Project

General

Profile

Download (10.2 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
 * vpn_l2tp.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)
7
 * All rights reserved.
8
 *
9
 * Licensed under the Apache License, Version 2.0 (the "License");
10
 * you may not use this file except in compliance with the License.
11
 * You may obtain a copy of the License at
12
 *
13
 * http://www.apache.org/licenses/LICENSE-2.0
14
 *
15
 * Unless required by applicable law or agreed to in writing, software
16
 * distributed under the License is distributed on an "AS IS" BASIS,
17
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18
 * See the License for the specific language governing permissions and
19
 * limitations under the License.
20
 */
21

    
22
##|+PRIV
23
##|*IDENT=page-vpn-vpnl2tp
24
##|*NAME=VPN: L2TP
25
##|*DESCR=Allow access to the 'VPN: L2TP' page.
26
##|*MATCH=vpn_l2tp.php*
27
##|-PRIV
28

    
29
require_once("guiconfig.inc");
30
require_once("vpn.inc");
31

    
32
if (!is_array($config['l2tp']['radius'])) {
33
	$config['l2tp']['radius'] = array();
34
}
35
$l2tpcfg = &$config['l2tp'];
36

    
37
$pconfig['remoteip'] = $l2tpcfg['remoteip'];
38
$pconfig['localip'] = $l2tpcfg['localip'];
39
$pconfig['l2tp_subnet'] = $l2tpcfg['l2tp_subnet'];
40
$pconfig['mode'] = $l2tpcfg['mode'];
41
$pconfig['interface'] = $l2tpcfg['interface'];
42
$pconfig['l2tp_dns1'] = $l2tpcfg['dns1'];
43
$pconfig['l2tp_dns2'] = $l2tpcfg['dns2'];
44
$pconfig['radiusenable'] = isset($l2tpcfg['radius']['enable']);
45
$pconfig['radacct_enable'] = isset($l2tpcfg['radius']['accounting']);
46
$pconfig['radiusserver'] = $l2tpcfg['radius']['server'];
47
$pconfig['radiussecret'] = $l2tpcfg['radius']['secret'];
48
$pconfig['radiusissueips'] = isset($l2tpcfg['radius']['radiusissueips']);
49
$pconfig['n_l2tp_units'] = $l2tpcfg['n_l2tp_units'];
50
$pconfig['paporchap'] = $l2tpcfg['paporchap'];
51
$pconfig['secret'] = $l2tpcfg['secret'];
52

    
53
if ($_POST['save']) {
54

    
55
	unset($input_errors);
56
	$pconfig = $_POST;
57

    
58
	/* input validation */
59
	if ($_POST['mode'] == "server") {
60
		$reqdfields = explode(" ", "localip remoteip");
61
		$reqdfieldsn = array(gettext("Server address"), gettext("Remote start address"));
62

    
63
		if ($_POST['radiusenable']) {
64
			$reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
65
			$reqdfieldsn = array_merge($reqdfieldsn,
66
				array(gettext("RADIUS server address"), gettext("RADIUS shared secret")));
67
		}
68

    
69
		do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
70

    
71
		if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) {
72
			$input_errors[] = gettext("A valid server address must be specified.");
73
		}
74
		if (is_ipaddr_configured($_POST['localip'])) {
75
			$input_errors[] = gettext("'Server address' parameter should NOT be set to any IP address currently in use on this firewall.");
76
		}
77
		if (($_POST['l2tp_subnet'] && !is_ipaddr($_POST['remoteip']))) {
78
			$input_errors[] = gettext("A valid remote start address must be specified.");
79
		}
80
		if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) {
81
			$input_errors[] = gettext("A valid RADIUS server address must be specified.");
82
		}
83

    
84
		if ($_POST['secret'] != $_POST['secret_confirm']) {
85
			$input_errors[] = gettext("Secret and confirmation must match");
86
		}
87

    
88
		if ($_POST['radiussecret'] != $_POST['radiussecret_confirm']) {
89
			$input_errors[] = gettext("RADIUS secret and confirmation must match");
90
		}
91

    
92
		if (!is_numericint($_POST['n_l2tp_units']) || $_POST['n_l2tp_units'] > 255) {
93
			$input_errors[] = gettext("Number of L2TP users must be between 1 and 255");
94
		}
95

    
96
		if (!$input_errors) {
97
			$_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $_POST['l2tp_subnet']);
98
			if (is_inrange_v4($_POST['localip'], $_POST['remoteip'], ip_after($_POST['remoteip'], $_POST['n_l2tp_units'] - 1))) {
99
				$input_errors[] = gettext("The specified server address lies in the remote subnet.");
100
			}
101
			if ($_POST['localip'] == get_interface_ip("lan")) {
102
				$input_errors[] = gettext("The specified server address is equal to the LAN interface address.");
103
			}
104
		}
105

