Skip to content

O
OpnSense
Commit 4638d99c authored by Ad Schellevis's avatar Ad Schellevis
Browse files
Options

(ipsec) add eap-mschapv2

parent 1e2ace87
Hide whitespace changes
Inline Side-by-side
Showing with 21 additions and 11 deletions
src/etc/inc/ipsec.inc
View file @ 4638d99c
...@@ -957,6 +957,10 @@ EOD; ...@@ -957,6 +957,10 @@ EOD;
case 'rsasig': case 'rsasig':
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; $authentication = "leftauth = pubkey\n\trightauth = pubkey";
break; break;
case 'eap-mschapv2':
$authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2";
$authentication .= "\n\teap_identity=%any";
break;
case 'hybrid_rsa_server': case 'hybrid_rsa_server':
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; $authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth"; $authentication .= "\n\trightauth2 = xauth";
......
src/www/vpn_ipsec_phase1.php
View file @ 4638d99c
...@@ -156,12 +156,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -156,12 +156,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = $_POST; $pconfig = $_POST;
$old_ph1ent = $a_phase1[$p1index]; $old_ph1ent = $a_phase1[$p1index];
// Preperations to kill some settings which aren't left empty by the field.
// Unset ca and cert if not required to avoid storing in config
if ($pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server") {
unset($pconfig['caref']);
unset($pconfig['certref']);
}
// unset dpd on post // unset dpd on post
if (!isset($pconfig['dpd_enable'])) { if (!isset($pconfig['dpd_enable'])) {
unset($pconfig['dpd_delay']); unset($pconfig['dpd_delay']);
...@@ -184,10 +178,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -184,10 +178,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// For RSA methods, require the CA/Cert. // For RSA methods, require the CA/Cert.
switch ($method) { switch ($method) {
case "eap-tls": case "eap-tls":
if ($pconfig['iketype'] != 'ikev2') { case 'eap-mschapv2':
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); if ($pconfig['iketype'] != 'ikev2') {
} $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
break; }
break;
case "pre_shared_key": case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on // If this is a mobile PSK tunnel the user PSKs go on
// the PSK tab, not here, so skip the check. // the PSK tab, not here, so skip the check.
...@@ -448,20 +443,30 @@ include("head.inc"); ...@@ -448,20 +443,30 @@ include("head.inc");
$("#authentication_method").change(function(){ $("#authentication_method").change(function(){
$(".auth_opt").hide(); $(".auth_opt").hide();
$(".auth_opt select,input").prop( "disabled", true );
switch ($("#authentication_method").val()) { switch ($("#authentication_method").val()) {
case 'eap-mschapv2':
$(".auth_eap_tls").show();
$(".auth_eap_tls select,input").prop( "disabled", false );
break;
case 'eap-tls': case 'eap-tls':
case 'hybrid_rsa_server': case 'hybrid_rsa_server':
case 'xauth_rsa_server': case 'xauth_rsa_server':
case 'rsasig': case 'rsasig':
$(".auth_eap_tls").show(); $(".auth_eap_tls").show();
$(".auth_eap_tls select,input").prop( "disabled", false );
$(".auth_eap_tls_caref").show();
$(".auth_eap_tls_caref select,input").prop( "disabled", false );
break; break;
case 'pre_shared_key': case 'pre_shared_key':
if ($("#mobile").val() == undefined) { if ($("#mobile").val() == undefined) {
$(".auth_psk").show(); $(".auth_psk").show();
$(".auth_psk select,input").prop( "disabled", false );
} }
break; break;
default: /* psk modes*/ default: /* psk modes*/
$(".auth_psk").show(); $(".auth_psk").show();
$(".auth_psk select,input").prop( "disabled", false );
break; break;
} }
}); });
...@@ -666,6 +671,7 @@ include("head.inc"); ...@@ -666,6 +671,7 @@ include("head.inc");
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
foreach ($p1_authentication_methods as $method_type => $method_params) : foreach ($p1_authentication_methods as $method_type => $method_params) :
...@@ -792,7 +798,7 @@ endforeach; ?> ...@@ -792,7 +798,7 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr class="auth_opt auth_eap_tls"> <tr class="auth_opt auth_eap_tls_caref">
<td><a id="help_for_caref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("My Certificate Authority"); ?></td> <td><a id="help_for_caref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("My Certificate Authority"); ?></td>
<td> <td>
<select name="caref" class="formselect"> <select name="caref" class="formselect">
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023