ipsec, support manually defined spd entries, for https://github.com/opnsense/core/issues/440

2026-03-13 00:07:27 +00:00 · 2017-07-29 14:58:10 +02:00 · 2017-07-29 14:58:10 +02:00 · 814d18ac37
commit 814d18ac37
parent 9351e45d59
2 changed files with 60 additions and 2 deletions
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@ -536,6 +536,36 @@ function ipsec_convert_to_modp($index)
    return $convertion;
 }

+/**
+ * load manual defined spd entries using setkey
+ */
+function load_manual_spd()
+{
+    global $config;
+    $spd_entries = array();
+    if (!empty($config['ipsec']['phase1']) && !empty($config['ipsec']['phase2'])) {
+        foreach ($config['ipsec']['phase1'] as $ph1ent) {
+            foreach ($config['ipsec']['phase2'] as $ph2ent) {
+                if (!isset($ph2ent['disabled']) && $ph1ent['ikeid'] == $ph2ent['ikeid'] && !empty($ph2ent['spd'])) {
+                    $myid_data = ipsec_find_id($ph1ent, "local");
+                    $peerid_spec = ipsec_find_id($ph1ent, "peer");
+                    foreach (explode(',', $ph2ent['spd']) as $local_net) {
+                        $proto = $ph2ent['mode'] == "tunnel" ? "4" : "6";
+                        $remote_net = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
+                        $spd_entries[] = sprintf("spdadd -%s %s %s any -P out ipsec %s/tunnel/%s-%s/require;",
+                                             $proto, trim($local_net), $remote_net, $ph2ent['protocol'],
+                                             $myid_data, $peerid_spec);
+                    }
+                }
+            }
+        }
+        $tmpfname = tempnam("/tmp", "setkey");
+        file_put_contents($tmpfname, implode("\n", $spd_entries) . "\n");
+        mwexec("/sbin/setkey -f ". $tmpfname, true);
+        unlink($tmpfname);
+    }
+}
+
 function ipsec_configure_do($verbose = false, $interface = '')
 {
    global $config, $p2_ealgos, $ipsec_loglevels;
@ -1432,6 +1462,8 @@ EOD;
    } else {
        killbypid('/var/run/filterdns-ipsec.pid');
    }
+    // load manually defined SPD entries
+    load_manual_spd();

    if ($verbose) {
        echo "done.\n";
--- a/src/www/vpn_ipsec_phase2.php
+++ b/src/www/vpn_ipsec_phase2.php
@ -145,7 +145,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // initialize form data
    $pconfig = array();

-    $phase2_fields = "ikeid,mode,descr,uniqid,proto,hash-algorithm-option,pfsgroup,pfsgroup,lifetime,pinghost,protocol";
+    $phase2_fields = "ikeid,mode,descr,uniqid,proto,hash-algorithm-option,pfsgroup,pfsgroup,lifetime,pinghost,protocol,spd";
    if ($p2index !== null) {
        // 1-on-1 copy
        foreach (explode(",", $phase2_fields) as $fieldname) {
@ -344,9 +344,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $input_errors[] = gettext("The P2 lifetime must be an integer.");
    }

+    if (!empty($pconfig['spd'])) {
+        foreach (explode(',', $pconfig['spd']) as $spd_entry) {
+            if (($pconfig['mode'] == "tunnel" && !is_subnetv4(trim($spd_entry))) ||
+              ($pconfig['mode'] == "tunnel6" && !is_subnetv6(trim($spd_entry)))) {
+                $input_errors[] = sprintf(gettext('SPD "%s" is not a valid network, it should match the tunnel type (IPv4/IPv6).'), $spd_entry) ;
+            }
+        }
+    }
+
    if (count($input_errors) == 0) {
        $ph2ent = array();
-        $copy_fields = "ikeid,uniqid,mode,pfsgroup,lifetime,pinghost,descr,protocol";
+        $copy_fields = "ikeid,uniqid,mode,pfsgroup,lifetime,pinghost,descr,protocol,spd";

        // 1-on-1 copy
        foreach (explode(",", $copy_fields) as $fieldname) {
@ -704,6 +713,23 @@ endif; ?>
                    </div>
                  </td>
                </tr>
+<?php
+                if (!isset($pconfig['mobile'])):?>
+                <tr class="opt_localid">
+                  <td><a id="help_for_spd" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Manual SPD entries"); ?></td>
+                  <td>
+                    <input name="spd" type="text" id="spd" value="<?= $pconfig['spd'];?>" />
+                    <div class="hidden" for="help_for_spd">
+                        <strong><?=gettext("Register additional Security Policy Database entries"); ?></strong><br/>
+                        <?=gettext("Strongswan automatically creates SPD policies for the networks defined in this phase2. ".
+                                   "If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma seperated list.".
+                                   "When configured, you can use network address translation to push packets through this tunnel from these networks."); ?><br/>
+                        <small><?=gettext("e.g. 192.168.1.0/24, 192.168.2.0/24"); ?></small>
+                    </div>
+                  </td>
+                </tr>
+<?php
+                endif; ?>
                <tr>
                  <td>&nbsp;</td>
                  <td width="78%">