pfSense

<?php

/*

	vpn_ipsec_mobile.php

	Copyright (C) 2008 Shrew Soft Inc

	Copyright (C) 2013-2015 Electric Sheep Fencing, LP

	All rights reserved.

	Redistribution and use in source and binary forms, with or without

	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,

	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright

	   notice, this list of conditions and the following disclaimer in the

	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,

	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

	POSSIBILITY OF SUCH DAMAGE.

*/

##|+PRIV

##|*IDENT=page-vpn-ipsec-mobile

##|*NAME=VPN: IPsec: Mobile page

##|*DESCR=Allow access to the 'VPN: IPsec: Mobile' page.

##|*MATCH=vpn_ipsec_mobile.php*

##|-PRIV

require("functions.inc");

require("guiconfig.inc");

require_once("ipsec.inc");

require_once("vpn.inc");

require_once("filter.inc");

if (!is_array($config['ipsec']['phase1']))

	$config['ipsec']['phase1'] = array();

$a_phase1 = &$config['ipsec']['phase1'];

if (!is_array($config['ipsec']['client']))

	$config['ipsec']['client'] = array();

$a_client = &$config['ipsec']['client'];

if (count($a_client)) {

	$pconfig['enable'] = $a_client['enable'];

	$pconfig['user_source'] = $a_client['user_source'];

	$pconfig['group_source'] = $a_client['group_source'];

	$pconfig['pool_address'] = $a_client['pool_address'];

	$pconfig['pool_netbits'] = $a_client['pool_netbits'];

	$pconfig['net_list'] = $a_client['net_list'];

	$pconfig['save_passwd'] = $a_client['save_passwd'];

	$pconfig['dns_domain'] = $a_client['dns_domain'];

	$pconfig['dns_split'] = $a_client['dns_split'];

	$pconfig['dns_server1'] = $a_client['dns_server1'];

	$pconfig['dns_server2'] = $a_client['dns_server2'];

	$pconfig['dns_server3'] = $a_client['dns_server3'];

	$pconfig['dns_server4'] = $a_client['dns_server4'];

	$pconfig['wins_server1'] = $a_client['wins_server1'];

	$pconfig['wins_server2'] = $a_client['wins_server2'];

	$pconfig['pfs_group'] = $a_client['pfs_group'];

	$pconfig['login_banner'] = $a_client['login_banner'];

	if (isset($pconfig['enable']))

		$pconfig['enable'] = true;

	if ($pconfig['pool_address']&&$pconfig['pool_netbits'])

		$pconfig['pool_enable'] = true;

	else

		$pconfig['pool_netbits'] = 24;

	if (isset($pconfig['net_list']))

		$pconfig['net_list_enable'] = true;

	if (isset($pconfig['save_passwd']))

		$pconfig['save_passwd_enable'] = true;

	if ($pconfig['dns_domain'])

		$pconfig['dns_domain_enable'] = true;

	if ($pconfig['dns_split'])

		$pconfig['dns_split_enable'] = true;

	if ($pconfig['dns_server1']||$pconfig['dns_server2']||$pconfig['dns_server3']||$pconfig['dns_server4'])

		$pconfig['dns_server_enable'] = true;

	if ($pconfig['wins_server1']||$pconfig['wins_server2'])

		$pconfig['wins_server_enable'] = true;

	if (isset($pconfig['pfs_group']))

		$pconfig['pfs_group_enable'] = true;

	if ($pconfig['login_banner'])

		$pconfig['login_banner_enable'] = true;

}

if ($_POST['create']) {

	header("Location: vpn_ipsec_phase1.php?mobile=true");

}

if ($_POST['apply']) {

	$retval = 0;

	$retval = vpn_ipsec_configure();

	$savemsg = get_std_save_message($retval);

	if ($retval >= 0)

		if (is_subsystem_dirty('ipsec'))

			clear_subsystem_dirty('ipsec');

}

if ($_POST['save']) {

	unset($input_errors);

	$pconfig = $_POST;

	/* input consolidation */

	/* input validation */

	$reqdfields = explode(" ", "user_source group_source");

	$reqdfieldsn =  array(gettext("User Authentication Source"),gettext("Group Authentication Source"));

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

	if ($pconfig['pool_enable'])

		if (!is_ipaddr($pconfig['pool_address']))

			$input_errors[] = gettext("A valid IP address for 'Virtual Address Pool Network' must be specified.");

	if ($pconfig['dns_domain_enable'])

		if (!is_domain($pconfig['dns_domain']))

