X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=e1a82009452d629b0a092ac933c4a7f8946ea15d;hp=280055ebae473bde00babf9f134e06303fc1c74d;hb=86525dfc52009003a0976fb8df135ba0808ae121;hpb=d7501a96b72a4c0d2602230cf6cb7a17fa39b8fe
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 280055eba..e1a820094 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# Copyright (C) 2007-2011 IPFire Team info@ipfire.org #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -58,6 +58,17 @@ my %mainsettings = ();
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+
+my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
+my $blue_cidr = "# Blue not defined";
+if ($netsettings{'BLUE_DEV'}) {
+ $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
+}
+my $orange_cidr = "# Orange not defined";
+if ($netsettings{'ORANGE_DEV'}) {
+ $orange_cidr = &General::ipcidr("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
+}
+
$cgiparams{'ENABLED'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
@@ -100,6 +111,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = '';
$cgiparams{'ROOTCERT_OU'} = '';
$cgiparams{'ROOTCERT_CITY'} = '';
$cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_NET'} = '';
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
@@ -248,34 +260,32 @@ sub writeipsecfiles {
foreach my $key (keys %lconfighash) {
next if ($lconfighash{$key}[0] ne 'on');
$interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- #$interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- #$interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- #$interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
+ $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
+ $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
+ $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
}
print CONF $interfaces . "\"\n";
my $plutodebug = ''; # build debug list
map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ 'DBG_DNS'));
$plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- print CONF "\tklipsdebug=\"none\"\n";
+ #print CONF "\tklipsdebug=\"none\"\n";
print CONF "\tplutodebug=\"$plutodebug\"\n";
# deprecated in ipsec.conf version 2
#print CONF "\tplutoload=%search\n";
#print CONF "\tplutostart=%search\n";
- #Disable IKEv2 deamon
- print CONF "\tcharonstart=no\n";
print CONF "\tuniqueids=yes\n";
print CONF "\tnat_traversal=yes\n";
print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ print CONF ",%v4:!$green_cidr";
if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ print CONF ",%v4:!$orange_cidr";
}
if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ print CONF ",%v4:!$blue_cidr";
}
foreach my $key (keys %lconfighash) {
if ($lconfighash{$key}[3] eq 'net') {
@@ -289,6 +299,12 @@ sub writeipsecfiles {
#print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n";
+ # Add user includes to config file
+ print CONF "include /etc/ipsec.user.conf\n";
+ print CONF "\n";
+
+ print SECRETS "include /etc/ipsec.user.secrets\n";
+
if (-f "${General::swroot}/certs/hostkey.pem") {
print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
}
@@ -314,12 +330,15 @@ sub writeipsecfiles {
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
- print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
+ print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
+ print CONF "\tlefthostaccess=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
- print CONF "\trightsubnet=$lconfighash{$key}[11]\n";
+ my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
+ print CONF "\trightsubnet=$cidr_net\n";
print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
@@ -377,13 +396,16 @@ sub writeipsecfiles {
print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
}
+ # IKE V1 or V2
+ if (! $lconfighash{$key}[29]) {
+ $lconfighash{$key}[29] = "ikev1";
+ }
+ print CONF "\tkeyexchange=$lconfighash{$key}[29]\n";
+
# Lifetimes
print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
- # Aggresive mode
- print CONF "\taggrmode=yes\n" if ($lconfighash{$key}[12] eq 'on');
-
# Compression
print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
@@ -417,6 +439,7 @@ sub writeipsecfiles {
# Automatically start only if a net-to-net connection
if ($lconfighash{$key}[3] eq 'host') {
print CONF "\tauto=add\n";
+ print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
} else {
print CONF "\tauto=start\n";
}
@@ -453,14 +476,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SAVE_ERROR;
}
+ if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
+ $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
+ goto SAVE_ERROR;
+ }
+
map ($vpnsettings{$_} = $cgiparams{$_},
('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ 'DBG_DNS'));
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
$vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
+ $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
if (&vpnenabled) {
@@ -581,6 +610,7 @@ END
$cahash{$key}[0] = $cgiparams{'CA_NAME'};
$cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
system('/usr/local/bin/ipsecctrl', 'R');
sleep $sleepDelay;
@@ -1269,6 +1299,7 @@ END
$cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
$cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
$cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
$cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
$cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
@@ -1277,7 +1308,6 @@ END
$cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
$cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
$cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
- $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12];
$cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
$cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
$cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
@@ -1365,15 +1395,15 @@ END
# Allow nothing or a string (DN,FDQN,) beginning with @
# with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
- if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
- ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
+ if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
+ ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
(($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
) {
$errormessage = $Lang::tr{'invalid local-remote id'} . '
' .
'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*
' .
'FQDN: @ipfire.org
' .
'USER_FQDN: info@ipfire.org
' .
- 'IPV4_ADDR: @123.123.123.123';
+ 'IPV4_ADDR: 123.123.123.123';
goto VPNCONF_ERROR;
}
# If Auth is DN, verify existance of Remote ID.
@@ -1772,6 +1802,7 @@ END
$confighash{$key}[25] = $cgiparams{'REMARK'};
$confighash{$key}[26] = $cgiparams{'INTERFACE'};
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
+ $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
#dont forget advanced value
$confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
@@ -1782,7 +1813,7 @@ END
$confighash{$key}[22] = $cgiparams{'ESP_INTEGRITY'};
$confighash{$key}[23] = $cgiparams{'ESP_GROUPTYPE'};
$confighash{$key}[17] = $cgiparams{'ESP_KEYLIFE'};
- $confighash{$key}[12] = $cgiparams{'AGGRMODE'};
+ $confighash{$key}[12] = 'off'; # $cgiparams{'AGGRMODE'};
$confighash{$key}[13] = $cgiparams{'COMPRESSION'};
$confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'};
$confighash{$key}[28] = $cgiparams{'PFS'};
@@ -1827,6 +1858,11 @@ END
$cgiparams{'DPD_ACTION'} = 'restart';
}
+ # Default IKE Version to V1
+ if (! $cgiparams{'IKE_VERSION'}) {
+ $cgiparams{'IKE_VERSION'} = 'ikev1';
+ }
+
# Default is yes for 'pfs'
$cgiparams{'PFS'} = 'on';
@@ -1843,7 +1879,6 @@ END
$cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'AGGRMODE'} = 'off'; #[12];
$cgiparams{'COMPRESSION'} = 'off'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
@@ -1878,6 +1913,10 @@ END
$selected{'DPD_ACTION'}{'restart'} = '';
$selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+ $selected{'IKE_VERSION'}{'ikev1'} = '';
+ $selected{'IKE_VERSION'}{'ikev2'} = '';
+ $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
+
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage);
@@ -1906,7 +1945,6 @@ END
-
@@ -1952,13 +1990,18 @@ END