
1
<?php
2
/*
3
	vpn_ipsec_phase1.php
4
	part of m0n0wall (http://m0n0.ch/wall)
5

    
6
	Copyright (C) 2008 Shrew Soft Inc
7
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
8
	Copyright (C) 2014 Ermal LUÇI
9
	All rights reserved.
10

    
11
	Redistribution and use in source and binary forms, with or without
12
	modification, are permitted provided that the following conditions are met:
13

    
14
	1. Redistributions of source code must retain the above copyright notice,
15
	   this list of conditions and the following disclaimer.
16

    
17
	2. Redistributions in binary form must reproduce the above copyright
18
	   notice, this list of conditions and the following disclaimer in the
19
	   documentation and/or other materials provided with the distribution.
20

    
21
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
22
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
23
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
25
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30
	POSSIBILITY OF SUCH DAMAGE.
31
*/
32

    
33
##|+PRIV
34
##|*IDENT=page-vpn-ipsec-editphase1
35
##|*NAME=VPN: IPsec: Edit Phase 1 page
36
##|*DESCR=Allow access to the 'VPN: IPsec: Edit Phase 1' page.
37
##|*MATCH=vpn_ipsec_phase1.php*
38
##|-PRIV
39

    
40
require("functions.inc");
41
require("guiconfig.inc");
42
require_once("ipsec.inc");
43
require_once("vpn.inc");
44

    
45
/* Make sure both IPsec phase lists exist in $config before taking
 * references to them; the rest of this page edits them in place
 * through $a_phase1 / $a_phase2. */
foreach (array('phase1', 'phase2') as $phase) {
	if (!is_array($config['ipsec'][$phase]))
		$config['ipsec'][$phase] = array();
}

$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
53

    
54
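/* Which phase1 entry is being edited.  Precedence, lowest to highest:
 * GET p1index (edit link) < POST p1index (form round-trip) < GET dup
 * (copy an existing entry into a new one).  Only integer-looking values
 * are accepted; anything else leaves $p1index unset, which the rest of
 * the page treats as "new entry".  The GET p1index test now checks
 * isset() first so a plain "add" request does not raise an undefined
 * index notice. */
if (isset($_GET['p1index']) && is_numericint($_GET['p1index']))
	$p1index = $_GET['p1index'];
if (isset($_POST['p1index']) && is_numericint($_POST['p1index']))
	$p1index = $_POST['p1index'];

if (isset($_GET['dup']) && is_numericint($_GET['dup']))
	$p1index = $_GET['dup'];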
61

    
62
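if (isset($p1index) && $a_phase1[$p1index]) {
	/* Editing (or duplicating) an existing phase1: seed the form from the
	 * stored entry.  $old_ph1ent is also used by the save path, which
	 * compares the previously stored remote gateway with the submitted one. */
	$old_ph1ent = $a_phase1[$p1index];

	// don't copy the ikeid on dup -- the copy gets a fresh one when saved
	if (!isset($_GET['dup']) || !is_numericint($_GET['dup']))
		$pconfig['ikeid'] = $old_ph1ent['ikeid'];

	$pconfig['disabled'] = isset($old_ph1ent['disabled']);

	$pconfig['interface'] = $old_ph1ent['interface'] ? $old_ph1ent['interface'] : "wan";

	list($pconfig['remotenet'], $pconfig['remotebits']) = explode("/", $old_ph1ent['remote-subnet']);

	// Mobile entries have no fixed remote gateway.
	if (isset($old_ph1ent['mobile']))
		$pconfig['mobile'] = 'true';
	else
		$pconfig['remotegw'] = $old_ph1ent['remote-gateway'];

	// An entry with no stored IKE version is treated as IKEv1.
	$pconfig['iketype'] = empty($old_ph1ent['iketype']) ? "ikev1" : $old_ph1ent['iketype'];

	// Fields stored under the same name in config.xml and in the form.
	foreach (array('mode', 'protocol', 'myid_type', 'myid_data', 'peerid_type',
	               'peerid_data', 'dhgroup', 'lifetime', 'authentication_method',
	               'descr', 'nat_traversal') as $field)
		$pconfig[$field] = $old_ph1ent[$field];
	$pconfig['ealgo'] = $old_ph1ent['encryption-algorithm'];
	$pconfig['halgo'] = $old_ph1ent['hash-algorithm'];

	// Only the credential relevant to the authentication method is loaded,
	// so a PSK entry does not drag stale certificate refs into the form.
	if (($pconfig['authentication_method'] == "pre_shared_key") ||
		($pconfig['authentication_method'] == "xauth_psk_server")) {
		$pconfig['pskey'] = $old_ph1ent['pre-shared-key'];
	} else {
		$pconfig['certref'] = $old_ph1ent['certref'];
		$pconfig['caref'] = $old_ph1ent['caref'];
	}

	if (isset($old_ph1ent['reauth_enable']))
		$pconfig['reauth_enable'] = true;
	if (isset($old_ph1ent['rekey_enable']))
		$pconfig['rekey_enable'] = true;

	// DPD counts as enabled only when both of its parameters are stored.
	if ($old_ph1ent['dpd_delay'] && $old_ph1ent['dpd_maxfail']) {
		$pconfig['dpd_enable'] = true;
		$pconfig['dpd_delay'] = $old_ph1ent['dpd_delay'];
		$pconfig['dpd_maxfail'] = $old_ph1ent['dpd_maxfail'];
	}
} else {
	/* defaults for a new entry */
	$pconfig['interface'] = "wan";
	if($config['interfaces']['lan'])
		$pconfig['localnet'] = "lan";
	/* NOTE(review): these defaults are kept exactly as the original page
	 * had them.  This form's own help text describes aggressive mode as
	 * "less secure", and 3DES / SHA1 / DH group 2 are legacy choices;
	 * moving the defaults to main mode and stronger algorithms would be a
	 * policy change rather than a bug fix, so it is not done here. */
	$pconfig['mode'] = "aggressive";
	$pconfig['protocol'] = "inet";
	$pconfig['myid_type'] = "myaddress";
	$pconfig['peerid_type'] = "peeraddress";
	$pconfig['authentication_method'] = "pre_shared_key";
	/* The original wrote array(name => "3des"): a bare, undefined constant
	 * (a warning on PHP 7, a fatal Error on PHP 8).  The key is the string
	 * 'name', matching what the POST handler stores in 'ealgo'. */
	$pconfig['ealgo'] = array('name' => "3des");
	$pconfig['halgo'] = "sha1";
	$pconfig['dhgroup'] = "2";
	$pconfig['lifetime'] = "28800";
	$pconfig['nat_traversal'] = 'on';
	$pconfig['dpd_enable'] = true;
	$pconfig['iketype'] = "ikev1";

	/* mobile client */
	if($_GET['mobile'])
		$pconfig['mobile']=true;
}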
142

    
143
/* The entry named by ?dup= has now been copied into $pconfig; drop the
 * index so the save path appends a new entry instead of overwriting the
 * one it was copied from. */
if (isset($_GET['dup']))
	if (is_numericint($_GET['dup']))
		unset($p1index);
145

    
146
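if ($_POST) {
	unset($input_errors);
	$pconfig = $_POST;

	/* input validation */

	$method = $pconfig['authentication_method'];
	// Unset ca and cert if not required to avoid storing in config
	if ($method == "pre_shared_key" || $method == "xauth_psk_server"){
		unset($pconfig['caref']);
		unset($pconfig['certref']);
	}

	// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
	// For RSA methods, require the CA/Cert.
	// Start from empty lists so do_input_validation() never sees an
	// undefined variable (eap-tls and mobile PSK add nothing here).
	$reqdfields = array();
	$reqdfieldsn = array();
	switch ($method) {
		case "eap-tls":
			if ($pconfig['iketype'] != 'ikev2')
				$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
			break;
		case "pre_shared_key":
			// If this is a mobile PSK tunnel the user PSKs go on
			//    the PSK tab, not here, so skip the check.
			if ($pconfig['mobile'])
				break;
			/* FALLTHROUGH: a site-to-site PSK tunnel needs the key here */
		case "xauth_psk_server":
			$reqdfields = array("pskey");
			$reqdfieldsn = array(gettext("Pre-Shared Key"));
			$validate_pskey = true;
			break;
		case "hybrid_rsa_server":
		case "xauth_rsa_server":
		case "rsasig":
			$reqdfields = array("caref", "certref");
			$reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
			break;
	}
	if (!$pconfig['mobile']) {
		$reqdfields[] = "remotegw";
		$reqdfieldsn[] = gettext("Remote gateway");
	}

	do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);

	// The pre-shared key must be plain ASCII.
	if (isset($validate_pskey) && isset($pconfig['pskey']) && !preg_match('/^[[:ascii:]]*$/', $pconfig['pskey'])) {
		unset($validate_pskey);
		$input_errors[] = gettext("Pre-Shared Key contains invalid characters.");
	}

	/* The error text promises an integer, so require one: is_numeric()
	 * would also have accepted "1e3", "1.5" or " 3". */
	if ($pconfig['lifetime'] && !is_numericint($pconfig['lifetime']))
		$input_errors[] = gettext("The P1 lifetime must be an integer.");

	if ($pconfig['remotegw']) {
		if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))
			$input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
		elseif (is_ipaddrv4($pconfig['remotegw']) && ($pconfig['protocol'] != "inet"))
			$input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6");
		elseif (is_ipaddrv6($pconfig['remotegw']) && ($pconfig['protocol'] != "inet6"))
			$input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4");
	}

	/* Refuse a second enabled phase1 to the same gateway IP.  The entry
	 * being edited is skipped by its array key (the same key $p1index
	 * indexes); a new entry has no $p1index and is compared against every
	 * existing one.  The original counter test `$p1index <> $t` silently
	 * skipped entry 0 for new entries, because null == 0 in PHP. */
	if ($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled'])) {
		$tremotegw = $pconfig['remotegw'];
		foreach ($a_phase1 as $t => $ph1tmp) {
			if (isset($p1index) && $p1index == $t)
				continue;
			if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled']))
				$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
		}
	}

	/* The address family must agree with the phase2 entries attached to this ikeid. */
	if (is_array($a_phase2) && count($a_phase2)) {
		foreach ($a_phase2 as $phase2) {
			if ($phase2['ikeid'] != $pconfig['ikeid'])
				continue;
			if (($pconfig['protocol'] == "inet") && ($phase2['mode'] == "tunnel6")) {
				$input_errors[] = gettext("There is a Phase 2 using IPv6, you cannot use IPv4.");
				break;
			}
			if (($pconfig['protocol'] == "inet6") && ($phase2['mode'] == "tunnel")) {
				$input_errors[] = gettext("There is a Phase 2 using IPv4, you cannot use IPv6.");
				break;
			}
		}
	}

	/* My identity: one error per problem (the original emitted up to three
	 * overlapping messages for an empty or invalid FQDN). */
	if ($pconfig['myid_type'] == "myaddress")
		$pconfig['myid_data'] = "";

	switch ($pconfig['myid_type']) {
		case "address":
			if ($pconfig['myid_data'] == "")
				$input_errors[] = gettext("Please enter an address for 'My Identifier'");
			elseif (!is_ipaddr($pconfig['myid_data']))
				$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
			break;
		case "keyid tag":
			if ($pconfig['myid_data'] == "")
				$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
			break;
		case "fqdn":
			if ($pconfig['myid_data'] == "")
				$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
			elseif (!is_domain($pconfig['myid_data']))
				$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
			break;
		case "user_fqdn":
			if ($pconfig['myid_data'] == "") {
				$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
			} else {
				$user_fqdn = explode("@", $pconfig['myid_data']);
				if (count($user_fqdn) < 2 || !is_domain($user_fqdn[1]))
					$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
			}
			break;
		case "dyn_dns":
			if ($pconfig['myid_data'] == "")
				$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
			elseif (!is_domain($pconfig['myid_data']))
				$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
			break;
	}

	/* Peer identity */

	// The original tested myid_type here (copy/paste), so peerid_data was
	// never cleared; it is the *peer* type that selects "peeraddress".
	if ($pconfig['peerid_type'] == "peeraddress")
		$pconfig['peerid_data'] = "";

	// Only enforce peer ID if we are not dealing with a pure-psk mobile config.
	if (!(($pconfig['authentication_method'] == "pre_shared_key") && ($pconfig['mobile']))) {
		switch ($pconfig['peerid_type']) {
			case "address":
				if ($pconfig['peerid_data'] == "")
					$input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
				elseif (!is_ipaddr($pconfig['peerid_data']))
					$input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");
				break;
			case "keyid tag":
				if ($pconfig['peerid_data'] == "")
					$input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
				break;
			case "fqdn":
				if ($pconfig['peerid_data'] == "")
					$input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
				elseif (!is_domain($pconfig['peerid_data']))
					$input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");
				break;
			case "user_fqdn":
				if ($pconfig['peerid_data'] == "") {
					$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
				} else {
					$user_fqdn = explode("@", $pconfig['peerid_data']);
					if (count($user_fqdn) < 2 || !is_domain($user_fqdn[1]))
						$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
				}
				break;
		}
	}

	if ($pconfig['dpd_enable']) {
		if (!is_numeric($pconfig['dpd_delay']))
			$input_errors[] = gettext("A numeric value must be specified for DPD delay.");

		if (!is_numeric($pconfig['dpd_maxfail']))
			$input_errors[] = gettext("A numeric value must be specified for DPD retries.");
	}

	if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2")
		$input_errors[] = gettext("Valid arguments for IKE type is v1 or v2");

	/* build our encryption algorithms array.  The submitted name is checked
	 * against the algorithm table from ipsec.inc ($p1_ealgos, the same table
	 * the page builds its options from; the default entry uses the key
	 * "3des") so only an offered algorithm reaches the stored config.
	 * TODO(review): confirm the <select name="ealgo"> option values are the
	 * keys of $p1_ealgos -- the select itself is further down the form. */
	$ealgo_name = $_POST['ealgo'];
	if (is_array($p1_ealgos) && !isset($p1_ealgos[$ealgo_name]))
		$input_errors[] = gettext("A valid encryption algorithm must be selected.");
	$pconfig['ealgo'] = array('name' => $ealgo_name);
	if ($pconfig['ealgo_keylen']) {
		if (!is_numericint($pconfig['ealgo_keylen']))
			$input_errors[] = gettext("The encryption key length must be an integer.");
		$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
	}

	if (!$input_errors) {
		$ph1ent['ikeid'] = $pconfig['ikeid'];
		$ph1ent['iketype'] = $pconfig['iketype'];
		$ph1ent['disabled'] = $pconfig['disabled'] ? true : false;
		$ph1ent['interface'] = $pconfig['interface'];
		/* If the remote gateway changed and the interface is not WAN, remove
		 * the old host route; vpn_ipsec_configure() handles adding the new one.
		 * Only run when there actually is an old gateway (a brand-new entry has
		 * none -- the original ran `route delete -host` with an empty argument),
		 * and quote it: it was validated as an address or hostname when it was
		 * saved, but it still ends up on a shell command line. */
		if ($pconfig['interface'] <> "wan" &&
		    !empty($old_ph1ent['remote-gateway']) &&
		    $old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
			mwexec("/sbin/route delete -host " . escapeshellarg($old_ph1ent['remote-gateway']));
		}

		if ($pconfig['mobile'])
			$ph1ent['mobile'] = true;
		else
			$ph1ent['remote-gateway'] = $pconfig['remotegw'];

		$ph1ent['mode'] = $pconfig['mode'];
		$ph1ent['protocol'] = $pconfig['protocol'];

		$ph1ent['myid_type'] = $pconfig['myid_type'];
		$ph1ent['myid_data'] = $pconfig['myid_data'];
		$ph1ent['peerid_type'] = $pconfig['peerid_type'];
		$ph1ent['peerid_data'] = $pconfig['peerid_data'];

		$ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
		$ph1ent['hash-algorithm'] = $pconfig['halgo'];
		$ph1ent['dhgroup'] = $pconfig['dhgroup'];
		$ph1ent['lifetime'] = $pconfig['lifetime'];
		$ph1ent['pre-shared-key'] = $pconfig['pskey'];
		// NOTE(review): no 'privatekey' input appears in the part of the form
		// reviewed; this stores base64 of whatever was posted under that name.
		$ph1ent['private-key'] = base64_encode($pconfig['privatekey']);
		$ph1ent['certref'] = $pconfig['certref'];
		$ph1ent['caref'] = $pconfig['caref'];
		$ph1ent['authentication_method'] = $pconfig['authentication_method'];
		$ph1ent['descr'] = $pconfig['descr'];
		$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];

		if (isset($pconfig['reauth_enable']))
			$ph1ent['reauth_enable'] = true;
		if (isset($pconfig['rekey_enable']))
			$ph1ent['rekey_enable'] = true;

		if (isset($pconfig['dpd_enable'])) {
			$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
			$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
		}

		/* generate unique phase1 ikeid */
		if ($ph1ent['ikeid'] == 0)
			$ph1ent['ikeid'] = ipsec_ikeid_next();

		if (isset($p1index) && $a_phase1[$p1index])
			$a_phase1[$p1index] = $ph1ent;
		else
			$a_phase1[] = $ph1ent;

		write_config();
		mark_subsystem_dirty('ipsec');

		header("Location: vpn_ipsec.php");
		exit;
	}
}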
392

    
393
/* Breadcrumb title; mobile-client phase1s get an extra crumb. */
$pgtitle = array(gettext("VPN"), gettext("IPsec"), gettext("Edit Phase 1"));
if ($pconfig['mobile'])
	$pgtitle[] = gettext("Mobile Client");
$shortcut_section = "ipsec";

include("head.inc");
401

    
402
?>
403

    
404
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
405
<?php include("fbegin.inc"); ?>
406
<script type="text/javascript">
407
//<![CDATA[
408

    
409
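/* Hide the free-text identifier box when "My IP address" is the selected
 * identifier type (no data is needed for it), show it otherwise.
 * The original assigned `index` and `value` without `var`, leaking them
 * as globals; they are locals here. */
function myidsel_change() {
	var sel = document.iform.myid_type;
	var hide = (sel.options[sel.selectedIndex].value == 'myaddress');
	document.getElementById('myid_data').style.visibility = hide ? 'hidden' : 'visible';
}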
417

    
418
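/* Hide the free-text peer identifier box when "Peer IP address" is the
 * selected identifier type, show it otherwise.
 * The original assigned `index` and `value` without `var`, leaking them
 * as globals; they are locals here. */
function peeridsel_change() {
	var sel = document.iform.peerid_type;
	var hide = (sel.options[sel.selectedIndex].value == 'peeraddress');
	document.getElementById('peerid_data').style.visibility = hide ? 'hidden' : 'visible';
}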
426

    
427
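/* Show the form rows that apply to the selected authentication method:
 * certificate methods show the cert/CA pickers, PSK methods show the key
 * box, and a mobile pure-PSK entry shows none of them (the keys live on
 * the Pre-Shared Keys tab).  The cert/CA rows are also disabled when
 * hidden so their values are not posted.
 * The original assigned `index` and `value` without `var` (leaking
 * globals) and repeated the same six assignments per case. */
function methodsel_change() {
	var sel = document.iform.authentication_method;
	var value = sel.options[sel.selectedIndex].value;
	var show_psk, show_peerid, show_cert;

	switch (value) {
	case 'eap-tls':
	case 'hybrid_rsa_server':
	case 'xauth_rsa_server':
	case 'rsasig':
		show_psk = false; show_peerid = true; show_cert = true;
		break;
<?php if ($pconfig['mobile']) { ?>
	case 'pre_shared_key':
		show_psk = false; show_peerid = false; show_cert = false;
		break;
<?php } ?>
	default: /* psk modes */
		show_psk = true; show_peerid = true; show_cert = false;
		break;
	}

	document.getElementById('opt_psk').style.display = show_psk ? '' : 'none';
	document.getElementById('opt_peerid').style.display = show_peerid ? '' : 'none';
	document.getElementById('opt_cert').style.display = show_cert ? '' : 'none';
	document.getElementById('opt_ca').style.display = show_cert ? '' : 'none';
	document.getElementById('opt_cert').disabled = !show_cert;
	document.getElementById('opt_ca').disabled = !show_cert;
}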
477

    
478
/* PHP generated java script for variable length keys.
 * Called when the encryption algorithm select changes (and, with the stored
 * key length as `bits`, to restore a saved value).  Each case below is
 * emitted by PHP for one entry of $p1_ealgos: algorithms with a 'keysel'
 * range get the key-length select repopulated from hi down to lo in steps;
 * the others get it hidden and emptied.
 * NOTE(review): the case numbers are the position in $p1_ealgos and are
 * matched against ealgo.selectedIndex, so this assumes the ealgo <select>
 * is built from $p1_ealgos in the same order -- confirm against the option
 * loop further down the form. */
function ealgosel_change(bits) {
	switch (document.iform.ealgo.selectedIndex) {
<?php
/* $i is the option index of the matching ealgo entry, not the algorithm name. */
$i = 0;
foreach ($p1_ealgos as $algo => $algodata) {
	if (is_array($algodata['keysel'])) {
		echo "		case {$i}:\n";
		echo "			document.iform.ealgo_keylen.style.visibility = 'visible';\n";
		echo "			document.iform.ealgo_keylen.options.length = 0;\n";
	//      echo "			document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";

		/* Key-length choices, largest first, from the algorithm table. */
		$key_hi = $algodata['keysel']['hi'];
		$key_lo = $algodata['keysel']['lo'];
		$key_step = $algodata['keysel']['step'];

		for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step)
			echo "			document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
		echo "			break;\n";
	} else {
		/* Fixed-length algorithm: no key length to choose. */
		echo "		case {$i}:\n";
		echo "			document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
		echo "			document.iform.ealgo_keylen.options.length = 0;\n";
		echo "			break;\n";
	}
	$i++;
}
?>
	}

	/* Re-select the previously saved key length, if one was passed in. */
	if( bits )
		document.iform.ealgo_keylen.value = bits;
}
511

    
512
/* Show or hide the DPD parameter row to match the "enable DPD" checkbox,
 * and fill in the default delay (10) and retry count (5) if the boxes
 * are empty. */
function dpdchkbox_change() {
	var enabled = document.iform.dpd_enable.checked;
	document.getElementById('opt_dpd').style.display = enabled ? '' : 'none';

	if (!document.iform.dpd_delay.value)
		document.iform.dpd_delay.value = "10";
	if (!document.iform.dpd_maxfail.value)
		document.iform.dpd_maxfail.value = "5";
}
524

    
525
//]]>
526
</script>
527

    
528
<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
529

    
530
<?php
531
	if ($input_errors)
532
		print_input_errors($input_errors);
533
?>
534

    
535
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="vpn ipsec phase-1">
536
	<tr class="tabnavtbl">
537
		<td id="tabnav">
538
			<?php
539
				$tab_array = array();
540
				$tab_array[0] = array(gettext("Tunnels"), true, "vpn_ipsec.php");
541
				$tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php");
542
				$tab_array[2] = array(gettext("Pre-Shared Keys"), false, "vpn_ipsec_keys.php");
543
				$tab_array[3] = array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php");
544
				display_top_tabs($tab_array);
545
			?>
546
		</td>
547
	</tr>
548
	<tr>
549
		<td id="mainarea">
550
			<div class="tabcont">
551
				<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area">
552
					<tr>
553
						<td colspan="2" valign="top" class="listtopic"><?=gettext("General information"); ?></td>
554
					</tr>
555
					<tr>
556
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td>
557
						<td width="78%" class="vtable">
558
							<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked=\"checked\""; ?> />
559
							<strong><?=gettext("Disable this phase1 entry"); ?></strong><br />
560
							<span class="vexpl">
561
								<?=gettext("Set this option to disable this phase1 without " .
562
								"removing it from the list"); ?>.
563
							</span>
564
						</td>
565
					</tr>
566
					<tr>
567
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Key Exchange version"); ?></td>
568
						<td width="78%" class="vtable">
569
							<select name="iketype" class="formselect">
570
							<?php
571
								$keyexchange = array("ikev1" => "V1", "ikev2" => "V2");
572
								foreach ($keyexchange as $kidx => $name):
573
							?>
574
								<option value="<?=$kidx;?>" <?php if ($kidx == $pconfig['iketype']) echo "selected=\"selected\""; ?>>
575
									<?=htmlspecialchars($name);?>
576
								</option>
577
							<?php endforeach; ?>
578
							</select> <br /> <span class="vexpl"><?=gettext("Select the KeyExchange Protocol version to be used. Usually known as IKEv1 or IKEv2."); ?>.</span>
579
						</td>
580
					</tr>
581
					<tr>
582
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Internet Protocol"); ?></td>
583
						<td width="78%" class="vtable">
584
							<select name="protocol" class="formselect">
585
							<?php
586
								$protocols = array("inet" => "IPv4", "inet6" => "IPv6");
587
								foreach ($protocols as $protocol => $name):
588
							?>
589
								<option value="<?=$protocol;?>" <?php if ($protocol == $pconfig['protocol']) echo "selected=\"selected\""; ?>>
590
									<?=htmlspecialchars($name);?>
591
								</option>
592
							<?php endforeach; ?>
593
							</select> <br /> <span class="vexpl"><?=gettext("Select the Internet Protocol family from this dropdown"); ?>.</span>
594
						</td>
595
					</tr>
596
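					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Interface"); ?></td>
						<td width="78%" class="vtable">
							<select name="interface" class="formselect">
							<?php
								/* Selectable local endpoints: configured interfaces, CARP VIPs,
								 * IP aliases and gateway groups, keyed by the value stored in
								 * the phase1 'interface' field. */
								$interfaces = get_configured_interface_with_descr();

								$carplist = get_configured_carp_interface_list();
								foreach ($carplist as $cif => $carpip)
									$interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";

								$aliaslist = get_configured_ip_aliases_list();
								foreach ($aliaslist as $aliasip => $aliasif)
									$interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";

								$grouplist = return_gateway_groups_array();
								foreach ($grouplist as $name => $group) {
									// NOTE(review): $vipif is not used in this row; kept only in
									// case code further down the page reads it.
									if($group[0]['vip'] <> "")
										$vipif = $group[0]['vip'];
									else
										$vipif = $group[0]['int'];
									$interfaces[$name] = "GW Group {$name}";
								}

								/* Keys come from config.xml, so escape them like the labels. */
								foreach ($interfaces as $iface => $ifacename):
							?>
								<option value="<?=htmlspecialchars($iface);?>" <?php if ($iface == $pconfig['interface']) echo "selected=\"selected\""; ?>>
									<?=htmlspecialchars($ifacename);?>
								</option>
							<?php endforeach; ?>
							</select>
							<br />
							<span class="vexpl"><?=gettext("Select the interface for the local endpoint of this phase1 entry"); ?>.</span>
						</td>
					</tr>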
632

    
633
					<?php if (!$pconfig['mobile']): ?>
634

    
635
					<tr>
636
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Remote gateway"); ?></td>
637
						<td width="78%" class="vtable">
638
							<?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="28" value="<?=htmlspecialchars($pconfig['remotegw']);?>" />
639
							<br />
640
							<?=gettext("Enter the public IP address or host name of the remote gateway"); ?>
641
						</td>
642
					</tr>
643

    
644
					<?php endif; ?>
645

    
646
					<tr>
647
						<td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td>
648
						<td width="78%" class="vtable">
649
							<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" />
650
							<br />
651
							<span class="vexpl">
652
								<?=gettext("You may enter a description here " .
653
								"for your reference (not parsed)"); ?>.
654
							</span>
655
						</td>
656
					</tr>
657
					<tr>
658
						<td colspan="2" class="list" height="12"></td>
659
					</tr>
660
					<tr>
661
						<td colspan="2" valign="top" class="listtopic">
662
							<?=gettext("Phase 1 proposal (Authentication)"); ?>
663
						</td>
664
					</tr>
665
					<tr>
666
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Authentication method"); ?></td>
667
						<td width="78%" class="vtable">
668
							<select name="authentication_method" class="formselect" onchange="methodsel_change()">
669
							<?php
670
								foreach ($p1_authentication_methods as $method_type => $method_params):
671
									if (!$pconfig['mobile'] && $method_params['mobile'])
672
										continue;
673
							?>
674
								<option value="<?=$method_type;?>" <?php if ($method_type == $pconfig['authentication_method']) echo "selected=\"selected\""; ?>>
675
									<?=htmlspecialchars($method_params['name']);?>
676
								</option>
677
							<?php endforeach; ?>
678
							</select>
679
							<br />
680
							<span class="vexpl">
681
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
682
							</span>
683
						</td>
684
					</tr>
685
					<tr>
686
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Negotiation mode"); ?></td>
687
						<td width="78%" class="vtable">
688
							<select name="mode" class="formselect">
689
							<?php
690
								$modes = array("main" => "Main", "aggressive" => "Aggressive");
691
								foreach ($modes as $mode => $mdescr):
692
							?>
693
								<option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected=\"selected\""; ?>>
694
									<?=htmlspecialchars($mdescr);?>
695
								</option>
696
							<?php endforeach; ?>
697
							</select> <br /> <span class="vexpl"><?=gettext("Aggressive is more flexible, but less secure"); ?>.</span>
698
						</td>
699
					</tr>
700
					<tr>
701
						<td width="22%" valign="top" class="vncellreq"><?=gettext("My identifier"); ?></td>
702
						<td width="78%" class="vtable">
703
							<select name="myid_type" class="formselect" onchange="myidsel_change()">
704
							<?php foreach ($my_identifier_list as $id_type => $id_params): ?>
705
								<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) echo "selected=\"selected\""; ?>>
706
									<?=htmlspecialchars($id_params['desc']);?>
707
								</option>
708
							<?php endforeach; ?>
709
							</select>
710
							<input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=htmlspecialchars($pconfig['myid_data']);?>" />
711
						</td>
712
					</tr>
713
					<tr id="opt_peerid">
714
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer identifier"); ?></td>
715
						<td width="78%" class="vtable">
716
							<select name="peerid_type" class="formselect" onchange="peeridsel_change()">
717
							<?php
718
								foreach ($peer_identifier_list as $id_type => $id_params):
719
									if ($pconfig['mobile'] && !$id_params['mobile'])
720
										continue;
721
							?>
722
							<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['peerid_type']) echo "selected=\"selected\""; ?>>
723
								<?=htmlspecialchars($id_params['desc']);?>
724
							</option>
725
							<?php endforeach; ?>
726
							</select>
727
							<input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=htmlspecialchars($pconfig['peerid_data']);?>" />
728
						<?php if ($pconfig['mobile']) { ?>
729
							<br /><br /><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>.
730
						<?php } ?>
731
						</td>
732
					</tr>
733
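					<tr id="opt_psk">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
						<td width="78%" class="vtable">
							<?=$mandfldhtml;?>
							<?php
								/*
								 * The PSK is a long-lived shared secret. autocomplete="off"
								 * keeps browsers from storing it as ordinary text-field
								 * history. It is still echoed into the page source (HTML
								 * escaped), so anyone able to load this page can read it.
								 */
							?>
							<input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" autocomplete="off" value="<?=htmlspecialchars($pconfig['pskey']);?>" />
							<span class="vexpl">
							<br />
								<?=gettext("Input your Pre-Shared Key string"); ?>.
							</span>
						</td>
					</tr>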
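					<tr id="opt_cert">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
						<td width="78%" class="vtable">
							<select name="certref" class="formselect">
							<?php
								/*
								 * Offer every certificate in the Certificate Manager and
								 * preselect the one referenced by this phase 1.
								 * Both refid and descr are operator-supplied config data:
								 * they were emitted raw before, which let a crafted
								 * certificate description inject markup into this page.
								 * Escape them like every other value on the form.
								 */
								foreach ($config['cert'] as $cert):
									$selected = "";
									if ($pconfig['certref'] == $cert['refid'])
										$selected = "selected=\"selected\"";
							?>
								<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option>
							<?php endforeach; ?>
							</select>
							<br />
							<span class="vexpl">
								<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
							</span>
						</td>
					</tr>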
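					<tr id="opt_ca">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
						<td width="78%" class="vtable">
							<select name="caref" class="formselect">
							<?php
								/*
								 * Offer every CA in the Certificate Manager and preselect
								 * the one referenced by this phase 1.
								 * refid and descr come from the stored config and were
								 * emitted unescaped; a CA description containing markup
								 * would have been rendered as-is. Escape both.
								 */
								foreach ($config['ca'] as $ca):
									$selected = "";
									if ($pconfig['caref'] == $ca['refid'])
										$selected = "selected=\"selected\"";
							?>
								<option value="<?=htmlspecialchars($ca['refid']);?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
							<?php endforeach; ?>
							</select>
							<br />
							<span class="vexpl">
								<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
							</span>
						</td>
					</tr>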
					<tr>
						<td colspan="2" valign="top" class="listtopic"><?=gettext("Phase 1 proposal (Algorithms)"); ?></td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
						<td width="78%" class="vtable">
							<select name="ealgo" class="formselect" onchange="ealgosel_change()">
							<?php
								/*
								 * The saved cipher token lives at $pconfig['ealgo']['name'];
								 * $p1_ealgos maps each token to its display data.
								 */
								foreach ($p1_ealgos as $cipher_id => $cipher_info) {
									$cipher_sel = ($cipher_id == $pconfig['ealgo']['name']) ? " selected=\"selected\"" : "";
							?>
								<option value="<?=$cipher_id;?>"<?=$cipher_sel?>>
									<?=htmlspecialchars($cipher_info['name']);?>
								</option>
							<?php } ?>
							</select>
							<?php /* Intentionally empty in the markup: ealgosel_change(), run once on load by the page script, fills it client-side. */ ?>
							<select name="ealgo_keylen" width="30" class="formselect">
							</select>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Hash algorithm"); ?></td>
						<td width="78%" class="vtable">
							<select name="halgo" class="formselect">
							<?php
								/* $p1_halgos maps the config token to its display name; preselect the saved one */
								foreach ($p1_halgos as $hash_id => $hash_label) {
									$hash_sel = ($hash_id == $pconfig['halgo']) ? "selected=\"selected\"" : "";
							?>
								<option value="<?=$hash_id;?>" <?=$hash_sel;?>>
									<?=htmlspecialchars($hash_label);?>
								</option>
							<?php } ?>
							</select>
							<br />
							<span class="vexpl">
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
							</span>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("DH key group"); ?></td>
						<td width="78%" class="vtable">
							<select name="dhgroup" class="formselect">
							<?php
								/* $p1_dhgroups maps the group number to its display name; preselect the saved one */
								foreach ($p1_dhgroups as $group_id => $group_label) {
									$group_sel = ($group_id == $pconfig['dhgroup']) ? "selected=\"selected\"" : "";
							?>
								<option value="<?=$group_id;?>" <?=$group_sel;?>>
									<?=htmlspecialchars($group_label);?>
								</option>
							<?php } ?>
							</select>
							<br />
							<span class="vexpl">
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
							</span>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td>
						<td width="78%" class="vtable">
							<?php /* IKE SA lifetime in seconds; validated by the POST handler, which is outside this view */ ?>
							<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>" /> <?=gettext("seconds"); ?>
						</td>
					</tr>
					<tr>
						<td colspan="2" class="list" height="12"></td>
					</tr>
					<tr>
						<td colspan="2" valign="top" class="listtopic"><?=gettext("Advanced Options"); ?></td>
					</tr>
					<?php
						/*
						 * NOTE(review): both checkboxes sit under "Disable ..." labels
						 * but are named *_enable. How the saved flag is interpreted is
						 * decided by the POST handler / vpn.inc, neither of which is
						 * visible here -- confirm before relying on the field name.
						 */
						$rekey_chk = isset($pconfig['rekey_enable']) ? "checked=\"checked\"" : "";
						$reauth_chk = isset($pconfig['reauth_enable']) ? "checked=\"checked\"" : "";
					?>
					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Disable Rekey");?></td>
						<td width="78%" class="vtable">
							<input name="rekey_enable" type="checkbox" id="rekey_enable" value="yes" <?=$rekey_chk;?> />
							<?=gettext("Whether a connection should be renegotiated when it is about to expire."); ?><br />
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Disable Reauth");?></td>
						<td width="78%" class="vtable">
							<input name="reauth_enable" type="checkbox" id="reauth_enable" value="yes" <?=$reauth_chk;?> />
							<?=gettext("Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."); ?><br />
						</td>
					</tr>
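					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("NAT Traversal"); ?></td>
						<td width="78%" class="vtable">
							<?php
								/*
								 * Exactly one option must carry selected="selected".
								 * The previous test marked "Auto" whenever the value was
								 * not literally 'on', so a stored 'force' produced two
								 * selected options and only worked because browsers keep
								 * the last one. Anything other than 'force' (including an
								 * unset value) is Auto.
								 */
								$natt_force = ($pconfig['nat_traversal'] == 'force');
							?>
							<select name="nat_traversal" class="formselect">
								<option value="on" <?php if (!$natt_force) echo "selected=\"selected\""; ?>><?=gettext("Auto"); ?></option>
								<option value="force" <?php if ($natt_force) echo "selected=\"selected\""; ?>><?=gettext("Force"); ?></option>
							</select>
							<br />
							<span class="vexpl">
								<?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
								"which can help with clients that are behind restrictive firewalls"); ?>.
							</span>
						</td>
					</tr>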
					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Dead Peer Detection"); ?></td>
						<td width="78%" class="vtable">
							<?php $dpd_chk = isset($pconfig['dpd_enable']) ? "checked=\"checked\"" : ""; ?>
							<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?=$dpd_chk;?> onclick="dpdchkbox_change()" />
							<?=gettext("Enable DPD"); ?><br />
							<?php /* Always emitted; dpdchkbox_change() (bound above and run once on load) controls it client-side */ ?>
							<div id="opt_dpd">
								<br />
								<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=htmlspecialchars($pconfig['dpd_delay']);?>" /> <?=gettext("seconds"); ?><br />
								<span class="vexpl">
									<?=gettext("Delay between requesting peer acknowledgement"); ?>.
								</span><br />
								<br />
								<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=htmlspecialchars($pconfig['dpd_maxfail']);?>" /> <?=gettext("retries"); ?><br />
								<span class="vexpl">
									<?=gettext("Number of consecutive failures allowed before disconnect"); ?>.
								</span>
								<br />
							</div>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top">&nbsp;</td>
						<td width="78%">
							<?php
								/*
								 * When editing an existing entry its index is carried back
								 * as a hidden field, presumably so the POST handler (above
								 * this view) updates it in place. NOTE(review): p1index,
								 * mobile and ikeid all return from the client on POST and
								 * must be re-validated against the config there, not trusted.
								 */
								if (isset($p1index) && $a_phase1[$p1index]) {
							?>
							<input name="p1index" type="hidden" value="<?=htmlspecialchars($p1index);?>" />
							<?php
								}
								if ($pconfig['mobile']) {
							?>
							<input name="mobile" type="hidden" value="true" />
							<?php } ?>
							<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" />
							<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
						</td>
					</tr>
				</table>
			</div>
		</td>
	</tr>
</table>
</form>

    
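<script type="text/javascript">
//<![CDATA[
<?php
	/*
	 * Seed the key-length selector only when the saved phase 1 carries a
	 * numeric key length. The value is interpolated directly into JavaScript
	 * below, so it is cast to int: is_numeric() alone also admits signed,
	 * fractional and exponent forms, whereas the cast guarantees the emitted
	 * token is a bare integer literal whatever the stored config string is.
	 * An empty $keyset yields ealgosel_change() with no argument, as before.
	 */
	$keyset = '';
	if (isset($pconfig['ealgo']['keylen']) && is_numeric($pconfig['ealgo']['keylen']))
		$keyset = (int)$pconfig['ealgo']['keylen'];
?>
myidsel_change();
peeridsel_change();
methodsel_change();
ealgosel_change(<?=$keyset;?>);
dpdchkbox_change();
//]]>
</script>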
<?php include("fend.inc"); ?>
</body>
</html>