    
106
		if (!empty($_POST['l2tp_dns1']) && !is_ipaddrv4(trim($_POST['l2tp_dns1']))) {
107
			$input_errors[] = gettext("The field 'Primary L2TP DNS Server' must contain a valid IPv4 address.");
108
		}
109
		if (!empty($_POST['l2tp_dns2']) && !is_ipaddrv4(trim($_POST['l2tp_dns2']))) {
110
			$input_errors[] = gettext("The field 'Secondary L2TP DNS Server' must contain a valid IPv4 address.");
111
		}
112
		if (!empty($_POST['l2tp_dns2']) && empty($_POST['l2tp_dns1'])) {
113
			$input_errors[] = gettext("The Secondary L2TP DNS Server cannot be set when the Primary L2TP DNS Server is empty.");
114
		}
115

    
116
	}
117

    
118
	if (!$input_errors) {
119
		$l2tpcfg['remoteip'] = $_POST['remoteip'];
120
		$l2tpcfg['localip'] = $_POST['localip'];
121
		$l2tpcfg['l2tp_subnet'] = $_POST['l2tp_subnet'];
122
		$l2tpcfg['mode'] = $_POST['mode'];
123
		$l2tpcfg['interface'] = $_POST['interface'];
124
		$l2tpcfg['n_l2tp_units'] = $_POST['n_l2tp_units'];
125
		$l2tpcfg['radius']['server'] = $_POST['radiusserver'];
126
		if ($_POST['radiussecret'] != DMYPWD) {
127
			$l2tpcfg['radius']['secret'] = $_POST['radiussecret'];
128
		}
129

    
130
		if ($_POST['secret'] != DMYPWD) {
131
			$l2tpcfg['secret'] = $_POST['secret'];
132
		}
133

    
134
		$l2tpcfg['paporchap'] = $_POST['paporchap'];
135

    
136

    
137
		if ($_POST['l2tp_dns1'] == "") {
138
			if (isset($l2tpcfg['dns1'])) {
139
				unset($l2tpcfg['dns1']);
140
			}
141
		} else {
142
			$l2tpcfg['dns1'] = $_POST['l2tp_dns1'];
143
		}
144

    
145
		if ($_POST['l2tp_dns2'] == "") {
146
			if (isset($l2tpcfg['dns2'])) {
147
				unset($l2tpcfg['dns2']);
148
			}
149
		} else {
150
			$l2tpcfg['dns2'] = $_POST['l2tp_dns2'];
151
		}
152

    
153
		if ($_POST['radiusenable'] == "yes") {
154
			$l2tpcfg['radius']['enable'] = true;
155
		} else {
156
			unset($l2tpcfg['radius']['enable']);
157
		}
158

    
159
		if ($_POST['radacct_enable'] == "yes") {
160
			$l2tpcfg['radius']['accounting'] = true;
161
		} else {
162
			unset($l2tpcfg['radius']['accounting']);
163
		}
164

    
165
		if ($_POST['radiusissueips'] == "yes") {
166
			$l2tpcfg['radius']['radiusissueips'] = true;
167
		} else {
168
			unset($l2tpcfg['radius']['radiusissueips']);
169
		}
170

    
171
		write_config(gettext("L2TP VPN configuration changed."));
172

    
173
		$changes_applied = true;
174
		$retval = 0;
175
		$retval |= vpn_l2tp_configure();
176
	}
177
}
178

    
179
$pgtitle = array(gettext("VPN"), gettext("L2TP"), gettext("Configuration"));
180
$pglinks = array("", "@self", "@self");
181
$shortcut_section = "l2tps";
182
include("head.inc");
183

    
184
if ($input_errors) {
185
	print_input_errors($input_errors);
186
}
187

    
188
if ($changes_applied) {
189
	print_apply_result_box($retval);
190
}
191

    
192
$tab_array = array();
193
$tab_array[] = array(gettext("Configuration"), true, "vpn_l2tp.php");
194
$tab_array[] = array(gettext("Users"), false, "vpn_l2tp_users.php");
195
display_top_tabs($tab_array);
196

    
197
$form = new Form();
198

    
199
$section = new Form_Section("Enable L2TP");
200

    
201
$section->addInput(new Form_Checkbox(
202
	'mode',
203
	'Enable',
204
	'Enable L2TP server',
205
	($pconfig['mode'] == "server"),
206
	'server'
207
));
208

    
209
$form->add($section);
210

    
211
$iflist = array();
212
$interfaces = get_configured_interface_with_descr();
213
foreach ($interfaces as $iface => $ifacename) {
214
	$iflist[$iface] = $ifacename;
215
}
216

    
217
$section = new Form_Section("Configuration");
218
$section->addClass('toggle-l2tp-enable');
219

