X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=8324ae7714c5df77cbad657139b94b3a94320e8c;hp=2d9058d0523dad099fbd079565a4d06799f2ff9b;hb=4d81e0f3812fc272b2515a631a2e98c4ae76a42b;hpb=2e053370ab64a3f516fc7f9e4897c5b48eae580d diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2d9058d05..8324ae771 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -69,6 +69,8 @@ if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); } +my $col=""; + $cgiparams{'ENABLED'} = 'off'; $cgiparams{'EDIT_ADVANCED'} = 'off'; $cgiparams{'ACTION'} = ''; @@ -104,7 +106,8 @@ $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; $cgiparams{'RW_NET'} = ''; - +$cgiparams{'DPD_DELAY'} = '30'; +$cgiparams{'DPD_TIMEOUT'} = '120'; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); ### @@ -384,9 +387,27 @@ sub writeipsecfiles { print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); # Dead Peer Detection - print CONF "\tdpddelay=30\n"; - print CONF "\tdpdtimeout=120\n"; - print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; + my $dpdaction = $lconfighash{$key}[27]; + print CONF "\tdpdaction=$dpdaction\n"; + + # If the dead peer detection is disabled and IKEv2 is used, + # dpddelay must be set to zero, too. + if ($dpdaction eq "none") { + if ($lconfighash{$key}[29] eq "ikev2") { + print CONF "\tdpddelay=0\n"; + } + } else { + my $dpddelay = $lconfighash{$key}[30]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[31]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; + } # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; @@ -490,7 +511,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); print <$Lang::tr{'capswarning'}: $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -
+
$Lang::tr{'upload p12 file'}: $Lang::tr{'pkcs12 file password'}: * @@ -1120,7 +1141,7 @@ END if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -1210,7 +1231,7 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'connection type'}); print <"; print< + @@ -1910,23 +1942,30 @@ END + + + END ; if ($cgiparams{'KEY'}) { print ""; + print ""; print ""; } - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}:"); + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); print ""; - print ""; - if ($cgiparams{'KEY'}) { - print ""; - } else { - print ""; + if (!$cgiparams{'KEY'}) { + print < + + + + +EOF } - print ""; - print ''; my $disabled; my $blob; @@ -1937,44 +1976,41 @@ END print < - - - - + + + - - + + + - - - - - - - - + + + - - + + + + - - - END ; @@ -2101,7 +2137,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes192|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2123,7 +2159,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2142,7 +2178,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes192|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2159,8 +2195,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && - $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)$/ && - $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096|6144|8192)$/) { + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)(bp)?$/ && + $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|2048s(256|224|160)|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2184,6 +2220,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd delay'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd timeout'}; + goto ADVANCED_ERROR; + } + + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -2197,6 +2244,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; + $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { @@ -2205,6 +2255,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } goto ADVANCED_END; } else { + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; @@ -2217,6 +2268,17 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { $cgiparams{'VHOST'} = 'off'; @@ -2228,6 +2290,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; @@ -2256,6 +2321,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; @@ -2273,8 +2341,18 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; + + $selected{'DPD_ACTION'}{'clear'} = ''; + $selected{'DPD_ACTION'}{'hold'} = ''; + $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{'none'} = ''; + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; + &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { @@ -2298,96 +2376,191 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
$Lang::tr{'name'}:$cgiparams{'NAME'}$Lang::tr{'name'}: + +
$Lang::tr{'enabled'}

$Lang::tr{'remote host/ip'}: $blob - - $Lang::tr{'remote subnet'} - + $Lang::tr{'enabled'} + + $Lang::tr{'local subnet'} +
$Lang::tr{'local subnet'} - + $Lang::tr{'remote host/ip'}: $blob + + $Lang::tr{'remote subnet'} +
$Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com)		$Lang::tr{'vpn remote id'}:

$Lang::tr{'vpn keyexchange'}: + $Lang::tr{'vpn local id'}: + + $Lang::tr{'vpn remote id'}: + $Lang::tr{'dpd action'}: +

$Lang::tr{'remark title'} * +
$Lang::tr{'remark title'} *
- - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'ike encryption'} - $Lang::tr{'ike integrity'} - $Lang::tr{'ike grouptype'} -
$Lang::tr{'ike lifetime'} - $Lang::tr{'hours'}
$Lang::tr{'esp encryption'} - $Lang::tr{'esp integrity'} - $Lang::tr{'esp grouptype'} -
$Lang::tr{'esp keylife'} - $Lang::tr{'hours'}
- IKE+ESP: $Lang::tr{'use only proposed settings'}
- $Lang::tr{'pfs yes no'}
- $Lang::tr{'vpn payload compression'}
IKEESP
$Lang::tr{'vpn keyexchange'}: + +
$Lang::tr{'encryption'} + + + +
$Lang::tr{'integrity'} + + + +
$Lang::tr{'lifetime'} + $Lang::tr{'hours'} + + $Lang::tr{'hours'} +
$Lang::tr{'grouptype'} + +
+ +

+ +

$Lang::tr{'dead peer detection'}

+ + + + + + + + + + + + + + +
$Lang::tr{'dpd action'}: + +
$Lang::tr{'dpd timeout'}: + +
$Lang::tr{'dpd delay'}: + +
+ +
+ + + + + + + + + + EOF ; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { print ""; } elsif ($confighash{$cgiparams{'KEY'}}[10]) { - print ""; + print ""; } else { - print ""; + print ""; } - print "
+ +
+ +
+ +
"; - print " $Lang::tr{'vpn vhost'}
"; - print " $Lang::tr{'vpn vhost'}
"; + print < + + + + + + +EOF + &Header::closebox(); &Header::closebigbox(); &Header::closepage(); @@ -2428,7 +2601,7 @@ EOF $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { @@ -2438,6 +2611,16 @@ EOF &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); print < @@ -2458,17 +2641,18 @@ print <$Lang::tr{'host to net vpn'}: * - + +
- + - +
*$Lang::tr{'this field may be blank'}$Lang::tr{'this field may be blank'}
**  $Lang::tr{'vpn delayed start help'}
END @@ -2478,14 +2662,14 @@ END &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); print < + - - - - - - + + + + + + END ; @@ -2495,36 +2679,41 @@ END if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { - print "\n"; + print ""; + $col="bgcolor='$color{'color20'}'"; } else { - print "\n"; + print ""; + $col="bgcolor='$color{'color22'}'"; } - print ""; - print ""; + print ""; + print ""; if ($confighash{$key}[2] eq '%auth-dn') { - print ""; + print ""; } elsif ($confighash{$key}[4] eq 'cert') { - print ""; + print ""; } else { - print ""; + print ""; } - print ""; + print ""; + my $col1="bgcolor='${Header::colourred}'"; # get real state - my $active = "
$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'common name'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'common name'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}
$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]$confighash{$key}[9]$confighash{$key}[9]$confighash{$key}[2]$confighash{$key}[2]  $confighash{$key}[25]$confighash{$key}[25]
$Lang::tr{'capsclosed'}
"; + my $active = "$Lang::tr{'capsclosed'}"; foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { - $active = "
$Lang::tr{'capsopen'}
"; + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; } } # move to blueif really down - if ($confighash{$key}[0] eq 'off' && $active =~ /${Header::colourred}/ ) { - $active = "
$Lang::tr{'capsclosed'}
"; + if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) { + $col1="bgcolor='${Header::colourblue}'"; + $active = "$Lang::tr{'capsclosed'}"; } print <$active - + $active +
@@ -2535,7 +2724,7 @@ END ; if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { print < + @@ -2544,11 +2733,11 @@ END END ; } else { - print " "; + print " "; } if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { print < + @@ -2558,7 +2747,7 @@ END END ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { print < + @@ -2567,10 +2756,10 @@ END END ; } else { - print " "; + print " "; } print < + @@ -2578,14 +2767,14 @@ END - +
- +
@@ -2630,7 +2819,7 @@ END print < - + @@ -2640,45 +2829,46 @@ END ; &Header::closebox(); - &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}:"); + &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); print < + - - - + + + EOF ; + my $col1="bgcolor='$color{'color22'}'"; + my $col2="bgcolor='$color{'color20'}'"; if (-f "${General::swroot}/ca/cacert.pem") { my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); - print < - - - + + + - - + END ; } else { # display rootcert generation buttons print < - - - + + + + END ; } @@ -2687,61 +2877,63 @@ END my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem")); print < - - - + + + - - + END ; } else { # Nothing print < - - - + + + + END ; } - my $rowcolor = 0; - if (keys %cahash > 0) { - foreach my $key (keys %cahash) { - if ($rowcolor++ % 2) { - print "\n"; - } else { - print "\n"; - } - print "\n"; - print "\n"; + my $rowcolor = 0; + if (keys %cahash > 0) { + foreach my $key (keys %cahash) { + if ($rowcolor++ % 2) { + print ""; + $col="bgcolor='$color{'color20'}'"; + } else { + print ""; + $col="bgcolor='$color{'color22'}'"; + } + print "\n"; + print "\n"; print < + - - "; print <
$Lang::tr{'name'}$Lang::tr{'subject'}$Lang::tr{'action'}$Lang::tr{'name'}$Lang::tr{'subject'}$Lang::tr{'action'}
$Lang::tr{'root certificate'}$casubject +
$Lang::tr{'root certificate'}$casubject
+
 
 
$Lang::tr{'root certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'root certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'host certificate'}$hostsubject +
$Lang::tr{'host certificate'}$hostsubject
+
- - + +
 
 
$Lang::tr{'host certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'host certificate'}:$Lang::tr{'not present'} 
$cahash{$key}[0]$cahash{$key}[1]
$cahash{$key}[0]$cahash{$key}[1]
+
+
@@ -2770,6 +2962,7 @@ END } my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "
@@ -2782,7 +2975,7 @@ END - +
$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}: