<?php
/*
	vpn.inc
	part of pfSense (https://www.pfsense.org)
	Copyright (C) 2008 Shrew Soft Inc
	Copyright (c) 2004-2016 Electric Sheep Fencing, LLC.
	All rights reserved.
	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in
	   the documentation and/or other materials provided with the
	   distribution.
	3. All advertising materials mentioning features or use of this software
	   must display the following acknowledgment:
	   "This product includes software developed by the pfSense Project
	   for use in the pfSense® software distribution. (http://www.pfsense.org/).
	4. The names "pfSense" and "pfSense Project" must not be used to
	   endorse or promote products derived from this software without
	   prior written permission. For written permission, please contact
	   coreteam@pfsense.org.
	5. Products derived from this software may not be called "pfSense"
	   nor may "pfSense" appear in their names without prior written
	   permission of the Electric Sheep Fencing, LLC.
	6. Redistributions of any form whatsoever must retain the following
	   acknowledgment:
	"This product includes software developed by the pfSense Project
	for use in the pfSense software distribution (http://www.pfsense.org/).
	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* Shared pfSense includes. The functions below reference the global
 * $ipsec_log_cats / $ipsec_log_sevs tables and ipsec_*() helpers, and
 * filter_configure(); presumably these come from ipsec.inc and filter.inc
 * respectively — verify against those files. */
require_once("ipsec.inc");
require_once("filter.inc");
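/*
 * Change the log level of one strongSwan log category on the running daemon.
 *
 * $category must be a key of the global $ipsec_log_cats table and $level,
 * after intval(), a key of $ipsec_log_sevs; any other combination is
 * ignored silently (no command is run, nothing is returned).
 *
 * Only the validated forms reach the command line: the allow-listed
 * category name and the integer level. The original interpolated the raw
 * $level string even though only its intval() had been checked, so a
 * numeric-prefixed string with trailing characters passed validation but
 * was handed to the shell unchanged; the cast below closes that gap.
 */
function vpn_update_daemon_loglevel($category, $level) {
	global $ipsec_log_cats, $ipsec_log_sevs;

	/* tables not loaded: nothing sensible to validate against */
	if (!is_array($ipsec_log_cats) || !is_array($ipsec_log_sevs)) {
		return;
	}

	$lvl = intval($level);
	if (!in_array($category, array_keys($ipsec_log_cats), true) ||
	    !in_array($lvl, array_keys($ipsec_log_sevs), true)) {
		return;
	}

	/* a negative level (-1) must be separated from the options by "--"
	 * so stroke does not parse it as a flag */
	$argterm = ($lvl === -1) ? "--" : "";

	/* $category is allow-listed and $lvl is an int, so the command
	 * line contains no caller-controlled free text */
	mwexec("/usr/local/sbin/ipsec stroke loglevel {$category} {$argterm} {$lvl}");
}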
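/*
 * Build the per-category strongSwan log level lines for strongswan.conf.
 *
 * Walks every category in the global $ipsec_log_cats table and, when the
 * stored value in $config['ipsec']['logging'][$cat] is numeric and its
 * integer form is a key of $ipsec_log_sevs, adds "<cat> = <level>".
 * Categories that are unset, non-numeric or hold an unknown level are
 * skipped.
 *
 * Returns a list of strings, one per valid category (empty array when
 * nothing usable is configured).
 *
 * The emitted level is the validated integer rather than the raw config
 * string, so values such as "1.0" or " 1" that pass is_numeric() cannot
 * end up verbatim in the generated config file. The deprecated "${cat}"
 * interpolation form is replaced by "{$cat}".
 */
function vpn_logging_cfgtxt() {
	global $config, $ipsec_log_cats, $ipsec_log_sevs;

	$cfgtext = array();
	if (!is_array($ipsec_log_cats) || !is_array($ipsec_log_sevs)) {
		return $cfgtext;
	}

	$logcfg = (isset($config['ipsec']['logging']) && is_array($config['ipsec']['logging'])) ?
	    $config['ipsec']['logging'] : array();
	$valid_levels = array_keys($ipsec_log_sevs);

	foreach (array_keys($ipsec_log_cats) as $cat) {
		if (!isset($logcfg[$cat]) || !is_numeric($logcfg[$cat])) {
			continue;
		}
		$level = intval($logcfg[$cat]);
		if (in_array($level, $valid_levels, true)) {
			$cfgtext[] = "{$cat} = {$level}";
		}
	}

	return $cfgtext;
}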
/* include all configuration functions */
/*
 * Map an IKE Diffie-Hellman group number to its strongSwan keyword.
 *
 * $index is the group number as stored in the IPsec configuration (int or
 * numeric string; the match is loose, like the switch this replaces, so
 * both 14 and '14' yield "modp2048").  Returns "" for a group number the
 * table does not know.
 */
function vpn_ipsec_convert_to_modp($index) {
	/* group number => strongSwan algorithm name, checked in this order */
	$dh_groups = array(
		array('1',  "modp768"),
		array('2',  "modp1024"),
		array('5',  "modp1536"),
		array('14', "modp2048"),
		array('15', "modp3072"),
		array('16', "modp4096"),
		array('17', "modp6144"),
		array('18', "modp8192"),
		array('19', "ecp256"),
		array('20', "ecp384"),
		array('21', "ecp521"),
		array('22', "modp1024s160"),
		array('23', "modp2048s224"),
		array('24', "modp2048s256"),
		array('28', "ecp256bp"),
		array('29', "ecp384bp"),
		array('30', "ecp512bp"),
	);

	foreach ($dh_groups as $entry) {
		list($group, $name) = $entry;
		/* loose comparison on purpose: same semantics as "case '14':" */
		if ($index == $group) {
			return $name;
		}
	}

	return "";
}
function vpn_ipsec_configure($restart = false) {
153 34ba4e5d Chris Buechler
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling;
154 17da6c79 Scott Ullrich
155 82ea06cb Chris Buechler
	$ipsecstartlock = lock('ipsec', LOCK_EX);
156
157 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
158 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
159
	touch("{$g['vardb_path']}/ipsecpinghosts");
160 d315b341 Chris Buechler
	$ipsecpinghostsactive = false;
161 086cf944 Phil Davis
162 0545a75e Chris Buechler
	/* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */
163
	filter_configure();
164 c1f5a46b Scott Ullrich
165 8f67a8e1 Scott Ullrich
	$syscfg = $config['system'];
166 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
167 1a2de6d6 Luiz Otavio O Souza
	if (!ipsec_enabled()) {
168 6c576b27 Ermal
		/* try to stop charon */
169
		mwexec("/usr/local/sbin/ipsec stop");
170 52c9f9fa Ermal
		/* Stop dynamic monitoring */
171 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
172 98c02cac Ermal
173 6c576b27 Ermal
		/* wait for process to die */
174 8f67a8e1 Scott Ullrich
		sleep(2);
175
176 ce0dbd72 Matt Smith
		/* IPSEC is off, shutdown enc interface.*/
177 52c9f9fa Ermal
		mwexec("/sbin/ifconfig enc0 down");
178 2f1e0311 Seth Mos
179 82ea06cb Chris Buechler
		unlock($ipsecstartlock);
180 6a781df6 Ermal
		return 0;
181 7a683b46 Ermal LUÇI
	}
182 8f67a8e1 Scott Ullrich
183 d8cb5ff3 Ermal LUÇI
	$a_phase1 = $config['ipsec']['phase1'];
184
	$a_phase2 = $config['ipsec']['phase2'];
185
	$a_client = $config['ipsec']['client'];
186
187 7a683b46 Ermal LUÇI
	$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
188
	$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
189
	$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
190 14ec7c4b Chris Buechler
	$crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
191 7a683b46 Ermal LUÇI
192
	mwexec("/sbin/ifconfig enc0 up");
193 6c07db48 Phil Davis
	if (php_uname('m') != "amd64") {
194 05591613 Ermal LUÇI
		set_single_sysctl("net.inet.ipsec.directdispatch", "0");
195 6c07db48 Phil Davis
	}
196 05591613 Ermal LUÇI
197 7a683b46 Ermal LUÇI
	/* needed for config files */
198 79262830 Phil Davis
	if (!is_dir("{$g['varetc_path']}/ipsec")) {
199 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec");
200 79262830 Phil Davis
	}
201
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) {
202 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
203 79262830 Phil Davis
	}
204 96d5ca11 Chris Buechler
	// delete these paths first to ensure old CAs, certs and CRLs aren't left behind. redmine #5238
205
	rmdir_recursive($capath);
206
	rmdir_recursive($keypath);
207
	rmdir_recursive($crlpath);
208
	rmdir_recursive($certpath);
209 79262830 Phil Davis
	if (!is_dir($capath)) {
210 7a683b46 Ermal LUÇI
		mkdir($capath);
211 79262830 Phil Davis
	}
212
	if (!is_dir($keypath)) {
213 7a683b46 Ermal LUÇI
		mkdir($keypath);
214 79262830 Phil Davis
	}
215 14ec7c4b Chris Buechler
	if (!is_dir($crlpath)) {
216
		mkdir($crlpath);
217 79262830 Phil Davis
	}
218
	if (!is_dir($certpath)) {
219 7a683b46 Ermal LUÇI
		mkdir($certpath);
220 79262830 Phil Davis
	}
221
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) {
222 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
223 79262830 Phil Davis
	}
224
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) {
225 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
226 79262830 Phil Davis
	}
227
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) {
228 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
229 79262830 Phil Davis
	}
230
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) {
231 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
232 79262830 Phil Davis
	}
233
234 680e4db5 Renato Botelho
	if (!file_exists("/usr/local/etc/ipsec.d") ||
235 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/ipsec.d")) {
236
		conf_mount_rw();
237 680e4db5 Renato Botelho
		if (file_exists("/usr/local/etc/ipsec.d")) {
238
			rmdir_recursive("/usr/local/etc/ipsec.d");
239
		}
240 03c4effd Renato Botelho
		@symlink("{$g['varetc_path']}/ipsec/ipsec.d",
241
		    "/usr/local/etc/ipsec.d");
242
		conf_mount_ro();
243
	}
244 a095a1e5 Renato Botelho
	if (!file_exists("{$g['varetc_path']}/etc/strongswan.d") ||
245 65ed01c5 Renato Botelho
	    !is_link("{$g['varetc_path']}/etc/strongswan.d")) {
246 03c4effd Renato Botelho
		conf_mount_rw();
247 a095a1e5 Renato Botelho
		if (is_link("{$g['varetc_path']}/etc/strongswan.d")) {
248
			@unlink("{$g['varetc_path']}/etc/strongswan.d");
249
		} else {
250
			rmdir_recursive("{$g['varetc_path']}/etc/strongswan.d");
251
		}
252 65ed01c5 Renato Botelho
		@symlink("/usr/local/etc/strongswan.d",
253
		    "{$g['varetc_path']}/ipsec/strongswan.d");
254 03c4effd Renato Botelho
		conf_mount_ro();
255
	}
256 b0e51046 Renato Botelho
	if (!file_exists("/usr/local/etc/strongswan.conf") ||
257 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/strongswan.conf")) {
258
		conf_mount_rw();
259
		@unlink("/usr/local/etc/strongswan.conf");
260
		@symlink("{$g['varetc_path']}/ipsec/strongswan.conf",
261
		    "/usr/local/etc/strongswan.conf");
262
		conf_mount_ro();
263
	}
264 b0e51046 Renato Botelho
	if (!file_exists("/usr/local/etc/ipsec.conf") ||
265 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/ipsec.conf")) {
266
		conf_mount_rw();
267
		@unlink("/usr/local/etc/ipsec.conf");
268
		@symlink("{$g['varetc_path']}/ipsec/ipsec.conf",
269
		    "/usr/local/etc/ipsec.conf");
270
		conf_mount_ro();
271
	}
272 e3afacbb Chris Buechler
273 79262830 Phil Davis
	if (platform_booting()) {
274 7a683b46 Ermal LUÇI
		echo gettext("Configuring IPsec VPN... ");
275 79262830 Phil Davis
	}
276 496acde1 Ermal
277 7a683b46 Ermal LUÇI
	/* resolve all local, peer addresses and setup pings */
278
	$ipmap = array();
279
	$rgmap = array();
280
	$filterdns_list = array();
281
	$aggressive_mode_psk = false;
282
	unset($iflist);
283 778d2ea9 Ermal LUÇI
	$ifacesuse = array();
284 6684d594 Matt Smith
	$mobile_ipsec_auth = "";
285 7a683b46 Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
286 8f67a8e1 Scott Ullrich
287 7a683b46 Ermal LUÇI
		$ipsecpinghosts = "";
288
		/* step through each phase1 entry */
289
		foreach ($a_phase1 as $ph1ent) {
290 79262830 Phil Davis
			if (isset($ph1ent['disabled'])) {
291 7a683b46 Ermal LUÇI
				continue;
292 79262830 Phil Davis
			}
293 8f67a8e1 Scott Ullrich
294 2a5960b0 Luiz Otavio O Souza
			if (substr($ph1ent['interface'], 0, 4) == "_vip") {
295
				$vpninterface = get_configured_vip_interface($ph1ent['interface']);
296
				$ifacesuse[] = get_real_interface($vpninterface);
297 79262830 Phil Davis
			} else {
298
				$vpninterface = get_failover_interface($ph1ent['interface']);
299 2a5960b0 Luiz Otavio O Souza
				if (substr($vpninterface, 0, 4) == "_vip") {
300
					$vpninterface = get_configured_vip_interface($vpninterface);
301
					$ifacesuse[] = get_real_interface($vpninterface);
302 79262830 Phil Davis
				} elseif (!empty($vpninterface)) {
303 121cde47 Ermal LUÇI
					$ifacesuse[] = $vpninterface;
304 79262830 Phil Davis
				}
305 121cde47 Ermal LUÇI
			}
306 79262830 Phil Davis
307
			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) {
308 7a683b46 Ermal LUÇI
				$aggressive_mode_psk = true;
309 79262830 Phil Davis
			}
310 3462a529 Matthew Grooms
311 7a683b46 Ermal LUÇI
			$ikeid = $ph1ent['ikeid'];
312 979cd6db Scott Ullrich
313 7a683b46 Ermal LUÇI
			$ep = ipsec_get_phase1_src($ph1ent);
314 79262830 Phil Davis
			if (!is_ipaddr($ep)) {
315 51a14c58 Phil Davis
				log_error(sprintf(gettext("IPsec ERROR: Could not find phase 1 source for connection %s. Omitting from configuration file."), $ph1ent['descr']));
316 7a683b46 Ermal LUÇI
				continue;
317 79262830 Phil Davis
			}
318 7a683b46 Ermal LUÇI
319 086cf944 Phil Davis
			if (!in_array($ep, $ipmap)) {
320 7a683b46 Ermal LUÇI
				$ipmap[] = $ep;
321 79262830 Phil Davis
			}
322 7a683b46 Ermal LUÇI
323
			/* see if this tunnel has a hostname for the remote-gateway. If so,
324
			   try to resolve it now and add it to the list for filterdns */
325
326 79262830 Phil Davis
			if (isset ($ph1ent['mobile'])) {
327 6684d594 Matt Smith
				$mobile_ipsec_auth = $ph1ent['authentication_method'];
328 7a683b46 Ermal LUÇI
				continue;
329 79262830 Phil Davis
			}
330 7a683b46 Ermal LUÇI
331
			$rg = $ph1ent['remote-gateway'];
332
333
			if (!is_ipaddr($rg)) {
334
				$filterdns_list[] = "{$rg}";
335
				add_hostname_to_watch($rg);
336 79262830 Phil Davis
				if (!platform_booting()) {
337 7a683b46 Ermal LUÇI
					$rg = resolve_retry($rg);
338 79262830 Phil Davis
				}
339
				if (!is_ipaddr($rg)) {
340 829fa12e smos
					continue;
341 79262830 Phil Davis
				}
342 7a683b46 Ermal LUÇI
			}
343 79262830 Phil Davis
			if (array_search($rg, $rgmap)) {
344 51a14c58 Phil Davis
				log_error(sprintf(gettext("The remote gateway %s already exists on another phase 1 entry"), $rg));
345 7a683b46 Ermal LUÇI
				continue;
346
			}
347
			$rgmap[$ph1ent['remote-gateway']] = $rg;
348 8f67a8e1 Scott Ullrich
349 7a683b46 Ermal LUÇI
			if (is_array($a_phase2)) {
350
				/* step through each phase2 entry */
351
				foreach ($a_phase2 as $ph2ent) {
352 79262830 Phil Davis
					if (isset($ph2ent['disabled'])) {
353 7a683b46 Ermal LUÇI
						continue;
354 79262830 Phil Davis
					}
355 a11df336 jim-p
356 79262830 Phil Davis
					if ($ikeid != $ph2ent['ikeid']) {
357 7a683b46 Ermal LUÇI
						continue;
358 79262830 Phil Davis
					}
359 a11df336 jim-p
360 7a683b46 Ermal LUÇI
					/* add an ipsec pinghosts entry */
361
					if ($ph2ent['pinghost']) {
362 79262830 Phil Davis
						if (!is_array($iflist)) {
363 7a683b46 Ermal LUÇI
							$iflist = get_configured_interface_list();
364 79262830 Phil Davis
						}
365 7a683b46 Ermal LUÇI
						$srcip = null;
366
						$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
367 79262830 Phil Davis
						if (is_ipaddrv6($ph2ent['pinghost'])) {
368 7a683b46 Ermal LUÇI
							foreach ($iflist as $ifent => $ifname) {
369
								$interface_ip = get_interface_ipv6($ifent);
370 79262830 Phil Davis
								if (!is_ipaddrv6($interface_ip)) {
371 7a683b46 Ermal LUÇI
									continue;
372 79262830 Phil Davis
								}
373 7a683b46 Ermal LUÇI
								if (ip_in_subnet($interface_ip, $local_subnet)) {
374
									$srcip = $interface_ip;
375
									break;
376 fb17f629 Seth Mos
								}
377 a11df336 jim-p
							}
378 7a683b46 Ermal LUÇI
						} else {
379
							foreach ($iflist as $ifent => $ifname) {
380
								$interface_ip = get_interface_ip($ifent);
381 79262830 Phil Davis
								if (!is_ipaddrv4($interface_ip)) {
382 7a683b46 Ermal LUÇI
									continue;
383 79262830 Phil Davis
								}
384 7a683b46 Ermal LUÇI
								if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
385
									$srcip = $interface_ip;
386
									break;
387 dc63467f Matt Smith
								}
388
							}
389 7a683b46 Ermal LUÇI
						}
390
						/* if no valid src IP was found in configured interfaces, try the vips */
391
						if (is_null($srcip)) {
392 2a5960b0 Luiz Otavio O Souza
							$viplist = get_configured_vip_list();
393
							foreach ($viplist as $vip => $address) {
394
								if (ip_in_subnet($address, $local_subnet)) {
395
									$srcip = $address;
396 7a683b46 Ermal LUÇI
									break;
397
								}
398 741077bc Ermal Lu?i
							}
399 87e07f52 mgrooms
						}
400 7a683b46 Ermal LUÇI
						$dstip = $ph2ent['pinghost'];
401 79262830 Phil Davis
						if (is_ipaddrv6($dstip)) {
402 7a683b46 Ermal LUÇI
							$family = "inet6";
403
						} else {
404
							$family = "inet";
405
						}
406 79262830 Phil Davis
						if (is_ipaddr($srcip)) {
407 7a683b46 Ermal LUÇI
							$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
408 d315b341 Chris Buechler
							$ipsecpinghostsactive = true;
409 79262830 Phil Davis
						}
410 17da6c79 Scott Ullrich
					}
411 a93e56c5 Matthew Grooms
				}
412
			}
413
		}
414 7a683b46 Ermal LUÇI
		@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
415
		unset($ipsecpinghosts);
416
	}
417
	unset($iflist);
418 496acde1 Ermal
419 7a683b46 Ermal LUÇI
	$accept_unencrypted = "";
420 79262830 Phil Davis
	if (isset($config['ipsec']['acceptunencryptedmainmode'])) {
421 7a683b46 Ermal LUÇI
		$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
422 79262830 Phil Davis
	}
423 737b18f2 Ermal
424 420fce04 Ermal LUÇI
	$stronconf = '';
425 79262830 Phil Davis
	if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) {
426 420fce04 Ermal LUÇI
		$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
427 79262830 Phil Davis
	}
428 420fce04 Ermal LUÇI
429 7a683b46 Ermal LUÇI
	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
430
	if ($aggressive_mode_psk) {
431
		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
432 79262830 Phil Davis
		if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) {
433 420fce04 Ermal LUÇI
			$restart = true;
434 79262830 Phil Davis
		}
435 7a683b46 Ermal LUÇI
		$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
436 79262830 Phil Davis
	}
437 4a076e36 Ermal LUÇI
438 d9a17eaf Chris Buechler
	$unity_enabled = isset($config['ipsec']['unityplugin']) ? 'yes' : 'no';
439 4a076e36 Ermal LUÇI
440 0608bd3c Ermal LUÇI
	$makebeforebreak = '';
441
	if (isset($config['ipsec']['makebeforebreak'])) {
442
		$makebeforebreak = 'make_before_break = yes';
443
	}
444
445 24acc8f4 Chris Buechler
	if (isset($config['ipsec']['enableinterfacesuse'])) {
446
		if (!empty($ifacesuse)) {
447
			$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
448
		} else {
449
			$ifacesuse = '';
450
		}
451 79262830 Phil Davis
	} else {
452 778d2ea9 Ermal LUÇI
		$ifacesuse = '';
453 79262830 Phil Davis
	}
454 778d2ea9 Ermal LUÇI
455 1c4540dc Ermal LUÇI
	unset($stronconf);
456 420fce04 Ermal LUÇI
457 31630f47 Chris Buechler
	$strongswanlog = "";
458 c53e411f Matt Smith
	$ipsecloglevels = vpn_logging_cfgtxt();
459 31630f47 Chris Buechler
	if (is_array($ipsecloglevels)) {
460
		foreach ($ipsecloglevels as $loglevel) {
461 62fb5808 Renato Botelho
			$strongswanlog .= "\t\t\t" . $loglevel . "\n";
462 31630f47 Chris Buechler
		}
463
	}
464 7a683b46 Ermal LUÇI
	$strongswan = <<<EOD
465 496acde1 Ermal
466 79262830 Phil Davis
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
467 496acde1 Ermal
starter {
468 03c4effd Renato Botelho
	load_warning = no
469
	config_file = {$g['varetc_path']}/ipsec/ipsec.conf
470 496acde1 Ermal
}
471
472
charon {
473 7a683b46 Ermal LUÇI
# number of worker threads in charon
474 62fb5808 Renato Botelho
	threads = 16
475
	ikesa_table_size = 32
476
	ikesa_table_segments = 4
477
	init_limit_half_open = 1000
478
	install_routes = no
479 2a44b0eb Renato Botelho
	load_modular = yes
480 4225416f Chris Buechler
	ignore_acquire_ts = yes
481 62fb5808 Renato Botelho
	{$i_dont_care_about_security_and_use_aggressive_mode_psk}
482
	{$accept_unencrypted}
483
	cisco_unity = {$unity_enabled}
484
	{$ifacesuse}
485
	{$makebeforebreak}
486
487
	syslog {
488
		identifier = charon
489
		# log everything under daemon since it ends up in the same place regardless with our syslog.conf
490
		daemon {
491
			ike_name = yes
492 31630f47 Chris Buechler
{$strongswanlog}
493 62fb5808 Renato Botelho
		}
494
		# disable logging under auth so logs aren't duplicated
495
		auth {
496
			default = -1
497
		}
498 7335fa53 Ermal
	}
499 c6efc8fd Ermal
500 03c4effd Renato Botelho
	plugins {
501 2a44b0eb Renato Botelho
		# Load defaults
502
		include {$g['varetc_path']}/ipsec/strongswan.d/charon/*.conf
503
504 03c4effd Renato Botelho
		stroke {
505
			secrets_file = {$g['varetc_path']}/ipsec/ipsec.secrets
506
		}
507 496acde1 Ermal
508 2a44b0eb Renato Botelho
		unity {
509
			load = {$unity_enabled}
510
		}
511
512 03c4effd Renato Botelho
EOD;
513 7a683b46 Ermal LUÇI
514 6684d594 Matt Smith
	/* Find RADIUS servers designated for Mobile IPsec user auth */
515
	$radius_server_txt = "";
516
	$user_sources = explode(',', $config['ipsec']['client']['user_source']);
517
	foreach ($user_sources as $user_source) {
518
		$auth_server = auth_get_authserver($user_source);
519
		$nice_user_source = strtolower(preg_replace('/\s+/', '_', $user_source));
520
		if ($auth_server && $auth_server['type'] === 'radius') {
521
			$radius_server_txt .= <<<EOD
522
				{$nice_user_source} {
523
					address = {$auth_server['host']}
524 53e8d0a3 Jose Luis Duran
					secret = "{$auth_server['radius_secret']}"
525 6684d594 Matt Smith
					auth_port = {$auth_server['radius_auth_port']}
526
					acct_port = {$auth_server['radius_acct_port']}
527
				}
528
529
EOD;
530
		}
531
	}
532
533
	/* write an eap-radius config section if appropriate */
534
	if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
535
		$strongswan .= <<<EOD
536
		eap-radius {
537
			class_group = yes
538
			eap_start = no
539
			servers {
540
{$radius_server_txt}
541
			}
542
		}
543
544
EOD;
545
	}
546
547 7a683b46 Ermal LUÇI
	if (is_array($a_client) && isset($a_client['enable'])) {
548
		$strongswan .= "\t\tattr {\n";
549
550
		$cfgservers = array();
551 79262830 Phil Davis
		if (!empty($a_client['dns_server1'])) {
552 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server1'];
553 79262830 Phil Davis
		}
554
		if (!empty($a_client['dns_server2'])) {
555 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server2'];
556 79262830 Phil Davis
		}
557
		if (!empty($a_client['dns_server3'])) {
558 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server3'];
559 79262830 Phil Davis
		}
560
		if (!empty($a_client['dns_server4'])) {
561 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server4'];
562 79262830 Phil Davis
		}
563 7a683b46 Ermal LUÇI
564 79262830 Phil Davis
		if (!empty($cfgservers)) {
565 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
566 79262830 Phil Davis
		}
567 7a683b46 Ermal LUÇI
		unset($cfgservers);
568
		$cfgservers = array();
569 79262830 Phil Davis
		if (!empty($a_client['wins_server1'])) {
570 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['wins_server1'];
571 79262830 Phil Davis
		}
572
		if (!empty($a_client['wins_server2'])) {
573 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['wins_server2'];
574 79262830 Phil Davis
		}
575
		if (!empty($cfgservers)) {
576 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
577 79262830 Phil Davis
		}
578 7a683b46 Ermal LUÇI
		unset($cfgservers);
579
580 588d3cf6 Renato Botelho
		if (isset($a_client['net_list']) && is_array($a_phase2)) {
581 7a683b46 Ermal LUÇI
			$net_list = '';
582
			foreach ($a_phase2 as $ph2ent) {
583 79262830 Phil Davis
				if (isset($ph2ent['disabled'])) {
584 7a683b46 Ermal LUÇI
					continue;
585 79262830 Phil Davis
				}
586 496acde1 Ermal
587 79262830 Phil Davis
				if (!isset($ph2ent['mobile'])) {
588 7a683b46 Ermal LUÇI
					continue;
589 79262830 Phil Davis
				}
590 496acde1 Ermal
591 7a683b46 Ermal LUÇI
				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
592 496acde1 Ermal
593 79262830 Phil Davis
				if (!empty($net_list)) {
594 7a683b46 Ermal LUÇI
					$net_list .= ",";
595 79262830 Phil Davis
				}
596 7a683b46 Ermal LUÇI
				$net_list .= $localid;
597 496acde1 Ermal
			}
598
599 7a683b46 Ermal LUÇI
			if (!empty($net_list)) {
600 41f7b662 Matt Smith
				$strongswan .= "\t\t\tsubnet = {$net_list}\n";
601 7a683b46 Ermal LUÇI
				$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
602
				unset($net_list);
603 496acde1 Ermal
			}
604 7a683b46 Ermal LUÇI
		}
605 496acde1 Ermal
606 7a683b46 Ermal LUÇI
		if (!empty($a_client['dns_domain'])) {
607
			$strongswan .= "\t\t\t# Search domain and default domain\n";
608 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28674 = \"{$a_client['dns_domain']}\"\n";
609 e1c4a5ff Ermal LUÇI
			if (empty($a_client['dns_split'])) {
610 d17ad7f5 Ermal LUÇI
				$strongswan .= "\t\t\t28675 = \"{$a_client['dns_domain']}\"";
611 e1c4a5ff Ermal LUÇI
			}
612 7a683b46 Ermal LUÇI
			$strongswan .= "\n";
613
		}
614 496acde1 Ermal
615 7a683b46 Ermal LUÇI
		if (!empty($a_client['dns_split'])) {
616 883096d8 Ermal LUÇI
			$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
617 7a683b46 Ermal LUÇI
		}
618 496acde1 Ermal
619 79262830 Phil Davis
		if (!empty($a_client['login_banner'])) {
620 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n";
621 79262830 Phil Davis
		}
622 7a683b46 Ermal LUÇI
623 79262830 Phil Davis
		if (isset($a_client['save_passwd'])) {
624 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\t28673 = 1\n";
625 79262830 Phil Davis
		}
626 7a683b46 Ermal LUÇI
627 79262830 Phil Davis
		if ($a_client['pfs_group']) {
628 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n";
629 79262830 Phil Davis
		}
630 7a683b46 Ermal LUÇI
		$strongswan .= "\t\t}\n";
631
632
		if ($a_client['user_source'] != "none") {
633
			$strongswan .= "\t\txauth-generic {\n";
634
			$strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
635
			$strongswan .= "\t\t\tauthcfg = ";
636
			$firstsed = 0;
637
			$authcfgs = explode(",", $a_client['user_source']);
638
			foreach ($authcfgs as $authcfg) {
639 79262830 Phil Davis
				if ($firstsed > 0) {
640 7a683b46 Ermal LUÇI
					$strongswan .= ",";
641 79262830 Phil Davis
				}
642
				if ($authcfg == "system") {
643 7a683b46 Ermal LUÇI
					$authcfg = "Local Database";
644 79262830 Phil Davis
				}
645 7a683b46 Ermal LUÇI
				$strongswan .= $authcfg;
646
				$firstsed = 1;
647 91287d1f Ermal
			}
648 7a683b46 Ermal LUÇI
			$strongswan .= "\n";
649
			$strongswan .= "\t\t}\n";
650 496acde1 Ermal
		}
651 7a683b46 Ermal LUÇI
	}
652 496acde1 Ermal
653 de985aea Renato Botelho
	$strongswan .= "\n\t}\n}\n";
654 7a683b46 Ermal LUÇI
	@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
655
	unset($strongswan);
656 8f67a8e1 Scott Ullrich
657 14ec7c4b Chris Buechler
	/* write out CRL files */
658
	if (is_array($config['crl']) && count($config['crl'])) {
659
		foreach ($config['crl'] as $crl) {
660
			if (!isset($crl['text'])) {
661 905205a2 Chris Buechler
				log_error(sprintf(gettext("Warning: Missing CRL data for %s"), $crl['descr']));
662 14ec7c4b Chris Buechler
				continue;
663
			}
664
			$fpath = "{$crlpath}/{$crl['refid']}.crl";
665
			if (!@file_put_contents($fpath, base64_decode($crl['text']))) {
666
				log_error(sprintf(gettext("Error: Cannot write IPsec CRL file for %s"), $crl['descr']));
667
				continue;
668
			}
669
		}
670
	}
671 09628a07 Renato Botelho
672 7a683b46 Ermal LUÇI
	$pskconf = "";
673 037b51b3 Seth Mos
674 9d8f66b9 Matt Smith
	$vpncas = array();
675 7a683b46 Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
676
		foreach ($a_phase1 as $ph1ent) {
677 a93e56c5 Matthew Grooms
678 79262830 Phil Davis
			if (isset($ph1ent['disabled'])) {
679 7a683b46 Ermal LUÇI
				continue;
680 79262830 Phil Davis
			}
681 a93e56c5 Matthew Grooms
682 07d0d1b2 Ermal LUÇI
			if (strstr($ph1ent['authentication_method'], 'rsa') ||
683 cb377516 Ingo Bauersachs
			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
684 7a683b46 Ermal LUÇI
				$certline = '';
685 a93e56c5 Matthew Grooms
686 7a683b46 Ermal LUÇI
				$ikeid = $ph1ent['ikeid'];
687
				$cert = lookup_cert($ph1ent['certref']);
688 496acde1 Ermal
689 7a683b46 Ermal LUÇI
				if (!$cert) {
690
					log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
691
					continue;
692
				}
693 496acde1 Ermal
694 9d8f66b9 Matt Smith
				/* add signing CA cert chain of server cert
695
				 * to the list of CAs to write
696
				 */
697
				$cachain = ca_chain_array($cert);
698
				if ($cachain && is_array($cachain)) {
699
					foreach ($cachain as $cacrt) {
700
						$vpncas[$cacrt['refid']] = $cacrt;
701
					}
702
				}
703
704 7a683b46 Ermal LUÇI
				@chmod($certpath, 0600);
705 496acde1 Ermal
706 7a683b46 Ermal LUÇI
				$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
707
				if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
708
					log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
709
					continue;
710
				}
711
				@chmod($ph1keyfile, 0600);
712 496acde1 Ermal
713 7a683b46 Ermal LUÇI
				$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
714
				if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
715
					log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
716
					@unlink($ph1keyfile);
717
					continue;
718
				}
719
				@chmod($ph1certfile, 0600);
720 fa4e059e Ermal
721 7a683b46 Ermal LUÇI
				/* XXX" Traffic selectors? */
722
				$pskconf .= " : RSA {$ph1keyfile}\n";
			} else {
				list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
				$myid = trim($myid_data);
				if (empty($peerid_data)) {
					continue;
				}
				if ($myid_type == 'fqdn' && !empty($myid)) {
					$myid = "@{$myid}";
				}
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
				$peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : '';
				if ($peerid_type == 'fqdn' && !empty($peerid)) {
					$peerid = "@{$peerid}";
				}
				if (!empty($ph1ent['pre-shared-key'])) {
					$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
					if (isset($ph1ent['mobile'])) {
						$pskconf .= " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
					}
				}
			}
			/* if the client authenticates with a cert add the
			 * client cert CA chain to the list of CAs to write
			 */
			if (in_array($ph1ent['authentication_method'],
			array('rsasig', 'eap-tls', 'xauth_rsa_server'))) {
				if (!empty($ph1ent['caref']) && !array_key_exists($ph1ent['caref'], $vpncas)) {
					$thisca = lookup_ca($ph1ent['caref']);
					$vpncas[$ph1ent['caref']] = $thisca;
					/* follow chain up to root */
					$cachain = ca_chain_array($thisca);
					if ($cachain and is_array($cachain)) {
						foreach ($cachain as $cacrt) {
							$vpncas[$cacrt['refid']] = $cacrt;
						}
					}
				}
			}
		}
	}
	/* write the required CAs */
	foreach ($vpncas as $carefid => $cadata) {
		$cacrt = base64_decode($cadata['crt']);
		$cacrtattrs = openssl_x509_parse($cacrt);
		if (!is_array($cacrtattrs) || !isset($cacrtattrs['hash'])) {
			log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $cadata['descr']));
			continue;
		}
		$cafilename = "{$capath}/{$cacrtattrs['hash']}.0.crt";
		if (!@file_put_contents($cafilename, $cacrt)) {
				log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $cadata['descr']));
				continue;
		}
	}
	/* Add user PSKs */
	if (is_array($config['system']) && is_array($config['system']['user'])) {
		foreach ($config['system']['user'] as $user) {
			if (!empty($user['ipsecpsk'])) {
				$pskconf .= "{$myid} {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
			}
		}
		unset($user);
	}
	/* add PSKs for mobile clients */
	if (is_array($ipseccfg['mobilekey'])) {
		foreach ($ipseccfg['mobilekey'] as $key) {
			if ($key['ident'] == "allusers") {
				$key['ident'] = '%any';
			}
			if ($key['ident'] == "any") {
				$key['ident'] = '%any';
			}
			if (empty($key['type'])) {
				$key['type'] = 'PSK';
			}
			$pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
		}
		unset($key);
	}
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
	chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
	unset($pskconf);
	$uniqueids = 'yes';
	if (!empty($config['ipsec']['uniqueids'])) {
		if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling)) {
			$uniqueids = $config['ipsec']['uniqueids'];
		}
	}
	$natfilterrules = false;
	/* begin ipsec.conf */
	$ipsecconf = "";
	$enablecompression = false;
	if (is_array($a_phase1) && count($a_phase1)) {
		$ipsecconf .= "# This file is automatically generated. Do not edit\n";
		$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
		if (isset($config['ipsec']['strictcrlpolicy'])) {
			$ipsecconf .= "\tstrictcrlpolicy = yes \n";
		}
		if (!isset($config['ipsec']['noshuntlaninterfaces'])) {
			if ($config['interfaces']['lan']) {
				$lanip = get_interface_ip("lan");
				if (!empty($lanip) && is_ipaddrv4($lanip)) {
					$lansn = get_interface_subnet("lan");
					$lansa = gen_subnet($lanip, $lansn);
					$ipsecconf .= <<<EOD
conn bypasslan
	leftsubnet = {$lansa}/{$lansn}
	rightsubnet = {$lansa}/{$lansn}
	authby = never
	type = passthrough
	auto = route
EOD;
				}
			}
		}
		foreach ($a_phase1 as $ph1ent) {
			if (isset($ph1ent['disabled'])) {
				continue;
			}
			if ($ph1ent['mode'] == "aggressive") {
				$aggressive = "yes";
			} else {
				$aggressive = "no";
			}
			$ep = ipsec_get_phase1_src($ph1ent);
			if (!$ep) {
				continue;
			}
			$ikeid = $ph1ent['ikeid'];
			$keyexchange = "ikev1";
			$passive = "route";
			if (!empty($ph1ent['iketype'])) {
				if ($ph1ent['iketype'] == "ikev2") {
					$keyexchange = "ikev2";
				} elseif ($ph1ent['iketype'] == "auto") {
					$keyexchange = "ike";
				}
			}
			if (isset($ph1ent['mobile'])) {
				$right_spec = "%any";
				$passive = 'add';
			} else {
				if (isset($ph1ent['responderonly'])) {
					$passive = 'add';
				}
				$right_spec = $ph1ent['remote-gateway'];
				if (is_ipaddr($right_spec)) {
					$sourcehost = $right_spec;
				} else {
					$sourcehost = $rgmap['remote-gateway'];
				}
				if ($ph1ent['protocol'] == 'inet') {
					if (substr($ph1ent['interface'], 0, 4) == "_vip") {
						$vpninterface = get_configured_vip_interface($ph1ent['interface']);
						$ifacesuse = get_real_interface($vpninterface);
					} else {
						$ifacesuse = get_failover_interface($ph1ent['interface']);
						if (substr($ifacesuse, 0, 4) == "_vip") {
							$vpninterface = get_configured_vip_interface($ifacesuse);
							$ifacesuse = get_real_interface($vpninterface);
						} else {
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
						}
					}
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
						$gatewayip = get_interface_gateway($vpninterface);
						$interfaceip = get_interface_ip($vpninterface);
						$subnet_bits = get_interface_subnet($vpninterface);
						$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
						/* if the remote gateway is in the local subnet, then don't add a route */
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
							if (is_ipaddrv4($gatewayip)) {
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
								mwexec("/sbin/route change -host {$sourcehost} {$gatewayip}", true);
							}
						}
					}
				} else if ($ph1ent['protocol'] == 'inet6') {
					if (substr($ph1ent['interface'], 0, 4) == "_vip") {
						$vpninterface = get_configured_vip_interface($ph1ent['interface']);
						$ifacesuse = get_real_interface($vpninterface);
					} else {
						$ifacesuse = get_failover_interface($ph1ent['interface']);
						if (substr($ifacesuse, 0, 4) == "_vip") {
							$vpninterface = get_configured_vip_interface($ifacesuse);
							$ifacesuse = get_real_interface($vpninterface);
						} else {
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
						}
					}
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
						$gatewayip = get_interface_gateway_v6($vpninterface);
						$interfaceip = get_interface_ipv6($vpninterface);
						$subnet_bits = get_interface_subnetv6($vpninterface);
						$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
						/* if the remote gateway is in the local subnet, then don't add a route */
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
							if (is_ipaddrv6($gatewayip)) {
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
								mwexec("/sbin/route change -inet6 -host {$sourcehost} {$gatewayip}", true);
							}
						}
					}
				}
			}
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
			if ($myid_type != 'address' && $myid_type != 'keyid' && $myid_type != 'asn1dn') {
				$myid_data = "{$myid_type}:{$myid_data}";
			} elseif ($myid_type == "asn1dn" && !empty($myid_data)) {
				if ($myid_data[0] == '#') {
				/* asn1dn needs double quotes */
					$myid_data = "\"{$myid_type}:{$myid_data}\"";
				} else {
					$myid_data = "\"{$myid_data}\"";
				}
			}
			$leftid = '';
			if (!empty($myid_data)) {
				$leftid = "leftid = {$myid_data}";
			}
			$peerid_spec = '';
			if (isset($ph1ent['mobile']) && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) {
				// Only specify peer ID if we are not dealing with mobile PSK
			} else {
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
				if ($peerid_type == 'any') {
					$peerid_spec = '';
				} elseif ($peerid_type != 'address' && $peerid_type != 'keyid' && $peerid_type != 'asn1dn') {
					$peerid_spec = "{$peerid_type}:{$peerid_data}";
				} elseif ($peerid_type == "asn1dn") {
					/* asn1dn needs double quotes */
					if ($peerid_data[0] == '#') {
						$peerid_spec = "\"{$peerid_type}:{$peerid_data}\"";
					} elseif (!empty($peerid_data)) {
						$peerid_spec = "\"{$peerid_data}\"";
					}
				} else {
					$peerid_spec = $peerid_data;
				}
			}
			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
				$ealgosp1 = '';
				$ealg_id = $ph1ent['encryption-algorithm']['name'];
				$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
				if ($ealg_kl) {
					$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
				} else {
					$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
				}
				$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
				if (!empty($modp)) {
					$ealgosp1 .= "-{$modp}";
				}
				$ealgosp1 .= "!";
			}
			if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
				if ($passive == "route") {
					$dpdline = "dpdaction = restart";
				} else {
					$dpdline = "dpdaction = clear";
				}
				$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
				$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
				$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
			} else {
				$dpdline = "dpdaction = none";
			}
			$ikelifeline = '';
			if ($ph1ent['lifetime']) {
				$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
			}
			$rightsourceip = NULL;
			if (isset($ph1ent['mobile'])) {
				$rightsourceips = array();
				if (!empty($a_client['pool_address'])) {
					$rightsourceips[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
				}
				if (!empty($a_client['pool_address_v6'])) {
					$rightsourceips[] = "{$a_client['pool_address_v6']}/{$a_client['pool_netbits_v6']}";
				}
				if ($ph1ent['authentication_method'] == "eap-radius" && !count($rightsourceips)) {
					$rightsourceips[] = "%radius";
				}
				if (count($rightsourceips)) {
					$rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n";
				}
			}
			if (!empty($ph1ent['caref'])) {
				$ca = lookup_ca($ph1ent['caref']);
				if ($ca) {
					$casubarr = cert_get_subject_array($ca['crt']);
					$casub = "";
					foreach ($casubarr as $casubfield) {
						if (empty($casub)) {
							$casub = "/";
						}
						$casub .= "{$casubfield['a']}={$casubfield['v']}/";
					}
				}
			}
			$authentication = "";
			switch ($ph1ent['authentication_method']) {
				case 'eap-mschapv2':
					if (isset($ph1ent['mobile'])) {
						$authentication = "eap_identity=%any\n\t";
						$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
						if (!empty($ph1ent['certref'])) {
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
							$authentication .= "\n\tleftsendcert=always";
						}
					}
					break;
				case 'eap-tls':
					if (isset($ph1ent['mobile'])) {
						$authentication = "eap_identity=%identity\n\t";
						$authentication .= "leftauth=pubkey\n\trightauth=eap-tls";
						if (!empty($ph1ent['certref'])) {
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
							$authentication .= "\n\tleftsendcert=always";
						}
					} else {
						$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
						if (!empty($ph1ent['certref'])) {
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
							$authentication .= "\n\tleftsendcert=always";
						}
					}
					if (isset($casub)) {
						$authentication .= "\n\trightca=\"$casub\"";
					}
					break;
				case 'eap-radius':
					if (isset($ph1ent['mobile'])) {
						$authentication = "eap_identity=%identity\n\t";
						$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
						if (!empty($ph1ent['certref'])) {
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
							$authentication .= "\n\tleftsendcert=always";
						}
					} else {
						$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
						if (!empty($ph1ent['certref'])) {
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
							$authentication .= "\n\tleftsendcert=always";
						}
					}
					break;
				case 'xauth_rsa_server':
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
					$authentication .= "\n\trightauth2 = xauth-generic";
					if (!empty($ph1ent['certref'])) {
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
						$authentication .= "\n\tleftsendcert=always";
					}
					if (isset($casub)) {
						$authentication .= "\n\trightca=\"$casub\"";
					}
					break;
				case 'xauth_psk_server':
					$authentication = "leftauth = psk\n\trightauth = psk";
					$authentication .= "\n\trightauth2 = xauth-generic";
					break;
				case 'pre_shared_key':
					$authentication = "leftauth = psk\n\trightauth = psk";
					break;
				case 'rsasig':
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
					if (!empty($ph1ent['certref'])) {
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
						$authentication .= "\n\tleftsendcert=always";
					}
					if (isset($casub)) {
						$authentication .= "\n\trightca=\"$casub\"";
					}
					break;
				case 'hybrid_rsa_server':
					$authentication = "leftauth = pubkey\n\trightauth = xauth-generic";
					if (!empty($ph1ent['certref'])) {
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
						$authentication .= "\n\tleftsendcert=always";
					}
					break;
			}
			$left_spec = $ep;
			if (isset($ph1ent['reauth_enable'])) {
				$reauth = "reauth = no";
			} else {
				$reauth = "reauth = yes";
			}
			if (isset($ph1ent['rekey_enable'])) {
				$rekey = "rekey = no";
			} else {
				$rekey = "rekey = yes";
			}
			if ($ph1ent['nat_traversal'] == 'off') {
				$forceencaps = 'forceencaps = no';
			} else if ($ph1ent['nat_traversal'] == 'force') {
				$forceencaps = 'forceencaps = yes';
			} else {
				$forceencaps = 'forceencaps = no';
			}
			if ($ph1ent['mobike'] == 'on') {
				$mobike = 'mobike = yes';
			} else {
				$mobike = 'mobike = no';
			}
			if (isset($ph1ent['tfc_enable'])) {
				if (isset($ph1ent['tfc_bytes']) && is_numericint($ph1ent['tfc_bytes'])) {
					$tfc = "tfc = {$ph1ent['tfc_bytes']}";
				} else {
					$tfc = "tfc = %mtu";
				}
			}
			$ipseclifetime = 0;
			$rightsubnet_spec = array();
			$leftsubnet_spec = array();
			$reqids = array();
			$ealgoAHsp2arr = array();
			$ealgoESPsp2arr = array();
			if (is_array($a_phase2) && count($a_phase2)) {
				foreach ($a_phase2 as $ph2ent) {
					if ($ikeid != $ph2ent['ikeid']) {
						continue;
					}
					if (isset($ph2ent['disabled'])) {
						continue;
					}
					if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) {
						continue;
					}
					if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
						$tunneltype = "type = tunnel";
						$localid_type = $ph2ent['localid']['type'];
						$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
						/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
						if (($localid_type == "none" || $localid_type == "mobile") &&
						    isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) {
							$left_spec = '%any';
						} else {
							if ($localid_type != "address") {
								$localid_type = "subnet";
							}
							// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
							if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
								log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
								continue;
							}
							if (!empty($ph2ent['natlocalid'])) {
								$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
								if ($ph2ent['natlocalid']['type'] != "address") {
									if (is_subnet($natleftsubnet_data)) {
										$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
									}
								} else {
									if (is_ipaddr($natleftsubnet_data)) {
										$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
									}
								}
								$natfilterrules = true;
							}
						}
						$leftsubnet_spec[] = $leftsubnet_data;
						if (!isset($ph2ent['mobile'])) {
							$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
							$rightsubnet_spec[] = $tmpsubnet;
						} else if (!empty($a_client['pool_address'])) {
							$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
						}
					} else {
						$tunneltype = "type = transport";
						if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
						    ($ph1ent['authentication_method'] == "pre_shared_key")) &&
						    isset($ph1ent['mobile'])) {
							$left_spec = "%any";
						} else {
							$tmpsubnet = ipsec_get_phase1_src($ph1ent);
							$leftsubnet_spec[] = $tmpsubnet;
						}
						if (!isset($ph2ent['mobile'])) {
							$rightsubnet_spec[] = $right_spec;
						}
					}
					if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) {
						$ph2ent['pfsgroup'] = $a_client['pfs_group'];
					}
					if ($ph2ent['protocol'] == 'esp') {
						if (is_array($ph2ent['encryption-algorithm-option'])) {
							foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
								$ealg_id = $ealg['name'];
								$ealg_kl = $ealg['keylen'];
								if (!empty($ealg_kl) && $ealg_kl == "auto") {
									if (empty($p2_ealgos) || !is_array($p2_ealgos)) {
										require("ipsec.inc");
									}
									$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
									$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
									$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
									/* XXX: in some cases where include ordering is suspect these variables
									 * are somehow 0 and we enter this loop forever and timeout after 900
									 * seconds wrecking bootup */
									if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) {
										for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
											if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
												foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
													$halgo = str_replace('hmac_', '', $halgo);
													$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
													$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
													if (!empty($modp)) {
														$tmpealgo .= "-{$modp}";
													}
													$ealgoESPsp2arr[] = $tmpealgo;
												}
											} else {
												$tmpealgo = "{$ealg_id}{$keylen}";
												$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
												if (!empty($modp)) {
													$tmpealgo .= "-{$modp}";
												}
												$ealgoESPsp2arr[] = $tmpealgo;
											}
										}
									}
								} else {
									if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
										foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
											$halgo = str_replace('hmac_', '', $halgo);
											$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
											$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
											if (!empty($modp)) {
												$tmpealgo .= "-{$modp}";
											}
											$ealgoESPsp2arr[] = $tmpealgo;
										}
									} else {
										$tmpealgo = "{$ealg_id}{$ealg_kl}";
										$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
										if (!empty($modp)) {
											$tmpealgo .= "-{$modp}";
										}
										$ealgoESPsp2arr[] = $tmpealgo;
									}
								}
							}
						}
					} else if ($ph2ent['protocol'] == 'ah') {
						if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
							$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
							foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
								$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
								if (!empty($modp)) {
									$tmpAHalgo = "-{$modp}";
								}
								$ealgoAHsp2arr[] = $tmpAHalgo;
							}
						}
					}
					$reqids[] = $ph2ent['reqid'];
					if (!empty($ph2ent['lifetime'])) {
						if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
							$ipseclifetime = intval($ph2ent['lifetime']);
						}
					}
				}
			}
			$ipsecconnect =<<<EOD
	fragmentation = yes
	keyexchange = {$keyexchange}
	{$reauth}
	{$forceencaps}
	{$mobike}
	{$tfc}
	{$rekey}
	installpolicy = yes
	{$tunneltype}
	{$dpdline}
	auto = {$passive}
	left = {$left_spec}
	right = {$right_spec}
	{$leftid}
EOD;
			/* Disable ipcomp for now. redmine #6167
			if (isset($config['ipsec']['compression'])) {
				$ipsecconnect .= "\tcompress = yes\n";
				$enablecompression = true;
			} */
			if (!empty($ikelifeline)) {
				$ipsecconnect .= "\t{$ikelifeline}\n";
			}
			if ($ipseclifetime > 0) {
				$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
			}
			if (!empty($rightsourceip)) {
				$ipsecconnect .= "{$rightsourceip}";
			}
			if (!empty($ealgosp1)) {
				$ipsecconnect .= "\t{$ealgosp1}\n";
			}
			if (!empty($ealgoAHsp2arr)) {
				$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
			}
			if (!empty($ealgoESPsp2arr)) {
				$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
1390 79262830 Phil Davis
			}
1391
			if (!empty($authentication)) {
1392 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\t{$authentication}\n";
1393 79262830 Phil Davis
			}
1394
			if (!empty($peerid_spec)) {
1395 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\trightid = {$peerid_spec}\n";
1396 79262830 Phil Davis
			}
1397
			if ($keyexchange == 'ikev1') {
1398 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\taggressive = {$aggressive}\n";
1399 79262830 Phil Davis
			}
1400 d8cb5ff3 Ermal LUÇI
1401 9d51fcde Chris Buechler
			if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
1402 d8cb5ff3 Ermal LUÇI
				if (!empty($rightsubnet_spec)) {
1403
					$ipsecfin = '';
1404
					foreach ($rightsubnet_spec as $idx => $rsubnet) {
1405
						$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
1406 b27fdc8b Ermal LUÇI
						//if (!empty($reqids[$idx])) {
1407
						//	$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
1408 d55e91c1 Chris Buechler
						//}
1409 d8cb5ff3 Ermal LUÇI
						$ipsecfin .= $ipsecconnect;
1410
						$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
1411
						$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
1412
					}
1413 79262830 Phil Davis
				} else {
1414 51a14c58 Phil Davis
					log_error(sprintf(gettext("No phase2 specifications for tunnel with REQID = %s"), $ikeid));
1415 79262830 Phil Davis
				}
1416 d8cb5ff3 Ermal LUÇI
			} else {
1417
				$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
1418 b27fdc8b Ermal LUÇI
				//if (!empty($reqids[$idx])) {
1419
				//	$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
1420 d55e91c1 Chris Buechler
				//}
1421 d8cb5ff3 Ermal LUÇI
				$ipsecfin .= $ipsecconnect;
1422 bfcb1e4a Ermal LUÇI
				if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
1423 d8cb5ff3 Ermal LUÇI
					$tempsubnets = array();
1424 79262830 Phil Davis
					foreach ($rightsubnet_spec as $rightsubnet) {
1425 d8cb5ff3 Ermal LUÇI
						$tempsubnets[$rightsubnet] = $rightsubnet;
1426 79262830 Phil Davis
					}
1427 d8cb5ff3 Ermal LUÇI
					$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
1428
					unset($tempsubnets, $rightsubnet);
1429
				}
1430
				if (!empty($leftsubnet_spec)) {
1431
					$tempsubnets = array();
1432 79262830 Phil Davis
					foreach ($leftsubnet_spec as $leftsubnet) {
1433 d8cb5ff3 Ermal LUÇI
						$tempsubnets[$leftsubnet] = $leftsubnet;
1434 79262830 Phil Davis
					}
1435 edda5d0b Ermal LUÇI
					$ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
1436 d8cb5ff3 Ermal LUÇI
					unset($tempsubnets, $leftsubnet);
1437
				}
1438
			}
1439
			$ipsecconf .= $ipsecfin;
1440
			unset($ipsecfin);
1441 a93e56c5 Matthew Grooms
		}
1442 496acde1 Ermal
	}
1443 7a683b46 Ermal LUÇI
1444 496acde1 Ermal
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
1445
	unset($ipsecconf);
1446 6c576b27 Ermal
	/* end ipsec.conf */
1447 496acde1 Ermal
1448 79262830 Phil Davis
	if ($enablecompression === true) {
1449 40cc36d1 Ermal LUÇI
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
1450 79262830 Phil Davis
	} else {
1451 40cc36d1 Ermal LUÇI
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
1452 79262830 Phil Davis
	}
1453 40cc36d1 Ermal LUÇI
1454 79262830 Phil Davis
	/* manage process */
1455 420fce04 Ermal LUÇI
	if ($restart === true) {
1456 bc771514 Renato Botelho
		mwexec("/usr/local/sbin/ipsec restart", false);
1457 496acde1 Ermal
	} else {
1458 7370c469 Ermal LUÇI
		if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) {
1459 420fce04 Ermal LUÇI
			/* Update configuration changes */
1460 7370c469 Ermal LUÇI
			/* Read secrets */
1461 9edeadc5 Renato Botelho
			mwexec("/usr/local/sbin/ipsec rereadall", false);
1462 96072f52 Renato Botelho
			mwexec("/usr/local/sbin/ipsec reload", false);
1463 420fce04 Ermal LUÇI
		} else {
1464 bc771514 Renato Botelho
			mwexec("/usr/local/sbin/ipsec start", false);
1465 420fce04 Ermal LUÇI
		}
1466 496acde1 Ermal
	}
1467 9abaa8f7 Ermal
1468 d315b341 Chris Buechler
	// run ping_hosts.sh once if it's enabled to avoid wait for minicron
1469
	if ($ipsecpinghostsactive == true) {
1470
		mwexec_bg("/usr/local/bin/ping_hosts.sh");
1471
	}
1472
1473 79262830 Phil Davis
	if ($natfilterrules == true) {
1474 496acde1 Ermal
		filter_configure();
1475 79262830 Phil Davis
	}
1476 496acde1 Ermal
	/* start filterdns, if necessary */
1477
	if (count($filterdns_list) > 0) {
1478
		$interval = 60;
1479 79262830 Phil Davis
		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
1480 496acde1 Ermal
			$interval = $ipseccfg['dns-interval'];
1481 79262830 Phil Davis
		}
1482 496acde1 Ermal
1483
		$hostnames = "";
1484
		array_unique($filterdns_list);
1485 79262830 Phil Davis
		foreach ($filterdns_list as $hostname) {
1486 496acde1 Ermal
			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
1487 79262830 Phil Davis
		}
1488 496acde1 Ermal
		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
1489
		unset($hostnames);
1490
1491 79262830 Phil Davis
		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) {
1492 496acde1 Ermal
			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
1493 79262830 Phil Davis
		} else {
1494 496acde1 Ermal
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
1495 5b237745 Scott Ullrich
		}
1496 496acde1 Ermal
	} else {
1497
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
1498
		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
1499
	}
1500 09628a07 Renato Botelho
1501 79262830 Phil Davis
	if (platform_booting()) {
1502 496acde1 Ermal
		echo "done\n";
1503 79262830 Phil Davis
	}
1504 8f67a8e1 Scott Ullrich
1505 82ea06cb Chris Buechler
	unlock($ipsecstartlock);
1506 496acde1 Ermal
	return count($filterdns_list);
1507 5b237745 Scott Ullrich
}
/*
 * Reload IPsec after a dynamic interface change.
 *
 * $interface: optional pfSense interface name. When given, the reload is
 *             skipped (and logged) unless at least one non-disabled phase1
 *             entry is bound to that interface. When empty, the reload is
 *             unconditional.
 * Returns nothing; does nothing at all when IPsec is not enabled.
 *
 * NOTE(review): the body ends in a plain vpn_ipsec_configure() call, so the
 * "forceful restart" behaviour depends on that function's defaults, which are
 * outside this block — confirm before relying on a full daemon restart here.
 */
function vpn_ipsec_force_reload($interface = "") {
	global $g, $config;

	if (!ipsec_enabled()) {
		return;
	}

	$ipseccfg = $config['ipsec'];

	if (!empty($interface) && is_array($ipseccfg['phase1'])) {
		$has_tunnel = false;
		foreach ($ipseccfg['phase1'] as $ph1ent) {
			if (isset($ph1ent['disabled'])) {
				continue;
			}
			if ($ph1ent['interface'] == $interface) {
				$has_tunnel = true;
				break;
			}
		}
		if (!$has_tunnel) {
			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
			return;
		}
	}

	/* Either no interface filter was given or the interface carries a tunnel. */
	log_error(gettext("Forcefully reloading IPsec"));
	vpn_ipsec_configure();
}
/*
 * Master setup for the mpd-based VPN services.
 * Brings up the PPPoE server instances first, then the L2TP service;
 * both helpers read their own section of the global config.
 */
function vpn_setup() {
	/* PPPoE server instances */
	vpn_pppoes_configure();

	/* L2TP service */
	vpn_l2tp_configure();
}
/*
 * Attach netgraph(4) to every configured interface whose underlying NIC
 * type supports it (ether, vlan or bridge as reported by the interface
 * address lookup). Interfaces for which no information comes back are
 * skipped silently.
 */
function vpn_netgraph_support() {
	$ngtypes = array("ether", "vlan", "bridge");

	foreach (get_configured_interface_list() as $iface) {
		$realif = get_real_interface($iface);

		/* Get support for netgraph(4) from the nic */
		$ifinfo = pfSense_get_interface_addresses($realif);
		if (empty($ifinfo)) {
			continue;
		}
		if (in_array($ifinfo['iftype'], $ngtypes)) {
			pfSense_ngctl_attach(".", $realif);
		}
	}
}
/*
 * Configure every PPPoE server instance listed under
 * $config['pppoes']['pppoe']. A missing or non-array section is a no-op.
 */
function vpn_pppoes_configure() {
	global $config;

	if (!is_array($config['pppoes']['pppoe'])) {
		return;
	}

	foreach ($config['pppoes']['pppoe'] as $pppoecfg) {
		vpn_pppoe_configure($pppoecfg);
	}
}
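/*
 * Write the mpd configuration for one PPPoE server instance and (re)start
 * its mpd4 daemon.
 *
 * $pppoecfg: one entry of $config['pppoes']['pppoe'], taken by reference to
 *            keep the existing call signature. Only 'mode' == 'server'
 *            produces any files; other modes fall through the switch.
 * Returns 0 on success or when nothing had to be done, 1 when one of the
 * mpd files in the instance directory could not be opened for writing.
 *
 * Two of the files written here carry credentials: mpd.secret holds the
 * decoded user passwords and mpd.conf holds the RADIUS shared secret when
 * RADIUS is enabled. Both are restricted to 0600 right after they are
 * created and before anything is written into them, instead of after the
 * close, so there is no window in which the default umask leaves the
 * secrets readable. mpd already reads the 0600 mpd.secret from this
 * directory, so the same mode is safe for mpd.conf.
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];
	$pppoe_dir = "{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn";
	$pppoe_pidfile = "{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($pppoe_dir)) {
		mkdir($pppoe_dir);
	}

	if (platform_booting()) {
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring PPPoE Server service... ");
	} else {
		/* kill mpd and give the process time to die before its files are rewritten */
		killbypid($pppoe_pidfile);
		sleep(2);
	}

	switch ($pppoecfg['mode']) {

		case 'server':

			$pppoe_interface = get_real_interface($pppoecfg['interface']);

			if ($pppoecfg['paporchap'] == "chap") {
				$paporchap = "set link enable chap";
			} else {
				$paporchap = "set link enable pap";
			}

			/* write mpd.conf */
			$fd = fopen("{$pppoe_dir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret: lock it down before the first write */
			chmod("{$pppoe_dir}/mpd.conf", 0600);

			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			/* one "load" per unit, then one labelled section per unit below */
			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdconf .= "	load poes{$pppoecfg['pppoeid']}{$i}\n";
			}

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {

				$clientip = ip_after($pppoecfg['remoteip'], $i);

				/* with RADIUS-issued addresses the client range is left open (0.0.0.0/0) */
				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
	{$issue_ip_type}
	load pppoe_standard

EOD;
			}

			/* max-logins falls back to 1 unless the GUI gave a positive number */
			if (is_numeric($pppoecfg['n_pppoe_maxlogin']) && ($pppoecfg['n_pppoe_maxlogin'] > 0)) {
				$pppoemaxlogins = $pppoecfg['n_pppoe_maxlogin'];
			} else {
				$pppoemaxlogins = 1;
			}

			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins {$pppoemaxlogins}
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			/*
			 * DNS handed to clients, first match wins: explicit instance
			 * servers, then the firewall itself (LAN address plus the first
			 * system DNS server) when a local resolver is enabled, else the
			 * system DNS server list.
			 */
			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2'])) {
					$mpdconf .= " " . $pppoecfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pppoecfg['radius']['server']['enable'])) {
				$radiusport = "";
				$radiusacctport = "";
				if (isset($pppoecfg['radius']['server']['port'])) {
					$radiusport = $pppoecfg['radius']['server']['port'];
				}
				if (isset($pppoecfg['radius']['server']['acctport'])) {
					$radiusacctport = $pppoecfg['radius']['server']['acctport'];
				}
				/* the shared secret is written in clear here; hence the 0600 on mpd.conf above */
				$mpdconf .=<<<EOD
	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($pppoecfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
				if (isset($pppoecfg['radius']['nasip'])) {
					$mpdconf .= "\tset radius me {$pppoecfg['radius']['nasip']}\n";
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links (no credentials in this one, default mode is kept) */
			$fd = fopen("{$pppoe_dir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdlinks .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	set phys type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set pppoe disable originate
	set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			if ($pppoecfg['username']) {
				/* write mpd.secret */
				$fd = fopen("{$pppoe_dir}/mpd.secret", "w");
				if (!$fd) {
					printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
					return 1;
				}
				/* plaintext passwords follow: restrict the mode before the first write, not after the close */
				chmod("{$pppoe_dir}/mpd.secret", 0600);

				$mpdsecret = "\n\n";

				/* entries are "user:base64(password):ip" separated by spaces */
				$item = explode(" ", $pppoecfg['username']);
				foreach ($item as $userdata) {
					$data = explode(":", $userdata);
					/* NOTE(review): the decoded password is placed in a quoted field without escaping; a password containing a double quote would break the line — confirm what the GUI accepts */
					$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
				}

				fwrite($fd, $mpdsecret);
				fclose($fd);
				unset($mpdsecret);
			}

			/* Check if previous instance is still up */
			while (file_exists($pppoe_pidfile) && isvalidpid($pppoe_pidfile)) {
				killbypid($pppoe_pidfile);
			}

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);
			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$pppoe_dir} -p {$pppoe_pidfile} -s poes poes");

			break;
	}

	if (platform_booting()) {
		echo gettext("done") . "\n";
	}

	return 0;
}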
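/*
 * Write the mpd configuration for the L2TP server and (re)start its mpd4
 * daemon, driven by $config['l2tp'].
 *
 * Returns 0 on success or when nothing had to be done (mode off while
 * booting, or a mode other than 'server'), 1 when one of the mpd files in
 * the l2tp-vpn directory could not be opened for writing.
 *
 * All three files written here can carry credentials: mpd.conf holds the
 * RADIUS shared secret when RADIUS is enabled, mpd.links holds the L2TP
 * tunnel secret when one is set, and mpd.secret holds the user passwords.
 * Each is restricted to 0600 right after it is created and before the
 * first write, so the default umask never leaves the contents readable.
 * mpd already reads the 0600 mpd.secret from this directory, so the same
 * mode is safe for the other two.
 */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];
	$l2tp_dir = "{$g['varetc_path']}/l2tp-vpn";
	$l2tp_pidfile = "{$g['varrun_path']}/l2tp-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($l2tp_dir)) {
		mkdir($l2tp_dir);
	}

	if (platform_booting()) {
		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd and give the process time to die before its files are rewritten */
		killbypid($l2tp_pidfile);
		sleep(8);
	}

	/* make sure l2tp-vpn directory exists */
	if (!file_exists($l2tp_dir)) {
		mkdir($l2tp_dir);
	}

	switch ($l2tpcfg['mode']) {

		case 'server':
			/* bind the listener to the interface address only when it resolves to an IPv4 address */
			$l2tp_listen = "";
			$ipaddr = get_interface_ip(get_failover_interface($l2tpcfg['interface']));
			if (is_ipaddrv4($ipaddr)) {
				$l2tp_listen = "set l2tp self {$ipaddr}";
			}

			switch ($l2tpcfg['paporchap']) {
				case 'chap':
					$paporchap = "set link enable chap";
					break;
				case 'chap-msv2':
					$paporchap = "set link enable chap-msv2";
					break;
				default:
					$paporchap = "set link enable pap";
					break;
			}

			/* write mpd.conf */
			$fd = fopen("{$l2tp_dir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret: lock it down before the first write */
			chmod("{$l2tp_dir}/mpd.conf", 0600);

			$mpdconf = "\n\n";
			$mpdconf .=<<<EOD
l2tps:

EOD;

			/* one "load" per unit, then one labelled section per unit below */
			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdconf .= "	load l2tp{$i}\n";
			}

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {

				$clientip = ip_after($l2tpcfg['remoteip'], $i);

				/* with RADIUS-issued addresses the client range is left open (0.0.0.0/0) */
				if (isset($l2tpcfg['radius']['radiusissueips']) && isset($l2tpcfg['radius']['enable'])) {
					$issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
				} else {
					$issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$issue_ip_type}
	load l2tp_standard

EOD;
			}

			$mpdconf .=<<<EOD

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	{$paporchap}
	{$l2tp_listen}
	set link keep-alive 10 180

EOD;

			if (is_ipaddr($l2tpcfg['wins'])) {
				$mpdconf .= "	set ipcp nbns {$l2tpcfg['wins']}\n";
			}

			/*
			 * DNS handed to clients, first match wins: explicit L2TP
			 * servers, then the firewall itself (LAN address plus the first
			 * system DNS server) when a local resolver is enabled, else the
			 * system DNS server list.
			 */
			if (is_ipaddr($l2tpcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $l2tpcfg['dns1'];
				if (is_ipaddr($l2tpcfg['dns2'])) {
					$mpdconf .= " " . $l2tpcfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($l2tpcfg['radius']['enable'])) {
				/* the shared secret is written in clear here; hence the 0600 on mpd.conf above */
				$mpdconf .=<<<EOD
	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($l2tpcfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$l2tp_dir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* mpd.links may carry the L2TP tunnel secret: lock it down before the first write */
			chmod("{$l2tp_dir}/mpd.links", 0600);

			$mpdlinks = "";

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdlinks .=<<<EOD

l2tp{$i}:
	set link type l2tp
	set l2tp enable incoming
	set l2tp disable originate

EOD;
				if (!empty($l2tpcfg['secret'])) {
					/* NOTE(review): unlike the other commands this line is not tab-indented — confirm mpd parses it as part of the l2tp{$i} section */
					$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
				}
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$l2tp_dir}/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* plaintext passwords follow: restrict the mode before the first write, not after the close */
			chmod("{$l2tp_dir}/mpd.secret", 0600);

			$mpdsecret = "\n\n";

			if (is_array($l2tpcfg['user'])) {
				foreach ($l2tpcfg['user'] as $user) {
					/* NOTE(review): the password is placed in a quoted field without escaping; a password containing a double quote would break the line — confirm what the GUI accepts */
					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$l2tp_dir} -p {$l2tp_pidfile} -s l2tps l2tps");

			break;

		case 'redir':
			break;
	}

	if (platform_booting()) {
		echo "done\n";
	}

	return 0;
}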
?>