###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# #
###############################################################################
+use Data::UUID;
+use MIME::Base64;
use Net::DNS;
use File::Copy;
use File::Temp qw/ tempfile tempdir /;
use strict;
use Sort::Naturally;
+use Sys::Hostname;
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
-my $blue_cidr = "# Blue not defined";
-if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
- $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
-}
-my $orange_cidr = "# Orange not defined";
-if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) {
- $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
-}
-
my %INACTIVITY_TIMEOUTS = (
300 => $Lang::tr{'five minutes'},
600 => $Lang::tr{'ten minutes'},
0 => "- $Lang::tr{'unlimited'} -",
);
+# Load aliases
+my %aliases;
+&General::get_aliases(\%aliases);
+
my $col="";
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
+$cgiparams{'LOCAL'} = '';
$cgiparams{'REMOTE'} = '';
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
$cgiparams{'ROOTCERT_OU'} = '';
$cgiparams{'ROOTCERT_CITY'} = '';
$cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_ENDPOINT'} = '';
$cgiparams{'RW_NET'} = '';
$cgiparams{'DPD_DELAY'} = '30';
$cgiparams{'DPD_TIMEOUT'} = '120';
$cgiparams{'FORCE_MOBIKE'} = 'off';
-$cgiparams{'START_ACTION'} = 'start';
-$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+$cgiparams{'START_ACTION'} = 'route';
+$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
+$cgiparams{'MODE'} = "tunnel";
+$cgiparams{'INTERFACE_MODE'} = "";
+$cgiparams{'INTERFACE_ADDRESS'} = "";
+$cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
+my %APPLE_CIPHERS = (
+ "aes256gcm128" => "AES-256-GCM",
+ "aes128gcm128" => "AES-128-GCM",
+ "aes256" => "AES-256",
+ "aes128" => "AES-128",
+ "3des" => "3DES",
+);
+
+my %APPLE_INTEGRITIES = (
+ "sha2_512" => "SHA2-512",
+ "sha2_384" => "SHA2-384",
+ "sha2_256" => "SHA2-256",
+ "sha1" => "SHA1-160",
+);
+
+my %APPLE_DH_GROUPS = (
+ "768" => 1,
+ "1024" => 2,
+ "1536" => 5,
+ "2048" => 14,
+ "3072" => 15,
+ "4096" => 16,
+ "6144" => 17,
+ "8192" => 18,
+ "e256" => 19,
+ "e384" => 20,
+ "e521" => 21,
+);
+
###
### Useful functions
###
print FILE "";
close FILE;
}
+ if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
+ print FILE "";
+ close FILE;
+ }
unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
unlink ("${General::swroot}/certs/01.pem");
}
if (! -s ">${General::swroot}/certs/index.txt") {
system ("touch ${General::swroot}/certs/index.txt");
}
+ if (! -s ">${General::swroot}/certs/index.txt.attr") {
+ system ("touch ${General::swroot}/certs/index.txt.attr");
+ }
unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
}
sub getCNfromcert ($) {
#&General::log("ipsec", "Extracting name from $_[0]...");
my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp =~ /Subject:.*CN = (.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ $temp =~ s/ ST = / S = /;
$temp =~ s/,//g;
$temp =~ s/\'//g;
return $temp;
$temp =~ /Subject: (.*)[\n]/;
$temp = $1;
$temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ $temp =~ s/ ST = / S = /;
return $temp;
}
###
#remote peer is not set? => use '%any'
$lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+ # Field 6 might be "off" on old installations
+ if ($lconfighash{$key}[6] eq "off") {
+ $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
+ }
+
my $localside;
- if ($lconfighash{$key}[26] eq 'BLUE') {
- $localside = $netsettings{'BLUE_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'GREEN') {
- $localside = $netsettings{'GREEN_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
- $localside = $netsettings{'ORANGE_ADDRESS'};
- } else { # it is RED
- $localside = $lvpnsettings{'VPN_IP'};
+ if ($lconfighash{$key}[6]) {
+ $localside = $lconfighash{$key}[6];
+ } else {
+ $localside = "%defaultroute";
}
+ my $interface_mode = $lconfighash{$key}[36];
+
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+
+ if ($interface_mode eq "gre") {
+ print CONF "\tleftprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\tleftsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
+ }
+
print CONF "\tleftfirewall=yes\n";
print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+ if ($interface_mode eq "gre") {
+ print CONF "\trightprotoport=gre\n";
+ } elsif ($interface_mode eq "vti") {
+ print CONF "\trightsubnet=0.0.0.0/0\n";
+ } else {
+ print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
+ }
}
# Local Cert and Remote Cert (unless auth is DN dn-auth)
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Set mode
+ if ($lconfighash{$key}[35] eq "transport") {
+ print CONF "\ttype=transport\n";
+ } else {
+ print CONF "\ttype=tunnel\n";
+ }
+
+ # Add mark for VTI
+ if ($interface_mode eq "vti") {
+ print CONF "\tmark=$key\n";
+ }
+
# Is PFS enabled?
my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
if ($start_action eq 'route' && $inactivity_timeout > 0) {
print CONF "\tinactivity=$inactivity_timeout\n";
}
-
- # Restart the connection immediately when it has gone down
- # unexpectedly
- if ($start_action eq 'start') {
- print CONF "\tcloseaction=restart\n";
- }
}
# Fragmentation
print CONF "\tfragmentation=yes\n";
+ # DNS Servers for RW
+ if ($lconfighash{$key}[3] eq 'host') {
+ my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+ print CONF "\trightdns=" . join(",", @servers) . "\n";
+ }
+
print CONF "\n";
} #foreach key
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
- $errormessage = $Lang::tr{'invalid time period'};
+ if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) {
+ $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'};
goto SAVE_ERROR;
}
}
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
+ $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
}
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto UPLOADCA_ERROR;
}
my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
if ($test =~ /: OK/) {
# Delete connection
- system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
delete $confighash{$key};
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
}
}
unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
close IPADDR;
chomp ($ipaddr);
$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+ $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
}
}
$cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
&General::log("ipsec", "Importing from p12...");
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto ROOTCERT_ERROR;
}
# IP: an IP address
# example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ if ($cgiparams{'SUBJECTALTNAME'} eq '') {
+ $errormessage = $Lang::tr{'vpn subjectaltname missing'};
+ goto ROOTCERT_ERROR;
+ }
+
if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
$errormessage = $Lang::tr{'vpn altname syntax'};
goto VPNCONF_ERROR;
&General::log("ipsec", "Creating cacert...");
if (open(STDIN, "-|")) {
my $opt = " req -x509 -sha256 -nodes";
- $opt .= " -days 999999";
+ $opt .= " -days 3650";
$opt .= " -newkey rsa:4096";
$opt .= " -keyout ${General::swroot}/private/cakey.pem";
$opt .= " -out ${General::swroot}/ca/cacert.pem";
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -md sha256 -days 999999";
+ my $opt = " ca -md sha256 -days 825";
$opt .= " -batch -notext";
$opt .= " -in ${General::swroot}/certs/hostreq.pem";
$opt .= " -out ${General::swroot}/certs/hostcert.pem";
}
print <<END
</select></td></tr>
- <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+ <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td>
<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
<tr><td> </td>
<td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
exit (0);
+# Export Apple profile to browser
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
+ # Read global configuration
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+ # Read connections
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ my $key = $cgiparams{'KEY'};
+
+ # Create a UUID generator
+ my $uuid = Data::UUID->new();
+
+ my $uuid1 = $uuid->create_str();
+ my $uuid2 = $uuid->create_str();
+
+ my $cert = "";
+ my $cert_uuid = $uuid->create_str();
+
+ # Read and encode certificate
+ if ($confighash{$key}[4] eq "cert") {
+ my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
+
+ # Read certificate and encode it into Base64
+ open(CERT, "<${cert_path}");
+ local($/) = undef; # slurp
+ $cert = MIME::Base64::encode_base64(<CERT>);
+ close(CERT);
+ }
+
+ print "Content-Type: application/octet-stream\n";
+ print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
+ print "\n"; # end headers
+
+ # Use our own FQDN if nothing else is configured
+ my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname();
+
+ print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
+ print "<plist version=\"1.0\">\n";
+ print " <dict>\n";
+ print " <key>PayloadDisplayName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${uuid1}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>Configuration</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>PayloadContent</key>\n";
