
univnautes / etc / inc / vpn.inc @ c650b2f7

1 5b237745 Scott Ullrich
<?php
2 979cd6db Scott Ullrich
3 5b237745 Scott Ullrich
/*
4
	vpn.inc
5 979cd6db Scott Ullrich
	Copyright (C) 2004 Scott Ullrich
6 a93e56c5 Matthew Grooms
	Copyright (C) 2008 Shrew Soft Inc
7 5debd85f caseyr232
	Copyright (C) 2008 Ermal Luçi
8 cfc707f7 Scott Ullrich
	All rights reserved.
9 17da6c79 Scott Ullrich
10
	originally part of m0n0wall (http://m0n0.ch/wall)
11
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12
	All rights reserved.
13
14 5b237745 Scott Ullrich
	Redistribution and use in source and binary forms, with or without
15
	modification, are permitted provided that the following conditions are met:
16 17da6c79 Scott Ullrich
17 5b237745 Scott Ullrich
	1. Redistributions of source code must retain the above copyright notice,
18
	   this list of conditions and the following disclaimer.
19 17da6c79 Scott Ullrich
20 5b237745 Scott Ullrich
	2. Redistributions in binary form must reproduce the above copyright
21
	   notice, this list of conditions and the following disclaimer in the
22
	   documentation and/or other materials provided with the distribution.
23 17da6c79 Scott Ullrich
24 5b237745 Scott Ullrich
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
26
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
28
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33
	POSSIBILITY OF SUCH DAMAGE.
34
*/
35 8f67a8e1 Scott Ullrich
36 523855b0 Scott Ullrich
/*
37 971de1f9 Renato Botelho
	pfSense_BUILDER_BINARIES:	/sbin/ifconfig
38 6c576b27 Ermal
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/ipsec	/usr/local/libexec/ipsec/charon /usr/local/libexec/ipsec/starter
39 09628a07 Renato Botelho
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/filterdns	/usr/local/sbin/mpd4
40 523855b0 Scott Ullrich
	pfSense_MODULE:	vpn
41
*/
42
43 50813d24 jim-p
require_once("ipsec.inc");
44
45 9abaa8f7 Ermal
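/**
 * Build, or push to the running daemon, the charon per-subsystem log levels.
 *
 * For every key of the global $ipsec_loglevels table the function reads
 * $config['ipsec']['ipsec_<key>']:
 *   - entry missing (or null)        -> level -1 (silent)
 *   - numeric entry in the range 1..5 -> that value minus one
 *   - anything else                   -> the subsystem is skipped entirely
 *     (not emitted into the config, and the daemon's current level is left
 *     untouched)
 *
 * Fix relative to the previous revision: the "${lkey}" interpolation form
 * (deprecated since PHP 8.2) is replaced by "{$lkey}", matching the rest of
 * the file, and the level is computed once instead of re-parsed per branch.
 *
 * @param bool $forconfig  true: return the levels as a comma-joined
 *                         "key = level" list for the charondebug= line of
 *                         ipsec.conf; false: apply each level with
 *                         "ipsec stroke loglevel".
 * @return string|null  the joined list when $forconfig is true, null otherwise
 */
function vpn_ipsec_configure_loglevels($forconfig = false)
{
	global $config, $ipsec_loglevels;

	$cfgtext = array();
	foreach (array_keys($ipsec_loglevels) as $lkey) {
		$level = null;
		if (!isset($config['ipsec']["ipsec_{$lkey}"])) {
			$level = -1;
		} else if (is_numeric($config['ipsec']["ipsec_{$lkey}"])) {
			$value = intval($config['ipsec']["ipsec_{$lkey}"]);
			if ($value >= 1 && $value <= 5)
				$level = $value - 1;
		}

		/* non-numeric or out-of-range value: leave this subsystem alone */
		if ($level === null)
			continue;

		if ($forconfig) {
			$cfgtext[] = "{$lkey} = {$level}";
		} else {
			/* $lkey is a key of the global $ipsec_loglevels table and $level is
			 * an int, so the only config-derived value reaching the shell here
			 * is an integer. Keep it that way if this line is ever changed. */
			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} {$level}", false);
		}
	}

	if ($forconfig)
		return implode(',', $cfgtext);
	return null;
}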
61
62 5b237745 Scott Ullrich
/* include all configuration functions */
63 496acde1 Ermal
/**
 * Map an IKE Diffie-Hellman group number to its strongSwan "modp" keyword.
 *
 * Callers in this file pass the phase 1 'dhgroup' and phase 2 'pfsgroup'
 * config values. The comparison is loose (==), exactly like the switch this
 * replaces, so both "14" and 14 select modp2048.
 *
 * @param string|int $index  DH group number (1, 2, 5, 14..18)
 * @return string  the modp keyword, or "" when the group is unknown
 */
function vpn_ipsec_convert_to_modp($index)
{
	/* Group number => strongSwan proposal keyword. Groups 1 and 2
	 * (768/1024-bit) are widely regarded as too weak for new tunnels; they
	 * are presumably kept so existing configurations still produce a valid
	 * proposal — confirm before relying on them. */
	$modp_by_group = array(
		'1'  => "modp768",
		'2'  => "modp1024",
		'5'  => "modp1536",
		'14' => "modp2048",
		'15' => "modp3072",
		'16' => "modp4096",
		'17' => "modp6144",
		'18' => "modp8192",
	);

	foreach ($modp_by_group as $group => $modp) {
		/* PHP stores numeric-string keys as ints; cast back so the loose
		 * comparison is identical to the original `case '14':` semantics. */
		if ($index == (string) $group)
			return $modp;
	}

	return "";
}
96 8f67a8e1 Scott Ullrich
97 a93e56c5 Matthew Grooms
function vpn_ipsec_configure($ipchg = false)
98
{
99
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
100 17da6c79 Scott Ullrich
101 7734aea6 Andrew Thompson
	if ($g['platform'] == 'jail')
102
		return;
103 52c9f9fa Ermal
104 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
105 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
106
	touch("{$g['vardb_path']}/ipsecpinghosts");
107 c1f5a46b Scott Ullrich
108 7b2fdac4 jim-p
	vpn_ipsec_configure_preferoldsa();
109 8f67a8e1 Scott Ullrich
110
	$syscfg = $config['system'];
111 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
112 a93e56c5 Matthew Grooms
	$a_phase1 = $config['ipsec']['phase1'];
113
	$a_phase2 = $config['ipsec']['phase2'];
114 3462a529 Matthew Grooms
	$a_client = $config['ipsec']['client'];
115 8f67a8e1 Scott Ullrich
116 2f1e0311 Seth Mos
	if (!isset($ipseccfg['enable'])) {
117 6c576b27 Ermal
		/* try to stop charon */
118
		mwexec("/usr/local/sbin/ipsec stop");
119 52c9f9fa Ermal
		/* Stop dynamic monitoring */
120 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
121 98c02cac Ermal
122 6c576b27 Ermal
		/* wait for process to die */
123 8f67a8e1 Scott Ullrich
		sleep(2);
124
125 84fa0d60 Scott Ullrich
		/* disallow IPSEC, it is off */
126 52c9f9fa Ermal
		mwexec("/sbin/ifconfig enc0 down");
127 971de1f9 Renato Botelho
		set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
128 2f1e0311 Seth Mos
129 6a781df6 Ermal
		return 0;
130 04b46591 Ermal Lu?i
	} else {
131 3bb6bfd2 Ermal
		mwexec("/sbin/ifconfig enc0 up");
132 971de1f9 Renato Botelho
		set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
133 52c9f9fa Ermal
		/* needed for config files */
134
		if (!is_dir("{$g['varetc_path']}/ipsec"))
135
			mkdir("{$g['varetc_path']}/ipsec");
136 3ad5fd27 Ermal
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
137
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
138
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
139
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
140
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
141
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
142
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
143
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
144
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
145
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
146
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
147
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
148
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
149
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
150 4a4fc162 Ermal
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
151
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
152 3ad5fd27 Ermal
		if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
153
			mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
154 496acde1 Ermal
		
155 3bb6bfd2 Ermal
156 924876a8 Ermal Lu?i
		if ($g['booting'])
157 89ceb4ba Renato Botelho
			echo gettext("Configuring IPsec VPN... ");
158 924876a8 Ermal Lu?i
159 8f67a8e1 Scott Ullrich
		/* fastforwarding is not compatible with ipsec tunnels */
160 971de1f9 Renato Botelho
		set_single_sysctl("net.inet.ip.fastforwarding", "0");
161 8f67a8e1 Scott Ullrich
162 a93e56c5 Matthew Grooms
		/* resolve all local, peer addresses and setup pings */
163
		$ipmap = array();
164
		$rgmap = array();
165 f8c10a18 Ermal
		$filterdns_list = array();
166 496acde1 Ermal
		$listeniflist = array();
167 b0bf6bd0 Ermal
		unset($iflist);
168 a93e56c5 Matthew Grooms
		if (is_array($a_phase1) && count($a_phase1)) {
169 87e07f52 mgrooms
170 ac463c00 smos
			$ipsecpinghosts = "";
171 87e07f52 mgrooms
			/* step through each phase1 entry */
172 a93e56c5 Matthew Grooms
			foreach ($a_phase1 as $ph1ent) {
173
				if (isset($ph1ent['disabled']))
174
					continue;
175 8f67a8e1 Scott Ullrich
176 496acde1 Ermal
				$listeniflist = get_real_interface($a_phase1['interface']);
177
178 0af7398a Matthew Grooms
				$ep = ipsec_get_phase1_src($ph1ent);
179 fb17f629 Seth Mos
				if (!is_ipaddr($ep))
180 a93e56c5 Matthew Grooms
					continue;
181 8f67a8e1 Scott Ullrich
182 a93e56c5 Matthew Grooms
				if(!in_array($ep,$ipmap))
183
					$ipmap[] = $ep;
184 8f67a8e1 Scott Ullrich
185 a93e56c5 Matthew Grooms
				/* see if this tunnel has a hostname for the remote-gateway. If so,
186 f8c10a18 Ermal
				   try to resolve it now and add it to the list for filterdns */
187 8f67a8e1 Scott Ullrich
188 3462a529 Matthew Grooms
				if (isset ($ph1ent['mobile']))
189
					continue;
190
191 a93e56c5 Matthew Grooms
				$rg = $ph1ent['remote-gateway'];
192 979cd6db Scott Ullrich
193 a93e56c5 Matthew Grooms
				if (!is_ipaddr($rg)) {
194 f8c10a18 Ermal
					$filterdns_list[] = "{$rg}";
195 c60cae98 Seth Mos
					add_hostname_to_watch($rg);
196 621a459a smos
					if(! $g['booting'])
197
						$rg = resolve_retry($rg);
198
					if (!is_ipaddr($rg))
199 979cd6db Scott Ullrich
						continue;
200 a93e56c5 Matthew Grooms
				}
201 829fa12e smos
				if(array_search($rg, $rgmap)) {
202
					log_error("The remote gateway {$rg} already exists on another phase 1 entry");
203
					continue;
204
				}
205 a93e56c5 Matthew Grooms
				$rgmap[$ph1ent['remote-gateway']] = $rg;
206 8f67a8e1 Scott Ullrich
207 a11df336 jim-p
				if (is_array($a_phase2)) {
208
					/* step through each phase2 entry */
209
					foreach ($a_phase2 as $ph2ent) {
210
						$ikeid = $ph2ent['ikeid'];
211
212
						if (isset($ph2ent['disabled']))
213
							continue;
214
215
						if ($ikeid != $ph1ent['ikeid'])
216
							continue;
217
218
						/* add an ipsec pinghosts entry */
219
						if ($ph2ent['pinghost']) {
220 b0bf6bd0 Ermal
							if (!is_array($iflist))
221
								$iflist = get_configured_interface_list();
222 dc63467f Matt Smith
							$viplist = get_configured_vips_list();
223
							$srcip = null;
224
							$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
225
							if(is_ipaddrv6($ph2ent['pinghost'])) {
226
								foreach ($iflist as $ifent => $ifname) {
227 a11df336 jim-p
									$interface_ip = get_interface_ipv6($ifent);
228
									if(!is_ipaddrv6($interface_ip))
229
										continue;
230
									if (ip_in_subnet($interface_ip, $local_subnet)) {
231
										$srcip = $interface_ip;
232
										break;
233
									}
234 dc63467f Matt Smith
								}
235
							} else {
236
								foreach ($iflist as $ifent => $ifname) {
237 a11df336 jim-p
									$interface_ip = get_interface_ip($ifent);
238
									if(!is_ipaddrv4($interface_ip))
239
										continue;
240 b0bf6bd0 Ermal
									if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
241 a11df336 jim-p
										$srcip = $interface_ip;
242
										break;
243
									}
244 fb17f629 Seth Mos
								}
245 a11df336 jim-p
							}
246 dc63467f Matt Smith
							/* if no valid src IP was found in configured interfaces, try the vips */
247
							if (is_null($srcip)) {
248
								foreach ($viplist as $vip) {
249
									if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
250
										$srcip = $vip['ipaddr'];
251
										break;
252
									}
253
								}
254
							}
255 a11df336 jim-p
							$dstip = $ph2ent['pinghost'];
256
							if(is_ipaddrv6($dstip)) {
257
								$family = "inet6";
258 fb17f629 Seth Mos
							} else {
259 a11df336 jim-p
								$family = "inet";
260 741077bc Ermal Lu?i
							}
261 a11df336 jim-p
							if (is_ipaddr($srcip))
262
								$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
263 87e07f52 mgrooms
						}
264 17da6c79 Scott Ullrich
					}
265 a93e56c5 Matthew Grooms
				}
266
			}
267 923e440b Renato Botelho
			@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
268
			unset($ipsecpinghosts);
269 a93e56c5 Matthew Grooms
		}
270 496acde1 Ermal
		unset($iflist);
271
272
		$strongswan = <<<EOD
273
274 ecc37958 Ermal
#Automatically generated please do not modify
275 496acde1 Ermal
starter {
276
    load_warning = no
277
}
278
279
charon {
280
281
        # number of worker threads in charon
282
        threads = 16
283
284 466a5a81 Ermal
	# XXX: There is not much choice here really users win their security!
285
	i_dont_care_about_security_and_use_aggressive_mode_psk=yes
286
287 7335fa53 Ermal
	# And two loggers using syslog. The subsections define the facility to log
288
	# to, currently one of: daemon, auth.
289
	syslog {
290
291
		identifier = charon
292
		# default level to the LOG_DAEMON facility
293
		daemon {
294
		}
295
		# very minimalistic IKE auditing logs to LOG_AUTHPRIV
296
		auth {
297
		    default = -1
298
		    ike = 1
299 b7b3bc71 Ermal
		    ike_name = yes
300 7335fa53 Ermal
		}
301
	}
302 c6efc8fd Ermal
303 496acde1 Ermal
EOD;
304
305 75786d2a jim-p
		if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list']))
306 496acde1 Ermal
			$strongswan .= "\tcisco_unity = yes\n";
307
308
		$strongswan .= "\tplugins {\n";
309
310
		if (is_array($a_client) && isset($a_client['enable'])) {
311
			$strongswan .= "\t\tattr {\n";
312 5ed13df0 Ermal
			if ($a_client['pool_address'] && $a_client['pool_netbits'])
313 aeb0f546 jim-p
				$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
314 496acde1 Ermal
315
			$cfgservers = array();
316
			if (!empty($a_client['dns_server1']))
317
				$cfgservers[] = $a_client['dns_server1'];
318
			if (!empty($a_client['dns_server2']))
319
				$cfgservers[] = $a_client['dns_server2'];
320
			if (!empty($a_client['dns_server3']))
321
				$cfgservers[] = $a_client['dns_server3'];
322
			if (!empty($a_client['dns_server4']))
323
				$cfgservers[] = $a_client['dns_server4'];
324
325
			if (!empty($cfgservers))
326
				$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
327
			unset($cfgservers);
328
			$cfgservers = array();
329
			if (!empty($a_client['wins_server1']))
330
				$cfgservers[] = $a_client['wins_server1'];
331
			if (!empty($a_client['wins_server2']))
332
				$cfgservers[] = $a_client['wins_server2'];
333
			if (!empty($cfgservers))
334
				$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
335
			unset($cfgservers);
336
337 8f5ac1a1 jim-p
			if (isset($a_client['net_list'])) {
338 496acde1 Ermal
				$net_list = '';
339
				foreach ($a_phase2 as $ph2ent) {
340
					if (isset($ph2ent['disabled']))
341
						continue;
342
343
					if (!isset($ph2ent['mobile']))
344
						continue;
345
346
					$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
347
348 29629bca Ermal
					if (!empty($net_list))
349
						$net_list .= ",";
350 496acde1 Ermal
					$net_list .= $localid;
351
				}
352
353
				if (!empty($net_list)) {
354
					$strongswan .= "\t\tsplit-include = {$net_list}\n";
355
					unset($net_list);
356
				}
357
			}
358
359
			if (!empty($a_client['dns_domain'])) {
360
				$strongswan .= "\t\t# Search domain and default domain\n";
361
				$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
362
				if (empty($a_client['dns_split']))
363
					$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
364
				$strongswan .= "\n";
365
			}
366
367
			if (!empty($a_client['dns_split'])) {
368
				$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
369
			}
370
371
			if (!empty($a_client['login_banner']))
372
				$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
373
374
			if (isset($a_client['save_passwd']))
375
				$strongswan .= "\t\t28673 = yes\n";
376
377
			if ($a_client['pfs_group'])
378
				$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
379
			$strongswan .= "\t\t}\n";
380
381 91287d1f Ermal
			if ($a_client['user_source'] != "none") {
382
				$strongswan .= "\txauth-generic {\n";
383 c6efc8fd Ermal
				$strongswan .= "\t\tscript = /etc/inc/ipsec.auth-user.php\n";
384 91287d1f Ermal
				$strongswan .= "\t\tauthcfg = ";
385
				$firstsed = 0;
386 c6efc8fd Ermal
				$authcfgs = explode(",", $a_client['user_source']);
387 91287d1f Ermal
				foreach ($authcfgs as $authcfg) {
388
					if ($firstsed > 0)
389
						$strongswan .= ",";
390
					if ($authcfg == "system")
391
						$authcfg = "Local Database";
392
					$strongswan .= $authcfg;
393
					$firstsed = 1;
394
				}
395
				$strongswan .= "\n";
396
				$strongswan .= "\t}\n";
397
			}
398 496acde1 Ermal
		}
399
400
		$strongswan .= "\t}\n}\n";
401
		@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
402
		unset($strongswan);
403 8f67a8e1 Scott Ullrich
404 a93e56c5 Matthew Grooms
		/* generate CA certificates files */
405 1e332e98 jim-p
		if (is_array($config['ca']) && count($config['ca'])) {
406
			foreach ($config['ca'] as $ca) {
407 73fbece8 mgrooms
				if (!isset($ca['crt'])) {
408 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
409 73fbece8 mgrooms
					continue;
410
				}
411
				$cert = base64_decode($ca['crt']);
412
				$x509cert = openssl_x509_parse(openssl_x509_read($cert));
413
				if (!is_array($x509cert) || !isset($x509cert['hash'])) {
414 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
415 73fbece8 mgrooms
					continue;
416
				}
417 3ad5fd27 Ermal
				$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
418 52c9f9fa Ermal
				if (!@file_put_contents($fname, $cert)) {
419 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
420 73fbece8 mgrooms
					continue;
421 a93e56c5 Matthew Grooms
				}
422 a49784a2 Ermal
				unset($cert);
423 a93e56c5 Matthew Grooms
			}
424
		}
425 09628a07 Renato Botelho
426 a93e56c5 Matthew Grooms
		$pskconf = "";
427 037b51b3 Seth Mos
428 a93e56c5 Matthew Grooms
		if (is_array($a_phase1) && count($a_phase1)) {
429
			foreach ($a_phase1 as $ph1ent) {
430
431
				if (isset($ph1ent['disabled']))
432
					continue;
433
434 496acde1 Ermal
				if (strstr($ph1ent['authentication_method'],'rsa')) {
435
					$certline = '';
436 a93e56c5 Matthew Grooms
437 496acde1 Ermal
					if (strstr($authmethod,'rsa')) {
438 a93e56c5 Matthew Grooms
439 496acde1 Ermal
						$cert = lookup_cert($ph1ent['certref']);
440 a93e56c5 Matthew Grooms
441 496acde1 Ermal
						if (!$cert) {
442
							log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
443
							continue;
444
						}
445 a93e56c5 Matthew Grooms
446 496acde1 Ermal
						chmod($certpath, 0600);
447
448
						$keyfile = "cert-{$ikeid}.key";
449
						$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}";
450 8f67a8e1 Scott Ullrich
451 496acde1 Ermal
						if (!file_put_contents($keypath, base64_decode($cert['prv']))) {
452
							log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
453
							continue;
454
						}
455
456
						chmod($keypath, 0600);
457
						/* XXX" Traffic selectors? */
458
						$pskconf .= " : RSA {$keypath}\n";
459
460
						$ca = lookup_ca($ph1ent['caref']);
461
						if ($ca) {
462
							$cafile = "ca-{$ikeid}.crt";
463 3ad5fd27 Ermal
							$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}";
464 496acde1 Ermal
465
							if (!file_put_contents($capath, base64_decode($ca['crt'])))
466
							{
467
								log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name']));
468
								continue;
469
							}
470
471
							chmod($capath, 0600);
472
						}
473
					}
474
				} else {
475 95589abd jim-p
					list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
476
					list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
477 496acde1 Ermal
478 95589abd jim-p
					if (empty($peerid_data))
479
						continue;
480 496acde1 Ermal
481 95589abd jim-p
					$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
482
					$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
483
					if (!empty($ph1ent['pre-shared-key']))
484
						$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
485 496acde1 Ermal
				}
486 5b237745 Scott Ullrich
			}
487 a93e56c5 Matthew Grooms
		}
488
489 4ed2dde7 jim-p
		/* Add user PSKs */
490 0b5fc1d1 Ermal
		if (is_array($config['system']) && is_array($config['system']['user'])) {
491
			foreach ($config['system']['user'] as $user) {
492
				if (!empty($user['ipsecpsk'])) {
493
					$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
494
				}
495 4ed2dde7 jim-p
			}
496 0b5fc1d1 Ermal
			unset($user);
497 4ed2dde7 jim-p
		}
498
499 2ef1b601 jim-p
		/* add PSKs for mobile clients */
500
		if (is_array($ipseccfg['mobilekey'])) {
501
			foreach ($ipseccfg['mobilekey'] as $key) {
502 f1bede03 Ermal
				if ($key['ident'] == "allusers")
503
					$key['ident'] = '';
504 496acde1 Ermal
				$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
505 2ef1b601 jim-p
			}
506 0b5fc1d1 Ermal
			unset($key);
507 2ef1b601 jim-p
		}
508
509 496acde1 Ermal
		@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
510
		chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
511 a49784a2 Ermal
		unset($pskconf);
512 09628a07 Renato Botelho
513 3eeac256 Ermal
		$natfilterrules = false;
514 496acde1 Ermal
		/* begin ipsec.conf */
515
		$ipsecconf = "";
516 0b5fc1d1 Ermal
		if (is_array($a_phase1) && count($a_phase1))  {
517 17da6c79 Scott Ullrich
518 496acde1 Ermal
			$ipsecconf .= "# This file is automatically generated. Do not edit\n";
519 0b5fc1d1 Ermal
			$ipsecconf .= "config setup\n\tuniqueids = yes\n";
520
			$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
521 4178a1dd jim-p
522 0b5fc1d1 Ermal
			foreach ($a_phase1 as $ph1ent) {
523
				if (isset($ph1ent['disabled']))
524
					continue;
525 96267107 Ermal
526 0b5fc1d1 Ermal
				if ($ph1ent['mode'] == "aggressive")
527
					$aggressive = "yes";
528
				else
529
					$aggressive = "no";
530 3462a529 Matthew Grooms
531 0b5fc1d1 Ermal
				$ep = ipsec_get_phase1_src($ph1ent);
532
				if (!$ep)
533
					continue;
534 c52719a8 Scott Ullrich
535 0b5fc1d1 Ermal
				$keyexchange = "ikev1";
536 3b68ec45 Ermal
				$passive = "route";
537 0b5fc1d1 Ermal
				if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
538
					$keyexchange = "ikev2";
539 3b68ec45 Ermal
					//$passive = "start";
540 0b5fc1d1 Ermal
				} else
541
					$passive = "route";
542
543
				if (isset($ph1ent['mobile'])) {
544
					$right_spec = "%any";
545
					$passive = 'add';
546
				} else
547
					$right_spec = $ph1ent['remote-gateway'];
548
549
				list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
550
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
551
552
				/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
553
				$peerid_spec = '';
554
				if (!isset($ph1ent['mobile']))
555
					$peerid_spec = $peerid_data;
556
557
				if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
558
					$ealgosp1 = '';
559
					$ealg_id = $ph1ent['encryption-algorithm']['name'];
560
					$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
561
					if ($ealg_kl)
562
						$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
563
					else
564
						$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
565 3462a529 Matthew Grooms
566 0b5fc1d1 Ermal
					$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
567
					if (!empty($modp))
568
						$ealgosp1 .= "-{$modp}";
569 f1bede03 Ermal
570 5d37d515 Ermal
					$ealgosp1 .= "!";
571 0b5fc1d1 Ermal
				}
572 c52719a8 Scott Ullrich
573 0b5fc1d1 Ermal
				if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
574 bf8aab82 Ermal
					if ($passive == "route")
575 0b5fc1d1 Ermal
						$dpdline = "dpdaction = restart";
576 b4ad5b1c Ermal
					else
577 0b5fc1d1 Ermal
						$dpdline = "dpdaction = clear";
578
					$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
579
					$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
580
					$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
581
				} else
582
					$dpdline = "dpdaction = none";
583
584
				$ikelifeline = '';
585
				if ($ph1ent['lifetime'])
586
					$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
587
588
				$authentication = "";
589 154298f1 Chris Buechler
				$rightsourceip = NULL;
590 0b5fc1d1 Ermal
				switch ($ph1ent['authentication_method']) {
591
				case 'xauth_rsa_server':
592
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
593
					$authentication .= "\n\trightauth2 = xauth-generic";
594
					break;
595
				case 'xauth_psk_server':
596
					$authentication = "leftauth = psk\n\trightauth = psk";
597
					$authentication .= "\n\trightauth2 = xauth-generic";
598 154298f1 Chris Buechler
					if (!empty($a_client['pool_address'])) 
599
						$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
600 0b5fc1d1 Ermal
					break;
601
				case 'pre_shared_key':
602
					$authentication = "leftauth = psk\n\trightauth = psk";
603
					break;
604
				case 'rsasig':
605
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
606
					break;
607
				case 'hybrid_rsa_server':
608
					$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
609
					$authentication .= "\n\trightauth2 = xauth";
610
					break;
611
				}
612 b4ad5b1c Ermal
613 0b5fc1d1 Ermal
				$left_spec = $ep;
614 c52719a8 Scott Ullrich
615 0b5fc1d1 Ermal
				$ipseclifetime = 0;
616
				$rightsubnet_spec = array();
617
				$leftsubnet_spec = array();
618
				$ealgoAHsp2arr = array();
619
				$ealgoESPsp2arr = array();
620
			if (is_array($a_phase2) && count($a_phase2)) {
621
				foreach ($a_phase2 as $ph2ent) {
622
					$ikeid = $ph2ent['ikeid'];
623
					if ($ikeid != $ph1ent['ikeid'])
624
						continue;
625 c52719a8 Scott Ullrich
626 0b5fc1d1 Ermal
					if (isset($ph2ent['disabled']))
627
						continue;
628 6586b30f Ermal
629 0b5fc1d1 Ermal
					if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
630
						continue;
631 96ef83a7 jim-p
632 98790f61 Seth Mos
					if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
633 496acde1 Ermal
						$tunneltype = "type = tunnel";
634 c52719a8 Scott Ullrich
635 4b96b367 mgrooms
						$localid_type = $ph2ent['localid']['type'];
636 0b5fc1d1 Ermal
						$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
637 8f5c3d8d Pierre POMES
						/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
638 d60eea55 Ermal
						if (($localid_type == "none" || $localid_type == "mobile")
639 0b5fc1d1 Ermal
						    && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
640
							$left_spec = '%any';
641
						} else {
642 20699f3f jim-p
							if ($localid_type != "address") {
643
								$localid_type = "subnet";
644
							}
645 6c576b27 Ermal
							// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
646 0b5fc1d1 Ermal
							if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
647 cf0a2714 jim-p
								log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
648
								continue;
649
							}
650 3eeac256 Ermal
							if (!empty($ph2ent['natlocalid'])) {
651 0b5fc1d1 Ermal
								$natleftsubnet_data =  ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
652 a0c4a6ce Ermal
								if ($ph2ent['natlocalid']['type'] != "address") {
653 0b5fc1d1 Ermal
									if (is_subnet($natleftsubnet_data))
654
										$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
655 a0c4a6ce Ermal
								} else {
656 0b5fc1d1 Ermal
									if (is_ipaddr($natleftsubnet_data))
657
										$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
658 3c107b76 Ermal
								}
659 3eeac256 Ermal
								$natfilterrules = true;
660 3c107b76 Ermal
							}
661 20699f3f jim-p
						}
662 3462a529 Matthew Grooms
663 ae170e96 Ermal
						if (empty($leftsubnet_spec[$leftsubnet_data]))
664
							$leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
665 0b5fc1d1 Ermal
666 4b96b367 mgrooms
						if (!isset($ph2ent['mobile'])) {
667 ae170e96 Ermal
							$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
668
							if (empty($rightsubnet_spec[$tmpsubnet]))
669
								$rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
670 7f1b720f Chris Buechler
						} else if (!empty($a_client['pool_address'])) {
671 ae170e96 Ermal
							if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
672
								$rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
673 7f1b720f Chris Buechler
						}
674 4b96b367 mgrooms
					} else {
675 496acde1 Ermal
						$tunneltype = "type = transport";
676 5b237745 Scott Ullrich
677 20699f3f jim-p
						if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
678 0b5fc1d1 Ermal
						    ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
679
							$left_spec = "%any";
680
						} else {
681 ae170e96 Ermal
							$tmpsubnet = ipsec_get_phase1_src($ph1ent);
682
							if ($leftsubnet_spec[$tmpsubnet])
683
								$leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
684 496acde1 Ermal
						}
685 0b5fc1d1 Ermal
686 ae170e96 Ermal
						if (!isset($ph2ent['mobile'])) {
687
							if (empty($rightsubnet_spec[$right_spec]))
688
								$rightsubnet_spec[$right_spec] = $right_spec;
689
						}
690 3462a529 Matthew Grooms
					}
691 c52719a8 Scott Ullrich
692 496acde1 Ermal
					if (isset($a_client['pfs_group']))
693
						$ph2ent['pfsgroup'] = $a_client['pfs_group'];
694 f1bede03 Ermal
695 496acde1 Ermal
					if ($ph2ent['protocol'] == 'esp') {
696 c650b2f7 Ermal
						if (is_array($ph2ent['encryption-algorithm-option'])) {
697 496acde1 Ermal
							foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
698
								$ealg_id = $ealg['name'];
699
								$ealg_kl = $ealg['keylen'];
700
701
								if (!empty($ealg_kl) && $ealg_kl == "auto") {
702
									if (empty($p2_ealgos) || !is_array($p2_ealgos))
703 4ae540e5 Scott Ullrich
										require("ipsec.inc");
704 4b96b367 mgrooms
									$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
705
									$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
706
									$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
707 496acde1 Ermal
									/* XXX: in some cases where include ordering is suspect these variables
708
									 * are somehow 0 and we enter this loop forever and timeout after 900
709
									 * seconds wrecking bootup */
710
									if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
711 d86d411a Scott Ullrich
										for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
712 c650b2f7 Ermal
											if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
713
												foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
714
													$halgo = str_replace('hmac_', '', $halgo);
715
													$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
716
													$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
717
													if (!empty($modp))
718
														$tmpealgo .= "-{$modp}";
719
													$ealgoESPsp2arr[] = $tmpealgo;
720
												}
721
											} else {
722
												$tmpealgo = "{$ealg_id}{$keylen}";
723 496acde1 Ermal
												$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
724
												if (!empty($modp))
725
													$tmpealgo .= "-{$modp}";
726 0b5fc1d1 Ermal
												$ealgoESPsp2arr[] = $tmpealgo;
727 496acde1 Ermal
											}
728 d86d411a Scott Ullrich
										}
729 4b96b367 mgrooms
									}
730
								} else {
731 c650b2f7 Ermal
									if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
732
										foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
733
											$halgo = str_replace('hmac_', '', $halgo);
734
											$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
735
											$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
736
											if (!empty($modp))
737
												$tmpealgo .= "-{$modp}";
738
											$ealgoESPsp2arr[] = $tmpealgo;
739
										}
740
									} else {
741
										$tmpealgo = "{$ealg_id}{$ealg_kl}";
742 496acde1 Ermal
										$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
743
										if (!empty($modp))
744
											$tmpealgo .= "-{$modp}";
745 0b5fc1d1 Ermal
										$ealgoESPsp2arr[] = $tmpealgo;
746 496acde1 Ermal
									}
747 a93e56c5 Matthew Grooms
								}
748 979cd6db Scott Ullrich
							}
749 496acde1 Ermal
						}
750
					} else if ($ph2ent['protocol'] == 'ah') {
751 c650b2f7 Ermal
						if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
752 496acde1 Ermal
							$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
753 0b5fc1d1 Ermal
							foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
754
								$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
755
								if (!empty($modp))
756
									$tmpAHalgo = "-{$modp}";
757
								$ealgoAHsp2arr[] = $tmpAHalgo;
758
							}
759 a93e56c5 Matthew Grooms
						}
760 a63f7d55 Scott Ullrich
					}
761 c52719a8 Scott Ullrich
762 4b96b367 mgrooms
763 0b5fc1d1 Ermal
					if (!empty($ph2ent['lifetime'])) {
764
						if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
765
							$ipseclifetime = intval($ph2ent['lifetime']);
766
					}
767
				}
768
			}
769 496acde1 Ermal
770 0b5fc1d1 Ermal
				$ipsecconf .=<<<EOD
771 496acde1 Ermal
772 0b5fc1d1 Ermal
conn con{$ph1ent['ikeid']}
773 496acde1 Ermal
	aggressive = {$aggressive}
774
	fragmentation = yes
775
	keyexchange = {$keyexchange}
776
	reauth = yes
777 0b5fc1d1 Ermal
	rekey = yes
778 496acde1 Ermal
	reqid = {$ikeid}
779
	installpolicy = yes
780
	{$tunneltype}
781
	{$dpdline}
782
	auto = {$passive}
783 0b5fc1d1 Ermal
	left = {$left_spec}
784
	right = {$right_spec}
785 496acde1 Ermal
	leftid = {$myid_data}
786 5b237745 Scott Ullrich
787
EOD;
788 4b96b367 mgrooms
789 0b5fc1d1 Ermal
				if (!empty($ikelifeline))
790
					$ipsecconf .= "\t{$ikelifeline}\n";
791
				if ($ipseclifetime > 0)
792
					$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
793 7f1b720f Chris Buechler
				if (!empty($rightsourceip))
794
					$ipsecconf .= "{$rightsourceip}";
795 0b5fc1d1 Ermal
				if (!empty($rightsubnet_spec))
796
					$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
797
				if (!empty($leftsubnet_spec))
798
					$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
799
				if (!empty($ealgosp1))
800
					$ipsecconf .= "\t{$ealgosp1}\n";
801
				if (!empty($ealgoAHsp2arr))
802
					$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
803 c650b2f7 Ermal
				if (!empty($ealgoESPsp2arr)) {
804
					file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true));
805 0b5fc1d1 Ermal
					$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
806 c650b2f7 Ermal
				}
807 0b5fc1d1 Ermal
				if (!empty($authentication))
808
					$ipsecconf .= "\t{$authentication}\n";
809
				if (!empty($peerid_spec))
810
					$ipsecconf .= "\trightid = {$peerid_spec}\n";
811 a93e56c5 Matthew Grooms
			}
812
		}
813 496acde1 Ermal
	}
814
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
815
	unset($ipsecconf);
816 6c576b27 Ermal
	/* end ipsec.conf */
817 496acde1 Ermal
818 6c576b27 Ermal
	/* mange process */
819 c6efc8fd Ermal
	if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
820 7335fa53 Ermal
		/* Read secrets */
821
		mwexec("/usr/local/sbin/ipsec rereadall", false);
822
		/* Update configuration changes */
823 9f6a5b50 Ermal
		mwexec("/usr/local/sbin/ipsec reload", false);
824 496acde1 Ermal
	} else {
825 63159749 Ermal
		mwexec("/usr/local/sbin/ipsec start", false); 
826 496acde1 Ermal
	}
827 9abaa8f7 Ermal
828 496acde1 Ermal
	if ($natfilterrules == true)
829
		filter_configure();
830
	/* start filterdns, if necessary */
831
	if (count($filterdns_list) > 0) {
832
		$interval = 60;
833
		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
834
			$interval = $ipseccfg['dns-interval'];
835
836
		$hostnames = "";
837
		array_unique($filterdns_list);
838
		foreach ($filterdns_list as $hostname)
839
			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
840
		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
841
		unset($hostnames);
842
843
		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid"))
844
			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
845
		else {
846
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
847 5b237745 Scott Ullrich
		}
848 496acde1 Ermal
	} else {
849
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
850
		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
851
	}
852 09628a07 Renato Botelho
853 496acde1 Ermal
	if ($g['booting'])
854
		echo "done\n";
855 8f67a8e1 Scott Ullrich
856 496acde1 Ermal
	return count($filterdns_list);
857 5b237745 Scott Ullrich
}
858
859 09628a07 Renato Botelho
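/*
 * Forcefully restart IPsec.
 * This is required when dynamic interfaces reload; on every other
 * occasion the normal vpn_ipsec_configure() gracefully reloads the
 * settings without restarting.
 *
 * $interface: optional friendly interface name. When given, the reload is
 * skipped (with a log entry) unless at least one enabled phase 1 entry is
 * bound to that interface, so unrelated interface events do not bounce
 * every tunnel.
 *
 * Returns nothing. Nothing happens unless $config['ipsec']['enable'] is set.
 */
function vpn_ipsec_force_reload($interface = "") {
	global $config;

	/* Tolerate a missing <ipsec> section so the key lookups below do not
	 * emit undefined-index notices on a box that never configured IPsec. */
	$ipseccfg = (isset($config['ipsec']) && is_array($config['ipsec'])) ? $config['ipsec'] : array();

	if (!empty($interface) && isset($ipseccfg['phase1']) && is_array($ipseccfg['phase1'])) {
		$found = false;
		foreach ($ipseccfg['phase1'] as $ipsec) {
			/* A disabled entry must not keep an interface "in use". */
			if (isset($ipsec['disabled']))
				continue;
			if (isset($ipsec['interface']) && $ipsec['interface'] == $interface) {
				$found = true;
				break;
			}
		}
		if (!$found) {
			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
			return;
		}
	}

	/* if ipsec is enabled, start up again */
	if (isset($ipseccfg['enable'])) {
		log_error(gettext("Forcefully reloading IPsec"));
		vpn_ipsec_configure();
	}
}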
890
891
/*
 * master setup for vpn (mpd): bring up the PPTP, PPPoE and L2TP servers.
 * Nothing is started on the 'jail' platform. Returns nothing.
 */
function vpn_setup() {
	global $g;

	/* mpd-based services are not run inside a jail. */
	if ($g['platform'] == 'jail') {
		return;
	}

	vpn_pptpd_configure();   /* pptpd */
	vpn_pppoes_configure();  /* every configured pppoe server */
	vpn_l2tp_configure();    /* l2tp */
}
907
908 67b057a9 Ermal
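/*
 * Attach netgraph(4) to every configured interface whose physical type
 * mpd can use (ether, vlan, bridge). Called right before mpd is started
 * by the PPTP and L2TP writers in this file. Returns nothing.
 */
function vpn_netgraph_support() {
	$ngtypes = array("ether", "vlan", "bridge");
	$iflist = get_configured_interface_list();
	foreach ($iflist as $iface) {
		$realif = get_real_interface($iface);
		/* Get support for netgraph(4) from the nic */
		$ifinfo = pfSense_get_interface_addresses($realif);
		/* Strict in_array(): 'iftype' is a string, and a loose comparison
		 * would also accept e.g. boolean true. The isset() avoids an
		 * undefined-index notice when the helper returns no type. */
		if (!empty($ifinfo) && isset($ifinfo['iftype']) && in_array($ifinfo['iftype'], $ngtypes, true))
			pfSense_ngctl_attach(".", $realif);
	}
}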
918
919 5b237745 Scott Ullrich
/*
 * Configure and (re)start the PPTP VPN server (mpd4).
 *
 * Reads $config['pptpd'] and writes three files under
 * {$g['varetc_path']}/pptp-vpn: mpd.conf (bundle/link definitions, DNS,
 * WINS and RADIUS settings), mpd.links (one pptp link per unit) and
 * mpd.secret (local user credentials, mode 0600). It then launches mpd4
 * with the pptps bundle. Outside of bootup the running instance is killed
 * first and the old files removed; with mode "off" that kill is the whole
 * effect, since no switch case matches.
 *
 * Returns 0 when nothing needs doing or the daemon was started, 1 when one
 * of the config files cannot be opened, and null (bare "return") when
 * n_pptp_units is empty -- callers testing the result numerically should
 * be aware of the mixed return types.
 */
function vpn_pptpd_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$pptpdcfg = $config['pptpd'];

	if ($g['booting']) {
		/* During boot a disabled service is simply skipped. */
		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring PPTP VPN service... ");
	} else {
		/* kill mpd */
		killbypid("{$g['varrun_path']}/pptp-vpn.pid");

		/* wait for process to die */
		sleep(3);

		/* NOTE(review): "mpd -b" also matches the PPPoE and L2TP mpd4
		 * instances started elsewhere in this file, so this retry can fire
		 * even when the PPTP instance is already gone. */
		if (is_process_running("mpd -b")) {
			killbypid("{$g['varrun_path']}/pptp-vpn.pid");
			log_error(gettext("Could not kill mpd within 3 seconds.   Trying again."));
		}

		/* remove mpd.conf, if it exists */
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.conf");
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.links");
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.secret");
	}

	/* Without a unit count there is nothing to generate. Note the bare
	 * return (null) differs from the 0/1 used everywhere else. */
	if (empty($pptpdcfg['n_pptp_units'])) {
		log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
		return;
	}

	/* make sure pptp-vpn directory exists */
	if (!file_exists("{$g['varetc_path']}/pptp-vpn"))
		mkdir("{$g['varetc_path']}/pptp-vpn");

	switch ($pptpdcfg['mode']) {
		case 'server' :
			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			/* Top-level bundle: loads one pt<i> section per unit. */
			$mpdconf = <<<EOD
pptps:

EOD;

			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdconf .= "	load pt{$i}\n";
			}

			/* One section per unit; unit i is handed the fixed client
			 * address remoteip + i. */
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {

				$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);

				$mpdconf .= <<<EOD

pt{$i}:
	new -i pptpd{$i} pt{$i} pt{$i}
	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
	load pts

EOD;
			}

			/* Shared link/bundle template: MS-CHAPv2 only, encryption
			 * required, 128-bit stateless MPPE. */
			$mpdconf .=<<<EOD

pts:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set iface idle 1800
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set bundle enable multilink
	set bundle enable crypt-reqd
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap-msv2
	set link mtu 1460
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

EOD;

			/* Unless 128-bit MPPE is required, the weaker 40- and 56-bit
			 * key lengths are also offered to clients. */
			if (!isset ($pptpdcfg['req128'])) {
				$mpdconf .=<<<EOD
	set ccp yes mpp-e40
	set ccp yes mpp-e56

EOD;
			}

			if  (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "")
				$mpdconf  .=  "	set ipcp nbns {$pptpdcfg['wins']}\n";

			/* DNS handed to clients, in order of precedence: explicit
			 * dns1/dns2, this box's LAN address when dnsmasq or unbound is
			 * the resolver, else the system DNS servers.
			 * NOTE(review): $syscfg['dnsserver'][0] is read without an
			 * is_array() guard in the dnsmasq/unbound branches. */
			if (!empty($pptpdcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pptpdcfg['dns1'];
				if (!empty($pptpdcfg['dns2']))
					$mpdconf .= " " . $pptpdcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset ($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
					$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* RADIUS authentication. A port value shorter than two
			 * characters falls back to 1812; accounting is always auth + 1.
			 * NOTE(review): the shared secret is placed between double
			 * quotes with none of the backslash/quote escaping applied to
			 * user passwords further down; a secret containing '"' or '\'
			 * would corrupt this line. */
			if (isset ($pptpdcfg['radius']['server']['enable'])) {
				$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
				$acctport = $authport + 1;
				$mpdconf .=<<<EOD
	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}

EOD;
			/* The secondary server block is nested inside the primary one
			 * (the indentation hides this): server2 is only emitted when
			 * the primary server is enabled. Same unescaped-secret caveat. */
			if (isset ($pptpdcfg['radius']['server2']['enable'])) {
				$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
				$acctport = $authport + 1;
				$mpdconf .=<<<EOD
	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}

EOD;
			}
			$mpdconf .=<<<EOD
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset ($pptpdcfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct
	set radius acct-update 300

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			/* One incoming-only pptp link per unit, matching the pt<i>
			 * sections in mpd.conf. */
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdlinks .=<<<EOD

pt{$i}:
	set link type pptp
	set pptp enable incoming
	set pptp disable originate
	set pptp disable windowing

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			$mpdsecret = "";

			/* Local users: backslashes and double quotes are escaped so a
			 * password cannot terminate the quoted field. */
			if (is_array($pptpdcfg['user'])) {
				foreach ($pptpdcfg['user'] as $user) {
					$pass = str_replace('\\', '\\\\', $user['password']);
					$pass = str_replace('"', '\"', $pass);
					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
				}
			}

			/* NOTE(review): the file is created with the process umask and
			 * only tightened to 0600 after the plaintext credentials have
			 * been written; with a permissive umask there is a short window
			 * in which it is readable by other local users. */
			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);
			chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps");

			break;

		/* 'redir' mode is a no-op here; presumably handled elsewhere. */
		case 'redir' :
			break;
	}

	if ($g['booting'])
		echo "done\n";

	return 0;
}
1141
1142 0e642c78 Ermal
/*
 * Configure every PPPoE server instance listed in $config['pppoes']['pppoe'].
 * Each entry is handed to vpn_pppoe_configure(). Returns nothing.
 */
function vpn_pppoes_configure() {
	global $config;

	if (!is_array($config['pppoes']['pppoe'])) {
		return;
	}
	foreach ($config['pppoes']['pppoe'] as $instance) {
		vpn_pppoe_configure($instance);
	}
}
1150
1151
/*
 * Configure and (re)start one PPPoE server instance (mpd4).
 *
 * $pppoecfg is one entry of $config['pppoes']['pppoe'] (taken by
 * reference, but nothing in this function writes to it). Files are written
 * under {$g['varetc_path']}/pppoe<pppoeid>-vpn: mpd.conf, mpd.links and --
 * only when local users exist -- mpd.secret (mode 0600). mpd4 is then
 * launched with the poes bundle. Outside of bootup the previous instance
 * is killed first.
 *
 * Returns 0 on success or when skipped during boot, 1 when a config file
 * cannot be opened.
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];

	/* create directory if it does not exist */
	if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn"))
		mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn");

	if ($g['booting']) {
		/* During boot a disabled instance is simply skipped. */
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring PPPoE VPN service... ");
	} else {
		/* kill mpd */
		killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");

		/* wait for process to die */
		sleep(2);

	}

	switch ($pppoecfg['mode']) {

		case 'server' :

			$pppoe_interface = get_real_interface($pppoecfg['interface']);

			/* Link authentication method for the pppoe_standard template. */
			if ($pppoecfg['paporchap'] == "chap")
				$paporchap = "set link enable chap";
			else
				$paporchap = "set link enable pap";

			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
				return 1;
			}
			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			/* Top-level bundle loads one poes<id><i> section per unit. */
			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdconf .= "	load poes{$pppoecfg['pppoeid']}{$i}\n";
			}

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {

				$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);

				/* With RADIUS-issued addresses the client range is opened to
				 * 0.0.0.0/0 (presumably so the RADIUS-assigned address is
				 * accepted); otherwise unit i gets the fixed address
				 * remoteip + i. */
				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
	{$isssue_ip_type}
	load pppoe_standard

EOD;
			}

			/* Shared template. NOTE(review): it both enables and then
			 * disables ipcp vjcomp; presumably the later line wins --
			 * confirm against mpd before relying on either. */
			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins 1
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			/* DNS handed to clients, in order of precedence: explicit
			 * dns1/dns2, this box's LAN address when dnsmasq or unbound is
			 * the resolver, else the system DNS servers.
			 * NOTE(review): $syscfg['dnsserver'][0] is read without an
			 * is_array() guard in the dnsmasq/unbound branches. */
			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2']))
					$mpdconf .= " " . $pppoecfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset ($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (isset ($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
					$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* RADIUS authentication. Ports are passed through verbatim
			 * (empty strings when unset).
			 * NOTE(review): the shared secret is placed between double
			 * quotes without any escaping; a secret containing '"' or '\'
			 * would corrupt this line. */
			if (isset ($pppoecfg['radius']['server']['enable'])) {
				$radiusport = "";
				$radiusacctport = "";
				if (isset($pppoecfg['radius']['server']['port']))
					$radiusport = $pppoecfg['radius']['server']['port'];
				if (isset($pppoecfg['radius']['server']['acctport']))
					$radiusacctport = $pppoecfg['radius']['server']['acctport'];
				$mpdconf .=<<<EOD
	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset ($pppoecfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			/* One incoming-only pppoe link per unit on the real interface,
			 * accepting any service name. */
			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdlinks .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	set phys type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set pppoe disable originate
	set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* Local users live in one space-separated string of
			 * "name:base64(password):ip" triples (see the explode() calls).
			 * The inner !empty() check repeats the outer truthiness test. */
			if ($pppoecfg['username']) {
				/* write mpd.secret */
				$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
				if (!$fd) {
					printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
					return 1;
				}

				$mpdsecret = "\n\n";

				/* NOTE(review): the decoded password is placed between
				 * double quotes with no escaping, unlike the PPTP writer in
				 * this file; a password containing '"' or '\' would break
				 * the mpd.secret line. */
				if (!empty($pppoecfg['username'])) {
					$item = explode(" ", $pppoecfg['username']);
					foreach($item as $userdata) {
						$data = explode(":", $userdata);
						$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
					}
				}

				/* The file is tightened to 0600 only after the plaintext
				 * credentials are written, so its initial mode is whatever
				 * the process umask allows. */
				fwrite($fd, $mpdsecret);
				fclose($fd);
				unset($mpdsecret);
				chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);
			}

			/* Check if previous instance is still up */
			/* Loops until the pid file is gone or stale; presumably
			 * killbypid() is reliable enough that this cannot spin --
			 * TODO confirm. */
			while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid"))
				killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);
			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");

			break;
	}

	if ($g['booting'])
		echo gettext("done") . "\n";

	return 0;
}
1361
1362
/*
 * Configure and (re)start the L2TP VPN server (mpd4).
 *
 * Reads $config['l2tp'] and writes mpd.conf, mpd.links and mpd.secret
 * (mode 0600) under {$g['varetc_path']}/l2tp-vpn, then launches mpd4 with
 * the l2tps bundle. Outside of bootup the previous instance is killed
 * first (followed by an 8 second wait). With mode "off" outside of boot
 * that kill is the whole effect, since no switch case matches.
 *
 * Returns 0 on success or when skipped during boot, 1 when a config file
 * cannot be opened.
 */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];

	/* create directory if it does not exist */
	if (!is_dir("{$g['varetc_path']}/l2tp-vpn"))
		mkdir("{$g['varetc_path']}/l2tp-vpn");

	if ($g['booting']) {
		/* During boot a disabled service is simply skipped. */
		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd */
		killbypid("{$g['varrun_path']}/l2tp-vpn.pid");

		/* wait for process to die */
		sleep(8);

	}

	/* make sure l2tp-vpn directory exists */
	/* Redundant with the is_dir()/mkdir() above; kept as is. */
	if (!file_exists("{$g['varetc_path']}/l2tp-vpn"))
		mkdir("{$g['varetc_path']}/l2tp-vpn");

	switch ($l2tpcfg['mode']) {

		case 'server' :
			/* NOTE(review): $paporchap is assigned here but never referenced
			 * in this function; the l2tp_standard template below hard-codes
			 * "set link enable chap", so the paporchap setting has no effect
			 * for L2TP. */
			if ($l2tpcfg['paporchap'] == "chap")
				$paporchap = "set link enable chap";
			else
				$paporchap = "set link enable pap";

			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			$mpdconf = "\n\n";
			/* Top-level bundle loads one l2tp<i> section per unit. */
			$mpdconf .=<<<EOD
l2tps:

EOD;

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdconf .= "	load l2tp{$i}\n";
			}

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {

				$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);

				/* With RADIUS-issued addresses the client range is opened to
				 * 0.0.0.0/0; otherwise unit i gets the fixed address
				 * remoteip + i. */
				if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
					$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
				} else {
					$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$isssue_ip_type}
	load l2tp_standard

EOD;
			}

			/* Shared template: CHAP only, encryption required (crypt-reqd). */
			$mpdconf .=<<<EOD

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 180

EOD;

			/* WINS/DNS handed to clients. Unlike the PPTP/PPPoE writers the
			 * explicit entries are validated with is_ipaddr(). Precedence:
			 * explicit dns1/dns2, this box's LAN address when dnsmasq or
			 * unbound is the resolver, else the system DNS servers.
			 * NOTE(review): $syscfg['dnsserver'][0] is read without an
			 * is_array() guard in the dnsmasq/unbound branches. */
			if (is_ipaddr($l2tpcfg['wins'])) {
				$mpdconf .= "	set ipcp nbns {$l2tpcfg['wins']}\n";
			}
			if (is_ipaddr($l2tpcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $l2tpcfg['dns1'];
				if (is_ipaddr($l2tpcfg['dns2']))
					$mpdconf .= " " . $l2tpcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset ($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (isset ($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
					$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* RADIUS authentication. The config keys here are flat
			 * (radius/server, radius/secret, radius/enable), unlike the
			 * nested radius/server/ip form used by the PPTP and PPPoE
			 * sections. No port is written, so mpd's defaults apply.
			 * NOTE(review): the shared secret is placed between double
			 * quotes without any escaping. */
			if (isset ($l2tpcfg['radius']['enable'])) {
				$mpdconf .=<<<EOD
	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset ($l2tpcfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			/* One incoming-only l2tp link per unit. The optional shared
			 * secret is appended after every unit's block.
			 * NOTE(review): that secret lands in mpd.links, which -- unlike
			 * mpd.secret below -- is never chmod'ed to 0600, so it is
			 * readable according to the process umask. The line is also not
			 * tab-indented like the rest of the block; confirm mpd still
			 * parses it as part of the l2tp<i> section. */
			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdlinks .=<<<EOD

l2tp{$i}:
	set link type l2tp
	set l2tp enable incoming
	set l2tp disable originate

EOD;
			if (!empty($l2tpcfg['secret']))
					$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
				return 1;
			}

			$mpdsecret = "\n\n";

			/* NOTE(review): passwords are placed between double quotes with
			 * none of the backslash/quote escaping the PPTP writer applies;
			 * a password containing '"' or '\' would break the line. */
			if (is_array($l2tpcfg['user'])) {
				foreach ($l2tpcfg['user'] as $user)
					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
			}

			/* The file is tightened to 0600 only after the plaintext
			 * credentials are written, so its initial mode is whatever the
			 * process umask allows. */
			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);
			chmod("{$g['varetc_path']}/l2tp-vpn/mpd.secret", 0600);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/l2tp-vpn -p {$g['varrun_path']}/l2tp-vpn.pid -s l2tps l2tps");

			break;

		/* 'redir' mode is a no-op here; presumably handled elsewhere. */
		case 'redir' :
			break;
	}

	if ($g['booting'])
		echo "done\n";

	return 0;
}
1558 630cfa6c Scott Ullrich
1559 7b2fdac4 jim-p
/*
 * Push the "prefer old SA" IPsec option into the kernel:
 * net.key.preferred_oldsa becomes -30 when the option is set, 0 otherwise.
 * Returns nothing.
 */
function vpn_ipsec_configure_preferoldsa() {
	global $config;

	$preferred = isset($config['ipsec']['preferoldsa']) ? "-30" : "0";
	set_single_sysctl("net.key.preferred_oldsa", $preferred);
}
1566 9734b054 Scott Ullrich
1567 c513c309 Ermal
?>