Révision f1bede03
Ajouté par Ermal il y a presque 10 ans
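--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -500,6 +500,8 @@
 /* add PSKs for mobile clients */
 if (is_array($ipseccfg['mobilekey'])) {
 foreach ($ipseccfg['mobilekey'] as $key) {
+if ($key['ident'] == "allusers")
+$key['ident'] = '';
 $pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
 }
 }
@@ -531,21 +533,27 @@
 if (isset($ph2ent['disabled']))
 continue;
 
+if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
+continue;
+
 $ikeid = $ph1ent['ikeid'];
 
 $ep = ipsec_get_phase1_src($ph1ent);
 if (!$ep)
 continue;
 
-if (!isset($ph1ent['mobile'])) {
+$passive = "start";
+if (isset($ph1ent['mobile'])) {
+$rgip = "%any";
+$passive = 'add';
+} else
 $rgip = $ph1ent['remote-gateway'];
-//$rgip = $rgmap[$ph1ent['remote-gateway']];
-//if (!$rgip)
-// continue;
-}
 
-$myid_type = $ph1ent['myid_type'];
+$keyexchange = "ikev1";
+if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
+$keyexchange = "ikev2";
 
+$myid_type = $ph1ent['myid_type'];
 switch ($myid_type) {
 case "myaddress":
 $myid_type = "address";
@@ -572,7 +580,6 @@
 }
 
 $peerid_type = $ph1ent['peerid_type'];
-
 switch ($peerid_type) {
 case "peeraddress":
 $peerid_type = "address";
@@ -593,16 +600,6 @@
 break;
 }
 
-$passive = "start";
-if (isset($ph1ent['mobile'])) {
-$rgip = "%any";
-$passive = "route";
-}
-
-$keyexchange = "ikev1";
-if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1")
-$keyexchange = "ikev2";
-
 if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
 $ealgosp1 = '';
 $ealg_id = $ph1ent['encryption-algorithm']['name'];
@@ -630,10 +627,9 @@
 } else
 $dpdline = "dpdaction = none";
 
-if (!empty($ph1ent['authentication_method']) && (strstr($ph1ent['authentication_method'], "xauth") || strstr($ph1ent['authentication_method'], "hybrid")))
+if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") || strpos($ph1ent['authentication_method'], "hybrid")))
 $xauth = "xauth = server";
 
-
 $lifeline = '';
 if ($ph1ent['lifetime'])
 $lifeline = "ikelifetime = {$ph1ent['lifetime']}s";
@@ -644,18 +640,11 @@
 $peerid_spec = $peerid_data;
 }
 
-if (empty($ph1ent['mode']))
-$aggressive = "no";
-else if ($ph1ent['mode'] == "aggressive")
+if ($ph1ent['mode'] == "aggressive")
 $aggressive = "yes";
-else if ($ph1ent['mode'] == "main")
-$aggressive = "no";
 else
 $aggressive = "no";
 
-if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
-continue;
-
 if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
 $tunneltype = "type = tunnel";
 
@@ -696,11 +685,12 @@
 
 $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
 $remoteid_spec = $remoteid_data;
-}
+} else
+/* XXX: Should check type of ip used on VPN? */
+$remoteid_spec = "0.0.0.0/0";
 
 } else {
 $tunneltype = "type = transport";
-//$rgip = $rgmap[$ph1ent['remote-gateway']];
 $rgip = $ph1ent['remote-gateway'];
 
 if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
@@ -712,8 +702,7 @@
 $localid_spec = $ep;
 }
 if (!isset($ph2ent['mobile'])) {
-$remoteid_data = $rgmap[$ph1ent['remote-gateway']];
-$remoteid_spec = $remoteid_data;
+$remoteid_spec = $rgip;
 }
 }
 $authentication = "";
@@ -740,6 +729,7 @@
 
 if (isset($a_client['pfs_group']))
 $ph2ent['pfsgroup'] = $a_client['pfs_group'];
+
 $ealgosp2 = '';
 if ($ph2ent['protocol'] == 'esp') {
 if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {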
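Review bot: The rewritten xauth/hybrid test at new line 630 no longer matches any of those methods, because `strpos()` returns `0` when the needle sits at offset 0 and `0` is falsy inside `||`; for a value such as `xauth_psk_server` (compared literally further down in this section) `strpos(..., "xauth")` yields `0`, so `$xauth = "xauth = server"` is never assigned and the behaviour of the replaced `strstr()` call is lost. The comparison needs to be explicit: `if (!empty($ph1ent['authentication_method']) && (strpos($ph1ent['authentication_method'], "xauth") !== false || strpos($ph1ent['authentication_method'], "hybrid") !== false))`. Separately, the `allusers` mapping in the first hunk emits a secret with an empty selector (`: PSK "..."`), which ipsec.secrets appears to treat as matching any peer identity; a comment on the `$key['ident'] = '';` line such as `/* empty selector: this PSK is offered to any mobile client identity */` would make that intent explicit, and the entry's position in `$pskconf` relative to identity-specific keys is worth confirming. The enclosing function starts and ends outside the hunks shown.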
Allow a key to be specified for all users, as for example when connecting from Apple iOS