+ print " <array>\n";
+ print " <dict>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>org.example.vpn1.conf1</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${uuid2}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>com.apple.vpn.managed</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>UserDefinedName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>VPNType</key>\n";
+ print " <string>IKEv2</string>\n";
+ print " <key>IKEv2</key>\n";
+ print " <dict>\n";
+ print " <key>RemoteAddress</key>\n";
+ print " <string>$endpoint</string>\n";
+
+ # PFS
+ my $pfs = $confighash{$key}[28];
+ if ($pfs eq "on") {
+ print " <key>EnablePFS</key>\n";
+ print " <true/>\n";
+ }
+
+ # IKE Cipher Suite
+ print " <key>IKESecurityAssociationParameters</key>\n";
+ print " <dict>\n";
+
+ # Encryption
+ foreach my $cipher (split(/\|/,$confighash{$key}[18])) {
+ # Skip all unsupported ciphers
+ next unless (exists $APPLE_CIPHERS{$cipher});
+
+ print " <key>EncryptionAlgorithm</key>\n";
+ print " <string>$APPLE_CIPHERS{$cipher}</string>\n";
+ last;
+ }
+
+ # Integrity
+ foreach my $integrity (split(/\|/,$confighash{$key}[19])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+ print " <key>IntegrityAlgorithm</key>\n";
+ print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+ last;
+ }
+
+ # Diffie Hellman Groups
+ foreach my $group (split(/\|/,$confighash{$key}[20])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_DH_GROUPS{$group});
+
+ print " <key>DiffieHellmanGroup</key>\n";
+ print " <string>$APPLE_DH_GROUPS{$group}</string>\n";
+ last;
+ }
+
+ # Lifetime
+ my $lifetime = $confighash{$key}[16] * 60;
+ print " <key>LifeTimeInMinutes</key>\n";
+ print " <integer>$lifetime</integer>\n";
+ print " </dict>\n";
+
+ # ESP Cipher Suite
+ print " <key>ChildSecurityAssociationParameters</key>\n";
+ print " <dict>\n";
+
+ # Encryption
+ foreach my $cipher (split(/\|/,$confighash{$key}[21])) {
+ # Skip all unsupported ciphers
+ next unless (exists $APPLE_CIPHERS{$cipher});
+
+ print " <key>EncryptionAlgorithm</key>\n";
+ print " <string>$APPLE_CIPHERS{$cipher}</string>\n";
+ last;
+ }
+
+ # Integrity
+ foreach my $integrity (split(/\|/,$confighash{$key}[22])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+ print " <key>IntegrityAlgorithm</key>\n";
+ print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+ last;
+ }
+
+ # Diffie Hellman Groups
+ foreach my $group (split(/\|/,$confighash{$key}[23])) {
+ # Skip all unsupported algorithms
+ next unless (exists $APPLE_DH_GROUPS{$group});
+
+ print " <key>DiffieHellmanGroup</key>\n";
+ print " <string>$APPLE_DH_GROUPS{$group}</string>\n";
+ last;
+ }
+
+ # Lifetime
+ my $lifetime = $confighash{$key}[17] * 60;
+ print " <key>LifeTimeInMinutes</key>\n";
+ print " <integer>$lifetime</integer>\n";
+ print " </dict>\n";
+
+
+ # Left ID
+ if ($confighash{$key}[9]) {
+ print " <key>LocalIdentifier</key>\n";
+ print " <string>$confighash{$key}[9]</string>\n";
+ }
+
+ # Right ID
+ if ($confighash{$key}[7]) {
+ print " <key>RemoteIdentifier</key>\n";
+ print " <string>$confighash{$key}[7]</string>\n";
+ }
+
+ if ($confighash{$key}[4] eq "cert") {
+ print " <key>AuthenticationMethod</key>\n";
+ print " <string>Certificate</string>\n";
+
+ print " <key>PayloadCertificateUUID</key>\n";
+ print " <string>${cert_uuid}</string>\n";
+ } else {
+ print " <key>AuthenticationMethod</key>\n";
+ print " <string>SharedSecret</string>\n";
+ print " <key>SharedSecret</key>\n";
+ print " <string>$confighash{$key}[5]</string>\n";
+ }
+
+ print " <key>ExtendedAuthEnabled</key>\n";
+ print " <integer>0</integer>\n";
+
+ # These are not needed, but we provide some default to stop iPhone asking for credentials
+ print " <key>AuthName</key>\n";
+ print " <string>$confighash{$key}[1]</string>\n";
+ print " <key>AuthPassword</key>\n";
+ print " <string></string>\n";
+ print " </dict>\n";
+ print " </dict>\n";
+
+ if ($confighash{$key}[4] eq "cert") {
+ print " <dict>\n";
+ print " <key>PayloadIdentifier</key>\n";
+ print " <string>org.example.vpn1.client</string>\n";
+ print " <key>PayloadUUID</key>\n";
+ print " <string>${cert_uuid}</string>\n";
+ print " <key>PayloadType</key>\n";
