500 |
500 |
/* add PSKs for mobile clients */
|
501 |
501 |
if (is_array($ipseccfg['mobilekey'])) {
|
502 |
502 |
foreach ($ipseccfg['mobilekey'] as $key) {
|
|
503 |
if ($key['ident'] == "allusers")
|
|
504 |
$key['ident'] = '';
|
503 |
505 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
504 |
506 |
}
|
505 |
507 |
}
|
... | ... | |
531 |
533 |
if (isset($ph2ent['disabled']))
|
532 |
534 |
continue;
|
533 |
535 |
|
|
536 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
|
537 |
continue;
|
|
538 |
|
534 |
539 |
$ikeid = $ph1ent['ikeid'];
|
535 |
540 |
|
536 |
541 |
$ep = ipsec_get_phase1_src($ph1ent);
|
537 |
542 |
if (!$ep)
|
538 |
543 |
continue;
|
539 |
544 |
|
540 |
|
if (!isset($ph1ent['mobile'])) {
|
|
545 |
$passive = "start";
|
|
546 |
if (isset($ph1ent['mobile'])) {
|
|
547 |
$rgip = "%any";
|
|
548 |
$passive = 'add';
|
|
549 |
} else
|
541 |
550 |
$rgip = $ph1ent['remote-gateway'];
|
542 |
|
//$rgip = $rgmap[$ph1ent['remote-gateway']];
|
543 |
|
//if (!$rgip)
|
544 |
|
// continue;
|
545 |
|
}
|
546 |
551 |
|
547 |
|
$myid_type = $ph1ent['myid_type'];
|
|
552 |
$keyexchange = "ikev1";
|
|
553 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
|
|
554 |
$keyexchange = "ikev2";
|
548 |
555 |
|
|
556 |
$myid_type = $ph1ent['myid_type'];
|
549 |
557 |
switch ($myid_type) {
|
550 |
558 |
case "myaddress":
|
551 |
559 |
$myid_type = "address";
|
... | ... | |
572 |
580 |
}
|
573 |
581 |
|
574 |
582 |
$peerid_type = $ph1ent['peerid_type'];
|
575 |
|
|
576 |
583 |
switch ($peerid_type) {
|
577 |
584 |
case "peeraddress":
|
578 |
585 |
$peerid_type = "address";
|
... | ... | |
593 |
600 |
break;
|
594 |
601 |
}
|
595 |
602 |
|
596 |
|
$passive = "start";
|
597 |
|
if (isset($ph1ent['mobile'])) {
|
598 |
|
$rgip = "%any";
|
599 |
|
$passive = "route";
|
600 |
|
}
|
601 |
|
|
602 |
|
$keyexchange = "ikev1";
|
603 |
|
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
|
604 |
|
$keyexchange = "ikev2";
|
605 |
|
|
606 |
603 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
607 |
604 |
$ealgosp1 = '';
|
608 |
605 |
$ealg_id = $ph1ent['encryption-algorithm']['name'];
|
... | ... | |
630 |
627 |
} else
|
631 |
628 |
$dpdline = "dpdaction = none";
|
632 |
629 |
|
633 |
|
if (!empty($ph1ent['authentication_method']) && (strstr($ph1ent['authentication_method'], "xauth") || strstr($ph1ent['authentication_method'], "hybrid")))
|
|
630 |
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
634 |
631 |
$xauth = "xauth = server";
|
635 |
632 |
|
636 |
|
|
637 |
633 |
$lifeline = '';
|
638 |
634 |
if ($ph1ent['lifetime'])
|
639 |
635 |
$lifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
... | ... | |
644 |
640 |
$peerid_spec = $peerid_data;
|
645 |
641 |
}
|
646 |
642 |
|
647 |
|
if (empty($ph1ent['mode']))
|
648 |
|
$aggressive = "no";
|
649 |
|
else if ($ph1ent['mode'] == "aggressive")
|
|
643 |
if ($ph1ent['mode'] == "aggressive")
|
650 |
644 |
$aggressive = "yes";
|
651 |
|
else if ($ph1ent['mode'] == "main")
|
652 |
|
$aggressive = "no";
|
653 |
645 |
else
|
654 |
646 |
$aggressive = "no";
|
655 |
647 |
|
656 |
|
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
|
657 |
|
continue;
|
658 |
|
|
659 |
648 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
660 |
649 |
$tunneltype = "type = tunnel";
|
661 |
650 |
|
... | ... | |
696 |
685 |
|
697 |
686 |
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
|
698 |
687 |
$remoteid_spec = $remoteid_data;
|
699 |
|
}
|
|
688 |
} else
|
|
689 |
/* XXX: Should check type of ip used on VPN? */
|
|
690 |
$remoteid_spec = "0.0.0.0/0";
|
700 |
691 |
|
701 |
692 |
} else {
|
702 |
693 |
$tunneltype = "type = transport";
|
703 |
|
//$rgip = $rgmap[$ph1ent['remote-gateway']];
|
704 |
694 |
$rgip = $ph1ent['remote-gateway'];
|
705 |
695 |
|
706 |
696 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
|
... | ... | |
712 |
702 |
$localid_spec = $ep;
|
713 |
703 |
}
|
714 |
704 |
if (!isset($ph2ent['mobile'])) {
|
715 |
|
$remoteid_data = $rgmap[$ph1ent['remote-gateway']];
|
716 |
|
$remoteid_spec = $remoteid_data;
|
|
705 |
$remoteid_spec = $rgip;
|
717 |
706 |
}
|
718 |
707 |
}
|
719 |
708 |
$authentication = "";
|
... | ... | |
740 |
729 |
|
741 |
730 |
if (isset($a_client['pfs_group']))
|
742 |
731 |
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
|
|
732 |
|
743 |
733 |
$ealgosp2 = '';
|
744 |
734 |
if ($ph2ent['protocol'] == 'esp') {
|
745 |
735 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
Allow a key to be specified for all users, as for example when connecting from Apple iOS