X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=b9a73e5f24c286460f292ddc5fb4084e86f3c5fb;hp=831ef93bf1f8c11b59bece2644e97a7364db18b7;hb=4e156911cc45c2788bfa7e04561e2a7e550c68b8;hpb=4503e6b7ad857ceb87b7d6fe02e1952d911634bb diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 831ef93bf..b9a73e5f2 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -23,7 +23,7 @@ use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; - +use Sort::Naturally; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -61,11 +61,11 @@ my %mainsettings = (); my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); my $blue_cidr = "# Blue not defined"; -if ($netsettings{'BLUE_DEV'}) { +if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); } my $orange_cidr = "# Orange not defined"; -if ($netsettings{'ORANGE_DEV'}) { +if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); } @@ -104,7 +104,8 @@ $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; $cgiparams{'RW_NET'} = ''; - +$cgiparams{'DPD_DELAY'} = '30'; +$cgiparams{'DPD_TIMEOUT'} = '120'; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); ### @@ -316,9 +317,16 @@ sub writeipsecfiles { foreach my $j (@ints) { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j-modp$k"; - } + + my @l = split("", $k); + if ($l[0] eq "e") { + shift @l; + print CONF "$i-$j-ecp".join("", @l); + } else { + print CONF "$i-$j-modp$k"; + } } + } } if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? print CONF "!\n"; @@ -339,7 +347,12 @@ sub writeipsecfiles { foreach my $k (@groups) { if ($comma != 0) { print CONF ","; } else { $comma = 1; } if ($pfs eq "on") { - $modp = "-modp$k"; + my @l = split("", $k); + if ($l[0] eq "e") { + $modp = ""; + } else { + $modp = "-modp$k"; + } } else { $modp = ""; } @@ -372,8 +385,8 @@ sub writeipsecfiles { print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); # Dead Peer Detection - print CONF "\tdpddelay=30\n"; - print CONF "\tdpdtimeout=120\n"; + print CONF "\tdpddelay=$lconfighash{$key}[30]\n"; + print CONF "\tdpdtimeout=$lconfighash{$key}[31]\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; # Build Authentication details: LEFTid RIGHTid : PSK psk @@ -411,7 +424,7 @@ sub writeipsecfiles { # Hook to regenerate the configuration files. if ($ENV{"REMOTE_ADDR"} eq "") { - writeipsecfiles; + writeipsecfiles(); exit(0); } @@ -436,6 +449,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SAVE_ERROR; } + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; @@ -1261,6 +1275,8 @@ END $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -1363,6 +1379,14 @@ END goto VPNCONF_ERROR; } +#temporary disabled (BUG 10294) +# if ($cgiparams{'TYPE'} eq 'net'){ +# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'}); +# if ($errormessage ne ''){ +# goto VPNCONF_ERROR; +# } +# +# } if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -1727,7 +1751,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1767,6 +1791,8 @@ END $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$key}[28] = $cgiparams{'PFS'}; $confighash{$key}[14] = $cgiparams{'VHOST'}; + $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; #free unused fields! $confighash{$key}[6] = 'off'; @@ -1817,14 +1843,14 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '1'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '8'; #[17]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'on'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; $cgiparams{'PFS'} = 'on'; #[28]; @@ -1975,8 +2001,6 @@ END ; &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { - my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ; - $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled); my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; @@ -1984,9 +2008,9 @@ END &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); print < - + $Lang::tr{'use a pre-shared key'} - +
$Lang::tr{'upload a certificate request'} @@ -2082,7 +2106,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2093,7 +2117,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2104,7 +2128,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2123,7 +2147,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes128|3des)$/) { + if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2134,13 +2158,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) { + if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } } if ($cgiparams{'ESP_GROUPTYPE'} ne '' && - $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|3072|4096)$/) { + $cgiparams{'ESP_GROUPTYPE'} !~ /^ecp(192|224|256|384|512)(bp)?$/ && + $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(1024|1536|2048|2048s(256|224|160)|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2177,6 +2202,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { @@ -2197,6 +2224,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { $cgiparams{'VHOST'} = 'off'; @@ -2205,14 +2234,20 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ADVANCED_ERROR: $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; $checked{'IKE_INTEGRITY'}{'sha'} = ''; $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'IKE_GROUPTYPE'}{'768'} = ''; @@ -2229,16 +2264,21 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || # 768 is not supported by strongswan $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; $checked{'ESP_INTEGRITY'}{'sha1'} = ''; $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'"; @@ -2273,80 +2313,171 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
$Lang::tr{'ike encryption'} - $Lang::tr{'ike integrity'} - $Lang::tr{'ike grouptype'} -
$Lang::tr{'ike lifetime'} - $Lang::tr{'hours'}
IKEESP
$Lang::tr{'encryption'} + + + +
$Lang::tr{'esp encryption'} - $Lang::tr{'esp integrity'} - $Lang::tr{'esp grouptype'} -
$Lang::tr{'esp keylife'} - $Lang::tr{'hours'}
- IKE+ESP: $Lang::tr{'use only proposed settings'}
- $Lang::tr{'pfs yes no'}
- $Lang::tr{'vpn payload compression'}
$Lang::tr{'integrity'} + + + +
$Lang::tr{'lifetime'} + $Lang::tr{'hours'} + + $Lang::tr{'hours'} +
$Lang::tr{'grouptype'} + +
+ +
+ + + + + + + + + + + + + + + + + + + + EOF ; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { print ""; } elsif ($confighash{$cgiparams{'KEY'}}[10]) { - print ""; + print ""; } else { - print ""; + print ""; } - print "
+
+ +
+ +
+ + + +
+ + + +
"; - print " $Lang::tr{'vpn vhost'}
"; - print " $Lang::tr{'vpn vhost'}
"; + print < + + + + + + +EOF + &Header::closebox(); &Header::closebigbox(); &Header::closepage(); @@ -2450,7 +2581,7 @@ END ; my $id = 0; my $gif; - foreach my $key (keys %confighash) { + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) {