###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2010 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2011 IPFire Team info@ipfire.org #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
-$cgiparams{'DBG_CRYPT'} = '';
-$cgiparams{'DBG_PARSING'} = '';
-$cgiparams{'DBG_EMITTING'} = '';
-$cgiparams{'DBG_CONTROL'} = '';
-$cgiparams{'DBG_KLIPS'} = '';
-$cgiparams{'DBG_DNS'} = '';
-$cgiparams{'DBG_NAT_T'} = '';
$cgiparams{'KEY'} = '';
$cgiparams{'TYPE'} = '';
$cgiparams{'ADVANCED'} = '';
-$cgiparams{'INTERFACE'} = '';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
$cgiparams{'ROOTCERT_OU'} = '';
$cgiparams{'ROOTCERT_CITY'} = '';
$cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_NET'} = '';
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
flock SECRETS, 2;
print CONF "version 2\n\n";
print CONF "config setup\n";
- #create an ipsec Interface for each 'enabled' ones
- #loop trought configuration and add physical interfaces to the list
- my $interfaces = "\tinterfaces=\"";
- foreach my $key (keys %lconfighash) {
- next if ($lconfighash{$key}[0] ne 'on');
- $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
- }
- print CONF $interfaces . "\"\n";
-
- my $plutodebug = ''; # build debug list
- map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
- ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
- $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- #print CONF "\tklipsdebug=\"none\"\n";
- print CONF "\tplutodebug=\"$plutodebug\"\n";
- # deprecated in ipsec.conf version 2
- #print CONF "\tplutoload=%search\n";
- #print CONF "\tplutostart=%search\n";
- #Disable IKEv2 deamon
- print CONF "\tcharonstart=no\n";
- print CONF "\tuniqueids=yes\n";
- print CONF "\tnat_traversal=yes\n";
- print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
- print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$green_cidr";
- if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$orange_cidr";
- }
- if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$blue_cidr";
- }
- foreach my $key (keys %lconfighash) {
- if ($lconfighash{$key}[3] eq 'net') {
- print CONF ",%v4:!$lconfighash{$key}[11]";
- }
- }
- print CONF "\n\n";
+ print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
+ print CONF "\n";
print CONF "conn %default\n";
- print CONF "\tkeyingtries=0\n";
- #strongswan doesn't know this
- #print CONF "\tdisablearrivalcheck=no\n";
+ print CONF "\tkeyingtries=%forever\n";
print CONF "\n";
# Add user includes to config file
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
if ($lconfighash{$key}[3] eq 'net') {
my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
print CONF "\trightsubnet=$cidr_net\n";
- print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
}
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Is PFS enabled?
+ my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
+
# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
print CONF "\tike=";
print CONF "\tesp=";
my @encs = split('\|', $lconfighash{$key}[21]);
my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
my $comma = 0;
foreach my $i (@encs) {
foreach my $j (@ints) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
+ my $modp = "";
+ if ($pfs eq "on") {
+ foreach my $k (@groups) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ if ($pfs eq "on") {
+ $modp = "-modp$k";
+ } else {
+ $modp = "";
+ }
+ print CONF "$i-$j$modp";
+ }
+ } else {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ print CONF "$i-$j";
+ }
}
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
print CONF "\n";
}
}
- if ($lconfighash{$key}[23]) {
- print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
- }
- # IKE V1
- print CONF "\tkeyexchange=ikev1\n";
+ # IKE V1 or V2
+ if (! $lconfighash{$key}[29]) {
+ $lconfighash{$key}[29] = "ikev1";
+ }
+ print CONF "\tkeyexchange=$lconfighash{$key}[29]\n";
# Lifetimes
print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
print CONF "\tdpdtimeout=120\n";
print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
- # Disable pfs ?
- print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
-
# Build Authentication details: LEFTid RIGHTid : PSK psk
my $psk_line;
if ($lconfighash{$key}[4] eq 'psk') {
# Automatically start only if a net-to-net connection
if ($lconfighash{$key}[3] eq 'host') {
print CONF "\tauto=add\n";
+ print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
} else {
print CONF "\tauto=start\n";
}
close(SECRETS);
}
+# Hook to regenerate the configuration files.
+if ($ENV{"REMOTE_ADDR"} eq "") {
+ writeipsecfiles;
+ exit(0);
+}
+
###
### Save main settings
###
goto SAVE_ERROR;
}
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
- $errormessage = $Lang::tr{'vpn mtu invalid'};
+ if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
+ $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
- unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
- $errormessage = $Lang::tr{'invalid input'};
- goto SAVE_ERROR;
- }
-
- map ($vpnsettings{$_} = $cgiparams{$_},
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
+ $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
- $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
- $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
+ $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
if (&vpnenabled) {
nsComment="OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
+ extendedKeyUsage = serverAuth
END
;
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
$cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
$cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
$cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
$cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
$cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
$cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
}
if ($cgiparams{'REMOTE'}) {
- if (! &General::validip($cgiparams{'REMOTE'})) {
+ if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
$errormessage = $Lang::tr{'invalid input for remote host/ip'};
goto VPNCONF_ERROR;
# Allow nothing or a string (DN,FDQN,) beginning with @
# with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
- if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
- ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
+ if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
+ ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
(($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
) {
$errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
'FQDN: @ipfire.org<br />' .
'USER_FQDN: info@ipfire.org<br />' .
- 'IPV4_ADDR: @123.123.123.123';
+ 'IPV4_ADDR: 123.123.123.123';
goto VPNCONF_ERROR;
}
# If Auth is DN, verify existance of Remote ID.
goto VPNCONF_ERROR;
}
+
+ if ($cgiparams{'TYPE'} eq 'net'){
+ $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
+ if ($errormessage ne ''){
+ goto VPNCONF_ERROR;
+ }
+
+ }
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
$errormessage = $Lang::tr{'pre-shared key is too short'};
$confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
$confighash{$key}[10] = $cgiparams{'REMOTE'};
$confighash{$key}[25] = $cgiparams{'REMARK'};
- $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+ $confighash{$key}[26] = ""; # Formerly INTERFACE
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
+ $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
#dont forget advanced value
$confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
$cgiparams{'DPD_ACTION'} = 'restart';
}
- # Default is yes for 'pfs'
- $cgiparams{'PFS'} = 'on';
-
+ # Default IKE Version to v2
+ if (!$cgiparams{'IKE_VERSION'}) {
+ $cgiparams{'IKE_VERSION'} = 'ikev2';
+ }
+
# ID are empty
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20];
$cgiparams{'IKE_LIFETIME'} = '1'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'VHOST'} = 'on'; #[14];
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = '';
- $selected{'INTERFACE'}{'ORANGE'} = '';
- $selected{'INTERFACE'}{'GREEN'} = '';
- $selected{'INTERFACE'}{'BLUE'} = '';
- $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
-
$selected{'DPD_ACTION'}{'clear'} = '';
$selected{'DPD_ACTION'}{'hold'} = '';
$selected{'DPD_ACTION'}{'restart'} = '';
$selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+ $selected{'IKE_VERSION'}{'ikev1'} = '';
+ $selected{'IKE_VERSION'}{'ikev2'} = '';
+ $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
$blob = "<img src='/blob.gif' alt='*' />";
};
- print "<tr><td>$Lang::tr{'host ip'}:</td>";
- print "<td><select name='INTERFACE'>";
- print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED ($vpnsettings{'VPN_IP'})</option>";
- print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN ($netsettings{'GREEN_ADDRESS'})</option>";
- print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE ($netsettings{'BLUE_ADDRESS'})</option>" if ($netsettings{'BLUE_DEV'} ne '');
- print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE ($netsettings{'ORANGE_ADDRESS'})</option>" if ($netsettings{'ORANGE_DEV'} ne '');
- print "</select></td>";
print <<END
+ <tr>
<td class='boldbase'>$Lang::tr{'remote host/ip'}: $blob</td>
- <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>
- </tr><tr>
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
- <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
+ <td>
+ <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' />
+ </td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
- <td><input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td>
- </tr><tr>
+ <td>
+ <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' />
+ </td>
+ </tr>
+ <tr>
+ <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
+ <td colspan='3'>
+ <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' />
+ </td>
+ </tr>
+ <tr>
<td class='boldbase'>$Lang::tr{'vpn local id'}:<br />($Lang::tr{'eg'} <tt>@xy.example.com</tt>)</td>
<td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td>
<td class='boldbase'>$Lang::tr{'vpn remote id'}:</td>
<td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' /></td>
</tr><tr>
</tr><td><br /></td><tr>
+ <td>$Lang::tr{'vpn keyexchange'}:</td>
+ <td><select name='IKE_VERSION'>
+ <option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
+ <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
+ </select>
+ </td>
<td>$Lang::tr{'dpd action'}:</td>
<td><select name='DPD_ACTION'>
<option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
<option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
<option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
- </select> <a href='http://www.openswan.com/docs/local/README.DPD'>?</a>
+ </select>
</td>
</tr><tr>
-<!--http://www.openswan.com/docs/local/README.DPD
