Commit 3724aecb authored by Ad Schellevis

(legacy/ipsec) simplify things a bit, trust "certref" config directive

parent 61c7ee6e
...@@ -132,7 +132,6 @@ function vpn_ipsec_configure() ...@@ -132,7 +132,6 @@ function vpn_ipsec_configure()
$ipmap = array(); $ipmap = array();
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
if (count($a_phase1)) {
$ipsecpinghosts = ""; $ipsecpinghosts = "";
/* step through each phase1 entry */ /* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
...@@ -140,8 +139,6 @@ function vpn_ipsec_configure() ...@@ -140,8 +139,6 @@ function vpn_ipsec_configure()
continue; continue;
} }
$ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) { if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true; $aggressive_psk = true;
} }
...@@ -180,14 +177,13 @@ function vpn_ipsec_configure() ...@@ -180,14 +177,13 @@ function vpn_ipsec_configure()
} }
$rgmap[$ph1ent['remote-gateway']] = $rg; $rgmap[$ph1ent['remote-gateway']] = $rg;
if (isset($a_phase2)) {
/* step through each phase2 entry */ /* step through each phase2 entry */
foreach ($a_phase2 as $ph2ent) { foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) { if (isset($ph2ent['disabled'])) {
continue; continue;
} }
if ($ikeid != $ph2ent['ikeid']) { if ($ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue; continue;
} }
...@@ -243,15 +239,11 @@ function vpn_ipsec_configure() ...@@ -243,15 +239,11 @@ function vpn_ipsec_configure()
} }
} }
} }
}
@file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts); @file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts);
unset($ipsecpinghosts);
}
unset($iflist);
$cnf_add_to_charon_section = ""; $cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":""; $cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) { if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n"; $cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
} }
...@@ -288,7 +280,7 @@ EOD; ...@@ -288,7 +280,7 @@ EOD;
$strongswan .= "\tplugins {\n"; $strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) { if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n"; $strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) { if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
...@@ -412,15 +404,12 @@ EOD; ...@@ -412,15 +404,12 @@ EOD;
$pskconf = ""; $pskconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) { if (isset($ph1ent['disabled'])) {
continue; continue;
} }
if (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls') { if (!empty($ph1ent['certref'])) {
$certline = '';
$ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']); $cert = lookup_cert($ph1ent['certref']);
if (empty($cert)) { if (empty($cert)) {
...@@ -430,14 +419,14 @@ EOD; ...@@ -430,14 +419,14 @@ EOD;
@chmod($certpath, 0600); @chmod($certpath, 0600);
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key"; $ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue; continue;
} }
@chmod($ph1keyfile, 0600); @chmod($ph1keyfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt"; $ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile); @unlink($ph1keyfile);
...@@ -451,8 +440,9 @@ EOD; ...@@ -451,8 +440,9 @@ EOD;
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) if (empty($peerid_data)) {
continue; continue;
}
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : ""; $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
...@@ -461,7 +451,6 @@ EOD; ...@@ -461,7 +451,6 @@ EOD;
} }
} }
} }
}
/* Add user PSKs */ /* Add user PSKs */
if (isset($config['system']['user']) && is_array($config['system']['user'])) { if (isset($config['system']['user']) && is_array($config['system']['user'])) {
...@@ -491,7 +480,7 @@ EOD; ...@@ -491,7 +480,7 @@ EOD;
$natfilterrules = false; $natfilterrules = false;
/* begin ipsec.conf */ /* begin ipsec.conf */
$ipsecconf = ""; $ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) { if (count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n"; $ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n"; $ipsecconf .= "config setup\n\tuniqueids = yes\n";
// parse debug tags // parse debug tags
...@@ -522,7 +511,6 @@ EOD; ...@@ -522,7 +511,6 @@ EOD;
continue; continue;
} }
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1"; $keyexchange = "ikev1";
$passive = "route"; $passive = "route";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
...@@ -640,9 +628,9 @@ EOD; ...@@ -640,9 +628,9 @@ EOD;
$ealgoESPsp2arr = array(); $ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) { if (count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) { foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) { if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue; continue;
} }
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){ if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
...@@ -655,7 +643,7 @@ EOD; ...@@ -655,7 +643,7 @@ EOD;
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile") if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) {
$left_spec = '%any'; $left_spec = '%any';
} else { } else {
if ($localid_type != "address") { if ($localid_type != "address") {
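Review bot: The new gate `if (!empty($ph1ent['certref'])) {` now decodes and writes the certificate's private key to `{$keypath}/cert-{$ph1ent['ikeid']}.key` for every enabled phase1 that still carries a certref, whereas the replaced condition did so only for RSA-based and EAP-TLS authentication methods; a PSK tunnel that retains a stale certref would now have its key material placed on disk for no use. Unless the phase1 form is guaranteed to clear `certref` when the authentication method changes (not visible in this diff), I would keep the method check alongside the new one, e.g. `if (!empty($ph1ent['certref']) && (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls')) {`. Separately, the unchanged `file_put_contents($ph1keyfile, ...)` followed by `@chmod($ph1keyfile, 0600)` creates the key file under the process umask before tightening it; creating it and setting mode 0600 before the write (or setting the umask for this section) would remove that window. The enclosing vpn_ipsec_configure() starts before and ends after the hunks shown here.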