1 |
5b237745
|
Scott Ullrich
|
<?php
|
2 |
979cd6db
|
Scott Ullrich
|
|
3 |
5b237745
|
Scott Ullrich
|
/*
|
4 |
|
|
vpn.inc
|
5 |
979cd6db
|
Scott Ullrich
|
Copyright (C) 2004 Scott Ullrich
|
6 |
a93e56c5
|
Matthew Grooms
|
Copyright (C) 2008 Shrew Soft Inc
|
7 |
5debd85f
|
caseyr232
|
Copyright (C) 2008 Ermal Lu�i
|
8 |
cfc707f7
|
Scott Ullrich
|
All rights reserved.
|
9 |
17da6c79
|
Scott Ullrich
|
|
10 |
|
|
originally part of m0n0wall (http://m0n0.ch/wall)
|
11 |
|
|
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
|
12 |
|
|
All rights reserved.
|
13 |
|
|
|
14 |
5b237745
|
Scott Ullrich
|
Redistribution and use in source and binary forms, with or without
|
15 |
|
|
modification, are permitted provided that the following conditions are met:
|
16 |
17da6c79
|
Scott Ullrich
|
|
17 |
5b237745
|
Scott Ullrich
|
1. Redistributions of source code must retain the above copyright notice,
|
18 |
|
|
this list of conditions and the following disclaimer.
|
19 |
17da6c79
|
Scott Ullrich
|
|
20 |
5b237745
|
Scott Ullrich
|
2. Redistributions in binary form must reproduce the above copyright
|
21 |
|
|
notice, this list of conditions and the following disclaimer in the
|
22 |
|
|
documentation and/or other materials provided with the distribution.
|
23 |
17da6c79
|
Scott Ullrich
|
|
24 |
5b237745
|
Scott Ullrich
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
25 |
|
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
26 |
|
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
27 |
|
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
28 |
|
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
29 |
|
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
30 |
|
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
31 |
|
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
32 |
|
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
33 |
|
|
POSSIBILITY OF SUCH DAMAGE.
|
34 |
|
|
*/
|
35 |
8f67a8e1
|
Scott Ullrich
|
|
36 |
523855b0
|
Scott Ullrich
|
/*
|
37 |
9e5dfe47
|
Ermal
|
pfSense_BUILDER_BINARIES: /sbin/ifconfig /sbin/sysctl
|
38 |
6c576b27
|
Ermal
|
pfSense_BUILDER_BINARIES: /usr/local/sbin/ipsec /usr/local/libexec/ipsec/charon /usr/local/libexec/ipsec/starter
|
39 |
09628a07
|
Renato Botelho
|
pfSense_BUILDER_BINARIES: /usr/local/sbin/filterdns /usr/local/sbin/mpd4
|
40 |
523855b0
|
Scott Ullrich
|
pfSense_MODULE: vpn
|
41 |
|
|
*/
|
42 |
|
|
|
43 |
50813d24
|
jim-p
|
require_once("ipsec.inc");
|
44 |
|
|
|
45 |
9abaa8f7
|
Ermal
|
function vpn_ipsec_configure_loglevels($forconfig = false)
|
46 |
c6efc8fd
|
Ermal
|
{
|
47 |
b305f795
|
Ermal
|
global $config, $ipsec_loglevels;
|
48 |
c6efc8fd
|
Ermal
|
|
49 |
9abaa8f7
|
Ermal
|
$cfgtext = array();
|
50 |
c6efc8fd
|
Ermal
|
foreach ($ipsec_loglevels as $lkey => $ldescr) {
|
51 |
9abaa8f7
|
Ermal
|
if (!isset($config['ipsec']["ipsec_{$lkey}"]))
|
52 |
|
|
$forconfig ? $cfgtext[] = "{$lkey} = -1" : mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false);
|
53 |
c6efc8fd
|
Ermal
|
else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
|
54 |
6ae8b844
|
Ermal
|
intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
|
55 |
9abaa8f7
|
Ermal
|
$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
|
56 |
|
|
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
|
57 |
c6efc8fd
|
Ermal
|
}
|
58 |
9abaa8f7
|
Ermal
|
if ($forconfig)
|
59 |
|
|
return implode(',', $cfgtext);
|
60 |
c6efc8fd
|
Ermal
|
}
|
61 |
|
|
|
62 |
5b237745
|
Scott Ullrich
|
/* include all configuration functions */
|
63 |
496acde1
|
Ermal
|
function vpn_ipsec_convert_to_modp($index)
|
64 |
|
|
{
|
65 |
8f67a8e1
|
Scott Ullrich
|
|
66 |
496acde1
|
Ermal
|
$convertion = "";
|
67 |
|
|
switch ($index) {
|
68 |
|
|
case '1':
|
69 |
|
|
$convertion = "modp768";
|
70 |
|
|
break;
|
71 |
|
|
case '2':
|
72 |
|
|
$convertion = "modp1024";
|
73 |
|
|
break;
|
74 |
|
|
case '5':
|
75 |
|
|
$convertion = "modp1536";
|
76 |
|
|
break;
|
77 |
|
|
case '14':
|
78 |
|
|
$convertion = "modp2048";
|
79 |
|
|
break;
|
80 |
|
|
case '15':
|
81 |
|
|
$convertion = "modp3072";
|
82 |
|
|
break;
|
83 |
|
|
case '16':
|
84 |
|
|
$convertion = "modp4096";
|
85 |
|
|
break;
|
86 |
|
|
case '17':
|
87 |
|
|
$convertion = "modp6144";
|
88 |
|
|
break;
|
89 |
|
|
case '18':
|
90 |
|
|
$convertion = "modp8192";
|
91 |
|
|
break;
|
92 |
920af30f
|
Ermal Lu?i
|
}
|
93 |
496acde1
|
Ermal
|
|
94 |
|
|
return $convertion;
|
95 |
600dd4e0
|
Scott Ullrich
|
}
|
96 |
8f67a8e1
|
Scott Ullrich
|
|
97 |
a93e56c5
|
Matthew Grooms
|
function vpn_ipsec_configure($ipchg = false)
|
98 |
|
|
{
|
99 |
|
|
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
|
100 |
17da6c79
|
Scott Ullrich
|
|
101 |
7734aea6
|
Andrew Thompson
|
if ($g['platform'] == 'jail')
|
102 |
|
|
return;
|
103 |
52c9f9fa
|
Ermal
|
|
104 |
f41c9fd5
|
Ermal Lu?i
|
/* get the automatic ping_hosts.sh ready */
|
105 |
cdd5b2ce
|
Ermal Lu?i
|
unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
|
106 |
|
|
touch("{$g['vardb_path']}/ipsecpinghosts");
|
107 |
c1f5a46b
|
Scott Ullrich
|
|
108 |
7b2fdac4
|
jim-p
|
vpn_ipsec_configure_preferoldsa();
|
109 |
8f67a8e1
|
Scott Ullrich
|
|
110 |
|
|
$syscfg = $config['system'];
|
111 |
5b237745
|
Scott Ullrich
|
$ipseccfg = $config['ipsec'];
|
112 |
a93e56c5
|
Matthew Grooms
|
$a_phase1 = $config['ipsec']['phase1'];
|
113 |
|
|
$a_phase2 = $config['ipsec']['phase2'];
|
114 |
3462a529
|
Matthew Grooms
|
$a_client = $config['ipsec']['client'];
|
115 |
8f67a8e1
|
Scott Ullrich
|
|
116 |
2f1e0311
|
Seth Mos
|
if (!isset($ipseccfg['enable'])) {
|
117 |
6c576b27
|
Ermal
|
/* try to stop charon */
|
118 |
|
|
mwexec("/usr/local/sbin/ipsec stop");
|
119 |
52c9f9fa
|
Ermal
|
/* Stop dynamic monitoring */
|
120 |
f8c10a18
|
Ermal
|
killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
|
121 |
98c02cac
|
Ermal
|
|
122 |
6c576b27
|
Ermal
|
/* wait for process to die */
|
123 |
8f67a8e1
|
Scott Ullrich
|
sleep(2);
|
124 |
|
|
|
125 |
84fa0d60
|
Scott Ullrich
|
/* disallow IPSEC, it is off */
|
126 |
52c9f9fa
|
Ermal
|
mwexec("/sbin/ifconfig enc0 down");
|
127 |
79eea0c1
|
Ermal
|
exec("/sbin/sysctl net.inet.ip.ipsec_in_use=0");
|
128 |
2f1e0311
|
Seth Mos
|
|
129 |
6a781df6
|
Ermal
|
return 0;
|
130 |
04b46591
|
Ermal Lu?i
|
} else {
|
131 |
3bb6bfd2
|
Ermal
|
mwexec("/sbin/ifconfig enc0 up");
|
132 |
6706a83a
|
Ermal
|
mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
|
133 |
52c9f9fa
|
Ermal
|
/* needed for config files */
|
134 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec"))
|
135 |
|
|
mkdir("{$g['varetc_path']}/ipsec");
|
136 |
3ad5fd27
|
Ermal
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
|
137 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
|
138 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
|
139 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
|
140 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
|
141 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
|
142 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
|
143 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
|
144 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
|
145 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
|
146 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
|
147 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
|
148 |
|
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
|
149 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
|
150 |
4a4fc162
|
Ermal
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
|
151 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
|
152 |
3ad5fd27
|
Ermal
|
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
|
153 |
|
|
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
|
154 |
496acde1
|
Ermal
|
|
155 |
3bb6bfd2
|
Ermal
|
|
156 |
924876a8
|
Ermal Lu?i
|
if ($g['booting'])
|
157 |
89ceb4ba
|
Renato Botelho
|
echo gettext("Configuring IPsec VPN... ");
|
158 |
924876a8
|
Ermal Lu?i
|
|
159 |
8f67a8e1
|
Scott Ullrich
|
/* fastforwarding is not compatible with ipsec tunnels */
|
160 |
979cd6db
|
Scott Ullrich
|
mwexec("/sbin/sysctl net.inet.ip.fastforwarding=0");
|
161 |
8f67a8e1
|
Scott Ullrich
|
|
162 |
a93e56c5
|
Matthew Grooms
|
/* resolve all local, peer addresses and setup pings */
|
163 |
|
|
$ipmap = array();
|
164 |
|
|
$rgmap = array();
|
165 |
f8c10a18
|
Ermal
|
$filterdns_list = array();
|
166 |
496acde1
|
Ermal
|
$listeniflist = array();
|
167 |
b0bf6bd0
|
Ermal
|
unset($iflist);
|
168 |
a93e56c5
|
Matthew Grooms
|
if (is_array($a_phase1) && count($a_phase1)) {
|
169 |
87e07f52
|
mgrooms
|
|
170 |
ac463c00
|
smos
|
$ipsecpinghosts = "";
|
171 |
87e07f52
|
mgrooms
|
/* step through each phase1 entry */
|
172 |
a93e56c5
|
Matthew Grooms
|
foreach ($a_phase1 as $ph1ent) {
|
173 |
|
|
if (isset($ph1ent['disabled']))
|
174 |
|
|
continue;
|
175 |
8f67a8e1
|
Scott Ullrich
|
|
176 |
496acde1
|
Ermal
|
$listeniflist = get_real_interface($a_phase1['interface']);
|
177 |
|
|
|
178 |
0af7398a
|
Matthew Grooms
|
$ep = ipsec_get_phase1_src($ph1ent);
|
179 |
fb17f629
|
Seth Mos
|
if (!is_ipaddr($ep))
|
180 |
a93e56c5
|
Matthew Grooms
|
continue;
|
181 |
8f67a8e1
|
Scott Ullrich
|
|
182 |
a93e56c5
|
Matthew Grooms
|
if(!in_array($ep,$ipmap))
|
183 |
|
|
$ipmap[] = $ep;
|
184 |
8f67a8e1
|
Scott Ullrich
|
|
185 |
a93e56c5
|
Matthew Grooms
|
/* see if this tunnel has a hostname for the remote-gateway. If so,
|
186 |
f8c10a18
|
Ermal
|
try to resolve it now and add it to the list for filterdns */
|
187 |
8f67a8e1
|
Scott Ullrich
|
|
188 |
3462a529
|
Matthew Grooms
|
if (isset ($ph1ent['mobile']))
|
189 |
|
|
continue;
|
190 |
|
|
|
191 |
a93e56c5
|
Matthew Grooms
|
$rg = $ph1ent['remote-gateway'];
|
192 |
979cd6db
|
Scott Ullrich
|
|
193 |
a93e56c5
|
Matthew Grooms
|
if (!is_ipaddr($rg)) {
|
194 |
f8c10a18
|
Ermal
|
$filterdns_list[] = "{$rg}";
|
195 |
c60cae98
|
Seth Mos
|
add_hostname_to_watch($rg);
|
196 |
621a459a
|
smos
|
if(! $g['booting'])
|
197 |
|
|
$rg = resolve_retry($rg);
|
198 |
|
|
if (!is_ipaddr($rg))
|
199 |
979cd6db
|
Scott Ullrich
|
continue;
|
200 |
a93e56c5
|
Matthew Grooms
|
}
|
201 |
829fa12e
|
smos
|
if(array_search($rg, $rgmap)) {
|
202 |
|
|
log_error("The remote gateway {$rg} already exists on another phase 1 entry");
|
203 |
|
|
continue;
|
204 |
|
|
}
|
205 |
a93e56c5
|
Matthew Grooms
|
$rgmap[$ph1ent['remote-gateway']] = $rg;
|
206 |
8f67a8e1
|
Scott Ullrich
|
|
207 |
a11df336
|
jim-p
|
if (is_array($a_phase2)) {
|
208 |
|
|
/* step through each phase2 entry */
|
209 |
|
|
foreach ($a_phase2 as $ph2ent) {
|
210 |
|
|
$ikeid = $ph2ent['ikeid'];
|
211 |
|
|
|
212 |
|
|
if (isset($ph2ent['disabled']))
|
213 |
|
|
continue;
|
214 |
|
|
|
215 |
|
|
if ($ikeid != $ph1ent['ikeid'])
|
216 |
|
|
continue;
|
217 |
|
|
|
218 |
|
|
/* add an ipsec pinghosts entry */
|
219 |
|
|
if ($ph2ent['pinghost']) {
|
220 |
b0bf6bd0
|
Ermal
|
if (!is_array($iflist))
|
221 |
|
|
$iflist = get_configured_interface_list();
|
222 |
a11df336
|
jim-p
|
foreach ($iflist as $ifent => $ifname) {
|
223 |
|
|
if(is_ipaddrv6($ph2ent['pinghost'])) {
|
224 |
|
|
$interface_ip = get_interface_ipv6($ifent);
|
225 |
|
|
if(!is_ipaddrv6($interface_ip))
|
226 |
|
|
continue;
|
227 |
d83045b5
|
Ermal
|
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
|
228 |
a11df336
|
jim-p
|
if (ip_in_subnet($interface_ip, $local_subnet)) {
|
229 |
|
|
$srcip = $interface_ip;
|
230 |
|
|
break;
|
231 |
|
|
}
|
232 |
|
|
} else {
|
233 |
|
|
$interface_ip = get_interface_ip($ifent);
|
234 |
|
|
if(!is_ipaddrv4($interface_ip))
|
235 |
|
|
continue;
|
236 |
d83045b5
|
Ermal
|
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
|
237 |
b0bf6bd0
|
Ermal
|
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
|
238 |
a11df336
|
jim-p
|
$srcip = $interface_ip;
|
239 |
|
|
break;
|
240 |
|
|
}
|
241 |
fb17f629
|
Seth Mos
|
}
|
242 |
a11df336
|
jim-p
|
}
|
243 |
|
|
$dstip = $ph2ent['pinghost'];
|
244 |
|
|
if(is_ipaddrv6($dstip)) {
|
245 |
|
|
$family = "inet6";
|
246 |
fb17f629
|
Seth Mos
|
} else {
|
247 |
a11df336
|
jim-p
|
$family = "inet";
|
248 |
741077bc
|
Ermal Lu?i
|
}
|
249 |
a11df336
|
jim-p
|
if (is_ipaddr($srcip))
|
250 |
|
|
$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
|
251 |
87e07f52
|
mgrooms
|
}
|
252 |
17da6c79
|
Scott Ullrich
|
}
|
253 |
a93e56c5
|
Matthew Grooms
|
}
|
254 |
|
|
}
|
255 |
923e440b
|
Renato Botelho
|
@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
|
256 |
|
|
unset($ipsecpinghosts);
|
257 |
a93e56c5
|
Matthew Grooms
|
}
|
258 |
496acde1
|
Ermal
|
unset($iflist);
|
259 |
|
|
|
260 |
|
|
$strongswan = <<<EOD
|
261 |
|
|
|
262 |
ecc37958
|
Ermal
|
#Automatically generated please do not modify
|
263 |
496acde1
|
Ermal
|
starter {
|
264 |
|
|
load_warning = no
|
265 |
|
|
}
|
266 |
|
|
|
267 |
|
|
charon {
|
268 |
|
|
|
269 |
|
|
# number of worker threads in charon
|
270 |
|
|
threads = 16
|
271 |
|
|
|
272 |
466a5a81
|
Ermal
|
# XXX: There is not much choice here really users win their security!
|
273 |
|
|
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
|
274 |
|
|
|
275 |
7335fa53
|
Ermal
|
# And two loggers using syslog. The subsections define the facility to log
|
276 |
|
|
# to, currently one of: daemon, auth.
|
277 |
|
|
syslog {
|
278 |
|
|
|
279 |
|
|
identifier = charon
|
280 |
|
|
# default level to the LOG_DAEMON facility
|
281 |
|
|
daemon {
|
282 |
|
|
}
|
283 |
|
|
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
|
284 |
|
|
auth {
|
285 |
|
|
default = -1
|
286 |
|
|
ike = 1
|
287 |
b7b3bc71
|
Ermal
|
ike_name = yes
|
288 |
7335fa53
|
Ermal
|
}
|
289 |
|
|
}
|
290 |
c6efc8fd
|
Ermal
|
|
291 |
496acde1
|
Ermal
|
EOD;
|
292 |
|
|
|
293 |
|
|
if (is_array($a_client) && isset($a_client['enable']) && !empty($a_client['net_list']))
|
294 |
|
|
$strongswan .= "\tcisco_unity = yes\n";
|
295 |
|
|
|
296 |
|
|
$strongswan .= "\tplugins {\n";
|
297 |
|
|
|
298 |
|
|
if (is_array($a_client) && isset($a_client['enable'])) {
|
299 |
|
|
$strongswan .= "\t\tattr {\n";
|
300 |
|
|
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
|
301 |
|
|
$pool_address = $a_client['pool_address'];
|
302 |
|
|
$pool_netmask = gen_subnet_mask($a_client['pool_netbits']);
|
303 |
|
|
$pool_address = long2ip32(ip2long($pool_address)+1);
|
304 |
|
|
|
305 |
|
|
$strongswan .= "\t\taddress = {$pool_address}\n";
|
306 |
|
|
$strongswan .= "\t\tnetmask = {$pool_netmask}\n";
|
307 |
|
|
}
|
308 |
|
|
|
309 |
|
|
$cfgservers = array();
|
310 |
|
|
if (!empty($a_client['dns_server1']))
|
311 |
|
|
$cfgservers[] = $a_client['dns_server1'];
|
312 |
|
|
if (!empty($a_client['dns_server2']))
|
313 |
|
|
$cfgservers[] = $a_client['dns_server2'];
|
314 |
|
|
if (!empty($a_client['dns_server3']))
|
315 |
|
|
$cfgservers[] = $a_client['dns_server3'];
|
316 |
|
|
if (!empty($a_client['dns_server4']))
|
317 |
|
|
$cfgservers[] = $a_client['dns_server4'];
|
318 |
|
|
|
319 |
|
|
if (!empty($cfgservers))
|
320 |
|
|
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
|
321 |
|
|
unset($cfgservers);
|
322 |
|
|
$cfgservers = array();
|
323 |
|
|
if (!empty($a_client['wins_server1']))
|
324 |
|
|
$cfgservers[] = $a_client['wins_server1'];
|
325 |
|
|
if (!empty($a_client['wins_server2']))
|
326 |
|
|
$cfgservers[] = $a_client['wins_server2'];
|
327 |
|
|
if (!empty($cfgservers))
|
328 |
|
|
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
|
329 |
|
|
unset($cfgservers);
|
330 |
|
|
|
331 |
|
|
if (!empty($a_client['net_list'])) {
|
332 |
|
|
$net_list = '';
|
333 |
|
|
foreach ($a_phase2 as $ph2ent) {
|
334 |
|
|
if (isset($ph2ent['disabled']))
|
335 |
|
|
continue;
|
336 |
|
|
|
337 |
|
|
if (!isset($ph2ent['mobile']))
|
338 |
|
|
continue;
|
339 |
|
|
|
340 |
|
|
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
|
341 |
|
|
|
342 |
|
|
if ($net_list)
|
343 |
|
|
$net_list .= ", ";
|
344 |
|
|
$net_list .= $localid;
|
345 |
|
|
}
|
346 |
|
|
|
347 |
|
|
if (!empty($net_list)) {
|
348 |
|
|
$strongswan .= "\t\tsubnet = {$net_list}\n";
|
349 |
|
|
$strongswan .= "\t\tsplit-include = {$net_list}\n";
|
350 |
|
|
unset($net_list);
|
351 |
|
|
}
|
352 |
|
|
}
|
353 |
|
|
|
354 |
|
|
if (!empty($a_client['dns_domain'])) {
|
355 |
|
|
$strongswan .= "\t\t# Search domain and default domain\n";
|
356 |
|
|
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
|
357 |
|
|
if (empty($a_client['dns_split']))
|
358 |
|
|
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
|
359 |
|
|
$strongswan .= "\n";
|
360 |
|
|
}
|
361 |
|
|
|
362 |
|
|
if (!empty($a_client['dns_split'])) {
|
363 |
|
|
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
|
364 |
|
|
}
|
365 |
|
|
|
366 |
|
|
if (!empty($a_client['login_banner']))
|
367 |
|
|
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
|
368 |
|
|
|
369 |
|
|
if (isset($a_client['save_passwd']))
|
370 |
|
|
$strongswan .= "\t\t28673 = yes\n";
|
371 |
|
|
|
372 |
|
|
if ($a_client['pfs_group'])
|
373 |
|
|
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
|
374 |
|
|
$strongswan .= "\t\t}\n";
|
375 |
|
|
|
376 |
91287d1f
|
Ermal
|
if ($a_client['user_source'] != "none") {
|
377 |
|
|
$strongswan .= "\txauth-generic {\n";
|
378 |
c6efc8fd
|
Ermal
|
$strongswan .= "\t\tscript = /etc/inc/ipsec.auth-user.php\n";
|
379 |
91287d1f
|
Ermal
|
$strongswan .= "\t\tauthcfg = ";
|
380 |
|
|
$firstsed = 0;
|
381 |
c6efc8fd
|
Ermal
|
$authcfgs = explode(",", $a_client['user_source']);
|
382 |
91287d1f
|
Ermal
|
foreach ($authcfgs as $authcfg) {
|
383 |
|
|
if ($firstsed > 0)
|
384 |
|
|
$strongswan .= ",";
|
385 |
|
|
if ($authcfg == "system")
|
386 |
|
|
$authcfg = "Local Database";
|
387 |
|
|
$strongswan .= $authcfg;
|
388 |
|
|
$firstsed = 1;
|
389 |
|
|
}
|
390 |
|
|
$strongswan .= "\n";
|
391 |
|
|
$strongswan .= "\t}\n";
|
392 |
|
|
}
|
393 |
496acde1
|
Ermal
|
}
|
394 |
|
|
|
395 |
|
|
$strongswan .= "\t}\n}\n";
|
396 |
|
|
@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
|
397 |
|
|
unset($strongswan);
|
398 |
8f67a8e1
|
Scott Ullrich
|
|
399 |
a93e56c5
|
Matthew Grooms
|
/* generate CA certificates files */
|
400 |
1e332e98
|
jim-p
|
if (is_array($config['ca']) && count($config['ca'])) {
|
401 |
|
|
foreach ($config['ca'] as $ca) {
|
402 |
73fbece8
|
mgrooms
|
if (!isset($ca['crt'])) {
|
403 |
4816e5ca
|
Renato Botelho
|
log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
|
404 |
73fbece8
|
mgrooms
|
continue;
|
405 |
|
|
}
|
406 |
|
|
$cert = base64_decode($ca['crt']);
|
407 |
|
|
$x509cert = openssl_x509_parse(openssl_x509_read($cert));
|
408 |
|
|
if (!is_array($x509cert) || !isset($x509cert['hash'])) {
|
409 |
4816e5ca
|
Renato Botelho
|
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
|
410 |
73fbece8
|
mgrooms
|
continue;
|
411 |
|
|
}
|
412 |
3ad5fd27
|
Ermal
|
$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
|
413 |
52c9f9fa
|
Ermal
|
if (!@file_put_contents($fname, $cert)) {
|
414 |
4816e5ca
|
Renato Botelho
|
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
|
415 |
73fbece8
|
mgrooms
|
continue;
|
416 |
a93e56c5
|
Matthew Grooms
|
}
|
417 |
a49784a2
|
Ermal
|
unset($cert);
|
418 |
a93e56c5
|
Matthew Grooms
|
}
|
419 |
|
|
}
|
420 |
09628a07
|
Renato Botelho
|
|
421 |
a93e56c5
|
Matthew Grooms
|
$pskconf = "";
|
422 |
037b51b3
|
Seth Mos
|
|
423 |
a93e56c5
|
Matthew Grooms
|
if (is_array($a_phase1) && count($a_phase1)) {
|
424 |
|
|
foreach ($a_phase1 as $ph1ent) {
|
425 |
|
|
|
426 |
|
|
if (isset($ph1ent['disabled']))
|
427 |
|
|
continue;
|
428 |
|
|
|
429 |
496acde1
|
Ermal
|
if (strstr($ph1ent['authentication_method'],'rsa')) {
|
430 |
|
|
$certline = '';
|
431 |
a93e56c5
|
Matthew Grooms
|
|
432 |
496acde1
|
Ermal
|
if (strstr($authmethod,'rsa')) {
|
433 |
a93e56c5
|
Matthew Grooms
|
|
434 |
496acde1
|
Ermal
|
$cert = lookup_cert($ph1ent['certref']);
|
435 |
a93e56c5
|
Matthew Grooms
|
|
436 |
496acde1
|
Ermal
|
if (!$cert) {
|
437 |
|
|
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
|
438 |
|
|
continue;
|
439 |
|
|
}
|
440 |
a93e56c5
|
Matthew Grooms
|
|
441 |
496acde1
|
Ermal
|
chmod($certpath, 0600);
|
442 |
|
|
|
443 |
|
|
$keyfile = "cert-{$ikeid}.key";
|
444 |
|
|
$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}";
|
445 |
8f67a8e1
|
Scott Ullrich
|
|
446 |
496acde1
|
Ermal
|
if (!file_put_contents($keypath, base64_decode($cert['prv']))) {
|
447 |
|
|
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
|
448 |
|
|
continue;
|
449 |
|
|
}
|
450 |
|
|
|
451 |
|
|
chmod($keypath, 0600);
|
452 |
|
|
/* XXX" Traffic selectors? */
|
453 |
|
|
$pskconf .= " : RSA {$keypath}\n";
|
454 |
|
|
|
455 |
|
|
$ca = lookup_ca($ph1ent['caref']);
|
456 |
|
|
if ($ca) {
|
457 |
|
|
$cafile = "ca-{$ikeid}.crt";
|
458 |
3ad5fd27
|
Ermal
|
$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}";
|
459 |
496acde1
|
Ermal
|
|
460 |
|
|
if (!file_put_contents($capath, base64_decode($ca['crt'])))
|
461 |
|
|
{
|
462 |
|
|
log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name']));
|
463 |
|
|
continue;
|
464 |
|
|
}
|
465 |
|
|
|
466 |
|
|
chmod($capath, 0600);
|
467 |
|
|
}
|
468 |
|
|
}
|
469 |
|
|
} else {
|
470 |
|
|
|
471 |
|
|
$peerid_type = $ph1ent['peerid_type'];
|
472 |
|
|
|
473 |
|
|
switch ($peerid_type) {
|
474 |
|
|
case "peeraddress":
|
475 |
|
|
$peerid_type = "address";
|
476 |
|
|
$peerid_data = $rgmap[$ph1ent['remote-gateway']];
|
477 |
|
|
break;
|
478 |
|
|
|
479 |
|
|
case "address";
|
480 |
|
|
$peerid_data = $ph1ent['peerid_data'];
|
481 |
|
|
break;
|
482 |
|
|
|
483 |
|
|
case "fqdn";
|
484 |
|
|
case "keyid tag";
|
485 |
|
|
case "user_fqdn";
|
486 |
|
|
$peerid_data = $ph1ent['peerid_data'];
|
487 |
|
|
break;
|
488 |
|
|
}
|
489 |
|
|
|
490 |
|
|
if (!empty($peerid_data) && !empty($ph1ent['pre-shared-key']))
|
491 |
c6efc8fd
|
Ermal
|
$pskconf .= trim($peerid_data) . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
|
492 |
496acde1
|
Ermal
|
}
|
493 |
5b237745
|
Scott Ullrich
|
}
|
494 |
a93e56c5
|
Matthew Grooms
|
}
|
495 |
|
|
|
496 |
4ed2dde7
|
jim-p
|
/* Add user PSKs */
|
497 |
|
|
foreach ($config['system']['user'] as $user) {
|
498 |
|
|
if (!empty($user['ipsecpsk'])) {
|
499 |
496acde1
|
Ermal
|
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
|
500 |
4ed2dde7
|
jim-p
|
}
|
501 |
|
|
}
|
502 |
|
|
|
503 |
2ef1b601
|
jim-p
|
/* add PSKs for mobile clients */
|
504 |
|
|
if (is_array($ipseccfg['mobilekey'])) {
|
505 |
|
|
foreach ($ipseccfg['mobilekey'] as $key) {
|
506 |
f1bede03
|
Ermal
|
if ($key['ident'] == "allusers")
|
507 |
|
|
$key['ident'] = '';
|
508 |
496acde1
|
Ermal
|
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
509 |
2ef1b601
|
jim-p
|
}
|
510 |
|
|
}
|
511 |
|
|
|
512 |
496acde1
|
Ermal
|
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
|
513 |
|
|
chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
|
514 |
a49784a2
|
Ermal
|
unset($pskconf);
|
515 |
09628a07
|
Renato Botelho
|
|
516 |
3eeac256
|
Ermal
|
$natfilterrules = false;
|
517 |
496acde1
|
Ermal
|
/* begin ipsec.conf */
|
518 |
|
|
$ipsecconf = "";
|
519 |
52c9f9fa
|
Ermal
|
if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {
|
520 |
17da6c79
|
Scott Ullrich
|
|
521 |
496acde1
|
Ermal
|
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
|
522 |
|
|
if (is_array($a_phase2) && count($a_phase2)) {
|
523 |
|
|
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
|
524 |
9abaa8f7
|
Ermal
|
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
|
525 |
4178a1dd
|
jim-p
|
|
526 |
496acde1
|
Ermal
|
foreach ($a_phase2 as $ph2ent) {
|
527 |
|
|
$ikeid = $ph2ent['ikeid'];
|
528 |
96267107
|
Ermal
|
|
529 |
496acde1
|
Ermal
|
$ph1ent = false;
|
530 |
|
|
if (!ipsec_lookup_phase1($ph2ent,$ph1ent))
|
531 |
|
|
continue;
|
532 |
3462a529
|
Matthew Grooms
|
|
533 |
a93e56c5
|
Matthew Grooms
|
if (isset($ph1ent['disabled']))
|
534 |
|
|
continue;
|
535 |
c52719a8
|
Scott Ullrich
|
|
536 |
496acde1
|
Ermal
|
if (isset($ph2ent['disabled']))
|
537 |
3462a529
|
Matthew Grooms
|
continue;
|
538 |
|
|
|
539 |
f1bede03
|
Ermal
|
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
540 |
|
|
continue;
|
541 |
|
|
|
542 |
a93e56c5
|
Matthew Grooms
|
$ikeid = $ph1ent['ikeid'];
|
543 |
c52719a8
|
Scott Ullrich
|
|
544 |
b4ad5b1c
|
Ermal
|
if ($ph1ent['mode'] == "aggressive")
|
545 |
|
|
$aggressive = "yes";
|
546 |
|
|
else
|
547 |
|
|
$aggressive = "no";
|
548 |
|
|
|
549 |
0af7398a
|
Matthew Grooms
|
$ep = ipsec_get_phase1_src($ph1ent);
|
550 |
a93e56c5
|
Matthew Grooms
|
if (!$ep)
|
551 |
979cd6db
|
Scott Ullrich
|
continue;
|
552 |
c52719a8
|
Scott Ullrich
|
|
553 |
f1bede03
|
Ermal
|
$passive = "start";
|
554 |
|
|
if (isset($ph1ent['mobile'])) {
|
555 |
|
|
$rgip = "%any";
|
556 |
|
|
$passive = 'add';
|
557 |
|
|
} else
|
558 |
f9fb8d2b
|
Ermal
|
$rgip = $ph1ent['remote-gateway'];
|
559 |
3462a529
|
Matthew Grooms
|
|
560 |
f1bede03
|
Ermal
|
$keyexchange = "ikev1";
|
561 |
|
|
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
|
562 |
|
|
$keyexchange = "ikev2";
|
563 |
c52719a8
|
Scott Ullrich
|
|
564 |
f1bede03
|
Ermal
|
$myid_type = $ph1ent['myid_type'];
|
565 |
a93e56c5
|
Matthew Grooms
|
switch ($myid_type) {
|
566 |
496acde1
|
Ermal
|
case "myaddress":
|
567 |
|
|
$myid_type = "address";
|
568 |
|
|
$myid_data = $ep;
|
569 |
|
|
break;
|
570 |
725dd10a
|
Scott Ullrich
|
|
571 |
496acde1
|
Ermal
|
case "dyn_dns":
|
572 |
|
|
$myid_type = "address";
|
573 |
|
|
$myid_data = resolve_retry($ph1ent['myid_data']);
|
574 |
|
|
break;
|
575 |
c52719a8
|
Scott Ullrich
|
|
576 |
496acde1
|
Ermal
|
case "address";
|
577 |
|
|
$myid_data = $ph1ent['myid_data'];
|
578 |
|
|
break;
|
579 |
a93e56c5
|
Matthew Grooms
|
|
580 |
496acde1
|
Ermal
|
case "fqdn";
|
581 |
|
|
case "keyid tag";
|
582 |
|
|
case "user_fqdn";
|
583 |
|
|
case "asn1dn";
|
584 |
|
|
$myid_data = $ph1ent['myid_data'];
|
585 |
|
|
if( $myid_data )
|
586 |
484e6adc
|
Ermal
|
$myid_data = "{$myid_data}";
|
587 |
496acde1
|
Ermal
|
break;
|
588 |
a63f7d55
|
Scott Ullrich
|
}
|
589 |
c52719a8
|
Scott Ullrich
|
|
590 |
a93e56c5
|
Matthew Grooms
|
$peerid_type = $ph1ent['peerid_type'];
|
591 |
|
|
switch ($peerid_type) {
|
592 |
496acde1
|
Ermal
|
case "peeraddress":
|
593 |
|
|
$peerid_type = "address";
|
594 |
|
|
$peerid_data = $rgip;
|
595 |
|
|
break;
|
596 |
a93e56c5
|
Matthew Grooms
|
|
597 |
496acde1
|
Ermal
|
case "address";
|
598 |
|
|
$peerid_data = $ph1ent['peerid_data'];
|
599 |
|
|
break;
|
600 |
a93e56c5
|
Matthew Grooms
|
|
601 |
496acde1
|
Ermal
|
case "fqdn";
|
602 |
|
|
case "keyid tag";
|
603 |
|
|
case "user_fqdn";
|
604 |
|
|
case "asn1dn";
|
605 |
|
|
$peerid_data = $ph1ent['peerid_data'];
|
606 |
|
|
if( $peerid_data )
|
607 |
484e6adc
|
Ermal
|
$peerid_data = "{$peerid_data}";
|
608 |
496acde1
|
Ermal
|
break;
|
609 |
d597b0b9
|
Scott Ullrich
|
}
|
610 |
6586b30f
|
Ermal
|
|
611 |
|
|
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
|
612 |
|
|
$peerid_spec = '';
|
613 |
7a1f391a
|
Ermal
|
if (!isset($ph1ent['mobile']))
|
614 |
6586b30f
|
Ermal
|
$peerid_spec = $peerid_data;
|
615 |
d597b0b9
|
Scott Ullrich
|
|
616 |
496acde1
|
Ermal
|
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
617 |
|
|
$ealgosp1 = '';
|
618 |
|
|
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
619 |
|
|
$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
|
620 |
|
|
if ($ealg_kl)
|
621 |
|
|
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
|
622 |
|
|
else
|
623 |
|
|
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
|
624 |
73fbece8
|
mgrooms
|
|
625 |
496acde1
|
Ermal
|
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
|
626 |
|
|
if (!empty($modp))
|
627 |
|
|
$ealgosp1 .= "-{$modp}";
|
628 |
dc291feb
|
jim-p
|
|
629 |
496acde1
|
Ermal
|
if ($keyexchange == "ikev1")
|
630 |
|
|
$ealgosp1 .= "!";
|
631 |
|
|
}
|
632 |
96ef83a7
|
jim-p
|
|
633 |
496acde1
|
Ermal
|
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
|
634 |
|
|
if ($passive == "start")
|
635 |
|
|
$dpdline = "dpdaction = restart";
|
636 |
|
|
else
|
637 |
|
|
$dpdline = "dpdaction = clear";
|
638 |
|
|
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
|
639 |
|
|
$dpdline .= "\n\tdpdtimeout = {$ph1ent['dpd_maxfail']}s";
|
640 |
|
|
} else
|
641 |
|
|
$dpdline = "dpdaction = none";
|
642 |
96ef83a7
|
jim-p
|
|
643 |
f1bede03
|
Ermal
|
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
644 |
496acde1
|
Ermal
|
$xauth = "xauth = server";
|
645 |
a93e56c5
|
Matthew Grooms
|
|
646 |
|
|
$lifeline = '';
|
647 |
|
|
if ($ph1ent['lifetime'])
|
648 |
496acde1
|
Ermal
|
$lifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
649 |
3462a529
|
Matthew Grooms
|
|
650 |
98790f61
|
Seth Mos
|
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
651 |
496acde1
|
Ermal
|
$tunneltype = "type = tunnel";
|
652 |
c52719a8
|
Scott Ullrich
|
|
653 |
4b96b367
|
mgrooms
|
$localid_type = $ph2ent['localid']['type'];
|
654 |
d83045b5
|
Ermal
|
$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
|
655 |
8f5c3d8d
|
Pierre POMES
|
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
|
656 |
d60eea55
|
Ermal
|
if (($localid_type == "none" || $localid_type == "mobile")
|
657 |
8f5c3d8d
|
Pierre POMES
|
&& isset($ph1ent['mobile'])
|
658 |
|
|
&& (ipsec_get_number_of_phase2($ikeid)==1))
|
659 |
d60eea55
|
Ermal
|
$localid_spec = "%any";
|
660 |
aab78bd9
|
pierrepomes
|
else {
|
661 |
20699f3f
|
jim-p
|
if ($localid_type != "address") {
|
662 |
|
|
$localid_type = "subnet";
|
663 |
|
|
}
|
664 |
6c576b27
|
Ermal
|
// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
|
665 |
2c6de2ea
|
jim-p
|
if (!is_ipaddr($localid_data) && !is_subnet($localid_data) && ($localid_data != "0.0.0.0/0")) {
|
666 |
cf0a2714
|
jim-p
|
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
|
667 |
|
|
continue;
|
668 |
|
|
}
|
669 |
496acde1
|
Ermal
|
$localid_spec = $ep;
|
670 |
3eeac256
|
Ermal
|
if (!empty($ph2ent['natlocalid'])) {
|
671 |
d83045b5
|
Ermal
|
$natlocalid_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
|
672 |
a0c4a6ce
|
Ermal
|
if ($ph2ent['natlocalid']['type'] != "address") {
|
673 |
|
|
if (is_subnet($natlocalid_data))
|
674 |
3eeac256
|
Ermal
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
675 |
a0c4a6ce
|
Ermal
|
} else {
|
676 |
|
|
if (is_ipaddr($natlocalid_data))
|
677 |
3eeac256
|
Ermal
|
$localid_data = "{$natlocalid_data}|{$localid_data}";
|
678 |
3c107b76
|
Ermal
|
}
|
679 |
3eeac256
|
Ermal
|
$natfilterrules = true;
|
680 |
3c107b76
|
Ermal
|
}
|
681 |
20699f3f
|
jim-p
|
}
|
682 |
3462a529
|
Matthew Grooms
|
|
683 |
4b96b367
|
mgrooms
|
if (!isset($ph2ent['mobile'])) {
|
684 |
|
|
$remoteid_type = $ph2ent['remoteid']['type'];
|
685 |
|
|
if ($remoteid_type != "address")
|
686 |
|
|
$remoteid_type = "subnet";
|
687 |
3462a529
|
Matthew Grooms
|
|
688 |
d83045b5
|
Ermal
|
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
689 |
496acde1
|
Ermal
|
$remoteid_spec = $remoteid_data;
|
690 |
9879f03a
|
Ermal
|
}
|
691 |
4b96b367
|
mgrooms
|
} else {
|
692 |
496acde1
|
Ermal
|
$tunneltype = "type = transport";
|
693 |
f9fb8d2b
|
Ermal
|
$rgip = $ph1ent['remote-gateway'];
|
694 |
5b237745
|
Scott Ullrich
|
|
695 |
20699f3f
|
jim-p
|
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
|
696 |
|
|
($ph1ent['authentication_method'] == "pre_shared_key"))
|
697 |
|
|
&& isset($ph1ent['mobile']))
|
698 |
496acde1
|
Ermal
|
$localid_spec = "%any";
|
699 |
20699f3f
|
jim-p
|
else {
|
700 |
|
|
$localid_data = ipsec_get_phase1_src($ph1ent);
|
701 |
496acde1
|
Ermal
|
$localid_spec = $ep;
|
702 |
20699f3f
|
jim-p
|
}
|
703 |
|
|
if (!isset($ph2ent['mobile'])) {
|
704 |
f1bede03
|
Ermal
|
$remoteid_spec = $rgip;
|
705 |
496acde1
|
Ermal
|
}
|
706 |
|
|
}
|
707 |
|
|
$authentication = "";
|
708 |
|
|
switch ($ph1ent['authentication_method']) {
|
709 |
|
|
case 'xauth_rsa_server':
|
710 |
|
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
711 |
abd3c8f4
|
Ermal
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
712 |
496acde1
|
Ermal
|
break;
|
713 |
|
|
case 'xauth_psk_server':
|
714 |
|
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
715 |
abd3c8f4
|
Ermal
|
$authentication .= "\n\trightauth2 = xauth-generic";
|
716 |
496acde1
|
Ermal
|
break;
|
717 |
|
|
case 'pre_shared_key':
|
718 |
|
|
$authentication = "leftauth = psk\n\trightauth = psk";
|
719 |
|
|
break;
|
720 |
|
|
case 'rsasig':
|
721 |
|
|
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
|
722 |
|
|
break;
|
723 |
|
|
case 'hybrid_rsa_server':
|
724 |
ff3d516f
|
Ermal
|
$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
|
725 |
496acde1
|
Ermal
|
$authentication .= "\n\trightauth2 = xauth";
|
726 |
|
|
break;
|
727 |
3462a529
|
Matthew Grooms
|
}
|
728 |
c52719a8
|
Scott Ullrich
|
|
729 |
496acde1
|
Ermal
|
if (isset($a_client['pfs_group']))
|
730 |
|
|
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
731 |
f1bede03
|
Ermal
|
|
732 |
496acde1
|
Ermal
|
$ealgosp2 = '';
|
733 |
|
|
if ($ph2ent['protocol'] == 'esp') {
|
734 |
|
|
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
735 |
|
|
$ealgosp2arr = array();
|
736 |
|
|
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
|
737 |
|
|
$ealg_id = $ealg['name'];
|
738 |
|
|
$ealg_kl = $ealg['keylen'];
|
739 |
|
|
|
740 |
|
|
if (!empty($ealg_kl) && $ealg_kl == "auto") {
|
741 |
|
|
if (empty($p2_ealgos) || !is_array($p2_ealgos))
|
742 |
4ae540e5
|
Scott Ullrich
|
require("ipsec.inc");
|
743 |
4b96b367
|
mgrooms
|
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
|
744 |
|
|
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
|
745 |
|
|
$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
|
746 |
496acde1
|
Ermal
|
/* XXX: in some cases where include ordering is suspect these variables
|
747 |
|
|
* are somehow 0 and we enter this loop forever and timeout after 900
|
748 |
|
|
* seconds wrecking bootup */
|
749 |
|
|
if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
|
750 |
d86d411a
|
Scott Ullrich
|
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
|
751 |
496acde1
|
Ermal
|
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
752 |
|
|
$halgo = str_replace('hmac_', '', $halgo);
|
753 |
|
|
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
|
754 |
|
|
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
755 |
|
|
if (!empty($modp))
|
756 |
|
|
$tmpealgo .= "-{$modp}";
|
757 |
|
|
$ealgosp2arr[] = $tmpealgo;
|
758 |
|
|
}
|
759 |
d86d411a
|
Scott Ullrich
|
}
|
760 |
4b96b367
|
mgrooms
|
}
|
761 |
|
|
} else {
|
762 |
496acde1
|
Ermal
|
foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
|
763 |
|
|
$halgo = str_replace('hmac_', '', $halgo);
|
764 |
|
|
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
|
765 |
|
|
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
766 |
|
|
if (!empty($modp))
|
767 |
|
|
$tmpealgo .= "-{$modp}";
|
768 |
|
|
$ealgosp2arr[] = $tmpealgo;
|
769 |
|
|
}
|
770 |
a93e56c5
|
Matthew Grooms
|
}
|
771 |
979cd6db
|
Scott Ullrich
|
}
|
772 |
496acde1
|
Ermal
|
$ealgosp2 = "esp = " . join(",", $ealgosp2arr);
|
773 |
|
|
unset($ealgosp2arr);
|
774 |
|
|
$ealgosp2 .= "!";
|
775 |
|
|
}
|
776 |
|
|
} else if ($ph2ent['protocol'] == 'ah') {
|
777 |
|
|
if (is_array($ph2ent['hash-algorithm-option'])) {
|
778 |
|
|
$ealgosp2 = "ah = " . join(",", $ph2ent['hash-algorithm-option']);
|
779 |
|
|
$ealgosp2 = str_replace('hmac_', '', $ealgosp2);
|
780 |
|
|