- http://bugs.xelerance.com/view.php?id=156
- restart = clear + reinitiate connection
--->
<td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></td>
<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
</tr>
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {
+ if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes128|3des)$/) {
+ if ($val !~ /^(aes256|aes192|aes128|3des)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {
+ if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
}
if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
- $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096)$/) {
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
ADVANCED_ERROR:
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
$checked{'IKE_ENCRYPTION'}{'3des'} = '';
my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
$checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha2_384'} = '';
$checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
$checked{'IKE_INTEGRITY'}{'sha'} = '';
$checked{'IKE_INTEGRITY'}{'md5'} = '';
+ $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
$checked{'IKE_GROUPTYPE'}{'768'} = '';
# 768 is not supported by strongswan
$checked{'IKE_GROUPTYPE'}{'768'} = '';
-
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
$checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha2_384'} = '';
$checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
$checked{'ESP_INTEGRITY'}{'sha1'} = '';
$checked{'ESP_INTEGRITY'}{'md5'} = '';
+ $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
$checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
<tr><td class='boldbase' align='right' valign='top'>$Lang::tr{'ike encryption'}</td><td class='boldbase' valign='top'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='4'>
<option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
+ <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
<option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
<option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
</select></td>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'ike integrity'}</td><td class='boldbase' valign='top'>
<select name='IKE_INTEGRITY' multiple='multiple' size='4'>
- <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA</option>
+ <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
+ <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
+ <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
+ <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option>
<option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
+ <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
</select></td>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'ike grouptype'}</td><td class='boldbase' valign='top'>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'esp encryption'}</td><td class='boldbase' valign='top'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='4'>
<option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
+ <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
<option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
<option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'esp integrity'}</td><td class='boldbase' valign='top'>
<select name='ESP_INTEGRITY' multiple='multiple' size='4'>
+ <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
+ <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
+ <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
<option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
- <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option></select></td>
+ <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option>
+ <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
+ </select></td>
<td class='boldbase' align='right' valign='top'>$Lang::tr{'esp grouptype'}</td><td class='boldbase' valign='top'>
<select name='ESP_GROUPTYPE'>
&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
$cgiparams{'CA_NAME'} = '';
- my @status = `/usr/local/bin/ipsecctrl I`;
+ my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
# suggest a default name for this side
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
$cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
- $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
- map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
+ $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
<td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
<td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
</tr>
-END
- ;
- print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}: <img src='/blob.gif' alt='*' /></td>
- <td ><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>
- </tr>
END
;
print <<END
<td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
<td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
</tr>
+ <tr>
+ <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}: <img src='/blob.gif' alt='*' /></td>
+ <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
+ </tr>
</table>
-<p>$Lang::tr{'vpn watch'}:<input type='checkbox' name='VPN_WATCH' $checked{'VPN_WATCH'} /></p>
-<p>PLUTO DEBUG =
-crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} />,
-parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />,
-emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />,
-control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />,
-dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />
<hr />
<table width='100%'>
<tr>
print "<tr bgcolor='$color{'color22'}'>\n";
}
print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
- print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
+ print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
if ($confighash{$key}[2] eq '%auth-dn') {
print "<td align='left' nowrap='nowrap'>$confighash{$key}[9]</td>";
} elsif ($confighash{$key}[4] eq 'cert') {
# get real state
my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
foreach my $line (@status) {
- if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) {
+ if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
+ ($line =~ /$confighash{$key}[1]\{.*INSTALLED/))
+ {
$active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
}
}
projects / people / pmueller / ipfire-2.x.git / blobdiff