+ print " <string>com.apple.security.pkcs12</string>\n";
+ print " <key>PayloadVersion</key>\n";
+ print " <integer>1</integer>\n";
+ print " <key>PayloadContent</key>\n";
+ print " <data>\n";
+
+ foreach (split /\n/,${cert}) {
+ print " $_\n";
+ }
+
+ print " </data>\n";
+ print " </dict>\n";
+ }
+
+ print " </array>\n";
+ print " </dict>\n";
+ print "</plist>\n";
+
+ # Done
+ exit(0);
###
### Display certificate
###
&writeipsecfiles();
system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
} else {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
$confighash{$cgiparams{'KEY'}}[0] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
}
sleep $sleepDelay;
} else {
&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
if ($confighash{$cgiparams{'KEY'}}) {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
delete $confighash{$cgiparams{'KEY'}};
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
} else {
$errormessage = $Lang::tr{'invalid key'};
}
$cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
$cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
$cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6];
$cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
$cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
$cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
$cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
+ $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
}
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} eq "") {
+ $cgiparams{'INTERFACE_MTU'} = 1500;
+ }
+
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
goto VPNCONF_ERROR;
}
+ if ($cgiparams{'LOCAL'}) {
+ if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
+ $errormessage = $Lang::tr{'invalid input for local ip address'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
if ($cgiparams{'REMOTE'}) {
if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
goto VPNCONF_ERROR;
}
}
+
+ if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
+ $errormessage = $Lang::tr{'invalid input for mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mode'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
+ $errormessage = $Lang::tr{'transport mode does not support vti'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
+ $errormessage = $Lang::tr{'invalid input for interface address'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for interface mtu'};
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ if ($cgiparams{'TYPE'} eq 'host') {
+ my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+ foreach my $server (@servers) {
+ unless (&Network::check_ip_address($server)) {
+ $errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+ goto VPNCONF_ERROR;
+ }
+ }
}
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}
# Sign the certificate request
&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt = " ca -md sha256 -days 999999";
+ my $opt = " ca -md sha256 -days 825";
$opt .= " -batch -notext";
$opt .= " -in $filename";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
} elsif ($cgiparams{'AUTH'} eq 'pkcs12') {
&General::log("ipsec", "Importing from p12...");
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto ROOTCERT_ERROR;
}
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -md sha256 -days 999999 -batch -notext";
+ my $opt = " ca -md sha256 -days 825 -batch -notext";
$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -extfile $v3extname";
my $key = $cgiparams{'KEY'};
if (! $key) {
$key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 34) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
$confighash{$key}[11] = join('|', @remote_subnets);
}
+ $confighash{$key}[6] = $cgiparams{'LOCAL'};
$confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
$confighash{$key}[8] = join('|', @local_subnets);
$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
+ $confighash{$key}[33] = $cgiparams{'START_ACTION'};
$confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
+ $confighash{$key}[35] = $cgiparams{'MODE'};
+ $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
+ $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
+ $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+ $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
