lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-15 09:04:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #788 from opnsense/plugins

Browse Source 
vpn: split off PPTP, L2TP and PPPoE servers
This commit is contained in:
Ad Schellevis 2016-02-22 10:09:18 +01:00
commit eda621c577
45 changed files with 1885 additions and 1720 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/etc/inc/interfaces.inc
View File

@ -1183,7 +1183,7 @@ function interfaces_configure()
system_routing_configure();
/* reload IPsec tunnels */
vpn_ipsec_configure();
ipsec_configure();
/* reload dhcpd (interface enabled/disabled status may have changed) */
services_dhcpd_configure();
@ -3164,7 +3164,7 @@ function interface_configure($interface = 'wan', $reloadall = false, $linkupeven
system_routing_configure($interface);
/* reload ipsec tunnels */
vpn_ipsec_configure();
ipsec_configure();
/* restart dnsmasq or unbound */
if (isset($config['dnsmasq']['enable'])) {

930
src/etc/inc/ipsec.inc
View File

@ -1,8 +1,9 @@
<?php
/*
Copyright (C) 2007 Scott Ullrich
Copyright (C) 2008 Shrew Soft Inc
Copyright (C) 2008 Ermal Luçi
Copyright (C) 2004-2007 Scott Ullrich
Copyright (C) 2003-2004 Manuel Kasper
All rights reserved.
@ -397,4 +398,929 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) {
}
return array($thisid_type, $thisid_data);
}
?>
/* include all configuration functions */
function ipsec_convert_to_modp($index)
{
$convertion = "";
switch ($index) {
case '1':
$convertion = "modp768";
break;
case '2':
$convertion = "modp1024";
break;
case '5':
$convertion = "modp1536";
break;
case '14':
$convertion = "modp2048";
break;
case '15':
$convertion = "modp3072";
break;
case '16':
$convertion = "modp4096";
break;
case '17':
$convertion = "modp6144";
break;
case '18':
$convertion = "modp8192";
break;
}
return $convertion;
}
function ipsec_configure()
{
global $config, $p2_ealgos, $ipsec_loglevels;
/* get the automatic ping_hosts.sh ready */
@unlink('/var/db/ipsecpinghosts');
touch('/var/db/ipsecpinghosts');
// Prefer older IPsec SAs (advanced setting)
if (isset($config['ipsec']['preferoldsa'])) {
set_single_sysctl("net.key.preferred_oldsa", "-30");
} else {
set_single_sysctl("net.key.preferred_oldsa", "0");
}
$syscfg = $config['system'];
$ipseccfg = $config['ipsec'];
$a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array();
$a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array();
$a_client = isset($config['ipsec']['client']) ? $config['ipsec']['client'] : array();
$aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true
if (!isset($ipseccfg['enable'])) {
/* try to stop charon */
mwexec('/usr/local/sbin/ipsec stop');
/* Stop dynamic monitoring */
killbypid('/var/run/filterdns-ipsec.pid');
/* wait for process to die */
sleep(2);
/* disallow IPSEC, it is off */
mwexec("/sbin/ifconfig enc0 down");
set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
return 0;
} else {
$certpath = "/usr/local/etc/ipsec.d/certs";
$capath = "/usr/local/etc/ipsec.d/cacerts";
$keypath = "/usr/local/etc/ipsec.d/private";
mwexec("/sbin/ifconfig enc0 up");
set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
/* needed directories for config files */
@mkdir($capath);
@mkdir($keypath);
@mkdir($certpath);
@mkdir('/usr/local/etc/ipsec.d');
@mkdir('/usr/local/etc/ipsec.d/crls');
@mkdir('/usr/local/etc/ipsec.d/aacerts');
@mkdir('/usr/local/etc/ipsec.d/acerts');
@mkdir('/usr/local/etc/ipsec.d/ocspcerts');
@mkdir('/usr/local/etc/ipsec.d/reqs');
if (file_exists("/var/run/booting")) {
echo gettext("Configuring IPsec VPN... ");
}
/* fastforwarding is not compatible with ipsec tunnels */
set_single_sysctl("net.inet.ip.fastforwarding", "0");
/* resolve all local, peer addresses and setup pings */
$ipmap = array();
$rgmap = array();
$filterdns_list = array();
$ipsecpinghosts = "";
/* step through each phase1 entry */
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true;
}
$ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep)) {
continue;
}
if(!in_array($ep,$ipmap)) {
$ipmap[] = $ep;
}
/* see if this tunnel has a hostname for the remote-gateway. If so,
try to resolve it now and add it to the list for filterdns */
if (isset ($ph1ent['mobile'])) {
continue;
}
$rg = $ph1ent['remote-gateway'];
if (!is_ipaddr($rg)) {
$filterdns_list[] = "{$rg}";
add_hostname_to_watch($rg);
if(! file_exists("/var/run/booting")) {
$rg = resolve_retry($rg);
}
if (!is_ipaddr($rg)) {
continue;
}
}
if(array_search($rg, $rgmap)) {
log_error("The remote gateway {$rg} already exists on another phase 1 entry");
continue;
}
$rgmap[$ph1ent['remote-gateway']] = $rg;
/* step through each phase2 entry */
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) {
continue;
}
if ($ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
/* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) {
if (!isset($iflist) || !is_array($iflist)) {
$iflist = get_configured_interface_list();
}
$viplist = get_configured_vips_list();
$srcip = null;
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if(is_ipaddrv6($ph2ent['pinghost'])) {
foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ipv6($ifent);
if (!is_ipaddrv6($interface_ip)) {
continue;
}
if (ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
} else {
foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ip($ifent);
if (!is_ipaddrv4($interface_ip)) {
continue;
}
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
}
/* if no valid src IP was found in configured interfaces, try the vips */
if (is_null($srcip)) {
foreach ($viplist as $vip) {
if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
$srcip = $vip['ipaddr'];
break;
}
}
}
$dstip = $ph2ent['pinghost'];
if(is_ipaddrv6($dstip)) {
$family = "inet6";
} else {
$family = "inet";
}
if (is_ipaddr($srcip)) {
$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
}
}
}
@file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts);
$cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
}
$strongswan = <<<EOD
#Automatically generated please do not modify
starter {
load_warning = no
}
charon {
# number of worker threads in charon
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000;
{$cnf_add_to_charon_section}
# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
syslog {
identifier = charon
# default level to the LOG_DAEMON facility
daemon {
}
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
default = -1
ike = 1
ike_name = yes
}
}
EOD;
$strongswan .= "\tplugins {\n";
if (isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$cfgservers = array();
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
if (!empty($a_client[$dns_server])) {
$cfgservers[] = $a_client[$dns_server];
}
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
$cfgservers = array();
if (!empty($a_client['wins_server1'])) {
$cfgservers[] = $a_client['wins_server1'];
}
if (!empty($a_client['wins_server2'])) {
