Commit cee1af97 authored by Franco Fichtner's avatar Franco Fichtner

vpn: merge nine IPsec changes from master

Same same, but different. (See previous commit for details.)

o Human-readable format of authentication method in overview
o Refine behaviour of enable / apply on main IPsec page
o Dedup leftsubnet/rightsubnet for meshed IKEv2
o More elegant interface and service plugging
o Tunnel isolation mode for IKEv2 (unmashed)
o Cleanup pass over backend code
o Allow Camellia for IKEv2
o Allow %any in phase 1
o Allow EAP-MSCHAPV2
parent efb06220
...@@ -1552,7 +1552,7 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1552,7 +1552,7 @@ function filter_nat_rules_generate(&$FilterIflist)
} }
/* ipsec nat */ /* ipsec nat */
if (isset($config['ipsec']) && is_array($config['ipsec']) && isset($config['ipsec']['enable'])) { if (isset($config['ipsec']['enable'])) {
if (isset($config['ipsec']['phase2'])) { if (isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase2'] as $ph2ent) { foreach ($config['ipsec']['phase2'] as $ph2ent) {
if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid']) && !isset($ph2ent['disabled'])) { if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid']) && !isset($ph2ent['disabled'])) {
...@@ -2784,6 +2784,7 @@ pass in {$log['pass']} on \$loopback inet all label "pass IPv4 loopback" ...@@ -2784,6 +2784,7 @@ pass in {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
pass out {$log['pass']} on \$loopback inet all label "pass IPv4 loopback" pass out {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
pass in {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback" pass in {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
pass out {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback" pass out {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic # let out anything from the firewall host itself and decrypted IPsec traffic
pass out {$log['pass']} inet all keep state allow-opts label "let out anything IPv4 from firewall host itself" pass out {$log['pass']} inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out {$log['pass']} inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself" pass out {$log['pass']} inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
...@@ -2821,10 +2822,9 @@ EOD; ...@@ -2821,10 +2822,9 @@ EOD;
} }
} }
/* add ipsec interfaces */ /* add ipsec interfaces */
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { if (!empty($FilterIflist['enc0']['descr'])) {
$ipfrules .= "pass out {$log['pass']} on \$IPsec all keep state label \"IPsec internal host to host\"\n"; $ipfrules .= "pass out {$log['pass']} on \${$FilterIflist['enc0']['descr']} all keep state label \"IPsec internal host to host\"\n";
} }
if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) { if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
...@@ -2836,6 +2836,7 @@ EOD; ...@@ -2836,6 +2836,7 @@ EOD;
*/ */
$lanif = $FilterIflist['lan']['if']; $lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH # make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule" pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"
...@@ -2844,6 +2845,7 @@ EOD; ...@@ -2844,6 +2845,7 @@ EOD;
/* single-interface deployment, add to WAN */ /* single-interface deployment, add to WAN */
$wanif = $FilterIflist["wan"]['if']; $wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD $ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH # make sure the user cannot lock himself out of the webConfigurator or SSH
pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule" pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"
...@@ -3189,10 +3191,8 @@ function filter_generate_ipsec_rules(&$FilterIflist, $log = array()) ...@@ -3189,10 +3191,8 @@ function filter_generate_ipsec_rules(&$FilterIflist, $log = array())
return "\n# VPN Rules not added disabled in System->Advanced.\n"; return "\n# VPN Rules not added disabled in System->Advanced.\n";
} }
$ipfrules = "\n# VPN Rules\n"; $ipfrules = "\n# VPN Rules\n";
if (isset($config['ipsec']['enable']) && if (isset($config['ipsec']['enable']) && isset($config['ipsec']['phase1'])) {
is_array($config['ipsec']['phase1'])) {
/* step through all phase1 entries */ /* step through all phase1 entries */
foreach ($config['ipsec']['phase1'] as $ph1ent) { foreach ($config['ipsec']['phase1'] as $ph1ent) {
if (isset ($ph1ent['disabled'])) { if (isset ($ph1ent['disabled'])) {
......
This diff is collapsed.
...@@ -44,7 +44,7 @@ function if_ipsec_services() ...@@ -44,7 +44,7 @@ function if_ipsec_services()
$services = array(); $services = array();
if (isset($config['ipsec']['enable'])) { if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
$pconfig = array(); $pconfig = array();
$pconfig['name'] = 'ipsec'; $pconfig['name'] = 'ipsec';
$pconfig['description'] = gettext('IPsec VPN'); $pconfig['description'] = gettext('IPsec VPN');
...@@ -64,15 +64,33 @@ function if_ipsec_interfaces() ...@@ -64,15 +64,33 @@ function if_ipsec_interfaces()
$interfaces = array(); $interfaces = array();
/* add ipsec interfaces */ if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { foreach ($config['ipsec']['phase1'] as $ph1ent) {
$oic = array("enable" => true); if (isset($ph1ent['disabled'])) {
continue;
}
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if (isset($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
if ((isset($ph2ent['mobile']) && !isset($config['ipsec']['client']['enable'])) ||
!isset($config['ipsec']['enable'])) {
continue;
}
$oic = array('enable' => true);
$oic['if'] = 'enc0'; $oic['if'] = 'enc0';
$oic['descr'] = 'IPsec'; $oic['descr'] = 'IPsec';
$oic['type'] = "none"; $oic['type'] = 'none';
$oic['virtual'] = true; $oic['virtual'] = true;
$oic['networks'] = array(); $oic['networks'] = array();
$interfaces['enc0'] = $oic; $interfaces['enc0'] = $oic;
break 2;
}
}
} }
return $interfaces; return $interfaces;
......
...@@ -79,14 +79,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { ...@@ -79,14 +79,19 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$a_phase2 = &$config['ipsec']['phase2']; $a_phase2 = &$config['ipsec']['phase2'];
if (isset($_POST['apply'])) { if (isset($_POST['apply'])) {
ipsec_configure(); ipsec_configure();
/* reload the filter in the background */
filter_configure(); filter_configure();
$savemsg = get_std_save_message(); $savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec'); clear_subsystem_dirty('ipsec');
} elseif (isset($_POST['save'])) { } elseif (isset($_POST['save'])) {
$config['ipsec']['enable'] = !empty($_POST['enable']) ? true : false; if (!empty($_POST['enable'])) {
$config['ipsec']['enable'] = true;
} elseif (isset($config['ipsec']['enable'])) {
unset($config['ipsec']['enable']);
}
write_config(); write_config();
ipsec_configure(); ipsec_configure();
filter_configure();
clear_subsystem_dirty('ipsec');
header("Location: vpn_ipsec.php"); header("Location: vpn_ipsec.php");
exit; exit;
} elseif (!empty($_POST['act']) && $_POST['act'] == "delphase1" ) { } elseif (!empty($_POST['act']) && $_POST['act'] == "delphase1" ) {
...@@ -311,7 +316,7 @@ $( document ).ready(function() { ...@@ -311,7 +316,7 @@ $( document ).ready(function() {
if (isset($savemsg)) { if (isset($savemsg)) {
print_info_box($savemsg); print_info_box($savemsg);
} }
if ($pconfig['enable'] && is_subsystem_dirty('ipsec')) { if (is_subsystem_dirty('ipsec')) {
print_info_box_apply(gettext("The IPsec tunnel configuration has been changed.") . "<br />" . gettext("You must apply the changes in order for them to take effect.")); print_info_box_apply(gettext("The IPsec tunnel configuration has been changed.") . "<br />" . gettext("You must apply the changes in order for them to take effect."));
}?> }?>
<section class="col-xs-12"> <section class="col-xs-12">
...@@ -423,7 +428,7 @@ $( document ).ready(function() { ...@@ -423,7 +428,7 @@ $( document ).ready(function() {
<?=gettext("DH Group"); ?>&nbsp;<?=$p1_dhgroups[$ph1ent['dhgroup']];?> <?=gettext("DH Group"); ?>&nbsp;<?=$p1_dhgroups[$ph1ent['dhgroup']];?>
</td> </td>
<td class="hidden-xs"> <td class="hidden-xs">
<?=str_replace('_', ' ', $ph1ent['authentication_method']);?> <?= html_safe($p1_authentication_methods[$ph1ent['authentication_method']]['name']) ?>
</td> </td>
<td> <td>
<?=$ph1ent['descr'];?>&nbsp; <?=$ph1ent['descr'];?>&nbsp;
......