# free unused fields!
- $confighash{$key}[6] = 'off';
$confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
} else {
$cgiparams{'AUTH'} = 'certgen';
}
- $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+
+ if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
+ $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
+ } else {
+ $cgiparams{"LOCAL_SUBNET"} = "";
+ }
$cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
$cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
$cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
+ $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[20];
+ $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
+ $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|4096|3072|2048'; #[23];
+ $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'off'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'INACTIVITY_TIMEOUT'} = 900;
+ $cgiparams{'MODE'} = "tunnel";
+ $cgiparams{'INTERFACE_MODE'} = "";
+ $cgiparams{'INTERFACE_ADDRESS'} = "";
+ $cgiparams{'INTERFACE_MTU'} = 1500;
+ $cgiparams{'DNS_SERVERS'} = "";
}
VPNCONF_ERROR:
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+ $selected{'MODE'}{'tunnel'} = '';
+ $selected{'MODE'}{'transport'} = '';
+ $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
+
+ $selected{'INTERFACE_MODE'}{''} = '';
+ $selected{'INTERFACE_MODE'}{'gre'} = '';
+ $selected{'INTERFACE_MODE'}{'vti'} = '';
+ $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
+
+ $selected{'LOCAL'}{''} = '';
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+
+ $selected{'LOCAL'}{$address} = '';
+ }
+ $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
+ <input type='hidden' name='START_ACTION' value='$cgiparams{'START_ACTION'}' />
+ <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
END
;
if ($cgiparams{'KEY'}) {
EOF
}
- my $disabled;
- my $blob;
- if ($cgiparams{'TYPE'} eq 'host') {
- $disabled = "disabled='disabled'";
- } elsif ($cgiparams{'TYPE'} eq 'net') {
+ my $blob = "";
+ if ($cgiparams{'TYPE'} eq 'net') {
$blob = "<img src='/blob.gif' alt='*' />";
};
my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
my $remote_subnets = join(",", @remote_subnets);
- print <<END
+ my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+ my $dns_servers = join(",", @dns_servers);
+
+ print <<END;
<tr>
<td width='20%'>$Lang::tr{'enabled'}</td>
<td width='30%'>
<input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
- <td width='30%'>
- <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
- </td>
+ <td colspan="2"></td>
</tr>
<tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td>
+ <td width='30%'>
+ <select name="LOCAL">
+ <option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option>
+END
+
+ foreach my $alias (sort keys %aliases) {
+ my $address = $aliases{$alias}{'IPT'};
+ print <<END;
+ <option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option>
+END
+ }
+
+ print <<END;
+ </select>
+ </td>
<td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td>
<td width='30%'>
<input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
+ </tr>
+ <tr>
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
<td width='30%'>
- <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
+ <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
</td>
+END
+
+ if ($cgiparams{'TYPE'} eq "net") {
+ print <<END;
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} <img src='/blob.gif' alt='*' /></td>
+ <td width='30%'>
+ <input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+ </td>
+END
+
+ } elsif ($cgiparams{'TYPE'} eq "host") {
+ print <<END;
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
+ <td width='30%'>
+ <input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
+ </td>
+END
+ }
+
+ print <<END;
</tr>
<tr>
<td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
print "</table>";
&Header::closebox();
+ if ($cgiparams{'TYPE'} eq 'net') {
+ &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
+ print <<EOF;
+ <table width='100%'>
+ <tbody>
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
+ <td width='30%'>
+ <select name='MODE'>
+ <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
+ <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
+ </select>
+ </td>
+ <td colspan='2'></td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
+ <td width='30%'>
+ <select name='INTERFACE_MODE'>
+ <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
+ <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
+ <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
+ </select>
+ </td>
+
+ <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
+ <td width='30%'>
+ <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
+ </td>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
+ <td width='30%'>
+ <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
+ </td>
+ <td colspan='2'></td>
+ </tr>
+ </tbody>
+ </table>
+EOF
+ &Header::closebox();
+ }
+
if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
&Header::openbox('100%', 'left', $Lang::tr{'authentication'});
print <<END
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
+ if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
$errormessage = $Lang::tr{'invalid input for ike lifetime'};
goto ADVANCED_ERROR;
}
- if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
- $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
+ if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 24) {
+ $errormessage = $Lang::tr{'ike lifetime should be between 1 and 24 hours'};
goto ADVANCED_ERROR;
}
@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
+ if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
$cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
$cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
+ $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
+ $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
+ $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
+ $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
+ $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) {
$cgiparams{'DPD_DELAY'} = 30;
if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
$cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
}
+
+ if ($cgiparams{'MODE'} eq "") {
+ $cgiparams{'MODE'} = "tunnel";
+ }
}
ADVANCED_ERROR:
+ $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = '';
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
$checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
