From f6529a04a398643edeea679f79b15912f8a6fc94 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 10 Sep 2015 13:35:24 +0100
Subject: [PATCH] IPsec: Add option to force using MOBIKE

Some peers that are behind a NAT router that fails to properly forward IKE packets on UDP port 500 cannot establish an IPsec connection. MOBIKE tries to solve that by sending these packets to UDP port 4500 instead.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/94/filelists/files | 1 +
 doc/language_issues.de | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 html/cgi-bin/vpnmain.cgi | 27 +++++++++++++++++++++++-
 langs/en/cgi-bin/en.pl | 1 +
 11 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files
index 625b017822..9b08114065 100644
--- a/config/rootfiles/core/94/filelists/files
+++ b/config/rootfiles/core/94/filelists/files
@@ -3,6 +3,7 @@ etc/issue
 etc/rc.d/init.d/sshd
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/mail.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
 var/ipfire/menu.d/40-services.menu
 var/ipfire/network-functions.pl
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 0d86987569..dd1a4c1556 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -651,4 +651,5 @@ WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: show tls-auth key
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 2a502006b9..866c556be0 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index aa4951d80e..2dbe26b579 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1062,6 +1062,7 @@ WARNING: untranslated string: urlfilter mode block
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 1669e79f6d..88f816f009 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -720,6 +720,7 @@ WARNING: untranslated string: samba join a domain
 WARNING: untranslated string: samba join domain
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 11d76577bb..7f857f1f5f 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -769,6 +769,7 @@ WARNING: untranslated string: ta key
 WARNING: untranslated string: uncheck all
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: vendor
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 2a502006b9..866c556be0 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index d2215b6df4..74dca5477e 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1040,6 +1040,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index a9d633273b..1dcc1db400 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -697,6 +697,7 @@ WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 8c44b7e93a..9f3c645e1a 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -108,6 +108,7 @@ $cgiparams{'ROOTCERT_STATE'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
+$cgiparams{'FORCE_MOBIKE'} = 'off';
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 ###
@@ -360,6 +361,11 @@ sub writeipsecfiles {
 # Compression
 print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
 
+# Force MOBIKE?
+if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
+print CONF "\tmobike=yes\n";
+}
+
 # Dead Peer Detection
 my $dpdaction = $lconfighash{$key}[27];
 print CONF "\tdpdaction=$dpdaction\n";
@@ -1286,6 +1292,7 @@ END
 $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -1768,7 +1775,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
-foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
+foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
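Review bot: In the new `# Force MOBIKE?` block of `writeipsecfiles`, `$lconfighash{$key}[32]` is undefined for every connection saved before this commit, because only freshly created entries are widened by the `0 .. 32` loop in the `@@ -1768` hunk; `undef eq 'on'` is false so the output is right, but if the file runs under `use warnings` each such connection logs an uninitialised-value warning every time the config is regenerated. Guarding the read keeps the log clean: `if (($lconfighash{$key}[29] eq "ikev2") && (($lconfighash{$key}[32] || '') eq 'on')) {`. Note also that the off state writes nothing, so whether MOBIKE is really disabled then depends on the daemon's default for `mobike`, which this hunk does not show; a short comment such as `# off relies on the daemon default for mobike` would make that explicit. The body of `writeipsecfiles` begins before and continues after this hunk.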
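Review bot: The widened initialisation loop `foreach my $i (0 .. 32)` is the third place in this commit where the bare index 32 (and 29 for the IKE version) is spelled out, so the next field added must be kept in sync by hand across the loop, `writeipsecfiles` and the two save paths. A named upper bound, e.g. `my $CONFIG_FIELDS = 32;` declared once near the top of the file and used as `foreach my $i (0 .. $CONFIG_FIELDS)`, would make the width a single edit. This is a style remark only; the loop itself is correct. The enclosing save block starts before this hunk.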
@@ -1810,6 +1817,7 @@ END
 $confighash{$key}[14] = $cgiparams{'VHOST'};
 $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
+$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
 
 #free unused fields!
 $confighash{$key}[6] = 'off';
@@ -1858,6 +1866,10 @@ END
 $cgiparams{'DPD_TIMEOUT'} = 120;
 }
 
+if (!$cgiparams{'FORCE_MOBIKE'}) {
+$cgiparams{'FORCE_MOBIKE'} = 'no';
+}
+
 # Default IKE Version to v2
 if (!$cgiparams{'IKE_VERSION'}) {
 $cgiparams{'IKE_VERSION'} = 'ikev2';
@@ -1935,6 +1947,7 @@ END + END ; if ($cgiparams{'KEY'}) {
@@ -2206,6 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || if ( ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
+($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
 ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
 ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
 ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
@@ -2241,6 +2255,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
 $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
+$confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
 if (&vpnenabled) {
@@ -2268,6 +2283,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+$cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
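Review bot: `$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};` stores the submitted form value verbatim in this save path, while the `/^(|on|off)$/` whitelist the same commit adds in the `@@ -2206` hunk only runs for the advanced-settings action; no equivalent check for FORCE_MOBIKE is visible in this handler. Unless it is validated earlier outside the hunk, an arbitrary string from the request ends up in `vpn/config`; `writeipsecfiles` only emits `mobike=yes` on an exact `'on'`, so it does not reach ipsec.conf, but the stored field should still be normalised rather than trusted, e.g. `$confighash{$key}[32] = ($cgiparams{'FORCE_MOBIKE'} eq 'on') ? 'on' : 'off';`. The enclosing save block starts before this hunk and continues after it.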
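Review bot: The fallback `$cgiparams{'FORCE_MOBIKE'} = 'no';` disagrees with the rest of the commit, which initialises the parameter to `'off'` in the `@@ -108` hunk and accepts only `''`, `'on'` or `'off'` in the whitelist of the `@@ -2206` hunk; if this value is ever echoed into a form field and posted back to the advanced handler it would be rejected there. Change the line to `$cgiparams{'FORCE_MOBIKE'} = 'off';` so the three places agree. Because the top-of-file default is already `'off'`, this block mainly matters when the value was loaded from an older config entry whose field 32 is empty. The enclosing block starts before this hunk.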
@@ -2362,6 +2378,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
 
 $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
+$checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
@@ -2605,6 +2622,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + + + + + EOF ; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index ef5f50b3e9..c770402507 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2648,6 +2648,7 @@
 'vpn configuration main' => 'VPN Configuration',
 'vpn delayed start' => 'Delay before launching VPN (seconds)',
 'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.',
+'vpn force mobike' => 'Force using MOBIKE (only IKEv2)',
 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute not allowed',
 'vpn keyexchange' => 'Keyexchange',
 'vpn local id' => 'Local ID',
-- 
2.39.2