...@@ -132,14 +132,13 @@ if (is_subsystem_dirty('ipsec')) { ...@@ -132,14 +132,13 @@ if (is_subsystem_dirty('ipsec')) {
foreach ($config['system']['user'] as $id => $user) { foreach ($config['system']['user'] as $id => $user) {
if (!empty($user['ipsecpsk'])) { if (!empty($user['ipsecpsk'])) {
$userkeys[] = array('ident' => $user['name'], 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id); $userkeys[] = array('ident' => $user['name'], 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id);
;
} }
} }
foreach ($userkeys as $secretent) : foreach ($userkeys as $secretent) :
?> ?>
<tr> <tr>
<td> <td>
<?=$secretent['ident'] == 'allusers' ? gettext("ANY USER") : htmlspecialchars($secretent['ident']) ;?> <?=htmlspecialchars($secretent['ident']) ;?>
</td> </td>
<td> <td>
<?=htmlspecialchars($secretent['pre-shared-key']);?> <?=htmlspecialchars($secretent['pre-shared-key']);?>
......
...@@ -172,7 +172,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -172,7 +172,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
write_config(); write_config();
mark_subsystem_dirty('ipsec'); mark_subsystem_dirty('ipsec');
header(url_safe('Location: vpn_ipsec_mobile.php')); header(url_safe('Location: vpn_ipsec_mobile.php'));
exit; exit;
} }
......
...@@ -87,7 +87,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -87,7 +87,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal
,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref
,caref,reauth_enable,rekey_enable, auto"; ,caref,reauth_enable,rekey_enable,auto,tunnel_isolation";
if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
// 1-on-1 copy // 1-on-1 copy
foreach (explode(",", $phase1_fields) as $fieldname) { foreach (explode(",", $phase1_fields) as $fieldname) {
...@@ -178,6 +178,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -178,6 +178,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// For RSA methods, require the CA/Cert. // For RSA methods, require the CA/Cert.
switch ($method) { switch ($method) {
case "eap-tls": case "eap-tls":
case "eap-mschapv2":
if ($pconfig['iketype'] != 'ikev2') { if ($pconfig['iketype'] != 'ikev2') {
$input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method)); $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
} }
...@@ -199,6 +200,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -199,6 +200,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
break; break;
} }
if (empty($pconfig['mobile'])) { if (empty($pconfig['mobile'])) {
$reqdfields[] = "remote-gateway"; $reqdfields[] = "remote-gateway";
$reqdfieldsn[] = gettext("Remote gateway"); $reqdfieldsn[] = gettext("Remote gateway");
...@@ -247,48 +249,30 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -247,48 +249,30 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
} }
if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") { if ($pconfig['interface'] == 'any' && $pconfig['myid_type'] == "myaddress") {
$input_errors[] = gettext("Please select an identifier (My Identifier) other then 'any' when selecting 'Any' interface");
} elseif ($pconfig['myid_type'] == "address" && $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter an address for 'My Identifier'"); $input_errors[] = gettext("Please enter an address for 'My Identifier'");
} } elseif ($pconfig['myid_type'] == "keyid tag" && $pconfig['myid_data'] == "") {
if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
} } elseif ($pconfig['myid_type'] == "fqdn" && $pconfig['myid_data'] == "") {
if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
} } elseif ($pconfig['myid_type'] == "user_fqdn" && $pconfig['myid_data'] == "") {
if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
} } elseif ($pconfig['myid_type'] == "dyn_dns" && $pconfig['myid_data'] == "") {
if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") {
$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
} } elseif ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) {
if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified."); $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
} } elseif ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) {
if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) {
$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified."); $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
} } elseif ($pconfig['myid_type'] == "fqdn" && !is_domain($pconfig['myid_data'])) {
if ($pconfig['myid_type'] == "fqdn") {
if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified."); $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");
} } elseif ($pconfig['myid_type'] == "user_fqdn") {
}
if ($pconfig['myid_type'] == "user_fqdn") {
$user_fqdn = explode("@", $pconfig['myid_data']); $user_fqdn = explode("@", $pconfig['myid_data']);
if (is_domain($user_fqdn[1]) == false) { if (is_domain($user_fqdn[1]) == false) {
$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."); $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
} }
} } elseif ($pconfig['myid_type'] == "dyn_dns") {
if ($pconfig['myid_type'] == "dyn_dns") {