+ $checked{'IKE_GROUPTYPE'}{'curve448'} = '';
$checked{'IKE_GROUPTYPE'}{'768'} = '';
$checked{'IKE_GROUPTYPE'}{'1024'} = '';
$checked{'IKE_GROUPTYPE'}{'1536'} = '';
@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
+ $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = '';
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
$checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
+ $checked{'ESP_GROUPTYPE'}{'curve448'} = '';
$checked{'ESP_GROUPTYPE'}{'768'} = '';
$checked{'ESP_GROUPTYPE'}{'1024'} = '';
$checked{'ESP_GROUPTYPE'}{'1536'} = '';
$selected{'DPD_ACTION'}{'none'} = '';
$selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+ $selected{'START_ACTION'}{'add'} = '';
$selected{'START_ACTION'}{'route'} = '';
$selected{'START_ACTION'}{'start'} = '';
$selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
<td class='boldbase'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+ <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
<option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
</td>
<td class='boldbase'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
+ <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
<option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
<option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
<option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
<td class='boldbase'>
<select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
<option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
+ <option value='curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
<option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
<td class='boldbase'>
<select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
<option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
+ <option value='curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
<option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
<option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
<option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
<select name="START_ACTION">
<option value="route" $selected{'START_ACTION'}{'route'}>$Lang::tr{'vpn start action route'}</option>
<option value="start" $selected{'START_ACTION'}{'start'}>$Lang::tr{'vpn start action start'}</option>
+ <option value="add" $selected{'START_ACTION'}{'add'} >$Lang::tr{'vpn start action add'}</option>
</select>
</td>
</tr>
my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
- # suggest a default name for this side
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
- my $ipaddr = <IPADDR>;
- close IPADDR;
- chomp ($ipaddr);
- $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
- if ($cgiparams{'VPN_IP'} eq '') {
- $cgiparams{'VPN_IP'} = $ipaddr;
- }
- }
- }
- # no IP found, use %defaultroute
- $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
-
- $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
- <tr>
- <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td>
- <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
- <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
- </tr>
-END
-;
-print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
- <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
- </tr>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
- <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
- </tr>
-</table>
-<br>
-<hr />
-<table width='100%'>
-<tr>
- <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
- <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
-</tr>
-<tr>
- <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td>
- <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
- <td></td>
-</tr>
+ <tr>
+ <td width='60%' class='base'>
+ $Lang::tr{'enabled'}
+ </td>
+ <td width="40%">
+ <input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
+ </td>
+ </tr>
+ <tr>
+ <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'ipsec roadwarrior endpoint'}:</td>
+ <td width="40%"><input type='text' name='RW_ENDPOINT' value='$cgiparams{'RW_ENDPOINT'}' /></td>
+ </tr>
+ <tr>
+ <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
+ <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
+ </tr>
+ <tr>
+ <td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+ </tr>
</table>
END
;
<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
+ <th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th>
</tr>
END
;
}
print "<td align='center' $col>$confighash{$key}[25]</td>";
my $col1="bgcolor='${Header::colourred}'";
- # get real state
my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
+ if ($confighash{$key}[33] eq "add") {
+ $col1="bgcolor='${Header::colourorange}'";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn wait'}</font></b>";
+ }
foreach my $line (@status) {
if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
$col1="bgcolor='${Header::colourgreen}'";
$active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
+ last;
} elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) {
$col1="bgcolor='${Header::colourorange}'";
$active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>";
} else {
print "<td width='2%' $col> </td>";
}
+
+ # Apple Profile
+ if ($confighash{$key}[3] eq 'host') {
+ print <<END;
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
+ </td>
+END
+ } else {
+ print "<td width='2%' $col> </td>";
+ }
+
print <<END
<td align='center' $col>
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
if ($grp =~ m/^e(.*)$/) {
push(@algo, "ecp$1");
- } elsif ($grp =~ m/curve25519/) {
+ } elsif ($grp =~ m/curve(25519|448)/) {
push(@algo, "$grp");
} else {
push(@algo, "modp$grp");
}
- } elsif ($mode eq "esp" && $pfs) {
+ } elsif ($mode eq "esp") {
my $is_aead = ($enc =~ m/[cg]cm/);
if (!$is_aead) {
push(@algo, $int);
}
- if ($grp eq "none") {
+ if (!$pfs || $grp eq "none") {
# noop
} elsif ($grp =~ m/^e(.*)$/) {
push(@algo, "ecp$1");
- } elsif ($grp =~ m/curve25519/) {
+ } elsif ($grp =~ m/curve(25519|448)/) {
push(@algo, "$grp");
} else {
push(@algo, "modp$grp");
return &array_unique(\@algos);
}
-sub make_subnets($) {
+sub make_subnets($$) {
+ my $direction = shift;
my $subnets = shift;
my @nets = split(/\|/, $subnets);
my @cidr_nets = ();
foreach my $net (@nets) {
my $cidr_net = &General::ipcidr($net);
+
+ # Skip 0.0.0.0/0 for remote because this renders the
+ # while system inaccessible
+ next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
push(@cidr_nets, $cidr_net);
}
projects / people / pmueller / ipfire-2.x.git / blobdiff