
1
<?php
2
/*
3
	vpn_ipsec_phase2.php
4
	part of m0n0wall (http://m0n0.ch/wall)
5

    
6
	Copyright (C) 2008 Shrew Soft Inc
7
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
8
	All rights reserved.
9

    
10
	Redistribution and use in source and binary forms, with or without
11
	modification, are permitted provided that the following conditions are met:
12

    
13
	1. Redistributions of source code must retain the above copyright notice,
14
	   this list of conditions and the following disclaimer.
15

    
16
	2. Redistributions in binary form must reproduce the above copyright
17
	   notice, this list of conditions and the following disclaimer in the
18
	   documentation and/or other materials provided with the distribution.
19

    
20
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
22
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
24
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29
	POSSIBILITY OF SUCH DAMAGE.
30
*/
31

    
32
##|+PRIV
33
##|*IDENT=page-vpn-ipsec-editphase2
34
##|*NAME=VPN: IPsec: Edit Phase 2 page
35
##|*DESCR=Allow access to the 'VPN: IPsec: Edit Phase 2' page.
36
##|*MATCH=vpn_ipsec_phase2.php*
37
##|-PRIV
38

    
39
require("functions.inc");
40
require("guiconfig.inc");
41
require_once("ipsec.inc");
42
require_once("vpn.inc");
43

    
44
/* The IPsec client, phase1 and phase2 sections may be absent from a fresh
 * config; make sure each is an array before taking a reference to it, since
 * the save path below appends to these references. */
foreach (array('client', 'phase1', 'phase2') as $ipsec_section) {
	if (!is_array($config['ipsec'][$ipsec_section]))
		$config['ipsec'][$ipsec_section] = array();
}

$a_client = &$config['ipsec']['client'];
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];

/* Which phase 2 entry this request refers to, by uniqid: the GET index when
 * opening the form, the POSTed uniqid on submit, and a 'dup' request wins
 * over both (the entry is then copied rather than edited, see below). */
if (!empty($_GET['p2index']))
	$uindex = $_GET['p2index'];
if (!empty($_POST['uniqid']))
	$uindex = $_POST['uniqid'];
if (!empty($_GET['dup']))
	$uindex = $_GET['dup'];
65

    
66
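/*
 * Locate the phase 2 entry named by $uindex (set above from p2index, uniqid
 * or dup). On a hit $p2index keeps its array position and $ph2 the entry;
 * the save path below reuses $p2index to overwrite it in place.
 */
$ph2found = false;
if (isset($uindex)) {
	foreach ($a_phase2 as $p2index => $ph2) {
		/* Compare as strings: the ids this page writes come from uniqid(),
		 * and a loose == would compare digit-only ids numerically. */
		if ((string)$ph2['uniqid'] === (string)$uindex) {
			$ph2found = true;
			break;
		}
	}
}

if ($ph2found === true) {
	/* Editing an existing entry: pre-fill the form from the stored values. */
	$pconfig['ikeid'] = $ph2['ikeid'];
	$pconfig['disabled'] = isset($ph2['disabled']);
	$pconfig['mode'] = $ph2['mode'];
	$pconfig['descr'] = $ph2['descr'];
	$pconfig['uniqid'] = $ph2['uniqid'];

	/* NAT/BINAT translation of the local network is optional. */
	if (!empty($ph2['natlocalid']))
		idinfo_to_pconfig("natlocal", $ph2['natlocalid'], $pconfig);
	idinfo_to_pconfig("local", $ph2['localid'], $pconfig);
	idinfo_to_pconfig("remote", $ph2['remoteid'], $pconfig);

	$pconfig['proto'] = $ph2['protocol'];
	ealgos_to_pconfig($ph2['encryption-algorithm-option'], $pconfig);
	$pconfig['halgos'] = $ph2['hash-algorithm-option'];
	$pconfig['pfsgroup'] = $ph2['pfsgroup'];
	$pconfig['lifetime'] = $ph2['lifetime'];
	$pconfig['pinghost'] = $ph2['pinghost'];

	if (isset($ph2['mobile']))
		$pconfig['mobile'] = true;
} else {
	/* New entry: the phase 1 it belongs to is passed by the caller. */
	$pconfig['ikeid'] = isset($_GET['ikeid']) ? $_GET['ikeid'] : null;

	/* defaults */
	/* NOTE(review): the pre-selected proposal includes legacy ciphers (3DES,
	 * Blowfish, CAST-128) and HMAC-MD5; consider narrowing the defaults to
	 * AES/SHA in a follow-up. */
	$pconfig['localid_type'] = "lan";
	$pconfig['remoteid_type'] = "network";
	$pconfig['proto'] = "esp";
	$pconfig['ealgos'] = explode(",", "3des,blowfish,cast128,aes");
	$pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5");
	$pconfig['pfsgroup'] = "0";
	$pconfig['lifetime'] = "3600";
	$pconfig['uniqid'] = uniqid();

	/* mobile client */
	if (!empty($_GET['mobile']))
		$pconfig['mobile'] = true;
}

unset($ph2);
/* Duplicating: forget the source entry so the save path appends a new one
 * under a fresh uniqid instead of overwriting the original. */
if (!empty($_GET['dup'])) {
	unset($uindex);
	unset($p2index);
	$pconfig['uniqid'] = uniqid();
}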
124

    
125
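/**
 * Build the idinfo array (type/address/netbits) for one side of a phase 2
 * entry from the submitted form: $prefix "local" reads localid_type,
 * localid_address and localid_netbits, "remote" the remoteid_* fields.
 * Only fields present in the form are copied, which is exactly what the
 * duplicate and overlap checks below compare.
 *
 * @param array  $pconfig submitted form values
 * @param string $prefix  "local" or "remote"
 * @return array idinfo array as accepted by ipsec_idinfo_to_cidr()
 */
function vpn_ipsec_phase2_entered_idinfo($pconfig, $prefix) {
	$entered = array();
	$entered['type'] = $pconfig["{$prefix}id_type"];
	if (isset($pconfig["{$prefix}id_address"]))
		$entered['address'] = $pconfig["{$prefix}id_address"];
	if (isset($pconfig["{$prefix}id_netbits"]))
		$entered['netbits'] = $pconfig["{$prefix}id_netbits"];
	return $entered;
}

/*
 * Form submission. Validates the posted phase 2 settings into $input_errors;
 * when nothing is wrong the entry is stored (replacing the one located by
 * $ph2found/$p2index earlier in this file when editing, appended to
 * $a_phase2 otherwise), the config is written and the browser is sent back
 * to vpn_ipsec.php. On any error the page falls through and re-renders the
 * form from $pconfig = $_POST.
 */
if ($_POST) {

	unset($input_errors);
	$pconfig = $_POST;

	if (!isset($_POST['ikeid']))
		$input_errors[] = gettext("A valid ikeid must be specified.");

	/* input validation */
	$reqdfields = explode(" ", "localid_type uniqid");
	$reqdfieldsn = array(gettext("Local network type"), gettext("Unique Identifier"));
	/* Mobile entries have no fixed remote side; the remote type is only required site-to-site. */
	if (!isset($pconfig['mobile'])) {
		$reqdfields[] = "remoteid_type";
		$reqdfieldsn[] = gettext("Remote network type");
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

	/* Local/remote network selectors only apply to the tunnel modes. */
	if (($pconfig['mode'] == "tunnel") || ($pconfig['mode'] == "tunnel6")) {
		switch ($pconfig['localid_type']) {
			case "network":
				if (($pconfig['localid_netbits'] != 0 && !$pconfig['localid_netbits']) || !is_numeric($pconfig['localid_netbits']))
					$input_errors[] = gettext("A valid local network bit count must be specified.");
				/* fall through: a network also needs a valid address of the mode's family */
			case "address":
				if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address']))
					$input_errors[] = gettext("A valid local network IP address must be specified.");
				elseif (is_ipaddrv4($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel"))
					$input_errors[] = gettext("A valid local network IPv4 address must be specified or you need to change Mode to IPv6");
				elseif (is_ipaddrv6($pconfig['localid_address']) && ($pconfig['mode'] != "tunnel6"))
					$input_errors[] = gettext("A valid local network IPv6 address must be specified or you need to change Mode to IPv4");
				break;
		}
		/* Check if the localid_type is an interface, to confirm if it has a valid subnet. */
		if (isset($config['interfaces'][$pconfig['localid_type']]) && is_array($config['interfaces'][$pconfig['localid_type']])) {
			// Don't let an empty subnet into racoon.conf, it can cause parse errors. Ticket #2201.
			$address = get_interface_ip($pconfig['localid_type']);
			$netbits = get_interface_subnet($pconfig['localid_type']);

			if (empty($address) || empty($netbits))
				$input_errors[] = gettext("Invalid Local Network.") . " " . convert_friendly_interface_to_friendly_descr($pconfig['localid_type']) . " " . gettext("has no subnet.");
		}

		/* Optional NAT/BINAT of the local network: only validated when an address was entered. */
		if (!empty($pconfig['natlocalid_address'])) {
			switch ($pconfig['natlocalid_type']) {
				case "network":
					if (($pconfig['natlocalid_netbits'] != 0 && !$pconfig['natlocalid_netbits']) || !is_numeric($pconfig['natlocalid_netbits']))
						$input_errors[] = gettext("A valid NAT local network bit count must be specified.");
					if ($pconfig['localid_type'] == "address")
						$input_errors[] = gettext("You cannot configure a network type address for NAT while only an address type is selected for local source.");
					/* fall through: the NAT network also needs a valid address */
				case "address":
					if (!empty($pconfig['natlocalid_address']) && !is_ipaddr($pconfig['natlocalid_address']))
						$input_errors[] = gettext("A valid NAT local network IP address must be specified.");
					elseif (is_ipaddrv4($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel"))
						$input_errors[] = gettext("A valid NAT local network IPv4 address must be specified or you need to change Mode to IPv6");
					elseif (is_ipaddrv6($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel6"))
						$input_errors[] = gettext("A valid NAT local network IPv6 address must be specified or you need to change Mode to IPv4");
					break;
			}

			if (isset($config['interfaces'][$pconfig['natlocalid_type']]) && is_array($config['interfaces'][$pconfig['natlocalid_type']])) {
				// Don't let an empty subnet into racoon.conf, it can cause parse errors. Ticket #2201.
				$address = get_interface_ip($pconfig['natlocalid_type']);
				$netbits = get_interface_subnet($pconfig['natlocalid_type']);

				if (empty($address) || empty($netbits))
					$input_errors[] = gettext("Invalid Local Network.") . " " . convert_friendly_interface_to_friendly_descr($pconfig['natlocalid_type']) . " " . gettext("has no subnet.");
			}
		}

		switch ($pconfig['remoteid_type']) {
			case "network":
				if (($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits']) || !is_numeric($pconfig['remoteid_netbits']))
					$input_errors[] = gettext("A valid remote network bit count must be specified.");
				/* fall through: a network also needs a valid address of the mode's family */
			case "address":
				if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address']))
					$input_errors[] = gettext("A valid remote network IP address must be specified.");
				elseif (is_ipaddrv4($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel"))
					$input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6");
				elseif (is_ipaddrv6($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel6"))
					$input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4");
				break;
		}
	}
	/* Validate enabled phase2's are not duplicates */
	if (isset($pconfig['mobile'])) {
		/* User is adding phase 2 for mobile phase1 */
		foreach ($a_phase2 as $name) {
			if (isset($name['mobile']) && $name['uniqid'] != $pconfig['uniqid']) {
				/* check duplicate localids only for mobile clients */
				$localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
				$entered_localid_data = ipsec_idinfo_to_cidr(vpn_ipsec_phase2_entered_idinfo($pconfig, "local"), false, $pconfig['mode']);
				if ($localid_data == $entered_localid_data) {
					/* adding new p2 entry */
					$input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients.");
					break;
				}
			}
		}
	} else {
		/* User is adding phase 2 for site-to-site phase1 */
		foreach ($a_phase2 as $name) {
			if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid'] && $pconfig['uniqid'] != $name['uniqid']) {
				/* check duplicate subnets only for given phase1 */
				$localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
				$remoteid_data = ipsec_idinfo_to_cidr($name['remoteid'], false, $name['mode']);
				$entered_localid_data = ipsec_idinfo_to_cidr(vpn_ipsec_phase2_entered_idinfo($pconfig, "local"), false, $pconfig['mode']);
				$entered_remoteid_data = ipsec_idinfo_to_cidr(vpn_ipsec_phase2_entered_idinfo($pconfig, "remote"), false, $pconfig['mode']);
				if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) {
					/* adding new p2 entry */
					$input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1.");
					break;
				}
			}
		}
		foreach ($a_phase1 as $phase1) {
			if ($phase1['ikeid'] == $pconfig['ikeid']) {
				/* This is the P1 for this entry, validate its remote-gateway and local interface isn't within tunnel */
				$entered_localid_data = ipsec_idinfo_to_cidr(vpn_ipsec_phase2_entered_idinfo($pconfig, "local"), false, $pconfig['mode']);
				/* split() was removed in PHP 7; the value is cut at the literal "/" as before, so explode() is the exact replacement. */
				list($entered_local_network, $entered_local_mask) = explode("/", $entered_localid_data);
				$entered_remoteid_data = ipsec_idinfo_to_cidr(vpn_ipsec_phase2_entered_idinfo($pconfig, "remote"), false, $pconfig['mode']);
				list($entered_remote_network, $entered_remote_mask) = explode("/", $entered_remoteid_data);
				/* Our outside address of the tunnel, in the P1's address family. */
				if ($phase1['protocol'] == "inet6") {
					$if = get_failover_interface($phase1['interface'], "inet6");
					$interfaceip = get_interface_ipv6($if);
				} else {
					$if = get_failover_interface($phase1['interface']);
					$interfaceip = get_interface_ip($if);
				}
				/* skip validation for hostnames, they're subject to change anyway */
				if (is_ipaddr($phase1['remote-gateway'])) {
					if ($pconfig['mode'] == "tunnel") {
						if (check_subnets_overlap($interfaceip, 32, $entered_local_network, $entered_local_mask) && check_subnets_overlap($phase1['remote-gateway'], 32, $entered_remote_network, $entered_remote_mask)) {
							$input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
							break;
						}
					} elseif ($pconfig['mode'] == "tunnel6") {
						/* NOTE(review): the remote-gateway side uses the IPv4 overlap helper with a /128 mask; confirm it copes with an IPv6 gateway. */
						if (check_subnetsv6_overlap($interfaceip, 128, $entered_local_network, $entered_local_mask) && check_subnets_overlap($phase1['remote-gateway'], 128, $entered_remote_network, $entered_remote_mask)) {
							$input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
							break;
						}
					}
				}
			}
		}
	}

	/* For ESP protocol, handle encryption algorithms */
	/* $ealgos is stored below for every protocol; keep it null for AH rather than undefined. */
	$ealgos = null;
	if ($pconfig['proto'] == "esp") {
		$ealgos = pconfig_to_ealgos($pconfig);

		if (!count($ealgos)) {
			$input_errors[] = gettext("At least one encryption algorithm must be selected.");
		} elseif (empty($pconfig['halgos'])) {
			/* Ciphers whose name contains "gcm" are treated as not needing a separate hash;
			 * any other selected cipher requires one. strpos() is compared with === false so
			 * a name starting with "gcm" (offset 0) is not mistaken for a non-match. */
			foreach ($ealgos as $ealgo) {
				if (strpos($ealgo['name'], "gcm") === false) {
					$input_errors[] = gettext("At least one hashing algorithm needs to be selected.");
					break;
				}
			}
		}
	}
	if (!empty($_POST['lifetime']) && !is_numeric($_POST['lifetime'])) {
		$input_errors[] = gettext("The P2 lifetime must be an integer.");
	}

	if (!$input_errors) {

		$ph2ent = array();
		$ph2ent['ikeid'] = $pconfig['ikeid'];
		$ph2ent['uniqid'] = $pconfig['uniqid'];
		$ph2ent['mode'] = $pconfig['mode'];
		$ph2ent['disabled'] = !empty($pconfig['disabled']);

		/* Network selectors are only meaningful in the tunnel modes. */
		if (($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")) {
			if (!empty($pconfig['natlocalid_address']))
				$ph2ent['natlocalid'] = pconfig_to_idinfo("natlocal", $pconfig);
			$ph2ent['localid'] = pconfig_to_idinfo("local", $pconfig);
			$ph2ent['remoteid'] = pconfig_to_idinfo("remote", $pconfig);
		}

		$ph2ent['protocol'] = $pconfig['proto'];
		$ph2ent['encryption-algorithm-option'] = $ealgos;
		if (!empty($pconfig['halgos']))
			$ph2ent['hash-algorithm-option'] = $pconfig['halgos'];
		else
			unset($ph2ent['hash-algorithm-option']);
		$ph2ent['pfsgroup'] = $pconfig['pfsgroup'];
		$ph2ent['lifetime'] = $pconfig['lifetime'];
		/* NOTE(review): pinghost is stored exactly as typed; confirm its consumer only accepts an address. */
		$ph2ent['pinghost'] = $pconfig['pinghost'];
		$ph2ent['descr'] = $pconfig['descr'];

		if (isset($pconfig['mobile']))
			$ph2ent['mobile'] = true;

		/* Overwrite the entry located by uniqid when editing; otherwise append. */
		if ($ph2found === true && !empty($a_phase2[$p2index]))
			$a_phase2[$p2index] = $ph2ent;
		else
			$a_phase2[] = $ph2ent;

		write_config();
		mark_subsystem_dirty('ipsec');

		header("Location: vpn_ipsec.php");
		exit;
	}
}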
357

    
358
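/* Page title rendered by head.inc; mobile-client entries get an extra crumb.
 * !empty() avoids an undefined-index notice when the form is opened for a
 * site-to-site entry, where 'mobile' is never set. */
$pgtitle = array(gettext("VPN"), gettext("IPsec"), gettext("Edit Phase 2"));
if (!empty($pconfig['mobile']))
	$pgtitle[] = gettext("Mobile Client");
$shortcut_section = "ipsec";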
363

    
364

    
365
include("head.inc");
366

    
367
?>
368

    
369
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
370
<?php include("fbegin.inc"); ?>
371
<script type="text/javascript" src="/javascript/jquery.ipv4v6ify.js"></script>
372
<script type="text/javascript">
373
//<![CDATA[
374

    
375
/* Show the local network row (and the remote one on site-to-site forms)
 * only while a tunnel mode is selected. `index` and `value` are assigned
 * without var on purpose: the typesel_change_* handlers below read the
 * global `index`. */
function change_mode() {
	var mode_select = document.iform.mode;
	index = mode_select.selectedIndex;
	value = mode_select.options[index].value;
	var display = ((value == 'tunnel') || (value == 'tunnel6')) ? '' : 'none';
	document.getElementById('opt_localid').style.display = display;
<?php if (!isset($pconfig['mobile'])): ?>
	document.getElementById('opt_remoteid').style.display = display;
<?php endif; ?>
}
390

    
391
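/* Enable/disable the NAT local address and netbits fields for the selected
 * NAT type. Called without an argument from the select's onchange; the
 * netbits default then follows the mode (24 for tunnel, 64 for tunnel6; in
 * other modes the row is hidden by change_mode() and bits stays undefined).
 * The mode is read from the select directly instead of the global `index`,
 * which other handlers on this page also write. The chosen type is matched
 * by option value ("address", "network", "none", or an interface name), not
 * by position, so it holds however many interface options were rendered. */
function typesel_change_natlocal(bits) {
	var mode_select = document.iform.mode;
	var value = mode_select.options[mode_select.selectedIndex].value;
	if (typeof(bits) === "undefined") {
		if (value === "tunnel") {
			bits = 24;
		}
		else if (value === "tunnel6") {
			bits = 64;
		}
	}
	var type_select = document.iform.natlocalid_type;
	var type = type_select.options[type_select.selectedIndex].value;
	var address_is_blank = !/\S/.test(document.iform.natlocalid_address.value);
	switch (type) {
		case "address":
			document.iform.natlocalid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.natlocalid_netbits.value = 0;
			}
			document.iform.natlocalid_netbits.disabled = 1;
			break;
		case "network":
			document.iform.natlocalid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.natlocalid_netbits.value = bits;
			}
			document.iform.natlocalid_netbits.disabled = 0;
			break;
		case "none":
			document.iform.natlocalid_address.disabled = 1;
			document.iform.natlocalid_netbits.disabled = 1;
			break;
		default: /* an interface subnet: the server side derives address and netbits from the interface */
			document.iform.natlocalid_address.value = "";
			document.iform.natlocalid_address.disabled = 1;
			if (address_is_blank) {
				document.iform.natlocalid_netbits.value = 0;
			}
			document.iform.natlocalid_netbits.disabled = 1;
			break;
	}
}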
431

    
432
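/* Enable/disable the local address and netbits fields for the selected local
 * network type. Called without an argument from the select's onchange; the
 * netbits default then follows the mode (24 for tunnel, 64 for tunnel6; in
 * other modes the row is hidden by change_mode() and bits stays undefined).
 * The mode is read from the select directly instead of the global `index`,
 * which other handlers on this page also write. The chosen type is matched
 * by option value ("address", "network", or an interface name) rather than
 * by position, so it holds however many interface options were rendered;
 * this select has no "none" entry. */
function typesel_change_local(bits) {
	var mode_select = document.iform.mode;
	var value = mode_select.options[mode_select.selectedIndex].value;
	if (typeof(bits) === "undefined") {
		if (value === "tunnel") {
			bits = 24;
		}
		else if (value === "tunnel6") {
			bits = 64;
		}
	}
	var type_select = document.iform.localid_type;
	var type = type_select.options[type_select.selectedIndex].value;
	var address_is_blank = !/\S/.test(document.iform.localid_address.value);
	switch (type) {
		case "address":
			document.iform.localid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.localid_netbits.value = 0;
			}
			document.iform.localid_netbits.disabled = 1;
			break;
		case "network":
			document.iform.localid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.localid_netbits.value = bits;
			}
			document.iform.localid_netbits.disabled = 0;
			break;
		default: /* an interface subnet: the server side derives address and netbits from the interface */
			document.iform.localid_address.value = "";
			document.iform.localid_address.disabled = 1;
			if (address_is_blank) {
				document.iform.localid_netbits.value = 0;
			}
			document.iform.localid_netbits.disabled = 1;
			break;
	}
}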
472

    
473
<?php if (!isset($pconfig['mobile'])): ?>
474

    
475
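/* Enable/disable the remote address and netbits fields for the selected
 * remote network type. Called without an argument from the select's
 * onchange; the netbits default then follows the mode (24 for tunnel, 64 for
 * tunnel6; in other modes the row is hidden by change_mode() and bits stays
 * undefined). The mode is read from the select directly instead of the
 * global `index`, which other handlers on this page also write. The chosen
 * type is matched by option value ("address" or "network"); the default
 * branch only covers an option this form does not currently render. */
function typesel_change_remote(bits) {
	var mode_select = document.iform.mode;
	var value = mode_select.options[mode_select.selectedIndex].value;
	if (typeof(bits) === "undefined") {
		if (value === "tunnel") {
			bits = 24;
		}
		else if (value === "tunnel6") {
			bits = 64;
		}
	}
	var type_select = document.iform.remoteid_type;
	var type = type_select.options[type_select.selectedIndex].value;
	var address_is_blank = !/\S/.test(document.iform.remoteid_address.value);
	switch (type) {
		case "address":
			document.iform.remoteid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.remoteid_netbits.value = 0;
			}
			document.iform.remoteid_netbits.disabled = 1;
			break;
		case "network":
			document.iform.remoteid_address.disabled = 0;
			if (address_is_blank) {
				document.iform.remoteid_netbits.value = bits;
			}
			document.iform.remoteid_netbits.disabled = 0;
			break;
		default:
			document.iform.remoteid_address.value = "";
			document.iform.remoteid_address.disabled = 1;
			if (address_is_blank) {
				document.iform.remoteid_netbits.value = 0;
			}
			document.iform.remoteid_netbits.disabled = 1;
			break;
	}
}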
511

    
512
<?php endif; ?>
513

    
514
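/* Show the encryption algorithm row only for ESP; AH carries no encryption.
 * Locals are declared with var so this handler no longer overwrites the
 * global `index` that change_mode() sets and the typesel_change_* handlers
 * read, which previously made them look up the wrong mode option after a
 * protocol change. */
function change_protocol() {
	var proto_select = document.iform.proto;
	var proto = proto_select.options[proto_select.selectedIndex].value;
	document.getElementById('opt_enc').style.display = (proto == 'esp') ? '' : 'none';
}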
522

    
523
//]]>
524
</script>
525

    
526
<form action="vpn_ipsec_phase2.php" method="post" name="iform" id="iform">
527

    
528
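<?php
	/* Validation messages collected by the POST handler above, if any.
	 * !empty() avoids a notice on the initial GET, where the list is unset. */
	if (!empty($input_errors))
		print_input_errors($input_errors);
?>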
532

    
533
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="vpn ipsec phase-2">
534
	<tr class="tabnavtbl">
535
		<td id="tabnav">
536
			<?php
				/* IPsec section tabs; this page belongs under "Tunnels", hence its active flag. */
				$tab_array = array(
					array(gettext("Tunnels"), true, "vpn_ipsec.php"),
					array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php"),
					array(gettext("Pre-Shared Keys"), false, "vpn_ipsec_keys.php"),
					array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php"),
				);
				display_top_tabs($tab_array);
			?>
544
		</td>
545
	</tr>
546
	<tr>
547
		<td id="mainarea">
548
			<div class="tabcont">
549
				<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="main area">
550
					<tr>
551
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td>
552
						<td width="78%" class="vtable">
553
							<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked=\"checked\""; ?> />
554
							<strong><?=gettext("Disable this phase2 entry"); ?></strong>
555
							<br />
556
							<span class="vexpl"><?=gettext("Set this option to disable this phase2 entry without " .
557
							  "removing it from the list"); ?>.
558
							</span>
559
						</td>
560
					</tr>
561
					<tr>
562
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Mode"); ?></td>
563
						<td width="78%" class="vtable">
564
							<select name="mode" class="formselect" onchange="change_mode()">
565
								<?php
566
									foreach($p2_modes as $name => $value):
567
										$selected = "";
568
										if ($name == $pconfig['mode'])
569
											$selected = "selected=\"selected\"";
570
								?>
571
								<option value="<?=$name;?>" <?=$selected;?>><?=$value;?></option>
572
								<?php endforeach; ?>
573
							</select>
574
						</td>
575
					</tr>
576
					<tr id="opt_localid">
577
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Local Network"); ?></td>
578
						<td width="78%" class="vtable">
579
							<table border="0" cellspacing="0" cellpadding="0" summary="local network">
580
								<tr>
581
									<td><?=gettext("Type"); ?>:&nbsp;&nbsp;</td>
582
									<td></td>
583
									<td>
584
										<select name="localid_type" class="formselect" onchange="typesel_change_local()">
585
											<option value="address" <?php if ($pconfig['localid_type'] == "address") echo "selected=\"selected\"";?>><?=gettext("Address"); ?></option>
586
											<option value="network" <?php if ($pconfig['localid_type'] == "network") echo "selected=\"selected\"";?>><?=gettext("Network"); ?></option>
587
											<?php
588
												$iflist = get_configured_interface_with_descr();
589
												foreach ($iflist as $ifname => $ifdescr):
590
											?>
591
											<option value="<?=$ifname; ?>" <?php if ($pconfig['localid_type'] == $ifname ) echo "selected=\"selected\"";?>><?=sprintf(gettext("%s subnet"), $ifdescr); ?></option>
592
											<?php endforeach; ?>
593
										</select>
594
									</td>
595
								</tr>
596
								<tr>
597
									<td><?=gettext("Address:");?>&nbsp;&nbsp;</td>
598
									<td><?=$mandfldhtmlspc;?></td>
599
									<td>
600
										<input name="localid_address" type="text" class="formfld unknown ipv4v6" id="localid_address" size="28" value="<?=htmlspecialchars($pconfig['localid_address']);?>" />
601
										/
602
										<select name="localid_netbits" class="formselect ipv4v6" id="localid_netbits">
603
										<?php for ($i = 128; $i >= 0; $i--): ?>
604
											<option value="<?=$i;?>" <?php if (isset($pconfig['localid_netbits']) && $i == $pconfig['localid_netbits']) echo "selected=\"selected\""; ?>>
605
												<?=$i;?>
606
											</option>
607
										<?php endfor; ?>
608
										</select>
609
									</td>
610
								</tr>
611
								<tr> <td colspan="3">
612
								<br />
613
								<?php echo gettext("In case you need NAT/BINAT on this network specify the address to be translated"); ?>
614
								</td></tr>
615
								<tr>
616
									<td><?=gettext("Type"); ?>:&nbsp;&nbsp;</td>
617
									<td></td>
618
									<td>
619
										<select name="natlocalid_type" class="formselect" onchange="typesel_change_natlocal()">
620
											<option value="address" <?php if ($pconfig['natlocalid_type'] == "address") echo "selected=\"selected\"";?>><?=gettext("Address"); ?></option>
621
											<option value="network" <?php if ($pconfig['natlocalid_type'] == "network") echo "selected=\"selected\"";?>><?=gettext("Network"); ?></option>
622
											<?php
623
												$iflist = get_configured_interface_with_descr();
624
												foreach ($iflist as $ifname => $ifdescr):
625
											?>
626
											<option value="<?=$ifname; ?>" <?php if ($pconfig['natlocalid_type'] == $ifname ) echo "selected=\"selected\"";?>><?=sprintf(gettext("%s subnet"), $ifdescr); ?></option>
627
											<?php endforeach; ?>
628
											<option value="none" <?php if (empty($pconfig['natlocalid_type']) || $pconfig['natlocalid_type'] == "none" ) echo "selected=\"selected\"";?>><?=gettext("None"); ?></option>
629
										</select>
630
									</td>
631
								</tr>
632
								<tr>
633
									<td><?=gettext("Address:");?>&nbsp;&nbsp;</td>
634
									<td><?=$mandfldhtmlspc;?></td>
635
									<td>
636
										<input name="natlocalid_address" type="text" class="formfld unknown ipv4v6" id="natlocalid_address" size="28" value="<?=htmlspecialchars($pconfig['natlocalid_address']);?>" />
637
										/
638
										<select name="natlocalid_netbits" class="formselect ipv4v6" id="natlocalid_netbits">
639
										<?php for ($i = 128; $i >= 0; $i--): ?>
640
											<option value="<?=$i;?>" <?php if (isset($pconfig['natlocalid_netbits']) && $i == $pconfig['natlocalid_netbits']) echo "selected=\"selected\""; ?>>
641
												<?=$i;?>
642
											</option>
643
										<?php endfor; ?>
644
										</select>
645
									</td>
646
								</tr>
647
							</table>
648
						</td>
649
					</tr>
650

    
651
					<?php if (!isset($pconfig['mobile'])): ?>
652
					
653
					<tr id="opt_remoteid">
654
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Remote Network"); ?></td>
655
						<td width="78%" class="vtable">
656
							<table border="0" cellspacing="0" cellpadding="0" summary="remote network">
657
								<tr>
658
									<td><?=gettext("Type"); ?>:&nbsp;&nbsp;</td>
659
									<td></td>
660
									<td>
661
										<select name="remoteid_type" class="formselect" onchange="typesel_change_remote()">
662
											<option value="address" <?php if ($pconfig['remoteid_type'] == "address") echo "selected=\"selected\""; ?>><?=gettext("Address"); ?></option>
663
											<option value="network" <?php if ($pconfig['remoteid_type'] == "network") echo "selected=\"selected\""; ?>><?=gettext("Network"); ?></option>
664
										</select>
665
									</td>
666
								</tr>
667
								<tr>
668
									<td><?=gettext("Address"); ?>:&nbsp;&nbsp;</td>
669
									<td><?=$mandfldhtmlspc;?></td>
670
									<td>
671
										<input name="remoteid_address" type="text" class="formfld unknown ipv4v6" id="remoteid_address" size="28" value="<?=htmlspecialchars($pconfig['remoteid_address']);?>" />
672
										/
673
										<select name="remoteid_netbits" class="formselect ipv4v6" id="remoteid_netbits">
674
										<?php for ($i = 128; $i >= 0; $i--) { 
675
											
676
											echo "<option value=\"{$i}\"";
677
											if (isset($pconfig['remoteid_netbits']) && $i == $pconfig['remoteid_netbits']) echo " selected=\"selected\"";
678
											echo ">{$i}</option>\n";
679
											} ?>
680
										</select>
681
									</td>
682
								</tr>
683
							</table>
684
						</td>
685
					</tr>
686
					
687
					<?php endif; ?>
688
					
689
					<tr>
690
						<td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td>
691
						<td width="78%" class="vtable">
692
							<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" />
693
							<br />
694
							<span class="vexpl">
695
								<?=gettext("You may enter a description here " .
696
								"for your reference (not parsed)"); ?>.
697
							</span>
698
						</td>
699
					</tr>
700
					<tr>
701
						<td colspan="2" class="list" height="12"></td>
702
					</tr>
703
					<tr>
704
						<td colspan="2" valign="top" class="listtopic">
705
							<?=gettext("Phase 2 proposal (SA/Key Exchange)"); ?>
706
						</td>
707
					</tr>
708
					<tr>
709
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol"); ?></td>
710
						<td width="78%" class="vtable">
711
							<select name="proto" class="formselect" onchange="change_protocol()">
712
							<?php foreach ($p2_protos as $proto => $protoname): ?>
713
								<option value="<?=$proto;?>" <?php if ($proto == $pconfig['proto']) echo "selected=\"selected\""; ?>>
714
									<?=htmlspecialchars($protoname);?>
715
								</option>
716
							<?php endforeach; ?>
717
							</select>
718
							<br />
719
							<span class="vexpl">
720
								<?=gettext("ESP is encryption, AH is authentication only"); ?>
721
							</span>
722
						</td>
723
					</tr>
724
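					<tr id="opt_enc">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithms"); ?></td>
						<td width="78%" class="vtable">
							<table border="0" cellspacing="0" cellpadding="0" summary="encryption">
							<?php
								/* One row per entry of the static $p2_ealgos table: a checkbox named
								 * ealgos[] plus, for algorithms that carry a 'keysel' range, a
								 * keylen_<algo> selector offering "auto" and hi..lo in 'step'
								 * decrements.  Those are the field names pconfig_to_ealgos() at the
								 * bottom of this file reads back. */
								foreach ($p2_ealgos as $algo => $algodata):
									$checked = '';
									if (isset($pconfig['ealgos']) && is_array($pconfig['ealgos']) && in_array($algo,$pconfig['ealgos']))
										$checked = " checked=\"checked\"";
								?>
								<tr>
									<td>
										<input type="checkbox" name="ealgos[]" value="<?=htmlspecialchars($algo);?>"<?=$checked?> />
									</td>
									<td>
										<?=htmlspecialchars($algodata['name']);?>
									</td>
									<td>
										<?php if(isset($algodata['keysel']) && is_array($algodata['keysel'])): ?>
										&nbsp;&nbsp;
										<select name="keylen_<?=htmlspecialchars($algo);?>" class="formselect">
											<option value="auto"><?=gettext("auto"); ?></option>
											<?php
												$key_hi = $algodata['keysel']['hi'];
												$key_lo = $algodata['keysel']['lo'];
												$key_step = $algodata['keysel']['step'];
												/* Only a previously saved or posted length for this algorithm
												 * may preselect an entry; the isset() guard keeps a fresh form
												 * from tripping an undefined-index notice on the lookup. */
												$cur_keylen = isset($pconfig["keylen_".$algo]) ? $pconfig["keylen_".$algo] : null;
												for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step):
													$selected = "";
													if ($cur_keylen !== null && $keylen == $cur_keylen)
														$selected = " selected=\"selected\"";
											?>
											<option value="<?=$keylen;?>"<?=$selected;?>><?=$keylen;?> <?=gettext("bits"); ?></option>
											<?php endfor; ?>
										</select>
										<?php endif; ?>
									</td>
								</tr>
								
								<?php endforeach; ?>
								
							</table>
							<br />
							<?php /* NOTE(review): this hint is dated -- 3DES and Blowfish are 64-bit block
							         ciphers, which is what the "Sweet32" birthday-bound attacks target on
							         long-lived, high-volume SAs; AES is the sensible recommendation today.
							         The hint is a translatable string, so it is left untouched here rather
							         than edited in place. */ ?>
							<?=gettext("Hint: use 3DES for best compatibility or if you have a hardware " . 
							"crypto accelerator card. Blowfish is usually the fastest in " .
							"software encryption"); ?>.
						</td>
					</tr>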
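					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Hash algorithms"); ?></td>
						<td width="78%" class="vtable">
						<?php
							/* One checkbox per entry of the static $p2_halgos table.  Guard
							 * $pconfig['halgos'] the same way the encryption list above guards
							 * $pconfig['ealgos']: a missing or non-array value (presumably when
							 * nothing was ticked) must not be handed to in_array(), which is a
							 * TypeError on PHP 8 and a warning before that. */
							$cur_halgos = (isset($pconfig['halgos']) && is_array($pconfig['halgos'])) ? $pconfig['halgos'] : array();
							foreach ($p2_halgos as $algo => $algoname): ?>
							<input type="checkbox" name="halgos[]" value="<?=htmlspecialchars($algo);?>" <?php if (in_array($algo, $cur_halgos)) echo "checked=\"checked\""; ?> />
							<?=htmlspecialchars($algoname);?>
							<br />
						<?php endforeach; ?>
						</td>
					</tr>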
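					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("PFS key group"); ?></td>
						<td width="78%" class="vtable">
						<?php if (!isset($pconfig['mobile']) || !isset($a_client['pfs_group'])): ?>
							<select name="pfsgroup" class="formselect">
							<?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?>
								<option value="<?=htmlspecialchars($keygroup);?>" <?php if ($keygroup == $pconfig['pfsgroup']) echo "selected=\"selected\""; ?>>
									<?=htmlspecialchars($keygroupname);?>
								</option>
							<?php endforeach; ?>
							</select>
							<br />
							<?php else: ?>
							<?php
								/* Mobile phase 2 with a global PFS group configured: show the global
								 * choice read-only.  Escape the label like every other label on this
								 * page, and fall back to an empty label (what the unguarded lookup
								 * printed) instead of an undefined-index notice when the configured
								 * group is not in the $p2_pfskeygroups table. */
								$global_pfs_label = isset($p2_pfskeygroups[$a_client['pfs_group']]) ? $p2_pfskeygroups[$a_client['pfs_group']] : '';
							?>
							<select class="formselect" disabled="disabled">
								<option selected="selected"><?=htmlspecialchars($global_pfs_label);?></option>
							</select>
							<?php /* NOTE(review): the value re-submitted here is the per-entry
							         $pconfig['pfsgroup'], not the global $a_client['pfs_group'] shown
							         above.  Whether the global wins when the tunnel is generated is
							         decided outside this page (vpn.inc) -- confirm before relying on
							         the display matching what gets configured. */ ?>
							<input name="pfsgroup" type="hidden" value="<?=htmlspecialchars($pconfig['pfsgroup']);?>" />
							<br />
							<span class="vexpl"><em><?=gettext("Set globally in mobile client options"); ?></em></span>
						<?php endif; ?>
						</td>
					</tr>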
					<tr>
						<td width="22%" valign="top" class="vncell"><?php echo gettext("Lifetime"); ?></td>
						<td width="78%" class="vtable">
							<?php /* Phase 2 SA lifetime in seconds, as free text.  It is escaped on
							         output; any range/format validation happens in the POST handler
							         earlier in this file (not visible here -- confirm it is numeric-only). */ ?>
							<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?php echo htmlspecialchars($pconfig['lifetime']); ?>" />
							<?php echo gettext("seconds"); ?>
						</td>
					</tr>
					<tr>
						<td colspan="2" class="list" height="12"></td>
					</tr>
					<tr>
						<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Options"); ?></td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncell"><?php echo gettext("Automatically ping host"); ?></td>
						<td width="78%" class="vtable">
							<?php /* Optional keep-alive target; the label asks for an IP address.  The
							         value is escaped on output; whether it is validated as an address
							         before it is stored is decided by the POST handler outside this view. */ ?>
							<input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="28" value="<?php echo htmlspecialchars($pconfig['pinghost']); ?>" />
							<?php echo gettext("IP address"); ?>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top">&nbsp;</td>
						<td width="78%">
						<?php /* Mobile phase 2 entries carry their mode and a fixed remote id type
						         ("mobile") as hidden fields, so the save handler sees them even though
						         the remote id row is not rendered for mobile entries.  Note this test
						         is by truthiness while the other mobile checks on this page use isset(). */
						if ($pconfig['mobile']) { ?>
							<input name="mobile" type="hidden" value="true" />
							<input name="remoteid_type" type="hidden" value="mobile" />
						<?php } ?>
							<input name="Submit" type="submit" class="formbtn" value="<?php echo gettext("Save"); ?>" />
							<?php /* ikeid / uniqid identify which phase 1 / phase 2 entry this save
							         belongs to; both are escaped on output and interpreted by the
							         POST handler outside this view. */ ?>
							<input name="ikeid" type="hidden" value="<?php echo htmlspecialchars($pconfig['ikeid']); ?>" />
							<input name="uniqid" type="hidden" value="<?php echo htmlspecialchars($pconfig['uniqid']); ?>" />
						</td>
					</tr>
				</table>
			</div>
		</td>
	</tr>
</table>
</form>
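<script type="text/javascript">
//<![CDATA[
<?php
	/* Initial form state, driven by the values being displayed.
	 *
	 * These values land inside JavaScript, not HTML, so htmlspecialchars() is
	 * the wrong escaper: it leaves ')', ';' and (before PHP 8.1) the single
	 * quote untouched, so a value such as 0);foo();// would be executed.  On a
	 * failed save $pconfig echoes the posted values back, so this is reachable
	 * by whoever can submit the form.
	 *
	 * String arguments are therefore emitted as JSON literals (json_encode also
	 * escapes '/', so "</script>" cannot terminate the block), and the prefix
	 * lengths as bare integers -- or as no argument at all when the value is
	 * absent or not numeric, which is what an empty value produced before. */
	$js_mode  = json_encode(isset($pconfig['mode']) ? (string)$pconfig['mode'] : '');
	$js_proto = json_encode(isset($pconfig['proto']) ? (string)$pconfig['proto'] : '');
	if ($js_mode === false)  $js_mode  = '""';   /* invalid UTF-8: fail closed to an empty string */
	if ($js_proto === false) $js_proto = '""';
	$js_local_netbits    = (isset($pconfig['localid_netbits'])    && is_numeric($pconfig['localid_netbits']))    ? (int)$pconfig['localid_netbits']    : '';
	$js_natlocal_netbits = (isset($pconfig['natlocalid_netbits']) && is_numeric($pconfig['natlocalid_netbits'])) ? (int)$pconfig['natlocalid_netbits'] : '';
	$js_remote_netbits   = (isset($pconfig['remoteid_netbits'])   && is_numeric($pconfig['remoteid_netbits']))   ? (int)$pconfig['remoteid_netbits']   : '';
?>
change_mode(<?=$js_mode?>);
change_protocol(<?=$js_proto?>);
typesel_change_local(<?=$js_local_netbits?>);
typesel_change_natlocal(<?=$js_natlocal_netbits?>);
<?php if (!isset($pconfig['mobile'])): ?>
typesel_change_remote(<?=$js_remote_netbits?>);
<?php endif; ?>
//]]>
</script>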
<?php include("fend.inc"); ?>
855
</body>
856
</html>
857

    
858
<?php
859

    
860
/* local utility functions */
861

    
862
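/*
 * Build the list of phase 2 encryption proposals from the form values.
 *
 * $pconfig['ealgos'] holds the names of the ticked "ealgos[]" checkboxes.
 * For every algorithm in the static $p2_ealgos table that offers a key-length
 * selector ('keysel'), the chosen length is read from $pconfig["keylen_<name>"],
 * which is the field name the form uses.  Algorithms are emitted in $p2_ealgos
 * order; names that are not in the table are dropped.
 *
 * The length used to be read from $_POST directly; reading it from $pconfig
 * makes the function work on whatever array the caller hands in (presumably
 * $_POST on save -- confirm against the caller) and mirrors ealgos_to_pconfig().
 *
 * Returns an array of array('name' => ..., 'keylen' => ...) entries; 'keylen'
 * is only present for algorithms with a selector and is null when the field
 * was not submitted.  An absent or non-array $pconfig['ealgos'] yields array().
 */
function pconfig_to_ealgos(& $pconfig) {
	global $p2_ealgos;

	$ealgos = array();
	if (!isset($pconfig['ealgos']) || !is_array($pconfig['ealgos']))
		return $ealgos;

	foreach ($p2_ealgos as $algo_name => $algo_data) {
		if (!in_array($algo_name, $pconfig['ealgos']))
			continue;
		$ealg = array('name' => $algo_name);
		if (isset($algo_data['keysel']) && is_array($algo_data['keysel']))
			$ealg['keylen'] = isset($pconfig["keylen_".$algo_name]) ? $pconfig["keylen_".$algo_name] : null;
		$ealgos[] = $ealg;
	}

	return $ealgos;
}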

    
881
/*
 * Inverse of pconfig_to_ealgos(): unpack a stored list of encryption
 * proposals into the flat form fields.
 *
 * Sets $pconfig['ealgos'] to the list of algorithm names and, for every
 * entry that carries a 'keylen', $pconfig["keylen_<name>"] to that length.
 * $pconfig['ealgos'] is reset first, so stale names never survive.
 *
 * Returns the $ealgos list it was given, unchanged.
 */
function ealgos_to_pconfig(& $ealgos,& $pconfig) {
	$pconfig['ealgos'] = array();

	$names = array();
	foreach ($ealgos as $entry) {
		$name = $entry['name'];
		$names[] = $name;
		if (isset($entry['keylen']))
			$pconfig["keylen_" . $name] = $entry['keylen'];
	}
	$pconfig['ealgos'] = $names;

	return $ealgos;
}

    
893
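/*
 * Translate the <prefix>id_type / <prefix>id_address / <prefix>id_netbits
 * form fields into the idinfo array stored in the phase 2 entry.
 *
 * $prefix is the form-field prefix (the page uses "local", "natlocal" and
 * "remote").  Only the fields the chosen type needs are read: "address"
 * takes an address, "network" an address plus prefix length, and every
 * other type (e.g. "mobile") is recorded by type alone.  The previous
 * version read all three keys unconditionally, which raised undefined-index
 * notices for every type that has no netbits field.
 *
 * Returns array('type' => ..., ['address' => ..., ['netbits' => ...]]);
 * 'type' is null when the type field is missing, and a missing address or
 * netbits field yields null for that key, as before.
 */
function pconfig_to_idinfo($prefix,& $pconfig) {
	$type = isset($pconfig[$prefix."id_type"]) ? $pconfig[$prefix."id_type"] : null;
	$idinfo = array('type' => $type);

	/* switch() compares loosely, exactly as the original did. */
	switch ($type) {
		case "address":
			$idinfo['address'] = isset($pconfig[$prefix."id_address"]) ? $pconfig[$prefix."id_address"] : null;
			break;
		case "network":
			$idinfo['address'] = isset($pconfig[$prefix."id_address"]) ? $pconfig[$prefix."id_address"] : null;
			$idinfo['netbits'] = isset($pconfig[$prefix."id_netbits"]) ? $pconfig[$prefix."id_netbits"] : null;
			break;
	}

	return $idinfo;
}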

    
910
/*
 * Inverse of pconfig_to_idinfo(): spread a stored idinfo array back over the
 * <prefix>id_type / <prefix>id_address / <prefix>id_netbits form fields.
 *
 * The type is always written; the address is written for the "address" and
 * "network" types, and the prefix length for "network" only.  Comparisons
 * are loose, matching the switch() this replaces.  Nothing is returned;
 * $pconfig is updated in place.
 */
function idinfo_to_pconfig($prefix,& $idinfo,& $pconfig) {
	$kind = $idinfo['type'];
	$pconfig[$prefix."id_type"] = $kind;

	if ($kind == "address") {
		$pconfig[$prefix."id_address"] = $idinfo['address'];
	} elseif ($kind == "network") {
		$pconfig[$prefix."id_address"] = $idinfo['address'];
		$pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
	}
}

    
929
?>