From 29f5e0e2b9e0f3996ade9d9ba5a8834ae8480f28 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 27 Nov 2018 18:38:51 +0000 Subject: [PATCH] IPsec: Add selection for transport/tunnel mode Signed-off-by: Michael Tremer --- doc/language_issues.de | 5 ++++- doc/language_issues.en | 5 +++++ doc/language_issues.es | 5 ++++- doc/language_issues.fr | 5 ++++- doc/language_issues.it | 5 ++++- doc/language_issues.nl | 5 ++++- doc/language_issues.pl | 5 ++++- doc/language_issues.ru | 5 ++++- doc/language_issues.tr | 5 ++++- doc/language_missings | 32 +++++++++++++++++++++++++++++ html/cgi-bin/vpnmain.cgi | 44 +++++++++++++++++++++++++++++++++++++++- langs/en/cgi-bin/en.pl | 4 ++++ 12 files changed, 116 insertions(+), 9 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index c5dad0168a..6d793fd1a1 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -733,6 +732,7 @@ WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: addons = Addons WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: fwhost cust geoipgrp = unknown string 
@@ -775,6 +775,9 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: invalid input for mode = Invalid input for mode +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: no data = unknown string WARNING: untranslated string: none = none WARNING: untranslated string: qos add subclass = Add subclass diff --git a/doc/language_issues.en b/doc/language_issues.en index 3e16e21808..eead5113d1 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -505,6 +505,7 @@ WARNING: untranslated string: crl = Certificate Revocation List WARNING: untranslated string: cron server = CRON Server WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: current = Current WARNING: untranslated string: current aliases = Current aliases WARNING: untranslated string: current class = Current class 
@@ -1083,6 +1084,7 @@ WARNING: untranslated string: invalid input for keepalive 1 = Invalid input for WARNING: untranslated string: invalid input for keepalive 1:2 = Invalid input for Keepalive use at least a ratio of 1:2 WARNING: untranslated string: invalid input for keepalive 2 = Invalid input for Keepalive ping-restart WARNING: untranslated string: invalid input for max clients = Invalid input for Max Clients +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for name = Invalid input for user's full name or system hostname WARNING: untranslated string: invalid input for oink code = Invalid input for Oink code WARNING: untranslated string: invalid input for organization = Invalid input for organization @@ -1126,6 +1128,8 @@ WARNING: untranslated string: ipfire side is invalid = IPFire side is invalid. WARNING: untranslated string: ipfires hostname = IPFire's Hostname WARNING: untranslated string: ipinfo = IP info WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network WARNING: untranslated string: iptmangles = IPTable Mangles WARNING: untranslated string: iptnats = IPTable Network Address Translation @@ -1230,6 +1234,7 @@ WARNING: untranslated string: minimum = Minimum WARNING: untranslated string: minute = Minute WARNING: untranslated string: minutes = Minutes WARNING: untranslated string: misc-options = Miscellaneous options +WARNING: untranslated string: mode = Mode WARNING: untranslated string: model = Model WARNING: untranslated string: modem = Modem WARNING: untranslated string: modem configuration = Modem configuration diff --git a/doc/language_issues.es b/doc/language_issues.es index 236248d55e..1545fa5308 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -759,6 +758,7 @@ WARNING: untranslated string: country codes and flags = Country Codes and Flags: WARNING: untranslated string: countrycode = Code WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! 
@@ -1053,10 +1053,13 @@ WARNING: untranslated string: integrity = Integrity: WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred diff --git a/doc/language_issues.fr b/doc/language_issues.fr index e2f20eb5c8..45bb87da79 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -445,7 +445,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -770,6 +769,7 @@ WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string @@ -810,7 +810,10 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: no data = unknown string WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 5500eedc94..ed32fdb040 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -417,7 +417,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -789,6 +788,7 @@ WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: check all = Check all WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): WARNING: untranslated string: dhcp dns key name = Key Name: WARNING: untranslated string: dhcp dns update = DNS Update @@ -885,9 +885,12 @@ WARNING: untranslated string: incoming compression in bytes per second = Incomin WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE WARNING: untranslated string: masquerade green = Masquerade GREEN diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 64778ffd7b..13bd9408d0 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -415,7 +415,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -786,6 +785,7 @@ WARNING: untranslated string: capabilities = Capabilities WARNING: untranslated string: check all = Check all WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: default = Default WARNING: untranslated string: dh = Diffie-Hellman parameters WARNING: untranslated string: dh key move failed = Diffie-Hellman parameters move failed. @@ -899,9 +899,12 @@ WARNING: untranslated string: incoming compression in bytes per second = Incomin WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE WARNING: untranslated string: masquerade green = Masquerade GREEN 
diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 236248d55e..1545fa5308 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -365,7 +365,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -759,6 +758,7 @@ WARNING: untranslated string: country codes and flags = Country Codes and Flags: WARNING: untranslated string: countrycode = Code WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! 
@@ -1053,10 +1053,13 @@ WARNING: untranslated string: integrity = Integrity: WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 810b16f502..526c137548 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -358,7 +358,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 
@@ -762,6 +761,7 @@ WARNING: untranslated string: country codes and flags = Country Codes and Flags: WARNING: untranslated string: countrycode = Code WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default = Default WARNING: untranslated string: deprecated fs warn = Deprecated filesystem! Newer kernel drop the support. Backup and reformat! @@ -1055,10 +1055,13 @@ WARNING: untranslated string: integrity = Integrity: WARNING: untranslated string: invalid input for dpd delay = Invalid input for DPD delay WARNING: untranslated string: invalid input for dpd timeout = Invalid input for DPD timeout WARNING: untranslated string: invalid input for inactivity timeout = Invalid input for Inactivity Timeout +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid input for valid till days = Invalid input for Valid till (days). WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network WARNING: untranslated string: last = Last WARNING: untranslated string: least preferred = least preferred diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 1406583464..41546bb322 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -445,7 +445,6 @@ WARNING: translation string unused: messages logging WARNING: translation string unused: min size WARNING: translation string unused: missing dat WARNING: translation string unused: missing gz -WARNING: translation string unused: mode WARNING: translation string unused: modem on com1 WARNING: translation string unused: modem on com2 WARNING: translation string unused: modem on com3 @@ -772,6 +771,7 @@ WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning +WARNING: untranslated string: cryptographic settings = Cryptographic Settings WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string @@ -813,7 +813,10 @@ WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string +WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: ipsec mode transport = Transport +WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: no data = unknown string WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit!
Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".
WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
diff --git a/doc/language_missings b/doc/language_missings index 938a9551ea..8c9c68e977 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -28,6 +28,7 @@ < choose media < community rules < could not connect to www ipfire org +< cryptographic settings < dead peer detection < dhcp server disabled on blue interface < dhcp server enabled on blue interface @@ -38,6 +39,9 @@ < g.lite < guardian < insert removable device +< invalid input for mode +< ipsec mode transport +< ipsec mode tunnel < none < notes < qos add subclass @@ -186,6 +190,7 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default @@ -493,10 +498,13 @@ < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections < last @@ -782,8 +790,12 @@ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< cryptographic settings < dnsforward forward_servers +< invalid input for mode < invalid ip or hostname +< ipsec mode transport +< ipsec mode tunnel ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -853,6 +865,7 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning < dhcp dns enable update < dhcp dns key name 
@@ -919,9 +932,12 @@ < incoming compression in bytes per second < incoming overhead in bytes per second < invalid input for inactivity timeout +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec mode transport +< ipsec mode tunnel < log server protocol < masquerade blue < masquerade green @@ -1070,6 +1086,7 @@ < Captive wrong ext < check all < crypto error +< cryptographic settings < crypto warning < default < dh @@ -1155,9 +1172,12 @@ < incoming compression in bytes per second < incoming overhead in bytes per second < invalid input for inactivity timeout +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol +< ipsec mode transport +< ipsec mode tunnel < log server protocol < masquerade blue < masquerade green @@ -1403,6 +1423,7 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < dead peer detection < default @@ -1712,10 +1733,13 @@ < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections < last @@ -2116,6 +2140,7 @@ < countrycode < country codes and flags < crypto error +< cryptographic settings < crypto warning < day-graph < dead peer detection @@ -2431,10 +2456,13 @@ < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout +< invalid input for mode < invalid input for valid till days < invalid ip or hostname < invalid logserver protocol < ipsec +< ipsec mode transport +< ipsec mode tunnel < ipsec network < ipsec no connections < last 
@@ -2705,10 +2733,14 @@
 # Checking cgi-bin translations for language: tr #
 ############################################################################
 < crypto error
+< cryptographic settings
 < crypto warning
 < dnsforward forward_servers
 < fwdfw all subnets
+< invalid input for mode
 < invalid ip or hostname
+< ipsec mode transport
+< ipsec mode tunnel
 < ovpn error dh
 < ovpn error md5
 < ovpn warning rfc3280
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index a5d27c8d83..f7a1c5e52d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -111,6 +111,7 @@ $cgiparams{'DPD_TIMEOUT'} = '120';
 $cgiparams{'FORCE_MOBIKE'} = 'off';
 $cgiparams{'START_ACTION'} = 'start';
 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'MODE'} = "tunnel";
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 ###
@@ -1316,6 +1317,7 @@ END
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -1329,6 +1331,10 @@ END
 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
 }
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
@@ -1811,7 +1817,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 35) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
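Review bot: Style: the new default `$cgiparams{'MODE'} = "tunnel";` in the hunk at line 111 is the only double-quoted literal among the defaults in this block, whose neighbours use single quotes ('off', 'start'); `$cgiparams{'MODE'} = 'tunnel';` would match them, and the same applies to the three other places in this patch that assign the same default (the hunks at 1331, 1937 and 2359). Nothing is interpolated, so behaviour is identical either way. The block of defaults starts outside the hunk.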
@@ -1856,6 +1862,7 @@ END
 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
 $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
 $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
 # free unused fields!
 $confighash{$key}[6] = 'off';
@@ -1930,6 +1937,7 @@ END
 $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
 $cgiparams{'PFS'} = 'on'; #[28];
 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
 }
 VPNCONF_ERROR:
@@ -1985,6 +1993,7 @@ VPNCONF_ERROR:
+
 END
 ;
 if ($cgiparams{'KEY'}) {
@@ -2279,6 +2288,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto ADVANCED_ERROR;
+ }
+
 $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
 $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
 $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
@@ -2298,6 +2312,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
 $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'MODE'};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
 if (&vpnenabled) {
@@ -2327,6 +2342,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
 $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
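Review bot: The save branch (hunk at 1862) writes `$cgiparams{'MODE'}` into field 35 without checking its value, while the advanced handler later in this same patch only stores the same field after `/^(tunnel|transport)$/` has matched. `%cgiparams` is filled from the request by `&Header::getcgihash` (hunk at line 111), so a client can post any string as MODE to the save action and it lands in `${General::swroot}/vpn/config` through writehasharray; whether it then reaches the generated IPsec configuration depends on writeipsecfiles(), which this patch does not show. I would add the same guard to the save branch's validation block, next to the existing TYPE check: `if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) { $errormessage = $Lang::tr{'invalid input for mode'}; goto VPNCONF_ERROR; }` (VPNCONF_ERROR is the label visible in the hunk at 1937, presumably the one the save branch's other checks already jump to). The enclosing save branch starts and ends outside the hunk.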
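Review bot: The new whitelist in the hunk at 2288 anchors with `$`, which in Perl also matches just before a trailing newline, so a MODE of `"tunnel\n"` passes the check and is stored in field 35 with the newline attached, unless getcgihash strips it, which the patch does not show. Since this regex is the only validation between untrusted input and the config file, anchor with `\z`: `if ($cgiparams{'MODE'} !~ /^(tunnel|transport)\z/) {`. The existing TYPE check in the save branch uses the same `^...$` idiom, so this is a file-wide habit rather than something this commit introduces, but a newline inside a config field is worth closing at the point where the check is being added. The enclosing advanced-handler block starts and ends outside the hunk.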
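Review bot: Field 35 is persisted in the hunk at 2312 and writeipsecfiles() is called straight after, but no hunk in this patch changes writeipsecfiles(), and the diffstat's 44 insertions for vpnmain.cgi are fully accounted for by the hunks shown; so, unless a follow-up commit consumes the field, the selected mode is stored and displayed but never emitted into the strongSwan configuration. If a follow-up is planned, a comment at this write would keep the setting from looking live, e.g. `# [35] IPsec mode (tunnel|transport); not yet consumed by writeipsecfiles()`; otherwise writeipsecfiles() needs to emit the connection's `type=` option (strongSwan's keyword for tunnel versus transport) from field 35. The enclosing advanced-handler block starts and ends outside the hunk.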
@@ -2343,6 +2359,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") { $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min } + + if ($cgiparams{'MODE'} eq "") { + $cgiparams{'MODE'} = "tunnel"; + } } ADVANCED_ERROR: @@ -2451,6 +2471,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected"; + $selected{'MODE'}{'tunnel'} = ''; + $selected{'MODE'}{'transport'} = ''; + $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -2475,6 +2499,24 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + + + + + + + +
$Lang::tr{'mode'}: + +
+ +

+ +

$Lang::tr{'cryptographic settings'}

+ diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 258176970f..93b857808e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -684,6 +684,7 @@ 'cron server' => 'CRON Server', 'crypto error' => 'Cryptographic error', 'crypto warning' => 'Cryptographic warning', +'cryptographic settings' => 'Cryptographic Settings', 'current' => 'Current', 'current aliases' => 'Current aliases', 'current class' => 'Current class', @@ -1429,6 +1430,7 @@ 'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2', 'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart', 'invalid input for max clients' => 'Invalid input for Max Clients', +'invalid input for mode' => 'Invalid input for mode', 'invalid input for name' => 'Invalid input for user\'s full name or system hostname', 'invalid input for oink code' => 'Invalid input for Oink code', 'invalid input for organization' => 'Invalid input for organization', @@ -1481,6 +1483,8 @@ 'ipfires hostname' => 'IPFire\'s Hostname', 'ipinfo' => 'IP info', 'ipsec' => 'IPsec', +'ipsec mode transport' => 'Transport', +'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', 'iptable rules' => 'IPTable rules', -- 2.39.2