Commit 3724aecb authored by Ad Schellevis's avatar Ad Schellevis

(legacy/ipsec) simplify things a bit, trust "certref" config directive

parent 61c7ee6e
...@@ -132,126 +132,118 @@ function vpn_ipsec_configure() ...@@ -132,126 +132,118 @@ function vpn_ipsec_configure()
$ipmap = array(); $ipmap = array();
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
if (count($a_phase1)) { $ipsecpinghosts = "";
$ipsecpinghosts = ""; /* step through each phase1 entry */
/* step through each phase1 entry */ foreach ($a_phase1 as $ph1ent) {
foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) {
if (isset($ph1ent['disabled'])) { continue;
continue; }
}
$ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) { if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true; $aggressive_psk = true;
} }
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep)) { if (!is_ipaddr($ep)) {
continue; continue;
} }
if(!in_array($ep,$ipmap)) { if(!in_array($ep,$ipmap)) {
$ipmap[] = $ep; $ipmap[] = $ep;
} }
/* see if this tunnel has a hostname for the remote-gateway. If so, /* see if this tunnel has a hostname for the remote-gateway. If so,
try to resolve it now and add it to the list for filterdns */ try to resolve it now and add it to the list for filterdns */
if (isset ($ph1ent['mobile'])) { if (isset ($ph1ent['mobile'])) {
continue; continue;
} }
$rg = $ph1ent['remote-gateway']; $rg = $ph1ent['remote-gateway'];
if (!is_ipaddr($rg)) { if (!is_ipaddr($rg)) {
$filterdns_list[] = "{$rg}"; $filterdns_list[] = "{$rg}";
add_hostname_to_watch($rg); add_hostname_to_watch($rg);
if(! file_exists("/var/run/booting")) { if(! file_exists("/var/run/booting")) {
$rg = resolve_retry($rg); $rg = resolve_retry($rg);
}
if (!is_ipaddr($rg)) {
continue;
}
} }
if(array_search($rg, $rgmap)) { if (!is_ipaddr($rg)) {
log_error("The remote gateway {$rg} already exists on another phase 1 entry");
continue; continue;
} }
$rgmap[$ph1ent['remote-gateway']] = $rg; }
if(array_search($rg, $rgmap)) {
log_error("The remote gateway {$rg} already exists on another phase 1 entry");
continue;
}
$rgmap[$ph1ent['remote-gateway']] = $rg;
if (isset($a_phase2)) { /* step through each phase2 entry */
/* step through each phase2 entry */ foreach ($a_phase2 as $ph2ent) {
foreach ($a_phase2 as $ph2ent) { if (isset($ph2ent['disabled'])) {
if (isset($ph2ent['disabled'])) { continue;
continue; }
}
if ($ikeid != $ph2ent['ikeid']) { if ($ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue; continue;
} }
/* add an ipsec pinghosts entry */ /* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) { if ($ph2ent['pinghost']) {
if (!isset($iflist) || !is_array($iflist)) { if (!isset($iflist) || !is_array($iflist)) {
$iflist = get_configured_interface_list(); $iflist = get_configured_interface_list();
}
$viplist = get_configured_vips_list();
$srcip = null;
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if(is_ipaddrv6($ph2ent['pinghost'])) {
foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ipv6($ifent);
if (!is_ipaddrv6($interface_ip)) {
continue;
} }
$viplist = get_configured_vips_list(); if (ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = null; $srcip = $interface_ip;
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); break;
if(is_ipaddrv6($ph2ent['pinghost'])) {
foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ipv6($ifent);
if (!is_ipaddrv6($interface_ip)) {
continue;
}
if (ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
} else {
foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ip($ifent);
if (!is_ipaddrv4($interface_ip)) {
continue;
}
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
} }
/* if no valid src IP was found in configured interfaces, try the vips */ }
if (is_null($srcip)) { } else {
foreach ($viplist as $vip) { foreach ($iflist as $ifent => $ifname) {
if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { $interface_ip = get_interface_ip($ifent);
$srcip = $vip['ipaddr']; if (!is_ipaddrv4($interface_ip)) {
break; continue;
}
}
} }
$dstip = $ph2ent['pinghost']; if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
if(is_ipaddrv6($dstip)) { $srcip = $interface_ip;
$family = "inet6"; break;
} else {
$family = "inet";
} }
if (is_ipaddr($srcip)) { }
$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"; }
/* if no valid src IP was found in configured interfaces, try the vips */
if (is_null($srcip)) {
foreach ($viplist as $vip) {
if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
$srcip = $vip['ipaddr'];
break;
} }
} }
} }
$dstip = $ph2ent['pinghost'];
if(is_ipaddrv6($dstip)) {
$family = "inet6";
} else {
$family = "inet";
}
if (is_ipaddr($srcip)) {
$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
} }
} }
@file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts);
unset($ipsecpinghosts);
} }
unset($iflist); @file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts);
$cnf_add_to_charon_section = ""; $cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":""; $cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) { if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n"; $cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
} }
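Review bot: `$ipsecpinghosts` is initialised as the empty string at the top of the hunk but is then appended to with `$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"` inside the phase2 loop, relying on PHP silently promoting '' to an array; newer PHP releases reject the empty-index operator on strings, and handing a value that is sometimes a string and sometimes an array to file_put_contents hides the intent. Initialise it as `$ipsecpinghosts = array();` and write it with `@file_put_contents('/var/db/ipsecpinghosts', implode('', $ipsecpinghosts));` — each entry already ends in "\n", so the file content is unchanged. The new side also drops the `unset($iflist)` the old side had after the loop, which is only a problem if $iflist is reused later in vpn_ipsec_configure; that function starts and ends outside this hunk.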
...@@ -288,7 +280,7 @@ EOD; ...@@ -288,7 +280,7 @@ EOD;
$strongswan .= "\tplugins {\n"; $strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) { if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n"; $strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) { if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
...@@ -412,53 +404,50 @@ EOD; ...@@ -412,53 +404,50 @@ EOD;
$pskconf = ""; $pskconf = "";
if (is_array($a_phase1) && count($a_phase1)) { foreach ($a_phase1 as $ph1ent) {
foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) {
if (isset($ph1ent['disabled'])) { continue;
continue; }
}
if (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls') { if (!empty($ph1ent['certref'])) {
$certline = ''; $cert = lookup_cert($ph1ent['certref']);
$ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']);
if (empty($cert)) { if (empty($cert)) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue; continue;
} }
@chmod($certpath, 0600); @chmod($certpath, 0600);
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key"; $ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue; continue;
} }
@chmod($ph1keyfile, 0600); @chmod($ph1keyfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt"; $ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile); @unlink($ph1keyfile);
continue; continue;
} }
@chmod($ph1certfile, 0600); @chmod($ph1certfile, 0600);
/* XXX" Traffic selectors? */ /* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n"; $pskconf .= " : RSA {$ph1keyfile}\n";
} else { } else {
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) if (empty($peerid_data)) {
continue; continue;
}
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : ""; $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key'])) { if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n"; $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
} }
} }
} }
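Review bot: Choosing the certificate branch solely on `!empty($ph1ent['certref'])` means a phase1 whose authentication_method is pre_shared_key or xauth_psk_server but still carries a stale certref (for example after switching methods in the GUI, if the form does not clear the field — not visible here) has its private key written to cert-{ikeid}.key and gets an ` : RSA` line, while the `else` branch that emits the PSK line is never reached, leaving ipsec.secrets without a PSK for that tunnel. If certref is to be trusted, the save path must guarantee it is empty for non-certificate methods; otherwise keep the branch tied to the method so ipsec.secrets stays consistent with what the rest of vpn_ipsec_configure derives from authentication_method, e.g. `$use_cert = !empty($ph1ent['certref']) && !in_array($ph1ent['authentication_method'], array('pre_shared_key', 'xauth_psk_server'));` followed by `if ($use_cert) {`. The enclosing function continues outside this hunk.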
...@@ -491,7 +480,7 @@ EOD; ...@@ -491,7 +480,7 @@ EOD;
$natfilterrules = false; $natfilterrules = false;
/* begin ipsec.conf */ /* begin ipsec.conf */
$ipsecconf = ""; $ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) { if (count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n"; $ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n"; $ipsecconf .= "config setup\n\tuniqueids = yes\n";
// parse debug tags // parse debug tags
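Review bot: Dropping the `is_array($a_phase1)` guard leaves `count($a_phase1)` as the only check, and its initialisation is outside this hunk; if it can ever be a non-array scalar, count() returns 1 on older PHP (and throws on PHP 8), so ipsec.conf generation would proceed into a foreach over a non-array. If the variable is always seeded with array() earlier in vpn_ipsec_configure this is fine; otherwise `if (!empty($a_phase1)) {` covers both the null and the empty-array case without assuming the type.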
...@@ -522,7 +511,6 @@ EOD; ...@@ -522,7 +511,6 @@ EOD;
continue; continue;
} }
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1"; $keyexchange = "ikev1";
$passive = "route"; $passive = "route";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
...@@ -640,9 +628,9 @@ EOD; ...@@ -640,9 +628,9 @@ EOD;
$ealgoESPsp2arr = array(); $ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) { if (count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) { foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) { if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue; continue;
} }
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){ if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
...@@ -655,7 +643,7 @@ EOD; ...@@ -655,7 +643,7 @@ EOD;
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile") if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) {
$left_spec = '%any'; $left_spec = '%any';
} else { } else {
if ($localid_type != "address") { if ($localid_type != "address") {
......