Révision f1bede03
Ajouté par Ermal il y a presque 10 ans
| etc/inc/vpn.inc | ||
|---|---|---|
| 500 | 500 |
/* add PSKs for mobile clients */ |
| 501 | 501 |
if (is_array($ipseccfg['mobilekey'])) {
|
| 502 | 502 |
foreach ($ipseccfg['mobilekey'] as $key) {
|
| 503 |
if ($key['ident'] == "allusers") |
|
| 504 |
$key['ident'] = ''; |
|
| 503 | 505 |
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
|
| 504 | 506 |
} |
| 505 | 507 |
} |
| ... | ... | |
| 531 | 533 |
if (isset($ph2ent['disabled'])) |
| 532 | 534 |
continue; |
| 533 | 535 |
|
| 536 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) |
|
| 537 |
continue; |
|
| 538 |
|
|
| 534 | 539 |
$ikeid = $ph1ent['ikeid']; |
| 535 | 540 |
|
| 536 | 541 |
$ep = ipsec_get_phase1_src($ph1ent); |
| 537 | 542 |
if (!$ep) |
| 538 | 543 |
continue; |
| 539 | 544 |
|
| 540 |
if (!isset($ph1ent['mobile'])) {
|
|
| 545 |
$passive = "start"; |
|
| 546 |
if (isset($ph1ent['mobile'])) {
|
|
| 547 |
$rgip = "%any"; |
|
| 548 |
$passive = 'add'; |
|
| 549 |
} else |
|
| 541 | 550 |
$rgip = $ph1ent['remote-gateway']; |
| 542 |
//$rgip = $rgmap[$ph1ent['remote-gateway']]; |
|
| 543 |
//if (!$rgip) |
|
| 544 |
// continue; |
|
| 545 |
} |
|
| 546 | 551 |
|
| 547 |
$myid_type = $ph1ent['myid_type']; |
|
| 552 |
$keyexchange = "ikev1"; |
|
| 553 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") |
|
| 554 |
$keyexchange = "ikev2"; |
|
| 548 | 555 |
|
| 556 |
$myid_type = $ph1ent['myid_type']; |
|
| 549 | 557 |
switch ($myid_type) {
|
| 550 | 558 |
case "myaddress": |
| 551 | 559 |
$myid_type = "address"; |
| ... | ... | |
| 572 | 580 |
} |
| 573 | 581 |
|
| 574 | 582 |
$peerid_type = $ph1ent['peerid_type']; |
| 575 |
|
|
| 576 | 583 |
switch ($peerid_type) {
|
| 577 | 584 |
case "peeraddress": |
| 578 | 585 |
$peerid_type = "address"; |
| ... | ... | |
| 593 | 600 |
break; |
| 594 | 601 |
} |
| 595 | 602 |
|
| 596 |
$passive = "start"; |
|
| 597 |
if (isset($ph1ent['mobile'])) {
|
|
| 598 |
$rgip = "%any"; |
|
| 599 |
$passive = "route"; |
|
| 600 |
} |
|
| 601 |
|
|
| 602 |
$keyexchange = "ikev1"; |
|
| 603 |
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") |
|
| 604 |
$keyexchange = "ikev2"; |
|
| 605 |
|
|
| 606 | 603 |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
|
| 607 | 604 |
$ealgosp1 = ''; |
| 608 | 605 |
$ealg_id = $ph1ent['encryption-algorithm']['name']; |
| ... | ... | |
| 630 | 627 |
} else |
| 631 | 628 |
$dpdline = "dpdaction = none"; |
| 632 | 629 |
|
| 633 |
if (!empty($ph1ent['authentication_method']) && (strstr($ph1ent['authentication_method'], "xauth") || strstr($ph1ent['authentication_method'], "hybrid")))
|
|
| 630 |
if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
|
|
| 634 | 631 |
$xauth = "xauth = server"; |
| 635 | 632 |
|
| 636 |
|
|
| 637 | 633 |
$lifeline = ''; |
| 638 | 634 |
if ($ph1ent['lifetime']) |
| 639 | 635 |
$lifeline = "ikelifetime = {$ph1ent['lifetime']}s";
|
| ... | ... | |
| 644 | 640 |
$peerid_spec = $peerid_data; |
| 645 | 641 |
} |
| 646 | 642 |
|
| 647 |
if (empty($ph1ent['mode'])) |
|
| 648 |
$aggressive = "no"; |
|
| 649 |
else if ($ph1ent['mode'] == "aggressive") |
|
| 643 |
if ($ph1ent['mode'] == "aggressive") |
|
| 650 | 644 |
$aggressive = "yes"; |
| 651 |
else if ($ph1ent['mode'] == "main") |
|
| 652 |
$aggressive = "no"; |
|
| 653 | 645 |
else |
| 654 | 646 |
$aggressive = "no"; |
| 655 | 647 |
|
| 656 |
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) |
|
| 657 |
continue; |
|
| 658 |
|
|
| 659 | 648 |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
|
| 660 | 649 |
$tunneltype = "type = tunnel"; |
| 661 | 650 |
|
| ... | ... | |
| 696 | 685 |
|
| 697 | 686 |
$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); |
| 698 | 687 |
$remoteid_spec = $remoteid_data; |
| 699 |
} |
|
| 688 |
} else |
|
| 689 |
/* XXX: Should check type of ip used on VPN? */ |
|
| 690 |
$remoteid_spec = "0.0.0.0/0"; |
|
| 700 | 691 |
|
| 701 | 692 |
} else {
|
| 702 | 693 |
$tunneltype = "type = transport"; |
| 703 |
//$rgip = $rgmap[$ph1ent['remote-gateway']]; |
|
| 704 | 694 |
$rgip = $ph1ent['remote-gateway']; |
| 705 | 695 |
|
| 706 | 696 |
if ((($ph1ent['authentication_method'] == "xauth_psk_server") || |
| ... | ... | |
| 712 | 702 |
$localid_spec = $ep; |
| 713 | 703 |
} |
| 714 | 704 |
if (!isset($ph2ent['mobile'])) {
|
| 715 |
$remoteid_data = $rgmap[$ph1ent['remote-gateway']]; |
|
| 716 |
$remoteid_spec = $remoteid_data; |
|
| 705 |
$remoteid_spec = $rgip; |
|
| 717 | 706 |
} |
| 718 | 707 |
} |
| 719 | 708 |
$authentication = ""; |
| ... | ... | |
| 740 | 729 |
|
| 741 | 730 |
if (isset($a_client['pfs_group'])) |
| 742 | 731 |
$ph2ent['pfsgroup'] = $a_client['pfs_group']; |
| 732 |
|
|
| 743 | 733 |
$ealgosp2 = ''; |
| 744 | 734 |
if ($ph2ent['protocol'] == 'esp') {
|
| 745 | 735 |
if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
|
Formats disponibles : Unified diff
Allow a key to specified for all users as for exmpale when connecting from Apple iOS