$cfgservers[] = $a_client['wins_server2'];
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
if (isset($a_client['net_list'])) {
$net_list = '';
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled'])) {
continue;
}
if (!isset($ph2ent['mobile'])) {
continue;
}
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (!empty($net_list)) {
$net_list .= ",";
}
$net_list .= $localid;
}
if (!empty($net_list)) {
$strongswan .= "\t\tsplit-include = {$net_list}\n";
unset($net_list);
}
}
if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
}
$strongswan .= "\n";
}
if (!empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
}
if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
}
if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = yes\n";
}
if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
}
$strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") {
$strongswan .= "\txauth-generic {\n";
$strongswan .= "\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) {
if ($firstsed > 0) {
$strongswan .= ",";
}
if ($authcfg == "system") {
$authcfg = "Local Database";
}
$strongswan .= $authcfg;
$firstsed = 1;
}
$strongswan .= "\n";
$strongswan .= "\t}\n";
}
}
$strongswan .= "\t}\n}\n";
@file_put_contents("/usr/local/etc/strongswan.conf", $strongswan);
unset($strongswan);
/* generate CA certificates files */
if (isset($config['ca'])) {
foreach ($config['ca'] as $ca) {
if (!isset($ca['crt'])) {
log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
continue;
}
$cert = base64_decode($ca['crt']);
$x509cert = openssl_x509_parse(openssl_x509_read($cert));
if (!is_array($x509cert) || !isset($x509cert['hash'])) {
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
continue;
}
$fname = "{$capath}/{$x509cert['hash']}.0.crt";
if (!@file_put_contents($fname, $cert)) {
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
continue;
}
unset($cert);
}
}
$pskconf = "";
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
if (!empty($ph1ent['certref'])) {
$cert = lookup_cert($ph1ent['certref']);
if (empty($cert)) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue;
}
@chmod($certpath, 0600);
$ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key";
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
continue;
}
@chmod($ph1keyfile, 0600);
$ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt";
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
@unlink($ph1keyfile);
continue;
}
@chmod($ph1certfile, 0600);
/* XXX" Traffic selectors? */
$pskconf .= " : RSA {$ph1keyfile}\n";
} else {
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
if (empty($peerid_data)) {
continue;
}
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
}
}
/* Add user PSKs */
if (isset($config['system']['user']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) {
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
}
}
unset($user);
}
/* add PSKs for mobile clients */
if (isset($ipseccfg['mobilekey'])) {
foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers") {
$key['ident'] = '';
}
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
unset($key);
}
@file_put_contents("/usr/local/etc/ipsec.secrets", $pskconf);
chmod("/usr/local/etc/ipsec.secrets", 0600);
unset($pskconf);
$natfilterrules = false;
/* begin ipsec.conf */
$ipsecconf = "";
if (count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
// parse debug tags
$cfg_loglevels = array();
if (isset($ipsec_loglevels)) {
foreach ($ipsec_loglevels as $lkey => $ldescr) {
if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
$cfg_loglevels[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) ;
}
}
}
$ipsecconf .= "\tcharondebug=\"" .implode(',', $cfg_loglevels) . "\"\n";
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled'])) {
continue;
}
if ($ph1ent['mode'] == "aggressive") {
$aggressive = "yes";
} else {
$aggressive = "no";
}
$ep = ipsec_get_phase1_src($ph1ent);
if (empty($ep)) {
continue;
}
$keyexchange = "ikev1";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2";
}
if (isset($ph1ent['mobile'])) {
$right_spec = "%any";
} else {
$right_spec = $ph1ent['remote-gateway'];
}
if (!empty($ph1ent['auto'])) {
$conn_auto = $ph1ent['auto'];
} elseif (isset($ph1ent['mobile'])) {
$conn_auto = 'add';
} else {
$conn_auto = 'route';
}
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile'])) {
$peerid_spec = $peerid_data;
}
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealg_id = $ph1ent['encryption-algorithm']['name'];
if (isset($ph1ent['encryption-algorithm']['keylen'])){
$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
} else {
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
}
$modp = ipsec_convert_to_modp($ph1ent['dhgroup']);
if (!empty($modp)) {
$ealgosp1 .= "-{$modp}";
}
$ealgosp1 .= "!";
}
if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) {
if ($conn_auto == "route") {
$dpdline = "dpdaction = restart";
} else {
$dpdline = "dpdaction = clear";
}
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
} else {
$dpdline = "dpdaction = none";
}
if (!empty($ph1ent['lifetime'])) {
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
} else {
$ikelifeline = '';
}
$rightsourceip = NULL;
if (!empty($a_client['pool_address']) && isset($ph1ent['mobile']) ) {
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$authentication = "";
switch ($ph1ent['authentication_method']) {
case 'eap-tls':
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'xauth_psk_server':
$authentication = "leftauth = psk\n\trightauth = psk";
$authentication .= "\n\trightauth2 = xauth-generic";
break;
case 'pre_shared_key':
$authentication = "leftauth = psk\n\trightauth = psk";
break;
case 'rsasig':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
break;
case 'hybrid_rsa_server':
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
$authentication .= "\n\trightauth2 = xauth";
break;
}
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
if (!empty($ph1ent['caref'])) {
$ca = lookup_ca($ph1ent['caref']);;
if (!empty($ca)) {
$rightca = "";
foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
$rightca .= "{$ca_field['a']}={$ca_field['v']}/";
}
$authentication .= "\n\trightca=\"/$rightca\"";
}
}
$left_spec = $ep;
if (isset($ph1ent['reauth_enable'])) {
$reauth = "reauth = no";
} else {
$reauth = "reauth = yes";
}
if (isset($ph1ent['rekey_enable'])) {
$rekey = "rekey = no";
} else {
$rekey = "rekey = yes";
}
$forceencaps = 'forceencaps = no' ;
if (!empty($ph1ent['nat_traversal']) && $ph1ent['nat_traversal'] == 'force') {
$forceencaps = 'forceencaps = yes';
}
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
$ealgoAHsp2arr = array();
$ealgoESPsp2arr = array();
if (count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) {
if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue;
}
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
continue;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel";
$localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
if (($localid_type == "none" || $localid_type == "mobile")
&& isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) {
$left_spec = '%any';
} else {
if ($localid_type != "address") {
$localid_type = "subnet";
}
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
continue;
}
if (!empty($ph2ent['natlocalid'])) {
$natfilterrules = true;
}
}
$leftsubnet_spec[] = $leftsubnet_data;
if (!isset($ph2ent['mobile'])) {
$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
$rightsubnet_spec[] = $tmpsubnet;
} else if (!empty($a_client['pool_address'])) {
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
}
} else {
$tunneltype = "type = transport";
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
$left_spec = "%any";
} else {
$tmpsubnet = ipsec_get_phase1_src($ph1ent);
$leftsubnet_spec[] = $tmpsubnet;
}
if (!isset($ph2ent['mobile'])) {
$rightsubnet_spec[] = $right_spec;
}
}
if (isset($a_client['pfs_group'])) {
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
}
if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') {
$ealgoESPsp2arr_details = array();
if (is_array($ph2ent['encryption-algorithm-option'])) {
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
$ealg_id = $ealg['name'];
if (isset($ealg['keylen'])) {
$ealg_kl = $ealg['keylen'];
} else {
$ealg_kl = null;
}
if ($ealg_kl == "auto") {
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
/* XXX: in some cases where include ordering is suspect these variables
* are somehow 0 and we enter this loop forever and timeout after 900
* seconds wrecking bootup */
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr_details[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$keylen}";
$modp = ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr_details[] = $tmpealgo;
}
}
}
} else {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr_details[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$ealg_kl}";
$modp = ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr_details[] = $tmpealgo;
}
}
}
}
$ealgoESPsp2arr[] = $ealgoESPsp2arr_details;
} else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') {
$ealgoAHsp2arr_details = array();
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
$modp = ipsec_convert_to_modp($ph2ent['pfsgroup']);
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
if (!empty($modp)) {
$tmpAHalgo = "-{$modp}";
}
$ealgoAHsp2arr_details[] = $tmpAHalgo;
}
}
$ealgoAHsp2arr[] = $ealgoAHsp2arr_details;
}
if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
$ipseclifetime = intval($ph2ent['lifetime']);
}
}
}
}
$connEntry =<<<EOD
conn con<<connectionId>>
aggressive = {$aggressive}
fragmentation = yes
keyexchange = {$keyexchange}
{$reauth}
{$rekey}
{$forceencaps}
installpolicy = yes
{$tunneltype}
{$dpdline}
auto = {$conn_auto}
left = {$left_spec}
right = {$right_spec}
leftid = {$myid_data}
{$ikelifeline}
EOD;
if ($ipseclifetime > 0) {
$connEntry .= "\tlifetime = {$ipseclifetime}s\n";
}
if (!empty($rightsourceip)) {
$connEntry .= "{$rightsourceip}";
}
if (!empty($ealgosp1)) {
$connEntry .= "\t{$ealgosp1}\n";
}
if (!empty($authentication)) {
$connEntry .= "\t{$authentication}\n";
}
if (!empty($peerid_spec)) {
$connEntry .= "\trightid = {$peerid_spec}\n";
}
// append ipsec connections
if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
// ikev1 not mobile
for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) {
if (count($leftsubnet_spec) == 1) {
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}", $connEntry);
} else {
// suffix connection with sequence number
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
}
$tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ;
$tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
if (!empty($ealgoESPsp2arr[$idx])) {
$tmpconf .= "\tesp = " . join(',', $ealgoESPsp2arr[$idx]) . "!\n";
}
if (!empty($ealgoAHsp2arr[$idx])) {
$connEntry .= "\tah = " . join(',', $ealgoAHsp2arr[$idx]) . "!\n";
}
$ipsecconf .= $tmpconf;
}
} else {
// mobile and ikev2
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}", $connEntry);
if (!empty($rightsubnet_spec)) {
$tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
}
if (!empty($leftsubnet_spec)) {
$tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
}
// merge esp phase 2 arrays.
$esp_content = array();
foreach ($ealgoESPsp2arr as $ealgoESPsp2arr_details) {
foreach ($ealgoESPsp2arr_details as $esp_item) {
if (!in_array($esp_item, $esp_content)) {
$esp_content[] = $esp_item;
}
}
}
// merge ah phase 2 arrays.
$ah_content = array();
foreach ($ealgoAHsp2arr as $ealgoAHsp2arr_details) {
foreach ($ealgoAHsp2arr_details as $ah_item) {
if (!in_array($ah_item, $ah_content)) {
$ah_content[] = $ah_item;
}
}
}
if (!empty($esp_content)) {
$tmpconf .= "\tesp = " . join(',', $esp_content) . "!\n";
}
if (!empty($ah_content)) {
$tmpconf .= "\tah = " . join(',', $ah_content) . "!\n";
}
$ipsecconf .= $tmpconf;
}
}
}
}
// dump file, replace tabs for 2 spaces
@file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf));
unset($ipsecconf);
/* end ipsec.conf */
/* mange process */
if (isvalidpid('/var/run/charon.pid')) {
/* Read secrets */
mwexec('/usr/local/sbin/ipsec rereadall', false);
/* Update configuration changes */
mwexec('/usr/local/sbin/ipsec reload', false);
} else {
mwexec("/usr/local/sbin/ipsec start", false);
}
if ($natfilterrules == true) {
filter_configure();
}
/* start filterdns, if necessary */
if (count($filterdns_list) > 0) {
$interval = 60;
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
$interval = $ipseccfg['dns-interval'];
}
$hostnames = "";
array_unique($filterdns_list);
foreach ($filterdns_list as $hostname) {
$hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
}
file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
unset($hostnames);
if (isvalidpid('/var/run/filterdns-ipsec.pid')) {
killbypid('/var/run/filterdns-ipsec.pid', 'HUP');
} else {
mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1");
}
} else {
killbypid('/var/run/filterdns-ipsec.pid');
}
if (file_exists("/var/run/booting")) {
echo "done\n";
}
return count($filterdns_list);
}
/*
* Forcefully restart IPsec
* This is required for when dynamic interfaces reload
* For all other occasions the normal ipsec_configure()
* will gracefully reload the settings without restarting
*/
function ipsec_force_reload($interface = '')
{
global $config;
$ipseccfg = $config['ipsec'];
if (!empty($interface) && isset($ipseccfg['phase1']) && is_array($ipseccfg['phase1'])) {
$found = false;
foreach ($ipseccfg['phase1'] as $ipsec) {
if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) {
$found = true;
break;
}
}
if (!$found) {
log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
return;
}
}
/* if ipsec is enabled, start up again */
if (isset($ipseccfg['enable'])) {
log_error(gettext("Forcefully reloading IPsec"));
ipsec_configure();
}
}

