Commit 9b8fdf53 authored by Ad Schellevis's avatar Ad Schellevis

Merge branch 'GurliGebis-eap-radius/2-try'

parents 60b48f01 78e26579
...@@ -64,6 +64,7 @@ $p1_authentication_methods = array( ...@@ -64,6 +64,7 @@ $p1_authentication_methods = array(
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true), 'eap-mschapv2' => array( 'name' => 'EAP-MSCHAPV2', 'mobile' => true),
'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ), 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ),
); );
...@@ -498,6 +499,7 @@ function ipsec_configure($verbose = false) ...@@ -498,6 +499,7 @@ function ipsec_configure($verbose = false)
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
$ipsecpinghosts = ""; $ipsecpinghosts = "";
/* step through each phase1 entry */ /* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) { if (isset($ph1ent['disabled'])) {
...@@ -626,7 +628,7 @@ EOD; ...@@ -626,7 +628,7 @@ EOD;
if (isset($a_client['enable'])) { if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n"; $strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) { if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
} }
$cfgservers = array(); $cfgservers = array();
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) { foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
...@@ -635,7 +637,7 @@ EOD; ...@@ -635,7 +637,7 @@ EOD;
} }
} }
if (!empty($cfgservers)) { if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
} }
unset($cfgservers); unset($cfgservers);
$cfgservers = array(); $cfgservers = array();
...@@ -646,7 +648,7 @@ EOD; ...@@ -646,7 +648,7 @@ EOD;
$cfgservers[] = $a_client['wins_server2']; $cfgservers[] = $a_client['wins_server2'];
} }
if (!empty($cfgservers)) { if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
} }
unset($cfgservers); unset($cfgservers);
...@@ -667,41 +669,41 @@ EOD; ...@@ -667,41 +669,41 @@ EOD;
} }
if (!empty($net_list)) { if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n"; $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
unset($net_list); unset($net_list);
} }
} }
if (!empty($a_client['dns_domain'])) { if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n"; $strongswan .= "\t\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n"; $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) { if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}"; $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
} }
$strongswan .= "\n"; $strongswan .= "\n";
} }
if (!empty($a_client['dns_split'])) { if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n"; $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
} }
if (!empty($a_client['login_banner'])) { if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n"; $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
} }
if (isset($a_client['save_passwd'])) { if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = 1\n"; $strongswan .= "\t\t\t28673 = 1\n";
} }
if (!empty($a_client['pfs_group'])) { if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n"; $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
} }
$strongswan .= "\t\t}\n"; $strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") { if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n"; $strongswan .= "\t\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n"; $strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = "; $strongswan .= "\t\t\tauthcfg = ";
$firstsed = 0; $firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']); $authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) { foreach ($authcfgs as $authcfg) {
...@@ -715,7 +717,38 @@ EOD; ...@@ -715,7 +717,38 @@ EOD;
$firstsed = 1; $firstsed = 1;
} }
$strongswan .= "\n"; $strongswan .= "\n";
$strongswan .= "\t}\n"; $strongswan .= "\t\t}\n";
}
if ($ph1ent['authentication_method'] == "eap-radius") {
$strongswan .= "\t\teap-radius {\n";
$radius_servers = "";
$radius_server_num = 1;
$radius_accounting_enabled = false;
foreach (auth_get_authserver_list() as $auth_server) {
if (in_array($auth_server['name'], explode(',', $ph1ent['authservers']))) {
$radius_servers .= "\t\t\t\tserver" . $radius_server_num . " {\n";
$radius_servers .= "\t\t\t\t\taddress = " . $auth_server['host'] . "\n";
$radius_servers .= "\t\t\t\t\tsecret = " . $auth_server['radius_secret'] . "\n";
$radius_servers .= "\t\t\t\t\tauth_port = " . $auth_server['radius_auth_port'] . "\n";
if (!empty($auth_server['radius_acct_port'])) {
$radius_servers .= "\t\t\t\t\tacct_port = " . $auth_server['radius_acct_port'] . "\n";
}
$radius_servers .= "\t\t\t\t}\n";
if (!empty($auth_server['radius_acct_port'])) {
$radius_accounting_enabled = true;
}
$radius_server_num += 1;
}
}
if ($radius_accounting_enabled) {
$strongswan .= "\t\t\taccounting = yes\n";
}
$strongswan .= "\t\t\tservers {\n";
$strongswan .= $radius_servers;
$strongswan .= "\t\t\t}\n";
$strongswan .= "\t\t}\n";
} }
} }
...@@ -918,7 +951,12 @@ EOD; ...@@ -918,7 +951,12 @@ EOD;
break; break;
case 'eap-mschapv2': case 'eap-mschapv2':
$authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2"; $authentication = "leftauth = pubkey\n\trightauth = eap-mschapv2";
$authentication .= "\n\teap_identity=%any"; $authentication .= "\n\teap_identity = %any";
break;
case 'eap-radius':
$authentication = "leftauth = pubkey\n\trightauth = eap-radius";
$authentication .= "\n\trightsendcert = never";
$authentication .= "\n\teap_identity = %any";
break; break;
case 'xauth_rsa_server': case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; $authentication = "leftauth = pubkey\n\trightauth = pubkey";
...@@ -940,7 +978,7 @@ EOD; ...@@ -940,7 +978,7 @@ EOD;
break; break;
} }
if (!empty($ph1ent['certref'])) { if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
} }
if (!empty($ph1ent['caref'])) { if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']); $ca = lookup_ca($ph1ent['caref']);
...@@ -949,7 +987,7 @@ EOD; ...@@ -949,7 +987,7 @@ EOD;
foreach (cert_get_subject_array($ca['crt']) as $ca_field) { foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
$rightca .= "{$ca_field['a']}={$ca_field['v']}/"; $rightca .= "{$ca_field['a']}={$ca_field['v']}/";
} }
$authentication .= "\n\trightca=\"/$rightca\""; $authentication .= "\n\trightca = \"/$rightca\"";
} }
} }
$left_spec = $ep; $left_spec = $ep;
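Review bot: The new server loop in the eap-radius block selects auth servers by name alone (`in_array($auth_server['name'], explode(',', $ph1ent['authservers']))`), so an entry of another type (the form at the other end of this commit filters on `type == "radius"`, which shows the list holds non-RADIUS servers too) or a RADIUS entry with an empty secret is still emitted as a serverN block with a blank `secret =` and `auth_port =`. Guard the match with `if ($auth_server['type'] == 'radius' && !empty($auth_server['radius_secret']) && in_array($auth_server['name'], explode(',', $ph1ent['authservers']), true)) {` so strongswan never gets a server it cannot authenticate against. Host and secret are interpolated into strongswan.conf verbatim; a value containing a newline or `}` would rewrite the generated config, so either reject such characters when the auth server is saved or strip them here. When nothing matches, an empty `servers { }` section is written while rightauth is still eap-radius, which silently breaks every mobile login and should at least be logged. The enclosing ipsec_configure() and its phase1 foreach start outside the hunk.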
......
...@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -86,7 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,caref,reauth_enable,rekey_enable,auto,tunnel_isolation"; ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers";
if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
// 1-on-1 copy // 1-on-1 copy
foreach (explode(",", $phase1_fields) as $fieldname) { foreach (explode(",", $phase1_fields) as $fieldname) {
...@@ -106,6 +106,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -106,6 +106,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
$pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']); $pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']);
if (!empty($config['ipsec']['phase1'][$p1index]['authservers'])) {
$pconfig['authservers'] = explode(',', $config['ipsec']['phase1'][$p1index]['authservers']);
} else {
$pconfig['authservers'] = array();
}
$pconfig['remotebits'] = null; $pconfig['remotebits'] = null;
$pconfig['remotenet'] = null ; $pconfig['remotenet'] = null ;
if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) { if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) {
...@@ -133,6 +138,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -133,6 +138,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['lifetime'] = "28800"; $pconfig['lifetime'] = "28800";
$pconfig['nat_traversal'] = "on"; $pconfig['nat_traversal'] = "on";
$pconfig['iketype'] = "ikev1"; $pconfig['iketype'] = "ikev1";
$pconfig['authservers'] = array();
/* mobile client */ /* mobile client */
if (isset($_GET['mobile'])) { if (isset($_GET['mobile'])) {
...@@ -178,9 +184,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -178,9 +184,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
switch ($method) { switch ($method) {
case "eap-tls": case "eap-tls":
case "eap-mschapv2": case "eap-mschapv2":
case "eap-radius":
if ($pconfig['iketype'] != 'ikev2') { if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method)); $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
} }
if ($method == 'eap-radius' && empty($pconfig['authservers'])) {
$input_errors[] = gettext("Please select radius servers to use.");
}
break; break;
case "pre_shared_key": case "pre_shared_key":
// If this is a mobile PSK tunnel the user PSKs go on // If this is a mobile PSK tunnel the user PSKs go on
...@@ -343,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -343,7 +353,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
,lifetime,pre-shared-key,certref,caref,authentication_method,descr ,lifetime,pre-shared-key,certref,caref,authentication_method,descr
,nat_traversal, auto"; ,nat_traversal,auto";
foreach (explode(",",$copy_fields) as $fieldname) { foreach (explode(",",$copy_fields) as $fieldname) {
$fieldname = trim($fieldname); $fieldname = trim($fieldname);
...@@ -351,6 +361,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -351,6 +361,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$ph1ent[$fieldname] = $pconfig[$fieldname]; $ph1ent[$fieldname] = $pconfig[$fieldname];
} }
} }
$ph1ent['authservers'] = implode(',', $pconfig['authservers']);
$ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false;
$ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null; $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
...@@ -461,6 +472,12 @@ include("head.inc"); ...@@ -461,6 +472,12 @@ include("head.inc");
$(".auth_eap_tls_caref").show(); $(".auth_eap_tls_caref").show();
$(".auth_eap_tls_caref :input").prop( "disabled", false ); $(".auth_eap_tls_caref :input").prop( "disabled", false );
break; break;
case 'eap-radius':
$(".auth_eap_tls").show();
$(".auth_eap_tls :input").prop( "disabled", false );
$(".auth_eap_radius").show();
$(".auth_eap_radius :input").prop( "disabled", false );
break;
case 'pre_shared_key': case 'pre_shared_key':
if ($("#mobile").val() == undefined) { if ($("#mobile").val() == undefined) {
$(".auth_psk").show(); $(".auth_psk").show();
...@@ -472,6 +489,7 @@ include("head.inc"); ...@@ -472,6 +489,7 @@ include("head.inc");
$(".auth_psk :input").prop( "disabled", false ); $(".auth_psk :input").prop( "disabled", false );
break; break;
} }
$(".selectpicker").selectpicker('refresh');
}); });
$("#authentication_method").change(); $("#authentication_method").change();
...@@ -697,7 +715,8 @@ include("head.inc"); ...@@ -697,7 +715,8 @@ include("head.inc");
?> ?>
</select> </select>
<div class="hidden" for="help_for_authmethod"> <div class="hidden" for="help_for_authmethod">
<?=gettext("Must match the setting chosen on the remote side."); ?> <?=gettext("Must match the setting chosen on the remote side."); ?><br />
<?=sprintf(gettext("If you select EAP-RADIUS, you must define your RADIUS servers on the %sServers%s page."), '<a href="/system_authservers.php">', '</a>'); ?>
</div> </div>
</td> </td>
</tr> </tr>
...@@ -836,6 +855,25 @@ endforeach; ?> ...@@ -836,6 +855,25 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr class="auth_opt auth_eap_radius">
<td><a id="help_for_authservers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Radius servers"); ?></td>
<td>
<select name="authservers[]" multiple="multiple" size="3" class="selectpicker" data-live-search="true">
<?php
foreach (auth_get_authserver_list() as $auth_server):
if ($auth_server['type'] == "radius"):?>
<option value="<?=$auth_server['name'];?>" <?=in_array($auth_server['name'],$pconfig['authservers']) ? 'selected="selected"' : "";?>>
<?=htmlspecialchars($auth_server['name']);?>
</option>
<?php
endif;
endforeach;?>
</select>
<div class="hidden" for="help_for_authservers">
<?=gettext("Select authentication servers to use."); ?>
</div>
</td>
</tr>
<tr> <tr>
<td colspan="2"><b><?=gettext("Phase 1 proposal (Algorithms)"); ?></b></td> <td colspan="2"><b><?=gettext("Phase 1 proposal (Algorithms)"); ?></b></td>
</tr> </tr>
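Review bot: The POST validation added for `eap-radius` only checks that `authservers` is non-empty; it does not verify that the field is an array or that every name is an existing RADIUS server, yet the save path stores it with `implode(',', $pconfig['authservers'])` and the backend later splits it with `explode(',')`, so an unknown name, a non-array value, or a server name containing a comma produces an eap-radius config that cannot be matched back to a server. If `$pconfig` is a straight copy of `$_POST` (not visible here), the implode on the save path also runs for non-RADIUS methods where the select is disabled and the key is absent, which warns on PHP 7 and throws on PHP 8; `$ph1ent['authservers'] = implode(',', (array)($pconfig['authservers'] ?? array()));` avoids that. The validation below restricts the selection to names the backend will actually find.
```php
case "eap-radius":
    // … unchanged: IKEv2-only check …
    if ($method == 'eap-radius') {
        $radius_names = array();
        foreach (auth_get_authserver_list() as $auth_server) {
            if ($auth_server['type'] == 'radius') {
                $radius_names[] = $auth_server['name'];
            }
        }
        if (empty($pconfig['authservers']) || !is_array($pconfig['authservers'])) {
            $input_errors[] = gettext("Please select radius servers to use.");
        } elseif (count(array_diff($pconfig['authservers'], $radius_names)) > 0) {
            $input_errors[] = gettext("One or more selected authentication servers are not RADIUS servers.");
        }
    }
    break;
```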
......