X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=2e3ef9a5705c38e5a34b937e7a89b21823c61104;hp=831ef93bf1f8c11b59bece2644e97a7364db18b7;hb=26dfc86a7be473138c60e1a869e51b30db346a0f;hpb=4a8dc4556aed707286cf3930f57d62362d85a6f8 diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 831ef93bf..2e3ef9a57 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -316,9 +316,16 @@ sub writeipsecfiles { foreach my $j (@ints) { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j-modp$k"; - } + + my @l = split("", $k); + if ($l[0] eq "e") { + shift @l; + print CONF "$i-$j-ecp".join("", @l); + } else { + print CONF "$i-$j-modp$k"; + } } + } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? print CONF "!\n"; @@ -339,7 +346,12 @@ sub writeipsecfiles { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } if ($pfs eq "on") { - $modp = "-modp$k"; + my @l = split("", $k); + if ($l[0] eq "e") { + $modp = ""; + } else { + $modp = "-modp$k"; + } } else { $modp = ""; } @@ -411,7 +423,7 @@ sub writeipsecfiles { # Hook to regenerate the configuration files. if ($ENV{"REMOTE_ADDR"} eq "") { - writeipsecfiles; + writeipsecfiles(); exit(0); } @@ -436,6 +448,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; @@ -1363,6 +1376,14 @@ END goto VPNCONF_ERROR; } +#temporary disabled (BUG 10294) +# if ($cgiparams{'TYPE'} eq 'net'){ +# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'}); +# if ($errormessage ne ''){ +# goto VPNCONF_ERROR; +# } +# +# } if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -1817,14 +1838,14 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; @@ -1975,8 +1996,6 @@ END ; &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { - my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ; - $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled); my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; @@ -1984,9 +2003,9 @@ END &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print < - + $Lang::tr{'use a pre-shared key'} - +
$Lang::tr{'upload a certificate request'} @@ -2082,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2093,7 +2112,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2104,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2123,7 +2142,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2134,13 +2153,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && - $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096)$/) { + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ && + $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2205,14 +2225,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ADVANCED_ERROR: $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; $checked{'IKE_INTEGRITY'}{'sha'} = ''; $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'IKE_GROUPTYPE'}{'768'} = ''; @@ -2229,16 +2252,18 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || # 768 is not supported by strongswan $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; $checked{'ESP_INTEGRITY'}{'sha1'} = ''; $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'"; @@ -2276,18 +2301,28 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'ike encryption'} $Lang::tr{'ike integrity'} $Lang::tr{'ike grouptype'} + $Lang::tr{'esp integrity'} + + + $Lang::tr{'esp grouptype'}