Skip to content

O
OpnSense
Commit a3a46bfe authored by Ad Schellevis's avatar Ad Schellevis
Browse files
Options

(legacy) cleanup vpn_ipsec_configure in vpn.inc and fix ikev1 non mobile multiple phase2

parent 4a439011
Hide whitespace changes
Inline Side-by-side
Showing with 499 additions and 459 deletions
src/etc/inc/vpn.inc
View file @ a3a46bfe
......@@ -87,9 +87,9 @@ function vpn_ipsec_convert_to_modp($index)
return $convertion;
}
function vpn_ipsec_configure($ipchg = false)
function vpn_ipsec_configure()
{
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
global $config, $p2_ealgos;
/* get the automatic ping_hosts.sh ready */
@unlink('/var/db/ipsecpinghosts');
......@@ -102,6 +102,7 @@ function vpn_ipsec_configure($ipchg = false)
$a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array();
$a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array();
$a_client = isset($config['ipsec']['client']) ? $config['ipsec']['client'] : array();
$aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true
if (!isset($ipseccfg['enable'])) {
/* try to stop charon */
......@@ -146,7 +147,6 @@ function vpn_ipsec_configure($ipchg = false)
$ipmap = array();
$rgmap = array();
$filterdns_list = array();
unset($iflist);
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecpinghosts = "";
......@@ -157,6 +157,9 @@ function vpn_ipsec_configure($ipchg = false)
$ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true;
}
$ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep))
continue;
......@@ -199,8 +202,8 @@ function vpn_ipsec_configure($ipchg = false)
/* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) {
if (!is_array($iflist)) {
$iflist = get_configured_interface_list();
if (!isset($iflist) || !is_array($iflist)) {
$iflist = get_configured_interface_list();
}
$viplist = get_configured_vips_list();
$srcip = null;
......@@ -254,6 +257,12 @@ function vpn_ipsec_configure($ipchg = false)
}
unset($iflist);
$cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
}
$strongswan = <<<EOD
#Automatically generated please do not modify
......@@ -263,126 +272,124 @@ starter {
charon {
# number of worker threads in charon
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000;
# XXX: There is not much choice here really users win their security!
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
syslog {
identifier = charon
# default level to the LOG_DAEMON facility
daemon {
}
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
# number of worker threads in charon
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000;
{$cnf_add_to_charon_section}
# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
syslog {
identifier = charon
# default level to the LOG_DAEMON facility
daemon {
}
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
default = -1
ike = 1
ike_name = yes
}
}
}
EOD;
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list']))
$strongswan .= "\tcisco_unity = yes\n";
$strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits'])
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
$cfgservers = array();
if (!empty($a_client['dns_server1']))
$cfgservers[] = $a_client['dns_server1'];
if (!empty($a_client['dns_server2']))
$cfgservers[] = $a_client['dns_server2'];
if (!empty($a_client['dns_server3']))
$cfgservers[] = $a_client['dns_server3'];
if (!empty($a_client['dns_server4']))
$cfgservers[] = $a_client['dns_server4'];
if (!empty($cfgservers))
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
unset($cfgservers);
$cfgservers = array();
if (!empty($a_client['wins_server1']))
$cfgservers[] = $a_client['wins_server1'];
if (!empty($a_client['wins_server2']))
$cfgservers[] = $a_client['wins_server2'];
if (!empty($cfgservers))
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
unset($cfgservers);
if (isset($a_client['net_list'])) {
$net_list = '';
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled']))
continue;
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$cfgservers = array();
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
if (!empty($a_client[$dns_server])) {
$cfgservers[] = $a_client[$dns_server];
}
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
$cfgservers = array();
if (!empty($a_client['wins_server1'])) {
$cfgservers[] = $a_client['wins_server1'];
}
if (!empty($a_client['wins_server2'])) {
$cfgservers[] = $a_client['wins_server2'];
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
if (!isset($ph2ent['mobile']))
continue;
if (isset($a_client['net_list'])) {
$net_list = '';
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) {
continue;
}
if (!isset($ph2ent['mobile'])) {
continue;
}
