| 500 |
500 |
/* add PSKs for mobile clients */
|
| 501 |
501 |
if (is_array($ipseccfg['mobilekey'])) {
|
| 502 |
502 |
foreach ($ipseccfg['mobilekey'] as $key) {
|
|
503 |
if ($key['ident'] == "allusers")
|
|
504 |
$key['ident'] = '';
|
| 503 |
505 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
| 504 |
506 |
}
|
| 505 |
507 |
}
|
| ... | ... | |
| 531 |
533 |
if (isset($ph2ent['disabled']))
|
| 532 |
534 |
continue;
|
| 533 |
535 |
|
|
536 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
|
537 |
continue;
|
|
538 |
|
| 534 |
539 |
$ikeid = $ph1ent['ikeid'];
|
| 535 |
540 |
|
| 536 |
541 |
$ep = ipsec_get_phase1_src($ph1ent);
|
| 537 |
542 |
if (!$ep)
|
| 538 |
543 |
continue;
|
| 539 |
544 |
|
| 540 |
|
if (!isset($ph1ent['mobile'])) {
|
|
545 |
$passive = "start";
|
|
546 |
if (isset($ph1ent['mobile'])) {
|
|
547 |
$rgip = "%any";
|
|
548 |
$passive = 'add';
|
|
549 |
} else
|
| 541 |
550 |
$rgip = $ph1ent['remote-gateway'];
|
| 542 |
|
//$rgip = $rgmap[$ph1ent['remote-gateway']];
|
| 543 |
|
//if (!$rgip)
|
| 544 |
|
// continue;
|
| 545 |
|
}
|
| 546 |
551 |
|
| 547 |
|
$myid_type = $ph1ent['myid_type'];
|
|
552 |
$keyexchange = "ikev1";
|
|
553 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
|
|
554 |
$keyexchange = "ikev2";
|
| 548 |
555 |
|
|
556 |
$myid_type = $ph1ent['myid_type'];
|
| 549 |
557 |
switch ($myid_type) {
|
| 550 |
558 |
case "myaddress":
|
| 551 |
559 |
$myid_type = "address";
|
| ... | ... | |
| 572 |
580 |
}
|
| 573 |
581 |
|
| 574 |
582 |
$peerid_type = $ph1ent['peerid_type'];
|
| 575 |
|
|
| 576 |
583 |
switch ($peerid_type) {
|
| 577 |
584 |
case "peeraddress":
|
| 578 |
585 |
$peerid_type = "address";
|
| ... | ... | |
| 593 |
600 |
break;
|
| 594 |
601 |
}
|
| 595 |
602 |
|
| 596 |
|
$passive = "start";
|
| 597 |
|
if (isset($ph1ent['mobile'])) {
|
| 598 |
|
$rgip = "%any";
|
| 599 |
|
$passive = "route";
|
| 600 |
|
}
|
| 601 |
|
|
| 602 |
|
$keyexchange = "ikev1";
|
| 603 |
|
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
|
| 604 |
|
$keyexchange = "ikev2";
|
| 605 |
|
|
| 606 |
603 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
| 607 |
604 |
$ealgosp1 = '';
|
| 608 |
605 |
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
| ... | ... | |
| 630 |
627 |
} else
|
| 631 |
628 |
$dpdline = "dpdaction = none";
|
| 632 |
629 |
|
| 633 |
|
if (!empty($ph1ent['authentication_method']) && (strstr($ph1ent['authentication_method'], "xauth") || strstr($ph1ent['authentication_method'], "hybrid")))
|
|
630 |
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
| 634 |
631 |
$xauth = "xauth = server";
|
| 635 |
632 |
|
| 636 |
|
|
| 637 |
633 |
$lifeline = '';
|
| 638 |
634 |
if ($ph1ent['lifetime'])
|
| 639 |
635 |
$lifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
| ... | ... | |
| 644 |
640 |
$peerid_spec = $peerid_data;
|
| 645 |
641 |
}
|
| 646 |
642 |
|
| 647 |
|
if (empty($ph1ent['mode']))
|
| 648 |
|
$aggressive = "no";
|
| 649 |
|
else if ($ph1ent['mode'] == "aggressive")
|
|
643 |
if ($ph1ent['mode'] == "aggressive")
|
| 650 |
644 |
$aggressive = "yes";
|
| 651 |
|
else if ($ph1ent['mode'] == "main")
|
| 652 |
|
$aggressive = "no";
|
| 653 |
645 |
else
|
| 654 |
646 |
$aggressive = "no";
|
| 655 |
647 |
|
| 656 |
|
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
| 657 |
|
continue;
|
| 658 |
|
|
| 659 |
648 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
| 660 |
649 |
$tunneltype = "type = tunnel";
|
| 661 |
650 |
|
| ... | ... | |
| 696 |
685 |
|
| 697 |
686 |
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
| 698 |
687 |
$remoteid_spec = $remoteid_data;
|
| 699 |
|
}
|
|
688 |
} else
|
|
689 |
/* XXX: Should check type of ip used on VPN? */
|
|
690 |
$remoteid_spec = "0.0.0.0/0";
|
| 700 |
691 |
|
| 701 |
692 |
} else {
|
| 702 |
693 |
$tunneltype = "type = transport";
|
| 703 |
|
//$rgip = $rgmap[$ph1ent['remote-gateway']];
|
| 704 |
694 |
$rgip = $ph1ent['remote-gateway'];
|
| 705 |
695 |
|
| 706 |
696 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
|
| ... | ... | |
| 712 |
702 |
$localid_spec = $ep;
|
| 713 |
703 |
}
|
| 714 |
704 |
if (!isset($ph2ent['mobile'])) {
|
| 715 |
|
$remoteid_data = $rgmap[$ph1ent['remote-gateway']];
|
| 716 |
|
$remoteid_spec = $remoteid_data;
|
|
705 |
$remoteid_spec = $rgip;
|
| 717 |
706 |
}
|
| 718 |
707 |
}
|
| 719 |
708 |
$authentication = "";
|
| ... | ... | |
| 740 |
729 |
|
| 741 |
730 |
if (isset($a_client['pfs_group']))
|
| 742 |
731 |
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
|
732 |
|
| 743 |
733 |
$ealgosp2 = '';
|
| 744 |
734 |
if ($ph2ent['protocol'] == 'esp') {
|
| 745 |
735 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
Allow a key to specified for all users as for exmpale when connecting from Apple iOS