Révision fa4e059e
Ajouté par Ermal il y a plus de 9 ans
etc/inc/ipsec.inc | ||
---|---|---|
114 | 114 |
'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ), |
115 | 115 |
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), |
116 | 116 |
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), |
117 |
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => false ), |
|
117 | 118 |
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), |
118 | 119 |
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); |
119 | 120 |
|
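Review bot: The new `'eap-tls'` entry is registered with `'mobile' => false`, so it will not be offered on mobile-client phase 1 entries, although EAP-TLS with client certificates is normally a road-warrior (mobile) setup. If this is deliberate for the first implementation, say so on the line, e.g. `'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => false ), /* IKEv2 only; not yet offered for mobile clients */`, so the restriction is not mistaken for an oversight later. The array starts before this hunk.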
etc/inc/vpn.inc | ||
---|---|---|
49 | 49 |
$cfgtext = array(); |
50 | 50 |
foreach ($ipsec_loglevels as $lkey => $ldescr) { |
51 | 51 |
if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) |
52 |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
|
|
52 |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false); |
|
53 | 53 |
else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && |
54 | 54 |
intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) |
55 | 55 |
$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : |
... | ... | |
128 | 128 |
|
129 | 129 |
return 0; |
130 | 130 |
} else { |
131 |
$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs"; |
|
132 |
$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts"; |
|
133 |
$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private"; |
|
134 |
|
|
131 | 135 |
mwexec("/sbin/ifconfig enc0 up"); |
132 | 136 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); |
133 | 137 |
/* needed for config files */ |
... | ... | |
135 | 139 |
mkdir("{$g['varetc_path']}/ipsec"); |
136 | 140 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) |
137 | 141 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); |
138 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
|
|
139 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
|
|
140 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
|
|
141 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
|
|
142 |
if (!is_dir($capath))
|
|
143 |
mkdir($capath);
|
|
144 |
if (!is_dir($keypath))
|
|
145 |
mkdir($keypath);
|
|
142 | 146 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) |
143 | 147 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); |
144 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
|
|
145 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
|
|
148 |
if (!is_dir($certpath))
|
|
149 |
mkdir($certpath);
|
|
146 | 150 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) |
147 | 151 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); |
148 | 152 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) |
... | ... | |
416 | 420 |
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); |
417 | 421 |
continue; |
418 | 422 |
} |
419 |
$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
|
|
423 |
$fname = "{$capath}/{$x509cert['hash']}.0.crt";
|
|
420 | 424 |
if (!@file_put_contents($fname, $cert)) { |
421 | 425 |
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); |
422 | 426 |
continue; |
... | ... | |
433 | 437 |
if (isset($ph1ent['disabled'])) |
434 | 438 |
continue; |
435 | 439 |
|
436 |
if (strstr($ph1ent['authentication_method'],'rsa')) {
|
|
440 |
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
|
|
437 | 441 |
$certline = ''; |
438 | 442 |
|
439 |
if (strstr($authmethod,'rsa')) { |
|
440 |
|
|
441 |
$ikeid = $ph1ent['ikeid']; |
|
442 |
$cert = lookup_cert($ph1ent['certref']); |
|
443 |
|
|
444 |
if (!$cert) { |
|
445 |
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); |
|
446 |
continue; |
|
447 |
} |
|
448 |
|
|
449 |
chmod($certpath, 0600); |
|
450 |
|
|
451 |
$keyfile = "cert-{$ikeid}.key"; |
|
452 |
$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}"; |
|
453 |
|
|
454 |
if (!file_put_contents($keypath, base64_decode($cert['prv']))) { |
|
455 |
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); |
|
456 |
continue; |
|
457 |
} |
|
443 |
$ikeid = $ph1ent['ikeid']; |
|
444 |
$cert = lookup_cert($ph1ent['certref']); |
|
458 | 445 |
|
459 |
chmod($keypath, 0600); |
|
460 |
/* XXX" Traffic selectors? */ |
|
461 |
$pskconf .= " : RSA {$keypath}\n"; |
|
446 |
if (!$cert) { |
|
447 |
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); |
|
448 |
continue; |
|
449 |
} |
|
462 | 450 |
|
463 |
$ca = lookup_ca($ph1ent['caref']); |
|
464 |
if ($ca) { |
|
465 |
$cafile = "ca-{$ikeid}.crt"; |
|
466 |
$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}"; |
|
451 |
@chmod($certpath, 0600); |
|
467 | 452 |
|
468 |
if (!file_put_contents($capath, base64_decode($ca['crt']))) |
|
469 |
{ |
|
470 |
log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name'])); |
|
471 |
continue; |
|
472 |
} |
|
453 |
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key"; |
|
454 |
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { |
|
455 |
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); |
|
456 |
continue; |
|
457 |
} |
|
458 |
@chmod($ph1keyfile, 0600); |
|
473 | 459 |
|
474 |
chmod($capath, 0600); |
|
475 |
} |
|
460 |
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt"; |
|
461 |
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { |
|
462 |
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); |
|
463 |
@unlink($ph1keyfile); |
|
464 |
continue; |
|
476 | 465 |
} |
466 |
@chmod($ph1certfile, 0600); |
|
467 |
|
|
468 |
/* XXX" Traffic selectors? */ |
|
469 |
$pskconf .= " : RSA {$ph1keyfile}\n"; |
|
477 | 470 |
} else { |
478 | 471 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); |
479 | 472 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); |
... | ... | |
595 | 588 |
|
596 | 589 |
$authentication = ""; |
597 | 590 |
switch ($ph1ent['authentication_method']) { |
591 |
case 'eap-tls': |
|
592 |
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; |
|
593 |
if (!empty($ph1ent['certref'])) |
|
594 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; |
|
595 |
break; |
|
598 | 596 |
case 'xauth_rsa_server': |
599 | 597 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
600 | 598 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
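Review bot: `strpos($ph1ent['authentication_method'], 'rsa')` on new line 440 returns 0 for `rsasig`, which is falsy, so Mutual RSA phase 1 entries now fall into the PSK `else` branch and get no certificate or key written; the old `strstr` returned the matched string and was truthy. Compare the result explicitly: `if (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls') {`. Separately, `cert-{ikeid}.key` is created by `file_put_contents` under the process umask and only afterwards tightened by `@chmod($ph1keyfile, 0600)`, and the new `mkdir($keypath)` creates the private-key directory with the default mode; creating the directory as `mkdir($keypath, 0700)` and setting a restrictive umask before writing the key (or creating the file empty, chmod'ing it, then writing) removes the window, and the `@` should not hide a chmod failure that is worth a `log_error`. The enclosing function begins and ends outside the hunks shown.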
usr/local/www/vpn_ipsec_phase1.php | ||
---|---|---|
5 | 5 |
|
6 | 6 |
Copyright (C) 2008 Shrew Soft Inc |
7 | 7 |
Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. |
8 |
Copyright (C) 2014 Ermal LUÇI |
|
8 | 9 |
All rights reserved. |
9 | 10 |
|
10 | 11 |
Redistribution and use in source and binary forms, with or without |
... | ... | |
79 | 80 |
else |
80 | 81 |
$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway']; |
81 | 82 |
|
82 |
$pconfig['iketype'] = $a_phase1[$p1index]['iketype']; |
|
83 |
if (empty($a_phase1[$p1index]['iketype'])) |
|
84 |
$pconfig['iketype'] = "ikev1"; |
|
85 |
else |
|
86 |
$pconfig['iketype'] = $a_phase1[$p1index]['iketype']; |
|
83 | 87 |
$pconfig['mode'] = $a_phase1[$p1index]['mode']; |
84 | 88 |
$pconfig['protocol'] = $a_phase1[$p1index]['protocol']; |
85 | 89 |
$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type']; |
... | ... | |
150 | 154 |
// Only require PSK here for normal PSK tunnels (not mobile) or xauth. |
151 | 155 |
// For RSA methods, require the CA/Cert. |
152 | 156 |
switch ($method) { |
157 |
case "eap-tls": |
|
158 |
if ($pconfig['iketype'] != 'ikev2') |
|
159 |
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs."); |
|
160 |
break; |
|
153 | 161 |
case "pre_shared_key": |
154 | 162 |
// If this is a mobile PSK tunnel the user PSKs go on |
155 | 163 |
// the PSK tab, not here, so skip the check. |
... | ... | |
405 | 413 |
value = document.iform.authentication_method.options[index].value; |
406 | 414 |
|
407 | 415 |
switch (value) { |
408 |
case 'hybrid_rsa_server': |
|
409 |
document.getElementById('opt_psk').style.display = 'none'; |
|
410 |
document.getElementById('opt_peerid').style.display = ''; |
|
411 |
document.getElementById('opt_cert').style.display = ''; |
|
412 |
document.getElementById('opt_ca').style.display = ''; |
|
413 |
document.getElementById('opt_cert').disabled = false; |
|
414 |
document.getElementById('opt_ca').disabled = false; |
|
415 |
break; |
|
416 |
case 'xauth_rsa_server': |
|
417 |
case 'rsasig': |
|
418 |
document.getElementById('opt_psk').style.display = 'none'; |
|
419 |
document.getElementById('opt_peerid').style.display = ''; |
|
420 |
document.getElementById('opt_cert').style.display = ''; |
|
421 |
document.getElementById('opt_ca').style.display = ''; |
|
422 |
document.getElementById('opt_cert').disabled = false; |
|
423 |
document.getElementById('opt_ca').disabled = false; |
|
424 |
break; |
|
416 |
case 'eap-tls': |
|
417 |
document.getElementById('opt_psk').style.display = 'none'; |
|
418 |
document.getElementById('opt_peerid').style.display = ''; |
|
419 |
document.getElementById('opt_cert').style.display = ''; |
|
420 |
document.getElementById('opt_ca').style.display = ''; |
|
421 |
document.getElementById('opt_cert').disabled = false; |
|
422 |
document.getElementById('opt_ca').disabled = false; |
|
423 |
break; |
|
424 |
case 'hybrid_rsa_server': |
|
425 |
document.getElementById('opt_psk').style.display = 'none'; |
|
426 |
document.getElementById('opt_peerid').style.display = ''; |
|
427 |
document.getElementById('opt_cert').style.display = ''; |
|
428 |
document.getElementById('opt_ca').style.display = ''; |
|
429 |
document.getElementById('opt_cert').disabled = false; |
|
430 |
document.getElementById('opt_ca').disabled = false; |
|
431 |
break; |
|
432 |
case 'xauth_rsa_server': |
|
433 |
case 'rsasig': |
|
434 |
document.getElementById('opt_psk').style.display = 'none'; |
|
435 |
document.getElementById('opt_peerid').style.display = ''; |
|
436 |
document.getElementById('opt_cert').style.display = ''; |
|
437 |
document.getElementById('opt_ca').style.display = ''; |
|
438 |
document.getElementById('opt_cert').disabled = false; |
|
439 |
document.getElementById('opt_ca').disabled = false; |
|
440 |
break; |
|
425 | 441 |
<?php if ($pconfig['mobile']) { ?> |
426 |
case 'pre_shared_key':
|
|
427 |
document.getElementById('opt_psk').style.display = 'none';
|
|
428 |
document.getElementById('opt_peerid').style.display = 'none';
|
|
429 |
document.getElementById('opt_cert').style.display = 'none';
|
|
430 |
document.getElementById('opt_ca').style.display = 'none';
|
|
431 |
document.getElementById('opt_cert').disabled = true;
|
|
432 |
document.getElementById('opt_ca').disabled = true;
|
|
433 |
break;
|
|
442 |
case 'pre_shared_key': |
|
443 |
document.getElementById('opt_psk').style.display = 'none'; |
|
444 |
document.getElementById('opt_peerid').style.display = 'none'; |
|
445 |
document.getElementById('opt_cert').style.display = 'none'; |
|
446 |
document.getElementById('opt_ca').style.display = 'none'; |
|
447 |
document.getElementById('opt_cert').disabled = true; |
|
448 |
document.getElementById('opt_ca').disabled = true; |
|
449 |
break; |
|
434 | 450 |
<?php } ?> |
435 |
default: /* psk modes*/
|
|
436 |
document.getElementById('opt_psk').style.display = '';
|
|
437 |
document.getElementById('opt_peerid').style.display = '';
|
|
438 |
document.getElementById('opt_cert').style.display = 'none';
|
|
439 |
document.getElementById('opt_ca').style.display = 'none';
|
|
440 |
document.getElementById('opt_cert').disabled = true;
|
|
441 |
document.getElementById('opt_ca').disabled = true;
|
|
442 |
break;
|
|
451 |
default: /* psk modes*/ |
|
452 |
document.getElementById('opt_psk').style.display = ''; |
|
453 |
document.getElementById('opt_peerid').style.display = ''; |
|
454 |
document.getElementById('opt_cert').style.display = 'none'; |
|
455 |
document.getElementById('opt_ca').style.display = 'none'; |
|
456 |
document.getElementById('opt_cert').disabled = true; |
|
457 |
document.getElementById('opt_ca').disabled = true; |
|
458 |
break; |
|
443 | 459 |
} |
444 | 460 |
} |
445 | 461 |
|
... | ... | |
709 | 725 |
</span> |
710 | 726 |
</td> |
711 | 727 |
</tr> |
728 |
<tr id="opt_cert"> |
|
729 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td> |
|
730 |
<td width="78%" class="vtable"> |
|
731 |
<select name="certref" class="formselect"> |
|
732 |
<?php |
|
733 |
foreach ($config['cert'] as $cert): |
|
734 |
$selected = ""; |
|
735 |
if ($pconfig['certref'] == $cert['refid']) |
|
736 |
$selected = "selected=\"selected\""; |
|
737 |
?> |
|
738 |
<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option> |
|
739 |
<?php endforeach; ?> |
|
740 |
</select> |
|
741 |
<br /> |
|
742 |
<span class="vexpl"> |
|
743 |
<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>. |
|
744 |
</span> |
|
745 |
</td> |
|
746 |
</tr> |
|
747 |
<tr id="opt_ca"> |
|
748 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td> |
|
749 |
<td width="78%" class="vtable"> |
|
750 |
<select name="caref" class="formselect"> |
|
751 |
<?php |
|
752 |
foreach ($config['ca'] as $ca): |
|
753 |
$selected = ""; |
|
754 |
if ($pconfig['caref'] == $ca['refid']) |
|
755 |
$selected = "selected=\"selected\""; |
|
756 |
?> |
|
757 |
<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> |
|
758 |
<?php endforeach; ?> |
|
759 |
</select> |
|
760 |
<br /> |
|
761 |
<span class="vexpl"> |
|
762 |
<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>. |
|
763 |
</span> |
|
764 |
</td> |
|
765 |
</tr> |
|
766 |
<tr> |
|
767 |
<td colspan="2" valign="top" class="listtopic"> |
|
768 |
<?=gettext("Phase 1 proposal (Algorithms)"); ?> |
|
769 |
</td> |
|
770 |
</tr> |
|
712 | 771 |
<tr> |
713 | 772 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td> |
714 | 773 |
<td width="78%" class="vtable"> |
... | ... | |
767 | 826 |
<?=gettext("seconds"); ?> |
768 | 827 |
</td> |
769 | 828 |
</tr> |
770 |
<tr id="opt_cert"> |
|
771 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td> |
|
772 |
<td width="78%" class="vtable"> |
|
773 |
<select name="certref" class="formselect"> |
|
774 |
<?php |
|
775 |
foreach ($config['cert'] as $cert): |
|
776 |
$selected = ""; |
|
777 |
if ($pconfig['certref'] == $cert['refid']) |
|
778 |
$selected = "selected=\"selected\""; |
|
779 |
?> |
|
780 |
<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option> |
|
781 |
<?php endforeach; ?> |
|
782 |
</select> |
|
783 |
<br /> |
|
784 |
<span class="vexpl"> |
|
785 |
<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>. |
|
786 |
</span> |
|
787 |
</td> |
|
788 |
</tr> |
|
789 |
<tr id="opt_ca"> |
|
790 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td> |
|
791 |
<td width="78%" class="vtable"> |
|
792 |
<select name="caref" class="formselect"> |
|
793 |
<?php |
|
794 |
foreach ($config['ca'] as $ca): |
|
795 |
$selected = ""; |
|
796 |
if ($pconfig['caref'] == $ca['refid']) |
|
797 |
$selected = "selected=\"selected\""; |
|
798 |
?> |
|
799 |
<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> |
|
800 |
<?php endforeach; ?> |
|
801 |
</select> |
|
802 |
<br /> |
|
803 |
<span class="vexpl"> |
|
804 |
<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>. |
|
805 |
</span> |
|
806 |
</td> |
|
807 |
</tr> |
|
808 | 829 |
<tr> |
809 | 830 |
<td colspan="2" class="list" height="12"></td> |
810 | 831 |
</tr> |
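Review bot: The new `case "eap-tls":` in the input validation (new line 157) only rejects non-IKEv2 entries; it does not check that a certificate or CA was selected, even though the comment above the switch says certificate-based methods require the CA/Cert, and the eap-tls path in vpn.inc calls `lookup_cert($ph1ent['certref'])` and skips the whole phase 1 entry when it fails. Add before the `break`: `if (empty($pconfig['certref'])) $input_errors[] = gettext("A certificate must be selected for EAP-TLS.");` and the equivalent for `caref` if the CA is meant to be mandatory. On the JavaScript side the new `case 'eap-tls':` body repeats `hybrid_rsa_server` line for line and could simply fall through to it. The enclosing switch and function start before this hunk.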
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases