Commit 3724aecb authored by Ad Schellevis's avatar Ad Schellevis

(legacy/ipsec) simplify things a bit, trust "certref" config directive

parent 61c7ee6e
......@@ -132,7 +132,6 @@ function vpn_ipsec_configure()
$ipmap = array();
$rgmap = array();
$filterdns_list = array();
if (count($a_phase1)) {
$ipsecpinghosts = "";
/* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) {
......@@ -140,8 +139,6 @@ function vpn_ipsec_configure()
continue;
}
$ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true;
}
......@@ -180,14 +177,13 @@ function vpn_ipsec_configure()
}
$rgmap[$ph1ent['remote-gateway']] = $rg;
if (isset($a_phase2)) {
/* step through each phase2 entry */
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) {
continue;
}
if ($ikeid != $ph2ent['ikeid']) {
if ($ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
......@@ -243,15 +239,11 @@ function vpn_ipsec_configure()
}
}
}
}
@file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts);
unset($ipsecpinghosts);
}
unset($iflist);
$cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) {
if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
}
......@@ -288,7 +280,7 @@ EOD;
$strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) {
if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
......@@ -412,15 +404,12 @@ EOD;
$pskconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
if (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls') {
$certline = '';
$ikeid = $ph1ent['ikeid'];
if (!empty($ph1ent['certref'])) {
$cert = lookup_cert($ph1ent['certref']);
if (empty($cert)) {
......@@ -430,14 +419,14 @@ EOD;
@chmod($certpath, 0600);
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
$ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue;
}
@chmod($ph1keyfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
$ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile);
......@@ -451,8 +440,9 @@ EOD;
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data))
if (empty($peerid_data)) {
continue;
}
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
......@@ -461,7 +451,6 @@ EOD;
}
}
}
}
/* Add user PSKs */
if (isset($config['system']['user']) && is_array($config['system']['user'])) {
......@@ -491,7 +480,7 @@ EOD;
$natfilterrules = false;
/* begin ipsec.conf */
$ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
if (count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
// parse debug tags
......@@ -522,7 +511,6 @@ EOD;
continue;
}
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1";
$passive = "route";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
......@@ -640,9 +628,9 @@ EOD;
$ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) {
if (count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue;
}
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
......@@ -655,7 +643,7 @@ EOD;
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) {
$left_spec = '%any';
} else {
if ($localid_type != "address") {
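Review bot: Dropping the `is_array()` guard in front of `count($a_phase1)` (the `-491` hunk, `if (count($a_phase1)) {`) and `count($a_phase2)` (the `-640` hunk) is only safe if both variables are guaranteed to be arrays; their initialisation is outside these hunks, and if either can be null or unset (the legacy pattern of aliasing a config key that may be absent), `count()` on a non-array emits a warning on PHP 7.2+ and throws a `TypeError` on PHP 8, aborting the whole IPsec configuration run instead of yielding an empty config. The same applies to the `if (count($a_phase1)) {` kept in the first hunk. A guard that keeps the simplification but tolerates a missing value is `if (!empty($a_phase1)) {` and `if (!empty($a_phase2)) {`, or alternatively initialise both to `array()` where they are assigned. The `isset($a_client[...])` simplifications are fine as written, since `isset()` on a null operand simply returns false. `vpn_ipsec_configure()` starts before the first hunk and continues past the last one.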