X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=2e3ef9a5705c38e5a34b937e7a89b21823c61104;hp=e1a82009452d629b0a092ac933c4a7f8946ea15d;hb=26dfc86a7be473138c60e1a869e51b30db346a0f;hpb=86525dfc52009003a0976fb8df135ba0808ae121 diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e1a820094..2e3ef9a57 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; -$cgiparams{'DBG_CRYPT'} = ''; -$cgiparams{'DBG_PARSING'} = ''; -$cgiparams{'DBG_EMITTING'} = ''; -$cgiparams{'DBG_CONTROL'} = ''; -$cgiparams{'DBG_KLIPS'} = ''; -$cgiparams{'DBG_DNS'} = ''; -$cgiparams{'DBG_NAT_T'} = ''; $cgiparams{'KEY'} = ''; $cgiparams{'TYPE'} = ''; $cgiparams{'ADVANCED'} = ''; -$cgiparams{'INTERFACE'} = ''; $cgiparams{'NAME'} = ''; $cgiparams{'LOCAL_SUBNET'} = ''; $cgiparams{'REMOTE_SUBNET'} = ''; @@ -253,50 +245,8 @@ sub writeipsecfiles { flock CONF, 2; flock SECRETS, 2; print CONF "version 2\n\n"; - print CONF "config setup\n"; - #create an ipsec Interface for each 'enabled' ones - #loop trought configuration and add physical interfaces to the list - my $interfaces = "\tinterfaces=\""; - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED'); - $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN'); - $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE'); - $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE'); - } - print CONF $interfaces . "\"\n"; - - my $plutodebug = ''; # build debug list - map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '', - ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'. - #print CONF "\tklipsdebug=\"none\"\n"; - print CONF "\tplutodebug=\"$plutodebug\"\n"; - # deprecated in ipsec.conf version 2 - #print CONF "\tplutoload=%search\n"; - #print CONF "\tplutostart=%search\n"; - print CONF "\tuniqueids=yes\n"; - print CONF "\tnat_traversal=yes\n"; - print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne ''); - print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"; - print CONF ",%v4:!$green_cidr"; - if (length($netsettings{'ORANGE_DEV'}) > 2) { - print CONF ",%v4:!$orange_cidr"; - } - if (length($netsettings{'BLUE_DEV'}) > 2) { - print CONF ",%v4:!$blue_cidr"; - } - foreach my $key (keys %lconfighash) { - if ($lconfighash{$key}[3] eq 'net') { - print CONF ",%v4:!$lconfighash{$key}[11]"; - } - } - print CONF "\n\n"; print CONF "conn %default\n"; - print CONF "\tkeyingtries=0\n"; - #strongswan doesn't know this - #print CONF "\tdisablearrivalcheck=no\n"; + print CONF "\tkeyingtries=%forever\n"; print CONF "\n"; # Add user includes to config file @@ -329,7 +279,6 @@ sub writeipsecfiles { print CONF "conn $lconfighash{$key}[1]\n"; print CONF "\tleft=$localside\n"; - print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute'); my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); print CONF "\tleftsubnet=$cidr_net\n"; print CONF "\tleftfirewall=yes\n"; @@ -339,7 +288,6 @@ sub writeipsecfiles { if ($lconfighash{$key}[3] eq 'net') { my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); print CONF "\trightsubnet=$cidr_net\n"; - print CONF "\trightnexthop=%defaultroute\n"; } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? print CONF "\trightsubnet=vhost:%no,%priv\n"; } @@ -354,6 +302,9 @@ sub writeipsecfiles { print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; + # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { print CONF "\tike="; @@ -365,9 +316,16 @@ sub writeipsecfiles { foreach my $j (@ints) { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j-modp$k"; - } + + my @l = split("", $k); + if ($l[0] eq "e") { + shift @l; + print CONF "$i-$j-ecp".join("", @l); + } else { + print CONF "$i-$j-modp$k"; + } } + } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? print CONF "!\n"; @@ -379,11 +337,30 @@ sub writeipsecfiles { print CONF "\tesp="; my @encs = split('\|', $lconfighash{$key}[21]); my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[20]); my $comma = 0; foreach my $i (@encs) { foreach my $j (@ints) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; + my $modp = ""; + if ($pfs eq "on") { + foreach my $k (@groups) { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + if ($pfs eq "on") { + my @l = split("", $k); + if ($l[0] eq "e") { + $modp = ""; + } else { + $modp = "-modp$k"; + } + } else { + $modp = ""; + } + print CONF "$i-$j$modp"; + } + } else { + if ($comma != 0) { print CONF ","; } else { $comma = 1; } + print CONF "$i-$j"; + } } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? @@ -392,9 +369,6 @@ sub writeipsecfiles { print CONF "\n"; } } - if ($lconfighash{$key}[23]) { - print CONF "\tpfsgroup=$lconfighash{$key}[23]\n"; - } # IKE V1 or V2 if (! $lconfighash{$key}[29]) { @@ -414,9 +388,6 @@ sub writeipsecfiles { print CONF "\tdpdtimeout=120\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; - # Disable pfs ? - print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n"); - # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { @@ -450,6 +421,12 @@ sub writeipsecfiles { close(SECRETS); } +# Hook to regenerate the configuration files. +if ($ENV{"REMOTE_ADDR"} eq "") { + writeipsecfiles(); + exit(0); +} + ### ### Save main settings ### @@ -466,29 +443,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } - unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999 - $errormessage = $Lang::tr{'vpn mtu invalid'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) { - $errormessage = $Lang::tr{'invalid input'}; - goto SAVE_ERROR; - } - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; } - map ($vpnsettings{$_} = $cgiparams{$_}, - ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL', - 'DBG_DNS')); - + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'}; - $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); @@ -1031,6 +993,7 @@ END nsComment="OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always + extendedKeyUsage = serverAuth END ; print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); @@ -1297,7 +1260,6 @@ END $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; @@ -1351,7 +1313,7 @@ END } if ($cgiparams{'REMOTE'}) { - if (! &General::validip($cgiparams{'REMOTE'})) { + if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { if (! &General::validfqdn ($cgiparams{'REMOTE'})) { $errormessage = $Lang::tr{'invalid input for remote host/ip'}; goto VPNCONF_ERROR; @@ -1414,6 +1376,14 @@ END goto VPNCONF_ERROR; } +#temporary disabled (BUG 10294) +# if ($cgiparams{'TYPE'} eq 'net'){ +# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'}); +# if ($errormessage ne ''){ +# goto VPNCONF_ERROR; +# } +# +# } if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -1800,7 +1770,7 @@ END $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[26] = $cgiparams{'INTERFACE'}; + $confighash{$key}[26] = ""; # Formerly INTERFACE $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; @@ -1858,28 +1828,25 @@ END $cgiparams{'DPD_ACTION'} = 'restart'; } - # Default IKE Version to V1 - if (! $cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev1'; + # Default IKE Version to v2 + if (!$cgiparams{'IKE_VERSION'}) { + $cgiparams{'IKE_VERSION'} = 'ikev2'; } - # Default is yes for 'pfs' - $cgiparams{'PFS'} = 'on'; - # ID are empty $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '8192|6144|4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; - $cgiparams{'COMPRESSION'} = 'off'; #[13]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; $cgiparams{'VHOST'} = 'on'; #[14]; @@ -1902,12 +1869,6 @@ END $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - $selected{'INTERFACE'}{'RED'} = ''; - $selected{'INTERFACE'}{'ORANGE'} = ''; - $selected{'INTERFACE'}{'GREEN'} = ''; - $selected{'INTERFACE'}{'BLUE'} = ''; - $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'"; - $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; @@ -1974,22 +1935,24 @@ END $blob = "*"; }; - print "$Lang::tr{'host ip'}:"; - print ""; print < $Lang::tr{'remote host/ip'}: $blob - - - $Lang::tr{'local subnet'} - + + + $Lang::tr{'remote subnet'} - - + + + + + + $Lang::tr{'local subnet'} + + + + + $Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com) $Lang::tr{'vpn remote id'}: @@ -1998,22 +1961,18 @@ END
$Lang::tr{'vpn keyexchange'}: + + $Lang::tr{'dpd action'}:   ? + - $Lang::tr{'remark title'} * @@ -2037,8 +1996,6 @@ END ; &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { - my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ; - $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled); my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; @@ -2046,9 +2003,9 @@ END &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print < - + $Lang::tr{'use a pre-shared key'} - +
$Lang::tr{'upload a certificate request'} @@ -2144,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2155,7 +2112,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2166,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2185,7 +2142,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2196,13 +2153,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && - $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096)$/) { + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ && + $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2267,14 +2225,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ADVANCED_ERROR: $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; $checked{'IKE_INTEGRITY'}{'sha'} = ''; $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'IKE_GROUPTYPE'}{'768'} = ''; @@ -2291,16 +2252,18 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || # 768 is not supported by strongswan $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; $checked{'ESP_INTEGRITY'}{'sha1'} = ''; $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'"; @@ -2338,18 +2301,28 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'ike encryption'} $Lang::tr{'ike integrity'} $Lang::tr{'ike grouptype'} + $Lang::tr{'esp integrity'} + + + $Lang::tr{'esp grouptype'} $Lang::tr{'enabled'} -END - ; - print < - $Lang::tr{'override mtu'}: * - - END ; print < -

$Lang::tr{'vpn watch'}:

-

PLUTO DEBUG = -crypt:,  -parsing:,  -emitting:,  -control:,  -dns: