From 5c7fc2970a30e2023f78c3c1d596dc55f7ee85d3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 3 Sep 2015 19:02:51 +0000
Subject: [PATCH] (legacy) whitespace / style fixes vpn_ipsec_phase1.php

---
src/www/vpn_ipsec_phase1.php | 1607 +++++++++++++++++-----------------
1 file changed, 803 insertions(+), 804 deletions(-)

diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index a843602aa..1e2c75309 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
@@ -1,32 +1,32 @@ . - Copyright (C) 2014 Ermal Luçi - All rights reserved. + Copyright (C) 2014-2015 Deciso B.V. + Copyright (C) 2008 Shrew Soft Inc + Copyright (C) 2003-2005 Manuel Kasper . + Copyright (C) 2014 Ermal Luçi + All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); require_once("vpn.inc"); @@ -40,22 +40,22 @@ require_once("interfaces.inc"); */ function ipsec_ikeid_used($ikeid) { - global $config; + global $config; - foreach ($config['ipsec']['phase1'] as $ph1ent) - if( $ikeid == $ph1ent['ikeid'] ) - return true; - - return false; + foreach ($config['ipsec']['phase1'] as $ph1ent) + if( $ikeid == $ph1ent['ikeid'] ) { + return true; + } + return false; } function ipsec_ikeid_next() { + $ikeid = 1; + while(ipsec_ikeid_used($ikeid)) { + $ikeid++; + } - $ikeid = 1; - while(ipsec_ikeid_used($ikeid)) - $ikeid++; - - return $ikeid; + return $ikeid; } 
@@ -72,346 +72,345 @@ if (!isset($config['ipsec']['phase2'])) { } if ($_SERVER['REQUEST_METHOD'] === 'GET') { - // fetch data - if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { - $p1index = $_GET['dup']; - } elseif (isset($_GET['p1index']) && is_numericint($_GET['p1index'])) { - $p1index = $_GET['p1index']; - } - $pconfig = array(); + // fetch data + if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { + $p1index = $_GET['dup']; + } elseif (isset($_GET['p1index']) && is_numericint($_GET['p1index'])) { + $p1index = $_GET['p1index']; + } + $pconfig = array(); - // generice defaults - $pconfig['interface'] = "wan"; - $pconfig['iketype'] = "ikev1"; - $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data - ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal - ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref - ,caref,reauth_enable,rekey_enable"; - if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { - // 1-on-1 copy - foreach (explode(",", $phase1_fields) as $fieldname) { - $fieldname = trim($fieldname); - if(isset($config['ipsec']['phase1'][$p1index][$fieldname])) { - $pconfig[$fieldname] = $config['ipsec']['phase1'][$p1index][$fieldname]; - } elseif (!isset($pconfig[$fieldname])) { - // initialize element - $pconfig[$fieldname] = null; - } - } + // generice defaults + $pconfig['interface'] = "wan"; + $pconfig['iketype'] = "ikev1"; + $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data + ,encryption-algorithm,hash-algorithm,dhgroup,lifetime,authentication_method,descr,nat_traversal + ,interface,iketype,dpd_delay,dpd_maxfail,remote-gateway,pre-shared-key,certref + ,caref,reauth_enable,rekey_enable"; + if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) { + // 1-on-1 copy + foreach (explode(",", $phase1_fields) as $fieldname) { + $fieldname = trim($fieldname); + 
if(isset($config['ipsec']['phase1'][$p1index][$fieldname])) { + $pconfig[$fieldname] = $config['ipsec']['phase1'][$p1index][$fieldname]; + } elseif (!isset($pconfig[$fieldname])) { + // initialize element + $pconfig[$fieldname] = null; + } + } - // attributes with some kind of logic behind them... - if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) { - // don't copy the ikeid on dup - $pconfig['ikeid'] = $config['ipsec']['phase1'][$p1index]['ikeid']; - } - $pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']); + // attributes with some kind of logic behind them... + if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) { + // don't copy the ikeid on dup + $pconfig['ikeid'] = $config['ipsec']['phase1'][$p1index]['ikeid']; + } + $pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']); - $pconfig['remotebits'] = null; - $pconfig['remotenet'] = null ; - if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) { - list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $config['ipsec']['phase1'][$p1index]['remote-subnet']); - } elseif (isset($config['ipsec']['phase1'][$p1index]['remote-subnet'])) { - $pconfig['remotenet'] = $config['ipsec']['phase1'][$p1index]['remote-subnet']; - } + $pconfig['remotebits'] = null; + $pconfig['remotenet'] = null ; + if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) { + list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $config['ipsec']['phase1'][$p1index]['remote-subnet']); + } elseif (isset($config['ipsec']['phase1'][$p1index]['remote-subnet'])) { + $pconfig['remotenet'] = $config['ipsec']['phase1'][$p1index]['remote-subnet']; + } - if (isset($config['ipsec']['phase1'][$p1index]['mobile'])) { - $pconfig['mobile'] = true; - } - } else { - /* defaults new */ - if (isset($config['interfaces']['lan'])) { - 
$pconfig['localnet'] = "lan"; - } - $pconfig['mode'] = "aggressive"; - $pconfig['protocol'] = "inet"; - $pconfig['myid_type'] = "myaddress"; - $pconfig['peerid_type'] = "peeraddress"; - $pconfig['authentication_method'] = "pre_shared_key"; - $pconfig['encryption-algorithm'] = array("name" => "3des") ; - $pconfig['hash-algorithm'] = "sha1"; - $pconfig['dhgroup'] = "2"; - $pconfig['lifetime'] = "28800"; - $pconfig['nat_traversal'] = "on"; - $pconfig['iketype'] = "ikev1"; - - /* mobile client */ - if (isset($_GET['mobile'])) { - $pconfig['mobile']=true; - } - // init empty - foreach (explode(",", $phase1_fields) as $fieldname) { - $fieldname = trim($fieldname); - if (!isset($pconfig[$fieldname])) { - $pconfig[$fieldname] = null; - } - } - - } + if (isset($config['ipsec']['phase1'][$p1index]['mobile'])) { + $pconfig['mobile'] = true; + } + } else { + /* defaults new */ + if (isset($config['interfaces']['lan'])) { + $pconfig['localnet'] = "lan"; + } + $pconfig['mode'] = "aggressive"; + $pconfig['protocol'] = "inet"; + $pconfig['myid_type'] = "myaddress"; + $pconfig['peerid_type'] = "peeraddress"; + $pconfig['authentication_method'] = "pre_shared_key"; + $pconfig['encryption-algorithm'] = array("name" => "3des") ; + $pconfig['hash-algorithm'] = "sha1"; + $pconfig['dhgroup'] = "2"; + $pconfig['lifetime'] = "28800"; + $pconfig['nat_traversal'] = "on"; + $pconfig['iketype'] = "ikev1"; + /* mobile client */ + if (isset($_GET['mobile'])) { + $pconfig['mobile']=true; + } + // init empty + foreach (explode(",", $phase1_fields) as $fieldname) { + $fieldname = trim($fieldname); + if (!isset($pconfig[$fieldname])) { + $pconfig[$fieldname] = null; + } + } + } } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { - $a_phase1 = &$config['ipsec']['phase1']; - if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) { - $p1index = $_POST['p1index']; - } - $input_errors = array(); - $pconfig = $_POST; - $old_ph1ent = $a_phase1[$p1index]; + $a_phase1 = &$config['ipsec']['phase1']; 
+ if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) { + $p1index = $_POST['p1index']; + } + $input_errors = array(); + $pconfig = $_POST; + $old_ph1ent = $a_phase1[$p1index]; - // Preperations to kill some settings which aren't left empty by the field. - // Unset ca and cert if not required to avoid storing in config - if ($pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server") { - unset($pconfig['caref']); - unset($pconfig['certref']); - } - // unset dpd on post - if (!isset($pconfig['dpd_enable'])) { - unset($pconfig['dpd_delay']); - unset($pconfig['dpd_maxfail']); - } + // Preperations to kill some settings which aren't left empty by the field. + // Unset ca and cert if not required to avoid storing in config + if ($pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server") { + unset($pconfig['caref']); + unset($pconfig['certref']); + } + // unset dpd on post + if (!isset($pconfig['dpd_enable'])) { + unset($pconfig['dpd_delay']); + unset($pconfig['dpd_maxfail']); + } - /* My identity */ - if ($pconfig['myid_type'] == "myaddress") { - $pconfig['myid_data'] = ""; - } - /* Peer identity */ - if ($pconfig['myid_type'] == "peeraddress") { - $pconfig['peerid_data'] = ""; - } + /* My identity */ + if ($pconfig['myid_type'] == "myaddress") { + $pconfig['myid_data'] = ""; + } + /* Peer identity */ + if ($pconfig['myid_type'] == "peeraddress") { + $pconfig['peerid_data'] = ""; + } - /* input validation */ - $method = $pconfig['authentication_method']; + /* input validation */ + $method = $pconfig['authentication_method']; - // Only require PSK here for normal PSK tunnels (not mobile) or xauth. - // For RSA methods, require the CA/Cert. 
- switch ($method) { - case "eap-tls": - if ($pconfig['iketype'] != 'ikev2') { - $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); - } - break; - case "pre_shared_key": - // If this is a mobile PSK tunnel the user PSKs go on - // the PSK tab, not here, so skip the check. - if ($pconfig['mobile']) { - break; - } - case "xauth_psk_server": - $reqdfields = explode(" ", "pre-shared-key"); - $reqdfieldsn = array(gettext("Pre-Shared Key")); - break; - case "hybrid_rsa_server": - case "xauth_rsa_server": - case "rsasig": - $reqdfields = explode(" ", "caref certref"); - $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); - break; - } - if (empty($pconfig['mobile'])) { - $reqdfields[] = "remote-gateway"; - $reqdfieldsn[] = gettext("Remote gateway"); - } + // Only require PSK here for normal PSK tunnels (not mobile) or xauth. + // For RSA methods, require the CA/Cert. + switch ($method) { + case "eap-tls": + if ($pconfig['iketype'] != 'ikev2') { + $input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); + } + break; + case "pre_shared_key": + // If this is a mobile PSK tunnel the user PSKs go on + // the PSK tab, not here, so skip the check. 
+ if ($pconfig['mobile']) { + break; + } + case "xauth_psk_server": + $reqdfields = explode(" ", "pre-shared-key"); + $reqdfieldsn = array(gettext("Pre-Shared Key")); + break; + case "hybrid_rsa_server": + case "xauth_rsa_server": + case "rsasig": + $reqdfields = explode(" ", "caref certref"); + $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); + break; + } + if (empty($pconfig['mobile'])) { + $reqdfields[] = "remote-gateway"; + $reqdfieldsn[] = gettext("Remote gateway"); + } - do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); - if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) { - $input_errors[] = gettext("The P1 lifetime must be an integer."); - } + if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) { + $input_errors[] = gettext("The P1 lifetime must be an integer."); + } - if (!empty($pconfig['remote-gateway'])) { - if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) { - $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); - } elseif (is_ipaddrv4($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet")) - $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6"); - elseif (is_ipaddrv6($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet6")) - $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4"); - } + if (!empty($pconfig['remote-gateway'])) { + if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) { + $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); + } elseif (is_ipaddrv4($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet")) { + $input_errors[] = gettext("A valid remote gateway IPv4 
address must be specified or you need to change protocol to IPv6"); + } elseif (is_ipaddrv6($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet6")) { + $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4"); + } + } - if ((!empty($pconfig['remote-gateway']) && is_ipaddr($pconfig['remote-gateway']) && !isset($pconfig['disabled']) )) { - $t = 0; - foreach ($a_phase1 as $ph1tmp) { - if ($p1index <> $t) { - if (isset($ph1tmp['remote-gateway']) && $ph1tmp['remote-gateway'] == $pconfig['remote-gateway'] && !isset($ph1tmp['disabled'])) { - $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $pconfig['remote-gateway'], $ph1tmp['descr']); - } - } - $t++; - } - } + if ((!empty($pconfig['remote-gateway']) && is_ipaddr($pconfig['remote-gateway']) && !isset($pconfig['disabled']) )) { + $t = 0; + foreach ($a_phase1 as $ph1tmp) { + if ($p1index <> $t) { + if (isset($ph1tmp['remote-gateway']) && $ph1tmp['remote-gateway'] == $pconfig['remote-gateway'] && !isset($ph1tmp['disabled'])) { + $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $pconfig['remote-gateway'], $ph1tmp['descr']); + } + } + $t++; + } + } - if (count($config['ipsec']['phase2'])) { - foreach ($config['ipsec']['phase2'] as $phase2) { - if ($phase2['ikeid'] == $pconfig['ikeid']) { - if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) { - $input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4."); - break; - } - if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) { - $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6."); - break; - } - } - } - } + if (count($config['ipsec']['phase2'])) { + foreach ($config['ipsec']['phase2'] as $phase2) { + if ($phase2['ikeid'] == $pconfig['ikeid']) { + if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) { + 
$input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4."); + break; + } + if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) { + $input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6."); + break; + } + } + } + } - if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter an address for 'My Identifier'"); - } + if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter an address for 'My Identifier'"); + } - if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); - } + if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'"); + } - if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); - } + if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'"); + } - if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); - } + if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'"); + } - if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") { - $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); - } + if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "") { + $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'"); + } - if ((($pconfig['myid_type'] == 
"address") && !is_ipaddr($pconfig['myid_data']))) { - $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified."); - } + if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) { + $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified."); + } - if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) { - $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified."); - } + if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) { + $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified."); + } - if ($pconfig['myid_type'] == "fqdn") { - if (is_domain($pconfig['myid_data']) == false) { - $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified."); - } - } + if ($pconfig['myid_type'] == "fqdn") { + if (is_domain($pconfig['myid_data']) == false) { + $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified."); + } + } - if ($pconfig['myid_type'] == "user_fqdn") { - $user_fqdn = explode("@", $pconfig['myid_data']); - if (is_domain($user_fqdn[1]) == false) { - $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."); - } - } + if ($pconfig['myid_type'] == "user_fqdn") { + $user_fqdn = explode("@", $pconfig['myid_data']); + if (is_domain($user_fqdn[1]) == false) { + $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified."); + } + } - if ($pconfig['myid_type'] == "dyn_dns") { - if (is_domain($pconfig['myid_data']) == false) { - $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified."); - } - } + if ($pconfig['myid_type'] == "dyn_dns") { + if (is_domain($pconfig['myid_data']) == false) { + $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified."); + } + } - // 
Only enforce peer ID if we are not dealing with a pure-psk mobile config. - if (!(($pconfig['authentication_method'] == "pre_shared_key") && !empty($pconfig['mobile']))) { - if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); - } - if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); - } - if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); - } - if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") { - $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); - } - if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) { - $input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified."); - } - if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) { - $input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified."); - } - if ($pconfig['peerid_type'] == "fqdn") { - if (is_domain($pconfig['peerid_data']) == false) { - $input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified."); - } - } - if ($pconfig['peerid_type'] == "user_fqdn") { - $user_fqdn = explode("@", $pconfig['peerid_data']); - if (is_domain($user_fqdn[1]) == false) { - $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."); - } - } - } + // Only enforce peer ID if we are not dealing with a pure-psk mobile config. 
+ if (!(($pconfig['authentication_method'] == "pre_shared_key") && !empty($pconfig['mobile']))) { + if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter an address for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'"); + } + if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") { + $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'"); + } + if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) { + $input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified."); + } + if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) { + $input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified."); + } + if ($pconfig['peerid_type'] == "fqdn") { + if (is_domain($pconfig['peerid_data']) == false) { + $input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified."); + } + } + if ($pconfig['peerid_type'] == "user_fqdn") { + $user_fqdn = explode("@", $pconfig['peerid_data']); + if (is_domain($user_fqdn[1]) == false) { + $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified."); + } + } + } - if (!empty($pconfig['dpd_enable'])) { - if (!is_numeric($pconfig['dpd_delay'])) { - $input_errors[] = gettext("A numeric value must be specified for DPD delay."); - } - if (!is_numeric($pconfig['dpd_maxfail'])) { - $input_errors[] = gettext("A numeric value must be specified for DPD retries."); - } - } + if (!empty($pconfig['dpd_enable'])) { + if 
(!is_numeric($pconfig['dpd_delay'])) { + $input_errors[] = gettext("A numeric value must be specified for DPD delay."); + } + if (!is_numeric($pconfig['dpd_maxfail'])) { + $input_errors[] = gettext("A numeric value must be specified for DPD retries."); + } + } - if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") { - $input_errors[] = gettext("Valid arguments for IKE type is v1 or v2"); - } + if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2") { + $input_errors[] = gettext("Valid arguments for IKE type is v1 or v2"); + } - /* build our encryption algorithms array */ - if (!isset($pconfig['encryption-algorithm']) || !is_array($pconfig['encryption-algorithm'])) { - $pconfig['encryption-algorithm'] = array(); - } - $pconfig['encryption-algorithm']['name'] = $pconfig['ealgo']; - if (!empty($pconfig['ealgo_keylen'])) { - $pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen']; - } + /* build our encryption algorithms array */ + if (!isset($pconfig['encryption-algorithm']) || !is_array($pconfig['encryption-algorithm'])) { + $pconfig['encryption-algorithm'] = array(); + } + $pconfig['encryption-algorithm']['name'] = $pconfig['ealgo']; + if (!empty($pconfig['ealgo_keylen'])) { + $pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen']; + } - if (count($input_errors) == 0) { - $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data - ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup - ,lifetime,pre-shared-key,certref,caref,authentication_method,descr - ,nat_traversal"; + if (count($input_errors) == 0) { + $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data + ,peerid_type,peerid_data,encryption-algorithm,hash-algorithm,dhgroup + ,lifetime,pre-shared-key,certref,caref,authentication_method,descr + ,nat_traversal"; - foreach (explode(",",$copy_fields) as $fieldname) { - $fieldname = 
trim($fieldname); - if(!empty($pconfig[$fieldname])) { - $ph1ent[$fieldname] = $pconfig[$fieldname]; - } - } + foreach (explode(",",$copy_fields) as $fieldname) { + $fieldname = trim($fieldname); + if(!empty($pconfig[$fieldname])) { + $ph1ent[$fieldname] = $pconfig[$fieldname]; + } + } - $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; - $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null; - if (!empty($pconfig['mobile'])) { - $ph1ent['mobile'] = true; - } else { - $ph1ent['remote-gateway'] = $pconfig['remote-gateway']; - } - if (isset($pconfig['reauth_enable'])) { - $ph1ent['reauth_enable'] = true; - } - if (isset($pconfig['rekey_enable'])) { - $ph1ent['rekey_enable'] = true; - } + $ph1ent['disabled'] = !empty($pconfig['disabled']) ? true : false; + $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null; + if (!empty($pconfig['mobile'])) { + $ph1ent['mobile'] = true; + } else { + $ph1ent['remote-gateway'] = $pconfig['remote-gateway']; + } + if (isset($pconfig['reauth_enable'])) { + $ph1ent['reauth_enable'] = true; + } + if (isset($pconfig['rekey_enable'])) { + $ph1ent['rekey_enable'] = true; + } - if (isset($pconfig['dpd_enable'])) { - $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; - $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; - } + if (isset($pconfig['dpd_enable'])) { + $ph1ent['dpd_delay'] = $pconfig['dpd_delay']; + $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail']; + } - /* generate unique phase1 ikeid */ - if ($ph1ent['ikeid'] == 0) { - $ph1ent['ikeid'] = ipsec_ikeid_next(); - } + /* generate unique phase1 ikeid */ + if ($ph1ent['ikeid'] == 0) { + $ph1ent['ikeid'] = ipsec_ikeid_next(); + } - if (isset($p1index) && isset($a_phase1[$p1index])) { - $a_phase1[$p1index] = $ph1ent; - } else { - $a_phase1[] = $ph1ent; - } + if (isset($p1index) && isset($a_phase1[$p1index])) { + $a_phase1[$p1index] = $ph1ent; + } else { + $a_phase1[] = $ph1ent; + } - /* 
if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ - if ($pconfig['interface'] <> "wan") { - if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) { - mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}"); - } - } + /* if the remote gateway changed and the interface is not WAN then remove route */ + /* the vpn_ipsec_configure() handles adding the route */ + if ($pconfig['interface'] <> "wan") { + if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) { + mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}"); + } + } - write_config(); - mark_subsystem_dirty('ipsec'); + write_config(); + mark_subsystem_dirty('ipsec'); - header("Location: vpn_ipsec.php"); - exit; - } + header("Location: vpn_ipsec.php"); + exit; + } } if (!empty($pconfig['mobile'])) { 
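Review bot: The "Peer identity" reset in the POST branch compares the wrong field: `if ($pconfig['myid_type'] == "peeraddress")` can never be true (that value belongs to the peer selector), so `peerid_data` is never cleared and a stale identifier is written to the config; it should read `if ($pconfig['peerid_type'] == "peeraddress") { $pconfig['peerid_data'] = ""; }`. Separately, `$old_ph1ent['remote-gateway']` is interpolated unescaped into `mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}")`; that value was validated as an IP or domain on the earlier save, but wrapping it in `escapeshellarg()` would keep the route cleanup safe against a hand-edited or imported config. The GET branch also tests `isset($a_phase1[$p1index]['remote-subnet'])` while every other access there uses `$config['ipsec']['phase1']`, and `$a_phase1` is only assigned in the POST branch, so unless it is set above the hunk the `remote-subnet` split never runs when loading an entry. The request-handling block continues past the end of the hunk.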
@@ -435,156 +434,156 @@ include("head.inc");
 $( document ).ready(function() {
- // old js code..
- myidsel_change();
- peeridsel_change();
- methodsel_change();
- ealgosel_change();
- dpdchkbox_change();
+ // old js code..
+ myidsel_change();
+ peeridsel_change();
+ methodsel_change();
+ ealgosel_change();
+ dpdchkbox_change();
 });
 function myidsel_change() {
- if ($("#myid_type").val() == 'myaddress') {
- $("#myid_data").removeClass('show');
- $("#myid_data").addClass('hidden');
- } else {
- $("#myid_data").removeClass('hidden');
- $("#myid_data").addClass('show');
- }
+ if ($("#myid_type").val() == 'myaddress') {
+ $("#myid_data").removeClass('show');
+ $("#myid_data").addClass('hidden');
+ } else {
+ $("#myid_data").removeClass('hidden');
+ $("#myid_data").addClass('show');
+ }
 }
 function peeridsel_change() {
- if ($("#peerid_type").val() == 'peeraddress') {
- $("#peerid_data").removeClass('show');
- $("#peerid_data").addClass('hidden');
- } else {
- $("#peerid_data").removeClass('hidden');
- $("#peerid_data").addClass('show');
- }
+ if ($("#peerid_type").val() == 'peeraddress') {
+ $("#peerid_data").removeClass('show');
+ $("#peerid_data").addClass('hidden');
+ } else {
+ $("#peerid_data").removeClass('hidden');
+ $("#peerid_data").addClass('show');
+ }
 }
 function methodsel_change() {
- index = document.iform.authentication_method.selectedIndex;
- value = document.iform.authentication_method.options[index].value;
+ index = document.iform.authentication_method.selectedIndex;
+ value = document.iform.authentication_method.options[index].value;
- switch (value) {
- case 'eap-tls':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
- case 'hybrid_rsa_server':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
- case 'xauth_rsa_server':
- case 'rsasig':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = '';
- document.getElementById('opt_ca').style.display = '';
- document.getElementById('opt_cert').disabled = false;
- document.getElementById('opt_ca').disabled = false;
- break;
+ switch (value) {
+ case 'eap-tls':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
+ case 'hybrid_rsa_server':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
+ case 'xauth_rsa_server':
+ case 'rsasig':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = '';
+ document.getElementById('opt_ca').style.display = '';
+ document.getElementById('opt_cert').disabled = false;
+ document.getElementById('opt_ca').disabled = false;
+ break;
- case 'pre_shared_key':
- document.getElementById('opt_psk').style.display = 'none';
- document.getElementById('opt_peerid').style.display = 'none';
- document.getElementById('opt_cert').style.display = 'none';
- document.getElementById('opt_ca').style.display = 'none';
- document.getElementById('opt_cert').disabled = true;
- document.getElementById('opt_ca').disabled = true;
- break;
+ case 'pre_shared_key':
+ document.getElementById('opt_psk').style.display = 'none';
+ document.getElementById('opt_peerid').style.display = 'none';
+ document.getElementById('opt_cert').style.display = 'none';
+ document.getElementById('opt_ca').style.display = 'none';
+ document.getElementById('opt_cert').disabled = true;
+ document.getElementById('opt_ca').disabled = true;
+ break;
- default: /* psk modes*/
- document.getElementById('opt_psk').style.display = '';
- document.getElementById('opt_peerid').style.display = '';
- document.getElementById('opt_cert').style.display = 'none';
- document.getElementById('opt_ca').style.display = 'none';
- document.getElementById('opt_cert').disabled = true;
- document.getElementById('opt_ca').disabled = true;
- break;
- }
+ default: /* psk modes*/
+ document.getElementById('opt_psk').style.display = '';
+ document.getElementById('opt_peerid').style.display = '';
+ document.getElementById('opt_cert').style.display = 'none';
+ document.getElementById('opt_ca').style.display = 'none';
+ document.getElementById('opt_cert').disabled = true;
+ document.getElementById('opt_ca').disabled = true;
+ break;
+ }
 }
 /* PHP generated java script for variable length keys */
 function ealgosel_change(bits) {
- switch (document.iform.ealgo.selectedIndex) {
+ switch (document.iform.ealgo.selectedIndex) {
 $algodata) {
 if (isset($algodata['keysel']) && is_array($algodata['keysel'])) {
- echo " case {$i}:\n";
- echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
- echo " document.iform.ealgo_keylen.options.length = 0;\n";
- // echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
+ echo " document.iform.ealgo_keylen.options.length = 0;\n";
+ // echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";
 $key_hi = $algodata['keysel']['hi'];
 $key_lo = $algodata['keysel']['lo'];
 $key_step = $algodata['keysel']['step'];
 for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
+ echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
 }
- echo " break;\n";
+ echo " break;\n";
 } else {
- echo " case {$i}:\n";
- echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
- echo " document.iform.ealgo_keylen.options.length = 0;\n";
- echo " break;\n";
+ echo " case {$i}:\n";
+ echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
+ echo " document.iform.ealgo_keylen.options.length = 0;\n";
+ echo " break;\n";
 }
 $i++;
 }
 ?>
- }
+ }
- if( bits )
- document.iform.ealgo_keylen.value = bits;
+ if( bits )
+ document.iform.ealgo_keylen.value = bits;
 }
 function dpdchkbox_change() {
- if( document.iform.dpd_enable.checked )
- document.getElementById('opt_dpd').style.display = '';
- else
- document.getElementById('opt_dpd').style.display = 'none';
+ if( document.iform.dpd_enable.checked )
+ document.getElementById('opt_dpd').style.display = '';
+ else
+ document.getElementById('opt_dpd').style.display = 'none';
- if (!document.iform.dpd_delay.value)
- document.iform.dpd_delay.value = "10";
+ if (!document.iform.dpd_delay.value)
+ document.iform.dpd_delay.value = "10";
- if (!document.iform.dpd_maxfail.value)
- document.iform.dpd_maxfail.value = "5";
+ if (!document.iform.dpd_maxfail.value)
+ document.iform.dpd_maxfail.value = "5";
 }
 //]]>
-
-
+
+
0) { print_input_errors($input_errors); } ?> -
+
-
-
-
- - - - - - - -
- - -
- /> - - - - +
+
+ +
+
+
+