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
|
781 |
|
|
if (!empty($modp))
|
782 |
|
|
$ealgosp2 .= "-{$modp}";
|
783 |
|
|
$ealgosp2 .= "!";
|
784 |
a93e56c5
|
Matthew Grooms
|
}
|
785 |
a63f7d55
|
Scott Ullrich
|
}
|
786 |
c52719a8
|
Scott Ullrich
|
|
787 |
4b96b367
|
mgrooms
|
|
788 |
|
|
if ($ph2ent['lifetime'])
|
789 |
496acde1
|
Ermal
|
$lifeline = "ikelifetime = {$ph2ent['lifetime']}s";
|
790 |
|
|
|
791 |
|
|
$ipsecconf .=<<<EOD
|
792 |
|
|
|
793 |
e26e5e25
|
Ermal
|
conn con{$ph2ent['ikeid']}-{$ph2ent['ikeid']}
|
794 |
496acde1
|
Ermal
|
aggressive = {$aggressive}
|
795 |
|
|
fragmentation = yes
|
796 |
|
|
keyexchange = {$keyexchange}
|
797 |
|
|
keyingtries = %forever
|
798 |
|
|
reauth = yes
|
799 |
|
|
reqid = {$ikeid}
|
800 |
|
|
installpolicy = yes
|
801 |
3462a529
|
Matthew Grooms
|
{$lifeline}
|
802 |
496acde1
|
Ermal
|
{$tunneltype}
|
803 |
|
|
{$dpdline}
|
804 |
|
|
auto = {$passive}
|
805 |
|
|
left = {$localid_spec}
|
806 |
|
|
leftsubnet = {$localid_data}
|
807 |
|
|
right = {$rgip}
|
808 |
|
|
leftid = {$myid_data}
|
809 |
5b237745
|
Scott Ullrich
|
|
810 |
|
|
EOD;
|
811 |
4b96b367
|
mgrooms
|
|
812 |
496acde1
|
Ermal
|
if (!empty($remoteid_spec))
|
813 |
|
|
$ipsecconf .= "\trightsubnet = $remoteid_spec\n";
|
814 |
|
|
if (!empty($ealgosp1))
|
815 |
|
|
$ipsecconf .= "\t{$ealgosp1}\n";
|
816 |
|
|
if (!empty($ealgosp2))
|
817 |
|
|
$ipsecconf .= "\t{$ealgosp2}\n";
|
818 |
|
|
if (!empty($authentication))
|
819 |
|
|
$ipsecconf .= "\t{$authentication}\n";
|
820 |
|
|
if (!empty($peerid_spec))
|
821 |
|
|
$ipsecconf .= "\trightid = {$peerid_spec}\n";
|
822 |
09628a07
|
Renato Botelho
|
}
|
823 |
a93e56c5
|
Matthew Grooms
|
}
|
824 |
|
|
}
|
825 |
496acde1
|
Ermal
|
}
|
826 |
|
|
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
|
827 |
|
|
unset($ipsecconf);
|
828 |
6c576b27
|
Ermal
|
/* end ipsec.conf */
|
829 |
496acde1
|
Ermal
|
|
830 |
6c576b27
|
Ermal
|
/* mange process */
|
831 |
c6efc8fd
|
Ermal
|
if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
|
832 |
7335fa53
|
Ermal
|
/* Read secrets */
|
833 |
|
|
mwexec("/usr/local/sbin/ipsec rereadall", false);
|
834 |
|
|
/* Update configuration changes */
|
835 |
|
|
mwexec("/usr/local/sbin/ipsec update", false);
|
836 |
496acde1
|
Ermal
|
} else {
|
837 |
63159749
|
Ermal
|
mwexec("/usr/local/sbin/ipsec start", false);
|
838 |
496acde1
|
Ermal
|
}
|
839 |
9abaa8f7
|
Ermal
|
|
840 |
496acde1
|
Ermal
|
if ($natfilterrules == true)
|
841 |
|
|
filter_configure();
|
842 |
|
|
/* start filterdns, if necessary */
|
843 |
|
|
if (count($filterdns_list) > 0) {
|
844 |
|
|
$interval = 60;
|
845 |
|
|
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
|
846 |
|
|
$interval = $ipseccfg['dns-interval'];
|
847 |
|
|
|
848 |
|
|
$hostnames = "";
|
849 |
|
|
array_unique($filterdns_list);
|
850 |
|
|
foreach ($filterdns_list as $hostname)
|
851 |
|
|
$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
|
852 |
|
|
file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
|
853 |
|
|
unset($hostnames);
|
854 |
|
|
|
855 |
|
|
if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid"))
|
856 |
|
|
sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
|
857 |
|
|
else {
|
858 |
|
|
mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
|
859 |
5b237745
|
Scott Ullrich
|
}
|
860 |
496acde1
|
Ermal
|
} else {
|
861 |
|
|
killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
|
862 |
|
|
@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
|
863 |
|
|
}
|
864 |
09628a07
|
Renato Botelho
|
|
865 |
496acde1
|
Ermal
|
if ($g['booting'])
|
866 |
|
|
echo "done\n";
|
867 |
8f67a8e1
|
Scott Ullrich
|
|
868 |
496acde1
|
Ermal
|
return count($filterdns_list);
|
869 |
5b237745
|
Scott Ullrich
|
}
|
870 |
|
|
|
871 |
09628a07
|
Renato Botelho
|
/*
|
872 |
52c9f9fa
|
Ermal
|
* Forcefully restart IPsec
|
873 |
67ee1ec5
|
Ermal Luçi
|
* This is required for when dynamic interfaces reload
|
874 |
|
|
* For all other occasions the normal vpn_ipsec_configure()
|
875 |
|
|
* will gracefully reload the settings without restarting
|
876 |
|
|
*/
|
877 |
aa752473
|
Renato Botelho
|
function vpn_ipsec_force_reload($interface = "") {
|
878 |
|
|
global $g, $config;
|
879 |
67ee1ec5
|
Ermal Luçi
|
|
880 |
|
|
$ipseccfg = $config['ipsec'];
|
881 |
|
|
|
882 |
aa752473
|
Renato Botelho
|
if (!empty($interface) && is_array($ipseccfg['phase1'])) {
|
883 |
|
|
$found = false;
|
884 |
|
|
foreach ($ipseccfg['phase1'] as $ipsec) {
|
885 |
|
|
if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) {
|
886 |
|
|
$found = true;
|
887 |
|
|
break;
|
888 |
|
|
}
|
889 |
|
|
}
|
890 |
|
|
if (!$found) {
|
891 |
8b4abd59
|
Ermal
|
log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
|
892 |
aa752473
|
Renato Botelho
|
return;
|
893 |
|
|
}
|
894 |
|
|
}
|
895 |
|
|
|
896 |
67ee1ec5
|
Ermal Luçi
|
/* if ipsec is enabled, start up again */
|
897 |
|
|
if (isset($ipseccfg['enable'])) {
|
898 |
8b4abd59
|
Ermal
|
log_error(gettext("Forcefully reloading IPsec"));
|
899 |
67ee1ec5
|
Ermal Luçi
|
vpn_ipsec_configure();
|
900 |
|
|
}
|
901 |
|
|
}
|
902 |
|
|
|
903 |
|
|
/* master setup for vpn (mpd) */
|
904 |
|
|
function vpn_setup() {
|
905 |
7734aea6
|
Andrew Thompson
|
global $g;
|
906 |
|
|
|
907 |
|
|
if ($g['platform'] == 'jail')
|
908 |
|
|
return;
|
909 |
|
|
|
910 |
67ee1ec5
|
Ermal Luçi
|
/* start pptpd */
|
911 |
|
|
vpn_pptpd_configure();
|
912 |
|
|
|
913 |
|
|
/* start pppoe server */
|
914 |
0e642c78
|
Ermal
|
vpn_pppoes_configure();
|
915 |
67ee1ec5
|
Ermal Luçi
|
|
916 |
|
|
/* setup l2tp */
|
917 |
|
|
vpn_l2tp_configure();
|
918 |
|
|
}
|
919 |
|
|
|
920 |
67b057a9
|
Ermal
|
function vpn_netgraph_support() {
|
921 |
|
|
$iflist = get_configured_interface_list();
|
922 |
|
|
foreach ($iflist as $iface) {
|
923 |
|
|
$realif = get_real_interface($iface);
|
924 |
|
|
/* Get support for netgraph(4) from the nic */
|
925 |
c513c309
|
Ermal
|
$ifinfo = pfSense_get_interface_addresses($realif);
|
926 |
|
|
if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge")))
|
927 |
09628a07
|
Renato Botelho
|
pfSense_ngctl_attach(".", $realif);
|
928 |
67b057a9
|
Ermal
|
}
|
929 |
|
|
}
|
930 |
|
|
|
931 |
5b237745
|
Scott Ullrich
|
function vpn_pptpd_configure() {
|
932 |
|
|
global $config, $g;
|
933 |
c52719a8
|
Scott Ullrich
|
|
934 |
5b237745
|
Scott Ullrich
|
$syscfg = $config['system'];
|
935 |
|
|
$pptpdcfg = $config['pptpd'];
|
936 |
c52719a8
|
Scott Ullrich
|
|
937 |
5b237745
|
Scott Ullrich
|
if ($g['booting']) {
|
938 |
|
|
if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
|
939 |
|
|
return 0;
|
940 |
c52719a8
|
Scott Ullrich
|
|
941 |
89ceb4ba
|
Renato Botelho
|
echo gettext("Configuring PPTP VPN service... ");
|
942 |
c52719a8
|
Scott Ullrich
|
} else {
|
943 |
5b237745
|
Scott Ullrich
|
/* kill mpd */
|
944 |
67ee1ec5
|
Ermal Luçi
|
killbypid("{$g['varrun_path']}/pptp-vpn.pid");
|
945 |
c52719a8
|
Scott Ullrich
|
|
946 |
5b237745
|
Scott Ullrich
|
/* wait for process to die */
|
947 |
48bff85c
|
Scott Ullrich
|
sleep(3);
|
948 |
c52719a8
|
Scott Ullrich
|
|
949 |
979cd6db
|
Scott Ullrich
|
if (is_process_running("mpd -b")) {
|
950 |
67ee1ec5
|
Ermal Luçi
|
killbypid("{$g['varrun_path']}/pptp-vpn.pid");
|
951 |
89ceb4ba
|
Renato Botelho
|
log_error(gettext("Could not kill mpd within 3 seconds. Trying again."));
|
952 |
48bff85c
|
Scott Ullrich
|
}
|
953 |
c52719a8
|
Scott Ullrich
|
|
954 |
5b237745
|
Scott Ullrich
|
/* remove mpd.conf, if it exists */
|
955 |
67ee1ec5
|
Ermal Luçi
|
unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.conf");
|
956 |
|
|
unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.links");
|
957 |
|
|
unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.secret");
|
958 |
5b237745
|
Scott Ullrich
|
}
|
959 |
c52719a8
|
Scott Ullrich
|
|
960 |
1fb8d314
|
Ermal
|
if (empty($pptpdcfg['n_pptp_units'])) {
|
961 |
|
|
log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
|
962 |
09628a07
|
Renato Botelho
|
return;
|
963 |
1fb8d314
|
Ermal
|
}
|
964 |
|
|
|
965 |
67ee1ec5
|
Ermal Luçi
|
/* make sure pptp-vpn directory exists */
|
966 |
|
|
if (!file_exists("{$g['varetc_path']}/pptp-vpn"))
|
967 |
|
|
mkdir("{$g['varetc_path']}/pptp-vpn");
|
968 |
c52719a8
|
Scott Ullrich
|
|
969 |
5b237745
|
Scott Ullrich
|
switch ($pptpdcfg['mode']) {
|
970 |
979cd6db
|
Scott Ullrich
|
case 'server' :
|
971 |
5b237745
|
Scott Ullrich
|
/* write mpd.conf */
|
972 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w");
|
973 |
5b237745
|
Scott Ullrich
|
if (!$fd) {
|
974 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
|
975 |
5b237745
|
Scott Ullrich
|
return 1;
|
976 |
|
|
}
|
977 |
c52719a8
|
Scott Ullrich
|
|
978 |
045c9cc9
|
sullrich
|
$mpdconf = <<<EOD
|
979 |
a6607b5f
|
jim-p
|
pptps:
|
980 |
5b237745
|
Scott Ullrich
|
|
981 |
|
|
EOD;
|
982 |
|
|
|
983 |
f2b4ff2b
|
sullrich
|
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
|
984 |
5b237745
|
Scott Ullrich
|
$mpdconf .= " load pt{$i}\n";
|
985 |
|
|
}
|
986 |
c52719a8
|
Scott Ullrich
|
|
987 |
f2b4ff2b
|
sullrich
|
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
|
988 |
c52719a8
|
Scott Ullrich
|
|
989 |
96033063
|
Erik Fonnesbeck
|
$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);
|
990 |
c52719a8
|
Scott Ullrich
|
|
991 |
045c9cc9
|
sullrich
|
$mpdconf .= <<<EOD
|
992 |
5b237745
|
Scott Ullrich
|
|
993 |
|
|
pt{$i}:
|
994 |
bfa6d878
|
Ermal Lu?i
|
new -i pptpd{$i} pt{$i} pt{$i}
|
995 |
045c9cc9
|
sullrich
|
set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
|
996 |
979cd6db
|
Scott Ullrich
|
load pts
|
997 |
5b237745
|
Scott Ullrich
|
|
998 |
|
|
EOD;
|
999 |
|
|
}
|
1000 |
c52719a8
|
Scott Ullrich
|
|
1001 |
979cd6db
|
Scott Ullrich
|
$mpdconf .=<<<EOD
|
1002 |
5b237745
|
Scott Ullrich
|
|
1003 |
979cd6db
|
Scott Ullrich
|
pts:
|
1004 |
5b237745
|
Scott Ullrich
|
set iface disable on-demand
|
1005 |
|
|
set iface enable proxy-arp
|
1006 |
07cae4b2
|
Scott Ullrich
|
set iface enable tcpmssfix
|
1007 |
979cd6db
|
Scott Ullrich
|
set iface idle 1800
|
1008 |
e9a95ac8
|
jim-p
|
set iface up-script /usr/local/sbin/vpn-linkup
|
1009 |
|
|
set iface down-script /usr/local/sbin/vpn-linkdown
|
1010 |
5b237745
|
Scott Ullrich
|
set bundle enable multilink
|
1011 |
979cd6db
|
Scott Ullrich
|
set bundle enable crypt-reqd
|
1012 |
5b237745
|
Scott Ullrich
|
set link yes acfcomp protocomp
|
1013 |
|
|
set link no pap chap
|
1014 |
979cd6db
|
Scott Ullrich
|
set link enable chap-msv2
|
1015 |
ee953edc
|
Scott Ullrich
|
set link mtu 1460
|
1016 |
5b237745
|
Scott Ullrich
|
set link keep-alive 10 60
|
1017 |
|
|
set ipcp yes vjcomp
|
1018 |
|
|
set bundle enable compression
|
1019 |
|
|
set ccp yes mppc
|
1020 |
|
|
set ccp yes mpp-e128
|
1021 |
|
|
set ccp yes mpp-stateless
|
1022 |
|
|
|
1023 |
|
|
EOD;
|
1024 |
c52719a8
|
Scott Ullrich
|
|
1025 |
979cd6db
|
Scott Ullrich
|
if (!isset ($pptpdcfg['req128'])) {
|
1026 |
|
|
$mpdconf .=<<<EOD
|
1027 |
5b237745
|
Scott Ullrich
|
set ccp yes mpp-e40
|
1028 |
979cd6db
|
Scott Ullrich
|
set ccp yes mpp-e56
|
1029 |
5b237745
|
Scott Ullrich
|
|
1030 |
|
|
EOD;
|
1031 |
|
|
}
|
1032 |
c8c416db
|
Scott Ullrich
|
|
1033 |
871ce025
|
Bill Marquette
|
if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "")
|
1034 |
979cd6db
|
Scott Ullrich
|
$mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n";
|
1035 |
09f2bf85
|
jim-p
|
|
1036 |
|
|
if (!empty($pptpdcfg['dns1'])) {
|
1037 |
|
|
$mpdconf .= " set ipcp dns " . $pptpdcfg['dns1'];
|
1038 |
|
|
if (!empty($pptpdcfg['dns2']))
|
1039 |
|
|
$mpdconf .= " " . $pptpdcfg['dns2'];
|
1040 |
|
|
$mpdconf .= "\n";
|
1041 |
|
|
} elseif (isset ($config['dnsmasq']['enable'])) {
|
1042 |
|
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1043 |
|
|
if ($syscfg['dnsserver'][0])
|
1044 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1045 |
|
|
$mpdconf .= "\n";
|
1046 |
ad750d3b
|
Warren Baker
|
} elseif (isset($config['unbound']['enable'])) {
|
1047 |
|
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1048 |
|
|
if ($syscfg['dnsserver'][0])
|
1049 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1050 |
|
|
$mpdconf .= "\n";
|
1051 |
09f2bf85
|
jim-p
|
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
|
1052 |
|
|
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
|
1053 |
|
|
}
|
1054 |
07cae4b2
|
Scott Ullrich
|
|
1055 |
71569a7e
|
jim-p
|
if (isset ($pptpdcfg['radius']['server']['enable'])) {
|
1056 |
|
|
$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
|
1057 |
979cd6db
|
Scott Ullrich
|
$acctport = $authport + 1;
|
1058 |
|
|
$mpdconf .=<<<EOD
|
1059 |
71569a7e
|
jim-p
|
set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}
|
1060 |
35b91f77
|
sullrich
|
|
1061 |
71569a7e
|
jim-p
|
EOD;
|
1062 |
|
|
if (isset ($pptpdcfg['radius']['server2']['enable'])) {
|
1063 |
|
|
$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
|
1064 |
|
|
$acctport = $authport + 1;
|
1065 |
|
|
$mpdconf .=<<<EOD
|
1066 |
846a6dc2
|
jim-p
|
set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}
|
1067 |
35b91f77
|
sullrich
|
|
1068 |
71569a7e
|
jim-p
|
EOD;
|
1069 |
|
|
}
|
1070 |
|
|
$mpdconf .=<<<EOD
|
1071 |
5b237745
|
Scott Ullrich
|
set radius retries 3
|
1072 |
979cd6db
|
Scott Ullrich
|
set radius timeout 10
|
1073 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-auth
|
1074 |
5b237745
|
Scott Ullrich
|
|
1075 |
|
|
EOD;
|
1076 |
|
|
|
1077 |
979cd6db
|
Scott Ullrich
|
if (isset ($pptpdcfg['radius']['accounting'])) {
|
1078 |
|
|
$mpdconf .=<<<EOD
|
1079 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-acct
|
1080 |
979cd6db
|
Scott Ullrich
|
set radius acct-update 300
|
1081 |
5b237745
|
Scott Ullrich
|
|
1082 |
|
|
EOD;
|
1083 |
|
|
}
|
1084 |
|
|
}
|
1085 |
|
|
|
1086 |
|
|
fwrite($fd, $mpdconf);
|
1087 |
|
|
fclose($fd);
|
1088 |
a49784a2
|
Ermal
|
unset($mpdconf);
|
1089 |
c52719a8
|
Scott Ullrich
|
|
1090 |
5b237745
|
Scott Ullrich
|
/* write mpd.links */
|
1091 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.links", "w");
|
1092 |
5b237745
|
Scott Ullrich
|
if (!$fd) {
|
1093 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
|
1094 |
5b237745
|
Scott Ullrich
|
return 1;
|
1095 |
|
|
}
|
1096 |
c52719a8
|
Scott Ullrich
|
|
1097 |
5b237745
|
Scott Ullrich
|
$mpdlinks = "";
|
1098 |
c52719a8
|
Scott Ullrich
|
|
1099 |
a56120f2
|
Ermal Lu?i
|
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
|
1100 |
979cd6db
|
Scott Ullrich
|
$mpdlinks .=<<<EOD
|
1101 |
5b237745
|
Scott Ullrich
|
|
1102 |
|
|
pt{$i}:
|
1103 |
|
|
set link type pptp
|
1104 |
|
|
set pptp enable incoming
|
1105 |
|
|
set pptp disable originate
|
1106 |
979cd6db
|
Scott Ullrich
|
set pptp disable windowing
|
1107 |
5b237745
|
Scott Ullrich
|
|
1108 |
|
|
EOD;
|
1109 |
|
|
}
|
1110 |
|
|
|
1111 |
|
|
fwrite($fd, $mpdlinks);
|
1112 |
|
|
fclose($fd);
|
1113 |
a49784a2
|
Ermal
|
unset($mpdlinks);
|
1114 |
c52719a8
|
Scott Ullrich
|
|
1115 |
5b237745
|
Scott Ullrich
|
/* write mpd.secret */
|
1116 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.secret", "w");
|
1117 |
5b237745
|
Scott Ullrich
|
if (!$fd) {
|
1118 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
|
1119 |
5b237745
|
Scott Ullrich
|
return 1;
|
1120 |
|
|
}
|
1121 |
c52719a8
|
Scott Ullrich
|
|
1122 |
5b237745
|
Scott Ullrich
|
$mpdsecret = "";
|
1123 |
c52719a8
|
Scott Ullrich
|
|
1124 |
5b237745
|
Scott Ullrich
|
if (is_array($pptpdcfg['user'])) {
|
1125 |
4cf82d52
|
jim-p
|
foreach ($pptpdcfg['user'] as $user) {
|
1126 |
4222087e
|
jim-p
|
$pass = str_replace('\\', '\\\\', $user['password']);
|
1127 |
|
|
$pass = str_replace('"', '\"', $pass);
|
1128 |
4cf82d52
|
jim-p
|
$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
|
1129 |
|
|
}
|
1130 |
5b237745
|
Scott Ullrich
|
}
|
1131 |
|
|
|
1132 |
|
|
fwrite($fd, $mpdsecret);
|
1133 |
|
|
fclose($fd);
|
1134 |
a49784a2
|
Ermal
|
unset($mpdsecret);
|
1135 |
67ee1ec5
|
Ermal Luçi
|
chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600);
|
1136 |
c52719a8
|
Scott Ullrich
|
|
1137 |
67b057a9
|
Ermal
|
vpn_netgraph_support();
|
1138 |
|
|
|
1139 |
5b237745
|
Scott Ullrich
|
/* fire up mpd */
|
1140 |
a6607b5f
|
jim-p
|
mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps");
|
1141 |
c52719a8
|
Scott Ullrich
|
|
1142 |
5b237745
|
Scott Ullrich
|
break;
|
1143 |
c52719a8
|
Scott Ullrich
|
|
1144 |
979cd6db
|
Scott Ullrich
|
case 'redir' :
|
1145 |
5b237745
|
Scott Ullrich
|
break;
|
1146 |
|
|
}
|
1147 |
c52719a8
|
Scott Ullrich
|
|
1148 |
a63f7d55
|
Scott Ullrich
|
if ($g['booting'])
|
1149 |
|
|
echo "done\n";
|
1150 |
c52719a8
|
Scott Ullrich
|
|
1151 |
5b237745
|
Scott Ullrich
|
return 0;
|
1152 |
|
|
}
|
1153 |
|
|
|
1154 |
0e642c78
|
Ermal
|
function vpn_pppoes_configure() {
|
1155 |
|
|
global $config;
|
1156 |
|
|
|
1157 |
|
|
if (is_array($config['pppoes']['pppoe'])) {
|
1158 |
|
|
foreach ($config['pppoes']['pppoe'] as $pppoe)
|
1159 |
|
|
vpn_pppoe_configure($pppoe);
|
1160 |
|
|
}
|
1161 |
|
|
}
|
1162 |
|
|
|
1163 |
|
|
function vpn_pppoe_configure(&$pppoecfg) {
|
1164 |
06e69b03
|
Scott Ullrich
|
global $config, $g;
|
1165 |
|
|
|
1166 |
|
|
$syscfg = $config['system'];
|
1167 |
|
|
|
1168 |
48918ed5
|
Scott Ullrich
|
/* create directory if it does not exist */
|
1169 |
0e642c78
|
Ermal
|
if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn"))
|
1170 |
|
|
mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn");
|
1171 |
c52719a8
|
Scott Ullrich
|
|
1172 |
06e69b03
|
Scott Ullrich
|
if ($g['booting']) {
|
1173 |
|
|
if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
|
1174 |
|
|
return 0;
|
1175 |
|
|
|
1176 |
89ceb4ba
|
Renato Botelho