82
src/etc/inc/plugins.inc Normal file
View File

@ -0,0 +1,82 @@
<?php
/*
* Copyright (C) 2016 Franco Fichtner <franco@opnsense.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function plugin_scan()
{
$path = '/usr/local/etc/inc/plugins.inc.d/';
$ext = '.inc';
$ret = array();
$plugins = glob($path . '*' . $ext);
if (!is_array($plugins)) {
return $ret;
}
sort($plugins);
foreach ($plugins as $plugin) {
$name = preg_replace('/' . preg_quote($path, '/') . '/', '', $plugin);
$name = preg_replace('/' . preg_quote($ext, '/') . '/', '', $name);
$ret[$name] = $plugin;
}
return $ret;
}
function plugins_services()
{
$services = array();
foreach (plugin_scan() as $name => $path) {
require_once $path;
$func = sprintf('%s_services', $name);
if (function_exists($func)) {
$workers = $func();
foreach ($workers as $work) {
$services[] = $work;
}
}
}
return $services;
}
function plugins_configure()
{
foreach (plugin_scan() as $name => $path) {
require_once $path;
$func = sprintf('%s_configure', $name);
if (function_exists($func)) {
$workers = $func();
foreach ($workers as $worker) {
$worker();
}
}
}
}

765
src/etc/inc/plugins.inc.d/vpn.inc Normal file
View File

@ -0,0 +1,765 @@
<?php
/*
* Coypright (C) 2016 Franco Fichtner <franco@opnsense.org>
* Copyright (C) 2008 Shrew Soft Inc
* Copyright (C) 2008 Ermal Luçi
* Copyright (C) 2004 Scott Ullrich
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function vpn_configure()
{
return array(
'vpn_pptpd_configure',
'vpn_pppoes_configure',
'vpn_l2tp_configure'
);
}
function vpn_services()
{
global $config;
$services = array();
if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] != 'off') {
$services[] = array(
'description' => gettext('PPTP Server'),
'pidfile' => '/var/run/pptp-vpn.pid',
'php' => array(
'restart' => array('vpn_pptpd_configure'),
'start' => array('vpn_pptpd_configure'),
),
'name' => 'pptpd',
);
}
if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] != 'off') {
$services[] = array(
'description' => gettext('L2TP Server'),
'pidfile' => '/var/run/l2tp-vpn.pid',
'php' => array(
'restart' => array('vpn_l2tp_configure'),
'start' => array('vpn_l2tp_configure'),
),
'name' => 'l2tpd',
);
}
if (isset($config['pppoes']['pppoe'])) {
foreach ($config['pppoes']['pppoe'] as $pppoecfg) {
if (isset($pppoecfg['mode']) || $pppoecfg['mode'] != 'off') {
$services[] = array(
'description' => gettext('PPPoE Server') . ': ' . htmlspecialchars($pppoecfg['descr']),
'php' => array(
'restart' => array('vpn_pppoe_configure_by_id'),
'start' => array('vpn_pppoe_configure_by_id'),
'args' => array('pppoeid'),
),
'pidfile' => "/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid",
'pppoeid' => $pppoecfg['pppoeid'],
'name' => 'pppoed',
);
}
}
}
return $services;
}
function vpn_netgraph_support() {
$iflist = get_configured_interface_list();
foreach ($iflist as $iface) {
$realif = get_real_interface($iface);
/* Get support for netgraph(4) from the nic */
$ifinfo = pfSense_get_interface_addresses($realif);
if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) {
pfSense_ngctl_attach(".", $realif);
}
}
}
function vpn_pptpd_configure() {
global $config;
$syscfg = $config['system'];
$pptpdcfg = $config['pptpd'];
if (file_exists("/var/run/booting")) {
if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
return 0;
echo gettext("Configuring PPTP VPN service... ");
} else {
/* kill mpd */
killbypid('/var/run/pptp-vpn.pid');
/* wait for process to die */
sleep(3);
if (is_process_running("mpd -b")) {
killbypid('/var/run/pptp-vpn.pid');
log_error(gettext("Could not kill mpd within 3 seconds. Trying again."));
}
/* remove mpd.conf, if it exists */
@unlink('/var/etc/pptp-vpn/mpd.conf');
@unlink('/var/etc/pptp-vpn/mpd.links');
@unlink('/var/etc/pptp-vpn/mpd.secret');
}
if (empty($pptpdcfg['n_pptp_units'])) {
log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
return;
}
/* make sure pptp-vpn directory exists */
@mkdir('/var/etc/pptp-vpn');
switch ($pptpdcfg['mode']) {
case 'server' :
/* write mpd.conf */
$fd = fopen('/var/etc/pptp-vpn/mpd.conf', 'w');
if (!$fd) {
printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
return 1;
}
$mpdconf = <<<EOD
pptps:
EOD;
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
$mpdconf .= " load pt{$i}\n";
}
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);
$mpdconf .= <<<EOD
pt{$i}:
new -i pptpd{$i} pt{$i} pt{$i}
set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
load pts
EOD;
}
$mpdconf .=<<<EOD
pts:
set iface disable on-demand
set iface enable proxy-arp
set iface enable tcpmssfix
set iface idle 1800
set iface up-script /usr/local/sbin/vpn-linkup
set iface down-script /usr/local/sbin/vpn-linkdown
set bundle enable multilink
set bundle enable crypt-reqd
set link yes acfcomp protocomp
set link no pap chap
set link enable chap-msv2
set link mtu 1460
set link keep-alive 10 60
set ipcp yes vjcomp
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e128
set ccp yes mpp-stateless
EOD;
if (!isset ($pptpdcfg['req128'])) {
$mpdconf .=<<<EOD
set ccp yes mpp-e40
set ccp yes mpp-e56
EOD;
}
if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "")
$mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n";
if (!empty($pptpdcfg['dns1'])) {
$mpdconf .= " set ipcp dns " . $pptpdcfg['dns1'];
if (!empty($pptpdcfg['dns2']))
$mpdconf .= " " . $pptpdcfg['dns2'];
$mpdconf .= "\n";
} elseif (isset ($config['dnsmasq']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (isset($config['unbound']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
}
if (isset ($pptpdcfg['radius']['server']['enable'])) {
$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
$acctport = $authport + 1;
$mpdconf .=<<<EOD
set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}
EOD;
if (isset ($pptpdcfg['radius']['server2']['enable'])) {
$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
$acctport = $authport + 1;
$mpdconf .=<<<EOD
set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}
EOD;
}
$mpdconf .=<<<EOD
set radius retries 3
set radius timeout 10
set auth enable radius-auth
EOD;
if (isset ($pptpdcfg['radius']['accounting'])) {
$mpdconf .=<<<EOD
set auth enable radius-acct
set radius acct-update 300
EOD;
}
}
fwrite($fd, $mpdconf);
fclose($fd);
unset($mpdconf);
/* write mpd.links */
$fd = fopen('/var/etc/pptp-vpn/mpd.links', 'w');
if (!$fd) {
printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
return 1;
}
$mpdlinks = "";
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
$mpdlinks .=<<<EOD
pt{$i}:
set link type pptp
set pptp enable incoming
set pptp disable originate
set pptp disable windowing
EOD;
}
fwrite($fd, $mpdlinks);
fclose($fd);
unset($mpdlinks);
/* write mpd.secret */
$fd = fopen('/var/etc/pptp-vpn/mpd.secret', 'w');
if (!$fd) {
printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
return 1;
}
$mpdsecret = "";
if (is_array($pptpdcfg['user'])) {
foreach ($pptpdcfg['user'] as $user) {
$pass = str_replace('\\', '\\\\', $user['password']);
$pass = str_replace('"', '\"', $pass);
$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
}
}
fwrite($fd, $mpdsecret);
fclose($fd);
unset($mpdsecret);
chmod('/var/etc/pptp-vpn/mpd.secret', 0600);
vpn_netgraph_support();
/* fire up mpd */
mwexec('/usr/local/sbin/mpd4 -b -d /var/etc/pptp-vpn -p /var/run/pptp-vpn.pid -s pptps pptps');
break;
case 'redir' :
break;
}
if (file_exists("/var/run/booting"))
echo "done\n";
return 0;
}
function vpn_pppoes_configure()
{
global $config;
if (isset($config['pppoes']['pppoe'])) {
foreach ($config['pppoes']['pppoe'] as $pppoe) {
vpn_pppoe_configure($pppoe);
}
}
}
function vpn_pppoe_configure_by_id($id)
{
global $config;
$found = null;
if (isset($config['pppoes']['pppoe'])) {
foreach ($config['pppoes']['pppoe'] as $pppoe) {
if (!isset($pppoe['mode']) || $pppoe['mode'] == 'off') {
continue;
}
if ($id != 0 && $id == $pppoe['pppoeid']) {
$found = $pppoe;
break;
}
}
}
if ($found == null) {
return;
}
vpn_pppoe_configure($found);
}
function vpn_pppoe_configure(&$pppoecfg)
{
global $config;
$syscfg = $config['system'];
/* create directory if it does not exist */
@mkdir("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn");
if (file_exists("/var/run/booting")) {
if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
return 0;
echo gettext("Configuring PPPoE VPN service... ");
} else {
/* kill mpd */
killbypid("/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
/* wait for process to die */
sleep(2);
}
switch ($pppoecfg['mode']) {
case 'server' :
$pppoe_interface = get_real_interface($pppoecfg['interface']);
if ($pppoecfg['paporchap'] == "chap")
$paporchap = "set link enable chap";
else
$paporchap = "set link enable pap";
/* write mpd.conf */
$fd = fopen("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
return 1;
}
$mpdconf = "\n\n";
$mpdconf .= "poes:\n";
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
$mpdconf .= " load poes{$pppoecfg['pppoeid']}{$i}\n";
}
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);
if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
} else {
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
}
$mpdconf .=<<<EOD
poes{$pppoecfg['pppoeid']}{$i}:
new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
{$isssue_ip_type}
load pppoe_standard
EOD;
}
$mpdconf .=<<<EOD
pppoe_standard:
set bundle no multilink
set bundle enable compression
set auth max-logins 1
set iface up-script /usr/local/sbin/vpn-linkup
set iface down-script /usr/local/sbin/vpn-linkdown
set iface idle 0
set iface disable on-demand
set iface disable proxy-arp
set iface enable tcpmssfix
set iface mtu 1500
set link no pap chap
{$paporchap}
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp no vjcomp
set link max-redial -1
set link mtu 1492
set link mru 1492
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
set link latency 1
#set ipcp dns 10.10.1.3
#set bundle accept encryption
EOD;
if (!empty($pppoecfg['dns1'])) {
$mpdconf .= " set ipcp dns " . $pppoecfg['dns1'];
if (!empty($pppoecfg['dns2']))
$mpdconf .= " " . $pppoecfg['dns2'];
$mpdconf .= "\n";
} elseif (isset ($config['dnsmasq']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (isset ($config['unbound']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
}
if (isset ($pppoecfg['radius']['server']['enable'])) {
$radiusport = "";
$radiusacctport = "";
if (isset($pppoecfg['radius']['server']['port']))
$radiusport = $pppoecfg['radius']['server']['port'];
if (isset($pppoecfg['radius']['server']['acctport']))
$radiusacctport = $pppoecfg['radius']['server']['acctport'];
$mpdconf .=<<<EOD
set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
set radius retries 3
set radius timeout 10
set auth enable radius-auth
EOD;
if (isset ($pppoecfg['radius']['accounting'])) {
$mpdconf .=<<<EOD
set auth enable radius-acct
EOD;
}
}
fwrite($fd, $mpdconf);
fclose($fd);
unset($mpdconf);
/* write mpd.links */
$fd = fopen("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.links", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
return 1;
}
$mpdlinks = "";
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
$mpdlinks .=<<<EOD
poes{$pppoecfg['pppoeid']}{$i}:
set phys type pppoe
set pppoe iface {$pppoe_interface}
set pppoe service "*"
set pppoe disable originate
set pppoe enable incoming
EOD;
}
fwrite($fd, $mpdlinks);
fclose($fd);
unset($mpdlinks);
if ($pppoecfg['username']) {
/* write mpd.secret */
$fd = fopen("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
return 1;
}
$mpdsecret = "\n\n";
if (!empty($pppoecfg['username'])) {
$item = explode(" ", $pppoecfg['username']);
foreach($item as $userdata) {
$data = explode(":", $userdata);
$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
}
}
fwrite($fd, $mpdsecret);
fclose($fd);
unset($mpdsecret);
chmod("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);
}
/* Check if previous instance is still up */
killbypid("/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
/* Get support for netgraph(4) from the nic */
pfSense_ngctl_attach(".", $pppoe_interface);
/* fire up mpd */
mwexec("/usr/local/sbin/mpd4 -b -d /var/etc/pppoe{$pppoecfg['pppoeid']}-vpn -p /var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");
break;
}
if (file_exists("/var/run/booting"))
echo gettext("done") . "\n";
return 0;
}
function vpn_l2tp_configure()
{
global $config;
$syscfg = $config['system'];
if (isset($config['l2tp'])) {
$l2tpcfg = $config['l2tp'];
} else {
return 0;
}
if (file_exists("/var/run/booting")) {
if (!isset($l2tpcfg['mode']) || $l2tpcfg['mode'] == "off")
return 0;
echo gettext("Configuring l2tp VPN service... ");
} else {
while (isvalidpid('/var/run/l2tp-vpn.pid')) {
killbypid('/var/run/l2tp-vpn.pid');
usleep(250 * 1000);
}
}
@mkdir('/var/etc/l2tp-vpn');
switch (isset($l2tpcfg['mode'])?$l2tpcfg['mode']:null) {
case 'server' :
if ($l2tpcfg['paporchap'] == "chap")
$paporchap = "set link enable chap";
else
$paporchap = "set link enable pap";
/* write mpd.conf */
$fd = fopen("/var/etc/l2tp-vpn/mpd.conf", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
return 1;
}
$mpdconf = "\n\n";
$mpdconf .=<<<EOD
l2tps:
EOD;
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
$mpdconf .= " load l2tp{$i}\n";
}
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);
if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
} else {
$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
}
$mpdconf .=<<<EOD
l2tp{$i}:
new -i l2tp{$i} l2tp{$i} l2tp{$i}
{$isssue_ip_type}
load l2tp_standard
EOD;
}
$mpdconf .=<<<EOD
l2tp_standard:
set bundle disable multilink
set bundle enable compression
set bundle yes crypt-reqd
set ipcp yes vjcomp
# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
set ccp yes mppc
set iface disable on-demand
set iface enable proxy-arp
set iface up-script /usr/local/sbin/vpn-linkup
set iface down-script /usr/local/sbin/vpn-linkdown
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 10 180
EOD;
if (is_ipaddr($l2tpcfg['wins'])) {
$mpdconf .= " set ipcp nbns {$l2tpcfg['wins']}\n";
}
if (is_ipaddr($l2tpcfg['dns1'])) {
$mpdconf .= " set ipcp dns " . $l2tpcfg['dns1'];
if (is_ipaddr($l2tpcfg['dns2']))
$mpdconf .= " " . $l2tpcfg['dns2'];
$mpdconf .= "\n";
} elseif (isset ($config['dnsmasq']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (isset ($config['unbound']['enable'])) {
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
if ($syscfg['dnsserver'][0])
$mpdconf .= " " . $syscfg['dnsserver'][0];
$mpdconf .= "\n";
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
}
if (isset ($l2tpcfg['radius']['enable'])) {
$mpdconf .=<<<EOD
set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
set radius retries 3
set radius timeout 10
set auth enable radius-auth
EOD;
if (isset ($l2tpcfg['radius']['accounting'])) {
$mpdconf .=<<<EOD
set auth enable radius-acct
EOD;
}
}
fwrite($fd, $mpdconf);
fclose($fd);
unset($mpdconf);
/* write mpd.links */
$fd = fopen("/var/etc/l2tp-vpn/mpd.links", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
return 1;
}
$mpdlinks = "";
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
$mpdlinks .=<<<EOD
l2tp{$i}:
set link type l2tp
set l2tp enable incoming
set l2tp disable originate
EOD;
if (!empty($l2tpcfg['secret']))
$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
}
fwrite($fd, $mpdlinks);
fclose($fd);
unset($mpdlinks);
/* write mpd.secret */
$fd = fopen("/var/etc/l2tp-vpn/mpd.secret", "w");
if (!$fd) {
printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
return 1;
}
$mpdsecret = "\n\n";
if (is_array($l2tpcfg['user'])) {
foreach ($l2tpcfg['user'] as $user)
$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
}
fwrite($fd, $mpdsecret);
fclose($fd);
unset($mpdsecret);
chmod('/var/etc/l2tp-vpn/mpd.secret', 0600);
vpn_netgraph_support();
/* fire up mpd */
mwexec('/usr/local/sbin/mpd4 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps');
break;
case 'redir' :
break;
}
if (file_exists("/var/run/booting"))
echo "done\n";
return 0;
}