    
220
$section->addInput(new Form_Select(
221
	'interface',
222
	'*Interface',
223
	$pconfig['interface'],
224
	$iflist
225
));
226

    
227
$section->addInput(new Form_Input(
228
	'localip',
229
	'*Server address',
230
	'text',
231
	$pconfig['localip']
232
))->setHelp('Enter the IP address the L2TP server should give to clients for use as their "gateway". %1$s' .
233
			'Typically this is set to an unused IP just outside of the client range.%1$s%1$s' .
234
			'NOTE: This should NOT be set to any IP address currently in use on this firewall.', '<br />');
235

    
236
$section->addInput(new Form_IpAddress(
237
        'remoteip',
238
        '*Remote address range',
239
        $pconfig['remoteip']
240
))->addMask('l2tp_subnet', $pconfig['l2tp_subnet'])
241
  ->setHelp('Specify the starting address for the client IP address subnet.');
242

    
243
$section->addInput(new Form_Select(
244
	'n_l2tp_units',
245
	'*Number of L2TP users',
246
	$pconfig['n_l2tp_units'],
247
	array_combine(range(1, 255, 1), range(1, 255, 1))
248
));
249

    
250
$section->addPassword(new Form_Input(
251
	'secret',
252
	'Secret',
253
	'password',
254
	$pconfig['secret']
255
))->setHelp('Specify optional secret shared between peers. Required on some devices/setups.');
256

    
257
$section->addInput(new Form_Select(
258
	'paporchap',
259
	'*Authentication type',
260
	$pconfig['paporchap'],
261
	array(
262
		'chap' => 'CHAP',
263
		'chap-msv2' => 'MS-CHAPv2',
264
		'pap' => 'PAP'
265
		)
266
))->setHelp('Specifies the protocol to use for authentication.');
267

    
268
$section->addInput(new Form_Input(
269
	'l2tp_dns1',
270
	'Primary L2TP DNS server',
271
	'text',
272
	$pconfig['l2tp_dns1']
273
));
274

    
275
$section->addInput(new Form_Input(
276
	'l2tp_dns2',
277
	'Secondary L2TP DNS server',
278
	'text',
279
	$pconfig['l2tp_dns2']
280
));
281

    
282
$form->add($section);
283

    
284
$section = new Form_Section("RADIUS");
285
$section->addClass('toggle-l2tp-enable');
286

    
287
$section->addInput(new Form_Checkbox(
288
	'radiusenable',
289
	'Enable',
290
	'Use a RADIUS server for authentication',
291
	$pconfig['radiusenable']
292
))->setHelp('When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.');
293

    
294
$section->addInput(new Form_Checkbox(
295
	'radacct_enable',
296
	'Accounting',
297
	'Enable RADIUS accounting',
298
	$pconfig['radacct_enable']
299
))->setHelp('Sends accounting packets to the RADIUS server.');
300

    
301
$section->addInput(new Form_IpAddress(
302
	'radiusserver',
303
	'*Server',
304
	$pconfig['radiusserver']
305
))->setHelp('Enter the IP address of the RADIUS server.');
306

    
307
$section->addPassword(new Form_Input(
308
	'radiussecret',
309
	'*Secret',
310
	'password',
311
	$pconfig['radiussecret']
312
))->setHelp('Enter the shared secret that will be used to authenticate to the RADIUS server.');
313

    
314
$section->addInput(new Form_Checkbox(
315
	'radiusissueips',
316
	'RADIUS issued IPs',
317
	'Issue IP Addresses via RADIUS server.',
318
	$pconfig['radiusissueips']
319
));
320

    
321
$form->add($section);
322

    
323
print($form);
324
?>
325
<div class="infoblock blockopen">
326
<?php
327
	print_info_box(gettext("Don't forget to add a firewall rule to permit traffic from L2TP clients."), 'info', false);
328
?>
329
</div>
330

    
331
<script type="text/javascript">
332
//<![CDATA[
333
events.push(function() {
334

    
335
	function setL2TP () {
336
		hide = ! $('#mode').prop('checked');
337

    
338
		hideClass('toggle-l2tp-enable', hide);
339
	}
340

    
341
	function setRADIUS () {
342
		hide = ! $('#radiusenable').prop('checked');
343

    
344
		hideCheckbox('radacct_enable', hide);
345
		hideInput('radiusserver', hide);
346
		hideInput('radiussecret', hide);
347
		hideCheckbox('radiusissueips', hide);
348
	}
349

    
350
	// on-click
351
	$('#mode').click(function () {
352
		setL2TP();
353
	});
354

    
355
	$('#radiusenable').click(function () {
356
		setRADIUS();
357
	});
358

    
359
	// on-page-load
360
	setRADIUS();
361
	setL2TP();
362

    
363
});
364
//]]>
365
</script>
366

    
367
<?php include("foot.inc")?>
(228-228/235)