Révision fa4e059e
Ajouté par Ermal il y a plus de 9 ans
etc/inc/vpn.inc | ||
49 | 49 |
$cfgtext = array(); |
50 | 50 |
foreach ($ipsec_loglevels as $lkey => $ldescr) { |
51 | 51 |
if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) |
52 |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
|
|
52 |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -1", false); |
|
53 | 53 |
else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && |
54 | 54 |
intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) |
55 | 55 |
$forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : |
... | ... | |
128 | 128 |
|
129 | 129 |
return 0; |
130 | 130 |
} else { |
131 |
$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs"; |
|
132 |
$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts"; |
|
133 |
$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private"; |
|
134 |
|
|
131 | 135 |
mwexec("/sbin/ifconfig enc0 up"); |
132 | 136 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); |
133 | 137 |
/* needed for config files */ |
... | ... | |
135 | 139 |
mkdir("{$g['varetc_path']}/ipsec"); |
136 | 140 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) |
137 | 141 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); |
138 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts"))
|
|
139 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/cacerts");
|
|
140 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/private"))
|
|
141 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/private");
|
|
142 |
if (!is_dir($capath))
|
|
143 |
mkdir($capath);
|
|
144 |
if (!is_dir($keypath))
|
|
145 |
mkdir($keypath);
|
|
142 | 146 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) |
143 | 147 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); |
144 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/certs"))
|
|
145 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/certs");
|
|
148 |
if (!is_dir($certpath))
|
|
149 |
mkdir($certpath);
|
|
146 | 150 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) |
147 | 151 |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); |
148 | 152 |
if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) |
... | ... | |
416 | 420 |
log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); |
417 | 421 |
continue; |
418 | 422 |
} |
419 |
$fname = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$x509cert['hash']}.0";
|
|
423 |
$fname = "{$capath}/{$x509cert['hash']}.0.crt";
|
|
420 | 424 |
if (!@file_put_contents($fname, $cert)) { |
421 | 425 |
log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); |
422 | 426 |
continue; |
... | ... | |
433 | 437 |
if (isset($ph1ent['disabled'])) |
434 | 438 |
continue; |
435 | 439 |
|
436 |
if (strstr($ph1ent['authentication_method'],'rsa')) {
|
|
440 |
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
|
|
437 | 441 |
$certline = ''; |
438 | 442 |
|
439 |
if (strstr($authmethod,'rsa')) { |
|
440 |
|
|
441 |
$ikeid = $ph1ent['ikeid']; |
|
442 |
$cert = lookup_cert($ph1ent['certref']); |
|
443 |
|
|
444 |
if (!$cert) { |
|
445 |
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); |
|
446 |
continue; |
|
447 |
} |
|
448 |
|
|
449 |
chmod($certpath, 0600); |
|
450 |
|
|
451 |
$keyfile = "cert-{$ikeid}.key"; |
|
452 |
$keypath = "{$g['varetc_path']}/ipsec/{$keyfile}"; |
|
453 |
|
|
454 |
if (!file_put_contents($keypath, base64_decode($cert['prv']))) { |
|
455 |
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); |
|
456 |
continue; |
|
457 |
} |
|
443 |
$ikeid = $ph1ent['ikeid']; |
|
444 |
$cert = lookup_cert($ph1ent['certref']); |
|
458 | 445 |
|
459 |
chmod($keypath, 0600); |
|
460 |
/* XXX" Traffic selectors? */ |
|
461 |
$pskconf .= " : RSA {$keypath}\n"; |
|
446 |
if (!$cert) { |
|
447 |
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); |
|
448 |
continue; |
|
449 |
} |
|
462 | 450 |
|
463 |
$ca = lookup_ca($ph1ent['caref']); |
|
464 |
if ($ca) { |
|
465 |
$cafile = "ca-{$ikeid}.crt"; |
|
466 |
$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts/{$cafile}"; |
|
451 |
@chmod($certpath, 0600); |
|
467 | 452 |
|
468 |
if (!file_put_contents($capath, base64_decode($ca['crt']))) |
|
469 |
{ |
|
470 |
log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name'])); |
|
471 |
continue; |
|
472 |
} |
|
453 |
$ph1keyfile = "{$keypath}/cert-{$ikeid}.key"; |
|
454 |
if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { |
|
455 |
log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name'])); |
|
456 |
continue; |
|
457 |
} |
|
458 |
@chmod($ph1keyfile, 0600); |
|
473 | 459 |
|
474 |
chmod($capath, 0600); |
|
475 |
} |
|
460 |
$ph1certfile = "{$certpath}/cert-{$ikeid}.crt"; |
|
461 |
if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { |
|
462 |
log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); |
|
463 |
@unlink($ph1keyfile); |
|
464 |
continue; |
|
476 | 465 |
} |
466 |
@chmod($ph1certfile, 0600); |
|
467 |
|
|
468 |
/* XXX" Traffic selectors? */ |
|
469 |
$pskconf .= " : RSA {$ph1keyfile}\n"; |
|
477 | 470 |
} else { |
478 | 471 |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); |
479 | 472 |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); |
... | ... | |
595 | 588 |
|
596 | 589 |
$authentication = ""; |
597 | 590 |
switch ($ph1ent['authentication_method']) { |
591 |
case 'eap-tls': |
|
592 |
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; |
|
593 |
if (!empty($ph1ent['certref'])) |
|
594 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; |
|
595 |
break; |
|
598 | 596 |
case 'xauth_rsa_server': |
599 | 597 |
$authentication = "leftauth = pubkey\n\trightauth = pubkey"; |
600 | 598 |
$authentication .= "\n\trightauth2 = xauth-generic"; |
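Review bot: The rewritten condition at new line 440 swaps `strstr` for `strpos` without comparing against `false`, so an authentication_method whose `rsa` substring sits at offset 0 yields 0, the test fails, and that phase 1 drops into the PSK `else` branch with no certificate or key written; it should read `if (strpos($ph1ent['authentication_method'], 'rsa') !== false || $ph1ent['authentication_method'] == 'eap-tls') {`. The private key is written with `file_put_contents` into `$keypath`, a directory created by a bare `mkdir()` with the default mode, and only tightened to 0600 after the write, so the key briefly exists with whatever the process umask grants; creating the directory with `mkdir($keypath, 0700)` and pre-creating the file with restrictive mode before writing would close that window. The directory-level `@chmod($certpath, 0600)` at new line 451 also looks misdirected: it strips the execute bit from the certs directory that the later `leftcert={$certpath}/cert-...crt` points into while leaving the private-key directory untouched, which is harmless for root but worth confirming against how charon is run here. The enclosing function begins and ends outside the shown hunks.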
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases.