<?php
/* $Id$ */
/*
	diag_ipsec.php
	Copyright (C) 2004-2009 Scott Ullrich
	Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>.
	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
	All rights reserved.

	Parts of this code were originally based on vpn_ipsec_sad.php
	Copyright (C) 2003-2004 Manuel Kasper

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

/*
	pfSense_MODULE: ipsec
*/

##|+PRIV
##|*IDENT=page-status-ipsec
##|*NAME=Status: IPsec page
##|*DESCR=Allow access to the 'Status: IPsec' page.
##|*MATCH=diag_ipsec.php*
##|-PRIV

/* NOTE(review): at file scope `global` is a no-op, and $g is not referenced
 * anywhere else in this file; kept for parity with the other GUI pages. */
global $g;

/* Breadcrumb/title consumed by head.inc, so it must be set before the include. */
$pgtitle = array(gettext("Status"),gettext("IPsec"));
$shortcut_section = "ipsec";

/* Order matters: guiconfig.inc is the GUI bootstrap (presumably auth/config
 * setup — not visible here), head.inc emits the page header using $pgtitle,
 * and ipsec.inc provides the ipsec_*() helpers used below. Note that output
 * has already started by the time the ?act= handler below runs. */
require("guiconfig.inc");
include("head.inc");
require("ipsec.inc");

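/*
 * Connection-control actions, driven by the ?act=… query string:
 *
 *   act=connect&ikeid=N
 *       bring phase1 N down and back up; for IKEv1 that means each of its
 *       per-phase2 connections "conN00i", for IKEv2 the single "conN"
 *   act=ikedisconnect&ikeid=N[&ikesaid=M]
 *       tear down the whole connection "conN", or only IKE SA instance M
 *       of it ("conN[M]") when ikesaid is given
 *   act=childdisconnect&ikeid=N&ikesaid=M
 *       tear down child SA with reqid M of connection N ("conN{M}")
 *
 * Input handling: ikeid and ikesaid are only used when ctype_digit() passes,
 * so the only characters that can ever reach the shell are ASCII digits. As a
 * second layer the *complete* connection name is wrapped in escapeshellarg();
 * the original quoted only the numeric part and left the literal "[…]" /
 * "{…}" outside the quotes, where the shell treats them as glob / brace
 * syntax. An ikesaid of "0" is treated as absent (empty()), as before.
 *
 * NOTE(review): these actions change daemon state but are triggered by plain
 * GET links, and nothing in this file checks a CSRF token. If the GUI's CSRF
 * protection (presumably in guiconfig.inc) only covers POST forms, any page an
 * authenticated admin visits can force a disconnect by embedding
 * <img src="diag_ipsec.php?act=ikedisconnect&ikeid=…">. Moving the buttons to
 * a POST form carrying the GUI's CSRF token is the proper fix; it touches the
 * markup below as well and is left as a follow-up.
 */
$act = isset($_GET['act']) ? $_GET['act'] : '';
$act_ikeid = isset($_GET['ikeid']) ? $_GET['ikeid'] : '';
$act_ikesaid = isset($_GET['ikesaid']) ? $_GET['ikesaid'] : '';

/* Every action needs a purely numeric ikeid; anything else is ignored. */
if ($act != '' && ctype_digit($act_ikeid)) {
	$has_said = (!empty($act_ikesaid) && ctype_digit($act_ikesaid));

	if ($act == 'connect') {
		$ph1ent = ipsec_get_phase1($act_ikeid);
		if (!empty($ph1ent)) {
			if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') {
				/* IKEv1: one daemon connection per phase2 entry, named conN00i. */
				$ph2entries = ipsec_get_number_of_phase2($act_ikeid);
				for ($i = 0; $i < $ph2entries; $i++) {
					$connid = escapeshellarg("con{$act_ikeid}00{$i}");
					mwexec("/usr/local/sbin/ipsec down {$connid}");
					mwexec("/usr/local/sbin/ipsec up {$connid}");
				}
			} else {
				/* IKEv2: a single connection named conN. */
				$connid = escapeshellarg("con{$act_ikeid}");
				mwexec("/usr/local/sbin/ipsec down {$connid}");
				mwexec("/usr/local/sbin/ipsec up {$connid}");
			}
		}
	} else if ($act == 'ikedisconnect') {
		/* With ikesaid only that IKE SA instance goes down; without it, the
		 * whole connection. */
		if ($has_said)
			$connid = escapeshellarg("con{$act_ikeid}[{$act_ikesaid}]");
		else
			$connid = escapeshellarg("con{$act_ikeid}");
		mwexec("/usr/local/sbin/ipsec down {$connid}");
	} else if ($act == 'childdisconnect') {
		/* A child SA can only be addressed by its reqid; nothing to do without it. */
		if ($has_said) {
			$connid = escapeshellarg("con{$act_ikeid}{{$act_ikesaid}}");
			mwexec("/usr/local/sbin/ipsec down {$connid}");
		}
	}
}
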
/* Guarantee a phase1 list exists so the second table pass can iterate it even
 * on a box with no IPsec configured; $a_phase1 aliases the live config entry. */
if (!is_array($config['ipsec']['phase1'])) {
	$config['ipsec']['phase1'] = array();
}
$a_phase1 = &$config['ipsec']['phase1'];

/* Snapshot of the daemon's current IKE / child SA state (SMP interface);
 * everything in the first table pass is rendered from this array. */
$status = ipsec_smp_dump_status();

/* Tab strip: (label, is-active, target). Only Overview is active here.
 * Literal gettext() strings are kept so the .pot extraction still sees them. */
$tab_array = array(
	array(gettext("Overview"), true, "diag_ipsec.php"),
	array(gettext("Leases"), false, "diag_ipsec_leases.php"),
	array(gettext("SAD"), false, "diag_ipsec_sad.php"),
	array(gettext("SPD"), false, "diag_ipsec_spd.php"),
	array(gettext("Logs"), false, "diag_logs_ipsec.php"),
);
display_top_tabs($tab_array);
/* Overview table. It is filled in two passes further down: one row per live
 * IKE SA taken from $status, then one row per enabled phase1 config entry that
 * has no live SA (shown as "Disconnected" / "Awaiting connections"). */
?>

<div class="panel panel-default">
	<div class="panel-heading">IPSec status</div>
	<div class="panel-body table responsive">
		<table class="table table-striped table-hover table-condensed">
			<thead>
				<tr>
					<th><?=gettext("Description")?></th>
					<th><?=gettext("Local ID")?></th>
					<th><?=gettext("Local IP")?></th>
					<th><?=gettext("Remote ID")?></th>
					<th><?=gettext("Remote IP")?></th>
					<th><?=gettext("Role")?></th>
					<th><?=gettext("Reauth")?></th>
					<th><?=gettext("Algo")?></th>
					<th><?=gettext("Status")?></th>
					<th></th>
				</tr>
			</thead>
			<tbody>
<?php
/* Phase1 ids that have at least one live IKE SA; the second pass below skips
 * these so a connection is never listed twice. */
$ipsecconnected = array();

if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])):
	foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa):
		/* Daemon connection names are "con" followed by the id (see the ?act=
		 * handler, which builds them the same way); strip the 3-char prefix. */
		$con_id = substr($ikesa['peerconfig'], 3);
		
		if ($ikesa['version'] == 1) {
			/* IKEv1 names are con<ikeid>00<phase2 index>. Recover <ikeid> by
			 * cutting at the last "00"; the final character is excluded from
			 * the search so a single-digit index of 0 cannot form a spurious
			 * "00" with the separator. NOTE(review): this assumes the phase2
			 * index never contains "00" itself — confirm the index range. */
			$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
			$ipsecconnected[$ph1idx] = $ph1idx;
		} else {
			/* IKEv2 names are con<ikeid> directly. */
			$ipsecconnected[$con_id] = $ph1idx = $con_id;
		}

		/* Status classification; only "pass" is consulted below (it selects
		 * the disconnect buttons instead of the connect button). */
		if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id']))
			$icon = "pass";
		elseif (!isset($config['ipsec']['enable']))
			$icon = "block";
		else
			$icon = "reject";
?>
				<tr>
					<td>
						<?=htmlspecialchars(ipsec_get_descr($ph1idx))?>
					</td>
					<td>
<?php
			/* Local ID column. "%any" is the daemon's wildcard identity and is
			 * rendered as a translated label rather than verbatim. */
			if (!is_array($ikesa['local']))
				echo gettext("Unknown");
			else {
				if (!empty($ikesa['local']['identification'])) {
					if ($ikesa['local']['identification'] == '%any')
						print(gettext('Any identifier'));
					else
						print(htmlspecialchars($ikesa['local']['identification']));
				} else
					print(gettext("Unknown"));
			}
?>
					</td>
					<td>
<?php
			/* Local IP column: address and port; port 4500 marks NAT-T (UDP
			 * encapsulation). The NAT-T check intentionally runs even when the
			 * address is missing, so "Unknown NAT-T" is possible. */
			if (!is_array($ikesa['local']))
				print(gettext("Unknown"));
			else {
				if (!empty($ikesa['local']['address']))
					print(htmlspecialchars($ikesa['local']['address']) . '<br/>' .	gettext('Port: ') . htmlspecialchars($ikesa['local']['port']));
				else
					print(gettext("Unknown"));
				if ($ikesa['local']['port'] == '4500')
					print(" NAT-T");
			}
?>
					</td>	
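					<td>
<?php
			/* Remote ID column. If the peer presented an authenticated identity
			 * (presumably the EAP/XAuth user or certificate identity — confirm
			 * against the daemon's status output) it is shown first, with the
			 * IKE identification on a second line; otherwise only the
			 * identification, or "Unknown". "%any" is the daemon's wildcard. */
			if (!is_array($ikesa['remote']))
				print(gettext("Unknown"));
			else {
				$identity = "";
				if (!empty($ikesa['remote']['identification'])) {
					if ($ikesa['remote']['identification'] == '%any')
						/* translated, matching the Local ID column */
						$identity = gettext('Any identifier');
					else
						$identity = htmlspecialchars($ikesa['remote']['identification']);
				}

				if (is_array($ikesa['remote']['auth']) && !empty($ikesa['remote']['auth'][0]['identity'])) {
					print(htmlspecialchars($ikesa['remote']['auth'][0]['identity']));
					print('<br/>' . $identity);
				} else if (empty($identity)) {
					/* Was a call to the undefined function ettext(), which is a
					 * fatal error whenever a peer reports neither an auth
					 * identity nor an identification. */
					print(gettext("Unknown"));
				} else {
					print($identity);
				}
			}
?>
					</td>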
					<td>
<?php
			/* Remote IP column; same layout and NAT-T rule as the local column
			 * (port 4500 => " NAT-T", checked even if the address is missing).
			 * The four cells after this one need no logic: IKE version + role,
			 * reauth value, the IKE SA algorithms (enc / integrity / PRF / DH
			 * group) and the status with the daemon's "established" value. */
			if (!is_array($ikesa['remote']))
				print(gettext("Unknown"));
			else {
				if (!empty($ikesa['remote']['address']))
					print(htmlspecialchars($ikesa['remote']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['remote']['port']));
				else
					print(gettext("Unknown"));
				if ($ikesa['remote']['port'] == '4500')
					print(" NAT-T");
			}
?>
					</td>
					<td>
						IKEv<?=htmlspecialchars($ikesa['version'])?>
						<br/>
						<?=htmlspecialchars($ikesa['role'])?>
					</td>
					<td>
						<?=htmlspecialchars($ikesa['reauth']);?>
					</td>
					<td>
						<?=htmlspecialchars($ikesa['encalg'])?>
						<br/>
						<?=htmlspecialchars($ikesa['intalg'])?>
						<br/>
						<?=htmlspecialchars($ikesa['prfalg'])?>
						<br/>
						<?=htmlspecialchars($ikesa['dhgroup'])?>
					</td>
					<td>
<?php
			/* Only "established" gets the green highlight; every other state
			 * (connecting, rekeying, …) is rendered plain. */
			if($ikesa['status'] == 'established')
				print('<span style="color:green">');
			else
				print('<span>');
?>
						<?=ucfirst(htmlspecialchars($ikesa['status']))?>
						<br/><?=htmlspecialchars($ikesa['established'])?>
						</span>
					</td>
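					<td>
<?php
				/* Action cell. $con_id, $ph1idx and the SA id all originate in
				 * the daemon's status dump, not in the config, so they are
				 * escaped for the attribute context like every other value on
				 * this page before being placed in a URL.
				 *
				 * The connect link carries the phase1 id ($ph1idx): the ?act=
				 * handler resolves ikeid via ipsec_get_phase1() and, for IKEv1,
				 * rebuilds the con<ikeid>00<i> names itself. The original passed
				 * $con_id, which for IKEv1 still carries the 00<i> suffix and so
				 * would not name a phase1 entry. Disconnect keeps $con_id, which
				 * is exactly the daemon connection name minus "con". */
				$ph1idx_html = htmlspecialchars($ph1idx);
				$con_id_html = htmlspecialchars($con_id);
				$ikesa_id_html = htmlspecialchars($ikesa['id']);
				if ($icon != "pass"):
?>
						<a href="diag_ipsec.php?act=connect&amp;ikeid=<?=$ph1idx_html?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="<?=gettext('Connect VPN')?>">
							<?=gettext("Connect VPN")?>
						</a>
<?php
				else:
?>
						<a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?=$con_id_html?>" class="btn btn-xs btn-danger" data-toggle="tooltip" title="<?=gettext('Disconnect VPN')?>">
							<?=gettext("Disconnect")?>
						</a><br />
						<a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?=$con_id_html?>&amp;ikesaid=<?=$ikesa_id_html?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect VPN connection')?>">
							<?=gettext("Disconnect")?>
						</a>
<?php
				endif;
?>
					</td>
				</tr>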
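				<tr>
					<td colspan="10">
<?php
		    if (is_array($ikesa['childsalist'])):
			/* $ikeid is this SA's index in the status array. It is interpolated
			 * into element ids *and* into a single-quoted JS string inside an
			 * inline onclick, so escape with ENT_QUOTES; that is sufficient only
			 * because the value is an array index, not free text. */
			$ikeid_html = htmlspecialchars($ikeid, ENT_QUOTES);
?>
						<div id="btnchildsa-<?=$ikeid_html?>">
							<a type="button" onclick="show_childsa('childsa-<?=$ikeid_html?>','btnchildsa-<?=$ikeid_html?>');" class="btn btn-sm btn-default">
								<?=gettext('Show child SA entries')?>
							</a>
						</div>

						<table class="table table-hover table-condensed" id="childsa-<?=$ikeid_html?>" style="display:none">
							<thead>
								<tr class="info">
									<th><?=gettext("Local subnets")?></th>
									<th><?=gettext("Local SPI(s)")?></th>
									<th><?=gettext("Remote subnets")?></th>
									<th><?=gettext("Times")?></th>
									<th><?=gettext("Algo")?></th>
									<th><?=gettext("Stats")?></th>
									<th><!-- Buttons --></th>
								</tr>
							</thead>
							<tbody>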
<?php
			/* One row per child (IPsec) SA under this IKE SA. */
			if (is_array($ikesa['childsalist']['childsa'])):
				foreach ($ikesa['childsalist']['childsa'] as $childsa):
?>
								<tr>
									<td>
<?php
				/* Local traffic selectors, one per line. ipsec_fixup_network()
				 * (ipsec.inc) presumably rewrites the daemon's representation
				 * for display — not visible here. */
				if (is_array($childsa['local']) &&
					is_array($childsa['local']['networks']) &&
					is_array($childsa['local']['networks']['network']))
					foreach ($childsa['local']['networks']['network'] as $lnets)
						print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />");
				else
					print(gettext("Unknown"));
?>
									</td>
									<td>
<?php
				/* SPIs as reported for each side; either may be absent. */
				if (is_array($childsa['local']))
					print(gettext("Local: ") . htmlspecialchars($childsa['local']['spi']));

				if (is_array($childsa['remote']))
					print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['remote']['spi']));
?>
									</td>
									<td>
<?php
				/* Remote traffic selectors, same layout as the local column. */
				if (is_array($childsa['remote']) &&
					is_array($childsa['remote']['networks']) &&
					is_array($childsa['remote']['networks']['network']))
					foreach ($childsa['remote']['networks']['network'] as $rnets)
						print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />');
				else
					print(gettext("Unknown"));
?>
									</td>
									<td>
<?php
				/* Timing values passed through as the daemon reports them
				 * (rekey, lifetime, install time; units are assumed to be
				 * seconds — confirm against the status dump). */
				print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey']));
				print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['lifetime']));
				print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['installtime']));

?>
									</td>
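									<td>
<?php
				/* Child SA algorithm cell: encryption and integrity always,
				 * then PRF and DH group only when the daemon reports them, an
				 * ESN marker when present, and finally the IPComp value. */
				print(htmlspecialchars($childsa['encalg']) . '<br/>');
				print(htmlspecialchars($childsa['intalg']) . '<br/>');

				if (!empty($childsa['prfalg']))
					print(htmlspecialchars($childsa['prfalg']) . '<br/>');

				if (!empty($childsa['dhgroup']))
					print(htmlspecialchars($childsa['dhgroup']) . '<br/>');

				/* The original `if (!empty($childsa['esn']))` had no body of its
				 * own, so it silently gated the IPComp line below: IPComp was only
				 * shown when ESN was in use. Give ESN its own line instead and
				 * print IPComp unconditionally, as the stats cell does for its
				 * values. NOTE(review): assumes 'esn' is a printable flag/string
				 * — confirm against the status dump. */
				if (!empty($childsa['esn']))
					print(gettext("ESN: ") . htmlspecialchars($childsa['esn']) . '<br/>');

				print(gettext("IPComp: ") . htmlspecialchars($childsa['ipcomp']));
?>
									</td>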
									<td>
<?php
				/* Traffic counters for this child SA, one "Label: value" per line.
				 * A list of (label, key) pairs rather than a map so two labels
				 * that happen to translate identically cannot collapse. */
				$counters = array(
					array(gettext("Bytes-In: "), 'bytesin'),
					array(gettext("Packets-In: "), 'packetsin'),
					array(gettext("Bytes-Out: "), 'bytesout'),
					array(gettext("Packets-Out: "), 'packetsout'),
				);
				foreach ($counters as $counter) {
					list($label, $key) = $counter;
					print($label . htmlspecialchars($childsa[$key]) . '<br/>');
				}
?>
									</td>
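									<td>
<?php
				/* Disconnect button for this child SA. The ?act= handler names
				 * it con<con_id>{reqid}; both values come from the daemon's
				 * status dump and are escaped for the attribute context here,
				 * as the rest of the page does. */
?>
										<a href="diag_ipsec.php?act=childdisconnect&amp;ikeid=<?=htmlspecialchars($con_id)?>&amp;ikesaid=<?=htmlspecialchars($childsa['reqid'])?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect Child SA')?>">
											<?=gettext("Disconnect")?>
										</a>
									</td>
								</tr>
<?php
				endforeach;
			endif;
?>
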
							</tbody>
						</table>
					</td>
				</tr>
<?php
		endif; /* is_array($ikesa['childsalist']) */

		/* $con_id is per-SA; clear it so a stale value cannot outlive this
		 * iteration (it is reassigned at the top of the loop anyway). */
		unset($con_id);
	endforeach;
endif; /* ikesalist present in $status */

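/* Second pass: configured phase1 entries with no live IKE SA. $rgmap collects
 * the remote gateway of every enabled entry and is handed to ipsec_find_id()
 * below when resolving peer IDs. Disabled entries are skipped entirely, and
 * entries already listed from the status dump are skipped via $ipsecconnected. */
$rgmap = array();
foreach ($a_phase1 as $ph1ent):
	if (isset($ph1ent['disabled']))
		continue;

	$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];

	/* Same truthiness test as before, but without an undefined-index notice
	 * for the common case of an ikeid that is not connected. */
	if (!empty($ipsecconnected[$ph1ent['ikeid']]))
		continue;
?>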
				<tr>
					<td>
<?php
	/* Row for a phase1 entry without a live SA: everything here comes from the
	 * config entry (via the ipsec.inc helpers), not from the daemon. */
	print(htmlspecialchars($ph1ent['descr']));
?>
					</td>
					<td>
<?php
	/* Local ID; only the id data is shown, the type is discarded. */
	list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
	if (empty($myid_data))
		print(gettext("Unknown"));
	else
		print(htmlspecialchars($myid_data));
?>
					</td>
					<td>
<?php
	/* Local IP as resolved from the configured interface/source. */
	$ph1src = ipsec_get_phase1_src($ph1ent);

	if (empty($ph1src))
		print(gettext("Unknown"));
	else
		print(htmlspecialchars($ph1src));
?>
					</td>
					<td>
<?php
	/* Peer ID; $rgmap (remote gateways of all enabled entries, built above)
	 * is passed so the helper can resolve it. */
	list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
	if (empty($peerid_data))
		print(gettext("Unknown"));
	else
		print(htmlspecialchars($peerid_data));
?>
					</td>
					<td>
<?php
	/* Remote IP. $ph1src is reused for the destination here — naming quirk
	 * kept from the original, it has no effect on the output. */
	$ph1src = ipsec_get_phase1_dst($ph1ent);
	if (empty($ph1src))
		print(gettext("Unknown"));
	else
		print(htmlspecialchars($ph1src));
?>
					</td>
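					<td>
					</td>
					<td>
					</td>
					<td>
					</td>
<?php
	/* Role / Reauth / Algo stay empty without a live SA. The remaining two
	 * columns are Status and the action button. A mobile (road-warrior) entry
	 * cannot be initiated from this side, so it shows "Awaiting connections"
	 * and no button; everything else gets a connect link carrying the config
	 * ikeid (escaped for the attribute context, for consistency with the rest
	 * of the page). */
	if (isset($ph1ent['mobile'])):
?>
					<td>
						<?=gettext("Awaiting connections")?>
					</td>
					<td>
					</td>
<?php
	else:
?>
					<td>
						<?=gettext("Disconnected")?>
					</td>
					<td>
						<a href="diag_ipsec.php?act=connect&amp;ikeid=<?=htmlspecialchars($ph1ent['ikeid'])?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="<?=gettext('Connect VPN')?>">
							<?=gettext("Connect VPN")?>
						</a>
					</td>
<?php
	endif;
	/* The original emitted a stray, malformed "<td>>" after the button cell,
	 * giving these rows eleven cells under a ten-column header; dropped. */
?>
				</tr>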
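<?php
endforeach;
/* Release the per-page working set. $a_phase1 is only a reference alias into
 * $config, so unsetting it detaches the alias without touching the config
 * (the original unset a never-defined $phase1 instead). */
unset($ipsecconnected, $a_phase1, $rgmap);
?>
			</tbody>
		</table>
	</div>
</div>
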
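<script type="text/javascript">
//<![CDATA[
/*
 * Reveal the child-SA table of one IKE SA and remove its "Show" button.
 *   id       - element id of the hidden child-SA table ("childsa-<n>")
 *   buttonid - element id of the div holding the show button ("btnchildsa-<n>")
 * Both lookups are guarded so a missing element cannot throw and leave the
 * page half-updated; the original also leaked "aodiv" as an implicit global.
 */
function show_childsa(id, buttonid) {
	var button = document.getElementById(buttonid);
	var table = document.getElementById(id);
	if (button) {
		button.innerHTML = '';
	}
	if (table) {
		table.style.display = "block";
	}
}
//]]>
</script>
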
<?php
/* The status dump is no longer needed once the table is rendered. */
unset($status);
print_info_box(gettext("You can configure IPsec ") . '<a href="vpn_ipsec.php">Here</a>');
include("foot.inc"); ?>