface name
+ case "${interface_mode}" in
+ gre|vti)
+ local intf="${interface_mode}${id}"
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ # Add the interface to the list of all interfaces
+ interfaces+=( "${intf}" )
+
+ # Compat for older connections
+ if [ "${local}" = "off" ]; then
+ if [ "${VPN_IP}" = "%defaultroute" ]; then
+ local=""
+ else
+ local="${VPN_IP}"
+ fi
+ fi
+
+ # Handle %defaultroute
+ if [ -z "${local}" ]; then
+ if [ -r "/var/ipfire/red/local-ipaddress" ]; then
+ local="$(</var/ipfire/red/local-ipaddress)"
+
+ elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
+ local="${RED_ADDRESS}"
+ fi
+ fi
+
+ # Resolve any hostnames
+ if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ remote="$(resolve_hostname "${remote}")"
+ fi
+
+ local args=(
+ "local" "${local}"
+ "remote" "${remote}"
+ )
+
+ case "${interface_mode}" in
+ gre)
+ # Add TTL
+ args+=( "ttl" "255" )
+ ;;
+
+ vti)
+ # Add key for VTI
+ args+=( "key" "${id}" )
+ ;;
+ esac
+
+ # Update the settings when the interface already exists
+ if [ -d "/sys/class/net/${intf}" ]; then
+ ip link change dev "${intf}" \
+ type "${interface_mode}" "${args[@]}" &>/dev/null
+
+ # Create a new interface and bring it up
+ else
+ log "Creating interface ${intf}"
+ if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
+ log "Could not create interface ${intf}"
+ continue
+ fi
+ fi
+
+ # Add an IP address
+ ip addr flush dev "${intf}"
+ ip addr add "${interface_address}" dev "${intf}"
+
+ # Set MTU
+ ip link set dev "${intf}" mtu "${interface_mtu}"
+
+ # Bring up the interface
+ ip link set dev "${intf}" up
+ done < "${VPN_CONFIG}"
+ fi
+
+ # Delete all other interfaces
+ local intf
+ for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
+ intf="$(basename "${intf}")"
+
+ # Ignore a couple of interfaces that cannot be deleted
+ case "${intf}" in
+ gre0|gretap0)
+ continue
+ ;;
+ esac
+
+ # Check if interface is on the list
+ local i found="false"
+ for i in ${interfaces[@]}; do
+ if [ "${intf}" = "${i}" ]; then
+ found="true"
+ break
+ fi
+ done
+
+ # Nothing to do if interface was found
+ ${found} && continue
+
+ # Delete the interface
+ log "Deleting interface ${intf}"
+ ip link del "${intf}" &>/dev/null
+ done
+}
+
+main || exit $?