From: Michael Tremer Date: Mon, 25 Feb 2019 00:48:08 +0000 (+0000) Subject: Merge branch 'ipsec' into next X-Git-Tag: v2.23-core131~197 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=50d1bbf0f56b76148f10bbe2195df45ad3b60cb3;hp=b5ef99df2c34d9e9f614c0b3d57d32a8890139c0 Merge branch 'ipsec' into next --- diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 2820eea655..118744fd6e 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -169,6 +169,15 @@ sub get_ipsec_host_ip } } } +sub get_ipsec_id { + my $val = shift; + + foreach my $key (keys %ipsecconf) { + if ($ipsecconf{$key}[1] eq $val) { + return $key; + } + } +} sub get_ovpn_n2n_ip { my $val=shift; @@ -399,10 +408,16 @@ sub get_address my @parts = split(/\|/, $value); push(@ret, [$parts[1], ""]); }else{ - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/\|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + my $interface_mode = &get_ipsec_net_ip($value, 36); + if ($interface_mode ~~ ["gre", "vti"]) { + my $id = &get_ipsec_id($value); + push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]); + } else { + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/\|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } } } diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-policy similarity index 65% rename from config/firewall/ipsec-block rename to config/firewall/ipsec-policy index 96682b8943..1ad4de6501 100644 --- a/config/firewall/ipsec-block +++ b/config/firewall/ipsec-policy 
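Review bot: `get_ipsec_id` has no explicit return on the fall-through path, so when no entry of `%ipsecconf` carries `$val` in column 1 the sub returns whatever the `foreach` statement happens to yield rather than a deliberate value; add `return;` after the loop so callers receive undef (scalar context) or an empty list by design and can test `defined`. The lookup returns the first key whose column 1 equals `$val` — presumably the connection name, which the writer of the config file is expected to keep unique; if that is not enforced the result is order-dependent, which is worth a comment. A header comment would also help, e.g. `# Return the id (hash key) of the IPsec connection named $val, or nothing if no such connection exists`.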
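Review bot: The new branch in `get_address` uses smartmatch (`$interface_mode ~~ ["gre", "vti"]`), which has been marked experimental since Perl 5.18 and emits a warning under `use warnings`; a plain comparison is safer and equally readable: `if ($interface_mode eq "gre" || $interface_mode eq "vti") {`. The `$id` obtained from `&get_ipsec_id($value)` can be undef when the lookup fails, in which case the pushed entry becomes `0.0.0.0/0` on an interface named bare `gre`/`vti` (plus an uninitialized-value warning); guard it, e.g. `if (defined $id) { push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]); }`, because the any-address entry is only acceptable while the interface name scopes it. The body of `get_address` starts and ends outside this hunk.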
@@ -21,6 +21,15 @@ VPN_CONFIG="/var/ipfire/vpn/config" +eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) + +VARS=( + id status name lefthost type ctype psk local local_id leftsubnets + remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 + x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 + route x23 mode interface_mode interface_address interface_mtu rest +) + block_subnet() { local subnet="${1}" local action="${2}" 
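Review bot: The new `VARS` array pins the column layout of `${VPN_CONFIG}` purely by position, with `x3`…`x23` as placeholders and nothing pointing at the producer of that file or at the other reader, so inserting a column will silently shift `mode`, `interface_mode` and every field after them. A comment above the array would help, e.g. `# Column layout of ${VPN_CONFIG}; firewall-lib.pl reads the same columns by index (interface_mode is column 36 counted after the id), so keep both lists in sync`. The `eval $(/usr/local/bin/readhash …)` line imports every key of the settings file into the script although only `ENABLED` appears to be used (in install_policy, below); presumably this is the project's usual idiom, but a one-line comment such as `# Provides ENABLED (the IPsec on/off switch)` would make the dependency visible.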
@@ -45,27 +54,55 @@ block_subnet() { return 0 } -block_ipsec() { - # Flush all exists rules +install_policy() { + # Flush existing rules + iptables -F IPSECINPUT + iptables -F IPSECOUTPUT iptables -F IPSECBLOCK - local action + # We are done when IPsec is not enabled + [ "${ENABLED}" = "on" ] || exit 0 - local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets" - vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12" - vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24" - vars="${vars} route rest" + # IKE + iptables -A IPSECINPUT -p udp --dport 500 -j ACCEPT + iptables -A IPSECOUTPUT -p udp --dport 500 -j ACCEPT + + # IKE NAT + iptables -A IPSECINPUT -p udp --dport 4500 -j ACCEPT + iptables -A IPSECOUTPUT -p udp --dport 4500 -j ACCEPT # Register local variables - local ${vars} + local "${VARS[@]}" + local action - while IFS="," read -r ${vars}; do + while IFS="," read -r "${VARS[@]}"; do # Check if the connection is enabled [ "${status}" = "on" ] || continue # Check if this a net-to-net connection [ "${type}" = "net" ] || continue + # Default local to 0.0.0.0/0 + if [ "${local}" = "" -o "${local}" = "off" ]; then + local="0.0.0.0/0" + fi + + # Install permissions for GRE traffic + case "${interface_mode}" in + gre) + if [ -n "${remote}" ]; then + iptables -A IPSECINPUT -p gre \ + -s "${remote}" -d "${local}" -j ACCEPT + + iptables -A IPSECOUTPUT -p gre \ + -s "${local}" -d "${remote}" -j ACCEPT + fi + ;; + esac + + # Install firewall rules only for interfaces without interface + [ -n "${interface_mode}" ] && continue + # Split multiple subnets rightsubnets="${rightsubnets//\|/ }" @@ -85,4 +122,4 @@ block_ipsec() { done < "${VPN_CONFIG}" } -block_ipsec || exit $? +install_policy || exit $? diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2 index 110114c478..c6d19a5f66 100644 --- a/config/rootfiles/common/aarch64/stage2 +++ b/config/rootfiles/common/aarch64/stage2 
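Review bot: The GRE accept rules added in `install_policy` match only on protocol and the `${remote}`/`${local}` addresses, so unless the IPSECINPUT/IPSECOUTPUT chains are reached exclusively for IPsec-decapsulated traffic (their hook point is outside this diff), a cleartext GRE packet carrying the peer's source address would be accepted as well; restricting the rules to traffic that traversed an SA closes that, e.g. `iptables -A IPSECINPUT -p gre -m policy --dir in --pol ipsec -s "${remote}" -d "${local}" -j ACCEPT` and the mirrored `-m policy --dir out --pol ipsec` form on IPSECOUTPUT. `${remote}` takes the place of the old `righthost` field and may therefore be a host name rather than an address (not verifiable from this diff); iptables resolves it when the rule is installed, and since the loop ignores the iptables exit status a failed resolution silently leaves the GRE rule out. The `[ "${ENABLED}" = "on" ] || exit 0` check runs after the three chains are flushed, so disabling IPsec now also removes the IPSECBLOCK rules that `block_ipsec` installed regardless of that setting — worth confirming that is intended. The comment `# Install firewall rules only for interfaces without interface` is garbled; `# Connections with an interface are handled on that interface; install block rules only for the others` says what the `continue` does.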
@@ -76,7 +76,7 @@ usr/bin/captive-cleanup
 #usr/lib
 usr/lib/firewall
 usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
 usr/lib/firewall/rules.pl
 #usr/lib/libgcc_s.so
 usr/lib/libgcc_s.so.1
@@ -93,6 +93,7 @@ usr/local/bin/connscheduler
 usr/local/bin/consort.sh
 usr/local/bin/convert-ovpn
 usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 5665f23012..ea941cdbe0 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -75,7 +75,7 @@ usr/bin/captive-cleanup
 #usr/lib
 usr/lib/firewall
 usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
 usr/lib/firewall/rules.pl
 #usr/lib/libgcc_s.so
 usr/lib/libgcc_s.so.1
@@ -91,6 +91,7 @@ usr/local/bin/connscheduler
 usr/local/bin/consort.sh
 usr/local/bin/convert-ovpn
 usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index 110114c478..c6d19a5f66 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -76,7 +76,7 @@ usr/bin/captive-cleanup
 #usr/lib
 usr/lib/firewall
 usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
 usr/lib/firewall/rules.pl
 #usr/lib/libgcc_s.so
 usr/lib/libgcc_s.so.1
@@ -93,6 +93,7 @@ usr/local/bin/connscheduler
 usr/local/bin/consort.sh
 usr/local/bin/convert-ovpn
 usr/local/bin/hddshutdown
+usr/local/bin/ipsec-interfaces
 usr/local/bin/makegraphs
 usr/local/bin/qosd
 usr/local/bin/readhash
diff --git a/config/strongswan/charon.conf b/config/strongswan/charon.conf
index a5ff0bee51..05dab0b9ae 100644
--- a/config/strongswan/charon.conf
+++ b/config/strongswan/charon.conf
@@ -86,7 +86,7 @@ charon { # Install routes into a separate routing table for established IPsec # tunnels. - # install_routes = yes + install_routes = no # Install virtual IP addresses. # install_virtual_ip = yes diff --git a/doc/language_issues.de b/doc/language_issues.de index c5dad0168a..d84b7d3480 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -713,11 +712,14 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration 
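Review bot: `install_routes = no` turns a previously commented default into an explicit opt-out, and nothing in charon.conf now says what installs routes for established tunnels instead; from the rest of this merge that is presumably the new usr/local/bin/ipsec-interfaces helper listed in the stage2 rootfiles, whose contents are not part of the diff. A comment above the setting would stop the next reader from re-enabling it, e.g. `# Routes for IPsec connections are installed by IPFire's own scripts (see ipsec-interfaces), not by charon`. It is also worth confirming that policy-based connections (no GRE/VTI interface) still obtain a usable route with this off, since charon's dedicated routing table is no longer populated for them.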
@@ -734,6 +736,7 @@ WARNING: untranslated string: addons = Addons
 WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules
 WARNING: untranslated string: dead peer detection = Dead Peer Detection
+WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules
 WARNING: untranslated string: fwhost cust geoipgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
@@ -775,6 +778,21 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: guardian watch snort alertfile = unknown string
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
 WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
 WARNING: untranslated string: qos add subclass = Add subclass
@@ -783,5 +801,7 @@ WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
 WARNING: untranslated string: show tls-auth key = Show tls-auth key
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
 WARNING: untranslated string: vpn statistics n2n = unknown string
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 3e16e21808..4af86025ff 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -529,6 +529,7 @@ WARNING: untranslated string: dead peer detection = Dead Peer Detection
 WARNING: untranslated string: december = December
 WARNING: untranslated string: def lease time = Default Lease Time
 WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: default lease time = Default lease time (mins):
 WARNING: untranslated string: default renewal time = Default Renewal Time
 WARNING: untranslated string: delete = Delete
@@ -1051,6 +1052,7 @@ WARNING: untranslated string: install = Install
 WARNING: untranslated string: instant update = Instant Update
 WARNING: untranslated string: integrity = Integrity:
 WARNING: untranslated string: interface = Interface
+WARNING: untranslated string: interface mode = Interface
 WARNING: untranslated string: interfaces = Interfaces
 WARNING: untranslated string: internet = INTERNET
 WARNING: untranslated string: intrusion detection = Intrusion Detection
@@ -1079,10 +1081,15 @@ WARNING: untranslated string: invalid input for esp keylife = Invalid input for
 WARNING: untranslated string: invalid input for hostname = Invalid input for hostname.
 WARNING: untranslated string: invalid input for ike lifetime = Invalid input for IKE lifetime
 WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
 WARNING: untranslated string: invalid input for keepalive 1 = Invalid input for Keepalive ping
 WARNING: untranslated string: invalid input for keepalive 1:2 = Invalid input for Keepalive use at least a ratio of 1:2
 WARNING: untranslated string: invalid input for keepalive 2 = Invalid input for Keepalive ping-restart
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
 WARNING: untranslated string: invalid input for max clients = Invalid input for Max Clients
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid input for name = Invalid input for user's full name or system hostname
 WARNING: untranslated string: invalid input for oink code = Invalid input for Oink code
 WARNING: untranslated string: invalid input for organization = Invalid input for organization
@@ -1126,7 +1133,14 @@ WARNING: untranslated string: ipfire side is invalid = IPFire side is invalid.
 WARNING: untranslated string: ipfires hostname = IPFire's Hostname
 WARNING: untranslated string: ipinfo = IP info
 WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: iptmangles = IPTable Mangles
 WARNING: untranslated string: iptnats = IPTable Network Address Translation
 WARNING: untranslated string: ipts = iptables
@@ -1145,6 +1159,7 @@ WARNING: untranslated string: legend = Legend
 WARNING: untranslated string: lifetime = Lifetime:
 WARNING: untranslated string: linkq = Link Quality
 WARNING: untranslated string: load printer = Load Printer
+WARNING: untranslated string: local ip address = Local IP Address
 WARNING: untranslated string: local master = Local Master
 WARNING: untranslated string: local ntp server specified but not enabled = Local NTP server specified but not enabled
 WARNING: untranslated string: local subnet = Local subnet:
@@ -1230,6 +1245,7 @@ WARNING: untranslated string: minimum = Minimum
 WARNING: untranslated string: minute = Minute
 WARNING: untranslated string: minutes = Minutes
 WARNING: untranslated string: misc-options = Miscellaneous options
+WARNING: untranslated string: mode = Mode
 WARNING: untranslated string: model = Model
 WARNING: untranslated string: modem = Modem
 WARNING: untranslated string: modem configuration = Modem configuration
@@ -1262,6 +1278,7 @@ WARNING: untranslated string: mpfire scanning = Scan for new files
 WARNING: untranslated string: mpfire search = MPFire Search
 WARNING: untranslated string: mpfire songs = MPFire songlist
 WARNING: untranslated string: mpfire webradio = MPFire Webradio
+WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: my new share = My new share
 WARNING: untranslated string: name = Name
 WARNING: untranslated string: name is invalid = Name is invalid
@@ -1630,6 +1647,7 @@ WARNING: untranslated string: stop = Stop
 WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server
 WARNING: untranslated string: stopped = STOPPED
 WARNING: untranslated string: subject = Subject
+WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: subscripted user rules = Sourcefire VRT rules with subscription
 WARNING: untranslated string: summaries kept = Keep summaries for
 WARNING: untranslated string: sunday = Sunday
@@ -1711,6 +1729,7 @@ WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (on
 WARNING: untranslated string: total hits for log section = Total hits for log section
 WARNING: untranslated string: traffic on = Traffic on
 WARNING: untranslated string: traffics = Utilization-overview
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: tuesday = Tuesday
 WARNING: untranslated string: twelve hours = 12 Hours
 WARNING: untranslated string: two weeks = Two Weeks
@@ -2033,8 +2052,6 @@ WARNING: untranslated string: vpn altname syntax = SubjectAltName is a comma sep
 WARNING: untranslated string: vpn auth-dn = Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field
 WARNING: untranslated string: vpn broken = Broken
 WARNING: untranslated string: vpn connecting = CONNECTING
-WARNING: untranslated string: vpn delayed start = Delay before launching VPN (seconds)
-WARNING: untranslated string: vpn delayed start help = If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.
 WARNING: untranslated string: vpn force mobike = Force using MOBIKE (only IKEv2)
 WARNING: untranslated string: vpn inactivity timeout = Inactivity Timeout
 WARNING: untranslated string: vpn keyexchange = Keyexchange
@@ -2043,14 +2060,13 @@ WARNING: untranslated string: vpn missing remote id = You must specify a correct
 WARNING: untranslated string: vpn no full pki = missing private key to generate cert
 WARNING: untranslated string: vpn on-demand = ON-DEMAND
 WARNING: untranslated string: vpn payload compression = Negotiate payload compression
-WARNING: untranslated string: vpn red name = Public IP or FQDN for RED interface or <%defaultroute>
 WARNING: untranslated string: vpn remote id = Remote ID
 WARNING: untranslated string: vpn start action = Start Action
 WARNING: untranslated string: vpn start action add = Wait for connection initiation
 WARNING: untranslated string: vpn start action route = On Demand
 WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
 WARNING: untranslated string: vpn statistics n2n = unknown string
 WARNING: untranslated string: vpn subjectaltname = Subject Alt Name
 WARNING: untranslated string: vpn wait = WAITING
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 236248d55e..d1a5935661 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -634,11 +633,14 @@ WARNING: translation string unused: use ibod
 WARNING: translation string unused: view log
 WARNING: translation string unused: vpn aggrmode
 WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
 WARNING: translation string unused: vpn incompatible use of defaultroute
 WARNING: translation string unused: vpn mtu invalid
 WARNING: translation string unused: vpn on blue
 WARNING: translation string unused: vpn on green
 WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
 WARNING: translation string unused: vpn watch
 WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
@@ -761,6 +763,7 @@ WARNING: untranslated string: crypto error = Cryptographic error
 WARNING: untranslated string: crypto warning = Cryptographic warning
 WARNING: untranslated string: dead peer detection = Dead Peer Detection
 WARNING: untranslated string: default = Default
+WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat!
 WARNING: untranslated string: details = Details
 WARNING: untranslated string: dh = Diffie-Hellman parameters
@@ -1050,17 +1053,31 @@ WARNING: untranslated string: incoming firewall access = Incoming Firewall Acces
 WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: integrity = Integrity:
+WARNING: untranslated string: interface mode = Interface
 WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay
 WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout
 WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: last = Last
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: lifetime = Lifetime:
+WARNING: untranslated string: local ip address = Local IP Address
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
@@ -1088,6 +1105,7 @@ WARNING: untranslated string: modem sim information = SIM Information
 WARNING: untranslated string: modem status = Modem Status
 WARNING: untranslated string: monitor interface = Monitor Interface
 WARNING: untranslated string: most preferred = most preferred
+WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: nameserver = Nameserver
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: none = none
@@ -1166,6 +1184,7 @@ WARNING: untranslated string: ssh login time = Logged in since
 WARNING: untranslated string: ssh no active logins = No active logins
 WARNING: untranslated string: ssh username = Username
 WARNING: untranslated string: static routes = Static Routes
+WARNING: untranslated string: subnet mask = Subnet Mask
 WARNING: untranslated string: support donation = Support the IPFire project with your donation
 WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND.
 WARNING: untranslated string: system information = System Information
@@ -1221,6 +1240,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re
 WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections.
 WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
 WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line)
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: twelve hours = 12 Hours
 WARNING: untranslated string: two weeks = Two Weeks
 WARNING: untranslated string: udp less overhead = UDP (less overhead)
@@ -1245,8 +1265,8 @@ WARNING: untranslated string: vpn start action = Start Action
 WARNING: untranslated string: vpn start action add = Wait for connection initiation
 WARNING: untranslated string: vpn start action route = On Demand
 WARNING: untranslated string: vpn start action start = Always On
-WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics
-WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics
+WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics
+WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics
 WARNING: untranslated string: vpn statistics n2n = unknown string
 WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vpn weak = Weak
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index e2f20eb5c8..df98339d5a 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -445,7 +445,6 @@ WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -751,11 +750,14 @@ WARNING: translation string unused: use ibod
 WARNING: translation string unused: view log
 WARNING: translation string unused: vpn aggrmode
 WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
 WARNING: translation string unused: vpn incompatible use of defaultroute
 WARNING: translation string unused: vpn mtu invalid
 WARNING: translation string unused: vpn on blue
 WARNING: translation string unused: vpn on green
 WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
 WARNING: translation string unused: vpn watch
 WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
@@ -770,6 +772,7 @@ WARNING: translation string unused: yearly firewallhits
 WARNING: untranslated string: Captive clients = unknown string
 WARNING: untranslated string: Scan for Songs = unknown string
 WARNING: untranslated string: bytes = unknown string
+WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: fwhost cust geoipgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
@@ -810,11 +813,28 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: guardian watch snort alertfile = unknown string
 WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string
 WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: mtu = MTU
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
+WARNING: untranslated string: subnet mask = Subnet Mask
+WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: vpn statistics n2n = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 5500eedc94..7c465aae6e 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
-WARNING: translation string unused: mode
 WARNING: translation string unused: modem on com1
 WARNING: translation string unused: modem on com2
 WARNING: translation string unused: modem on com3
@@ -723,11 +722,14 @@ WARNING: translation string unused: use ibod
 WARNING: translation string unused: view log
 WARNING: translation string unused: vpn aggrmode
 WARNING: translation string unused: vpn configuration main
+WARNING: translation string unused: vpn delayed start
+WARNING: translation string unused: vpn delayed start help
 WARNING: translation string unused: vpn incompatible use of defaultroute
 WARNING: translation string unused: vpn mtu invalid
 WARNING: translation string unused: vpn on blue
 WARNING: translation string unused: vpn on green
 WARNING: translation string unused: vpn on orange
+WARNING: translation string unused: vpn red name
 WARNING: translation string unused: vpn watch
 WARNING: translation string unused: warn when traffic reaches
 WARNING: translation string unused: web proxy configuration
@@ -789,6 +791,7 @@ WARNING: untranslated string: bytes = unknown string
 WARNING: untranslated string: check all = Check all
 WARNING: untranslated string: crypto error = Cryptographic error
 WARNING: untranslated string: crypto warning = Cryptographic warning
+WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136):
 WARNING: untranslated string: dhcp dns key name = Key Name:
 WARNING: untranslated string: dhcp dns update = DNS Update
@@ -884,10 +887,24 @@ WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unk
 WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression
 WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead
 WARNING: untranslated string: info messages = unknown string
+WARNING: untranslated string: interface mode = Interface
 WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout
+WARNING: untranslated string: invalid input for interface address = Invalid input for interface address
+WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode
+WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU
+WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address
+WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days).
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
+WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec interface mode gre = GRE
+WARNING: untranslated string: ipsec interface mode none = - None (Default) -
+WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec mode transport = Transport
+WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec settings = IPsec Settings
+WARNING: untranslated string: local ip address = Local IP Address
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
 WARNING: untranslated string: masquerade green = Masquerade GREEN
@@ -896,6 +913,7 @@ WARNING: untranslated string: masquerading = Masquerading WARNING: untranslated string: masquerading disabled = Masquerading disabled WARNING: untranslated string: masquerading enabled = Masquerading enabled WARNING: untranslated string: messages = Messages +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none WARNING: untranslated string: one hour = One Hour @@ -924,9 +942,11 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes WARNING: untranslated string: thirty minutes = 30 Minutes +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) 
@@ -944,8 +964,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 64778ffd7b..2ed6e3d85d 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -415,7 +415,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -718,11 +717,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -787,6 +789,7 @@ WARNING: untranslated string: check all = Check all WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dh = Diffie-Hellman parameters WARNING: untranslated string: dh key move failed = Diffie-Hellman parameters move failed. WARNING: untranslated string: dh key warn = Creating DH-parameters with a length of 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient. 
@@ -898,10 +901,24 @@ WARNING: untranslated string: imsi = IMSI WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE WARNING: untranslated string: masquerade green = Masquerade GREEN 
@@ -924,6 +941,7 @@ WARNING: untranslated string: modem no connection message = No connection to the WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none @@ -967,10 +985,12 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes WARNING: untranslated string: thirty minutes = 30 Minutes +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) 
@@ -990,8 +1010,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 236248d55e..d1a5935661 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -634,11 +633,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -761,6 +763,7 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! WARNING: untranslated string: details = Details WARNING: untranslated string: dh = Diffie-Hellman parameters 
@@ -1050,17 +1053,31 @@ WARNING: untranslated string: incoming firewall access = Incoming Firewall Acces WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: integrity = Integrity: +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). 
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1088,6 +1105,7 @@ WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: most preferred = most preferred +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none 
@@ -1166,6 +1184,7 @@ WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: static routes = Static Routes +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information @@ -1221,6 +1240,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections. WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line) +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) 
@@ -1245,8 +1265,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 810b16f502..2f0b4d9e8b 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -358,7 +358,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -637,11 +636,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -764,6 +766,7 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! WARNING: untranslated string: details = Details WARNING: untranslated string: dh = Diffie-Hellman parameters 
@@ -1052,17 +1055,31 @@ WARNING: untranslated string: incoming overhead in bytes per second = Incoming O WARNING: untranslated string: incoming traffic in bytes per second = Incoming Traffic WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: integrity = Integrity: +WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). 
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred WARNING: untranslated string: lifetime = Lifetime: +WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter WARNING: untranslated string: masquerade blue = Masquerade BLUE @@ -1090,6 +1107,7 @@ WARNING: untranslated string: modem sim information = SIM Information WARNING: untranslated string: modem status = Modem Status WARNING: untranslated string: monitor interface = Monitor Interface WARNING: untranslated string: most preferred = most preferred +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: nameserver = Nameserver WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none 
@@ -1162,6 +1180,7 @@ WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: static routes = Static Routes +WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: ta key = TLS-Authentification-Key @@ -1216,6 +1235,7 @@ WARNING: untranslated string: tor traffic limit hard = Traffic limit has been re WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reached. Not accepting any new connections. WARNING: untranslated string: tor traffic read written = Total traffic (read/written) WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one per line) +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: twelve hours = 12 Hours WARNING: untranslated string: two weeks = Two Weeks WARNING: untranslated string: udp less overhead = UDP (less overhead) 
@@ -1240,8 +1260,8 @@ WARNING: untranslated string: vpn start action = Start Action WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn start action route = On Demand WARNING: untranslated string: vpn start action start = Always On -WARNING: untranslated string: vpn statistic n2n = OpenVPN Net-to-Net Statistics -WARNING: untranslated string: vpn statistic rw = OpenVPN Roadwarrior Statistics +WARNING: untranslated string: vpn statistic n2n = VPN: Net-to-Net Statistics +WARNING: untranslated string: vpn statistic rw = VPN: Roadwarrior Statistics WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING WARNING: untranslated string: vpn weak = Weak diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 1406583464..c6fb9f2558 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -445,7 +445,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -751,11 +750,14 @@ WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode WARNING: translation string unused: vpn configuration main +WARNING: translation string unused: vpn delayed start +WARNING: translation string unused: vpn delayed start help WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue WARNING: translation string unused: vpn on green WARNING: translation string unused: vpn on orange +WARNING: translation string unused: vpn red name WARNING: translation string unused: vpn watch WARNING: translation string unused: warn when traffic reaches WARNING: translation string unused: web proxy configuration @@ -772,6 +774,7 @@ WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string 
@@ -813,7 +816,22 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: interface mode = Interface +WARNING: untranslated string: invalid input for interface address = Invalid input for interface address +WARNING: untranslated string: invalid input for interface mode = Invalid input for interface mode +WARNING: untranslated string: invalid input for interface mtu = Invalid input to interface MTU +WARNING: untranslated string: invalid input for local ip address = Invalid input for local IP address +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec interface mode gre = GRE +WARNING: untranslated string: ipsec interface mode none = - None (Default) - +WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec settings = IPsec Settings +WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit!
Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".
WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
@@ -826,6 +844,8 @@ WARNING: untranslated string: ssh active sessions = Active logins WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username +WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING diff --git a/doc/language_missings b/doc/language_missings index 938a9551ea..853a5f65ad 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -28,7 +28,9 @@ < choose media < community rules < could not connect to www ipfire org +< cryptographic settings < dead peer detection +< default IP address < dhcp server disabled on blue interface < dhcp server enabled on blue interface < dh name is invalid @@ -38,6 +40,21 @@ < g.lite < guardian < insert removable device +< interface mode +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address +< mtu < none < notes < qos add subclass @@ -46,9 +63,11 @@ < show areas < show lines < show tls-auth key +< subnet mask < teovpn_fragment < tor bridge enabled < tor errmsg invalid node id +< transport mode does not support vti < updxlrtr used by < upload fcdsl.o < vpn configuration main 
@@ -186,10 +205,12 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh @@ -490,18 +511,32 @@ < incoming firewall access < incoming overhead in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -531,6 +566,7 @@ < modem status < monitor interface < most preferred +< mtu < MTU settings < nameserver < never @@ -632,6 +668,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -696,6 +733,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead 
@@ -782,8 +820,27 @@ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< cryptographic settings +< default IP address < dnsforward forward_servers +< interface mode +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid ip or hostname +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address +< mtu +< subnet mask +< transport mode does not support vti ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -853,7 +910,9 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning +< default IP address < dhcp dns enable update < dhcp dns key name < dhcp dns update @@ -918,10 +977,24 @@ < guardian < incoming compression in bytes per second < incoming overhead in bytes per second +< interface mode < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address < log server protocol < masquerade blue < masquerade green 
@@ -930,6 +1003,7 @@ < masquerading disabled < masquerading enabled < messages +< mtu < MTU settings < none < Number of Countries for the pie chart @@ -955,9 +1029,11 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask < tcp more reliable < ten minutes < thirty minutes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -1070,8 +1146,10 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning < default +< default IP address < dh < dhcp dns enable update < dhcp dns key name @@ -1154,10 +1232,24 @@ < imsi < incoming compression in bytes per second < incoming overhead in bytes per second +< interface mode < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address < log server protocol < masquerade blue < masquerade green @@ -1180,6 +1272,7 @@ < modem sim information < modem status < monitor interface +< mtu < MTU settings < nameserver < never @@ -1223,11 +1316,13 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask < ta key < tcp more reliable < ten minutes < teovpn_fragment < thirty minutes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -1403,10 +1498,12 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh 
@@ -1709,18 +1806,32 @@ < incoming firewall access < incoming overhead in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -1750,6 +1861,7 @@ < modem status < monitor interface < most preferred +< mtu < MTU settings < nameserver < never @@ -1836,6 +1948,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -1899,6 +2012,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead @@ -2116,11 +2230,13 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < day-graph < dead peer detection < default < default ip +< default IP address < deprecated fs warn < details < dh 
@@ -2428,18 +2544,32 @@ < incoming overhead in bytes per second < incoming traffic in bytes per second < integrity +< interface mode < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec settings < last < least preferred < lifetime +< local ip address < log server protocol < mac filter < masquerade blue @@ -2470,6 +2600,7 @@ < monitor interface < month-graph < most preferred +< mtu < MTU settings < nameserver < never @@ -2553,6 +2684,7 @@ < ssh no active logins < ssh username < static routes +< subnet mask < support donation < system has hwrng < system has rdrand @@ -2616,6 +2748,7 @@ < tor traffic limit soft < tor traffic read written < tor use exit nodes +< transport mode does not support vti < twelve hours < two weeks < udp less overhead 
@@ -2705,10 +2838,27 @@ # Checking cgi-bin translations for language: tr # ############################################################################ < crypto error +< cryptographic settings < crypto warning +< default IP address < dnsforward forward_servers < fwdfw all subnets +< interface mode +< invalid input for interface address +< invalid input for interface mode +< invalid input for interface mtu +< invalid input for local ip address +< invalid input for mode < invalid ip or hostname +< ipsec connection +< ipsec interface mode gre +< ipsec interface mode none +< ipsec interface mode vti +< ipsec mode transport +< ipsec mode tunnel +< ipsec settings +< local ip address +< mtu < ovpn error dh < ovpn error md5 < ovpn warning rfc3280 @@ -2716,6 +2866,8 @@ < ssh login time < ssh no active logins < ssh username +< subnet mask +< transport mode does not support vti < vpn start action add < vpn wait < wlanap neighbor scan diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 03dc3574d0..c7bf9f3232 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -367,13 +367,12 @@ END } #check if IPSEC is running if ( $vpnsettings{'ENABLED'} eq 'on' || $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { - my $ipsecip = $vpnsettings{'VPN_IP'}; print< $Lang::tr{'ipsec'} - $ipsecip + Online END diff --git a/html/cgi-bin/netovpnsrv.cgi b/html/cgi-bin/netovpnsrv.cgi index ddf41771a5..77c69cddb1 100755 --- a/html/cgi-bin/netovpnsrv.cgi +++ b/html/cgi-bin/netovpnsrv.cgi 
@@ -35,8 +35,20 @@ my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+my %vpnsettings = ();
+&General::readhasharray("${General::swroot}/vpn/config", \%vpnsettings);
+
 my @vpns=();
+# Make list of all IPsec graphs
+my %ipsecgraphs = ();
+foreach my $key (sort {$vpnsettings{$a}[1] <=> $vpnsettings{$b}[1]} keys %vpnsettings) {
+ my $interface_mode = $vpnsettings{$key}[36];
+ next unless ($interface_mode);
+
+ $ipsecgraphs{$vpnsettings{$key}[1]} = "${interface_mode}${key}";
+}
+
 my @querry = split(/\?/,$ENV{'QUERY_STRING'});
 $querry[0] = '' unless defined $querry[0];
 $querry[1] = 'week' unless defined $querry[1];
@@ -44,7 +56,11 @@ $querry[1] = 'week' unless defined $querry[1];
 if ( $querry[0] ne ""){
 print "Content-type: image/png\n\n";
 binmode(STDOUT);
- &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ if (grep { $_ eq $querry[0] } values %ipsecgraphs) {
+ &Graphs::updateifgraph($querry[0],$querry[1]);
+ } else {
+ &Graphs::updatevpnn2ngraph($querry[0],$querry[1]);
+ }
 }else{
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'vpn statistic n2n'}, 1, '');
@@ -56,7 +72,13 @@ if ( $querry[0] ne ""){
 push(@vpns,$2);
 }
 }
- if (@vpns){
+ if (@vpns || %ipsecgraphs) {
+ foreach my $name (sort keys %ipsecgraphs) {
+ &Header::openbox('100%', 'center', "$Lang::tr{'ipsec connection'}: $name");
+ &Graphs::makegraphbox("netovpnsrv.cgi", $ipsecgraphs{$name}, "day");
+ &Header::closebox();
+ }
+
 foreach (@vpns) {
 &Header::openbox('100%', 'center', "$_ $Lang::tr{'graph'}");
 &Graphs::makegraphbox("netovpnsrv.cgi",$_, "day");
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index a5d27c8d83..c84884239a 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
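Review bot: The sort comparator in the first hunk compares connection names (`$vpnsettings{$key}[1]`) with `<=>`, which is numeric; the names are strings, so the order it produces is meaningless and, under `use warnings`, every non-numeric name logs an "isn't numeric" warning per request. Because the loop only populates a hash, the ordering is not needed at all: `foreach my $key (keys %vpnsettings) {` is sufficient, or use `cmp` if a stable order is wanted for some other reason. In the third hunk `$name` goes from the vpn config file straight into the box title; I assume the name is constrained to a safe character set when a connection is saved in vpnmain.cgi, but that check is not visible here, so a short comment naming that precondition would help the next reader.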
@@ -69,6 +69,10 @@ my %INACTIVITY_TIMEOUTS = (
 0 => "- $Lang::tr{'unlimited'} -",
 );
+# Load aliases
+my %aliases;
+&General::get_aliases(\%aliases);
+
 my $col="";
 $cgiparams{'ENABLED'} = 'off';
@@ -81,6 +85,7 @@ $cgiparams{'ADVANCED'} = '';
 $cgiparams{'NAME'} = '';
 $cgiparams{'LOCAL_SUBNET'} = '';
 $cgiparams{'REMOTE_SUBNET'} = '';
+$cgiparams{'LOCAL'} = '';
 $cgiparams{'REMOTE'} = '';
 $cgiparams{'LOCAL_ID'} = '';
 $cgiparams{'REMOTE_ID'} = '';
@@ -109,8 +114,12 @@ $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
-$cgiparams{'START_ACTION'} = 'start';
-$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 ###
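Review bot: The third hunk raises the `INACTIVITY_TIMEOUT` default to 1800, but later hunks of this same file still set `$cgiparams{'INACTIVITY_TIMEOUT'} = 900;` both as the fallback when an existing connection is loaded for editing and in the new-connection branch, so the 1800 is overwritten on every path that renders the form and the two defaults silently disagree. Pick one value and use it at all three sites, or drop the change here. The `START_ACTION` default also moves from 'start' to 'route' in the same hunk; a one-line comment such as `# New connections default to on-demand (route) rather than always-on` would make that deliberate rather than look accidental.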
@@ -280,26 +289,43 @@ sub writeipsecfiles {
 #remote peer is not set? => use '%any'
 $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+ # Field 6 might be "off" on old installations
+ if ($lconfighash{$key}[6] eq "off") {
+ $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
+ }
+
 my $localside;
- if ($lconfighash{$key}[26] eq 'BLUE') {
- $localside = $netsettings{'BLUE_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'GREEN') {
- $localside = $netsettings{'GREEN_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
- $localside = $netsettings{'ORANGE_ADDRESS'};
- } else { # it is RED
- $localside = $lvpnsettings{'VPN_IP'};
+ if ($lconfighash{$key}[6]) {
+ $localside = $lconfighash{$key}[6];
+ } else {
+ $localside = "%defaultroute";
 }
+ my $interface_mode = $lconfighash{$key}[36];
+
 print CONF "conn $lconfighash{$key}[1]\n";
 print CONF "\tleft=$localside\n";
- print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+ if ($interface_mode eq "gre") {
+ print CONF "\tleftprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\tleftsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+ }
+
 print CONF "\tleftfirewall=yes\n";
 print CONF "\tlefthostaccess=yes\n";
 print CONF "\tright=$lconfighash{$key}[10]\n";
 if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+ if ($interface_mode eq "gre") {
+ print CONF "\trightprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\trightsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+ }
 }
 # Local Cert and Remote Cert (unless auth is DN dn-auth)
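Review bot: The "vti" branches write `leftsubnet=0.0.0.0/0` and `rightsubnet=0.0.0.0/0`, which is exactly the catch-all that `make_subnets("right", ...)` refuses elsewhere in this change because it makes the whole system unreachable; here it is only acceptable because a VTI connection also gets a `mark=$key` and its own interface, and nothing in the hunk says so. Suggest `# 0.0.0.0/0 is only safe for VTI: the SA is mark-bound (mark=$key below) and traffic is steered through the VTI interface, not the policy` above the first vti branch. Note also that the left-side gre/vti output is emitted for every connection type while the right side is guarded by `[3] eq 'net'`, so a host-type entry with field 36 set would get a bare `leftprotoport=gre`; whether the save path prevents that is not visible from this hunk. The function continues outside the hunk.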
@@ -312,6 +338,18 @@ sub writeipsecfiles {
 print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
 print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Set mode
+ if ($lconfighash{$key}[35] eq "transport") {
+ print CONF "\ttype=transport\n";
+ } else {
+ print CONF "\ttype=tunnel\n";
+ }
+
+ # Add mark for VTI
+ if ($interface_mode eq "vti") {
+ print CONF "\tmark=$key\n";
+ }
+
 # Is PFS enabled?
 my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
@@ -467,25 +505,12 @@ if ($ENV{"REMOTE_ADDR"} eq "") {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
- $errormessage = $Lang::tr{'invalid time period'};
- goto SAVE_ERROR;
- }
-
 if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
 $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
 goto SAVE_ERROR;
 }
 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
 $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
 &writeipsecfiles();
@@ -1287,7 +1312,7 @@ END
 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6];
 $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
 my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
 $cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
@@ -1316,6 +1341,10 @@ END
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -1329,6 +1358,10 @@ END
 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
 }
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1366,6 +1399,13 @@ END
 goto VPNCONF_ERROR;
 }
+ if ($cgiparams{'LOCAL'}) {
+ if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
+ $errormessage = $Lang::tr{'invalid input for local ip address'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
 if ($cgiparams{'REMOTE'}) {
 if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
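Review bot: Connections saved before this change have no field 38, so the edit path in the second hunk loads `INTERFACE_MTU` as an empty string; the third hunk adds a fallback for `MODE` in that situation but not for the MTU, and if the form echoes the empty value back the later save-time check (`/^\d+$/`) rejects an otherwise untouched connection. Add `$cgiparams{'INTERFACE_MTU'} = 1500 if ($cgiparams{'INTERFACE_MTU'} eq "");` next to the `MODE` default so the two legacy fallbacks live together. In the fourth hunk the inner `($cgiparams{'LOCAL'} ne "")` is already implied by the enclosing `if ($cgiparams{'LOCAL'})`; `if ($cgiparams{'LOCAL'} && !&General::validip($cgiparams{'LOCAL'})) {` says the same thing in one level. The enclosing elsif branch continues outside the hunk.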
@@ -1407,6 +1447,31 @@ END
 goto VPNCONF_ERROR;
 }
 }
+
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
+ $errormessage = $Lang::tr{'transport mode does not support vti'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+ $errormessage = $Lang::tr{'invalid input for interface address'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mtu'};
+ goto VPNCONF_ERROR;
+ }
 }
 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
@@ -1811,7 +1876,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
@@ -1829,6 +1894,7 @@ END
 my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
 $confighash{$key}[11] = join('|', @remote_subnets);
 }
+ $confighash{$key}[6] = $cgiparams{'LOCAL'};
 $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
 my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
 $confighash{$key}[8] = join('|', @local_subnets);
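Review bot: The `INTERFACE_MTU` check in the first hunk accepts any digit string, including `0` and values no interface can carry, and the value is stored and presumably passed on to interface creation; a bounded check is warranted, e.g. `if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+\z/ || $cgiparams{'INTERFACE_MTU'} < 68 || $cgiparams{'INTERFACE_MTU'} > 65535) {` (constructed bounds — confirm against what ipsec-interfaces accepts). The gre/vti checks are also not conditioned on `TYPE eq 'net'`, although the form only offers the IPsec settings box for net connections, so a host connection can still arrive with `INTERFACE_MODE` set and the generated config then carries gre/vti options for it; `$cgiparams{'INTERFACE_MODE'} = "" unless ($cgiparams{'TYPE'} eq 'net');` before these checks would close that gap. The `$` anchors in the new regexes admit a trailing newline, which `\z` does not. The enclosing save branch starts outside the hunk.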
@@ -1856,9 +1922,12 @@ END
 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
 $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
 $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
+ $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+ $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+ $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
 # free unused fields!
- $confighash{$key}[6] = 'off';
 $confighash{$key}[15] = 'off';
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
@@ -1881,7 +1950,12 @@ END
 } else {
 $cgiparams{'AUTH'} = 'certgen';
 }
- $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+ if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+ $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+ } else {
+ $cgiparams{"LOCAL_SUBNET"} = "";
+ }
 $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
 $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
@@ -1930,6 +2004,10 @@ END
 $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
 $cgiparams{'PFS'} = 'on'; #[28];
 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
+ $cgiparams{'INTERFACE_MODE'} = "";
+ $cgiparams{'INTERFACE_ADDRESS'} = "";
+ $cgiparams{'INTERFACE_MTU'} = 1500;
 }
 VPNCONF_ERROR:
@@ -1949,6 +2027,23 @@ VPNCONF_ERROR: $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + + $selected{'INTERFACE_MODE'}{''} = ''; + $selected{'INTERFACE_MODE'}{'gre'} = ''; + $selected{'INTERFACE_MODE'}{'vti'} = ''; + $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'"; + + $selected{'LOCAL'}{''} = ''; + foreach my $alias (sort keys %aliases) { + my $address = $aliases{$alias}{'IPT'}; + + $selected{'LOCAL'}{$address} = ''; + } + $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -1985,6 +2080,7 @@ VPNCONF_ERROR: + END ; if ($cgiparams{'KEY'}) { @@ -2021,25 +2117,44 @@ EOF my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets); - print < $Lang::tr{'enabled'} - $Lang::tr{'local subnet'} * - - - + + $Lang::tr{'local ip address'}: + + + + + $Lang::tr{'local subnet'} * + + + $Lang::tr{'remote subnet'} $blob - + 
@@ -2067,6 +2182,51 @@ END print ""; &Header::closebox(); + if ($cgiparams{'TYPE'} eq 'net') { + &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'}); + print < + + + $Lang::tr{'mode'}: + + + + + + + + $Lang::tr{'interface mode'}: + + + + + $Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}: + + + + + + + $Lang::tr{'mtu'}: + + + + + + + +EOF + &Header::closebox(); + } + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print </dev/null`; - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = ; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); @@ -2782,35 +2934,21 @@ EOF print < - - - - - -END -; -print < - - - - - - - -
$Lang::tr{'vpn red name'}: *$Lang::tr{'enabled'}
$Lang::tr{'vpn delayed start'}: **
$Lang::tr{'host to net vpn'}:
-
-
- - - - - - - - - - + + + + + + + + + + +
*$Lang::tr{'required field'}
**  $Lang::tr{'vpn delayed start help'}
+ $Lang::tr{'enabled'} + + +
$Lang::tr{'host to net vpn'}:
END ; @@ -3212,13 +3350,19 @@ sub make_algos($$$$$) { return &array_unique(\@algos); } -sub make_subnets($) { +sub make_subnets($$) { + my $direction = shift; my $subnets = shift; my @nets = split(/\|/, $subnets); my @cidr_nets = (); foreach my $net (@nets) { my $cidr_net = &General::ipcidr($net); + + # Skip 0.0.0.0/0 for remote because this renders the + # while system inaccessible + next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0")); + push(@cidr_nets, $cidr_net); } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 2f3ed41bc4..cbb09ef595 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2717,8 +2717,8 @@ 'vpn start action add' => 'Auf Verbindungseingang warten', 'vpn start action route' => 'Bei Bedarf', 'vpn start action start' => 'Immer An', -'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik', -'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik', +'vpn statistic n2n' => 'VPN: Netz-zu-Netz-Statistik', +'vpn statistic rw' => 'VPN: Roadwarrior-Statistik', 'vpn subjectaltname' => 'Subjekt Alternativer Name', 'vpn wait' => 'WARTE', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 258176970f..4f4b4d9c1b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -684,6 +684,7 @@ 'cron server' => 'CRON Server', 'crypto error' => 'Cryptographic error', 'crypto warning' => 'Cryptographic warning', +'cryptographic settings' => 'Cryptographic Settings', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -725,6 +726,7 @@ 'deep scan directories' => 'Scan recursive', 'def lease time' => 'Default Lease Time', 'default' => 'Default', +'default IP address' => 'Default IP Address', 'default ip' => 'Default IP address', 'default lease time' => 'Default lease time (mins):', 'default networks' => 'Default networks', 
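Review bot: The new comment in the make_subnets hunk reads "while system" where "whole system" is meant, and it states the reason for the skip but not its consequence: when 0.0.0.0/0 is the only remote subnet, `@cidr_nets` ends up empty and the caller (presumably joining the list) writes a `rightsubnet=` line with nothing after it, so the misconfiguration is hidden rather than reported. Rejecting 0.0.0.0/0 as a remote subnet at validation time would be clearer than dropping it silently here; at minimum the comment should say `# Skip 0.0.0.0/0 for remote because this renders the whole system inaccessible; an all-zero remote therefore yields an empty list`. The `($$)` prototype is not argument checking and is bypassed anyway by the `&make_subnets(...)` call sites, so the idiomatic form is `sub make_subnets {` with `my ($direction, $subnets) = @_;`. The function's return is outside the hunk.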
@@ -1392,6 +1394,7 @@ 'instant update' => 'Instant Update', 'integrity' => 'Integrity:', 'interface' => 'Interface', +'interface mode' => 'Interface', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', 'intrusion detection' => 'Intrusion Detection', @@ -1425,10 +1428,15 @@ 'invalid input for hostname' => 'Invalid input for hostname.', 'invalid input for ike lifetime' => 'Invalid input for IKE lifetime', 'invalid input for inactivity timeout' => 'Invalid input for Inactivity Timeout', +'invalid input for interface address' => 'Invalid input for interface address', +'invalid input for interface mode' => 'Invalid input for interface mode', +'invalid input for interface mtu' => 'Invalid input to interface MTU', 'invalid input for keepalive 1' => 'Invalid input for Keepalive ping', 'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2', 'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart', +'invalid input for local ip address' => 'Invalid input for local IP address', 'invalid input for max clients' => 'Invalid input for Max Clients', +'invalid input for mode' => 'Invalid input for mode', 'invalid input for name' => 'Invalid input for user\'s full name or system hostname', 'invalid input for oink code' => 'Invalid input for Oink code', 'invalid input for organization' => 'Invalid input for organization', 
@@ -1481,8 +1489,15 @@ 'ipfires hostname' => 'IPFire\'s Hostname', 'ipinfo' => 'IP info', 'ipsec' => 'IPsec', +'ipsec connection' => 'IPsec Connection', +'ipsec interface mode gre' => 'GRE', +'ipsec interface mode none' => '- None (Default) -', +'ipsec interface mode vti' => 'VTI', +'ipsec mode transport' => 'Transport', +'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', +'ipsec settings' => 'IPsec Settings', 'iptable rules' => 'IPTable rules', 'iptmangles' => 'IPTable Mangles', 'iptnats' => 'IPTable Network Address Translation', @@ -1518,6 +1533,7 @@ 'load printer' => 'Load Printer', 'loaded modules' => 'Loaded modules:', 'local hard disk' => 'Hard disk', +'local ip address' => 'Local IP Address', 'local master' => 'Local Master', 'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled', 'local subnet' => 'Local subnet:', @@ -1684,6 +1700,7 @@ 'mpfire search' => 'MPFire Search', 'mpfire songs' => 'MPFire songlist', 'mpfire webradio' => 'MPFire Webradio', +'mtu' => 'MTU', 'mtu QoS' => 'This does not change the global MTU, it only sets MTU for QoS.', 'my new share' => 'My new share', 'name' => 'Name', @@ -2239,6 +2256,7 @@ 'subject warn' => 'Warning - warnlevel reached', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmask is invalid', +'subnet mask' => 'Subnet Mask', 'subscripted user rules' => 'Sourcefire VRT rules with subscription', 'successfully refreshed updates list' => 'Successfully refreshed updates list.', 'summaries kept' => 'Keep summaries for', @@ -2371,6 +2389,7 @@ 'trafficto' => 'To', 'transfer limits' => 'Transfer limits', 'transparent on' => 'Transparent on', +'transport mode does not support vti' => 'VTI is not support in transport mode', 'tripwire' => 'Tripwire', 'tripwire cronjob' => 'tripwire cronjob', 'tripwire functions' => 'tripwire functions', 
@@ -2762,8 +2781,8 @@ 'vpn start action add' => 'Wait for connection initiation', 'vpn start action route' => 'On Demand', 'vpn start action start' => 'Always On', -'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics', -'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics', +'vpn statistic n2n' => 'VPN: Net-to-Net Statistics', +'vpn statistic rw' => 'VPN: Roadwarrior Statistics', 'vpn subjectaltname' => 'Subject Alt Name', 'vpn wait' => 'WAITING', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index b89254b591..3fa686994c 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -2761,8 +2761,8 @@ 'vpn start action add' => 'Attendre l\'initialisation de la connexion', 'vpn start action route' => 'A la demande', 'vpn start action start' => 'Toujours démarré', -'vpn statistic n2n' => 'Stats OpenVPN (site-à-site)', -'vpn statistic rw' => 'Stats OpenVPN (client nomade)', +'vpn statistic n2n' => 'Stats VPN (site-à-site)', +'vpn statistic rw' => 'Stats VPN (client nomade)', 'vpn subjectaltname' => 'Subject Alt Name', 'vpn wait' => 'ATTENTE', 'vpn watch' => 'Redémarrer le VPN site-à-site si l\'IP hôte distant change (dyndns).', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 53f0afc7af..114d0a2976 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -2750,8 +2750,8 @@ 'vpn start action' => 'Hareketi Başlat', 'vpn start action route' => 'İstek Üzerine', 'vpn start action start' => 'Her Zaman', -'vpn statistic n2n' => 'Ağdan Ağa OpenVPN İstatistiği', -'vpn statistic rw' => 'Roadwarrior OpenVPN İstatistiği', +'vpn statistic n2n' => 'Ağdan Ağa VPN İstatistiği', +'vpn statistic rw' => 'Roadwarrior VPN İstatistiği', 'vpn subjectaltname' => 'Alternatif konu adı', 'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.', 'vpn weak' => 'Hafta', 
diff --git a/lfs/configroot b/lfs/configroot
index 3cdd780fc7..4e6751eeef 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -111,7 +111,6 @@ $(TARGET) :
 cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices.default
 # Oneliner configfiles
 echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings
- echo "VPN_DELAYED_START=0" >>$(CONFIG_ROOT)/vpn/settings
 echo "01" > $(CONFIG_ROOT)/certs/serial
 echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf
 echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings
diff --git a/lfs/stage2 b/lfs/stage2
index 7e8dfe3169..4b8f0bc811 100644
--- a/lfs/stage2
+++ b/lfs/stage2
@@ -115,8 +115,8 @@ endif
 /usr/lib/firewall/rules.pl
 install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
 /usr/lib/firewall/firewall-lib.pl
- install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
- /usr/lib/firewall/ipsec-block
+ install -m 755 $(DIR_SRC)/config/firewall/ipsec-policy \
+ /usr/lib/firewall/ipsec-policy
 # Nobody user
 -mkdir -p /home/nobody
diff --git a/lfs/strongswan b/lfs/strongswan
index 99261ce934..4174f78fe5 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
 cd $(DIR_APP) && ./configure \
 --prefix="/usr" \
diff --git a/src/initscripts/networking/red.up/50-ipsec b/src/initscripts/networking/red.up/50-ipsec
index 99abf45923..c5e043f21c 100644
--- a/src/initscripts/networking/red.up/50-ipsec
+++ b/src/initscripts/networking/red.up/50-ipsec
@@ -1,7 +1,3 @@
 #!/bin/bash
-eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
-
-sleep $VPN_DELAYED_START && /usr/local/bin/ipsecctrl S &
-
-exit 0
+exec /usr/local/bin/ipsecctrl S
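Review bot: Replacing the backgrounded `sleep ... && ipsecctrl S &` with `exec /usr/local/bin/ipsecctrl S` in the 50-ipsec hunk turns the red.up hook from fire-and-forget into a synchronous call: presumably whatever runs after 50-ipsec now waits for `ipsec restart` to complete, and the hook's exit status becomes ipsecctrl's instead of the unconditional 0 that was removed. If both are intended, say so in the script, e.g. `# Synchronous on purpose: later red.up hooks run only after IPsec has been restarted`. The removal of VPN_DELAYED_START is consistent between this hunk and the lfs/configroot hunk above.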
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b9dd3485e0..2739a68343 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -360,8 +360,8 @@ iptables_init() {
 iptables -t nat -N REDNAT
 iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain
- /usr/lib/firewall/ipsec-block
+ # Populate IPsec chains
+ /usr/lib/firewall/ipsec-policy
 # Apply OpenVPN firewall rules
 /usr/local/bin/openvpnctrl --firewall-rules
diff --git a/src/initscripts/system/network b/src/initscripts/system/network
index b29ca2ca5b..6e7120885f 100644
--- a/src/initscripts/system/network
+++ b/src/initscripts/system/network
@@ -63,6 +63,9 @@ case "${DO}" in
 fi
 fi
+ # Create IPsec interfaces
+ /usr/local/bin/ipsec-interfaces
+
 /etc/rc.d/init.d/static-routes start
 ;;
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 9afc409ca9..2a64775f02 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -52,42 +52,6 @@ static void ipsec_reload() {
 safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
 }
-/*
- ACCEPT the ipsec protocol ah, esp & udp (for nat traversal) on the specified interface
-*/
-void open_physical (char *interface, int nat_traversal_port) {
- char str[STRING_SIZE];
-
- // IKE
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
- safe_system(str);
-
- if (! nat_traversal_port)
- return;
-
- sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
- safe_system(str);
- sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
-}
-
-void ipsec_norules() {
- /* clear input rules */
- safe_system("/sbin/iptables --wait -F IPSECINPUT");
- safe_system("/sbin/iptables --wait -F IPSECFORWARD");
- safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
-}
-
 /*
 return values from the vpn config file or false if not 'on'
 */
@@ -152,15 +116,18 @@ void turn_connection_on(char *name, char *type) {
 "/usr/sbin/ipsec down %s >/dev/null", name);
 safe_system(command);
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
 // Reload the configuration into the daemon (#10339).
 ipsec_reload();
 // Bring the connection up again.
 snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec up %s >/dev/null", name);
+ "/usr/sbin/ipsec stroke up-nb %s >/dev/null", name);
 safe_system(command);
 }
@@ -182,13 +149,14 @@ void turn_connection_off (char *name) {
 // Reload, so the connection is dropped.
 ipsec_reload();
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+
+ // Create or destroy interfaces
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
 }
 int main(int argc, char *argv[]) {
- char configtype[STRING_SIZE];
- char redtype[STRING_SIZE] = "";
 struct keyvalue *kv = NULL;
 if (argc < 2) {
@@ -197,9 +165,8 @@ int main(int argc, char *argv[]) {
 }
 if (!(initsetuid())) exit(1);
-
- FILE *file = NULL;
-
+
+ FILE *file = NULL;
 if (strcmp(argv[1], "I") == 0) {
 safe_system("/usr/sbin/ipsec status");
@@ -219,7 +186,8 @@ int main(int argc, char *argv[]) {
 if (argc == 2) {
 if (strcmp(argv[1], "D") == 0) {
 safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
- ipsec_norules();
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
 exit(0);
 }
 }
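Review bot: The new `stroke up-nb` line in the first hunk still builds the shell command from `name` with snprintf, in a program that runs after `initsetuid()`; whether that is safe depends entirely on the connection name having been restricted to a safe character set before it reaches ipsecctrl, which this hunk does not show, so a comment on turn_connection_on such as `/* name is interpolated into a shell command: callers must pass an already-validated connection name */` would make the precondition visible. Switching from `ipsec up` to the non-blocking `stroke up-nb` also means turn_connection_on now returns before the SA is established; if anything called afterwards assumes the tunnel is up, that assumption no longer holds and deserves a note at the call site. Both functions in this span continue or begin outside the hunks.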
@@ -241,82 +209,12 @@ int main(int argc, char *argv[]) {
 exit(0);
 }
- /* read interface settings */
- kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
- if (!findkey(kv, "CONFIG_TYPE", configtype))
- {
- fprintf(stderr, "Cannot read CONFIG_TYPE\n");
- exit(1);
- }
- findkey(kv, "RED_TYPE", redtype);
-
-
- /* Loop through the config file to find physical interface that will accept IPSEC */
- int enable_red=0; // states 0: not used
- int enable_green=0; // 1: error condition
- int enable_orange=0; // 2: good
- int enable_blue=0;
- char if_red[STRING_SIZE] = "";
- char if_green[STRING_SIZE] = "";
- char if_orange[STRING_SIZE] = "";
- char if_blue[STRING_SIZE] = "";
 char s[STRING_SIZE];
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red++;
- }
-
- // Check if GREEN is enabled.
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
-
- // Check if ORANGE is enabled.
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
-
- // Check if BLUE is enabled.
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
-
- freekeyvalues(kv);
-
- // exit if nothing to do
- if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
- exit(0);
-
- // open needed ports
- if (enable_red > 0)
- open_physical(if_red, 4500);
-
- if (enable_green > 0)
- open_physical(if_green, 4500);
-
- if (enable_orange > 0)
- open_physical(if_orange, 4500);
-
- if (enable_blue > 0)
- open_physical(if_blue, 4500);
-
- // start the system
+ // start the system
 if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
+ safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
 safe_system("/usr/sbin/ipsec restart >/dev/null");
 exit(0);
 }
diff --git a/src/patches/strongswan-ipfire-interfaces.patch b/src/patches/strongswan-ipfire-interfaces.patch
new file mode 100644
index 0000000000..5ec96a48a2
--- /dev/null
+++ b/src/patches/strongswan-ipfire-interfaces.patch
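Review bot: In the "S" branch, `safe_system("/usr/lib/firewall/ipsec-policy >/dev/null")` and the ipsec-interfaces call run before `ipsec restart` but their results are ignored, so a policy script that fails (missing, not executable, or an error while reading the config) goes unnoticed and the daemon is still restarted without the matching firewall policy in place. If safe_system() reports the child's exit status (its definition is outside the hunk), checking it and aborting before the restart would be the defensive choice, e.g. `if (safe_system("/usr/lib/firewall/ipsec-policy >/dev/null")) { fprintf(stderr, "ipsec-policy failed\n"); exit(1); }`. The removed block also exited early when no interface was configured; the new code always restarts the daemon, which is presumably intended now that the per-interface ACCEPT rules are no longer opened here, but a one-line comment saying so would spare the next reader the archaeology. Whatever uses the surviving `char s[STRING_SIZE];` is now past the end of the hunk; main continues beyond it.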
@@ -0,0 +1,72 @@
+--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
++++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ # address family.
+ #
+
++VARS=(
++ id status name lefthost type ctype psk local local_id leftsubnets
++ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
++ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
++ route x23 mode interface_mode interface_address interface_mtu rest
++)
++
+ function ip_encode() {
+ local IFS=.
+
+@@ -319,6 +326,13 @@
+ fi
+ ;;
+ up-client:iptables)
++ # Read IPsec configuration
++ while IFS="," read -r "${VARS[@]}"; do
++ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
++ break
++ fi
++ done < /var/ipfire/vpn/config
++
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
++ if [ -z "${interface_mode}" ]; then
++ # Add source nat so also the gateway can access the other nets
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? -eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+
+ # Flush routing cache
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
new file mode 100644
index 0000000000..0e43fccbc8
--- /dev/null
+++ b/src/scripts/ipsec-interfaces
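Review bot: In the added `up-client:iptables)` loop, the variables filled by `read -r "${VARS[@]}"` keep the values of the last record of /var/ipfire/vpn/config when no line matches `${PLUTO_CONNECTION}`, so the later `if [ -z "${interface_mode}" ]` test in the third inner hunk can see another connection's interface_mode and silently skip the SNAT rule for a tunnel that needs it. Initialise the field before the loop, `interface_mode=""`, and clear it again when the loop falls through, e.g. `[ "${PLUTO_CONNECTION}" = "${name}" ] || interface_mode=""` right after `done`. The same loop also reads the `psk` field into the updown script's shell variables; it is neither exported nor logged here, but an `unset psk` after the loop keeps it out of any later `set` dump or trace output. The surrounding `case` block and the function enclosing it are outside the hunk.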
@@ -0,0 +1,172 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+shopt -s nullglob
+
+VPN_CONFIG="/var/ipfire/vpn/config"
+
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
+log() {
+ logger -t ipsec "$@"
+}
+
+resolve_hostname() {
+ local hostname="${1}"
+
+ dig +short A "${hostname}" | tail -n1
+}
+
+main() {
+ # Register local variables
+ local "${VARS[@]}"
+ local action
+
+ local interfaces=()
+
+ # We are done when IPsec is not enabled
+ if [ "${ENABLED}" = "on" ]; then
+ while IFS="," read -r "${VARS[@]}"; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Determine the interface name
+ case "${interface_mode}" in
+ gre|vti)
+ local intf="${interface_mode}${id}"
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ # Add the interface to the list of all interfaces
+ interfaces+=( "${intf}" )
+
+ # Compat for older connections
+ if [ "${local}" = "off" ]; then
+ if [ "${VPN_IP}" = "%defaultroute" ]; then
+ local=""
+ else
+ local="${VPN_IP}"
+ fi
+ fi
+
+ # Handle %defaultroute
+ if [ -z "${local}" ]; then
+ if [ -r "/var/ipfire/red/local-ipaddress" ]; then
+ local="$(/dev/null
+
+ # Create a new interface and bring it up
+ else
+ log "Creating interface ${intf}"
+ if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
+ log "Could not create interface ${intf}"
+ continue
+ fi
+ fi
+
+ # Add an IP address
+ ip addr flush dev "${intf}"
+ ip addr add "${interface_address}" dev "${intf}"
+
+ # Set MTU
+ ip link set dev "${intf}" mtu "${interface_mtu}"
+
+ # Bring up the interface
+ ip link set dev "${intf}" up
+ done < "${VPN_CONFIG}"
+ fi
+
+ # Delete all other interfaces
+ local intf
+ for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
+ intf="$(basename "${intf}")"
+
+ # Ignore a couple of interfaces that cannot be deleted
+ case "${intf}" in
+ gre0|gretap0)
+ continue
+ ;;
+ esac
+
+ # Check if interface is on the list
+ local i found="false"
+ for i in ${interfaces[@]}; do
+ if [ "${intf}" = "${i}" ]; then
+ found="true"
+ break
+ fi
+ done
+
+ # Nothing to do if interface was found
+ ${found} && continue
+
+ # Delete the interface
+ log "Deleting interface ${intf}"
+ ip link del "${intf}" &>/dev/null
+ done
+}
+
+main || exit $?
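Review bot: `intf="${interface_mode}${id}"` takes `id` straight from the config record without checking that it is numeric, while the clean-up pass only globs `/sys/class/net/gre[0-9]*` and `vti[0-9]*`, so a record whose id is empty or non-numeric yields an interface (or a failing `ip link add`) that is never garbage-collected; `[[ "${id}" =~ ^[0-9]+$ ]] || continue` next to the `case "${interface_mode}"` check closes that gap. `${found} && continue` executes the variable's contents as a command and only works while `found` is exactly `true` or `false`; `[ "${found}" = "true" ] && continue` says what is meant, and `for i in ${interfaces[@]}` should be quoted as `"${interfaces[@]}"`. `main || exit $?` propagates only the status of the final `for` loop, so a failed `ip addr add` or `ip link set` inside the while loop is not reflected in the exit status and the script still exits 0. The stretch of the loop body between the `%defaultroute` handling and `# Create a new interface and bring it up` is not readable in this rendering, so it was not reviewed.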