Commit 49229ef2 authored by Ad Schellevis's avatar Ad Schellevis

(legacy) cleanup/refactor vpn_ipsec_phase1.php

parent ffb1dfd2
......@@ -55,15 +55,6 @@ $p2_ealgos = array(
'cast128' => array( 'name' => 'CAST128' ),
'des' => array( 'name' => 'DES' ));
$p1_halgos = array(
'md5' => 'MD5',
'sha1' => 'SHA1',
'sha256' => 'SHA256',
'sha384' => 'SHA384',
'sha512' => 'SHA512',
'aesxcbc' => 'AES-XCBC'
);
$p2_halgos = array(
'hmac_md5' => 'MD5',
'hmac_sha1' => 'SHA1',
......
......@@ -28,51 +28,12 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
$my_identifier_list = array(
'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ),
'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true ));
$peer_identifier_list = array(
'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ),
'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ),
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));
$p1_dhgroups = array(
1 => '1 (768 bit)',
2 => '2 (1024 bit)',
5 => '5 (1536 bit)',
14 => '14 (2048 bit)',
15 => '15 (3072 bit)',
16 => '16 (4096 bit)',
17 => '17 (6144 bit)',
18 => '18 (8192 bit)',
22 => '22 (1024(sub 160) bit)',
23 => '23 (2048(sub 224) bit)',
24 => '24 (2048(sub 256) bit)'
);
$p1_authentication_methods = array(
'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
/*
* ikeid management functions
......@@ -98,9 +59,8 @@ function ipsec_ikeid_next() {
}
if (!is_array($config['ipsec'])) {
$config['ipsec'] = array();
$config['ipsec'] = array();
}
if (!is_array($config['ipsec']['phase1'])) {
......@@ -114,393 +74,357 @@ if (!is_array($config['ipsec']['phase2'])) {
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
if (is_numericint($_GET['p1index'])) {
$p1index = $_GET['p1index'];
}
if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) {
$p1index = $_POST['p1index'];
}
if (isset($_GET['dup']) && is_numericint($_GET['dup'])) {
$p1index = $_GET['dup'];
}
if (isset($p1index) && $a_phase1[$p1index]) {
// don't copy the ikeid on dup
if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) {
$pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
}
$old_ph1ent = $a_phase1[$p1index];
$pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
if ($a_phase1[$p1index]['interface']) {
$pconfig['interface'] = $a_phase1[$p1index]['interface'];
} else {
$pconfig['interface'] = "wan";
}
list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);
if (isset($a_phase1[$p1index]['mobile'])) {
$pconfig['mobile'] = 'true';
} else {
$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
}
if (empty($a_phase1[$p1index]['iketype'])) {
$pconfig['iketype'] = "ikev1";
} else {
$pconfig['iketype'] = $a_phase1[$p1index]['iketype'];
}
$pconfig['mode'] = $a_phase1[$p1index]['mode'];
$pconfig['protocol'] = $a_phase1[$p1index]['protocol'];
$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
$pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
$pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
$pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
$pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
$pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
$pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
$pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
$pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];
if (($pconfig['authentication_method'] == "pre_shared_key") ||
($pconfig['authentication_method'] == "xauth_psk_server")) {
$pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
} else {
$pconfig['certref'] = $a_phase1[$p1index]['certref'];
$pconfig['caref'] = $a_phase1[$p1index]['caref'];
}
$pconfig['descr'] = $a_phase1[$p1index]['descr'];
$pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal'];
if (!isset($a_phase1[$p1index]['reauth_enable'])) {
$pconfig['reauth_enable'] = true;
}
if (!isset($a_phase1[$p1index]['rekey_enable'])) {
$pconfig['rekey_enable'] = true;
}
if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) {
$pconfig['dpd_enable'] = true;
$pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
$pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
}
} else {
/* defaults */
$pconfig['interface'] = "wan";
if ($config['interfaces']['lan']) {
$pconfig['localnet'] = "lan";
}
$pconfig['mode'] = "aggressive";
$pconfig['protocol'] = "inet";
$pconfig['myid_type'] = "myaddress";
$pconfig['peerid_type'] = "peeraddress";
$pconfig['authentication_method'] = "pre_shared_key";
$pconfig['ealgo'] = array( name => "3des" );
$pconfig['halgo'] = "sha1";
$pconfig['dhgroup'] = "2";
$pconfig['lifetime'] = "28800";
$pconfig['nat_traversal'] = "on";
$pconfig['dpd_enable'] = true;
$pconfig['iketype'] = "ikev1";
/* mobile client */
if ($_GET['mobile']) {
$pconfig['mobile']=true;
}
}
if (isset($_GET['dup']) && is_numericint($_GET['dup'])) {
unset($p1index);
}
if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
/* input validation */
$method = $pconfig['authentication_method'];
// Unset ca and cert if not required to avaoid storing in config
if ($method == "pre_shared_key" || $method == "xauth_psk_server") {
unset($pconfig['caref']);
unset($pconfig['certref']);
}
// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
// For RSA methods, require the CA/Cert.
switch ($method) {
case "eap-tls":
if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
}
break;
case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on
// the PSK tab, not here, so skip the check.
if ($pconfig['mobile']) {
break;
}
case "xauth_psk_server":
$reqdfields = explode(" ", "pskey");
$reqdfieldsn = array(gettext("Pre-Shared Key"));
break;
case "hybrid_rsa_server":
case "xauth_rsa_server":
case "rsasig":
$reqdfields = explode(" ", "caref certref");
$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
break;
}
if (!$pconfig['mobile']) {
$reqdfields[] = "remotegw";
$reqdfieldsn[] = gettext("Remote gateway");
}
do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime']))) {
$input_errors[] = gettext("The P1 lifetime must be an integer.");
}
if ($pconfig['remotegw']) {
if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])) {
$input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
} elseif (is_ipaddrv4($pconfig['remotegw']) && ($pconfig['protocol'] != "inet"))
$input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6");
elseif (is_ipaddrv6($pconfig['remotegw']) && ($pconfig['protocol'] != "inet6"))
$input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4");
}
if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
$t = 0;
foreach ($a_phase1 as $ph1tmp) {
if ($p1index <> $t) {
$tremotegw = $pconfig['remotegw'];
if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
}
}
$t++;
}
}
if (is_array($a_phase2) && (count($a_phase2))) {
foreach ($a_phase2 as $phase2) {
if ($phase2['ikeid'] == $pconfig['ikeid']) {
if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) {
$input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4.");
break;
}
if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) {
$input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6.");
break;
}
}
}
}
/* My identity */
if ($pconfig['myid_type'] == "myaddress") {
$pconfig['myid_data'] = "";
}
if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter an address for 'My Identifier'");
}
if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
}
if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
}
if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
}
if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
}
if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
}
if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
}
if ($pconfig['myid_type'] == "fqdn") {
if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");
}
}
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// fetch data
if (isset($_GET['dup']) && is_numericint($_GET['dup'])) {
$p1index = $_GET['dup'];
} elseif (isset($_GET['p1index']) && is_numericint($_GET['p1index'])) {
$p1index = $_GET['p1index'];
}
$pconfig = array();
// generice defaults
$pconfig['interface'] = "wan";
$pconfig['iketype'] = "ikev1";
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,halgo,dhgroup,lifetime,authentication_method,descr,nat_traversal
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,caref,reauth_enable,rekey_enable";
if (isset($p1index) && isset($a_phase1[$p1index])) {
// 1-on-1 copy
foreach (explode(",", $phase1_fields) as $fieldname) {
$fieldname = trim($fieldname);
if(isset($a_phase1[$p1index][$fieldname])) {
$pconfig[$fieldname] = $a_phase1[$p1index][$fieldname];
} elseif (!isset($pconfig[$fieldname])) {
// initialize element
$pconfig[$fieldname] = null;
}
}
// attributes with some kind of logic behind them...
if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) {
// don't copy the ikeid on dup
$pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
}
$pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
$pconfig['remotebits'] = null;
$pconfig['remotenet'] = null ;
if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($a_phase1[$p1index]['remote-subnet'],'/') !== false) {
list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);
} elseif (isset($a_phase1[$p1index]['remote-subnet'])) {
$pconfig['remotenet'] = $a_phase1[$p1index]['remote-subnet'];
}
if (isset($a_phase1[$p1index]['mobile'])) {
$pconfig['mobile'] = true;
}
} else {
/* defaults new */
if (isset($config['interfaces']['lan'])) {
$pconfig['localnet'] = "lan";
}
$pconfig['mode'] = "aggressive";
$pconfig['protocol'] = "inet";
$pconfig['myid_type'] = "myaddress";
$pconfig['peerid_type'] = "peeraddress";
$pconfig['authentication_method'] = "pre_shared_key";
$pconfig['encryption-algorithm'] = array("name" => "3des") ;
$pconfig['halgo'] = "sha1";
$pconfig['dhgroup'] = "2";
$pconfig['lifetime'] = "28800";
$pconfig['nat_traversal'] = "on";
$pconfig['iketype'] = "ikev1";
/* mobile client */
if (isset($_GET['mobile'])) {
$pconfig['mobile']=true;
}
// init empty
foreach (explode(",", $phase1_fields) as $fieldname) {
$fieldname = trim($fieldname);
if (!isset($pconfig[$fieldname])) {
$pconfig[$fieldname] = null;
}
}
if ($pconfig['myid_type'] == "user_fqdn") {
$user_fqdn = explode("@", $pconfig['myid_data']);
if (is_domain($user_fqdn[1]) == false) {
$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
}
}
}
if ($pconfig['myid_type'] == "dyn_dns") {
if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
}
}
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) {
$p1index = $_POST['p1index'];
}
$input_errors = array();
$pconfig = $_POST;
$old_ph1ent = $a_phase1[$p1index];
// Preperations to kill some settings which aren't left empty by the field.
// Unset ca and cert if not required to avoid storing in config
if ($pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server") {
unset($pconfig['caref']);
unset($pconfig['certref']);
}
// unset dpd on post
if (!isset($pconfig['dpd_enable'])) {
unset($pconfig['dpd_delay']);
unset($pconfig['dpd_maxfail']);
}
/* Peer identity */
/* My identity */
if ($pconfig['myid_type'] == "myaddress") {
$pconfig['myid_data'] = "";
}
/* Peer identity */
if ($pconfig['myid_type'] == "peeraddress") {
$pconfig['peerid_data'] = "";
}
if ($pconfig['myid_type'] == "peeraddress") {
$pconfig['peerid_data'] = "";
}
/* input validation */
$method = $pconfig['authentication_method'];
// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
// For RSA methods, require the CA/Cert.
switch ($method) {
case "eap-tls":
if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
}
break;
case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on
// the PSK tab, not here, so skip the check.
if ($pconfig['mobile']) {
break;
}
case "xauth_psk_server":
$reqdfields = explode(" ", "pre-shared-key");
$reqdfieldsn = array(gettext("Pre-Shared Key"));
break;
case "hybrid_rsa_server":
case "xauth_rsa_server":
case "rsasig":
$reqdfields = explode(" ", "caref certref");
$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
break;
}
if (empty($pconfig['mobile'])) {
$reqdfields[] = "remote-gateway";
$reqdfieldsn[] = gettext("Remote gateway");
}
// Only enforce peer ID if we are not dealing with a pure-psk mobile config.
if (!(($pconfig['authentication_method'] == "pre_shared_key") && ($pconfig['mobile']))) {
if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
}
do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
}
if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) {
$input_errors[] = gettext("The P1 lifetime must be an integer.");
}
if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
}
if (!empty($pconfig['remote-gateway'])) {
if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) {
$input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
} elseif (is_ipaddrv4($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet"))
$input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6");
elseif (is_ipaddrv6($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet6"))
$input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4");
}
if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
}
if ((!empty($pconfig['remote-gateway']) && is_ipaddr($pconfig['remote-gateway']) && !isset($pconfig['disabled']) )) {
$t = 0;
foreach ($a_phase1 as $ph1tmp) {
if ($p1index <> $t) {
if (isset($ph1tmp['remote-gateway']) && $ph1tmp['remote-gateway'] == $pconfig['remote-gateway'] && !isset($ph1tmp['disabled'])) {
$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $pconfig['remote-gateway'], $ph1tmp['descr']);
}
}
$t++;
}
}
if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) {
$input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");
}
if (isset($a_phase2) && (count($a_phase2))) {
foreach ($a_phase2 as $phase2) {
if ($phase2['ikeid'] == $pconfig['ikeid']) {
if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) {
$input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4.");
break;
}
if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) {
$input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6.");
break;
}
}
}
}
if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) {
$input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");
}
if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter an address for 'My Identifier'");
}
if ($pconfig['peerid_type'] == "fqdn") {
if (is_domain($pconfig['peerid_data']) == false) {
$input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified.");
}
}
if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
}
if ($pconfig['peerid_type'] == "user_fqdn") {
$user_fqdn = explode("@", $pconfig['peerid_data']);
if (is_domain($user_fqdn[1]) == false) {
$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
}
}
}
if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
}
if ($pconfig['dpd_enable']) {
if (!is_numeric($pconfig['dpd_delay'])) {
$input_errors[] = gettext("A numeric value must be specified for DPD delay.");
}
if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
}
if (!is_numeric($pconfig['dpd_maxfail'])) {
$input_errors[] = gettext("A numeric value must be specified for DPD retries.");
}
}
if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
}
if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") {
$input_errors[] = gettext("Valid arguments for IKE type is v1 or v2");
}
if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
}
/* build our encryption algorithms array */
$pconfig['ealgo'] = array();
$pconfig['ealgo']['name'] = $_POST['ealgo'];
if ($pconfig['ealgo_keylen']) {
$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
}
if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
}
if (!$input_errors) {
$ph1ent['ikeid'] = $pconfig['ikeid'];
$ph1ent['iketype'] = $pconfig['iketype'];
$ph1ent['disabled'] = $pconfig['disabled'] ? true : false;
$ph1ent['interface'] = $pconfig['interface'];
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the vpn_ipsec_configure() handles adding the route */
if ($pconfig['interface'] <> "wan") {
if ($old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
}
}
if ($pconfig['myid_type'] == "fqdn") {
if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");
}
}
if ($pconfig['mobile']) {
$ph1ent['mobile'] = true;
} else {
$ph1ent['remote-gateway'] = $pconfig['remotegw'];
}
if ($pconfig['myid_type'] == "user_fqdn") {
$user_fqdn = explode("@", $pconfig['myid_data']);
if (is_domain($user_fqdn[1]) == false) {
$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
}
}
$ph1ent['mode'] = $pconfig['mode'];
$ph1ent['protocol'] = $pconfig['protocol'];
$ph1ent['myid_type'] = $pconfig['myid_type'];
$ph1ent['myid_data'] = $pconfig['myid_data'];
$ph1ent['peerid_type'] = $pconfig['peerid_type'];
$ph1ent['peerid_data'] = $pconfig['peerid_data'];
$ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
$ph1ent['hash-algorithm'] = $pconfig['halgo'];
$ph1ent['dhgroup'] = $pconfig['dhgroup'];
$ph1ent['lifetime'] = $pconfig['lifetime'];
$ph1ent['pre-shared-key'] = $pconfig['pskey'];
$ph1ent['private-key'] = base64_encode($pconfig['privatekey']);
$ph1ent['certref'] = $pconfig['certref'];
$ph1ent['caref'] = $pconfig['caref'];
$ph1ent['authentication_method'] = $pconfig['authentication_method'];
$ph1ent['descr'] = $pconfig['descr'];
$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];
if (isset($pconfig['reauth_enable'])) {
$ph1ent['reauth_enable'] = true;
}
if (isset($pconfig['rekey_enable'])) {
$ph1ent['rekey_enable'] = true;
}
if ($pconfig['myid_type'] == "dyn_dns") {
if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
}
}
if (isset($pconfig['dpd_enable'])) {
$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
}
// Only enforce peer ID if we are not dealing with a pure-psk mobile config.
if (!(($pconfig['authentication_method'] == "pre_shared_key") && !empty($pconfig['mobile']))) {
if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
}
if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
}
if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
}
if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") {
$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
}
if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) {
$input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");
}
if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) {
$input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");
}
if ($pconfig['peerid_type'] == "fqdn") {
if (is_domain($pconfig['peerid_data']) == false) {
$input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified.");
}
}
if ($pconfig['peerid_type'] == "user_fqdn") {
$user_fqdn = explode("@", $pconfig['peerid_data']);
if (is_domain($user_fqdn[1]) == false) {
$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
}
}
}
/* generate unique phase1 ikeid */
if ($ph1ent['ikeid'] == 0) {
$ph1ent['ikeid'] = ipsec_ikeid_next();
}
if (!empty($pconfig['dpd_enable'])) {
if (!is_numeric($pconfig['dpd_delay'])) {
$input_errors[] = gettext("A numeric value must be specified for DPD delay.");
}
if (!is_numeric($pconfig['dpd_maxfail'])) {
$input_errors[] = gettext("A numeric value must be specified for DPD retries.");
}
}
if (isset($p1index) && $a_phase1[$p1index]) {
$a_phase1[$p1index] = $ph1ent;
} else {
$a_phase1[] = $ph1ent;
}
if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") {
$input_errors[] = gettext("Valid arguments for IKE type is v1 or v2");
}
write_config();
mark_subsystem_dirty('ipsec');
/* build our encryption algorithms array */
if (!isset($pconfig['encryption-algorithm']) || !is_array($pconfig['encryption-algorithm'])) {
$pconfig['encryption-algorithm'] = array();
}
$pconfig['encryption-algorithm']['name'] = $_POST['encryption-algorithm'];
if ($pconfig['ealgo_keylen']) {
$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
}
header("Location: vpn_ipsec.php");
exit;
}
if (count($input_errors) == 0) {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
,lifetime,pre-shared-key,certref,caref,authentication_method,descr
,nat_traversal";
foreach (explode(",",$copy_fields) as $fieldname) {
$fieldname = trim($fieldname);
if(isset($pconfig[$fieldname])) {
$ph1ent[$fieldname] = $pconfig[$fieldname];
}
}
$ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false;
$ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
if (!empty($pconfig['mobile'])) {
$ph1ent['mobile'] = true;
} else {
$ph1ent['remote-gateway'] = $pconfig['remote-gateway'];
}
if (isset($pconfig['reauth_enable'])) {
$ph1ent['reauth_enable'] = true;
}
if (isset($pconfig['rekey_enable'])) {
$ph1ent['rekey_enable'] = true;
}
if (isset($pconfig['dpd_enable'])) {
$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
}
/* generate unique phase1 ikeid */
if ($ph1ent['ikeid'] == 0) {
$ph1ent['ikeid'] = ipsec_ikeid_next();
}
if (isset($p1index) && $a_phase1[$p1index]) {
$a_phase1[$p1index] = $ph1ent;
} else {
$a_phase1[] = $ph1ent;
}
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the vpn_ipsec_configure() handles adding the route */
if ($pconfig['interface'] <> "wan") {
if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) {
mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
}
}
write_config();
mark_subsystem_dirty('ipsec');
header("Location: vpn_ipsec.php");
exit;
}
}
if ($pconfig['mobile']) {
if (!empty($pconfig['mobile'])) {
$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1"), gettext("Mobile Client"));
} else {
$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1"));
}
$shortcut_section = "ipsec";
legacy_html_escape_form_data($pconfig);
include("head.inc");
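Review bot: The cipher key length the user selects is dropped on save: under `/* build our encryption algorithms array */` the new code writes `$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];` into the old `ealgo` key, while the `copy_fields` list a few lines later persists `encryption-algorithm`, so `$ph1ent['encryption-algorithm']` never carries `keylen`; it should read `$pconfig['encryption-algorithm']['keylen'] = $_POST['ealgo_keylen'];`, with the guard written as `!empty($pconfig['ealgo_keylen'])` like the rest of the POST branch. The peer-identity cleanup in the POST branch tests the wrong field, `if ($pconfig['myid_type'] == "peeraddress") { $pconfig['peerid_data'] = ""; }` (present twice), so `peerid_data` is never cleared for a peeraddress peer; it should compare `$pconfig['peerid_type']`. On the GET side `$phase1_fields` lists `halgo`, but the entry is stored under `hash-algorithm` (see `copy_fields`), so editing an existing tunnel presumably reloads the form without its hash algorithm and a plain resave could silently change it to the first option in the select — worth confirming against the form markup, which lies outside this hunk. `mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}")` still interpolates a stored value unquoted into a shell command; wrapping it in `escapeshellarg()` would be cheap hardening while this code is being touched.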
......@@ -511,22 +435,43 @@ include("head.inc");
<script type="text/javascript">
//<![CDATA[
<?php
/* determine if we should init the key length */
$keyset = '';
if (isset($pconfig['ealgo']['keylen'])) {
if (is_numeric($pconfig['ealgo']['keylen'])) {
$keyset = $pconfig['ealgo']['keylen'];
}
}
?>
$( document ).ready(function() {
// old js code..
myidsel_change();
peeridsel_change();
methodsel_change();
ealgosel_change(<?=$keyset;?>);
dpdchkbox_change();
});
function myidsel_change() {
index = document.iform.myid_type.selectedIndex;
value = document.iform.myid_type.options[index].value;
if (value == 'myaddress')
document.getElementById('myid_data').style.visibility = 'hidden';
else
document.getElementById('myid_data').style.visibility = 'visible';
if ($("#myid_type").val() == 'myaddress') {
$("#myid_data").removeClass('show');
$("#myid_data").addClass('hidden');
} else {
$("#myid_data").removeClass('hidden');
$("#myid_data").addClass('show');
}
}
function peeridsel_change() {
index = document.iform.peerid_type.selectedIndex;
value = document.iform.peerid_type.options[index].value;
if (value == 'peeraddress')
document.getElementById('peerid_data').style.visibility = 'hidden';
else
document.getElementById('peerid_data').style.visibility = 'visible';
if ($("#peerid_type").val() == 'peeraddress') {
$("#peerid_data").removeClass('show');
$("#peerid_data").addClass('hidden');
} else {
$("#peerid_data").removeClass('hidden');
$("#peerid_data").addClass('show');
}
}
function methodsel_change() {
......@@ -559,7 +504,7 @@ function methodsel_change() {
document.getElementById('opt_cert').disabled = false;
document.getElementById('opt_ca').disabled = false;
break;
<?php if ($pconfig['mobile']) {
<?php if (!empty($pconfig['mobile'])) {
?>
case 'pre_shared_key':
document.getElementById('opt_psk').style.display = 'none';
......@@ -588,7 +533,7 @@ function ealgosel_change(bits) {
<?php
$i = 0;
foreach ($p1_ealgos as $algo => $algodata) {
if (is_array($algodata['keysel'])) {
if (isset($algodata['keysel']) && is_array($algodata['keysel'])) {
echo " case {$i}:\n";
echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
echo " document.iform.ealgo_keylen.options.length = 0;\n";
......@@ -633,525 +578,491 @@ function dpdchkbox_change() {
//]]>
</script>
<section class="page-content-main">
<div class="container-fluid">
<div class="row">
<?php
if (isset($input_errors) && count($input_errors) > 0) {
print_input_errors($input_errors);
}
?>
<section class="col-xs-12">
<section class="page-content-main">
<div class="container-fluid">
<div class="row">
<?php
if (isset($input_errors) && count($input_errors) > 0) {
print_input_errors($input_errors);
}
?>
<?php
<section class="col-xs-12">
<?php
$tab_array = array();
$tab_array[0] = array(gettext("Tunnels"), true, "vpn_ipsec.php");
$tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php");
$tab_array[2] = array(gettext("Pre-Shared Keys"), false, "vpn_ipsec_keys.php");
$tab_array[3] = array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php");
display_top_tabs($tab_array);
?>
<div class="tab-content content-box col-xs-12">
<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
<div class="table-responsive">
<table class="table table-striped table-sort">
<thead>
<tr>
<th colspan="2" class="listtopic"><?=gettext("General information"); ?></th>
</tr>
</thead>
<tbody>
?>
<div class="tab-content content-box col-xs-12">
<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
<div class="table-responsive">
<table class="table table-striped">
<tr>
<td width="22%"><b><?=gettext("General information"); ?></b></td>
<td width="78%" align="right">
<small><?=gettext("full help"); ?> </small>
<i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_opnvpn_server" type="button"></i></a>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td>
<td width="78%" class="vtable">
<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) {
echo "checked=\"checked\"";
} ?> />
<strong><?=gettext("Disable this phase1 entry"); ?></strong><br />
<span class="vexpl">
<td width="22%" valign="top"><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
<td>
<input name="disabled" type="checkbox" id="disabled" value="yes" <?=!empty($pconfig['disabled'])?"checked=\"checked\"":"";?> />
<div class="hidden" for="help_for_disabled">
<strong><?=gettext("Disable this phase1 entry"); ?></strong><br />
<?=gettext("Set this option to disable this phase1 without " .
"removing it from the list"); ?>.
</span>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Key Exchange version"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_iketype" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key Exchange version"); ?></td>
<td>
<select name="iketype" class="formselect">
<?php
$keyexchange = array("ikev1" => "V1", "ikev2" => "V2");
foreach ($keyexchange as $kidx => $name) :
?>
<option value="<?=$kidx;?>" <?php if ($kidx == $pconfig['iketype']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($name);?>
</option>
<?php
endforeach; ?>
</select> <br /> <span class="vexpl"><?=gettext("Select the KeyExchange Protocol version to be used. Usually known as IKEv1 or IKEv2."); ?>.</span>
<?php
$keyexchange = array("ikev1" => "V1", "ikev2" => "V2");
foreach ($keyexchange as $kidx => $name) :
?>
<option value="<?=$kidx;?>" <?= $kidx == $pconfig['iketype'] ? "selected=\"selected\"" : "";?> >
<?=$name;?>
</option>
<?php endforeach;
?>
</select>
<div class="hidden" for="help_for_iketype">
<?=gettext("Select the KeyExchange Protocol version to be used. Usually known as IKEv1 or IKEv2."); ?>.
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Internet Protocol"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_protocol" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internet Protocol"); ?></td>
<td>
<select name="protocol" class="formselect">
<?php
$protocols = array("inet" => "IPv4", "inet6" => "IPv6");
foreach ($protocols as $protocol => $name) :
?>
<option value="<?=$protocol;?>" <?php if ($protocol == $pconfig['protocol']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($name);?>
</option>
<?php
endforeach; ?>
</select> <br /> <span class="vexpl"><?=gettext("Select the Internet Protocol family from this dropdown"); ?>.</span>
$protocols = array("inet" => "IPv4", "inet6" => "IPv6");
foreach ($protocols as $protocol => $name) :
?>
<option value="<?=$protocol;?>" <?=$protocol == $pconfig['protocol'] ? "selected=\"selected\"" : "";?> >
<?=$name?>
</option>
<?php endforeach;
?>
</select>
<div class="hidden" for="help_for_protocol">
<?=gettext("Select the Internet Protocol family from this dropdown"); ?>.
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Interface"); ?></td>
<td width="78%" class="vtable">
<td ><a id="help_for_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface"); ?></td>
<td>
<select name="interface" class="formselect">
<?php
$interfaces = get_configured_interface_with_descr();
$carplist = get_configured_carp_interface_list();
foreach ($carplist as $cif => $carpip) {
$interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
}
$aliaslist = get_configured_ip_aliases_list();
foreach ($aliaslist as $aliasip => $aliasif) {
$interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
}
$grouplist = return_gateway_groups_array();
foreach ($grouplist as $name => $group) {
if ($group[0]['vip'] <> "") {
$vipif = $group[0]['vip'];
} else {
$vipif = $group[0]['int'];
}
$interfaces[$name] = "GW Group {$name}";
}
foreach ($interfaces as $iface => $ifacename) :
?>
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($ifacename);?>
</option>
<?php
endforeach; ?>
<?php
$interfaces = get_configured_interface_with_descr();
$carplist = get_configured_carp_interface_list();
foreach ($carplist as $cif => $carpip) {
$interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
}
$aliaslist = get_configured_ip_aliases_list();
foreach ($aliaslist as $aliasip => $aliasif) {
$interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
}
$grouplist = return_gateway_groups_array();
foreach ($grouplist as $name => $group) {
if ($group[0]['vip'] <> "") {
$vipif = $group[0]['vip'];
} else {
$vipif = $group[0]['int'];
}
$interfaces[$name] = "GW Group {$name}";
}
foreach ($interfaces as $iface => $ifacename) :
?>
<option value="<?=$iface;?>" <?= $iface == $pconfig['interface'] ? "selected=\"selected\"" : "" ?> >
<?=htmlspecialchars($ifacename);?>
</option>
<?php endforeach;
?>
</select>
<br />
<span class="vexpl"><?=gettext("Select the interface for the local endpoint of this phase1 entry"); ?>.</span>
<div class="hidden" for="help_for_interface">
<?=gettext("Select the interface for the local endpoint of this phase1 entry"); ?>.
</div>
</td>
</tr>
<?php if (!$pconfig['mobile']) :
<?php if (empty($pconfig['mobile'])) :
?>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Remote gateway"); ?></td>
<td width="78%" class="vtable">
<input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="28" value="<?=htmlspecialchars($pconfig['remotegw']);?>" />
<br />
<?=gettext("Enter the public IP address or host name of the remote gateway"); ?>
<td ><a id="help_for_remotegw" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote gateway"); ?></td>
<td>
<input name="remote-gateway" type="text" class="formfld unknown" id="remotegw" size="28" value="<?=$pconfig['remote-gateway'];?>" />
<div class="hidden" for="help_for_remotegw">
<?=gettext("Enter the public IP address or host name of the remote gateway"); ?>
</div>
</td>
</tr>
<?php
endif; ?>
<?php endif;
?>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td>
<td width="78%" class="vtable">
<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" />
<br />
<span class="vexpl">
<td><a id="help_for_remotegw" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description"); ?></td>
<td>
<input name="descr" type="text" id="descr" size="40" value="<?=$pconfig['descr'];?>" />
<div class="hidden" for="help_for_remotegw">
<?=gettext("You may enter a description here " .
"for your reference (not parsed)"); ?>.
</span>
</div>
</td>
</tr>
<tr>
<td colspan="2" class="list" height="12"></td>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><b><?=gettext("Phase 1 proposal (Authentication)"); ?></b></td>
</tr>
</tbody>
</table>
<table class="table table-striped table-sort">
<thead>
<tr>
<th colspan="2" class="listtopic"><?=gettext("Phase 1 proposal (Authentication)"); ?></th>
</tr>
</thead>
<tbody>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Authentication method"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_authmethod" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Authentication method"); ?></td>
<td>
<select name="authentication_method" class="formselect" onchange="methodsel_change()">
<?php
foreach ($p1_authentication_methods as $method_type => $method_params) :
if (!$pconfig['mobile'] && $method_params['mobile']) {
continue;
}
?>
<option value="<?=$method_type;?>" <?php if ($method_type == $pconfig['authentication_method']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($method_params['name']);?>
</option>
<?php
endforeach; ?>
<?php
$p1_authentication_methods = array(
'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
foreach ($p1_authentication_methods as $method_type => $method_params) :
if (empty($pconfig['mobile']) && $method_params['mobile']) {
continue;
}
?>
<option value="<?=$method_type;?>" <?= $method_type == $pconfig['authentication_method'] ? "selected=\"selected\"" : "";?> >
<?=$method_params['name'];?>
</option>
<?php endforeach;
?>
</select>
<br />
<span class="vexpl">
<div class="hidden" for="help_for_authmethod">
<?=gettext("Must match the setting chosen on the remote side"); ?>.
</span>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Negotiation mode"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_mode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Negotiation mode"); ?></td>
<td>
<select name="mode" class="formselect">
<?php
$modes = array("main" => "Main", "aggressive" => "Aggressive");
foreach ($modes as $mode => $mdescr) :
?>
<option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($mdescr);?>
</option>
<?php
endforeach; ?>
</select> <br /> <span class="vexpl"><?=gettext("Aggressive is more flexible, but less secure"); ?>.</span>
$modes = array("main" => "Main", "aggressive" => "Aggressive");
foreach ($modes as $mode => $mdescr) :
?>
<option value="<?=$mode;?>" <?= $mode == $pconfig['mode'] ? "selected=\"selected\"" : "" ;?> >
<?=$mdescr;?>
</option>
<?php endforeach;
?>
</select>
<div class="hidden" for="help_for_mode">
<?=gettext("Aggressive is more flexible, but less secure"); ?>.
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("My identifier"); ?></td>
<td width="78%" class="vtable">
<select name="myid_type" class="formselect" onchange="myidsel_change()">
<?php foreach ($my_identifier_list as $id_type => $id_params) :
<td ><i class="fa fa-info-circle text-muted"></i> <?=gettext("My identifier"); ?></td>
<td>
<select name="myid_type" id="myid_type" class="formselect" onchange="myidsel_change()">
<?php
$my_identifier_list = array(
'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ),
'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true ));
foreach ($my_identifier_list as $id_type => $id_params) :
?>
<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($id_params['desc']);?>
<?=$id_params['desc'];?>
</option>
<?php
endforeach; ?>
</select>
<input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=htmlspecialchars($pconfig['myid_data']);?>" />
<div id="myid_data">
<input name="myid_data" type="text" size="30" value="<?=$pconfig['myid_data'];?>" />
</div>
</td>
</tr>
<tr id="opt_peerid">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer identifier"); ?></td>
<td width="78%" class="vtable">
<select name="peerid_type" class="formselect" onchange="peeridsel_change()">
<?php
foreach ($peer_identifier_list as $id_type => $id_params) :
if ($pconfig['mobile'] && !$id_params['mobile']) {
continue;
}
?>
<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['peerid_type']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($id_params['desc']);?>
</option>
<?php
endforeach; ?>
<td ><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer identifier"); ?></td>
<td>
<select name="peerid_type" id="peerid_type" class="formselect" onchange="peeridsel_change()">
<?php
$peer_identifier_list = array(
'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ),
'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ),
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));
foreach ($peer_identifier_list as $id_type => $id_params) :
if (!empty($pconfig['mobile']) && !$id_params['mobile']) {
continue;
}
?>
<option value="<?=$id_type;?>" <?= $id_type == $pconfig['peerid_type'] ? "selected=\"selected\"" : "";?> >
<?=$id_params['desc'];?>
</option>
<?php endforeach;
?>
</select>
<input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=htmlspecialchars($pconfig['peerid_data']);?>" />
<?php if ($pconfig['mobile']) {
<input name="peerid_data" type="text" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>" />
<?php if (!empty($pconfig['mobile'])) {
?>
<br /><br /><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>.
<small><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>.</small>
<?php
} ?>
</td>
</tr>
<tr id="opt_psk">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
<td width="78%" class="vtable">
<input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>" />
<span class="vexpl">
<br />
<td ><a id="help_for_psk" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pre-Shared Key"); ?></td>
<td>
<input name="pre-shared-key" type="text" class="formfld unknown" id="pskey" size="40"
value="<?= $pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server" ? $pconfig['pre-shared-key'] : "";?>" />
<div class="hidden" for="help_for_psk">
<?=gettext("Input your Pre-Shared Key string"); ?>.
</span>
</div>
</td>
</tr>
<tr id="opt_cert">
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
<td width="78%" class="vtable">
<td ><a id="help_for_certref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("My Certificate"); ?></td>
<td>
<select name="certref" class="formselect">
<?php
if (isset($config['cert'])) :
foreach ($config['cert'] as $cert) :
$selected = "";
if ($pconfig['certref'] == $cert['refid']) {
$selected = "selected=\"selected\"";
}
?>
<option value="<?=$cert['refid'];
?>" <?=$selected;
?>><?=$cert['descr'];?></option>
<?php
endforeach;
endif; ?>
<?php
if (isset($config['cert'])) :
foreach ($config['cert'] as $cert) :
?>
<option value="<?=$cert['refid'];?>" <?= isset($pconfig['certref']) && $pconfig['certref'] == $cert['refid'] ? "selected=\"selected\"" : ""?>>
<?=$cert['descr'];?>
</option>
<?php endforeach;
endif;
?>
</select>
<br />
<span class="vexpl">
<div class="hidden" for="help_for_certref">
<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
</span>
</div>
</td>
</tr>
<tr id="opt_ca">
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_caref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("My Certificate Authority"); ?></td>
<td>
<select name="caref" class="formselect">
<?php
$config__ca = isset($config['ca']) ? $config['ca'] : array();
foreach ($config__ca as $ca) :
$selected = "";
if ($pconfig['caref'] == $ca['refid']) {
$selected = "selected=\"selected\"";
}
?>
<option value="<?=$ca['refid'];
?>" <?=$selected;
?>><?=$ca['descr'];?></option>
<?php
endforeach; ?>
$config__ca = isset($config['ca']) ? $config['ca'] : array();
foreach ($config__ca as $ca) :
$selected = "";
if ($pconfig['caref'] == $ca['refid']) {
$selected = "selected=\"selected\"";
}
?>
<option value="<?=$ca['refid'];?>" <?= isset($pconfig['caref']) && $pconfig['caref'] == $ca['refid'] ? "selected=\"selected\"":"";?>>
<?=htmlspecialchars($ca['descr']);?>
</option>
<?php endforeach;
?>
</select>
<br />
<span class="vexpl">
<div class="hidden" for="help_for_caref">
<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
</span>
</div>
</td>
</tr>
</tbody>
</table>
<table class="table table-striped table-sort">
<thead>
<tr>
<th colspan="2" class="listtopic"><?=gettext("Phase 1 proposal (Algorithms)"); ?></th>
</tr>
</thead>
<tbody>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
<td width="78%" class="vtable">
<select name="ealgo" class="formselect" onchange="ealgosel_change()">
<?php
foreach ($p1_ealgos as $algo => $algodata) :
$selected = "";
if ($algo == $pconfig['ealgo']['name']) {
$selected = " selected=\"selected\"";
}
?>
<option value="<?=$algo;?>"<?=$selected?>>
<?=htmlspecialchars($algodata['name']);?>
</option>
<?php
endforeach; ?>
<td colspan="2"><b><?=gettext("Phase 1 proposal (Algorithms)"); ?></b></td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Encryption algorithm"); ?></td>
<td>
<select name="encryption-algorithm" id="ealgo" class="formselect" onchange="ealgosel_change()">
<?php
foreach ($p1_ealgos as $algo => $algodata) :
?>
<option value="<?=$algo;?>" <?= $algo == $pconfig['encryption-algorithm']['name'] ? "selected=\"selected\"" : "" ;?>>
<?=$algodata['name'];?>
</option>
<?php
endforeach;
?>
</select>
<select name="ealgo_keylen" width="30" class="formselect">
</select>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("Hash algorithm"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_halgo" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hash algorithm"); ?></td>
<td>
<select name="halgo" class="formselect">
<?php foreach ($p1_halgos as $algo => $algoname) :
<?php
$p1_halgos = array(
'md5' => 'MD5',
'sha1' => 'SHA1',
'sha256' => 'SHA256',
'sha384' => 'SHA384',
'sha512' => 'SHA512',
'aesxcbc' => 'AES-XCBC'
);
foreach ($p1_halgos as $algo => $algoname) :
?>
<option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($algoname);?>
<option value="<?=$algo;?>" <?= $algo == $pconfig['halgo'] ? "selected=\"selected\"" : "";?>>
<?=$algoname;?>
</option>
<?php
endforeach; ?>
<?php endforeach;
?>
</select>
<br />
<span class="vexpl">
<div class="hidden" for="help_for_halgo">
<?=gettext("Must match the setting chosen on the remote side"); ?>.
</span>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("DH key group"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_dhgroup" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DH key group"); ?></td>
<td>
<select name="dhgroup" class="formselect">
<?php foreach ($p1_dhgroups as $keygroup => $keygroupname) :
<?php
$p1_dhgroups = array(
1 => '1 (768 bit)',
2 => '2 (1024 bit)',
5 => '5 (1536 bit)',
14 => '14 (2048 bit)',
15 => '15 (3072 bit)',
16 => '16 (4096 bit)',
17 => '17 (6144 bit)',
18 => '18 (8192 bit)',
22 => '22 (1024(sub 160) bit)',
23 => '23 (2048(sub 224) bit)',
24 => '24 (2048(sub 256) bit)'
);
foreach ($p1_dhgroups as $keygroup => $keygroupname) :
?>
<option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) {
echo "selected=\"selected\"";
} ?>>
<?=htmlspecialchars($keygroupname);?>
<option value="<?=$keygroup;?>" <?= $keygroup == $pconfig['dhgroup'] ? "selected=\"selected\"" : "";?>>
<?=$keygroupname;?>
</option>
<?php
endforeach; ?>
<?php endforeach;
?>
</select>
<br />
<span class="vexpl">
<div class="hidden" for="help_for_dhgroup">
<?=gettext("Must match the setting chosen on the remote side"); ?>.
</span>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td>
<td width="78%" class="vtable">
<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>" />
<?=gettext("seconds"); ?>
<td><a id="help_for_lifetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Lifetime"); ?></td>
<td>
<input name="lifetime" type="text" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>" />
<div class="hidden" for="help_for_lifetime">
<?=gettext("seconds"); ?>
</div>
</td>
</tr>
</tbody>
</table>
<table class="table table-striped table-sort">
<thead>
<tr>
<th colspan="2" class="listtopic"><?=gettext("Advanced Options"); ?></th>
</tr>
</thead>
<tbody>
<tr>
<td colspan="2"><?=gettext("Advanced Options"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Disable Rekey");?></td>
<td width="78%" class="vtable">
<input name="rekey_enable" type="checkbox" id="rekey_enable" value="yes" <?php if (isset($pconfig['rekey_enable'])) {
echo "checked=\"checked\"";
} ?> />
<?=gettext("Whether a connection should be renegotiated when it is about to expire."); ?><br />
<td><a id="help_for_rekey_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable Rekey");?></td>
<td>
<input name="rekey_enable" type="checkbox" id="rekey_enable" value="yes" <?=isset($pconfig['rekey_enable']) ? "checked=\"checked\"" : ""; ?> />
<div class="hidden" for="help_for_rekey_enable">
<?=gettext("Whether a connection should be renegotiated when it is about to expire."); ?>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Disable Reauth");?></td>
<td width="78%" class="vtable">
<input name="reauth_enable" type="checkbox" id="reauth_enable" value="yes" <?php if (isset($pconfig['reauth_enable'])) {
echo "checked=\"checked\"";
} ?> />
<?=gettext("Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."); ?><br />
<td><a id="help_for_reauth_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable Reauth");?></td>
<td>
<input name="reauth_enable" type="checkbox" id="reauth_enable" value="yes" <?= isset($pconfig['reauth_enable']) ? "checked=\"checked\"" : "";?> />
<div class="hidden" for="help_for_reauth_enable">
<?=gettext("Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."); ?>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("NAT Traversal"); ?></td>
<td width="78%" class="vtable">
<td><a id="help_for_nat_traversal" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NAT Traversal"); ?></td>
<td>
<select name="nat_traversal" class="formselect">
<option value="off" <?php if ($pconfig['nat_traversal'] == "off") {
echo "selected=\"selected\"";
} ?>><?=gettext("Disable"); ?></option>
<option value="on" <?php if ($pconfig['nat_traversal'] == "on") {
echo "selected=\"selected\"";
} ?>><?=gettext("Enable"); ?></option>
<option value="force" <?php if ($pconfig['nat_traversal'] == "force") {
echo "selected=\"selected\"";
} ?>><?=gettext("Force"); ?></option>
<option value="off" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "off" ? "selected=\"selected\"" :"" ;?> >
<?=gettext("Disable"); ?>
</option>
<option value="on" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "on" ? "selected=\"selected\"" :"" ;?> >
<?=gettext("Enable"); ?>
</option>
<option value="force" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "force" ? "selected=\"selected\"" :"" ;?> >
<?=gettext("Force"); ?>
</option>
</select>
<br />
<span class="vexpl">
<?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
"which can help with clients that are behind restrictive firewalls"); ?>.
</span>
<div class="hidden" for="help_for_nat_traversal">
<?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
"which can help with clients that are behind restrictive firewalls"); ?>.
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Dead Peer Detection"); ?></td>
<td width="78%" class="vtable">
<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if (isset($pconfig['dpd_enable'])) {
echo "checked=\"checked\"";
} ?> onclick="dpdchkbox_change()" />
<?=gettext("Enable DPD"); ?><br />
<td><a id="help_for_dpd_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Dead Peer Detection"); ?></td>
<td>
<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?=!empty($pconfig['dpd_delay']) && !empty($pconfig['dpd_maxfail'])?"checked=\"checked\"":"";?> onclick="dpdchkbox_change()" />
<div class="hidden" for="help_for_dpd_enable">
<?=gettext("Enable DPD"); ?>
</div>
<div id="opt_dpd">
<br />
<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=htmlspecialchars($pconfig['dpd_delay']);?>" />
<?=gettext("seconds"); ?><br />
<span class="vexpl">
<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>" />
<?=gettext("seconds"); ?>
<div class="hidden" for="help_for_dpd_enable">
<?=gettext("Delay between requesting peer acknowledgement"); ?>.
</span><br />
</div>
<br />
<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=htmlspecialchars($pconfig['dpd_maxfail']);?>" />
<?=gettext("retries"); ?><br />
<span class="vexpl">
<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>" />
<?=gettext("retries"); ?>
<div class="hidden" for="help_for_dpd_enable">
<?=gettext("Number of consecutive failures allowed before disconnect"); ?>.
</span>
<br />
</div>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<?php if (isset($p1index) && $a_phase1[$p1index]) :
<td>&nbsp;</td>
<td>
<?php if (isset($p1index) && isset($a_phase1[$p1index]) && !(isset($_GET['dup']) && is_numericint($_GET['dup']))) :
?>
<input name="p1index" type="hidden" value="<?=htmlspecialchars($p1index);?>" />
<input name="p1index" type="hidden" value="<?=$p1index;?>" />
<?php
endif; ?>
<?php if ($pconfig['mobile']) :
<?php if (!empty($pconfig['mobile'])) :
?>
<input name="mobile" type="hidden" value="true" />
<?php
endif; ?>
<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" />
<input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>" />
<input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save"); ?>" />
</td>
</tr>
</tbody>
</table>
</div>
</form>
</div>
</section>
</div>
</tbody>
</table>
</div>
</form>
</div>
</section>
</div>
</section>
</div>
</section>
<script type="text/javascript">
//<![CDATA[
<?php
/* determine if we should init the key length */
$keyset = '';
if (isset($pconfig['ealgo']['keylen'])) {
if (is_numeric($pconfig['ealgo']['keylen'])) {
$keyset = $pconfig['ealgo']['keylen'];
}
}
?>
myidsel_change();
peeridsel_change();
methodsel_change();
ealgosel_change(<?=$keyset;?>);
dpdchkbox_change();
//]]>
</script>
<?php include("foot.inc");
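Review bot: The new side drops the `htmlspecialchars()` wrapper the old lines had on values echoed into `value=""` attributes — `remote-gateway`, `descr`, `myid_data`, `peerid_data`, `pre-shared-key`, `lifetime`, `dpd_delay`, `dpd_maxfail`, `ikeid` and the hidden `p1index` — e.g. `value="<?=$pconfig['remote-gateway'];?>"`. If, as the `print_input_errors` path at the top of the form suggests, `$pconfig` is refilled from `$_POST` when validation fails, a value containing `"` closes the attribute and becomes reflected (and, once saved, stored) script injection in the admin UI. Restore the escaping on each of these, e.g. `value="<?=htmlspecialchars($pconfig['remote-gateway']);?>"`, and apply it to `$cert['descr']` as well, since the neighbouring `caref` select now escapes `$ca['descr']` while the `certref` select does not. Separately, the Description row reuses `id="help_for_remotegw"` for its help icon and `<div for=...>`, producing duplicate ids and tying the description help to the remote-gateway toggle; give it its own `help_for_descr`.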