if (is_domain($pconfig['myid_data']) == false) { if (is_domain($pconfig['myid_data']) == false) {
$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified."); $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
} }
...@@ -349,6 +333,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -349,6 +333,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen']; $pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen'];
} }
foreach ($p1_ealgos as $algo => $algodata) {
if (!empty($pconfig['iketype']) && !empty($pconfig['encryption-algorithm']['name']) && !empty($algodata['iketype'])
&& $pconfig['iketype'] != $algodata['iketype'] && $pconfig['encryption-algorithm']['name'] == $algo) {
$input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), $algodata['name']);
}
}
if (count($input_errors) == 0) { if (count($input_errors) == 0) {
$copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup
...@@ -376,6 +367,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -376,6 +367,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$ph1ent['rekey_enable'] = true; $ph1ent['rekey_enable'] = true;
} }
if (isset($pconfig['tunnel_isolation'])) {
$ph1ent['tunnel_isolation'] = true;
}
if (isset($pconfig['dpd_enable'])) { if (isset($pconfig['dpd_enable'])) {
$ph1ent['dpd_delay'] = $pconfig['dpd_delay']; $ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
...@@ -402,7 +397,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -402,7 +397,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
write_config(); write_config();
mark_subsystem_dirty('ipsec'); mark_subsystem_dirty('ipsec');
header("Location: vpn_ipsec.php"); header("Location: vpn_ipsec.php");
exit; exit;
} }
...@@ -448,6 +442,7 @@ include("head.inc"); ...@@ -448,6 +442,7 @@ include("head.inc");
case 'hybrid_rsa_server': case 'hybrid_rsa_server':
case 'xauth_rsa_server': case 'xauth_rsa_server':
case 'rsasig': case 'rsasig':
case 'eap-mschapv2':
$(".auth_eap_tls").show(); $(".auth_eap_tls").show();
$(".auth_eap_tls :input").prop( "disabled", false ); $(".auth_eap_tls :input").prop( "disabled", false );
$(".auth_eap_tls_caref").show(); $(".auth_eap_tls_caref").show();
...@@ -620,6 +615,9 @@ include("head.inc"); ...@@ -620,6 +615,9 @@ include("head.inc");
</option> </option>
<?php endforeach; <?php endforeach;
?> ?>
<option value="any" <?= $pconfig['interface'] == "any" ? "selected=\"selected\"" : "" ?>>
<?=gettext("Any");?>
</option>
</select> </select>
<div class="hidden" for="help_for_interface"> <div class="hidden" for="help_for_interface">
<?=gettext("Select the interface for the local endpoint of this phase1 entry."); ?> <?=gettext("Select the interface for the local endpoint of this phase1 entry."); ?>
...@@ -661,13 +659,6 @@ include("head.inc"); ...@@ -661,13 +659,6 @@ include("head.inc");
<td> <td>
<select name="authentication_method" id="authentication_method" class="formselect"> <select name="authentication_method" id="authentication_method" class="formselect">
<?php <?php
$p1_authentication_methods = array(
'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
foreach ($p1_authentication_methods as $method_type => $method_params) : foreach ($p1_authentication_methods as $method_type => $method_params) :
if (empty($pconfig['mobile']) && $method_params['mobile']) { if (empty($pconfig['mobile']) && $method_params['mobile']) {
continue; continue;
...@@ -731,6 +722,8 @@ endforeach; ?> ...@@ -731,6 +722,8 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<?php
if (empty($pconfig['mobile'])):?>
<tr class="auth_opt auth_eap_tls auth_psk"> <tr class="auth_opt auth_eap_tls auth_psk">
<td ><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer identifier"); ?></td> <td ><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer identifier"); ?></td>
<td> <td>
...@@ -762,6 +755,8 @@ endforeach; ?> ...@@ -762,6 +755,8 @@ endforeach; ?>
} ?> } ?>
</td> </td>
</tr> </tr>
<?php
endif;?>
<tr class="auth_opt auth_psk"> <tr class="auth_opt auth_psk">
<td ><a id="help_for_psk" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pre-Shared Key"); ?></td> <td ><a id="help_for_psk" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pre-Shared Key"); ?></td>
<td> <td>
...@@ -928,6 +923,15 @@ endforeach; ?> ...@@ -928,6 +923,15 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_tunnel_isolation" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Tunnel Isolation') ?></td>
<td>
<input name="tunnel_isolation" type="checkbox" id="tunnel_isolation" value="yes" <?= !empty($pconfig['tunnel_isolation']) ? 'checked="checked"' : '' ?>/>
<div class="hidden" for="help_for_tunnel_isolation">
<?= gettext('This option will create a tunnel for each phase 2 entry for IKEv2 interoperability with e.g. FortiGate devices.') ?>
</div>
</td>
</tr>
<tr> <tr>
<td><a id="help_for_nat_traversal" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NAT Traversal"); ?></td> <td><a id="help_for_nat_traversal" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NAT Traversal"); ?></td>
<td> <td>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment