diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index bc57773fb..d1b868768 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc @@ -55,15 +55,6 @@ $p2_ealgos = array( 'cast128' => array( 'name' => 'CAST128' ), 'des' => array( 'name' => 'DES' )); -$p1_halgos = array( - 'md5' => 'MD5', - 'sha1' => 'SHA1', - 'sha256' => 'SHA256', - 'sha384' => 'SHA384', - 'sha512' => 'SHA512', - 'aesxcbc' => 'AES-XCBC' -); - $p2_halgos = array( 'hmac_md5' => 'MD5', 'hmac_sha1' => 'SHA1', diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 63eb842b1..b07c54e2a 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php 
@@ -28,51 +28,12 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("vpn.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); -$my_identifier_list = array( - 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ), - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ), - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), - 'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ), - 'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true )); - -$peer_identifier_list = array( - 'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ), - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ), - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), - 'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true )); - -$p1_dhgroups = array( - 1 => '1 (768 bit)', - 2 => '2 (1024 bit)', - 5 => '5 (1536 bit)', - 14 => '14 (2048 bit)', - 15 => '15 (3072 bit)', - 16 => '16 (4096 bit)', - 17 => '17 (6144 bit)', - 18 => '18 (8192 bit)', - 22 => '22 (1024(sub 160) bit)', - 23 => '23 (2048(sub 224) bit)', - 24 => '24 (2048(sub 256) bit)' -); - -$p1_authentication_methods = array( - 'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ), - 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), - 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 
'mobile' => true ), - 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), - 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), - 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); /* * ikeid management functions @@ -98,9 +59,8 @@ function ipsec_ikeid_next() { } - if (!is_array($config['ipsec'])) { - $config['ipsec'] = array(); + $config['ipsec'] = array(); } if (!is_array($config['ipsec']['phase1'])) { 
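Review bot: As rendered here, the guard `if (!is_array($config['ipsec'])) {` is removed while its closing `}` stays as context, so the new side reads `$config['ipsec'] = array();` followed by an unmatched brace; if a replacement condition line was lost in this rendering the hunk is fine, otherwise the file will not parse. If the assignment really became unconditional, it also resets the whole IPsec section on every page load, so the guard must stay in some form, e.g. `if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {`. The two lines that close this hunk are not visible here, so this is inferred from the hunk counts rather than seen directly.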
@@ -114,393 +74,357 @@ if (!is_array($config['ipsec']['phase2'])) { $a_phase1 = &$config['ipsec']['phase1']; $a_phase2 = &$config['ipsec']['phase2']; -if (is_numericint($_GET['p1index'])) { - $p1index = $_GET['p1index']; -} -if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) { - $p1index = $_POST['p1index']; + +if ($_SERVER['REQUEST_METHOD'] === 'GET') { + // fetch data + if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { + $p1index = $_GET['dup']; + } elseif (isset($_GET['p1index']) && is_numericint($_GET['p1index'])) { + $p1index = $_GET['p1index']; + } + $pconfig = array(); + + // generice defaults + $pconfig['interface'] = "wan"; + $pconfig['iketype'] = "ikev1"; + $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data + ,encryption-algorithm,halgo,dhgroup,lifetime,authentication_method,descr,nat_traversal + ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref + ,caref,reauth_enable,rekey_enable"; + if (isset($p1index) && isset($a_phase1[$p1index])) { + // 1-on-1 copy + foreach (explode(",", $phase1_fields) as $fieldname) { + $fieldname = trim($fieldname); + if(isset($a_phase1[$p1index][$fieldname])) { + $pconfig[$fieldname] = $a_phase1[$p1index][$fieldname]; + } elseif (!isset($pconfig[$fieldname])) { + // initialize element + $pconfig[$fieldname] = null; + } + } + + // attributes with some kind of logic behind them... 
+ if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) { + // don't copy the ikeid on dup + $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid']; + } + $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']); + + $pconfig['remotebits'] = null; + $pconfig['remotenet'] = null ; + if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($a_phase1[$p1index]['remote-subnet'],'/') !== false) { + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); + } elseif (isset($a_phase1[$p1index]['remote-subnet'])) { + $pconfig['remotenet'] = $a_phase1[$p1index]['remote-subnet']; + } + + if (isset($a_phase1[$p1index]['mobile'])) { + $pconfig['mobile'] = true; + } + } else { + /* defaults new */ + if (isset($config['interfaces']['lan'])) { + $pconfig['localnet'] = "lan"; + } + $pconfig['mode'] = "aggressive"; + $pconfig['protocol'] = "inet"; + $pconfig['myid_type'] = "myaddress"; + $pconfig['peerid_type'] = "peeraddress"; + $pconfig['authentication_method'] = "pre_shared_key"; + $pconfig['encryption-algorithm'] = array("name" => "3des") ; + $pconfig['halgo'] = "sha1"; + $pconfig['dhgroup'] = "2"; + $pconfig['lifetime'] = "28800"; + $pconfig['nat_traversal'] = "on"; + $pconfig['iketype'] = "ikev1"; + + /* mobile client */ + if (isset($_GET['mobile'])) { + $pconfig['mobile']=true; + } + // init empty + foreach (explode(",", $phase1_fields) as $fieldname) { + $fieldname = trim($fieldname); + if (!isset($pconfig[$fieldname])) { + $pconfig[$fieldname] = null; + } + } + + } + +} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { + if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) { + $p1index = $_POST['p1index']; + } + $input_errors = array(); + $pconfig = $_POST; + $old_ph1ent = $a_phase1[$p1index]; + + // Preperations to kill some settings which aren't left empty by the field. 
+ // Unset ca and cert if not required to avoid storing in config + if ($pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server") { + unset($pconfig['caref']); + unset($pconfig['certref']); + } + // unset dpd on post + if (!isset($pconfig['dpd_enable'])) { + unset($pconfig['dpd_delay']); + unset($pconfig['dpd_maxfail']); + } + + /* My identity */ + if ($pconfig['myid_type'] == "myaddress") { + $pconfig['myid_data'] = ""; + } + /* Peer identity */ + if ($pconfig['myid_type'] == "peeraddress") { + $pconfig['peerid_data'] = ""; + } + + /* input validation */ + $method = $pconfig['authentication_method']; + + // Only require PSK here for normal PSK tunnels (not mobile) or xauth. + // For RSA methods, require the CA/Cert. + switch ($method) { + case "eap-tls": + if ($pconfig['iketype'] != 'ikev2') { + $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); + } + break; + case "pre_shared_key": + // If this is a mobile PSK tunnel the user PSKs go on + // the PSK tab, not here, so skip the check. 
+ if ($pconfig['mobile']) { + break; + } + case "xauth_psk_server": + $reqdfields = explode(" ", "pre-shared-key"); + $reqdfieldsn = array(gettext("Pre-Shared Key")); + break; + case "hybrid_rsa_server": + case "xauth_rsa_server": + case "rsasig": + $reqdfields = explode(" ", "caref certref"); + $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); + break; + } + if (empty($pconfig['mobile'])) { + $reqdfields[] = "remote-gateway"; + $reqdfieldsn[] = gettext("Remote gateway"); + } + + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); + + if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) { + $input_errors[] = gettext("The P1 lifetime must be an integer."); + } + + if (!empty($pconfig['remote-gateway'])) { + if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) { + $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); + } elseif (is_ipaddrv4($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet")) + $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6"); + elseif (is_ipaddrv6($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet6")) + $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4"); + } + + if ((!empty($pconfig['remote-gateway']) && is_ipaddr($pconfig['remote-gateway']) && !isset($pconfig['disabled']) )) { + $t = 0; + foreach ($a_phase1 as $ph1tmp) { + if ($p1index <> $t) { + if (isset($ph1tmp['remote-gateway']) && $ph1tmp['remote-gateway'] == $pconfig['remote-gateway'] && !isset($ph1tmp['disabled'])) { + $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $pconfig['remote-gateway'], $ph1tmp['descr']); + } + } + $t++; + } + } + + if (isset($a_phase2) && (count($a_phase2))) { + foreach ($a_phase2 as $phase2) { + if 
($phase2['ikeid'] == $pconfig['ikeid']) { + if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) { + $input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4."); + break; + } + if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) { + $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6."); + break; + } + } + } + } + + if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter an address for 'My Identifier'"); + } + + if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); + } + + if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); + } + + if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); + } + + if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); + } + + if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) { + $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified."); + } + + if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) { + $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified."); + } + + if ($pconfig['myid_type'] == "fqdn") { + if (is_domain($pconfig['myid_data']) == false) { + $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified."); + } + } + + if ($pconfig['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@", $pconfig['myid_data']); + if (is_domain($user_fqdn[1]) == false) { + $input_errors[] = gettext("A valid User FQDN in the form 
of user@my.domain.com for 'My identifier' must be specified."); + } + } + + if ($pconfig['myid_type'] == "dyn_dns") { + if (is_domain($pconfig['myid_data']) == false) { + $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified."); + } + } + + // Only enforce peer ID if we are not dealing with a pure-psk mobile config. + if (!(($pconfig['authentication_method'] == "pre_shared_key") && !empty($pconfig['mobile']))) { + if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); + } + if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) { + $input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified."); + } + if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) { + $input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified."); + } + if ($pconfig['peerid_type'] == "fqdn") { + if (is_domain($pconfig['peerid_data']) == false) { + $input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified."); + } + } + if ($pconfig['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@", $pconfig['peerid_data']); + if (is_domain($user_fqdn[1]) == false) { + $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."); + } + } + } + + if 
(!empty($pconfig['dpd_enable'])) { + if (!is_numeric($pconfig['dpd_delay'])) { + $input_errors[] = gettext("A numeric value must be specified for DPD delay."); + } + if (!is_numeric($pconfig['dpd_maxfail'])) { + $input_errors[] = gettext("A numeric value must be specified for DPD retries."); + } + } + + if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") { + $input_errors[] = gettext("Valid arguments for IKE type is v1 or v2"); + } + + /* build our encryption algorithms array */ + if (!isset($pconfig['encryption-algorithm']) || !is_array($pconfig['encryption-algorithm'])) { + $pconfig['encryption-algorithm'] = array(); + } + $pconfig['encryption-algorithm']['name'] = $_POST['encryption-algorithm']; + if ($pconfig['ealgo_keylen']) { + $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; + } + + if (count($input_errors) == 0) { + $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data + ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup + ,lifetime,pre-shared-key,certref,caref,authentication_method,descr + ,nat_traversal"; + + foreach (explode(",",$copy_fields) as $fieldname) { + $fieldname = trim($fieldname); + if(isset($pconfig[$fieldname])) { + $ph1ent[$fieldname] = $pconfig[$fieldname]; + } + } + + $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; + $ph1ent['private-key'] =isset($pconfig['privatekey']) ? 
base64_encode($pconfig['privatekey']) : null; + if (!empty($pconfig['mobile'])) { + $ph1ent['mobile'] = true; + } else { + $ph1ent['remote-gateway'] = $pconfig['remote-gateway']; + } + if (isset($pconfig['reauth_enable'])) { + $ph1ent['reauth_enable'] = true; + } + if (isset($pconfig['rekey_enable'])) { + $ph1ent['rekey_enable'] = true; + } + + if (isset($pconfig['dpd_enable'])) { + $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; + $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; + } + + /* generate unique phase1 ikeid */ + if ($ph1ent['ikeid'] == 0) { + $ph1ent['ikeid'] = ipsec_ikeid_next(); + } + + if (isset($p1index) && $a_phase1[$p1index]) { + $a_phase1[$p1index] = $ph1ent; + } else { + $a_phase1[] = $ph1ent; + } + + /* if the remote gateway changed and the interface is not WAN then remove route */ + /* the vpn_ipsec_configure() handles adding the route */ + if ($pconfig['interface'] <> "wan") { + if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) { + mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}"); + } + } + + write_config(); + mark_subsystem_dirty('ipsec'); + + header("Location: vpn_ipsec.php"); + exit; + } } -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { - $p1index = $_GET['dup']; -} - -if (isset($p1index) && $a_phase1[$p1index]) { - // don't copy the ikeid on dup - if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) { - $pconfig['ikeid'] = $a_phase1[$p1index]['ikeid']; - } - - $old_ph1ent = $a_phase1[$p1index]; - - $pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']); - - if ($a_phase1[$p1index]['interface']) { - $pconfig['interface'] = $a_phase1[$p1index]['interface']; - } else { - $pconfig['interface'] = "wan"; - } - - list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']); - - if (isset($a_phase1[$p1index]['mobile'])) { - $pconfig['mobile'] = 'true'; - } else { - $pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; - } - - if 
(empty($a_phase1[$p1index]['iketype'])) { - $pconfig['iketype'] = "ikev1"; - } else { - $pconfig['iketype'] = $a_phase1[$p1index]['iketype']; - } - $pconfig['mode'] = $a_phase1[$p1index]['mode']; - $pconfig['protocol'] = $a_phase1[$p1index]['protocol']; - $pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; - $pconfig['myid_data'] = $a_phase1[$p1index]['myid_data']; - $pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type']; - $pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data']; - $pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm']; - $pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm']; - $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup']; - $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime']; - $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method']; - - if (($pconfig['authentication_method'] == "pre_shared_key") || - ($pconfig['authentication_method'] == "xauth_psk_server")) { - $pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key']; - } else { - $pconfig['certref'] = $a_phase1[$p1index]['certref']; - $pconfig['caref'] = $a_phase1[$p1index]['caref']; - } - - $pconfig['descr'] = $a_phase1[$p1index]['descr']; - $pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal']; - - if (!isset($a_phase1[$p1index]['reauth_enable'])) { - $pconfig['reauth_enable'] = true; - } - if (!isset($a_phase1[$p1index]['rekey_enable'])) { - $pconfig['rekey_enable'] = true; - } - - if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) { - $pconfig['dpd_enable'] = true; - $pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay']; - $pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail']; - } -} else { - /* defaults */ - $pconfig['interface'] = "wan"; - if ($config['interfaces']['lan']) { - $pconfig['localnet'] = "lan"; - } - $pconfig['mode'] = "aggressive"; - $pconfig['protocol'] = "inet"; - $pconfig['myid_type'] = "myaddress"; - $pconfig['peerid_type'] = "peeraddress"; - 
$pconfig['authentication_method'] = "pre_shared_key"; - $pconfig['ealgo'] = array( name => "3des" ); - $pconfig['halgo'] = "sha1"; - $pconfig['dhgroup'] = "2"; - $pconfig['lifetime'] = "28800"; - $pconfig['nat_traversal'] = "on"; - $pconfig['dpd_enable'] = true; - $pconfig['iketype'] = "ikev1"; - - /* mobile client */ - if ($_GET['mobile']) { - $pconfig['mobile']=true; - } -} - -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { - unset($p1index); -} - -if ($_POST) { - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - - $method = $pconfig['authentication_method']; - // Unset ca and cert if not required to avaoid storing in config - if ($method == "pre_shared_key" || $method == "xauth_psk_server") { - unset($pconfig['caref']); - unset($pconfig['certref']); - } - - // Only require PSK here for normal PSK tunnels (not mobile) or xauth. - // For RSA methods, require the CA/Cert. - switch ($method) { - case "eap-tls": - if ($pconfig['iketype'] != 'ikev2') { - $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); - } - break; - case "pre_shared_key": - // If this is a mobile PSK tunnel the user PSKs go on - // the PSK tab, not here, so skip the check. 
- if ($pconfig['mobile']) { - break; - } - case "xauth_psk_server": - $reqdfields = explode(" ", "pskey"); - $reqdfieldsn = array(gettext("Pre-Shared Key")); - break; - case "hybrid_rsa_server": - case "xauth_rsa_server": - case "rsasig": - $reqdfields = explode(" ", "caref certref"); - $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); - break; - } - if (!$pconfig['mobile']) { - $reqdfields[] = "remotegw"; - $reqdfieldsn[] = gettext("Remote gateway"); - } - - do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); - - if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime']))) { - $input_errors[] = gettext("The P1 lifetime must be an integer."); - } - - if ($pconfig['remotegw']) { - if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])) { - $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); - } elseif (is_ipaddrv4($pconfig['remotegw']) && ($pconfig['protocol'] != "inet")) - $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6"); - elseif (is_ipaddrv6($pconfig['remotegw']) && ($pconfig['protocol'] != "inet6")) - $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4"); - } - - if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) { - $t = 0; - foreach ($a_phase1 as $ph1tmp) { - if ($p1index <> $t) { - $tremotegw = $pconfig['remotegw']; - if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) { - $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']); - } - } - $t++; - } - } - - if (is_array($a_phase2) && (count($a_phase2))) { - foreach ($a_phase2 as $phase2) { - if ($phase2['ikeid'] == $pconfig['ikeid']) { - if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) { - 
$input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4."); - break; - } - if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) { - $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6."); - break; - } - } - } - } - - /* My identity */ - - if ($pconfig['myid_type'] == "myaddress") { - $pconfig['myid_data'] = ""; - } - - if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter an address for 'My Identifier'"); - } - - if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); - } - - if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); - } - - if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); - } - - if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); - } - - if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) { - $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified."); - } - - if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) { - $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified."); - } - - if ($pconfig['myid_type'] == "fqdn") { - if (is_domain($pconfig['myid_data']) == false) { - $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified."); - } - } - - if ($pconfig['myid_type'] == "user_fqdn") { - $user_fqdn = explode("@", $pconfig['myid_data']); - if (is_domain($user_fqdn[1]) == false) { - $input_errors[] = gettext("A valid User FQDN in the form of 
user@my.domain.com for 'My identifier' must be specified."); - } - } - - if ($pconfig['myid_type'] == "dyn_dns") { - if (is_domain($pconfig['myid_data']) == false) { - $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified."); - } - } - - /* Peer identity */ - - if ($pconfig['myid_type'] == "peeraddress") { - $pconfig['peerid_data'] = ""; - } - - // Only enforce peer ID if we are not dealing with a pure-psk mobile config. - if (!(($pconfig['authentication_method'] == "pre_shared_key") && ($pconfig['mobile']))) { - if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); - } - - if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); - } - - if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); - } - - if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); - } - - if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) { - $input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified."); - } - - if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) { - $input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified."); - } - - if ($pconfig['peerid_type'] == "fqdn") { - if (is_domain($pconfig['peerid_data']) == false) { - $input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified."); - } - } - - if ($pconfig['peerid_type'] == "user_fqdn") { - $user_fqdn = explode("@", $pconfig['peerid_data']); - if (is_domain($user_fqdn[1]) == false) { - $input_errors[] = 
gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."); - } - } - } - - if ($pconfig['dpd_enable']) { - if (!is_numeric($pconfig['dpd_delay'])) { - $input_errors[] = gettext("A numeric value must be specified for DPD delay."); - } - - if (!is_numeric($pconfig['dpd_maxfail'])) { - $input_errors[] = gettext("A numeric value must be specified for DPD retries."); - } - } - - if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") { - $input_errors[] = gettext("Valid arguments for IKE type is v1 or v2"); - } - - /* build our encryption algorithms array */ - $pconfig['ealgo'] = array(); - $pconfig['ealgo']['name'] = $_POST['ealgo']; - if ($pconfig['ealgo_keylen']) { - $pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen']; - } - - if (!$input_errors) { - $ph1ent['ikeid'] = $pconfig['ikeid']; - $ph1ent['iketype'] = $pconfig['iketype']; - $ph1ent['disabled'] = $pconfig['disabled'] ? true : false; - $ph1ent['interface'] = $pconfig['interface']; - /* if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ - if ($pconfig['interface'] <> "wan") { - if ($old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) { - mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}"); - } - } - - if ($pconfig['mobile']) { - $ph1ent['mobile'] = true; - } else { - $ph1ent['remote-gateway'] = $pconfig['remotegw']; - } - - $ph1ent['mode'] = $pconfig['mode']; - $ph1ent['protocol'] = $pconfig['protocol']; - - $ph1ent['myid_type'] = $pconfig['myid_type']; - $ph1ent['myid_data'] = $pconfig['myid_data']; - $ph1ent['peerid_type'] = $pconfig['peerid_type']; - $ph1ent['peerid_data'] = $pconfig['peerid_data']; - - $ph1ent['encryption-algorithm'] = $pconfig['ealgo']; - $ph1ent['hash-algorithm'] = $pconfig['halgo']; - $ph1ent['dhgroup'] = $pconfig['dhgroup']; - $ph1ent['lifetime'] = $pconfig['lifetime']; - 
$ph1ent['pre-shared-key'] = $pconfig['pskey']; - $ph1ent['private-key'] = base64_encode($pconfig['privatekey']); - $ph1ent['certref'] = $pconfig['certref']; - $ph1ent['caref'] = $pconfig['caref']; - $ph1ent['authentication_method'] = $pconfig['authentication_method']; - $ph1ent['descr'] = $pconfig['descr']; - $ph1ent['nat_traversal'] = $pconfig['nat_traversal']; - - if (isset($pconfig['reauth_enable'])) { - $ph1ent['reauth_enable'] = true; - } - if (isset($pconfig['rekey_enable'])) { - $ph1ent['rekey_enable'] = true; - } - - if (isset($pconfig['dpd_enable'])) { - $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; - $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; - } - - /* generate unique phase1 ikeid */ - if ($ph1ent['ikeid'] == 0) { - $ph1ent['ikeid'] = ipsec_ikeid_next(); - } - - if (isset($p1index) && $a_phase1[$p1index]) { - $a_phase1[$p1index] = $ph1ent; - } else { - $a_phase1[] = $ph1ent; - } - - write_config(); - mark_subsystem_dirty('ipsec'); - - header("Location: vpn_ipsec.php"); - exit; - } -} - -if ($pconfig['mobile']) { +if (!empty($pconfig['mobile'])) { $pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1"), gettext("Mobile Client")); } else { $pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1")); } $shortcut_section = "ipsec"; +legacy_html_escape_form_data($pconfig); include("head.inc"); @@ -511,22 +435,43 @@ include("head.inc"); -
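Review bot: The key length read from the form is stored under `$pconfig['ealgo']['keylen']` while the entry written to config is `$pconfig['encryption-algorithm']` (the only name in `$copy_fields`), so the selected key length is silently dropped on save; the assignment should be `$pconfig['encryption-algorithm']['keylen'] = $_POST['ealgo_keylen'];`. The reset under `/* Peer identity */` tests `$pconfig['myid_type'] == "peeraddress"` where it should test `$pconfig['peerid_type']`, so a stale `peerid_data` is kept whenever the peer identifier is the peer address. On a new non-WAN entry `$old_ph1ent` is null, so `$old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']` is true and `/sbin/route delete -host ` runs with an empty argument; guard it with `!empty($old_ph1ent['remote-gateway'])` and pass the value through `escapeshellarg()`, since it comes from the stored config rather than from the input just validated above. The GET branch reads `halgo` from the stored entry while the save path copies `hash-algorithm`; unless the stored key was renamed in the same change (the form markup is not readable here), one of the two directions will not round-trip the hash algorithm. Unrelated to the refactor but worth a follow-up: the carried-over new-entry defaults (`aggressive` mode, `3des`, `sha1`, DH group `2`) are weak by today's standards.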
-
-
- 0) { - print_input_errors($input_errors); - } - ?> +
+
+
+ 0) { + print_input_errors($input_errors); + } +?> -
- - + - -
- -
- -
- - - - - - - - - +?> +
+ +
+
- - + + + + + - - + - - + - - + - - - - + - - - + - - + - + - -
- /> -
- +
+ + +
+ /> +
+ +
. + "V1", "ikev2" => "V2"); + foreach ($keyexchange as $kidx => $name) : + ?> + + + +
+
. + $protocols = array("inet" => "IPv4", "inet6" => "IPv6"); + foreach ($protocols as $protocol => $name) : + ?> + + + +
+ -
- . +
- -
- +
+ +
- -
- +
+ +
 
- - - - - - - - - - - - - + + + + - - + - - + - - + - - + - - + - - + - -
+
-
- +
+
. + $modes = array("main" => "Main", "aggressive" => "Aggressive"); + foreach ($modes as $mode => $mdescr) : +?> + + + +
- + - +
+ +
- - - + + + + .
- - - -
+
+ " /> +
+ -
- +
+ -
- +
- - - - - - - - - - - - - + + + + - - + - - - - - - - - - - -
-
+
+ -
- - . - -
- -
- +
- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - -
- /> -
-
- /> -
-
- -
- - . - -
- onclick="dpdchkbox_change()" /> -
-
-
- -
- - . -
-
- -
- - . - -
  - + + + + + +
+ + +
+ /> + +
+ /> + +
+ + +
+ onclick="dpdchkbox_change()" /> + +
+
+ + + +
+ + + +
+
  + + - - + " />
-
-
- -
-
-
+ + +
+ +
+
- + + - -