Project

General

Profile

Download (17.8 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
	vpn_ipsec_mobile.php
4
	part of m0n0wall (http://m0n0.ch/wall)
5
	
6
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
7
	All rights reserved.
8
	
9
	Redistribution and use in source and binary forms, with or without
10
	modification, are permitted provided that the following conditions are met:
11
	
12
	1. Redistributions of source code must retain the above copyright notice,
13
	   this list of conditions and the following disclaimer.
14
	
15
	2. Redistributions in binary form must reproduce the above copyright
16
	   notice, this list of conditions and the following disclaimer in the
17
	   documentation and/or other materials provided with the distribution.
18
	
19
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
20
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
21
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
23
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28
	POSSIBILITY OF SUCH DAMAGE.
29
*/
30

    
31
require("guiconfig.inc");
32

    
33
if (!is_array($config['ipsec']['mobileclients'])) {
34
	$config['ipsec']['mobileclients'] = array();
35
}
36
$a_ipsec = &$config['ipsec']['mobileclients'];
37

    
38
if (count($a_ipsec) == 0) {
39
	/* defaults */
40
	$pconfig['p1mode'] = "aggressive";
41
	$pconfig['p1myidentt'] = "myaddress";
42
	$pconfig['p1ealgo'] = "3des";
43
	$pconfig['p1halgo'] = "sha1";
44
	$pconfig['p1dhgroup'] = "2";
45
	$pconfig['p1authentication_method'] = "pre_shared_key";
46
	$pconfig['p2proto'] = "esp";
47
	$pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael");
48
	$pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5");
49
	$pconfig['p2pfsgroup'] = "0";
50
} else {
51
	$pconfig['enable'] = isset($a_ipsec['enable']);
52
	$pconfig['natt'] = isset($a_ipsec['natt']);
53
	$pconfig['p1mode'] = $a_ipsec['p1']['mode'];
54
		
55
	if (isset($a_ipsec['p1']['myident']['myaddress']))
56
		$pconfig['p1myidentt'] = 'myaddress';
57
	else if (isset($a_ipsec['p1']['myident']['address'])) {
58
		$pconfig['p1myidentt'] = 'address';
59
		$pconfig['p1myident'] = $a_ipsec['p1']['myident']['address'];
60
	} else if (isset($a_ipsec['p1']['myident']['fqdn'])) {
61
		$pconfig['p1myidentt'] = 'fqdn';
62
		$pconfig['p1myident'] = $a_ipsec['p1']['myident']['fqdn'];
63
	} else if (isset($a_ipsec['p1']['myident']['ufqdn'])) {
64
		$pconfig['p1myidentt'] = 'user_fqdn';
65
		$pconfig['p1myident'] = $a_ipsec['p1']['myident']['ufqdn'];
66
 	}
67
	
68
	$pconfig['p1ealgo'] = $a_ipsec['p1']['encryption-algorithm'];
69
	$pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm'];
70
	$pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup'];
71
	$pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime'];
72
	$pconfig['p1authentication_method'] = $a_ipsec['p1']['authentication_method'];
73
	$pconfig['p1cert'] = base64_decode($a_ipsec['p1']['cert']);
74
	$pconfig['p1privatekey'] = base64_decode($a_ipsec['p1']['private-key']);
75
	$pconfig['p2proto'] = $a_ipsec['p2']['protocol'];
76

    
77
	$pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option'];
78
	$pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option'];
79

    
80
	$pconfig['p2pfsgroup'] = $a_ipsec['p2']['pfsgroup'];
81
	$pconfig['p2lifetime'] = $a_ipsec['p2']['lifetime'];
82
}
83

    
84
if ($_POST['apply']) {
85
		$retval = 0;
86
		$retval = vpn_ipsec_configure();
87
		$savemsg = get_std_save_message($retval);	
88
		unlink($d_ipsecconfdirty_path);
89
} else if($_POST)  {
90
	unset($input_errors);
91
	$pconfig = $_POST;
92

    
93
	/* input validation */
94
	$reqdfields = explode(" ", "p2ealgos p2halgos");
95
	$reqdfieldsn = explode(",", "P2 Encryption Algorithms,P2 Hash Algorithms");
96
	
97
	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
98
	
99
	if ($_POST['p1authentication_method']== "rsasig") {
100
		if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE"))
101
			$input_errors[] = "This certificate does not appear to be valid.";
102
		if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY"))
103
			$input_errors[] = "This key does not appear to be valid.";	
104
	}
105
	
106
	if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) {
107
		$input_errors[] = "The P1 lifetime must be an integer.";
108
	}
109
	if (($_POST['p2lifetime'] && !is_numeric($_POST['p2lifetime']))) {
110
		$input_errors[] = "The P2 lifetime must be an integer.";
111
	}
112
	if ((($_POST['p1myidentt'] == "address") && !is_ipaddr($_POST['p1myident']))) {
113
		$input_errors[] = "A valid IP address for 'My identifier' must be specified.";
114
	}
115
	if ((($_POST['p1myidentt'] == "fqdn") && !is_domain($_POST['p1myident']))) {
116
		$input_errors[] = "A valid domain name for 'My identifier' must be specified.";
117
	}
118
	if ($_POST['p1myidentt'] == "user_fqdn") {
119
		$ufqdn = explode("@",$_POST['p1myident']);
120
		if (!is_domain($ufqdn[1])) 
121
			$input_errors[] = "A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.";
122
	}
123
	
124
	if ($_POST['p1myidentt'] == "myaddress")
125
		$_POST['p1myident'] = "";
126

    
127
	if (!$input_errors) {
128
		$ipsecent = array();
129
		$ipsecent['enable'] = $_POST['enable'] ? true : false;
130
		$ipsecent['p1']['mode'] = $_POST['p1mode'];
131
		$ipsecent['natt'] = $_POST['natt'] ? true : false;
132
		
133
		$ipsecent['p1']['myident'] = array();
134
		switch ($_POST['p1myidentt']) {
135
			case 'myaddress':
136
				$ipsecent['p1']['myident']['myaddress'] = true;
137
				break;
138
			case 'address':
139
				$ipsecent['p1']['myident']['address'] = $_POST['p1myident'];
140
				break;
141
			case 'fqdn':
142
				$ipsecent['p1']['myident']['fqdn'] = $_POST['p1myident'];
143
				break;
144
			case 'user_fqdn':
145
				$ipsecent['p1']['myident']['ufqdn'] = $_POST['p1myident'];
146
				break;
147
		}
148
		
149
		$ipsecent['p1']['encryption-algorithm'] = $_POST['p1ealgo'];
150
		$ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo'];
151
		$ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup'];
152
		$ipsecent['p1']['lifetime'] = $_POST['p1lifetime'];
153
		$ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']);
154
		$ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']);
155
		$ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method'];
156
		$ipsecent['p2']['protocol'] = $_POST['p2proto'];
157
		$ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos'];
158
		$ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos'];
159
		$ipsecent['p2']['pfsgroup'] = $_POST['p2pfsgroup'];
160
		$ipsecent['p2']['lifetime'] = $_POST['p2lifetime'];
161
		
162
		$a_ipsec = $ipsecent;
163
		
164
		write_config();
165
		touch($d_ipsecconfdirty_path);
166
		
167
		header("Location: vpn_ipsec_mobile.php");
168
		exit;
169
	}
170
}
171

    
172
$pgtitle = "VPN: IPsec: Mobile";
173
include("head.inc");
174

    
175
?>
176
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
177
<?php include("fbegin.inc"); ?>
178
<p class="pgtitle"><?=$pgtitle?></p>
179
<script language="JavaScript">
180
<!--
181
function methodsel_change() {
182
	switch (document.iform.p1authentication_method.selectedIndex) {
183
		case 1:	/* rsa */
184
			document.iform.p1privatekey.disabled = 0;
185
			document.iform.p1cert.disabled = 0;
186
			break;
187
		default: /* pre-shared */
188
			document.iform.p1privatekey.disabled = 1;
189
			document.iform.p1cert.disabled = 1;
190
			break;
191
	}
192
}
193
//-->
194
</script>
195
<form action="vpn_ipsec_mobile.php" method="post">
196
<?php if ($savemsg) print_info_box($savemsg); ?>
197
<?php if ($input_errors) print_input_errors($input_errors); ?>
198
<?php if (file_exists($d_ipsecconfdirty_path)): ?><p>
199
<?php print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
200
<?php endif; ?>
201
</form>
202
<form action="vpn_ipsec_mobile.php" method="post" name="iform" id="iform">
203
<table width="100%" border="0" cellpadding="0" cellspacing="0">
204
  <tr><td class="tabnavtbl">
205
<?php
206
	$tab_array = array();
207
	$tab_array[0] = array("Tunnels", false, "vpn_ipsec.php");
208
	$tab_array[1] = array("Mobile clients", true, "vpn_ipsec_mobile.php");
209
	$tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
210
	$tab_array[3] = array("CAs", false, "vpn_ipsec_ca.php");
211
	display_top_tabs($tab_array);
212
?>
213
  </td></tr>
214
  <tr> 
215
    <td>
216
	 <div id="mainarea">
217
              <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
218
			  <tr> 
219
                        <td width="22%" valign="top">&nbsp;</td>
220
                        <td width="78%"> 
221
                    <input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?>>
222
                    <strong>Allow mobile clients</strong></td>
223
                </tr>
224
                <tr> 
225
                  <td colspan="2" valign="top" class="listtopic">Phase 1 proposal 
226
                    (Authentication)</td>
227
                </tr>
228
                <tr> 
229
                  <td width="22%" valign="top" class="vncellreq">Negotiation mode</td>
230
                        <td width="78%" class="vtable">
231
					<select name="p1mode" class="formfld">
232
                      <?php $modes = explode(" ", "main aggressive"); foreach ($modes as $mode): ?>
233
                      <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1mode']) echo "selected"; ?>> 
234
                      <?=htmlspecialchars($mode);?>
235
                      </option>
236
                      <?php endforeach; ?>
237
                    </select> <br> <span class="vexpl">Aggressive is faster, but 
238
                    less secure.</span></td>
239
                </tr>
240
                <tr> 
241
                  <td width="22%" valign="top" class="vncellreq">My identifier</td>
242
                        <td width="78%" class="vtable">
243
					<select name="p1myidentt" class="formfld">
244
                      <?php foreach ($my_identifier_list as $mode => $modename): ?>
245
                      <option value="<?=$mode;?>" <?php if ($mode == $pconfig['p1myidentt']) echo "selected"; ?>> 
246
                      <?=htmlspecialchars($modename);?>
247
                      </option>
248
                      <?php endforeach; ?>
249
                    </select> <input name="p1myident" type="text" class="formfld" id="p1myident" size="30" value="<?=$pconfig['p1myident'];?>"> 
250
                  </td>
251
                </tr>
252
                <tr> 
253
                  <td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
254
                        <td width="78%" class="vtable">
255
					<select name="p1ealgo" class="formfld">
256
                      <?php foreach ($p1_ealgos as $algo => $algoname): ?>
257
                      <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1ealgo']) echo "selected"; ?>> 
258
                      <?=htmlspecialchars($algoname);?>
259
                      </option>
260
                      <?php endforeach; ?>
261
                    </select> <br> <span class="vexpl">Must match the setting 
262
                    chosen on the remote side. </span></td>
263
                </tr>
264
                <tr> 
265
                  <td width="22%" valign="top" class="vncellreq">Hash algorithm</td>
266
                        <td width="78%" class="vtable">
267
					<select name="p1halgo" class="formfld">
268
                      <?php foreach ($p1_halgos as $algo => $algoname): ?>
269
                      <option value="<?=$algo;?>" <?php if ($algo == $pconfig['p1halgo']) echo "selected"; ?>> 
270
                      <?=htmlspecialchars($algoname);?>
271
                      </option>
272
                      <?php endforeach; ?>
273
                    </select> <br> <span class="vexpl">Must match the setting 
274
                    chosen on the remote side. </span></td>
275
                </tr>
276
                <tr> 
277
                  <td width="22%" valign="top" class="vncellreq">DH key group</td>
278
                        <td width="78%" class="vtable">
279
					<select name="p1dhgroup" class="formfld">
280
                      <?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?>
281
                      <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p1dhgroup']) echo "selected"; ?>> 
282
                      <?=htmlspecialchars($keygroup);?>
283
                      </option>
284
                      <?php endforeach; ?>
285
                    </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 
286
                    bit, 5 = 1536 bit</em><br>
287
                    Must match the setting chosen on the remote side. </span></td>
288
                </tr>
289
                <tr> 
290
                  <td width="22%" valign="top" class="vncell">Lifetime</td>
291
                        <td width="78%" class="vtable"> 
292
                    <input name="p1lifetime" type="text" class="formfld" id="p1lifetime" size="20" value="<?=$pconfig['p1lifetime'];?>">
293
                    seconds</td>
294
                </tr>
295
                <tr> 
296
                  <td width="22%" valign="top" class="vncellreq">Authentication method</td>
297
                  <td width="78%" class="vtable">
298
					<select name="p1authentication_method" class="formfld" onChange="methodsel_change()">
299
                      <?php foreach ($p1_authentication_methods as $method => $methodname): ?>
300
                      <option value="<?=$method;?>" <?php if ($method == $pconfig['p1authentication_method']) echo "selected"; ?>> 
301
                      <?=htmlspecialchars($methodname);?>
302
                      </option>
303
                      <?php endforeach; ?>
304
                    </select> <br> <span class="vexpl">Must match the setting 
305
                    chosen on the remote side. </span></td>
306
                </tr>
307
                <tr> 
308
                  <td width="22%" valign="top" class="vncellreq">Certificate</td>
309
                  <td width="78%" class="vtable"> 
310
                    <textarea name="p1cert" cols="65" rows="7" id="p1cert" class="formpre"><?=htmlspecialchars($pconfig['p1cert']);?></textarea>
311
                    <br> 
312
                    Paste a certificate in X.509 PEM format here.</td>
313
                </tr>
314
                <tr> 
315
                  <td width="22%" valign="top" class="vncellreq">Key</td>
316
                  <td width="78%" class="vtable"> 
317
                    <textarea name="p1privatekey" cols="65" rows="7" id="p1privatekey" class="formpre"><?=htmlspecialchars($pconfig['p1privatekey']);?></textarea>
318
                    <br> 
319
                    Paste an RSA private key in PEM format here.</td>
320
                </tr>
321
                <tr> 
322
                  <td colspan="2" class="list" height="12"></td>
323
                </tr>
324
                <tr> 
325
                  <td colspan="2" valign="top" class="listtopic">Phase 2 proposal 
326
                    (SA/Key Exchange)</td>
327
                </tr>
328
                <tr> 
329
                  <td width="22%" valign="top" class="vncellreq">Protocol</td>
330
                        <td width="78%" class="vtable">
331
					<select name="p2proto" class="formfld">
332
                      <?php foreach ($p2_protos as $proto => $protoname): ?>
333
                      <option value="<?=$proto;?>" <?php if ($proto == $pconfig['p2proto']) echo "selected"; ?>> 
334
                      <?=htmlspecialchars($protoname);?>
335
                      </option>
336
                      <?php endforeach; ?>
337
                    </select> <br> <span class="vexpl">ESP is encryption, AH is 
338
                    authentication only </span></td>
339
                </tr>
340
                <tr> 
341
                  <td width="22%" valign="top" class="vncellreq">Encryption algorithms</td>
342
                        <td width="78%" class="vtable"> 
343
                          <?php foreach ($p2_ealgos as $algo => $algoname): ?>
344
                    <input type="checkbox" name="p2ealgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2ealgos'])) echo "checked"; ?>> 
345
                    <?=htmlspecialchars($algoname);?>
346
                    <br> 
347
                    <?php endforeach; ?>
348
                    <br>
349
                    Hint: use 3DES for best compatibility or if you have a hardware 
350
                    crypto accelerator card. Blowfish is usually the fastest in 
351
                    software encryption. </td>
352
                </tr>
353
                <tr> 
354
                  <td width="22%" valign="top" class="vncellreq">Hash algorithms</td>
355
                        <td width="78%" class="vtable"> 
356
                          <?php foreach ($p2_halgos as $algo => $algoname): ?>
357
                    <input type="checkbox" name="p2halgos[]" value="<?=$algo;?>" <?php if (in_array($algo, $pconfig['p2halgos'])) echo "checked"; ?>> 
358
                    <?=htmlspecialchars($algoname);?>
359
                    <br> 
360
                    <?php endforeach; ?>
361
                  </td>
362
                </tr>
363
                <tr> 
364
                  <td width="22%" valign="top" class="vncellreq">PFS key group</td>
365
                        <td width="78%" class="vtable">
366
					<select name="p2pfsgroup" class="formfld">
367
                      <?php foreach ($p2_pfskeygroups as $keygroup => $keygroupname): ?>
368
                      <option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['p2pfsgroup']) echo "selected"; ?>> 
369
                      <?=htmlspecialchars($keygroupname);?>
370
                      </option>
371
                      <?php endforeach; ?>
372
                    </select> <br> <span class="vexpl"><em>1 = 768 bit, 2 = 1024 
373
                    bit, 5 = 1536 bit</em></span></td>
374
                </tr>
375
                <tr> 
376
                  <td width="22%" valign="top" class="vncell">Lifetime</td>
377
                        <td width="78%" class="vtable"> 
378
                    <input name="p2lifetime" type="text" class="formfld" id="p2lifetime" size="20" value="<?=$pconfig['p2lifetime'];?>">
379
                    seconds</td>
380
                </tr>
381
                <tr> 
382
                  <td width="22%" valign="top">&nbsp;</td>
383
                  <td width="78%"> 
384
                    <input name="Submit" type="submit" class="formbtn" value="Save">
385
                  </td>
386
                </tr>
387
              </table>
388
	  </div>
389
	 </td>
390
	</tr>
391
</table>
392
</form>
393
<script language="JavaScript">
394
<!--
395
methodsel_change();
396
//-->
397
</script>
398
<?php include("fend.inc"); ?>
399
</body>
400
</html>
(155-155/173)