|
echo gettext("Configuring PPPoE VPN service... ");
|
1177 |
979cd6db
|
Scott Ullrich
|
} else {
|
1178 |
|
|
/* kill mpd */
|
1179 |
0e642c78
|
Ermal
|
killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
|
1180 |
979cd6db
|
Scott Ullrich
|
|
1181 |
|
|
/* wait for process to die */
|
1182 |
|
|
sleep(2);
|
1183 |
|
|
|
1184 |
06e69b03
|
Scott Ullrich
|
}
|
1185 |
|
|
|
1186 |
|
|
switch ($pppoecfg['mode']) {
|
1187 |
|
|
|
1188 |
979cd6db
|
Scott Ullrich
|
case 'server' :
|
1189 |
06e69b03
|
Scott Ullrich
|
|
1190 |
0e642c78
|
Ermal
|
$pppoe_interface = get_real_interface($pppoecfg['interface']);
|
1191 |
0301deff
|
Scott Ullrich
|
|
1192 |
979cd6db
|
Scott Ullrich
|
if ($pppoecfg['paporchap'] == "chap")
|
1193 |
|
|
$paporchap = "set link enable chap";
|
1194 |
|
|
else
|
1195 |
|
|
$paporchap = "set link enable pap";
|
1196 |
|
|
|
1197 |
06e69b03
|
Scott Ullrich
|
/* write mpd.conf */
|
1198 |
0e642c78
|
Ermal
|
$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
|
1199 |
06e69b03
|
Scott Ullrich
|
if (!$fd) {
|
1200 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
|
1201 |
06e69b03
|
Scott Ullrich
|
return 1;
|
1202 |
|
|
}
|
1203 |
|
|
$mpdconf = "\n\n";
|
1204 |
a6607b5f
|
jim-p
|
$mpdconf .= "poes:\n";
|
1205 |
06e69b03
|
Scott Ullrich
|
|
1206 |
a429d105
|
Scott Ullrich
|
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
|
1207 |
0e642c78
|
Ermal
|
$mpdconf .= " load poes{$pppoecfg['pppoeid']}{$i}\n";
|
1208 |
06e69b03
|
Scott Ullrich
|
}
|
1209 |
|
|
|
1210 |
a429d105
|
Scott Ullrich
|
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
|
1211 |
06e69b03
|
Scott Ullrich
|
|
1212 |
96033063
|
Erik Fonnesbeck
|
$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);
|
1213 |
c52719a8
|
Scott Ullrich
|
|
1214 |
b0943409
|
Ermal
|
if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
|
1215 |
5dfdc1fb
|
Scott Ullrich
|
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
|
1216 |
5264023a
|
Scott Ullrich
|
} else {
|
1217 |
|
|
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
|
1218 |
5dfdc1fb
|
Scott Ullrich
|
}
|
1219 |
c52719a8
|
Scott Ullrich
|
|
1220 |
979cd6db
|
Scott Ullrich
|
$mpdconf .=<<<EOD
|
1221 |
06e69b03
|
Scott Ullrich
|
|
1222 |
0e642c78
|
Ermal
|
poes{$pppoecfg['pppoeid']}{$i}:
|
1223 |
|
|
new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
|
1224 |
5dfdc1fb
|
Scott Ullrich
|
{$isssue_ip_type}
|
1225 |
f856e762
|
jim-p
|
load pppoe_standard
|
1226 |
06e69b03
|
Scott Ullrich
|
|
1227 |
|
|
EOD;
|
1228 |
|
|
}
|
1229 |
|
|
|
1230 |
979cd6db
|
Scott Ullrich
|
$mpdconf .=<<<EOD
|
1231 |
06e69b03
|
Scott Ullrich
|
|
1232 |
f856e762
|
jim-p
|
pppoe_standard:
|
1233 |
979cd6db
|
Scott Ullrich
|
set bundle no multilink
|
1234 |
|
|
set bundle enable compression
|
1235 |
78155ff9
|
Scott Ullrich
|
set auth max-logins 1
|
1236 |
e9a95ac8
|
jim-p
|
set iface up-script /usr/local/sbin/vpn-linkup
|
1237 |
|
|
set iface down-script /usr/local/sbin/vpn-linkdown
|
1238 |
979cd6db
|
Scott Ullrich
|
set iface idle 0
|
1239 |
06e69b03
|
Scott Ullrich
|
set iface disable on-demand
|
1240 |
|
|
set iface disable proxy-arp
|
1241 |
|
|
set iface enable tcpmssfix
|
1242 |
979cd6db
|
Scott Ullrich
|
set iface mtu 1500
|
1243 |
06e69b03
|
Scott Ullrich
|
set link no pap chap
|
1244 |
979cd6db
|
Scott Ullrich
|
{$paporchap}
|
1245 |
|
|
set link keep-alive 60 180
|
1246 |
|
|
set ipcp yes vjcomp
|
1247 |
|
|
set ipcp no vjcomp
|
1248 |
|
|
set link max-redial -1
|
1249 |
|
|
set link mtu 1492
|
1250 |
|
|
set link mru 1492
|
1251 |
06e69b03
|
Scott Ullrich
|
set ccp yes mpp-e40
|
1252 |
|
|
set ccp yes mpp-e128
|
1253 |
|
|
set ccp yes mpp-stateless
|
1254 |
979cd6db
|
Scott Ullrich
|
set link latency 1
|
1255 |
|
|
#set ipcp dns 10.10.1.3
|
1256 |
|
|
#set bundle accept encryption
|
1257 |
06e69b03
|
Scott Ullrich
|
|
1258 |
c8c416db
|
Scott Ullrich
|
EOD;
|
1259 |
|
|
|
1260 |
09f2bf85
|
jim-p
|
if (!empty($pppoecfg['dns1'])) {
|
1261 |
|
|
$mpdconf .= " set ipcp dns " . $pppoecfg['dns1'];
|
1262 |
|
|
if (!empty($pppoecfg['dns2']))
|
1263 |
|
|
$mpdconf .= " " . $pppoecfg['dns2'];
|
1264 |
|
|
$mpdconf .= "\n";
|
1265 |
|
|
} elseif (isset ($config['dnsmasq']['enable'])) {
|
1266 |
a55e9c70
|
Ermal Lu?i
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1267 |
06e69b03
|
Scott Ullrich
|
if ($syscfg['dnsserver'][0])
|
1268 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1269 |
|
|
$mpdconf .= "\n";
|
1270 |
ad750d3b
|
Warren Baker
|
} elseif (isset ($config['unbound']['enable'])) {
|
1271 |
|
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1272 |
|
|
if ($syscfg['dnsserver'][0])
|
1273 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1274 |
|
|
$mpdconf .= "\n";
|
1275 |
09f2bf85
|
jim-p
|
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
|
1276 |
979cd6db
|
Scott Ullrich
|
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
|
1277 |
09f2bf85
|
jim-p
|
}
|
1278 |
07cae4b2
|
Scott Ullrich
|
|
1279 |
37d7de2d
|
jim-p
|
if (isset ($pppoecfg['radius']['server']['enable'])) {
|
1280 |
c3583058
|
Ermal
|
$radiusport = "";
|
1281 |
|
|
$radiusacctport = "";
|
1282 |
|
|
if (isset($pppoecfg['radius']['server']['port']))
|
1283 |
|
|
$radiusport = $pppoecfg['radius']['server']['port'];
|
1284 |
|
|
if (isset($pppoecfg['radius']['server']['acctport']))
|
1285 |
|
|
$radiusacctport = $pppoecfg['radius']['server']['acctport'];
|
1286 |
979cd6db
|
Scott Ullrich
|
$mpdconf .=<<<EOD
|
1287 |
b0943409
|
Ermal
|
set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
|
1288 |
06e69b03
|
Scott Ullrich
|
set radius retries 3
|
1289 |
979cd6db
|
Scott Ullrich
|
set radius timeout 10
|
1290 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-auth
|
1291 |
06e69b03
|
Scott Ullrich
|
|
1292 |
|
|
EOD;
|
1293 |
|
|
|
1294 |
979cd6db
|
Scott Ullrich
|
if (isset ($pppoecfg['radius']['accounting'])) {
|
1295 |
|
|
$mpdconf .=<<<EOD
|
1296 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-acct
|
1297 |
07cae4b2
|
Scott Ullrich
|
|
1298 |
06e69b03
|
Scott Ullrich
|
EOD;
|
1299 |
|
|
}
|
1300 |
|
|
}
|
1301 |
|
|
|
1302 |
|
|
fwrite($fd, $mpdconf);
|
1303 |
|
|
fclose($fd);
|
1304 |
a49784a2
|
Ermal
|
unset($mpdconf);
|
1305 |
06e69b03
|
Scott Ullrich
|
|
1306 |
|
|
/* write mpd.links */
|
1307 |
0e642c78
|
Ermal
|
$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.links", "w");
|
1308 |
06e69b03
|
Scott Ullrich
|
if (!$fd) {
|
1309 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
|
1310 |
06e69b03
|
Scott Ullrich
|
return 1;
|
1311 |
|
|
}
|
1312 |
|
|
|
1313 |
|
|
$mpdlinks = "";
|
1314 |
|
|
|
1315 |
a429d105
|
Scott Ullrich
|
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
|
1316 |
979cd6db
|
Scott Ullrich
|
$mpdlinks .=<<<EOD
|
1317 |
09628a07
|
Renato Botelho
|
|
1318 |
0e642c78
|
Ermal
|
poes{$pppoecfg['pppoeid']}{$i}:
|
1319 |
67ee1ec5
|
Ermal Luçi
|
set phys type pppoe
|
1320 |
09628a07
|
Renato Botelho
|
set pppoe iface {$pppoe_interface}
|
1321 |
|
|
set pppoe service "*"
|
1322 |
|
|
set pppoe disable originate
|
1323 |
|
|
set pppoe enable incoming
|
1324 |
06e69b03
|
Scott Ullrich
|
|
1325 |
|
|
EOD;
|
1326 |
|
|
}
|
1327 |
|
|
|
1328 |
|
|
fwrite($fd, $mpdlinks);
|
1329 |
|
|
fclose($fd);
|
1330 |
a49784a2
|
Ermal
|
unset($mpdlinks);
|
1331 |
06e69b03
|
Scott Ullrich
|
|
1332 |
0e642c78
|
Ermal
|
if ($pppoecfg['username']) {
|
1333 |
|
|
/* write mpd.secret */
|
1334 |
|
|
$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
|
1335 |
|
|
if (!$fd) {
|
1336 |
8c04b1ae
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
|
1337 |
0e642c78
|
Ermal
|
return 1;
|
1338 |
|
|
}
|
1339 |
06e69b03
|
Scott Ullrich
|
|
1340 |
0e642c78
|
Ermal
|
$mpdsecret = "\n\n";
|
1341 |
06e69b03
|
Scott Ullrich
|
|
1342 |
0e642c78
|
Ermal
|
if (!empty($pppoecfg['username'])) {
|
1343 |
|
|
$item = explode(" ", $pppoecfg['username']);
|
1344 |
|
|
foreach($item as $userdata) {
|
1345 |
|
|
$data = explode(":", $userdata);
|
1346 |
90388e48
|
Ermal
|
$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
|
1347 |
0e642c78
|
Ermal
|
}
|
1348 |
|
|
}
|
1349 |
06e69b03
|
Scott Ullrich
|
|
1350 |
0e642c78
|
Ermal
|
fwrite($fd, $mpdsecret);
|
1351 |
|
|
fclose($fd);
|
1352 |
a49784a2
|
Ermal
|
unset($mpdsecret);
|
1353 |
0e642c78
|
Ermal
|
chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);
|
1354 |
|
|
}
|
1355 |
979cd6db
|
Scott Ullrich
|
|
1356 |
062676f8
|
Ermal
|
/* Check if previous instance is still up */
|
1357 |
|
|
while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid"))
|
1358 |
|
|
killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
|
1359 |
|
|
|
1360 |
67b057a9
|
Ermal
|
/* Get support for netgraph(4) from the nic */
|
1361 |
|
|
pfSense_ngctl_attach(".", $pppoe_interface);
|
1362 |
979cd6db
|
Scott Ullrich
|
/* fire up mpd */
|
1363 |
a6607b5f
|
jim-p
|
mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");
|
1364 |
979cd6db
|
Scott Ullrich
|
|
1365 |
|
|
break;
|
1366 |
|
|
}
|
1367 |
|
|
|
1368 |
|
|
if ($g['booting'])
|
1369 |
561130e4
|
Carlos Eduardo Ramos
|
echo gettext("done") . "\n";
|
1370 |
979cd6db
|
Scott Ullrich
|
|
1371 |
|
|
return 0;
|
1372 |
|
|
}
|
1373 |
|
|
|
1374 |
|
|
function vpn_l2tp_configure() {
|
1375 |
|
|
global $config, $g;
|
1376 |
|
|
|
1377 |
|
|
$syscfg = $config['system'];
|
1378 |
|
|
$l2tpcfg = $config['l2tp'];
|
1379 |
|
|
|
1380 |
|
|
/* create directory if it does not exist */
|
1381 |
67ee1ec5
|
Ermal Luçi
|
if (!is_dir("{$g['varetc_path']}/l2tp-vpn"))
|
1382 |
|
|
mkdir("{$g['varetc_path']}/l2tp-vpn");
|
1383 |
979cd6db
|
Scott Ullrich
|
|
1384 |
|
|
if ($g['booting']) {
|
1385 |
|
|
if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off"))
|
1386 |
|
|
return 0;
|
1387 |
|
|
|
1388 |
89ceb4ba
|
Renato Botelho
|
echo gettext("Configuring l2tp VPN service... ");
|
1389 |
979cd6db
|
Scott Ullrich
|
} else {
|
1390 |
|
|
/* kill mpd */
|
1391 |
67ee1ec5
|
Ermal Luçi
|
killbypid("{$g['varrun_path']}/l2tp-vpn.pid");
|
1392 |
979cd6db
|
Scott Ullrich
|
|
1393 |
|
|
/* wait for process to die */
|
1394 |
01c41d40
|
Ermal Lu?i
|
sleep(8);
|
1395 |
979cd6db
|
Scott Ullrich
|
|
1396 |
|
|
}
|
1397 |
|
|
|
1398 |
67ee1ec5
|
Ermal Luçi
|
/* make sure l2tp-vpn directory exists */
|
1399 |
|
|
if (!file_exists("{$g['varetc_path']}/l2tp-vpn"))
|
1400 |
|
|
mkdir("{$g['varetc_path']}/l2tp-vpn");
|
1401 |
979cd6db
|
Scott Ullrich
|
|
1402 |
|
|
switch ($l2tpcfg['mode']) {
|
1403 |
|
|
|
1404 |
|
|
case 'server' :
|
1405 |
|
|
if ($l2tpcfg['paporchap'] == "chap")
|
1406 |
|
|
$paporchap = "set link enable chap";
|
1407 |
|
|
else
|
1408 |
|
|
$paporchap = "set link enable pap";
|
1409 |
|
|
|
1410 |
|
|
/* write mpd.conf */
|
1411 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w");
|
1412 |
979cd6db
|
Scott Ullrich
|
if (!$fd) {
|
1413 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
|
1414 |
979cd6db
|
Scott Ullrich
|
return 1;
|
1415 |
|
|
}
|
1416 |
|
|
$mpdconf = "\n\n";
|
1417 |
|
|
$mpdconf .=<<<EOD
|
1418 |
a6607b5f
|
jim-p
|
l2tps:
|
1419 |
979cd6db
|
Scott Ullrich
|
|
1420 |
|
|
EOD;
|
1421 |
|
|
|
1422 |
|
|
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
|
1423 |
|
|
$mpdconf .= " load l2tp{$i}\n";
|
1424 |
|
|
}
|
1425 |
|
|
|
1426 |
|
|
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
|
1427 |
|
|
|
1428 |
96033063
|
Erik Fonnesbeck
|
$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);
|
1429 |
979cd6db
|
Scott Ullrich
|
|
1430 |
|
|
if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
|
1431 |
|
|
$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
|
1432 |
|
|
} else {
|
1433 |
|
|
$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
|
1434 |
|
|
}
|
1435 |
|
|
|
1436 |
|
|
$mpdconf .=<<<EOD
|
1437 |
|
|
|
1438 |
|
|
l2tp{$i}:
|
1439 |
2c7feef7
|
jim-p
|
new -i l2tp{$i} l2tp{$i} l2tp{$i}
|
1440 |
979cd6db
|
Scott Ullrich
|
{$isssue_ip_type}
|
1441 |
|
|
load l2tp_standard
|
1442 |
|
|
|
1443 |
|
|
EOD;
|
1444 |
|
|
}
|
1445 |
|
|
|
1446 |
|
|
$mpdconf .=<<<EOD
|
1447 |
|
|
|
1448 |
|
|
l2tp_standard:
|
1449 |
09628a07
|
Renato Botelho
|
set bundle disable multilink
|
1450 |
|
|
set bundle enable compression
|
1451 |
|
|
set bundle yes crypt-reqd
|
1452 |
|
|
set ipcp yes vjcomp
|
1453 |
|
|
# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
|
1454 |
|
|
set ccp yes mppc
|
1455 |
|
|
set iface disable on-demand
|
1456 |
|
|
set iface enable proxy-arp
|
1457 |
e9a95ac8
|
jim-p
|
set iface up-script /usr/local/sbin/vpn-linkup
|
1458 |
|
|
set iface down-script /usr/local/sbin/vpn-linkdown
|
1459 |
09628a07
|
Renato Botelho
|
set link yes acfcomp protocomp
|
1460 |
|
|
set link no pap chap
|
1461 |
|
|
set link enable chap
|
1462 |
|
|
set link keep-alive 10 180
|
1463 |
979cd6db
|
Scott Ullrich
|
|
1464 |
|
|
EOD;
|
1465 |
|
|
|
1466 |
c8cc0c1c
|
smos
|
if (is_ipaddr($l2tpcfg['wins'])) {
|
1467 |
|
|
$mpdconf .= " set ipcp nbns {$l2tpcfg['wins']}\n";
|
1468 |
|
|
}
|
1469 |
|
|
if (is_ipaddr($l2tpcfg['dns1'])) {
|
1470 |
09f2bf85
|
jim-p
|
$mpdconf .= " set ipcp dns " . $l2tpcfg['dns1'];
|
1471 |
c8cc0c1c
|
smos
|
if (is_ipaddr($l2tpcfg['dns2']))
|
1472 |
09f2bf85
|
jim-p
|
$mpdconf .= " " . $l2tpcfg['dns2'];
|
1473 |
|
|
$mpdconf .= "\n";
|
1474 |
|
|
} elseif (isset ($config['dnsmasq']['enable'])) {
|
1475 |
a55e9c70
|
Ermal Lu?i
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1476 |
979cd6db
|
Scott Ullrich
|
if ($syscfg['dnsserver'][0])
|
1477 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1478 |
|
|
$mpdconf .= "\n";
|
1479 |
ad750d3b
|
Warren Baker
|
} elseif (isset ($config['unbound']['enable'])) {
|
1480 |
|
|
$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
|
1481 |
|
|
if ($syscfg['dnsserver'][0])
|
1482 |
|
|
$mpdconf .= " " . $syscfg['dnsserver'][0];
|
1483 |
|
|
$mpdconf .= "\n";
|
1484 |
09f2bf85
|
jim-p
|
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
|
1485 |
979cd6db
|
Scott Ullrich
|
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
|
1486 |
09f2bf85
|
jim-p
|
}
|
1487 |
979cd6db
|
Scott Ullrich
|
|
1488 |
|
|
if (isset ($l2tpcfg['radius']['enable'])) {
|
1489 |
|
|
$mpdconf .=<<<EOD
|
1490 |
|
|
set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
|
1491 |
|
|
set radius retries 3
|
1492 |
|
|
set radius timeout 10
|
1493 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-auth
|
1494 |
979cd6db
|
Scott Ullrich
|
|
1495 |
|
|
EOD;
|
1496 |
|
|
|
1497 |
|
|
if (isset ($l2tpcfg['radius']['accounting'])) {
|
1498 |
|
|
$mpdconf .=<<<EOD
|
1499 |
0af9dba4
|
Ermal Lu?i
|
set auth enable radius-acct
|
1500 |
979cd6db
|
Scott Ullrich
|
|
1501 |
|
|
EOD;
|
1502 |
|
|
}
|
1503 |
|
|
}
|
1504 |
|
|
|
1505 |
|
|
fwrite($fd, $mpdconf);
|
1506 |
|
|
fclose($fd);
|
1507 |
a49784a2
|
Ermal
|
unset($mpdconf);
|
1508 |
979cd6db
|
Scott Ullrich
|
|
1509 |
|
|
/* write mpd.links */
|
1510 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.links", "w");
|
1511 |
979cd6db
|
Scott Ullrich
|
if (!$fd) {
|
1512 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
|
1513 |
979cd6db
|
Scott Ullrich
|
return 1;
|
1514 |
|
|
}
|
1515 |
|
|
|
1516 |
|
|
$mpdlinks = "";
|
1517 |
|
|
|
1518 |
|
|
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
|
1519 |
|
|
$mpdlinks .=<<<EOD
|
1520 |
|
|
|
1521 |
daa20efd
|
Ermal Lu?i
|
l2tp{$i}:
|
1522 |
979cd6db
|
Scott Ullrich
|
set link type l2tp
|
1523 |
09628a07
|
Renato Botelho
|
set l2tp enable incoming
|
1524 |
|
|
set l2tp disable originate
|
1525 |
979cd6db
|
Scott Ullrich
|
|
1526 |
|
|
EOD;
|
1527 |
00f9e567
|
Ermal Lu?i
|
if (!empty($l2tpcfg['secret']))
|
1528 |
|
|
$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
|
1529 |
979cd6db
|
Scott Ullrich
|
}
|
1530 |
|
|
|
1531 |
|
|
fwrite($fd, $mpdlinks);
|
1532 |
|
|
fclose($fd);
|
1533 |
a49784a2
|
Ermal
|
unset($mpdlinks);
|
1534 |
979cd6db
|
Scott Ullrich
|
|
1535 |
|
|
/* write mpd.secret */
|
1536 |
67ee1ec5
|
Ermal Luçi
|
$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.secret", "w");
|
1537 |
979cd6db
|
Scott Ullrich
|
if (!$fd) {
|
1538 |
89ceb4ba
|
Renato Botelho
|
printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
|
1539 |
979cd6db
|
Scott Ullrich
|
return 1;
|
1540 |
|
|
}
|
1541 |
|
|
|
1542 |
|
|
$mpdsecret = "\n\n";
|
1543 |
|
|
|
1544 |
|
|
if (is_array($l2tpcfg['user'])) {
|
1545 |
|
|
foreach ($l2tpcfg['user'] as $user)
|
1546 |
|
|
$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
|
1547 |
|
|
}
|
1548 |
|
|
|
1549 |
|
|
fwrite($fd, $mpdsecret);
|
1550 |
|
|
fclose($fd);
|
1551 |
a49784a2
|
Ermal
|
unset($mpdsecret);
|
1552 |
67ee1ec5
|
Ermal Luçi
|
chmod("{$g['varetc_path']}/l2tp-vpn/mpd.secret", 0600);
|
1553 |
06e69b03
|
Scott Ullrich
|
|
1554 |
67b057a9
|
Ermal
|
vpn_netgraph_support();
|
1555 |
|
|
|
1556 |
06e69b03
|
Scott Ullrich
|
/* fire up mpd */
|
1557 |
a6607b5f
|
jim-p
|
mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/l2tp-vpn -p {$g['varrun_path']}/l2tp-vpn.pid -s l2tps l2tps");
|
1558 |
06e69b03
|
Scott Ullrich
|
|
1559 |
|
|
break;
|
1560 |
|
|
|
1561 |
979cd6db
|
Scott Ullrich
|
case 'redir' :
|
1562 |
06e69b03
|
Scott Ullrich
|
break;
|
1563 |
|
|
}
|
1564 |
|
|
|
1565 |
|
|
if ($g['booting'])
|
1566 |
|
|
echo "done\n";
|
1567 |
|
|
|
1568 |
|
|
return 0;
|
1569 |
|
|
}
|
1570 |
630cfa6c
|
Scott Ullrich
|
|
1571 |
7b2fdac4
|
jim-p
|
function vpn_ipsec_configure_preferoldsa() {
|
1572 |
|
|
global $config;
|
1573 |
|
|
if(isset($config['ipsec']['preferoldsa']))
|
1574 |
|
|
mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
|
1575 |
|
|
else
|
1576 |
|
|
mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
|
1577 |
|
|
}
|
1578 |
9734b054
|
Scott Ullrich
|
|
1579 |
c513c309
|
Ermal
|
?>
|