vpn_ipsec_settings.php 11.6 KB
Newer Older
Ad Schellevis's avatar
Ad Schellevis committed
1 2
<?php
/*
3
	Copyright (C) 2014-2015 Deciso B.V.
Ad Schellevis's avatar
Ad Schellevis committed
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
	Copyright (C) 2014 Electric Sheep Fencing, LLC
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

29
require_once("guiconfig.inc");
Ad Schellevis's avatar
Ad Schellevis committed
30 31
require_once("filter.inc");
require_once("vpn.inc");
32
require_once("services.inc");
33
require_once("pfsense-utils.inc");
34
require_once("interfaces.inc");
Ad Schellevis's avatar
Ad Schellevis committed
35

36
if (!isset($config['ipsec'])) {
37 38
        $config['ipsec'] = array();
}
39

40 41 42 43 44 45 46 47
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // fetch form data
    $pconfig  = array();
    $pconfig['noinstalllanspd'] = isset($config['system']['noinstalllanspd']);
    $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
    foreach ($ipsec_loglevels as $lkey => $ldescr) {
        if (!empty($config['ipsec']["ipsec_{$lkey}"])) {
            $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
48
        } else {
49
            $pconfig["ipsec_{$lkey}"] = null;
50
        }
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72
    }
    $pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
    $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
    $pconfig['maxmss'] = isset($config['system']['maxmss']) ? $config['system']['maxmss'] : null;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // save form data
    $pconfig = $_POST;
    if (isset($pconfig['noinstalllanspd']) && $pconfig['noinstalllanspd'] == "yes") {
        $config['system']['noinstalllanspd'] = true;
    } elseif (isset($config['system']['noinstalllanspd'])) {
            unset($config['system']['noinstalllanspd']);
    }
    if (isset($pconfig['preferoldsa_enable']) && $pconfig['preferoldsa_enable'] == "yes") {
        $config['ipsec']['preferoldsa'] = true;
    } elseif (isset($config['ipsec']['preferoldsa'])) {
        unset($config['ipsec']['preferoldsa']);
    }
    if (is_array($config['ipsec'])) {
        foreach ($ipsec_loglevels as $lkey => $ldescr) {
            if (empty($_POST["ipsec_{$lkey}"])) {
                if (isset($config['ipsec']["ipsec_{$lkey}"])) {
                    unset($config['ipsec']["ipsec_{$lkey}"]);
73
                }
74 75
            } else {
                $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"];
76 77
            }
        }
78
    }
79

80 81 82 83
    if (isset($pconfig['failoverforcereload']) && $pconfig['failoverforcereload'] == "yes") {
        $config['ipsec']['failoverforcereload'] = true;
    } elseif (isset($config['ipsec']['failoverforcereload']))
        unset($config['ipsec']['failoverforcereload']);
84

85 86 87 88 89 90 91
    if (isset($pconfig['maxmss_enable']) && $pconfig['maxmss_enable'] == "yes") {
        $config['system']['maxmss_enable'] = true;
        if (!empty($pconfig['maxmss']) && is_numericint($pconfig['maxmss'])) {
            $config['system']['maxmss'] = $pconfig['maxmss'];
        }
    } else {
        if (isset($config['system']['maxmss_enable'])) {
92 93
            unset($config['system']['maxmss_enable']);
        }
94 95
        if (isset($config['system']['maxmss'])) {
            unset($config['system']['maxmss']);
96
        }
97
    }
98

99 100 101 102 103 104
    write_config();
    $retval = filter_configure();
    if (stristr($retval, "error") <> true) {
        $savemsg = get_std_save_message(gettext($retval));
    } else {
        $savemsg = gettext($retval);
105
    }
106 107 108 109

    vpn_ipsec_configure_preferoldsa();
    vpn_ipsec_configure();
    vpn_ipsec_configure_loglevels();
Ad Schellevis's avatar
Ad Schellevis committed
110 111 112 113 114 115 116 117
}

$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Settings"));
$shortcut_section = "ipsec";

include("head.inc");
?>

118
<body>
Ad Schellevis's avatar
Ad Schellevis committed
119 120 121 122
<?php include("fbegin.inc"); ?>

<script type="text/javascript">
//<![CDATA[
123 124 125
$( document ).ready(function() {
    maxmss_checked()
});
Ad Schellevis's avatar
Ad Schellevis committed
126 127

function maxmss_checked(obj) {
128 129 130 131 132 133 134 135 136 137
	if ($('#maxmss_enable').is(":checked")) {
    $('#maxmss').attr('disabled',false);
    $("#maxmss").addClass('show');
    $("#maxmss").removeClass('hidden');
  } else {
    $('#maxmss').attr('disabled',true);
    $("#maxmss").addClass('hidden');
    $("#maxmss").removeClass('show');
  }

Ad Schellevis's avatar
Ad Schellevis committed
138 139 140 141
}

//]]>
</script>
142
	<section class="page-content-main">
143
		<div class="container-fluid">
144
			<div class="row">
145

146 147 148 149 150 151 152 153 154
<?php
      if (isset($savemsg)) {
          print_info_box($savemsg);
      }
      if (isset($input_errors) && count($input_errors) > 0) {
          print_input_errors($input_errors);
      }
?>
        <section class="col-xs-12">
155 156
				<? $active_tab = "/vpn_ipsec_settings.php";
                include('vpn_ipsec_tabs.inc'); ?>
157
					<div class="tab-content content-box col-xs-12">
158 159
							<form action="vpn_ipsec_settings.php" method="post" name="iform" id="iform">
								<div class="table-responsive">
160 161 162 163 164 165 166 167
									<table class="table table-striped">
                    <tr>
                      <td ><strong><?=gettext("IPSec Advanced Settings"); ?></strong></td>
                      <td align="right">
                        <small><?=gettext("full help"); ?> </small>
                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_opnvpn_server" type="button"></i></a>
                      </td>
	                  </tr>
168
										<tr>
169 170 171 172 173 174 175 176 177
											<td><a id="help_for_noinstalllanspd" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("LAN security associsations"); ?></td>
											<td>
                        <input name="noinstalllanspd" type="checkbox" id="noinstalllanspd" value="yes" <?=!empty($pconfig['noinstalllanspd']) ? "checked=\"checked\""  : "";?> />
                        <strong><?=gettext("Do not install LAN SPD"); ?></strong>
                        <div class="hidden" for="help_for_noinstalllanspd">
                          <?=gettext("By default, if IPSec is enabled negating SPD are inserted to provide protection. " .
                                                  "This behaviour can be changed by enabling this setting which will prevent installing these SPDs."); ?>
                        </div>
                      </td>
178 179
										</tr>
										<tr>
180
											<td><a id="help_for_preferoldsa_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Security Associations"); ?></td>
181
											<td width="78%" class="vtable">
182 183 184 185 186 187 188
                        <input name="preferoldsa_enable" type="checkbox" id="preferoldsa_enable" value="yes" <?= !empty($pconfig['preferoldsa_enable']) ? "checked=\"checked\"" : "";?> />
                        <strong><?=gettext("Prefer older IPsec SAs"); ?></strong>
                        <div class="hidden" for="help_for_preferoldsa_enable">
                          <?=gettext("By default, if several SAs match, the newest one is " .
                                                  "preferred if it's at least 30 seconds old. Select this " .
                                                  "option to always prefer old SAs over new ones."); ?>
                        </div>
189 190 191
											</td>
										</tr>
										<tr>
192 193 194 195 196 197
											<td><a id="help_for_ipsec_debug" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPsec Debug"); ?></td>
											<td>
                        <div class="hidden" for="help_for_ipsec_debug">
												              <strong><?=gettext("Start IPSec in debug mode based on sections selected"); ?></strong> <br/>
                        </div>
<?php                   foreach ($ipsec_loglevels as $lkey => $ldescr) :
198
?>
199 200 201 202 203 204 205 206 207 208 209 210 211
                        <?=$ldescr?>
                        <select name="ipsec_<?=$lkey?>" id="ipsec_<?=$lkey?>">
<?php                   foreach (array("Silent", "Audit", "Control", "Diag", "Raw", "Highest") as $lidx => $lvalue):
?>
                          <option value="<?=$lidx?>" <?= isset($pconfig["ipsec_{$lkey}"]) && $pconfig["ipsec_{$lkey}"] == $lidx ? "selected=\"selected\"" : "";?> ?>
                              <?=$lvalue?>
                          </option>
<?php
                        endforeach; ?>
												</select>
<?php
                    endforeach; ?>
                        <div class="hidden" for="help_for_ipsec_debug">
212
												<?=gettext("Launches IPSec in debug mode so that more verbose logs " .
213 214 215 216
                                                    "will be generated to aid in troubleshooting."); ?>
                        </div>
                      </td>
                    </tr>
217
										<tr>
218 219 220 221 222 223 224 225 226 227
											<td><a id="help_for_failoverforcereloadg" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPsec Reload on Failover"); ?></td>
											<td>
                        <input name="failoverforcereload" type="checkbox" id="failoverforcereload" value="yes" <?= !empty($pconfig['failoverforcereload']) ? "checked=\"checked\"" : "";?> />
                        <strong><?=gettext("Force IPsec Reload on Failover"); ?></strong>
                        <div class="hidden" for="help_for_failoverforcereloadg">
                          <?=gettext("In some circumstances using a gateway group as the interface for " .
                                                  "an IPsec tunnel does not function properly, and IPsec must be forcefully reloaded " .
                                                  "when a failover occurs. Because this will disrupt all IPsec tunnels, this behavior" .
                                                  " is disabled by default. Check this box to force IPsec to fully reload on failover."); ?>
                        </div>
228 229 230
											</td>
										</tr>
										<tr>
231 232 233
											<td><a id="help_for_maxmss_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum MSS"); ?></td>
											<td>
												<input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?= !empty($pconfig['maxmss_enable']) ? "checked=\"checked\"" : "" ;?> onclick="maxmss_checked()" />
234
												<strong><?=gettext("Enable MSS clamping on VPN traffic"); ?></strong>
235 236
												<input name="maxmss" id="maxmss" type="text" value="<?= !empty($pconfig['maxmss']) ? $pconfig['maxmss'] : "1400";?>" <?= !empty($pconfig['maxmss_enable']) ? "disabled=\"disabled\"" : "" ;?> />
                        <div class="hidden" for="help_for_maxmss_enable">
237
												<?=gettext("Enable MSS clamping on TCP flows over VPN. " .
238 239
                                                  "This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. "); ?>
                        </div>
240 241 242
											</td>
										</tr>
										<tr>
243 244
											<td>&nbsp;</td>
											<td>
245 246 247 248 249 250
												<input name="submit" type="submit" class="btn btn-primary" value="<?=gettext("Save"); ?>" />
											</td>
										</tr>
									</table>
								</div>
							</form>
251 252 253 254 255
					  </div>
				  </section>
			  </div>
	    </div>
    </section>
256
<?php include("foot.inc");