X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=6af5ed451cf9cc9c53f7fd0676829cbbbc73ff5a;hp=6abfa8fac229118839bde0b12c5b11089b281642;hb=64dc6c92f1b61b54744812c7de7a324ff648cdf9;hpb=4e17adadcd3c3942e7c2222485fbf88608a4477f;ds=sidebyside
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 6abfa8fac2..6af5ed451c 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1,4 +1,23 @@
 #!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
 use Net::DNS;
 use File::Copy;
@@ -6,8 +25,8 @@ use File::Temp qw/ tempfile tempdir /;
 use strict;
 # enable only the following on debugging purpose
-use warnings;
-use CGI::Carp 'fatalsToBrowser';
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
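Review bot: Commenting out `use warnings;` together with `use CGI::Carp 'fatalsToBrowser';` discards diagnostics the script should keep; only the Carp import sends interpreter error text into the HTTP response, the warnings pragma merely reports to the server error log. Keep `use warnings;` as a live line and leave only `#use CGI::Carp 'fatalsToBrowser';` commented out. A short comment such as `# fatalsToBrowser echoes error details into the HTTP response; enable only while debugging locally` would record why the import stays off.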
@@ -229,9 +248,9 @@ sub writeipsecfiles {
 foreach my $key (keys %lconfighash) {
 next if ($lconfighash{$key}[0] ne 'on');
 $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
+ $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
+ $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
+ $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
 }
 print CONF $interfaces . "\"\n";
@@ -245,6 +264,8 @@ sub writeipsecfiles {
 # deprecated in ipsec.conf version 2
 #print CONF "\tplutoload=%search\n";
 #print CONF "\tplutostart=%search\n";
+ #Disable IKEv2 deamon
+ print CONF "\tcharonstart=no\n";
 print CONF "\tuniqueids=yes\n";
 print CONF "\tnat_traversal=yes\n";
 print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
@@ -264,7 +285,8 @@ sub writeipsecfiles {
 print CONF "\n\n";
 print CONF "conn %default\n";
 print CONF "\tkeyingtries=0\n";
- print CONF "\tdisablearrivalcheck=no\n";
+ #strongswan doesn't know this
+ #print CONF "\tdisablearrivalcheck=no\n";
 print CONF "\n";
 if (-f "${General::swroot}/certs/hostkey.pem") {
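Review bot: The guards on the three rewritten lines still test `$interfaces !~ /ipsec1/` (and `/ipsec2/`, `/ipsec3/`), but the appended strings no longer contain those tokens, so the de-duplication can never fire and the same device name is appended once per enabled GREEN, BLUE or ORANGE connection. Test for the device name instead, e.g. `$interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /\Q$netsettings{'GREEN_DEV'}\E/ && $lconfighash{$key}[26] eq 'GREEN');` and the same for BLUE and ORANGE; the `\Q…\E` is needed because the device name is interpolated into a pattern. The enclosing `writeipsecfiles` starts before this hunk.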
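Review bot: The comment above the added `charonstart=no` line misspells daemon and does not say why the IKEv2 daemon is switched off for every tunnel this file generates, which a later maintainer enabling IKEv2 will want to know. Something like `# Do not start charon (strongSwan's IKEv2 daemon); the generated conns are IKEv1 only` would capture the intent, adjusted to whatever the actual reason is, since it is not visible from the diff.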
@@ -293,6 +315,7 @@ sub writeipsecfiles {
 print CONF "\tleft=$localside\n";
 print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
 print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ print CONF "\tleftfirewall=yes\n";
 print CONF "\tright=$lconfighash{$key}[10]\n";
 if ($lconfighash{$key}[3] eq 'net') {
@@ -558,6 +581,7 @@ END
 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
 $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
 sleep $sleepDelay;
@@ -1929,10 +1953,9 @@ END $Lang::tr{'remote subnet'} - $Lang::tr{'vpn local id'}: * -
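Review bot: The added `leftfirewall=yes` line is emitted for every connection without a comment, yet it hands part of the firewall policy for tunnel traffic to the IPsec updown script rather than to the rules this firewall manages itself. A one-line comment such as `# leftfirewall=yes: let the IPsec updown script insert the accept rules for this tunnel's subnets` would make the ownership explicit, and if the intent is narrower than all connections, say so. The enclosing `writeipsecfiles` starts before the hunk.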
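Review bot: The return value of `system('/usr/local/bin/ipsecctrl', 'R')` on the added line is discarded, so a failed reload leaves the new CA written to caconfig while the running daemon still does not trust it, and the user sees no error. Check it, e.g. `system('/usr/local/bin/ipsecctrl', 'R') == 0 or $errormessage = "ipsecctrl R failed: $?";`, using whatever error reporting the surrounding handler already uses (its start is outside the hunk). The list form of `system` is the right choice here since nothing passes through a shell.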
($Lang::tr{'eg'} @xy.example.com) + $Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com) - $Lang::tr{'vpn remote id'}: * + $Lang::tr{'vpn remote id'}:
@@ -2078,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
 foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) {
+ if ($val !~ /^(aes256|aes128|3des)$/) {
 $errormessage = $Lang::tr{'invalid input'};
 goto ADVANCED_ERROR;
 }
@@ -2119,7 +2142,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 goto ADVANCED_ERROR;
 }
 foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) {
+ if ($val !~ /^(aes256|aes128|3des)$/) {
 $errormessage = $Lang::tr{'invalid input'};
 goto ADVANCED_ERROR;
 }
@@ -2205,13 +2228,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
 $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
 $checked{'IKE_ENCRYPTION'}{'3des'} = '';
- $checked{'IKE_ENCRYPTION'}{'twofish256'} = '';
- $checked{'IKE_ENCRYPTION'}{'twofish128'} = '';
- $checked{'IKE_ENCRYPTION'}{'serpent256'} = '';
- $checked{'IKE_ENCRYPTION'}{'serpent128'} = '';
- $checked{'IKE_ENCRYPTION'}{'blowfish256'} = '';
- $checked{'IKE_ENCRYPTION'}{'blowfish128'} = '';
- $checked{'IKE_ENCRYPTION'}{'cast128'} = '';
 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
 foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
 $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
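Review bot: The allowed-cipher alternation `/^(aes256|aes128|3des)$/` is now written out twice, here and in the hunk at `@@ -2119`; define it once, e.g. `my $cipher_re = qr/\A(?:aes256|aes128|3des)\z/;` near the start of the advanced-settings handler and use `if ($val !~ $cipher_re)` in both loops, so the IKE and ESP lists cannot drift apart and a trailing newline in the submitted value is rejected rather than tolerated by `$`. Settings saved before this change may still carry the removed names (twofish, serpent, blowfish, cast128); when such a profile is re-submitted it now fails with `invalid input`, and the `$checked` initialisers dropped at `@@ -2205` no longer reset those keys, so the loading code (outside this diff) should probably map or discard the stale values. If keeping 3des selectable is a deliberate interoperability choice, a comment to that effect next to the pattern would stop someone from silently widening the list again.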
@@ -2233,12 +2249,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
 $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
 $checked{'ESP_ENCRYPTION'}{'3des'} = '';
- $checked{'ESP_ENCRYPTION'}{'twofish256'} = '';
- $checked{'ESP_ENCRYPTION'}{'twofish128'} = '';
- $checked{'ESP_ENCRYPTION'}{'serpent256'} = '';
- $checked{'ESP_ENCRYPTION'}{'serpent128'} = '';
- $checked{'ESP_ENCRYPTION'}{'blowfish256'} = '';
- $checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';
 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
 foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
 $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
@@ -2247,12 +2257,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $checked{'ESP_INTEGRITY'}{'md5'} = '';
 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
 foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
- $checked{'ESP_GROUPTYPE'}{'modp768'} = '';
- $checked{'ESP_GROUPTYPE'}{'modp1024'} = '';
- $checked{'ESP_GROUPTYPE'}{'modp1536'} = '';
- $checked{'ESP_GROUPTYPE'}{'modp2048'} = '';
- $checked{'ESP_GROUPTYPE'}{'modp3072'} = '';
- $checked{'ESP_GROUPTYPE'}{'modp4096'} = '';
 $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
 $checked{'AGGRMODE'} = $cgiparams{'AGGRMODE'} eq 'on' ? "checked='checked'" : '' ;
@@ -2291,19 +2295,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - - - - - - $Lang::tr{'ike integrity'}
@@ -2331,29 +2326,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - - - - - $Lang::tr{'esp integrity'} $Lang::tr{'esp grouptype'} + $Lang::tr{'esp keylife'} $Lang::tr{'hours'}
@@ -2406,7 +2387,7 @@ EOF
 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 $cgiparams{'CA_NAME'} = '';
- my @status = `/usr/sbin/ipsec auto --status`;
+ my @status = `/usr/local/bin/ipsecctrl I`;
 # suggest a default name for this side
 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
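Review bot: The rewritten backtick call `/usr/local/bin/ipsecctrl I` never inspects `$?`, so if the helper is missing, not executable or exits non-zero, `@status` is silently empty and the page renders as though no tunnel were established. Add `warn "ipsecctrl I failed: $?" if $?;` directly after it, or surface the failure through the page's error reporting, and a short comment noting that status now comes from the ipsecctrl helper rather than `ipsec auto --status` so the dependency is visible. The command string is constant, so the backticks themselves are fine here; the enclosing block starts before the hunk.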