1
|
<?php
|
2
|
/* $Id$ */
|
3
|
/*
|
4
|
diag_ipsec.php
|
5
|
Copyright (C) 2004-2009 Scott Ullrich
|
6
|
Copyright (C) 2008 Shrew Soft Inc <mgrooms@shrew.net>.
|
7
|
Copyright (C) 2013-2015 Electric Sheep Fencing, LP
|
8
|
All rights reserved.
|
9
|
|
10
|
Parts of this code was originally based on vpn_ipsec_sad.php
|
11
|
Copyright (C) 2003-2004 Manuel Kasper
|
12
|
|
13
|
Redistribution and use in source and binary forms, with or without
|
14
|
modification, are permitted provided that the following conditions are met:
|
15
|
|
16
|
1. Redistributions of source code must retain the above copyright notice,
|
17
|
this list of conditions and the following disclaimer.
|
18
|
|
19
|
2. Redistributions in binary form must reproduce the above copyright
|
20
|
notice, this list of conditions and the following disclaimer in the
|
21
|
documentation and/or other materials provided with the distribution.
|
22
|
|
23
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
24
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
25
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
26
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
27
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
28
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
29
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
30
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
31
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
32
|
POSSIBILITY OF SUCH DAMAGE.
|
33
|
*/
|
34
|
|
35
|
/*
|
36
|
pfSense_MODULE: ipsec
|
37
|
*/
|
38
|
|
39
|
##|+PRIV
|
40
|
##|*IDENT=page-status-ipsec
|
41
|
##|*NAME=Status: IPsec page
|
42
|
##|*DESCR=Allow access to the 'Status: IPsec' page.
|
43
|
##|*MATCH=diag_ipsec.php*
|
44
|
##|-PRIV
|
45
|
|
46
|
|
47
|
global $g;
|
48
|
|
49
|
$pgtitle = array(gettext("Status"),gettext("IPsec"));
|
50
|
$shortcut_section = "ipsec";
|
51
|
|
52
|
require("guiconfig.inc");
|
53
|
include("head.inc");
|
54
|
require("ipsec.inc");
|
55
|
|
56
|
if ($_GET['act'] == 'connect') {
|
57
|
if (ctype_digit($_GET['ikeid'])) {
|
58
|
$ph1ent = ipsec_get_phase1($_GET['ikeid']);
|
59
|
if (!empty($ph1ent)) {
|
60
|
if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') {
|
61
|
$ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
|
62
|
for ($i = 0; $i < $ph2entries; $i++) {
|
63
|
$connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
|
64
|
mwexec("/usr/local/sbin/ipsec down {$connid}");
|
65
|
mwexec("/usr/local/sbin/ipsec up {$connid}");
|
66
|
}
|
67
|
} else {
|
68
|
mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
|
69
|
mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
|
70
|
}
|
71
|
}
|
72
|
}
|
73
|
} else if ($_GET['act'] == 'ikedisconnect') {
|
74
|
if (ctype_digit($_GET['ikeid'])) {
|
75
|
if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid']))
|
76
|
mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
|
77
|
else
|
78
|
mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
|
79
|
}
|
80
|
} else if ($_GET['act'] == 'childdisconnect') {
|
81
|
if (ctype_digit($_GET['ikeid'])) {
|
82
|
if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid']))
|
83
|
mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
|
84
|
}
|
85
|
}
|
86
|
|
87
|
if (!is_array($config['ipsec']['phase1']))
|
88
|
$config['ipsec']['phase1'] = array();
|
89
|
|
90
|
$a_phase1 = &$config['ipsec']['phase1'];
|
91
|
|
92
|
$status = ipsec_smp_dump_status();
|
93
|
|
94
|
$tab_array = array();
|
95
|
$tab_array[] = array(gettext("Overview"), true, "diag_ipsec.php");
|
96
|
$tab_array[] = array(gettext("Leases"), false, "diag_ipsec_leases.php");
|
97
|
$tab_array[] = array(gettext("SAD"), false, "diag_ipsec_sad.php");
|
98
|
$tab_array[] = array(gettext("SPD"), false, "diag_ipsec_spd.php");
|
99
|
$tab_array[] = array(gettext("Logs"), false, "diag_logs_ipsec.php");
|
100
|
display_top_tabs($tab_array);
|
101
|
?>
|
102
|
|
103
|
<div class="panel panel-default">
|
104
|
<div class="panel-heading">IPSec status</div>
|
105
|
<div class="panel-body table responsive">
|
106
|
<table class="table table-striped table-hover table-condensed">
|
107
|
<thead>
|
108
|
<tr>
|
109
|
<th><?=gettext("Description")?></th>
|
110
|
<th><?=gettext("Local ID")?></th>
|
111
|
<th><?=gettext("Local IP")?></th>
|
112
|
<th><?=gettext("Remote ID")?></th>
|
113
|
<th><?=gettext("Remote IP")?></th>
|
114
|
<th><?=gettext("Role")?></th>
|
115
|
<th><?=gettext("Reauth")?></th>
|
116
|
<th><?=gettext("Algo")?></th>
|
117
|
<th><?=gettext("Status")?></th>
|
118
|
<th></th>
|
119
|
</tr>
|
120
|
</thead>
|
121
|
<tbody>
|
122
|
<?php
|
123
|
$ipsecconnected = array();
|
124
|
|
125
|
if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])):
|
126
|
foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa):
|
127
|
$con_id = substr($ikesa['peerconfig'], 3);
|
128
|
|
129
|
if ($ikesa['version'] == 1) {
|
130
|
$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
|
131
|
$ipsecconnected[$ph1idx] = $ph1idx;
|
132
|
} else {
|
133
|
$ipsecconnected[$con_id] = $ph1idx = $con_id;
|
134
|
}
|
135
|
|
136
|
if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id']))
|
137
|
$icon = "pass";
|
138
|
elseif (!isset($config['ipsec']['enable']))
|
139
|
$icon = "block";
|
140
|
else
|
141
|
$icon = "reject";
|
142
|
?>
|
143
|
<tr>
|
144
|
<td>
|
145
|
<?=htmlspecialchars(ipsec_get_descr($ph1idx))?>
|
146
|
</td>
|
147
|
<td>
|
148
|
<?php
|
149
|
if (!is_array($ikesa['local']))
|
150
|
echo gettext("Unknown");
|
151
|
else {
|
152
|
if (!empty($ikesa['local']['identification'])) {
|
153
|
if ($ikesa['local']['identification'] == '%any')
|
154
|
print(gettext('Any identifier'));
|
155
|
else
|
156
|
print(htmlspecialchars($ikesa['local']['identification']));
|
157
|
} else
|
158
|
print(gettext("Unknown"));
|
159
|
}
|
160
|
?>
|
161
|
</td>
|
162
|
<td>
|
163
|
<?php
|
164
|
if (!is_array($ikesa['local']))
|
165
|
print(gettext("Unknown"));
|
166
|
else {
|
167
|
if (!empty($ikesa['local']['address']))
|
168
|
print(htmlspecialchars($ikesa['local']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['local']['port']));
|
169
|
else
|
170
|
print(gettext("Unknown"));
|
171
|
if ($ikesa['local']['port'] == '4500')
|
172
|
print(" NAT-T");
|
173
|
}
|
174
|
?>
|
175
|
</td>
|
176
|
<td>
|
177
|
<?php
|
178
|
if (!is_array($ikesa['remote']))
|
179
|
print(gettext("Unknown"));
|
180
|
else {
|
181
|
$identity = "";
|
182
|
if (!empty($ikesa['remote']['identification'])) {
|
183
|
if ($ikesa['remote']['identification'] == '%any')
|
184
|
$identity = 'Any identifier';
|
185
|
else
|
186
|
$identity = htmlspecialchars($ikesa['remote']['identification']);
|
187
|
}
|
188
|
|
189
|
if (is_array($ikesa['remote']['auth']) && !empty($ikesa['remote']['auth'][0]['identity'])) {
|
190
|
print(htmlspecialchars($ikesa['remote']['auth'][0]['identity']));
|
191
|
print('<br/>' . $identity);
|
192
|
} else {
|
193
|
if (empty($identity))
|
194
|
print(ettext("Unknown"));
|
195
|
else
|
196
|
print($identity);
|
197
|
}
|
198
|
}
|
199
|
?>
|
200
|
</td>
|
201
|
<td>
|
202
|
<?php
|
203
|
if (!is_array($ikesa['remote']))
|
204
|
print(gettext("Unknown"));
|
205
|
else {
|
206
|
if (!empty($ikesa['remote']['address']))
|
207
|
print(htmlspecialchars($ikesa['remote']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['remote']['port']));
|
208
|
else
|
209
|
print(gettext("Unknown"));
|
210
|
if ($ikesa['remote']['port'] == '4500')
|
211
|
print(" NAT-T");
|
212
|
}
|
213
|
?>
|
214
|
</td>
|
215
|
<td>
|
216
|
IKEv<?=htmlspecialchars($ikesa['version'])?>
|
217
|
<br/>
|
218
|
<?=htmlspecialchars($ikesa['role'])?>
|
219
|
</td>
|
220
|
<td>
|
221
|
<?=htmlspecialchars($ikesa['reauth']);?>
|
222
|
</td>
|
223
|
<td>
|
224
|
<?=htmlspecialchars($ikesa['encalg'])?>
|
225
|
<br/>
|
226
|
<?=htmlspecialchars($ikesa['intalg'])?>
|
227
|
<br/>
|
228
|
<?=htmlspecialchars($ikesa['prfalg'])?>
|
229
|
<br/>
|
230
|
<?=htmlspecialchars($ikesa['dhgroup'])?>
|
231
|
</td>
|
232
|
<td>
|
233
|
<?php
|
234
|
if($ikesa['status'] == 'established')
|
235
|
print('<span style="color:green">');
|
236
|
else
|
237
|
print('<span>');
|
238
|
?>
|
239
|
<?=ucfirst(htmlspecialchars($ikesa['status']))?>
|
240
|
<br/><?=htmlspecialchars($ikesa['established'])?>
|
241
|
</span>
|
242
|
</td>
|
243
|
<td >
|
244
|
<?php
|
245
|
if ($icon != "pass"):
|
246
|
?>
|
247
|
<a href="diag_ipsec.php?act=connect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="Connect VPN" >
|
248
|
<?=gettext("Connect VPN")?>
|
249
|
</a>
|
250
|
<?php
|
251
|
else:
|
252
|
?>
|
253
|
<a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-danger" data-toggle="tooltip" title="Disconnect VPN">
|
254
|
<?=gettext("Disconnect")?>
|
255
|
</a><br />
|
256
|
<a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$ikesa['id']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect VPN connection">
|
257
|
<?=gettext("Disconnect")?>
|
258
|
</a>
|
259
|
<?php
|
260
|
endif;
|
261
|
?>
|
262
|
</td>
|
263
|
</tr>
|
264
|
<tr>
|
265
|
<td colspan = 10>
|
266
|
<?php
|
267
|
if (is_array($ikesa['childsalist'])):
|
268
|
?>
|
269
|
<div id="btnchildsa-<?=$ikeid?>">
|
270
|
<a type="button" onclick="show_childsa('childsa-<?=$ikeid?>','btnchildsa-<?=$ikeid?>');" class="btn btn-sm btn-default" />
|
271
|
<?=gettext('Show child SA entries')?>
|
272
|
</a>
|
273
|
</div>
|
274
|
|
275
|
<table class="table table-hover table-condensed" id="childsa-<?=$ikeid?>" style="display:none">
|
276
|
<thead>
|
277
|
<tr class="info">
|
278
|
<th><?=gettext("Local subnets")?></th>
|
279
|
<th><?=gettext("Local SPI(s)")?></th>
|
280
|
<th><?=gettext("Remote subnets")?></th>
|
281
|
<th><?=gettext("Times")?></th>
|
282
|
<th><?=gettext("Algo")?></th>
|
283
|
<th><?=gettext("Stats")?></th>
|
284
|
<th><!-- Buttons --></th>
|
285
|
</tr>
|
286
|
</thead>
|
287
|
<tbody>
|
288
|
<?php
|
289
|
if (is_array($ikesa['childsalist']['childsa'])):
|
290
|
foreach ($ikesa['childsalist']['childsa'] as $childsa):
|
291
|
?>
|
292
|
<tr>
|
293
|
<td>
|
294
|
<?php
|
295
|
if (is_array($childsa['local']) &&
|
296
|
is_array($childsa['local']['networks']) &&
|
297
|
is_array($childsa['local']['networks']['network']))
|
298
|
foreach ($childsa['local']['networks']['network'] as $lnets)
|
299
|
print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />");
|
300
|
else
|
301
|
print(gettext("Unknown"));
|
302
|
?>
|
303
|
</td>
|
304
|
<td>
|
305
|
<?php
|
306
|
if (is_array($childsa['local']))
|
307
|
print(gettext("Local: ") . htmlspecialchars($childsa['local']['spi']));
|
308
|
|
309
|
if (is_array($childsa['remote']))
|
310
|
print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['remote']['spi']));
|
311
|
?>
|
312
|
</td>
|
313
|
<td>
|
314
|
<?php
|
315
|
if (is_array($childsa['remote']) &&
|
316
|
is_array($childsa['remote']['networks']) &&
|
317
|
is_array($childsa['remote']['networks']['network']))
|
318
|
foreach ($childsa['remote']['networks']['network'] as $rnets)
|
319
|
print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />');
|
320
|
else
|
321
|
print(gettext("Unknown"));
|
322
|
?>
|
323
|
</td>
|
324
|
<td>
|
325
|
<?php
|
326
|
print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey']));
|
327
|
print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['lifetime']));
|
328
|
print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['installtime']));
|
329
|
|
330
|
?>
|
331
|
</td>
|
332
|
<td>
|
333
|
<?php
|
334
|
print(htmlspecialchars($childsa['encalg']) . '<br/>');
|
335
|
print(htmlspecialchars($childsa['intalg']) . '<br/>');
|
336
|
|
337
|
if (!empty($childsa['prfalg']))
|
338
|
print(htmlspecialchars($childsa['prfalg']) . '<br/>');
|
339
|
|
340
|
if (!empty($childsa['dhgroup']))
|
341
|
print(htmlspecialchars($childsa['dhgroup']) . '<br/>');
|
342
|
|
343
|
if (!empty($childsa['esn']))
|
344
|
|
345
|
print(gettext("IPComp: ") . htmlspecialchars($childsa['ipcomp']));
|
346
|
?>
|
347
|
</td>
|
348
|
<td>
|
349
|
<?php
|
350
|
print(gettext("Bytes-In: ") . htmlspecialchars($childsa['bytesin']) . '<br/>');
|
351
|
print(gettext("Packets-In: ") . htmlspecialchars($childsa['packetsin']) . '<br/>');
|
352
|
print(gettext("Bytes-Out: ") . htmlspecialchars($childsa['bytesout']) . '<br/>');
|
353
|
print(gettext("Packets-Out: ") . htmlspecialchars($childsa['packetsout']) . '<br/>');
|
354
|
?>
|
355