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (!empty($net_list)) {
$net_list .= ",";
}
$net_list .= $localid;
}
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n";
unset($net_list);
}
}
if (!empty($net_list))
$net_list .= ",";
$net_list .= $localid;
if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
}
$strongswan .= "\n";
}
if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n";
unset($net_list);
if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
}
}
if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split']))
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
$strongswan .= "\n";
}
if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
}
if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
}
if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = yes\n";
}
if (!empty($a_client['login_banner']))
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
if (isset($a_client['save_passwd']))
$strongswan .= "\t\t28673 = yes\n";
if ($a_client['pfs_group'])
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
$strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) {
if ($firstsed > 0)
$strongswan .= ",";
if ($authcfg == "system")
$authcfg = "Local Database";
$strongswan .= $authcfg;
$firstsed = 1;
if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
}
$strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) {
if ($firstsed > 0) {
$strongswan .= ",";
}
if ($authcfg == "system") {
$authcfg = "Local Database";
}
$strongswan .= $authcfg;
$firstsed = 1;
}
$strongswan .= "\n";
$strongswan .= "\t}\n";
}
$strongswan .= "\n";
$strongswan .= "\t}\n";
}
}
$strongswan .= "\t}\n}\n";
......@@ -391,97 +398,98 @@ EOD;
/* generate CA certificates files */
if (isset($config['ca'])) {
foreach ($config['ca'] as $ca) {
if (!isset($ca['crt'])) {
log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
continue;
}
$cert = base64_decode($ca['crt']);
$x509cert = openssl_x509_parse(openssl_x509_read($cert));
if (!is_array($x509cert) || !isset($x509cert['hash'])) {
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
continue;
}
$fname = "{$capath}/{$x509cert['hash']}.0.crt";
if (!@file_put_contents($fname, $cert)) {
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
continue;
foreach ($config['ca'] as $ca) {
if (!isset($ca['crt'])) {
log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
continue;
}
$cert = base64_decode($ca['crt']);
$x509cert = openssl_x509_parse(openssl_x509_read($cert));
if (!is_array($x509cert) || !isset($x509cert['hash'])) {
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
continue;
}
$fname = "{$capath}/{$x509cert['hash']}.0.crt";
if (!@file_put_contents($fname, $cert)) {
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
continue;
}
unset($cert);
}
unset($cert);
}
}
$pskconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
continue;
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
$certline = '';
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
$ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']);
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
$certline = '';
$ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']);
if (!$cert) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue;
}
if (empty($cert)) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue;
}
@chmod($certpath, 0600);
@chmod($certpath, 0600);
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue;
}
@chmod($ph1keyfile, 0600);
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue;
}
@chmod($ph1keyfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile);
continue;
}
@chmod($ph1certfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile);
continue;
}
@chmod($ph1certfile, 0600);
/* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n";
} else {
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
/* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n";
} else {
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data))
continue;
if (empty($peerid_data))
continue;
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key']))
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
}
}
}
}
/* Add user PSKs */
if (is_array($config['system']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) {
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
if (isset($config['system']['user']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) {
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
}
}
}
unset($user);
unset($user);
}
/* add PSKs for mobile clients */
if (isset($ipseccfg['mobilekey'])) {
foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers")
$key['ident'] = '';
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
unset($key);
foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers") {
$key['ident'] = '';
}
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
unset($key);
}
@file_put_contents("/usr/local/etc/ipsec.secrets", $pskconf);
......@@ -492,281 +500,287 @@ EOD;
/* begin ipsec.conf */
$ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
continue;
if ($ph1ent['mode'] == "aggressive")
$aggressive = "yes";
else
$aggressive = "no";
$ep = ipsec_get_phase1_src($ph1ent);
if (!$ep)
continue;
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1";
$passive = "route";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2";
//$passive = "start";
} else
$passive = "route";
if (isset($ph1ent['mobile'])) {
$right_spec = "%any";
$passive = 'add';
} else
$right_spec = $ph1ent['remote-gateway'];
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile']))
$peerid_spec = $peerid_data;
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealgosp1 = '';
$ealg_id = $ph1ent['encryption-algorithm']['name'];
if (isset($ph1ent['encryption-algorithm']['keylen'])){
$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
} else {
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
}
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
if ($ph1ent['mode'] == "aggressive") {
$aggressive = "yes";
} else {
$aggressive = "no";
}
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
if (!empty($modp))
$ealgosp1 .= "-{$modp}";
$ep = ipsec_get_phase1_src($ph1ent);
if (empty($ep)) {
continue;
}
$ealgosp1 .= "!";
}
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1";
$passive = "route";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2";
//$passive = "start";
} else {
$passive = "route";
}
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
if ($passive == "route")
$dpdline = "dpdaction = restart";
else
$dpdline = "dpdaction = clear";
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
} else
$dpdline = "dpdaction = none";
$ikelifeline = '';
if ($ph1ent['lifetime'])
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
$rightsourceip = NULL;
if (!empty($a_client['pool_address']))
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
$authentication = "";
switch ($ph1ent['authentication_method']) {
case 'eap-tls':
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
if (!empty($ph1ent['certref']))
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'xauth_psk_server':
$authentication = "leftauth = psk\n\trightauth = psk";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'pre_shared_key':
$authentication = "leftauth = psk\n\trightauth = psk";
break;
case 'rsasig':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
break;
case 'hybrid_rsa_server':
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth";
break;
}
$left_spec = $ep;
if (isset($ph1ent['reauth_enable']))
$reauth = "reauth = no";
else
$reauth = "reauth = yes";
if (isset($ph1ent['rekey_enable']))
$rekey = "rekey = no";
else
$rekey = "rekey = yes";
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
$ealgoAHsp2arr = array();
$ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'])
continue;
if (isset($ph1ent['mobile'])) {
$right_spec = "%any";
$passive = 'add';
} else {
$right_spec = $ph1ent['remote-gateway'];
}
if (isset($ph2ent['disabled']))
continue;
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
continue;
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
$peerid_spec = $peerid_data;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel";
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealg_id = $ph1ent['encryption-algorithm']['name'];
if (isset($ph1ent['encryption-algorithm']['keylen'])){
$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
} else {
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
}
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
if (!empty($modp)) {
$ealgosp1 .= "-{$modp}";
}
$ealgosp1 .= "!";
}
$localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
$left_spec = '%any';
} else {
if ($localid_type != "address") {
$localid_type = "subnet";
}
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
continue;
}
if (!empty($ph2ent['natlocalid'])) {
$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
if ($ph2ent['natlocalid']['type'] != "address") {
if (is_subnet($natleftsubnet_data))
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) {
if ($passive == "route") {
$dpdline = "dpdaction = restart";
} else {
if (is_ipaddr($natleftsubnet_data))
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
$dpdline = "dpdaction = clear";
}
$natfilterrules = true;
}
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
} else {
$dpdline = "dpdaction = none";
}
if (empty($leftsubnet_spec[$leftsubnet_data]))
$leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
if (!empty($ph1ent['lifetime'])) {
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
} else {
$ikelifeline = '';
}
if (!isset($ph2ent['mobile'])) {
$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
if (empty($rightsubnet_spec[$tmpsubnet]))
$rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
} else if (!empty($a_client['pool_address'])) {
if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
$rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
$rightsourceip = NULL;
if (!empty($a_client['pool_address'])) {
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
} else {
$tunneltype = "type = transport";
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
$left_spec = "%any";
$authentication = "";
switch ($ph1ent['authentication_method']) {
case 'eap-tls':
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'xauth_psk_server':
$authentication = "leftauth = psk\n\trightauth = psk";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'pre_shared_key':
$authentication = "leftauth = psk\n\trightauth = psk";
break;
case 'rsasig':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
break;
case 'hybrid_rsa_server':
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth";
break;
}
$left_spec = $ep;
if (isset($ph1ent['reauth_enable'])) {
$reauth = "reauth = no";
} else {
$tmpsubnet = ipsec_get_phase1_src($ph1ent);
if ($leftsubnet_spec[$tmpsubnet])
$leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
$reauth = "reauth = yes";
}
if (!isset($ph2ent['mobile'])) {
if (empty($rightsubnet_spec[$right_spec]))
$rightsubnet_spec[$right_spec] = $right_spec;
if (isset($ph1ent['rekey_enable'])) {
$rekey = "rekey = no";
} else {
$rekey = "rekey = yes";
}
}
if (isset($a_client['pfs_group']))
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
$ealgoAHsp2arr = array();
$ealgoESPsp2arr = array();
if ($ph2ent['protocol'] == 'esp') {
if (is_array($ph2ent['encryption-algorithm-option'])) {
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
$ealg_id = $ealg['name'];
if (isset($ealg['keylen'])) {
$ealg_kl = $ealg['keylen'];
} else {
$ealg_kl = null;
}
if (is_array($a_phase2) && count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue;
}
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
continue;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel";
$localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
$left_spec = '%any';
} else {
if ($localid_type != "address") {
$localid_type = "subnet";
}
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
continue;
}
if (!empty($ph2ent['natlocalid'])) {
$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
if ($ph2ent['natlocalid']['type'] != "address") {
if (is_subnet($natleftsubnet_data))
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
} else {
if (is_ipaddr($natleftsubnet_data))
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
}
$natfilterrules = true;
}
}
$leftsubnet_spec[] = $leftsubnet_data;
if (!empty($ealg_kl) && $ealg_kl == "auto") {
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
/* XXX: in some cases where include ordering is suspect these variables
* are somehow 0 and we enter this loop forever and timeout after 900
* seconds wrecking bootup */
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
if (!isset($ph2ent['mobile'])) {
$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
$rightsubnet_spec[] = $tmpsubnet;
} else if (!empty($a_client['pool_address'])) {
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
}
} else {
$tunneltype = "type = transport";
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
$left_spec = "%any";
} else {
$tmpsubnet = ipsec_get_phase1_src($ph1ent);
$leftsubnet_spec[] = $tmpsubnet;
}
if (!isset($ph2ent['mobile'])) {
$rightsubnet_spec[] = $right_spec;
}
} else {
$tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
}
}
} else {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
if (isset($a_client['pfs_group'])) {
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
}
if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') {
if (is_array($ph2ent['encryption-algorithm-option'])) {
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
$ealg_id = $ealg['name'];
if (isset($ealg['keylen'])) {
$ealg_kl = $ealg['keylen'];
} else {
$ealg_kl = null;
}
if (!empty($ealg_kl) && $ealg_kl == "auto") {
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
/* XXX: in some cases where include ordering is suspect these variables
* are somehow 0 and we enter this loop forever and timeout after 900
* seconds wrecking bootup */
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
}
}
} else {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$ealg_kl}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
}
}
}
} else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
if (!empty($modp)) {
$tmpAHalgo = "-{$modp}";
}
$ealgoAHsp2arr[] = $tmpAHalgo;
}
}
}
if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
$ipseclifetime = intval($ph2ent['lifetime']);
}
}
} else {
$tmpealgo = "{$ealg_id}{$ealg_kl}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
}
}
}
} else if ($ph2ent['protocol'] == 'ah') {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
if (!empty($modp))
$tmpAHalgo = "-{$modp}";
$ealgoAHsp2arr[] = $tmpAHalgo;
}
}
}
$connEntry =<<<EOD
if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
$ipseclifetime = intval($ph2ent['lifetime']);
}
}
}
$ipsecconf .=<<<EOD
conn con{$ph1ent['ikeid']}
conn con<<connectionId>>
aggressive = {$aggressive}
fragmentation = yes
keyexchange = {$keyexchange}
......@@ -780,34 +794,57 @@ conn con{$ph1ent['ikeid']}
left = {$left_spec}
right = {$right_spec}
leftid = {$myid_data}
{$ikelifeline}
EOD;
if (!empty($ikelifeline))
$ipsecconf .= "\t{$ikelifeline}\n";
if ($ipseclifetime > 0)
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
if (!empty($rightsourceip))
$ipsecconf .= "{$rightsourceip}";
if (!empty($rightsubnet_spec))
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
if (!empty($leftsubnet_spec))
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
if (!empty($ealgosp1))
$ipsecconf .= "\t{$ealgosp1}\n";
if (!empty($ealgoAHsp2arr))
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
if (!empty($ealgoESPsp2arr)) {
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
if ($ipseclifetime > 0) {
$connEntry .= "\tlifetime = {$ipseclifetime}s\n";
}
if (!empty($rightsourceip)) {
$connEntry .= "{$rightsourceip}";
}
if (!empty($ealgosp1)) {
$connEntry .= "\t{$ealgosp1}\n";
}
if (!empty($ealgoAHsp2arr)) {
$connEntry .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
}
if (!empty($ealgoESPsp2arr)) {
$connEntry .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
}
if (!empty($authentication)) {
$connEntry .= "\t{$authentication}\n";
}
if (!empty($peerid_spec)) {
$connEntry .= "\trightid = {$peerid_spec}\n";
}
// append ipsec connections
if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
// ikev1 not mobile
for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) {
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
$tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ;
$tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
$ipsecconf .= $tmpconf;
}
} else {
// mobile and ikev2
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
if (!empty($rightsubnet_spec)) {
$tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
}
if (!empty($leftsubnet_spec)) {
$tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
}
$ipsecconf .= $tmpconf;
}
}
if (!empty($authentication))
$ipsecconf .= "\t{$authentication}\n";
if (!empty($peerid_spec))
$ipsecconf .= "\trightid = {$peerid_spec}\n";
}
}
}
@file_put_contents("/usr/local/etc/ipsec.conf", $ipsecconf);
// dump file, replace tabs for 2 spaces
@file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf));
unset($ipsecconf);
/* end ipsec.conf */
......@@ -822,33 +859,36 @@ EOD;
}
if ($natfilterrules == true) {
filter_configure();
filter_configure();
}
/* start filterdns, if necessary */
if (count($filterdns_list) > 0) {
$interval = 60;
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
$interval = $ipseccfg['dns-interval'];
$hostnames = "";
array_unique($filterdns_list);
foreach ($filterdns_list as $hostname)
$hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
unset($hostnames);
if (isvalidpid('/var/run/filterdns-ipsec.pid')) {
killbypid('/var/run/filterdns-ipsec.pid', 'HUP');
} else {
mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1");
}
$interval = 60;
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
$interval = $ipseccfg['dns-interval'];
}
$hostnames = "";
array_unique($filterdns_list);
foreach ($filterdns_list as $hostname) {
$hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
}
file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
unset($hostnames);
if (isvalidpid('/var/run/filterdns-ipsec.pid')) {
killbypid('/var/run/filterdns-ipsec.pid', 'HUP');
} else {
mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1");
}
} else {
killbypid('/var/run/filterdns-ipsec.pid');
killbypid('/var/run/filterdns-ipsec.pid');
}
if (file_exists("/var/run/booting"))
echo "done\n";
if (file_exists("/var/run/booting")) {
echo "done\n";
}
return count($filterdns_list);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023