Commit a3a46bfe authored by Ad Schellevis's avatar Ad Schellevis

(legacy) clean up vpn_ipsec_configure in vpn.inc and fix ikev1 non-mobile multiple phase2

parent 4a439011
...@@ -87,9 +87,9 @@ function vpn_ipsec_convert_to_modp($index) ...@@ -87,9 +87,9 @@ function vpn_ipsec_convert_to_modp($index)
return $convertion; return $convertion;
} }
function vpn_ipsec_configure($ipchg = false) function vpn_ipsec_configure()
{ {
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos; global $config, $p2_ealgos;
/* get the automatic ping_hosts.sh ready */ /* get the automatic ping_hosts.sh ready */
@unlink('/var/db/ipsecpinghosts'); @unlink('/var/db/ipsecpinghosts');
...@@ -102,6 +102,7 @@ function vpn_ipsec_configure($ipchg = false) ...@@ -102,6 +102,7 @@ function vpn_ipsec_configure($ipchg = false)
$a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array(); $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array();
$a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array(); $a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array();
$a_client = isset($config['ipsec']['client']) ? $config['ipsec']['client'] : array(); $a_client = isset($config['ipsec']['client']) ? $config['ipsec']['client'] : array();
$aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true
if (!isset($ipseccfg['enable'])) { if (!isset($ipseccfg['enable'])) {
/* try to stop charon */ /* try to stop charon */
...@@ -146,7 +147,6 @@ function vpn_ipsec_configure($ipchg = false) ...@@ -146,7 +147,6 @@ function vpn_ipsec_configure($ipchg = false)
$ipmap = array(); $ipmap = array();
$rgmap = array(); $rgmap = array();
$filterdns_list = array(); $filterdns_list = array();
unset($iflist);
if (is_array($a_phase1) && count($a_phase1)) { if (is_array($a_phase1) && count($a_phase1)) {
$ipsecpinghosts = ""; $ipsecpinghosts = "";
...@@ -157,6 +157,9 @@ function vpn_ipsec_configure($ipchg = false) ...@@ -157,6 +157,9 @@ function vpn_ipsec_configure($ipchg = false)
$ikeid = $ph1ent['ikeid']; $ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true;
}
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep)) if (!is_ipaddr($ep))
continue; continue;
...@@ -199,7 +202,7 @@ function vpn_ipsec_configure($ipchg = false) ...@@ -199,7 +202,7 @@ function vpn_ipsec_configure($ipchg = false)
/* add an ipsec pinghosts entry */ /* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) { if ($ph2ent['pinghost']) {
if (!is_array($iflist)) { if (!isset($iflist) || !is_array($iflist)) {
$iflist = get_configured_interface_list(); $iflist = get_configured_interface_list();
} }
$viplist = get_configured_vips_list(); $viplist = get_configured_vips_list();
...@@ -254,6 +257,12 @@ function vpn_ipsec_configure($ipchg = false) ...@@ -254,6 +257,12 @@ function vpn_ipsec_configure($ipchg = false)
} }
unset($iflist); unset($iflist);
$cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
}
$strongswan = <<<EOD $strongswan = <<<EOD
#Automatically generated please do not modify #Automatically generated please do not modify
...@@ -268,14 +277,10 @@ charon { ...@@ -268,14 +277,10 @@ charon {
ikesa_table_size = 32 ikesa_table_size = 32
ikesa_table_segments = 4 ikesa_table_segments = 4
init_limit_half_open = 1000; init_limit_half_open = 1000;
{$cnf_add_to_charon_section}
# XXX: There is not much choice here really users win their security!
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
# And two loggers using syslog. The subsections define the facility to log # And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth. # to, currently one of: daemon, auth.
syslog { syslog {
identifier = charon identifier = charon
# default level to the LOG_DAEMON facility # default level to the LOG_DAEMON facility
daemon { daemon {
...@@ -287,54 +292,50 @@ charon { ...@@ -287,54 +292,50 @@ charon {
ike_name = yes ike_name = yes
} }
} }
EOD; EOD;
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list']))
$strongswan .= "\tcisco_unity = yes\n";
$strongswan .= "\tplugins {\n"; $strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) { if (is_array($a_client) && isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n"; $strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$cfgservers = array(); $cfgservers = array();
if (!empty($a_client['dns_server1'])) foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
$cfgservers[] = $a_client['dns_server1']; if (!empty($a_client[$dns_server])) {
if (!empty($a_client['dns_server2'])) $cfgservers[] = $a_client[$dns_server];
$cfgservers[] = $a_client['dns_server2']; }
if (!empty($a_client['dns_server3'])) }
$cfgservers[] = $a_client['dns_server3']; if (!empty($cfgservers)) {
if (!empty($a_client['dns_server4']))
$cfgservers[] = $a_client['dns_server4'];
if (!empty($cfgservers))
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers); unset($cfgservers);
$cfgservers = array(); $cfgservers = array();
if (!empty($a_client['wins_server1'])) if (!empty($a_client['wins_server1'])) {
$cfgservers[] = $a_client['wins_server1']; $cfgservers[] = $a_client['wins_server1'];
if (!empty($a_client['wins_server2'])) }
if (!empty($a_client['wins_server2'])) {
$cfgservers[] = $a_client['wins_server2']; $cfgservers[] = $a_client['wins_server2'];
if (!empty($cfgservers)) }
if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n"; $strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers); unset($cfgservers);
if (isset($a_client['net_list'])) { if (isset($a_client['net_list'])) {
$net_list = ''; $net_list = '';
foreach ($a_phase2 as $ph2ent) { foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) if (isset($ph2ent['disabled'])) {
continue; continue;
}
if (!isset($ph2ent['mobile'])) if (!isset($ph2ent['mobile'])) {
continue; continue;
}
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (!empty($net_list)) {
if (!empty($net_list))
$net_list .= ","; $net_list .= ",";
}
$net_list .= $localid; $net_list .= $localid;
} }
...@@ -347,8 +348,9 @@ EOD; ...@@ -347,8 +348,9 @@ EOD;
if (!empty($a_client['dns_domain'])) { if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n"; $strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n"; $strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}"; $strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
}
$strongswan .= "\n"; $strongswan .= "\n";
} }
...@@ -356,14 +358,17 @@ EOD; ...@@ -356,14 +358,17 @@ EOD;
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n"; $strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
} }
if (!empty($a_client['login_banner'])) if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n"; $strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
}
if (isset($a_client['save_passwd'])) if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = yes\n"; $strongswan .= "\t\t28673 = yes\n";
}
if ($a_client['pfs_group']) if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n"; $strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
}
$strongswan .= "\t\t}\n"; $strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") { if ($a_client['user_source'] != "none") {
...@@ -373,10 +378,12 @@ EOD; ...@@ -373,10 +378,12 @@ EOD;
$firstsed = 0; $firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']); $authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) { foreach ($authcfgs as $authcfg) {
if ($firstsed > 0) if ($firstsed > 0) {
$strongswan .= ","; $strongswan .= ",";
if ($authcfg == "system") }
if ($authcfg == "system") {
$authcfg = "Local Database"; $authcfg = "Local Database";
}
$strongswan .= $authcfg; $strongswan .= $authcfg;
$firstsed = 1; $firstsed = 1;
} }
...@@ -415,17 +422,16 @@ EOD; ...@@ -415,17 +422,16 @@ EOD;
if (is_array($a_phase1) && count($a_phase1)) { if (is_array($a_phase1) && count($a_phase1)) {
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
if (isset($ph1ent['disabled']))
continue; continue;
}
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') { if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
$certline = ''; $certline = '';
$ikeid = $ph1ent['ikeid']; $ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']); $cert = lookup_cert($ph1ent['certref']);
if (!$cert) { if (empty($cert)) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue; continue;
} }
...@@ -458,14 +464,15 @@ EOD; ...@@ -458,14 +464,15 @@ EOD;
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : ""; $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key'])) if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n"; $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
} }
} }
} }
}
/* Add user PSKs */ /* Add user PSKs */
if (is_array($config['system']) && is_array($config['system']['user'])) { if (isset($config['system']['user']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) { foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) { if (!empty($user['ipsecpsk'])) {
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n"; $pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
...@@ -477,8 +484,9 @@ EOD; ...@@ -477,8 +484,9 @@ EOD;
/* add PSKs for mobile clients */ /* add PSKs for mobile clients */
if (isset($ipseccfg['mobilekey'])) { if (isset($ipseccfg['mobilekey'])) {
foreach ($ipseccfg['mobilekey'] as $key) { foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers") if ($key['ident'] == "allusers") {
$key['ident'] = ''; $key['ident'] = '';
}
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n"; $pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
} }
unset($key); unset($key);
...@@ -492,23 +500,25 @@ EOD; ...@@ -492,23 +500,25 @@ EOD;
/* begin ipsec.conf */ /* begin ipsec.conf */
$ipsecconf = ""; $ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) { if (is_array($a_phase1) && count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n"; $ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n"; $ipsecconf .= "config setup\n\tuniqueids = yes\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n"; $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
foreach ($a_phase1 as $ph1ent) { foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) if (isset($ph1ent['disabled'])) {
continue; continue;
}
if ($ph1ent['mode'] == "aggressive") if ($ph1ent['mode'] == "aggressive") {
$aggressive = "yes"; $aggressive = "yes";
else } else {
$aggressive = "no"; $aggressive = "no";
}
$ep = ipsec_get_phase1_src($ph1ent); $ep = ipsec_get_phase1_src($ph1ent);
if (!$ep) if (empty($ep)) {
continue; continue;
}
$ikeid = $ph1ent['ikeid']; $ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1"; $keyexchange = "ikev1";
...@@ -516,65 +526,72 @@ EOD; ...@@ -516,65 +526,72 @@ EOD;
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2"; $keyexchange = "ikev2";
//$passive = "start"; //$passive = "start";
} else } else {
$passive = "route"; $passive = "route";
}
if (isset($ph1ent['mobile'])) { if (isset($ph1ent['mobile'])) {
$right_spec = "%any"; $right_spec = "%any";
$passive = 'add'; $passive = 'add';
} else } else {
$right_spec = $ph1ent['remote-gateway']; $right_spec = $ph1ent['remote-gateway'];
}
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = ''; $peerid_spec = '';
if (!isset($ph1ent['mobile'])) if (!isset($ph1ent['mobile'])) {
$peerid_spec = $peerid_data; $peerid_spec = $peerid_data;
}
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealgosp1 = '';
$ealg_id = $ph1ent['encryption-algorithm']['name']; $ealg_id = $ph1ent['encryption-algorithm']['name'];
if (isset($ph1ent['encryption-algorithm']['keylen'])){ if (isset($ph1ent['encryption-algorithm']['keylen'])){
$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}"; $ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
} else { } else {
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
} }
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
if (!empty($modp)) if (!empty($modp)) {
$ealgosp1 .= "-{$modp}"; $ealgosp1 .= "-{$modp}";
}
$ealgosp1 .= "!"; $ealgosp1 .= "!";
} }
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) {
if ($passive == "route") if ($passive == "route") {
$dpdline = "dpdaction = restart"; $dpdline = "dpdaction = restart";
else } else {
$dpdline = "dpdaction = clear"; $dpdline = "dpdaction = clear";
}
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
} else } else {
$dpdline = "dpdaction = none"; $dpdline = "dpdaction = none";
}
$ikelifeline = ''; if (!empty($ph1ent['lifetime'])) {
if ($ph1ent['lifetime'])
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
} else {
$ikelifeline = '';
}
$rightsourceip = NULL; $rightsourceip = NULL;
if (!empty($a_client['pool_address'])) if (!empty($a_client['pool_address'])) {
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$authentication = ""; $authentication = "";
switch ($ph1ent['authentication_method']) { switch ($ph1ent['authentication_method']) {
case 'eap-tls': case 'eap-tls':
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
if (!empty($ph1ent['certref'])) if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
break; break;
case 'xauth_rsa_server': case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; $authentication = "leftauth = pubkey\n\trightauth = pubkey";
...@@ -595,37 +612,38 @@ EOD; ...@@ -595,37 +612,38 @@ EOD;
$authentication .= "\n\trightauth2 = xauth"; $authentication .= "\n\trightauth2 = xauth";
break; break;
} }
$left_spec = $ep; $left_spec = $ep;
if (isset($ph1ent['reauth_enable'])) if (isset($ph1ent['reauth_enable'])) {
$reauth = "reauth = no"; $reauth = "reauth = no";
else } else {
$reauth = "reauth = yes"; $reauth = "reauth = yes";
if (isset($ph1ent['rekey_enable'])) }
if (isset($ph1ent['rekey_enable'])) {
$rekey = "rekey = no"; $rekey = "rekey = no";
else } else {
$rekey = "rekey = yes"; $rekey = "rekey = yes";
}
$ipseclifetime = 0; $ipseclifetime = 0;
$rightsubnet_spec = array(); $rightsubnet_spec = array();
$leftsubnet_spec = array(); $leftsubnet_spec = array();
$ealgoAHsp2arr = array(); $ealgoAHsp2arr = array();
$ealgoESPsp2arr = array(); $ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) { if (is_array($a_phase2) && count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) { foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid']) if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue;
if (isset($ph2ent['disabled']))
continue; continue;
}
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
continue; continue;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel"; $tunneltype = "type = tunnel";
$localid_type = $ph2ent['localid']['type']; $localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
...@@ -654,39 +672,31 @@ EOD; ...@@ -654,39 +672,31 @@ EOD;
} }
} }
if (empty($leftsubnet_spec[$leftsubnet_data])) $leftsubnet_spec[] = $leftsubnet_data;
$leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
if (!isset($ph2ent['mobile'])) { if (!isset($ph2ent['mobile'])) {
$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
if (empty($rightsubnet_spec[$tmpsubnet])) $rightsubnet_spec[] = $tmpsubnet;
$rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
} else if (!empty($a_client['pool_address'])) { } else if (!empty($a_client['pool_address'])) {
if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"])) $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
$rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
} }
} else { } else {
$tunneltype = "type = transport"; $tunneltype = "type = transport";
if ((($ph1ent['authentication_method'] == "xauth_psk_server") || if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) { ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
$left_spec = "%any"; $left_spec = "%any";
} else { } else {
$tmpsubnet = ipsec_get_phase1_src($ph1ent); $tmpsubnet = ipsec_get_phase1_src($ph1ent);
if ($leftsubnet_spec[$tmpsubnet]) $leftsubnet_spec[] = $tmpsubnet;
$leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
} }
if (!isset($ph2ent['mobile'])) { if (!isset($ph2ent['mobile'])) {
if (empty($rightsubnet_spec[$right_spec])) $rightsubnet_spec[] = $right_spec;
$rightsubnet_spec[$right_spec] = $right_spec;
} }
} }
if (isset($a_client['pfs_group'])) {
if (isset($a_client['pfs_group']))
$ph2ent['pfsgroup'] = $a_client['pfs_group']; $ph2ent['pfsgroup'] = $a_client['pfs_group'];
}
if ($ph2ent['protocol'] == 'esp') { if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') {
if (is_array($ph2ent['encryption-algorithm-option'])) { if (is_array($ph2ent['encryption-algorithm-option'])) {
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
$ealg_id = $ealg['name']; $ealg_id = $ealg['name'];
...@@ -696,7 +706,6 @@ EOD; ...@@ -696,7 +706,6 @@ EOD;
$ealg_kl = null; $ealg_kl = null;
} }
if (!empty($ealg_kl) && $ealg_kl == "auto") { if (!empty($ealg_kl) && $ealg_kl == "auto") {
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
...@@ -711,15 +720,17 @@ EOD; ...@@ -711,15 +720,17 @@ EOD;
$halgo = str_replace('hmac_', '', $halgo); $halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) if (!empty($modp)) {
$tmpealgo .= "-{$modp}"; $tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo; $ealgoESPsp2arr[] = $tmpealgo;
} }
} else { } else {
$tmpealgo = "{$ealg_id}{$keylen}"; $tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) if (!empty($modp)) {
$tmpealgo .= "-{$modp}"; $tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo; $ealgoESPsp2arr[] = $tmpealgo;
} }
} }
...@@ -730,43 +741,46 @@ EOD; ...@@ -730,43 +741,46 @@ EOD;
$halgo = str_replace('hmac_', '', $halgo); $halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) if (!empty($modp)) {
$tmpealgo .= "-{$modp}"; $tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo; $ealgoESPsp2arr[] = $tmpealgo;
} }
} else { } else {
$tmpealgo = "{$ealg_id}{$ealg_kl}"; $tmpealgo = "{$ealg_id}{$ealg_kl}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) if (!empty($modp)) {
$tmpealgo .= "-{$modp}"; $tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo; $ealgoESPsp2arr[] = $tmpealgo;
} }
} }
} }
} }
} else if ($ph2ent['protocol'] == 'ah') { } else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
if (!empty($modp)) if (!empty($modp)) {
$tmpAHalgo = "-{$modp}"; $tmpAHalgo = "-{$modp}";
}
$ealgoAHsp2arr[] = $tmpAHalgo; $ealgoAHsp2arr[] = $tmpAHalgo;
} }
} }
} }
if (!empty($ph2ent['lifetime'])) { if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
$ipseclifetime = intval($ph2ent['lifetime']); $ipseclifetime = intval($ph2ent['lifetime']);
} }
} }
} }
}
$ipsecconf .=<<<EOD $connEntry =<<<EOD
conn con{$ph1ent['ikeid']} conn con<<connectionId>>
aggressive = {$aggressive} aggressive = {$aggressive}
fragmentation = yes fragmentation = yes
keyexchange = {$keyexchange} keyexchange = {$keyexchange}
...@@ -780,34 +794,57 @@ conn con{$ph1ent['ikeid']} ...@@ -780,34 +794,57 @@ conn con{$ph1ent['ikeid']}
left = {$left_spec} left = {$left_spec}
right = {$right_spec} right = {$right_spec}
leftid = {$myid_data} leftid = {$myid_data}
{$ikelifeline}
EOD; EOD;
if (!empty($ikelifeline)) if ($ipseclifetime > 0) {
$ipsecconf .= "\t{$ikelifeline}\n"; $connEntry .= "\tlifetime = {$ipseclifetime}s\n";
if ($ipseclifetime > 0) }
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n"; if (!empty($rightsourceip)) {
if (!empty($rightsourceip)) $connEntry .= "{$rightsourceip}";
$ipsecconf .= "{$rightsourceip}"; }
if (!empty($rightsubnet_spec)) if (!empty($ealgosp1)) {
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n"; $connEntry .= "\t{$ealgosp1}\n";
if (!empty($leftsubnet_spec)) }
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n"; if (!empty($ealgoAHsp2arr)) {
if (!empty($ealgosp1)) $connEntry .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
$ipsecconf .= "\t{$ealgosp1}\n"; }
if (!empty($ealgoAHsp2arr))
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
if (!empty($ealgoESPsp2arr)) { if (!empty($ealgoESPsp2arr)) {
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; $connEntry .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
}
if (!empty($authentication)) {
$connEntry .= "\t{$authentication}\n";
}
if (!empty($peerid_spec)) {
$connEntry .= "\trightid = {$peerid_spec}\n";
}
// append ipsec connections
if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
// ikev1 not mobile
for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) {
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
$tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ;
$tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
$ipsecconf .= $tmpconf;
}
} else {
// mobile and ikev2
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
if (!empty($rightsubnet_spec)) {
$tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
} }
if (!empty($authentication)) if (!empty($leftsubnet_spec)) {
$ipsecconf .= "\t{$authentication}\n"; $tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
if (!empty($peerid_spec))
$ipsecconf .= "\trightid = {$peerid_spec}\n";
} }
$ipsecconf .= $tmpconf;
} }
} }
@file_put_contents("/usr/local/etc/ipsec.conf", $ipsecconf); }
}
// dump file, replace tabs for 2 spaces
@file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf));
unset($ipsecconf); unset($ipsecconf);
/* end ipsec.conf */ /* end ipsec.conf */
...@@ -828,13 +865,15 @@ EOD; ...@@ -828,13 +865,15 @@ EOD;
/* start filterdns, if necessary */ /* start filterdns, if necessary */
if (count($filterdns_list) > 0) { if (count($filterdns_list) > 0) {
$interval = 60; $interval = 60;
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
$interval = $ipseccfg['dns-interval']; $interval = $ipseccfg['dns-interval'];
}
$hostnames = ""; $hostnames = "";
array_unique($filterdns_list); array_unique($filterdns_list);
foreach ($filterdns_list as $hostname) foreach ($filterdns_list as $hostname) {
$hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n"; $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
}
file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames); file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
unset($hostnames); unset($hostnames);
...@@ -847,8 +886,9 @@ EOD; ...@@ -847,8 +886,9 @@ EOD;
killbypid('/var/run/filterdns-ipsec.pid'); killbypid('/var/run/filterdns-ipsec.pid');
} }
if (file_exists("/var/run/booting")) if (file_exists("/var/run/booting")) {
echo "done\n"; echo "done\n";
}
return count($filterdns_list); return count($filterdns_list);
} }
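Review bot: In the `// mobile and ikev2` branch `$idx` is used to build the connection name but is never assigned in that branch; on the first such phase1 entry it is undefined (PHP notice, name becomes `con<ikeid>-00`), and on later ones it carries the count left behind by a previous entry's ikev1 loop, so the generated conn name depends on the order of phase1 entries. Give that branch its own fixed suffix, e.g. `$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-000", $connEntry);`, or omit the suffix for the single-entry case. The names were previously `con<ikeid>`; if anything else in the tree matches connections by that name it will need the same suffix scheme — worth confirming. In the ikev1 loop the right side is written as `"\trightsubnet =" . $rightsubnet_spec[$idx]` without the space used everywhere else (`"\trightsubnet = " . $rightsubnet_spec[$idx] . "\n"` keeps the file uniform), and that loop relies on `$leftsubnet_spec` and `$rightsubnet_spec` being appended in lockstep for non-mobile phase2 entries, which a one-line comment above the `for` would make explicit. vpn_ipsec_configure itself starts before the first hunk and is cut across all of them.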