			$input_errors[] = gettext("A valid value for 'DNS Default Domain' must be specified.");

	if ($pconfig['dns_split_enable']) {

		if (!empty($pconfig['dns_split'])) {

			$domain_array=preg_split("/[ ,]+/",$pconfig['dns_split']);

			foreach ($domain_array as $curdomain) {

				if (!is_domain($curdomain)) {

					$input_errors[] = gettext("A valid split DNS domain list must be specified.");

					break;

				}

			}

		}

	}

	if ($pconfig['dns_server_enable']) {

		if (!$pconfig['dns_server1'] && !$pconfig['dns_server2'] &&

			!$pconfig['dns_server3'] && !$pconfig['dns_server4'] )

			$input_errors[] = gettext("At least one DNS server must be specified to enable the DNS Server option.");

		if ($pconfig['dns_server1'] && !is_ipaddr($pconfig['dns_server1']))

			$input_errors[] = gettext("A valid IP address for 'DNS Server #1' must be specified.");

		if ($pconfig['dns_server2'] && !is_ipaddr($pconfig['dns_server2']))

			$input_errors[] = gettext("A valid IP address for 'DNS Server #2' must be specified.");

		if ($pconfig['dns_server3'] && !is_ipaddr($pconfig['dns_server3']))

			$input_errors[] = gettext("A valid IP address for 'DNS Server #3' must be specified.");

		if ($pconfig['dns_server4'] && !is_ipaddr($pconfig['dns_server4']))

			$input_errors[] = gettext("A valid IP address for 'DNS Server #4' must be specified.");

	}

	if ($pconfig['wins_server_enable']) {

		if (!$pconfig['wins_server1'] && !$pconfig['wins_server2'])

			$input_errors[] = gettext("At least one WINS server must be specified to enable the DNS Server option.");

		if ($pconfig['wins_server1'] && !is_ipaddr($pconfig['wins_server1']))

			$input_errors[] = gettext("A valid IP address for 'WINS Server #1' must be specified.");

		if ($pconfig['wins_server2'] && !is_ipaddr($pconfig['wins_server2']))

			$input_errors[] = gettext("A valid IP address for 'WINS Server #2' must be specified.");

	}

	if ($pconfig['login_banner_enable'])

		if (!strlen($pconfig['login_banner']))

			$input_errors[] = gettext("A valid value for 'Login Banner' must be specified.");

	if (!$input_errors) {

		$client = array();

		if ($pconfig['enable'])

			$client['enable'] = true;

		if (!empty($pconfig['user_source']))

			$client['user_source'] = implode(",", $pconfig['user_source']);

		$client['group_source'] = $pconfig['group_source'];

		if ($pconfig['pool_enable']) {

			$client['pool_address'] = $pconfig['pool_address'];

			$client['pool_netbits'] = $pconfig['pool_netbits'];

		}

		if ($pconfig['net_list_enable'])

			$client['net_list'] = true;

		if ($pconfig['save_passwd_enable'])

			$client['save_passwd'] = true;

		if ($pconfig['dns_domain_enable'])

			$client['dns_domain'] = $pconfig['dns_domain'];

		if ($pconfig['dns_split_enable'])

			$client['dns_split'] = $pconfig['dns_split'];

		if ($pconfig['dns_server_enable']) {

			$client['dns_server1'] = $pconfig['dns_server1'];

			$client['dns_server2'] = $pconfig['dns_server2'];

			$client['dns_server3'] = $pconfig['dns_server3'];

			$client['dns_server4'] = $pconfig['dns_server4'];

		}

		if ($pconfig['wins_server_enable']) {

			$client['wins_server1'] = $pconfig['wins_server1'];

			$client['wins_server2'] = $pconfig['wins_server2'];

		}

		if ($pconfig['pfs_group_enable'])

			$client['pfs_group'] = $pconfig['pfs_group'];

		if ($pconfig['login_banner_enable'])

			$client['login_banner'] = $pconfig['login_banner'];

//		$echo "login banner = {$pconfig['login_banner']}";

		$a_client = $client;

		write_config();

		mark_subsystem_dirty('ipsec');

		header("Location: vpn_ipsec_mobile.php");

		exit;

	}

}

$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Mobile"));

$shortcut_section = "ipsec";

include("head.inc");

?>

	<script type="text/javascript">

		//<![CDATA[

		function pool_change() {

			if (document.iform.pool_enable.checked) {

				document.iform.pool_address.disabled = 0;

				document.iform.pool_netbits.disabled = 0;

			} else {

				document.iform.pool_address.disabled = 1;

				document.iform.pool_netbits.disabled = 1;

			}

		}

		function dns_domain_change() {

			if (document.iform.dns_domain_enable.checked)

				document.iform.dns_domain.disabled = 0;

			else

				document.iform.dns_domain.disabled = 1;

		}

		function dns_split_change() {

			if (document.iform.dns_split_enable.checked)

				document.iform.dns_split.disabled = 0;

			else

				document.iform.dns_split.disabled = 1;

		}

		function dns_server_change() {

			if (document.iform.dns_server_enable.checked) {

				document.iform.dns_server1.disabled = 0;

				document.iform.dns_server2.disabled = 0;

				document.iform.dns_server3.disabled = 0;

				document.iform.dns_server4.disabled = 0;

			} else {

				document.iform.dns_server1.disabled = 1;

				document.iform.dns_server2.disabled = 1;

				document.iform.dns_server3.disabled = 1;

				document.iform.dns_server4.disabled = 1;

			}

		}

		function wins_server_change() {

			if (document.iform.wins_server_enable.checked) {

				document.iform.wins_server1.disabled = 0;

				document.iform.wins_server2.disabled = 0;

			} else {

				document.iform.wins_server1.disabled = 1;

				document.iform.wins_server2.disabled = 1;

			}

		}

		function pfs_group_change() {

			if (document.iform.pfs_group_enable.checked)

				document.iform.pfs_group.disabled = 0;

			else

				document.iform.pfs_group.disabled = 1;

		}

		function login_banner_change() {

			if (document.iform.login_banner_enable.checked)

				document.iform.login_banner.disabled = 0;

			else

				document.iform.login_banner.disabled = 1;

		}

		//]]>

	</script>

<?php

if ($savemsg)

	print_info_box($savemsg);

if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec'))

	print_info_box_np(gettext("The IPsec tunnel configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));

foreach ($a_phase1 as $ph1ent)

	if (isset($ph1ent['mobile']))

		$ph1found = true;

if ($pconfig['enable'] && !$ph1found)

	print_info_box_np(gettext("Support for IPsec Mobile clients is enabled but a Phase1 definition was not found") . ".<br />" . gettext("Please click Create to define one."),gettext("create"),gettext("Create Phase1"));

if ($input_errors)

	print_input_errors($input_errors);

?>

<?php

$tab_array = array();

$tab_array[0] = array(gettext("Tunnels"), false, "vpn_ipsec.php");

$tab_array[1] = array(gettext("Mobile clients"), true, "vpn_ipsec_mobile.php");

$tab_array[2] = array(gettext("Pre-Shared Key"), false, "vpn_ipsec_keys.php");

$tab_array[3] = array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php");

display_top_tabs($tab_array, false, 'pills');

require('classes/Form.class.php');

$form = new Form;

$section = new Form_Section('Enable IPsec Mobile Client Support');

$section->addInput(new Form_Checkbox(

	'enable',

	'IKE Extensions',

	'Enable IPsec Mobile Client Support',

	$pconfig['enable']

));

$form->add($section);

$section = new Form_Section('Extended Authentication (Xauth)');

$authServers = array();

foreach (auth_get_authserver_list() as $authServer)

	$authServers[$authServer['name']] = $authServer['name']; // Value == name

$section->addInput(new Form_Select(

	'user_source',

	'User Authentication',

	explode(",", $pconfig['user_source']),

	$authServers,

	true

))->setHelp('Source');

$section->addInput(new Form_Select(

	'group_source',

	'Group Authentication',

	$pconfig['group_source'],

	array(

		'none' => 'none',

		'system' => 'system',

	)

))->setHelp('Source');

$form->add($section);

$section = new Form_Section('Client Configuration (mode-cfg)');

$section->addInput(new Form_Checkbox(

	'pool_enable',

	'Virtual Address Pool',

	'Provide a virtual IP address to clients',

	$pconfig['pool_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-pool_enable');

// TODO: Refactor this manual setup

$group = new Form_Group('');

$group->addClass('toggle-pool_enable collapse');

if (!empty($pconfig['pool_enable']))

	$group->addClass('in');

$group->add(new Form_Input(

	'pool_address',

	'Network',

	'text',

	htmlspecialchars($pconfig['pool_address'])

))->setWidth(4)->setHelp('Network configuration for Virtual Address Pool');

$netBits = array();

for ($i = 32; $i >= 0; $i--)

	$netBits[$i] = $i;

$group->add(new Form_Select(

	'pool_netbits',

	'',

	$pconfig['pool_netbits'],

	$netBits

))->setWidth(2);

$section->add($group);

$section->addInput(new Form_Checkbox(

	'net_list_enable',

	'Network List',

	'Provide a list of accessible networks to clients',

	$pconfig['net_list_enable']

));

$section->addInput(new Form_Checkbox(

	'save_passwd_enable',

	'Save Xauth Password',

	'Allow clients to save Xauth passwords (Cisco VPN client only).',

	$pconfig['save_passwd_enable']

))->setHelp('NOTE: With iPhone clients, this does not work when deployed via the iPhone configuration utility, only by manual entry.');

$section->addInput(new Form_Checkbox(

	'dns_domain_enable',

	'DNS Default Domain',

	'Provide a default domain name to clients',

	$pconfig['dns_domain_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-dns_domain');

$group = new Form_Group('');

$group->addClass('toggle-dns_domain collapse');

if (!empty($pconfig['dns_domain_enable']))

	$group->addClass('in');

$group->add(new Form_Input(

	'dns_domain',

	'',

	'text',

	htmlspecialchars($pconfig['dns_domain'])

))->setHelp('Specify domain as DNS Default Domain');

$section->add($group);

$section->addInput(new Form_Checkbox(

	'dns_split_enable',

	'Split DNS',

	'Provide a list of split DNS domain names to clients. Enter a comma separated list.',

	$pconfig['dns_split_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-dns_split');

$group = new Form_Group('');

$group->addClass('toggle-dns_split collapse');

if (!empty($pconfig['dns_split_enable']))

	$group->addClass('in');

$group->add(new Form_Input(

	'dns_split',

	'',

	'text',

	htmlspecialchars($pconfig['dns_split'])

))->setHelp('NOTE: If left blank, and a default domain is set, it will be used for this value.');

$section->add($group);

$section->addInput(new Form_Checkbox(

	'dns_server_enable',

	'DNS Servers',

	'Provide a DNS server list to clients',

	$pconfig['dns_server_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-dns_server_enable');

for ($i = 1; $i <= 4; $i++)

{

	$group = new Form_Group('Server #' . $i);

	$group->addClass('toggle-dns_server_enable collapse');

	if (!empty($pconfig['dns_server_enable']))

		$group->addClass('in');

	$group->add(new Form_Input(

		'dns_server' . $i,

		'Server #' . $i,

		'text',

		htmlspecialchars($pconfig['dns_server' . $i])

	));

	$section->add($group);

}

$section->addInput(new Form_Checkbox(

	'wins_server_enable',

	'WINS Servers',

	'Provide a WINS server list to clients',

	$pconfig['wins_server_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-wins_server_enable');

for ($i = 1; $i <= 2; $i++)

{

	$group = new Form_Group('Server #' . $i);

	$group->addClass('toggle-wins_server_enable collapse');

	if (!empty($pconfig['wins_server_enable']))

		$group->addClass('in');

	$group->add(new Form_Input(

		'wins_server' . $i,

		'Server #' . $i,

		'text',

		htmlspecialchars($pconfig['wins_server' . $i]),

		array('size' => 20)

	));

	$section->add($group);

}

$section->addInput(new Form_Checkbox(

	'pfs_group_enable',

	'Phase2 PFS Group',

	'Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )',

	$pconfig['pfs_group_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-pfs_group');

$group = new Form_Group('Group');

$group->addClass('toggle-pfs_group collapse');

if (!empty($pconfig['pfs_group_enable']))

	$group->addClass('in');

$group->add(new Form_Select(

	'pfs_group',

	'Group',

	$pconfig['pfs_group'],

	$p2_pfskeygroups

))->setWidth(2);

$section->add($group);

$section->addInput(new Form_Checkbox(

	'login_banner_enable',

	'Login Banner',

	'Provide a login banner to clients',

	$pconfig['login_banner_enable']

))->setAttribute('data-toggle', 'collapse')->setAttribute('data-target', '.toggle-login_banner');

$group = new Form_Group('');

$group->addClass('toggle-login_banner collapse');

if (!empty($pconfig['login_banner_enable']))

	$group->addClass('in');

// TODO: should be a textarea

$group->add(new Form_Input(

	'login_banner',

	'',

	'text',

	htmlspecialchars($pconfig['login_banner'])

));

$section->add($group);

$form->add($section);

print $form;

include("foot.inc");