X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;fp=html%2Fcgi-bin%2Fvpnmain.cgi;h=e9d114b12f36a9f368c50e212adc7038b9524047;hp=24aeb6deaea1d691296d0eeb6b6e060f8d3f563a;hb=d7a3254acedb43995d6a6e769562576cc7ff8639;hpb=36e1dc20f4d763b8069a4c973ef8ff792786229e
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 24aeb6deae..e9d114b12f 100755
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off';
 $cgiparams{'EDIT_ADVANCED'} = 'off';
 $cgiparams{'ACTION'} = '';
 $cgiparams{'CA_NAME'} = '';
-$cgiparams{'DBG_CRYPT'} = '';
-$cgiparams{'DBG_PARSING'} = '';
-$cgiparams{'DBG_EMITTING'} = '';
-$cgiparams{'DBG_CONTROL'} = '';
-$cgiparams{'DBG_KLIPS'} = '';
-$cgiparams{'DBG_DNS'} = '';
-$cgiparams{'DBG_NAT_T'} = '';
 $cgiparams{'KEY'} = '';
 $cgiparams{'TYPE'} = '';
 $cgiparams{'ADVANCED'} = '';
-$cgiparams{'INTERFACE'} = '';
 $cgiparams{'NAME'} = '';
 $cgiparams{'LOCAL_SUBNET'} = '';
 $cgiparams{'REMOTE_SUBNET'} = '';
@@ -254,49 +246,10 @@ sub writeipsecfiles {
 flock SECRETS, 2;
 print CONF "version 2\n\n";
 print CONF "config setup\n";
- #create an ipsec Interface for each 'enabled' ones
- #loop trought configuration and add physical interfaces to the list
- my $interfaces = "\tinterfaces=\"";
- foreach my $key (keys %lconfighash) {
- next if ($lconfighash{$key}[0] ne 'on');
- $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
- }
- print CONF $interfaces . "\"\n";
-
- my $plutodebug = ''; # build debug list
- map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
- ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
- $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- #print CONF "\tklipsdebug=\"none\"\n";
- print CONF "\tplutodebug=\"$plutodebug\"\n";
- # deprecated in ipsec.conf version 2
- #print CONF "\tplutoload=%search\n";
- #print CONF "\tplutostart=%search\n";
- print CONF "\tuniqueids=yes\n";
- print CONF "\tnat_traversal=yes\n";
- print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
- print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$green_cidr";
- if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$orange_cidr";
- }
- if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$blue_cidr";
- }
- foreach my $key (keys %lconfighash) {
- if ($lconfighash{$key}[3] eq 'net') {
- print CONF ",%v4:!$lconfighash{$key}[11]";
- }
- }
- print CONF "\n\n";
+ print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
+ print CONF "\n";
 print CONF "conn %default\n";
- print CONF "\tkeyingtries=0\n";
- #strongswan doesn't know this
- #print CONF "\tdisablearrivalcheck=no\n";
+ print CONF "\tkeyingtries=%forever\n";
 print CONF "\n";
 # Add user includes to config file
@@ -329,7 +282,6 @@ sub writeipsecfiles {
 print CONF "conn $lconfighash{$key}[1]\n";
 print CONF "\tleft=$localside\n";
- print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
 my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
 print CONF "\tleftsubnet=$cidr_net\n";
 print CONF "\tleftfirewall=yes\n";
@@ -339,7 +291,6 @@ sub writeipsecfiles {
 if ($lconfighash{$key}[3] eq 'net') {
 my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
 print CONF "\trightsubnet=$cidr_net\n";
- print CONF "\trightnexthop=%defaultroute\n";
 } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
 print CONF "\trightsubnet=vhost:%no,%priv\n";
 }
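Review bot: The added `charondebug` line hard-codes every strongSwan subsystem at level 0 in one 150-character literal, which pins logging at the basic-audit level and replaces the per-subsystem DBG_* switches that the old `plutodebug` code read from `%lvpnsettings`, so an administrator can no longer raise the level from this file when diagnosing a tunnel that will not come up. If fixed levels are intended, say so in a comment above the line, e.g. `# charon log levels are fixed at basic auditing; raise a subsystem here when debugging`, and consider generating the value with `join(', ', map { "$_ 0" } qw(dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts))` so the list stays readable. `keyingtries=%forever` in `conn %default` likewise deserves a one-line comment on why unlimited retries are wanted for every connection. The body of `writeipsecfiles` starts before and continues past this hunk.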
@@ -354,6 +305,9 @@ sub writeipsecfiles {
 print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
 print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Is PFS enabled?
+ my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
+
 # Algorithms
 if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
 print CONF "\tike=";
@@ -379,11 +333,25 @@ sub writeipsecfiles {
 print CONF "\tesp=";
 my @encs = split('\|', $lconfighash{$key}[21]);
 my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
 my $comma = 0;
 foreach my $i (@encs) {
 foreach my $j (@ints) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
+ my $modp = "";
+ if ($pfs eq "on") {
+ foreach my $k (@groups) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ if ($pfs eq "on") {
+ $modp = "-modp$k";
+ } else {
+ $modp = "";
+ }
+ print CONF "$i-$j$modp";
+ }
+ } else {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ print CONF "$i-$j";
+ }
 }
 }
 if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
@@ -392,9 +360,6 @@ sub writeipsecfiles {
 print CONF "\n";
 }
 }
- if ($lconfighash{$key}[23]) {
- print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
- }
 # IKE V1 or V2
 if (! $lconfighash{$key}[29]) {
@@ -414,9 +379,6 @@ sub writeipsecfiles {
 print CONF "\tdpdtimeout=120\n";
 print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
- # Disable pfs ?
- print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
-
 # Build Authentication details: LEFTid RIGHTid : PSK psk
 my $psk_line;
 if ($lconfighash{$key}[4] eq 'psk') {
@@ -450,6 +412,12 @@ sub writeipsecfiles {
 close(SECRETS);
 }
+# Hook to regenerate the configuration files.
+if ($ENV{"REMOTE_ADDR"} eq "") {
+ writeipsecfiles;
+ exit(0);
+}
+
 ###
 ### Save main settings
 ###
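Review bot: The inner `if ($pfs eq "on")` inside the new loop over `@groups` is always true because it sits within the `if ($pfs eq "on")` branch, so its `else` arm that resets `$modp` is dead code, and `$modp` itself is declared one level higher than it is used. Collecting the proposals into a list and printing them with `join` removes that branch and the `$comma` bookkeeping that is now duplicated in both arms. Note also that `@groups` is taken from field [20] (the IKE group list): when PFS is on and that field is empty the inner loop prints nothing and the output is a bare `esp=` line, which is worth a guard if [20] can legitimately be empty here — I cannot tell from this hunk whether it can. The enclosing `writeipsecfiles` body starts and ends outside the hunk.
```perl
	my @groups = split('\|', $lconfighash{$key}[20]);
	my @proposals;
	foreach my $i (@encs) {
		foreach my $j (@ints) {
			if ($pfs eq "on") {
				push @proposals, map { "$i-$j-modp$_" } @groups;
			} else {
				push @proposals, "$i-$j";
			}
		}
	}
	print CONF join(",", @proposals);
	# … unchanged: ONLY_PROPOSED handling ([24]) …
```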
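Review bot: The new hook compares `$ENV{"REMOTE_ADDR"}` with `eq ""` and never tests definedness, so when the script is run outside the web server — the case the hook is for — the variable is normally unset and, if the file enables warnings, the comparison emits an "uninitialized value" warning before taking the intended branch; `if (!defined $ENV{'REMOTE_ADDR'} || $ENV{'REMOTE_ADDR'} eq '') {` states the intent and is quiet. The bare call `writeipsecfiles;` also departs from the file's own convention, `&writeipsecfiles();`, used on the save path further down. Because this branch tells a local invocation from a CGI request solely by that one variable, it deserves a comment making the dependency explicit, e.g. `# REMOTE_ADDR is set by the web server for every request; when it is absent we were started locally to regenerate the config.`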
@@ -466,29 +434,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 goto SAVE_ERROR;
 }
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
- $errormessage = $Lang::tr{'vpn mtu invalid'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
- $errormessage = $Lang::tr{'invalid input'};
- goto SAVE_ERROR;
- }
-
 if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
 $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
 goto SAVE_ERROR;
 }
- map ($vpnsettings{$_} = $cgiparams{$_},
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
+ $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
 $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
- $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
- $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
 $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
 &writeipsecfiles();
@@ -1298,7 +1251,6 @@ END
 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
 $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
@@ -1809,7 +1761,7 @@ END
 $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
 $confighash{$key}[10] = $cgiparams{'REMOTE'};
 $confighash{$key}[25] = $cgiparams{'REMARK'};
- $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+ $confighash{$key}[26] = ""; # Formerly INTERFACE
 $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
 $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
@@ -1867,28 +1819,25 @@ END
 $cgiparams{'DPD_ACTION'} = 'restart';
 }
- # Default IKE Version to V1
- if (! $cgiparams{'IKE_VERSION'}) {
- $cgiparams{'IKE_VERSION'} = 'ikev1';
+ # Default IKE Version to v2
+ if (!$cgiparams{'IKE_VERSION'}) {
+ $cgiparams{'IKE_VERSION'} = 'ikev2';
 }
- # Default is yes for 'pfs'
- $cgiparams{'PFS'} = 'on';
-
 # ID are empty
 $cgiparams{'LOCAL_ID'} = '';
 $cgiparams{'REMOTE_ID'} = '';
 #use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20];
 $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
 $cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
 $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'COMPRESSION'} = 'on'; #[13];
 $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
 $cgiparams{'PFS'} = 'on'; #[28];
 $cgiparams{'VHOST'} = 'on'; #[14];
@@ -1911,12 +1860,6 @@ END
 $checked{'AUTH'}{'auth-dn'} = '';
 $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = '';
- $selected{'INTERFACE'}{'ORANGE'} = '';
- $selected{'INTERFACE'}{'GREEN'} = '';
- $selected{'INTERFACE'}{'BLUE'} = '';
- $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
-
 $selected{'DPD_ACTION'}{'clear'} = '';
 $selected{'DPD_ACTION'}{'hold'} = '';
 $selected{'DPD_ACTION'}{'restart'} = '';
@@ -1983,22 +1926,24 @@ END
 $blob = "";
 };
- print "
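Review bot: The new default proposal lists keep legacy algorithms at their tail — `3des` in IKE_ENCRYPTION and ESP_ENCRYPTION, `md5` and SHA-1 (`sha`/`sha1`) in the integrity lists, and the 1024-bit group in IKE_GROUPTYPE — so every connection created with the pre-filled defaults still advertises them and a peer may settle on one, subject to ONLY_PROPOSED ([24]) and the peer's own policy. If the intent is a modern default to go with switching IKE_VERSION to `ikev2`, trimming the tails, e.g. `$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128';` and `$cgiparams{'IKE_INTEGRITY'} = 'sha2_256';` with `1024` dropped from IKE_GROUPTYPE, would make that explicit, and the same for the ESP lists. The flip of COMPRESSION from `off` to `on` is not explained anywhere in the hunk; a one-line comment stating why compression is now enabled by default for new connections would help the next reader.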
$Lang::tr{'vpn watch'}:
-PLUTO DEBUG = -crypt:, -parsing:, -emitting:, -control:, -dns: