sub checksubnets
{
- my %ccdconfhash=();
- my @ccdconf=();
- my $ccdname=$_[0];
- my $ccdnet=$_[1];
+ my %ccdconfhash=();
+ my %ovpnconfhash=();
+ my %vpnconf=();
+ my %ipsecconf=();
+ my %ownnet=();
+ my %ovpnconf=();
+ my @ccdconf=();
+ my $ccdname=$_[0];
+ my $ccdnet=$_[1];
+ my $ownnet=$_[2];
my $errormessage;
my ($ip,$cidr)=split(/\//,$ccdnet);
$cidr=&iporsubtocidr($cidr);
+
#get OVPN-Subnet (dynamic range)
- my %ovpnconf=();
&readhash("${General::swroot}/ovpn/settings", \%ovpnconf);
my ($ovpnip,$ovpncidr)= split (/\//,$ovpnconf{'DOVPN_SUBNET'});
$ovpncidr=&iporsubtocidr($ovpncidr);
+
#check if we try to use same network as ovpn server
if ("$ip/$cidr" eq "$ovpnip/$ovpncidr") {
$errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."<br>";
return $errormessage;
}
- #check if we use a network-name/subnet that already exists
+
+ #check if we try to use same network as another ovpn N2N
+ if($ownnet ne 'ovpn'){
+ &readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfhash);
+ foreach my $key (keys %ovpnconfhash) {
+ if ($ovpnconfhash{$key}[3] eq 'net'){
+ my @ovpnnet=split (/\//,$ovpnconfhash{$key}[11]);
+ if (&IpInSubnet($ip,$ovpnnet[0],&iporsubtodec($ovpnnet[1]))){
+ $errormessage=$errormessage.$Lang::tr{'ccd err isovpnn2n'}." $ovpnconfhash{$key}[1] <br>";
+ return $errormessage;
+ }
+ }
+ }
+ }
+
+ #check if we use a network-name/subnet (static-ovpn) that already exists
&readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
foreach my $key (keys %ccdconfhash) {
@ccdconf=split(/\//,$ccdconfhash{$key}[1]);
my ($newip,$newsub) = split(/\//,$ccdnet);
if (&IpInSubnet($newip,$ccdconf[0],&iporsubtodec($ccdconf[1])))
{
- $errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."<br>";
+ $errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}." $ccdconfhash{$key}[0]<br>";
return $errormessage;
}
}
+
#check if we use a ipsec right network which is already defined
- my %ipsecconf=();
- &General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf);
- foreach my $key (keys %ipsecconf){
- if ($ipsecconf{$key}[11] ne ''){
- my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]);
- $ipsecsub=&iporsubtodec($ipsecsub);
- if($ipsecconf{$key}[1] ne $ccdname){
- if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
- $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[1]";
- return $errormessage;
+ if($ownnet ne 'ipsec'){
+ &General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf);
+ foreach my $key (keys %ipsecconf){
+ if ($ipsecconf{$key}[11] ne ''){
+ my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]);
+ $ipsecsub=&iporsubtodec($ipsecsub);
+ if($ipsecconf{$key}[1] ne $ccdname){
+ if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
+ $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[1]";
+ return $errormessage;
+ }
}
}
}
}
+
+ #check if we use the ipsec RW Network (if defined)
+ &readhash("${General::swroot}/vpn/settings", \%vpnconf);
+ if ($vpnconf{'RW_NET'} ne ''){
+ my ($ipsecrwnet,$ipsecrwsub)=split (/\//, $vpnconf{'RW_NET'});
+ if (&IpInSubnet($ip,$ipsecrwnet,&iporsubtodec($ipsecrwsub)))
+ {
+ $errormessage=$errormessage.$Lang::tr{'ccd err isipsecrw'}."<br>";
+ return $errormessage;
+ }
+ }
+
#check if we use one of ipfire's networks (green,orange,blue)
- my %ownnet=();
&readhash("${General::swroot}/ethernet/settings", \%ownnet);
- if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;}
- if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
- if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
- if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'RED_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
+ if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'GREEN_NETADDRESS'},&iporsubtodec($ownnet{'GREEN_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;}
+ if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'ORANGE_NETADDRESS'},&iporsubtodec($ownnet{'ORANGE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
+ if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'BLUE_NETADDRESS'},&iporsubtodec($ownnet{'BLUE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