|
</td>
|
356
|
<td>
|
357
|
<a href="diag_ipsec.php?act=childdisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$childsa['reqid']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect Child SA')?>">
|
358
|
<?=gettext("Disconnect")?>
|
359
|
</a>
|
360
|
</td>
|
361
|
</tr>
|
362
|
<?php
|
363
|
endforeach;
|
364
|
endif;
|
365
|
?>
|
366
|
|
367
|
</tbody>
|
368
|
</table>
|
369
|
</td>
|
370
|
</tr>
|
371
|
<?php
|
372
|
endif;
|
373
|
|
374
|
unset($con_id);
|
375
|
endforeach;
|
376
|
endif;
|
377
|
|
378
|
$rgmap = array();
|
379
|
foreach ($a_phase1 as $ph1ent):
|
380
|
if (isset($ph1ent['disabled']))
|
381
|
continue;
|
382
|
|
383
|
$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
|
384
|
|
385
|
if ($ipsecconnected[$ph1ent['ikeid']])
|
386
|
continue;
|
387
|
?>
|
388
|
<tr>
|
389
|
<td>
|
390
|
<?php
|
391
|
print(htmlspecialchars($ph1ent['descr']));
|
392
|
?>
|
393
|
</td>
|
394
|
<td>
|
395
|
<?php
|
396
|
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
|
397
|
if (empty($myid_data))
|
398
|
print(gettext("Unknown"));
|
399
|
else
|
400
|
print(htmlspecialchars($myid_data));
|
401
|
?>
|
402
|
</td>
|
403
|
<td>
|
404
|
<?php
|
405
|
$ph1src = ipsec_get_phase1_src($ph1ent);
|
406
|
|
407
|
if (empty($ph1src))
|
408
|
print(gettext("Unknown"));
|
409
|
else
|
410
|
print(htmlspecialchars($ph1src));
|
411
|
?>
|
412
|
</td>
|
413
|
<td>
|
414
|
<?php
|
415
|
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
|
416
|
if (empty($peerid_data))
|
417
|
print(gettext("Unknown"));
|
418
|
else
|
419
|
print(htmlspecialchars($peerid_data));
|
420
|
?>
|
421
|
</td>
|
422
|
<td>
|
423
|
<?php
|
424
|
$ph1src = ipsec_get_phase1_dst($ph1ent);
|
425
|
if (empty($ph1src))
|
426
|
print(gettext("Unknown"));
|
427
|
else
|
428
|
print(htmlspecialchars($ph1src));
|
429
|
?>
|
430
|
</td>
|
431
|
<td>
|
432
|
</td>
|
433
|
<td>
|
434
|
</td>
|
435
|
<td>
|
436
|
</td>
|
437
|
<?php
|
438
|
if (isset($ph1ent['mobile'])):
|
439
|
?>
|
440
|
<td>
|
441
|
<?=gettext("Awaiting connections")?>
|
442
|
</td>
|
443
|
<td>
|
444
|
</td>
|
445
|
<?php
|
446
|
else:
|
447
|
?>
|
448
|
<td>
|
449
|
<?=gettext("Disconnected")?>
|
450
|
</td>
|
451
|
<td >
|
452
|
<a href="diag_ipsec.php?act=connect&ikeid=<?=$ph1ent['ikeid']; ?>" class="btn btn-xs btn-success">
|
453
|
<?=gettext("Connect VPN")?>
|
454
|
</a>
|
455
|
</td>
|
456
|
<?php
|
457
|
endif;
|
458
|
?>
|
459
|
<td>>
|
460
|
</td>
|
461
|
</tr>
|
462
|
<?php
|
463
|
endforeach;
|
464
|
unset($ipsecconnected, $phase1, $rgmap);
|
465
|
?>
|
466
|
</tbody>
|
467
|
</table>
|
468
|
</div>
|
469
|
</div>
|
470
|
|
471
|
<script type="text/javascript">
|
472
|
//<![CDATA[
|
473
|
function show_childsa(id, buttonid) {
|
474
|
document.getElementById(buttonid).innerHTML='';
|
475
|
aodiv = document.getElementById(id);
|
476
|
aodiv.style.display = "block";
|
477
|
}
|
478
|
//]]>
|
479
|
</script>
|
480
|
|
481
|
<?php
|
482
|
unset($status);
|
483
|
print_info_box(gettext("You can configure IPsec ") . '<a href="vpn_ipsec.php">Here</a>');
|
484
|
include("foot.inc"); ?>
|