Commit 9b8fdf53 authored by Ad Schellevis's avatar Ad Schellevis

Merge branch 'GurliGebis-eap-radius/2-try'

parents 60b48f01 78e26579
......@@ -64,6 +64,7 @@ $p1_authentication_methods = array(
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true),
'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ),
);
......@@ -498,6 +499,7 @@ function ipsec_configure($verbose = false)
$rgmap = array();
$filterdns_list = array();
$ipsecpinghosts = "";
/* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
......@@ -626,7 +628,7 @@ EOD;
if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
$strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$cfgservers = array();
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
......@@ -635,7 +637,7 @@ EOD;
}
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
$cfgservers = array();
......@@ -646,7 +648,7 @@ EOD;
$cfgservers[] = $a_client['wins_server2'];
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
......@@ -667,41 +669,41 @@ EOD;
}
if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n";
$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
unset($net_list);
}
}
if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
$strongswan .= "\t\t\t# Search domain and default domain\n";
$strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
$strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
}
$strongswan .= "\n";
}
if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
}
if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
$strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
}
if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = 1\n";
$strongswan .= "\t\t\t28673 = 1\n";
}
if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
$strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
}
$strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = ";
$strongswan .= "\t\txauth-generic {\n";
$strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) {
......@@ -715,7 +717,38 @@ EOD;
$firstsed = 1;
}
$strongswan .= "\n";
$strongswan .= "\t}\n";
$strongswan .= "\t\t}\n";
}
if ($ph1ent['authentication_method'] == "eap-radius") {
$strongswan .= "\t\teap-radius {\n";
$radius_servers = "";
$radius_server_num = 1;
$radius_accounting_enabled = false;
foreach (auth_get_authserver_list() as $auth_server) {
if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
$radius_servers .= "\t\t\t\tserver" . $radius_server_num . " {\n";
$radius_servers .= "\t\t\t\t\taddress = " . $auth_server['host'] . "\n";
$radius_servers .= "\t\t\t\t\tsecret = " . $auth_server['radius_secret'] . "\n";
$radius_servers .= "\t\t\t\t\tauth_port = " . $auth_server['radius_auth_port'] . "\n";
if (!empty($auth_server['radius_acct_port'])) {
$radius_servers .= "\t\t\t\t\tacct_port = " . $auth_server['radius_acct_port'] . "\n";
}
$radius_servers .= "\t\t\t\t}\n";
if (!empty($auth_server['radius_acct_port'])) {
$radius_accounting_enabled = true;
}
$radius_server_num += 1;
}
}
if ($radius_accounting_enabled) {
$strongswan .= "\t\t\taccounting = yes\n";
}
$strongswan .= "\t\t\tservers {\n";
$strongswan .= $radius_servers;
$strongswan .= "\t\t\t}\n";
$strongswan .= "\t\t}\n";
}
}
......@@ -918,7 +951,12 @@ EOD;
break;
case 'eap-mschapv2':
$authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2";
$authentication .= "\n\teap_identity=%any";
$authentication .= "\n\teap_identity = %any";
break;
case 'eap-radius':
$authentication = "leftauth = pubkey\n\trightauth = eap-radius";
$authentication .= "\n\trightsendcert = never";
$authentication .= "\n\teap_identity = %any";
break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
......@@ -940,7 +978,7 @@ EOD;
break;
}
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
$authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']);
......@@ -949,7 +987,7 @@ EOD;
foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
$rightca .= "{$ca_field['a']}={$ca_field['v']}/";
}
$authentication .= "\n\trightca=\"/$rightca\"";
$authentication .= "\n\trightca = \"/$rightca\"";
}
}
$left_spec = $ep;
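Review bot: In the new `eap-radius` block written after the xauth-generic section, `$auth_server['host']`, `$auth_server['radius_secret']` and the port fields are concatenated into strongswan.conf verbatim, so a value containing a newline or a brace would end the `secret = ` line early and be parsed as further configuration; ipsec_configure starts and ends outside this hunk. The match is on name alone, so a non-RADIUS entry whose name appears in `$ph1ent['authservers']` would be emitted as a server with empty host and secret, whereas the form only lists entries with `type == "radius"` — the generator should apply the same filter, and `explode()` can be hoisted out of the loop. If nothing matches, an empty `servers { }` block is still written; emitting the section only when `$radius_server_num > 1` avoids a configuration that cannot authenticate anyone. Values that would break the file syntax are best rejected where the auth server is saved, but a guard here is cheap.
```php
$selected_servers = explode(',', $ph1ent['authservers']);
foreach (auth_get_authserver_list() as $auth_server) {
    if ($auth_server['type'] != 'radius' || !in_array($auth_server['name'], $selected_servers, true)) {
        continue;
    }
    if (preg_match('/[\r\n{}]/', $auth_server['host'] . $auth_server['radius_secret']) === 1) {
        // value would break strongswan.conf syntax; skip rather than emit a malformed block
        continue;
    }
    // … unchanged: serverN block emission, accounting flag, counter …
}
```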
......@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,caref,reauth_enable,rekey_enable,auto,tunnel_isolation";
,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers";
if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
// 1-on-1 copy
foreach (explode(",", $phase1_fields) as $fieldname) {
......@@ -106,6 +106,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
$pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']);
if (!empty($config['ipsec']['phase1'][$p1index]['authservers'])) {
$pconfig['authservers'] = explode(',', $config['ipsec']['phase1'][$p1index]['authservers']);
} else {
$pconfig['authservers'] = array();
}
$pconfig['remotebits'] = null;
$pconfig['remotenet'] = null ;
if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) {
......@@ -133,6 +138,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['lifetime'] = "28800";
$pconfig['nat_traversal'] = "on";
$pconfig['iketype'] = "ikev1";
$pconfig['authservers'] = array();
/* mobile client */
if (isset($_GET['mobile'])) {
......@@ -178,9 +184,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
switch ($method) {
case "eap-tls":
case "eap-mschapv2":
case "eap-radius":
if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
}
if ($method == 'eap-radius' && empty($pconfig['authservers'])) {
$input_errors[] = gettext("Please select radius servers to use.");
}
break;
case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on
......@@ -343,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
,lifetime,pre-shared-key,certref,caref,authentication_method,descr
,nat_traversal, auto";
,nat_traversal,auto";
foreach (explode(",",$copy_fields) as $fieldname) {
$fieldname = trim($fieldname);
......@@ -351,6 +361,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$ph1ent[$fieldname] = $pconfig[$fieldname];
}
}
$ph1ent['authservers'] = implode(',', $pconfig['authservers']);
$ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false;
$ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
......@@ -461,6 +472,12 @@ include("head.inc");
$(".auth_eap_tls_caref").show();
$(".auth_eap_tls_caref :input").prop( "disabled", false );
break;
case 'eap-radius':
$(".auth_eap_tls").show();
$(".auth_eap_tls :input").prop( "disabled", false );
$(".auth_eap_radius").show();
$(".auth_eap_radius :input").prop( "disabled", false );
break;
case 'pre_shared_key':
if ($("#mobile").val() == undefined) {
$(".auth_psk").show();
......@@ -472,6 +489,7 @@ include("head.inc");
$(".auth_psk :input").prop( "disabled", false );
break;
}
$(".selectpicker").selectpicker('refresh');
});
$("#authentication_method").change();
......@@ -697,7 +715,8 @@ include("head.inc");
?>
</select>
<div class="hidden" for="help_for_authmethod">
<?=gettext("Must match the setting chosen on the remote side."); ?>
<?=gettext("Must match the setting chosen on the remote side."); ?><br />
<?=sprintf(gettext("If you select EAP-RADIUS, you must define your RADIUS servers on the %sServers%s page."), '<a href="/system_authservers.php">', '</a>'); ?>
</div>
</td>
</tr>
......@@ -836,6 +855,25 @@ endforeach; ?>
</div>
</td>
</tr>
<tr class="auth_opt auth_eap_radius">
<td><a id="help_for_authservers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Radius servers"); ?></td>
<td>
<select name="authservers[]" multiple="multiple" size="3" class="selectpicker" data-live-search="true">
<?php
foreach (auth_get_authserver_list() as $auth_server):
if ($auth_server['type'] == "radius"):?>
<option value="<?=$auth_server['name'];?>" <?=in_array($auth_server['name'],$pconfig['authservers']) ? 'selected="selected"' : "";?>>
<?=htmlspecialchars($auth_server['name']);?>
</option>
<?php
endif;
endforeach;?>
</select>
<div class="hidden" for="help_for_authservers">
<?=gettext("Select authentication servers to use."); ?>
</div>
</td>
</tr>
<tr>
<td colspan="2"><b><?=gettext("Phase 1 proposal (Algorithms)"); ?></b></td>
</tr>
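Review bot: `$ph1ent['authservers'] = implode(',', $pconfig['authservers']);` in the save hunk assumes the key is always present and is an array; if `$pconfig` is built from the request on POST (not visible here) and `authservers[]` is not submitted — any method other than eap-radius, where the select's inputs are disabled — this is an implode on an unset value, and a scalar submission would be stored unchanged. The validation hunk only checks that the list is non-empty for eap-radius; it does not check that each submitted name is an existing entry of type `radius` in `auth_get_authserver_list()`, so arbitrary strings reach the stored config and later the strongswan generator. Suggest guarding the assignment, `$ph1ent['authservers'] = isset($pconfig['authservers']) && is_array($pconfig['authservers']) ? implode(',', $pconfig['authservers']) : '';`, and adding a per-name membership check next to the existing empty check. Separately, in the form hunk `<option value="<?=$auth_server['name'];?>"` emits the attribute unescaped while the option text goes through `htmlspecialchars()`; apply the same escaping to the attribute.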