+ if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'RED_NETADDRESS'},&iporsubtodec($ownnet{'RED_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
}
unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
goto VPNCONF_ERROR;
- }
-
+ }
+ #Check if remote subnet is used elsewhere
+ my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
+ $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
+ if ($warnmessage){
+ $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+ }
}
# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
&Header::closebox();
}
+ if ($warnmessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
+ print "$warnmessage<br>";
+ print "$Lang::tr{'fwdfw warn1'}<br>";
+ &Header::closebox();
+ print"<center><form method='post'><input type='submit' name='ACTION' value='ok' style='width: 5em;'></form>";
+ &Header::closepage();
+ exit 0;
+ }
+
my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
my $srunning = "no";
my $activeonrun = "";
} else {
$errormessage = $Lang::tr{'invalid key'};
}
- &General::firewall_reload();
+
###
### Choose between adding a host-net or net-net connection
###
goto VPNCONF_ERROR;
}
-#temporary disabled (BUG 10294)
-# if ($cgiparams{'TYPE'} eq 'net'){
-# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
-# if ($errormessage ne ''){
-# goto VPNCONF_ERROR;
-# }
-#
-# }
+ if ($cgiparams{'TYPE'} eq 'net'){
+ $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
+ if ($warnmessage ne ''){
+ $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) ".$warnmessage;
+ }
+ }
+
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
$errormessage = $Lang::tr{'pre-shared key is too short'};
&Header::closebox();
}
+ if ($warnmessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+ print "$warnmessage<br>";
+ print "$Lang::tr{'fwdfw warn1'}<br>";
+ &Header::closebox();
+ print"<center><form method='post'><input type='submit' name='ACTION' value='ok' style='width: 5em;'></form>";
+ &Header::closepage();
+ exit 0;
+ }
+
&Header::openbox('100%', 'left', $Lang::tr{'global settings'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
'ccd err iroute' => 'Netzadresse für Route ungültig.',
'ccd err irouteexist' => 'Diese Route wird bereits verwendet.',
'ccd err isipsecnet' => 'Diese Subnetzadresse wird bereits für ein IPsec-Netzwerk verwendet.',
+'ccd err isipsecrw' => 'Diese Subnetzadresse wird bereits für das IPsec-RW Netz verwendet.',
'ccd err isovpnnet' => 'Subnetzadresse wird für bereits für den OpenVPN-Server verwendet!',
+'ccd err isovpnn2n' => 'Subnetzadresse wird für bereits für ein OpenVPN N2N verwendet.',
'ccd err issubnet' => 'Subnetzadresse wird bereits verwendet.',
'ccd err name' => 'Es muss ein Name angegeben werden.',
'ccd err nameexist' => 'Name existiert bereits.',
'fwdfw use srcport' => 'Quellport:',
'fwdfw use srv' => 'Zielport:',
'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.',
+'fwdfw warn1' => 'Dies kann dazu führen, dass Firewallregeln auf Netze angewendet werden, für die sie nicht gedacht sind.',
'fwdfw wd_fri' => 'Fr',
'fwdfw wd_mon' => 'Mo',
'fwdfw wd_sat' => 'Sa',
'ccd err invalidnet' => 'Invalid IP address. Format: 192.168.0.0/24 or 192.168.0.0/255.255.255.0.',
'ccd err iroute' => 'Network address for route is invalid.',
'ccd err irouteexist' => 'This route is already in use.',
-'ccd err isipsecnet' => 'The given subnet address already used by an IPsec network.',
+'ccd err isipsecnet' => 'The given subnet address is already used by an IPsec network.',
+'ccd err isipsecrw' => 'The given subnet address is already used by the IPsec rw network.',
'ccd err isovpnnet' => 'Subnet address already in use for OpenVPN Server.',
+'ccd err isovpnn2n' => 'Subnet address already in use for an OpenVPN N2N.',
'ccd err issubnet' => 'Subnet address already in use.',
'ccd err name' => 'Please choose a name.',
'ccd err nameexist' => 'Name already exists.',
'fwdfw use srcport' => 'Source port:',
'fwdfw use srv' => 'Destination port:',
'fwdfw useless rule' => 'This rule is useless.',
+'fwdfw warn1' => 'This might lead to firewallrules which are applied to networks for which they are not intended to be.',
'fwdfw wd_fri' => 'Fri',
'fwdfw wd_mon' => 'Mon',
'fwdfw wd_sat' => 'Sat',