7
src/etc/inc/services.inc
View File

@ -2736,6 +2736,13 @@ function services_get()
'name' => 'configd',
);
if (function_exists('plugins_services')) {
/* only pull plugins if plugins.inc was included before */
foreach (plugins_services() as $service) {
$services[] = $service;
}
}
return $services;
}

1618
src/etc/inc/vpn.inc
View File

File diff suppressed because it is too large Load Diff

2
src/etc/inc/xmlrpc/legacy.inc
View File

@ -256,7 +256,7 @@ function restore_config_section_xmlrpc($new_config)
}
if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) {
vpn_ipsec_configure();
ipsec_configure();
}
unset($old_config);

12
src/etc/rc.bootup
View File

@ -150,7 +150,9 @@ require_once("vslb.inc");
echo ".";
require_once("filter.inc");
echo ".";
require_once("vpn.inc");
require_once("plugins.inc");
echo ".";
require_once("ipsec.inc");
echo ".";
require_once("openvpn.inc");
echo ".";
@ -313,11 +315,11 @@ configd_run("dyndns reload");
/* Run a filter configure now that most all services have started */
filter_configure_sync();
/* setup pppoe and pptp */
vpn_setup();
/* Run all registered plugins */
plugins_configure();
/* start IPsec tunnels */
$ipsec_dynamic_hosts = vpn_ipsec_configure();
$ipsec_dynamic_hosts = ipsec_configure();
/* start SNMP service */
services_snmpd_configure();
@ -358,7 +360,7 @@ system_syslogd_start();
/* If there are ipsec dynamic hosts try again to reload the tunnels as rc.newipsecdns does */
if ($ipsec_dynamic_hosts) {
vpn_ipsec_configure();
ipsec_configure();
filter_configure();
}

3
src/etc/rc.filter_configure_sync
View File

@ -30,11 +30,10 @@
require_once("config.inc");
require_once("util.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("system.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
require_once("services.inc");
filter_configure_sync();

2
src/etc/rc.initial.setlanip
View File

@ -32,7 +32,7 @@ require_once("config.inc");
require_once("interfaces.inc");
require_once("openvpn.inc");
require_once("util.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("filter.inc");
require_once("rrd.inc");
require_once("util.inc");

2
src/etc/rc.initial.setports
View File

@ -32,7 +32,7 @@ require_once("config.inc");
require_once("config.console.inc");
require_once("filter.inc");
require_once("util.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("rrd.inc");
require_once("system.inc");
require_once("services.inc");

2
src/etc/rc.linkup
View File

@ -31,6 +31,7 @@
require_once("config.inc");
require_once("filter.inc");
require_once("interfaces.inc");
require_once('ipsec.inc');
require_once('openvpn.inc');
require_once("util.inc");
require_once("system.inc");
@ -72,7 +73,6 @@ function handle_argument_group($iface, $argument2) {
case "start":
log_error("DEVD Ethernet attached event for {$iface}");
log_error("HOTPLUG: Configuring interface {$iface}");
require_once("vpn.inc");
// Do not try to readd to bridge otherwise em(4) has problems
interface_configure($iface, true, true);
break;

9
src/etc/rc.newipsecdns
View File

@ -32,7 +32,7 @@
require_once("util.inc");
require_once("config.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once('ipsec.inc');
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
@ -49,9 +49,10 @@ if (isset($config['ipsec']['enable'])) {
$ipseclck = lock('ipsecdns', LOCK_EX);
vpn_ipsec_configure();
ipsec_configure();
if (isset($config['ipsec']['failoverforcereload']))
vpn_ipsec_force_reload();
if (isset($config['ipsec']['failoverforcereload'])) {
ipsec_force_reload();
}
unlock($ipseclck);

4
src/etc/rc.newwanip
View File

@ -31,7 +31,7 @@
/* parse the configuration and include all functions used below */
require_once("config.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once('ipsec.inc');
require_once("openvpn.inc");
require_once("rrd.inc");
require_once("util.inc");
@ -200,7 +200,7 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface
services_dyndns_configure($interface);
/* reconfigure IPsec tunnels */
vpn_ipsec_force_reload($interface);
ipsec_force_reload($interface);
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != "ovpn") {

6
src/etc/rc.newwanipv6
View File

@ -32,7 +32,7 @@
require_once("config.inc");
require_once("interfaces.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once('ipsec.inc');
require_once("openvpn.inc");
require_once("services.inc");
require_once("rrd.inc");
@ -126,7 +126,7 @@ if (is_ipaddrv6($oldipv6)) {
// Still need to sync VPNs on PPPoE and such, as even with the same IP the VPN software is unhappy with the IP disappearing.
if (in_array($config['interfaces'][$interface]['ipaddrv6'], array('pppoe', 'pptp', 'ppp'))) {
/* reconfigure IPsec tunnels */
vpn_ipsec_force_reload($interface);
ipsec_force_reload($interface);
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != "ovpn")
@ -146,7 +146,7 @@ services_dnsupdate_process($interface);
services_dyndns_configure($interface);
/* reconfigure IPsec tunnels */
vpn_ipsec_force_reload($interface);
ipsec_force_reload($interface);
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != "ovpn")

2
src/etc/rc.reload_all
View File

@ -31,7 +31,7 @@ require_once("config.inc");
require_once("interfaces.inc");
require_once("openvpn.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once('ipsec.inc');
require_once("util.inc");
require_once("system.inc");
require_once("pfsense-utils.inc");

3
src/etc/rc.reload_interfaces
View File

@ -31,10 +31,9 @@ require_once("config.inc");
require_once("filter.inc");
require_once("util.inc");
require_once("openvpn.inc");
require_once("vpn.inc");
require_once('ipsec.inc');
require_once("system.inc");
require_once("interfaces.inc");
require_once("openvpn.inc");
require_once("pfsense-utils.inc");
require_once("services.inc");
require_once("unbound.inc");

2
src/www/diag_ipsec_leases.php
View File

@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");

2
src/www/diag_ipsec_sad.php
View File

@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");

2
src/www/diag_ipsec_spd.php
View File

@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");

2
src/www/diag_logs_l2tp.php
View File

@ -19,4 +19,6 @@ $tab_array = array();
$tab_array[] = array(gettext("L2TP Logins"), $mode != "raw", "/diag_logs_l2tp.php");
$tab_array[] = array(gettext("L2TP Raw"), $mode == "raw", "/diag_logs_l2tp.php?mode=raw");
$service_hook = 'l2tpd';
require_once 'diag_logs_vpn.inc';

2
src/www/diag_logs_pptp.php
View File

@ -19,4 +19,6 @@ $tab_array = array();
$tab_array[] = array(gettext("PPTP Logins"), $mode != "raw", "/diag_logs_pptp.php");
$tab_array[] = array(gettext("PPTP Raw"), $mode == "raw", "/diag_logs_pptp.php?mode=raw");
$service_hook = 'pptpd';
require_once 'diag_logs_vpn.inc';

3
src/www/diag_logs_vpn.inc
View File

@ -28,8 +28,9 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("system.inc");
require_once('services.inc');
require_once('plugins.inc');
require_once("interfaces.inc");
if (empty($config['syslog']['nentries'])) {

4
src/www/guiconfig.inc
View File

@ -273,8 +273,8 @@ function print_service_banner($service)
}
}
function get_std_save_message() {
global $d_sysrebootreqd_path;
function get_std_save_message()
{
$filter_related = false;
$filter_pages = array("nat", "filter");
$to_return = gettext("The changes have been applied successfully.");

3
src/www/interfaces.php
View File

@ -32,12 +32,11 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("filter.inc");
require_once("rrd.inc");
require_once("vpn.inc");
require_once("system.inc");
require_once("interfaces.inc");
require_once("ipsec.inc");
require_once("openvpn.inc");
require_once("pfsense-utils.inc");
require_once("services.inc");

2
src/www/interfaces_assign.php
View File

@ -30,10 +30,10 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("rrd.inc");
require_once("system.inc");
require_once("interfaces.inc");
require_once("ipsec.inc");
require_once("openvpn.inc");
require_once("pfsense-utils.inc");
require_once("services.inc");

3
src/www/status_services.php
View File

@ -30,13 +30,14 @@
require_once("guiconfig.inc");
require_once("services.inc");
require_once('plugins.inc');
require_once("vslb.inc");
require_once("system.inc");
require_once("unbound.inc");
require_once("pfsense-utils.inc");
require_once("openvpn.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("interfaces.inc");
require_once("rrd.inc");

3
src/www/system_advanced_misc.php
View File

@ -31,14 +31,13 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("vslb.inc");
require_once("system.inc");
require_once("pfsense-utils.inc");
require_once("services.inc");
require_once("interfaces.inc");
$crypto_modules = array('glxsb' => gettext("AMD Geode LX Security Block"),
'aesni' => gettext("AES-NI CPU-based Acceleration")
);

2
src/www/system_gateway_groups_edit.php
View File

@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");

6
src/www/vpn_ipsec.php
View File

@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
@ -78,7 +78,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
if (isset($_POST['apply'])) {
$retval = vpn_ipsec_configure();
$retval = ipsec_configure();
/* reload the filter in the background */
filter_configure();
$savemsg = get_std_save_message();
@ -90,7 +90,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
} elseif (isset($_POST['save'])) {
$config['ipsec']['enable'] = !empty($_POST['enable']) ? true : false;
write_config();
vpn_ipsec_configure();
ipsec_configure();
header("Location: vpn_ipsec.php");
exit;
} elseif (!empty($_POST['act']) && $_POST['act'] == "delphase1" ) {

9
src/www/vpn_ipsec_keys.php
View File

@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("filter.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
@ -56,13 +56,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
} elseif (isset($_POST['apply'])) {
// apply changes
$retval = vpn_ipsec_configure();
/* reload the filter in the background */
ipsec_configure();
filter_configure();
$savemsg = get_std_save_message();
if (is_subsystem_dirty('ipsec')) {
clear_subsystem_dirty('ipsec');
}
clear_subsystem_dirty('ipsec');
} else {
// nothing to post, redirect
header("Location: vpn_ipsec_keys.php");

2
src/www/vpn_ipsec_keys_edit.php
View File

@ -29,7 +29,7 @@
require_once("interfaces.inc");
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {

11
src/www/vpn_ipsec_mobile.php
View File

@ -30,7 +30,7 @@
require_once("interfaces.inc");
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
@ -89,14 +89,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
exit;
} elseif (isset($_POST['apply'])) {
// apply changes
$retval = 0;
$retval = vpn_ipsec_configure();
ipsec_configure();
$savemsg = get_std_save_message();
if ($retval >= 0) {
if (is_subsystem_dirty('ipsec')) {
clear_subsystem_dirty('ipsec');
}
}
clear_subsystem_dirty('ipsec');
header("Location: vpn_ipsec_mobile.php?savemsg=".$savemsg);
exit;
} elseif (isset($_POST['submit'])) {

4
src/www/vpn_ipsec_phase1.php
View File

@ -31,7 +31,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
@ -399,7 +399,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the vpn_ipsec_configure() handles adding the route */
/* the ipsec_configure() handles adding the route */
if ($pconfig['interface'] <> "wan") {
if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) {
mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");

2
src/www/vpn_ipsec_phase2.php
View File

@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("interfaces.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
/**

5
src/www/vpn_ipsec_settings.php
View File

@ -29,7 +29,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("ipsec.inc");
require_once("services.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
@ -99,9 +99,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
write_config();
$savemsg = get_std_save_message();
filter_configure();
vpn_ipsec_configure();
ipsec_configure();
}
$service_hook = 'ipsec';

6
src/www/vpn_l2tp.php
View File

@ -28,9 +28,11 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("pfsense-utils.inc");
require_once("interfaces.inc");
require_once("services.inc");
require_once("plugins.inc");
require_once("plugins.inc.d/vpn.inc");
if (!isset($config['l2tp']['radius']) || !is_array($config['l2tp']['radius'])) {
$config['l2tp']['radius'] = array();
@ -164,6 +166,8 @@ if ($_POST) {
}
}
$service_hook = 'l2tpd';
include("head.inc");
?>

17
src/www/vpn_l2tp_users.php
View File

@ -28,7 +28,9 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("services.inc");
require_once("plugins.inc");
require_once("plugins.inc.d/vpn.inc");
if (!isset($config['l2tp']['user'])) {
$config['l2tp']['user'] = array();
@ -39,16 +41,9 @@ if ($_POST) {
$pconfig = $_POST;
if ($_POST['apply']) {
$retval = 0;
if (!is_subsystem_dirty('rebootreq')) {
$retval = vpn_l2tp_configure();
}
vpn_l2tp_configure();
$savemsg = get_std_save_message();
if ($retval == 0) {
if (is_subsystem_dirty('l2tpusers')) {
clear_subsystem_dirty('l2tpusers');
}
}
clear_subsystem_dirty('l2tpusers');
}
}
@ -62,6 +57,8 @@ if ($_GET['act'] == "del") {
}
}
$service_hook = 'l2tpd';
include("head.inc");

12
src/www/vpn_l2tp_users_edit.php
View File

@ -44,7 +44,9 @@ function l2tp_users_sort()
}
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("services.inc");
require_once("plugins.inc");
require_once("plugins.inc.d/vpn.inc");
$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php');
@ -122,18 +124,18 @@ if ($_POST) {
} else {
$a_secret[] = $secretent;
}
l2tp_users_sort();
write_config();
$retval = vpn_l2tp_configure();
vpn_l2tp_configure();
header("Location: vpn_l2tp_users.php");
exit;
}
}
$service_hook = 'l2tpd';
include("head.inc");
?>

2
src/www/vpn_pppoe.php
View File

@ -29,7 +29,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("vpn.inc");
require_once("plugins.inc.d/vpn.inc");
require_once("interfaces.inc");
if (!is_array($config['pppoes'])) {

1
src/www/vpn_pppoe_edit.php
View File

@ -29,7 +29,6 @@
*/
require_once("guiconfig.inc");
require_once("vpn.inc");
require_once("interfaces.inc");
function vpn_pppoe_get_id()

11
src/www/vpn_pptp.php
View File

@ -30,8 +30,10 @@
require_once('guiconfig.inc');
require_once('interfaces.inc');
require_once('filter.inc');
require_once('vpn.inc');
require_once('services.inc');
require_once("plugins.inc");
require_once("pfsense-utils.inc");
require_once('plugins.inc.d/vpn.inc');
if (!is_array($config['pptpd']['radius'])) {
$config['pptpd']['radius'] = array();
@ -187,15 +189,14 @@ if ($_POST) {
}
write_config();
$retval = 0;
$retval = vpn_pptpd_configure();
$savemsg = get_std_save_message();
vpn_pptpd_configure();
filter_configure();
}
}
$service_hook = 'pptpd';
include("head.inc");
?>

15
src/www/vpn_pptp_users.php
View File

@ -28,7 +28,9 @@
*/
require_once('guiconfig.inc');
require_once('vpn.inc');
require_once('services.inc');
require_once("plugins.inc");
require_once('plugins.inc.d/vpn.inc');
if (!is_array($config['pptpd']['user'])) {
$config['pptpd']['user'] = array();
@ -39,14 +41,9 @@ if ($_POST) {
$pconfig = $_POST;
if ($_POST['apply']) {
$retval = 0;
$retval = vpn_setup();
vpn_pptpd_configure();
$savemsg = get_std_save_message();
if ($retval == 0) {
if (is_subsystem_dirty('pptpusers')) {
clear_subsystem_dirty('pptpusers');
}
}
clear_subsystem_dirty('pptpusers');
}
}
@ -60,6 +57,8 @@ if ($_GET['act'] == "del") {
}
}
$service_hook = 'pptpd';
include("head.inc");
$main_buttons = array(

14
src/www/vpn_pptp_users_edit.php
View File

@ -34,17 +34,19 @@ function pptpusercmp($a, $b)
function pptpd_users_sort()
{
global $config;
global $config;
if (!is_array($config['ppptpd']['user'])) {
return;
}
usort($config['pptpd']['user'], "pptpusercmp");
usort($config['pptpd']['user'], "pptpusercmp");
}
require_once('guiconfig.inc');
require_once('vpn.inc');
require_once('services.inc');
require_once("plugins.inc");
require_once('plugins.inc.d/vpn.inc');
if (!is_array($config['pptpd']['user'])) {
$config['pptpd']['user'] = array();
@ -124,16 +126,18 @@ if ($_POST) {
} else {
$a_secret[] = $secretent;
}
pptpd_users_sort();
pptpd_users_sort();
write_config();
mark_subsystem_dirty('pptpusers');
vpn_pptpd_configure();
header("Location: vpn_pptp_users.php");
exit;
}
}
$service_hook = 'pptpd';
include("head.inc");
?>

5
src/www/widgets/widgets/services_status.widget.php
View File

@ -33,9 +33,10 @@ $nocsrf = true;
require_once("guiconfig.inc");
require_once("services.inc");
require_once("vpn.inc");
require_once("widgets/include/services_status.inc");
require_once('plugins.inc');
require_once("ipsec.inc");
require_once("interfaces.inc");
require_once("widgets/include/services_status.inc");
$services = services_get();