Revision 255075c9
Added by Chris Buechler almost 10 years ago
etc/inc/ipsec.inc | ||
---|---|---|
44 | 44 |
|
45 | 45 |
global $my_identifier_list; |
46 | 46 |
$my_identifier_list = array( |
47 |
'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
|
|
48 |
'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
|
|
49 |
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
|
|
50 |
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
|
|
51 |
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
|
|
52 |
'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ),
|
|
53 |
'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true ));
|
|
47 |
'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true),
|
|
48 |
'address' => array('desc' => gettext('IP address'), 'mobile' => true),
|
|
49 |
'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true),
|
|
50 |
'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true),
|
|
51 |
'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true),
|
|
52 |
'keyid tag' => array('desc' => gettext('KeyID tag'), 'mobile' => true),
|
|
53 |
'dyn_dns' => array('desc' => gettext('Dynamic DNS'), 'mobile' => true));
|
|
54 | 54 |
|
55 | 55 |
global $peer_identifier_list; |
56 | 56 |
$peer_identifier_list = array( |
57 |
'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ),
|
|
58 |
'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ),
|
|
59 |
'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
|
|
60 |
'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
|
|
61 |
'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
|
|
62 |
'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));
|
|
57 |
'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false),
|
|
58 |
'address' => array('desc' => gettext('IP address'), 'mobile' => false),
|
|
59 |
'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true),
|
|
60 |
'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true),
|
|
61 |
'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true),
|
|
62 |
'keyid tag' => array('desc' =>gettext('KeyID tag'), 'mobile' => true));
|
|
63 | 63 |
|
64 | 64 |
global $ipsec_idhandling; |
65 | 65 |
$ipsec_idhandling = array( |
... | ... | |
68 | 68 |
|
69 | 69 |
global $p1_ealgos; |
70 | 70 |
$p1_ealgos = array( |
71 |
'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), |
|
72 |
'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), |
|
73 |
'3des' => array( 'name' => '3DES' ), |
|
74 |
'cast128' => array( 'name' => 'CAST128' ), |
|
75 |
'des' => array( 'name' => 'DES' )); |
|
71 |
'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), |
|
72 |
'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), |
|
73 |
'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), |
|
74 |
'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), |
|
75 |
'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), |
|
76 |
'3des' => array('name' => '3DES'), |
|
77 |
'cast128' => array('name' => 'CAST128'), |
|
78 |
'des' => array('name' => 'DES')); |
|
76 | 79 |
|
77 | 80 |
global $p2_ealgos; |
78 | 81 |
$p2_ealgos = array( |
79 |
'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
|
|
80 |
'aes128gcm' => array( 'name' => 'AES128-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
|
|
81 |
'aes192gcm' => array( 'name' => 'AES192-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
|
|
82 |
'aes256gcm' => array( 'name' => 'AES256-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
|
|
83 |
'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
|
|
84 |
'3des' => array( 'name' => '3DES' ),
|
|
85 |
'cast128' => array( 'name' => 'CAST128' ),
|
|
86 |
'des' => array( 'name' => 'DES' ));
|
|
82 |
'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
|
|
83 |
'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
|
|
84 |
'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
|
|
85 |
'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
|
|
86 |
'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
|
|
87 |
'3des' => array('name' => '3DES'),
|
|
88 |
'cast128' => array('name' => 'CAST128'),
|
|
89 |
'des' => array('name' => 'DES'));
|
|
87 | 90 |
|
88 | 91 |
global $p1_halgos; |
89 | 92 |
$p1_halgos = array( |
... | ... | |
110 | 113 |
21 => '21 (nist ecp521)', |
111 | 114 |
22 => '22 (1024(sub 160) bit)', |
112 | 115 |
23 => '23 (2048(sub 224) bit)', |
113 |
24 => '24 (2048(sub 256) bit)' |
|
116 |
24 => '24 (2048(sub 256) bit)', |
|
117 |
28 => '28 (brainpool ecp256)', |
|
118 |
29 => '29 (brainpool ecp384)', |
|
119 |
30 => '30 (brainpool ecp512)' |
|
114 | 120 |
); |
115 | 121 |
|
116 | 122 |
global $p2_halgos; |
... | ... | |
125 | 131 |
|
126 | 132 |
global $p1_authentication_methods; |
127 | 133 |
$p1_authentication_methods = array( |
128 |
'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
|
|
129 |
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
|
|
130 |
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
|
|
131 |
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
|
|
132 |
'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true),
|
|
133 |
'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true),
|
|
134 |
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
|
|
135 |
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );
|
|
134 |
'hybrid_rsa_server' => array('name' => 'Hybrid RSA + Xauth', 'mobile' => true),
|
|
135 |
'xauth_rsa_server' => array('name' => 'Mutual RSA + Xauth', 'mobile' => true),
|
|
136 |
'xauth_psk_server' => array('name' => 'Mutual PSK + Xauth', 'mobile' => true),
|
|
137 |
'eap-tls' => array('name' => 'EAP-TLS', 'mobile' => true), |
|
138 |
'eap-radius' => array('name' => 'EAP-RADIUS', 'mobile' => true), |
|
139 |
'eap-mschapv2' => array('name' => 'EAP-MSChapv2', 'mobile' => true), |
|
140 |
'rsasig' => array('name' => 'Mutual RSA', 'mobile' => false),
|
|
141 |
'pre_shared_key' => array('name' => 'Mutual PSK', 'mobile' => false));
|
|
136 | 142 |
|
137 | 143 |
global $ipsec_preshared_key_type; |
138 | 144 |
$ipsec_preshared_key_type = array( |
... | ... | |
161 | 167 |
15 => '15 (3072 bit)', |
162 | 168 |
16 => '16 (4096 bit)', |
163 | 169 |
17 => '17 (6144 bit)', |
164 |
18 => '18 (8192 bit)' |
|
170 |
18 => '18 (8192 bit)', |
|
171 |
19 => '19 (nist ecp256)', |
|
172 |
20 => '20 (nist ecp384)', |
|
173 |
21 => '21 (nist ecp521)', |
|
174 |
28 => '28 (brainpool ecp256)', |
|
175 |
29 => '29 (brainpool ecp384)', |
|
176 |
30 => '30 (brainpool ecp512)' |
|
165 | 177 |
); |
166 | 178 |
|
167 | 179 |
/* |
... | ... | |
171 | 183 |
function ipsec_ikeid_used($ikeid) { |
172 | 184 |
global $config; |
173 | 185 |
|
174 |
foreach ($config['ipsec']['phase1'] as $ph1ent) |
|
175 |
if( $ikeid == $ph1ent['ikeid'] )
|
|
186 |
foreach ($config['ipsec']['phase1'] as $ph1ent) {
|
|
187 |
if ($ikeid == $ph1ent['ikeid']) {
|
|
176 | 188 |
return true; |
189 |
} |
|
190 |
} |
|
177 | 191 |
|
178 | 192 |
return false; |
179 | 193 |
} |
... | ... | |
181 | 195 |
function ipsec_ikeid_next() { |
182 | 196 |
|
183 | 197 |
$ikeid = 1; |
184 |
while(ipsec_ikeid_used($ikeid))
|
|
198 |
while (ipsec_ikeid_used($ikeid)) {
|
|
185 | 199 |
$ikeid++; |
200 |
} |
|
186 | 201 |
|
187 | 202 |
return $ikeid; |
188 | 203 |
} |
... | ... | |
205 | 220 |
$interfaceip = get_interface_ip($if); |
206 | 221 |
} |
207 | 222 |
} else { |
208 |
$interfaceip=$ph1ent['interface'];
|
|
223 |
$interfaceip = $ph1ent['interface'];
|
|
209 | 224 |
} |
210 | 225 |
} else { |
211 | 226 |
$if = "wan"; |
212 |
if ($ph1ent['protocol'] == "inet6") |
|
227 |
if ($ph1ent['protocol'] == "inet6") {
|
|
213 | 228 |
$interfaceip = get_interface_ipv6($if); |
214 |
else
|
|
229 |
} else {
|
|
215 | 230 |
$interfaceip = get_interface_ip($if); |
231 |
} |
|
216 | 232 |
} |
217 | 233 |
|
218 | 234 |
return $interfaceip; |
... | ... | |
224 | 240 |
function ipsec_get_phase1_dst(& $ph1ent) { |
225 | 241 |
global $g; |
226 | 242 |
|
227 |
if (empty($ph1ent['remote-gateway'])) |
|
243 |
if (empty($ph1ent['remote-gateway'])) {
|
|
228 | 244 |
return false; |
245 |
} |
|
229 | 246 |
$rg = $ph1ent['remote-gateway']; |
230 | 247 |
if (!is_ipaddr($rg)) { |
231 |
if(! platform_booting())
|
|
248 |
if (!platform_booting()) {
|
|
232 | 249 |
return resolve_retry($rg); |
250 |
} |
|
233 | 251 |
} |
234 |
if(!is_ipaddr($rg))
|
|
252 |
if (!is_ipaddr($rg)) {
|
|
235 | 253 |
return false; |
254 |
} |
|
236 | 255 |
|
237 | 256 |
return $rg; |
238 | 257 |
} |
... | ... | |
246 | 265 |
switch ($idinfo['type']) { |
247 | 266 |
case "address": |
248 | 267 |
if ($addrbits) { |
249 |
if ($mode == "tunnel6") |
|
268 |
if ($mode == "tunnel6") {
|
|
250 | 269 |
return $idinfo['address']."/128"; |
251 |
else
|
|
270 |
} else {
|
|
252 | 271 |
return $idinfo['address']."/32"; |
253 |
} else |
|
272 |
} |
|
273 |
} else { |
|
254 | 274 |
return $idinfo['address']; |
275 |
} |
|
255 | 276 |
break; /* NOTREACHED */ |
256 | 277 |
case "network": |
257 | 278 |
return "{$idinfo['address']}/{$idinfo['netbits']}"; |
... | ... | |
261 | 282 |
return '0.0.0.0/0'; |
262 | 283 |
break; /* NOTREACHED */ |
263 | 284 |
default: |
264 |
if (empty($mode) && !empty($idinfo['mode'])) |
|
285 |
if (empty($mode) && !empty($idinfo['mode'])) {
|
|
265 | 286 |
$mode = $idinfo['mode']; |
287 |
} |
|
266 | 288 |
|
267 | 289 |
if ($mode == "tunnel6") { |
268 | 290 |
$address = get_interface_ipv6($idinfo['type']); |
269 | 291 |
$netbits = get_interface_subnetv6($idinfo['type']); |
270 |
$address = gen_subnetv6($address,$netbits); |
|
292 |
$address = gen_subnetv6($address, $netbits);
|
|
271 | 293 |
return "{$address}/{$netbits}"; |
272 | 294 |
} else { |
273 | 295 |
$address = get_interface_ip($idinfo['type']); |
274 | 296 |
$netbits = get_interface_subnet($idinfo['type']); |
275 |
$address = gen_subnet($address,$netbits); |
|
297 |
$address = gen_subnet($address, $netbits);
|
|
276 | 298 |
return "{$address}/{$netbits}"; |
277 | 299 |
} |
278 | 300 |
break; /* NOTREACHED */ |
... | ... | |
282 | 304 |
/* |
283 | 305 |
* Return phase2 idinfo in address/netmask format |
284 | 306 |
*/ |
285 |
function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { |
|
307 |
function ipsec_idinfo_to_subnet(& $idinfo, $addrbits = false) {
|
|
286 | 308 |
global $config; |
287 | 309 |
|
288 | 310 |
switch ($idinfo['type']) { |
289 | 311 |
case "address": |
290 | 312 |
if ($addrbits) { |
291 |
if ($idinfo['mode'] == "tunnel6") |
|
313 |
if ($idinfo['mode'] == "tunnel6") {
|
|
292 | 314 |
return $idinfo['address']."/128"; |
293 |
else
|
|
315 |
} else {
|
|
294 | 316 |
return $idinfo['address']."/255.255.255.255"; |
295 |
} else |
|
317 |
} |
|
318 |
} else { |
|
296 | 319 |
return $idinfo['address']; |
320 |
} |
|
297 | 321 |
break; /* NOTREACHED */ |
298 | 322 |
case "none": |
299 | 323 |
case "network": |
... | ... | |
306 | 330 |
if ($idinfo['mode'] == "tunnel6") { |
307 | 331 |
$address = get_interface_ipv6($idinfo['type']); |
308 | 332 |
$netbits = get_interface_subnetv6($idinfo['type']); |
309 |
$address = gen_subnetv6($address,$netbits); |
|
333 |
$address = gen_subnetv6($address, $netbits);
|
|
310 | 334 |
return $address."/".$netbits; |
311 | 335 |
} else { |
312 | 336 |
$address = get_interface_ip($idinfo['type']); |
313 | 337 |
$netbits = get_interface_subnet($idinfo['type']); |
314 |
$address = gen_subnet($address,$netbits); |
|
338 |
$address = gen_subnet($address, $netbits);
|
|
315 | 339 |
return $address."/".$netbits; |
316 | 340 |
} |
317 | 341 |
break; /* NOTREACHED */ |
... | ... | |
325 | 349 |
global $config; |
326 | 350 |
|
327 | 351 |
switch ($idinfo['type']) { |
328 |
case "address": |
|
329 |
return $idinfo['address']; |
|
330 |
break; /* NOTREACHED */ |
|
331 |
case "network": |
|
332 |
return $idinfo['address']."/".$idinfo['netbits']; |
|
333 |
break; /* NOTREACHED */ |
|
334 |
case "mobile": |
|
335 |
return gettext("Mobile Client"); |
|
336 |
break; /* NOTREACHED */ |
|
337 |
case "none": |
|
338 |
return gettext("None"); |
|
339 |
break; /* NOTREACHED */ |
|
340 |
default: |
|
341 |
if (!empty($config['interfaces'][$idinfo['type']])) |
|
342 |
return convert_friendly_interface_to_friendly_descr($idinfo['type']); |
|
343 |
else |
|
344 |
return strtoupper($idinfo['type']); |
|
345 |
break; /* NOTREACHED */ |
|
352 |
case "address": |
|
353 |
return $idinfo['address']; |
|
354 |
break; /* NOTREACHED */ |
|
355 |
case "network": |
|
356 |
return $idinfo['address']."/".$idinfo['netbits']; |
|
357 |
break; /* NOTREACHED */ |
|
358 |
case "mobile": |
|
359 |
return gettext("Mobile Client"); |
|
360 |
break; /* NOTREACHED */ |
|
361 |
case "none": |
|
362 |
return gettext("None"); |
|
363 |
break; /* NOTREACHED */ |
|
364 |
default: |
|
365 |
if (!empty($config['interfaces'][$idinfo['type']])) { |
|
366 |
return convert_friendly_interface_to_friendly_descr($idinfo['type']); |
|
367 |
} else { |
|
368 |
return strtoupper($idinfo['type']); |
|
369 |
} |
|
370 |
break; /* NOTREACHED */ |
|
346 | 371 |
} |
347 | 372 |
} |
348 | 373 |
|
349 | 374 |
/* |
350 | 375 |
* Return phase1 association for phase2 |
351 | 376 |
*/ |
352 |
function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { |
|
377 |
function ipsec_lookup_phase1(& $ph2ent, & $ph1ent) {
|
|
353 | 378 |
global $config; |
354 | 379 |
|
355 |
if (!is_array($config['ipsec'])) |
|
380 |
if (!is_array($config['ipsec'])) {
|
|
356 | 381 |
return false; |
357 |
if (!is_array($config['ipsec']['phase1'])) |
|
382 |
} |
|
383 |
if (!is_array($config['ipsec']['phase1'])) { |
|
358 | 384 |
return false; |
359 |
if (empty($config['ipsec']['phase1'])) |
|
385 |
} |
|
386 |
if (empty($config['ipsec']['phase1'])) { |
|
360 | 387 |
return false; |
388 |
} |
|
361 | 389 |
|
362 | 390 |
foreach ($config['ipsec']['phase1'] as $ph1tmp) { |
363 |
if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) {
|
|
364 |
$ph1ent = $ph1tmp; |
|
365 |
return $ph1ent; |
|
366 |
}
|
|
391 |
if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) {
|
|
392 |
$ph1ent = $ph1tmp;
|
|
393 |
return $ph1ent;
|
|
394 |
}
|
|
367 | 395 |
} |
368 | 396 |
|
369 | 397 |
return false; |
... | ... | |
376 | 404 |
|
377 | 405 |
foreach ($ipsec_status as $ike) { |
378 | 406 |
if ($ike['id'] == $ikeid) { |
379 |
if ($ike['status'] == 'established') |
|
407 |
if ($ike['status'] == 'established') {
|
|
380 | 408 |
return true; |
409 |
} |
|
381 | 410 |
} |
382 | 411 |
} |
383 | 412 |
|
... | ... | |
389 | 418 |
*/ |
390 | 419 |
function ipsec_phase2_status(&$ipsec_status, &$phase2) { |
391 | 420 |
|
392 |
if (ipsec_lookup_phase1($ph2ent,$ph1ent))
|
|
421 |
if (ipsec_lookup_phase1($ph2ent, $ph1ent)) {
|
|
393 | 422 |
return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']); |
423 |
} |
|
394 | 424 |
|
395 | 425 |
return false; |
396 | 426 |
} |
... | ... | |
419 | 449 |
$response = ""; |
420 | 450 |
while (!strstr($sread, "</message>")) { |
421 | 451 |
$sread = fgets($fd); |
422 |
if ($sread === false) |
|
452 |
if ($sread === false) {
|
|
423 | 453 |
break; |
454 |
} |
|
424 | 455 |
$response .= $sread; |
425 | 456 |
} |
426 | 457 |
fclose($fd); |
... | ... | |
444 | 475 |
/* |
445 | 476 |
* Return dump of SPD table |
446 | 477 |
*/ |
447 |
function ipsec_dump_spd() |
|
448 |
{ |
|
478 |
function ipsec_dump_spd() { |
|
449 | 479 |
$fd = @popen("/sbin/setkey -DP", "r"); |
450 | 480 |
$spd = array(); |
451 | 481 |
if ($fd) { |
452 | 482 |
while (!feof($fd)) { |
453 | 483 |
$line = chop(fgets($fd)); |
454 |
if (!$line) |
|
484 |
if (!$line) {
|
|
455 | 485 |
continue; |
456 |
if ($line == "No SPD entries.") |
|
486 |
} |
|
487 |
if ($line == "No SPD entries.") { |
|
457 | 488 |
break; |
489 |
} |
|
458 | 490 |
if ($line[0] != "\t") { |
459 |
if (is_array($cursp)) |
|
491 |
if (is_array($cursp)) {
|
|
460 | 492 |
$spd[] = $cursp; |
493 |
} |
|
461 | 494 |
$cursp = array(); |
462 | 495 |
$linea = explode(" ", $line); |
463 | 496 |
$cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "[")); |
... | ... | |
466 | 499 |
} else if (is_array($cursp)) { |
467 | 500 |
$line = trim($line, "\t\r\n "); |
468 | 501 |
$linea = explode(" ", $line); |
469 |
switch($i) |
|
470 |
{ |
|
502 |
switch ($i) { |
|
471 | 503 |
case 1: |
472 |
if ($linea[1] == "none") /* don't show default anti-lockout rule */ |
|
504 |
if ($linea[1] == "none") /* don't show default anti-lockout rule */ {
|
|
473 | 505 |
unset($cursp); |
474 |
else
|
|
506 |
} else {
|
|
475 | 507 |
$cursp['dir'] = $linea[0]; |
508 |
} |
|
476 | 509 |
break; |
477 | 510 |
case 2: |
478 | 511 |
$upperspec = explode("/", $linea[0]); |
479 | 512 |
$cursp['proto'] = $upperspec[0]; |
480 | 513 |
list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]); |
481 |
$cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1);
|
|
514 |
$cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); |
|
482 | 515 |
break; |
483 | 516 |
} |
484 | 517 |
} |
485 | 518 |
$i++; |
486 | 519 |
} |
487 |
if (is_array($cursp) && count($cursp)) |
|
520 |
if (is_array($cursp) && count($cursp)) {
|
|
488 | 521 |
$spd[] = $cursp; |
522 |
} |
|
489 | 523 |
pclose($fd); |
490 | 524 |
} |
491 | 525 |
|
... | ... | |
495 | 529 |
/* |
496 | 530 |
* Return dump of SAD table |
497 | 531 |
*/ |
498 |
function ipsec_dump_sad() |
|
499 |
{ |
|
532 |
function ipsec_dump_sad() { |
|
500 | 533 |
$fd = @popen("/sbin/setkey -D", "r"); |
501 | 534 |
$sad = array(); |
502 | 535 |
if ($fd) { |
503 | 536 |
while (!feof($fd)) { |
504 | 537 |
$line = chop(fgets($fd)); |
505 |
if (!$line || $line[0] == " ") |
|
538 |
if (!$line || $line[0] == " ") {
|
|
506 | 539 |
continue; |
507 |
if ($line == "No SAD entries.") |
|
540 |
} |
|
541 |
if ($line == "No SAD entries.") { |
|
508 | 542 |
break; |
509 |
if ($line[0] != "\t")
|
|
510 |
{ |
|
511 |
if (is_array($cursa)) |
|
543 |
}
|
|
544 |
if ($line[0] != "\t") {
|
|
545 |
if (is_array($cursa)) {
|
|
512 | 546 |
$sad[] = $cursa; |
547 |
} |
|
513 | 548 |
$cursa = array(); |
514 |
list($cursa['src'],$cursa['dst']) = explode(" ", $line); |
|
515 |
} |
|
516 |
else |
|
517 |
{ |
|
549 |
list($cursa['src'], $cursa['dst']) = explode(" ", $line); |
|
550 |
} else { |
|
518 | 551 |
$line = trim($line, "\t\n\r "); |
519 | 552 |
$linea = explode(" ", $line); |
520 | 553 |
foreach ($linea as $idx => $linee) { |
521 |
if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') |
|
554 |
if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') {
|
|
522 | 555 |
$cursa['proto'] = $linee; |
523 |
else if (substr($linee, 0, 3) == 'spi')
|
|
556 |
} else if (substr($linee, 0, 3) == 'spi') {
|
|
524 | 557 |
$cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1); |
525 |
else if (substr($linee, 0, 5) == 'reqid')
|
|
558 |
} else if (substr($linee, 0, 5) == 'reqid') {
|
|
526 | 559 |
$cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1); |
527 |
else if (substr($linee, 0, 2) == 'E:') { |
|
560 |
} else if (substr($linee, 0, 2) == 'E:') {
|
|
528 | 561 |
$cursa['ealgo'] = $linea[$idx + 1]; |
529 | 562 |
break; |
530 | 563 |
} else if (substr($linee, 0, 2) == 'A:') { |
... | ... | |
534 | 567 |
$cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B'; |
535 | 568 |
break; |
536 | 569 |
} |
537 |
|
|
538 | 570 |
} |
539 | 571 |
} |
540 | 572 |
} |
541 |
if (is_array($cursa) && count($cursa)) |
|
573 |
if (is_array($cursa) && count($cursa)) {
|
|
542 | 574 |
$sad[] = $cursa; |
575 |
} |
|
543 | 576 |
pclose($fd); |
544 | 577 |
} |
545 | 578 |
|
... | ... | |
560 | 593 |
} |
561 | 594 |
|
562 | 595 |
/* This is needed for fixing #4130 */ |
563 |
if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) |
|
596 |
if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) {
|
|
564 | 597 |
return array(); |
598 |
} |
|
565 | 599 |
|
566 | 600 |
$custom_listtags = array('lease', 'pool'); |
567 | 601 |
$response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases"); |
... | ... | |
583 | 617 |
|
584 | 618 |
function ipsec_get_number_of_phase2($ikeid) { |
585 | 619 |
global $config; |
586 |
$a_phase2 = $config['ipsec']['phase2'];
|
|
620 |
$a_phase2 = $config['ipsec']['phase2']; |
|
587 | 621 |
|
588 |
$nbph2=0;
|
|
622 |
$nbph2 = 0;
|
|
589 | 623 |
|
590 |
if (is_array($a_phase2) && count($a_phase2)) {
|
|
591 |
foreach ($a_phase2 as $ph2tmp) {
|
|
592 |
if ($ph2tmp['ikeid'] == $ikeid) {
|
|
624 |
if (is_array($a_phase2) && count($a_phase2)) { |
|
625 |
foreach ($a_phase2 as $ph2tmp) {
|
|
626 |
if ($ph2tmp['ikeid'] == $ikeid) {
|
|
593 | 627 |
$nbph2++; |
594 | 628 |
} |
595 | 629 |
} |
... | ... | |
602 | 636 |
global $config; |
603 | 637 |
|
604 | 638 |
if (!isset($config['ipsec']['phase1']) || |
605 |
!is_array($config['ipsec']['phase1'])) |
|
639 |
!is_array($config['ipsec']['phase1'])) {
|
|
606 | 640 |
return ''; |
641 |
} |
|
607 | 642 |
|
608 | 643 |
foreach ($config['ipsec']['phase1'] as $p1) { |
609 | 644 |
if ($p1['ikeid'] == $ikeid) { |
... | ... | |
615 | 650 |
} |
616 | 651 |
|
617 | 652 |
function ipsec_get_phase1($ikeid) { |
618 |
global $config;
|
|
653 |
global $config;
|
|
619 | 654 |
|
620 |
if (!isset($config['ipsec']['phase1']) || |
|
621 |
!is_array($config['ipsec']['phase1'])) |
|
622 |
return ''; |
|
655 |
if (!isset($config['ipsec']['phase1']) || |
|
656 |
!is_array($config['ipsec']['phase1'])) { |
|
657 |
return ''; |
|
658 |
} |
|
623 | 659 |
|
624 |
$a_phase1 = $config['ipsec']['phase1'];
|
|
625 |
foreach ($a_phase1 as $p1) {
|
|
626 |
if ($p1['ikeid'] == $ikeid) {
|
|
627 |
return $p1;
|
|
628 |
}
|
|
629 |
}
|
|
630 |
unset($a_phase1);
|
|
660 |
$a_phase1 = $config['ipsec']['phase1'];
|
|
661 |
foreach ($a_phase1 as $p1) {
|
|
662 |
if ($p1['ikeid'] == $ikeid) {
|
|
663 |
return $p1;
|
|
664 |
}
|
|
665 |
}
|
|
666 |
unset($a_phase1);
|
|
631 | 667 |
} |
632 | 668 |
|
633 | 669 |
function ipsec_fixup_ip($ipaddr) { |
634 |
if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) |
|
670 |
if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) {
|
|
635 | 671 |
return Net_IPv6::compress(Net_IPv6::uncompress($ipaddr)); |
636 |
else
|
|
672 |
} else {
|
|
637 | 673 |
return $ipaddr; |
674 |
} |
|
638 | 675 |
} |
639 | 676 |
|
640 | 677 |
function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { |
... | ... | |
643 | 680 |
$id_data = $ph1ent['myid_data']; |
644 | 681 |
|
645 | 682 |
$addr = ipsec_get_phase1_src($ph1ent); |
646 |
if (!$addr) |
|
683 |
if (!$addr) {
|
|
647 | 684 |
return array(); |
685 |
} |
|
648 | 686 |
} elseif ($side == "peer") { |
649 | 687 |
$id_type = $ph1ent['peerid_type']; |
650 | 688 |
$id_data = $ph1ent['peerid_data']; |
651 | 689 |
|
652 |
if (isset($ph1ent['mobile'])) |
|
690 |
if (isset($ph1ent['mobile'])) {
|
|
653 | 691 |
$addr = "%any"; |
654 |
else
|
|
692 |
} else {
|
|
655 | 693 |
$addr = $ph1ent['remote-gateway']; |
656 |
} else |
|
694 |
} |
|
695 |
} else { |
|
657 | 696 |
return array(); |
697 |
} |
|
658 | 698 |
|
659 | 699 |
|
660 | 700 |
$thisid_type = $id_type; |
661 | 701 |
switch ($thisid_type) { |
662 |
case 'myaddress': |
|
663 |
$thisid_type = 'address'; |
|
664 |
$thisid_data = $addr; |
|
665 |
break; |
|
666 |
case 'dyn_dns': |
|
667 |
$thisid_type = 'dns'; |
|
668 |
$thisid_data = $id_data; |
|
669 |
break; |
|
670 |
case 'peeraddress': |
|
671 |
$thisid_type = 'address'; |
|
672 |
$thisid_data = $rgmap[$ph1ent['remote-gateway']]; |
|
673 |
break; |
|
674 |
case 'address': |
|
675 |
$thisid_data = $id_data; |
|
676 |
break; |
|
677 |
case 'fqdn': |
|
678 |
$thisid_data = "{$id_data}"; |
|
679 |
break; |
|
680 |
case 'keyid tag': |
|
681 |
$thisid_type = 'keyid'; |
|
682 |
$thisid_data = "{$id_data}"; |
|
683 |
break; |
|
684 |
case 'user_fqdn': |
|
685 |
$thisid_type = 'userfqdn'; |
|
686 |
$thisid_data = "{$id_data}"; |
|
687 |
break; |
|
688 |
case 'asn1dn': |
|
689 |
$thisid_data = $id_data; |
|
690 |
$thisid_data = "{$id_data}"; |
|
691 |
break; |
|
702 |
case 'myaddress': |
|
703 |
$thisid_type = 'address'; |
|
704 |
$thisid_data = $addr; |
|
705 |
break; |
|
706 |
case 'dyn_dns': |
|
707 |
$thisid_type = 'dns'; |
|
708 |
$thisid_data = $id_data; |
|
709 |
break; |
|
710 |
case 'peeraddress': |
|
711 |
$thisid_type = 'address'; |
|
712 |
$thisid_data = $rgmap[$ph1ent['remote-gateway']]; |
|
713 |
break; |
|
714 |
case 'address': |
|
715 |
$thisid_data = $id_data; |
|
716 |
break; |
|
717 |
case 'fqdn': |
|
718 |
$thisid_data = "{$id_data}"; |
|
719 |
break; |
|
720 |
case 'keyid tag': |
|
721 |
$thisid_type = 'keyid'; |
|
722 |
$thisid_data = "{$id_data}"; |
|
723 |
break; |
|
724 |
case 'user_fqdn': |
|
725 |
$thisid_type = 'userfqdn'; |
|
726 |
$thisid_data = "{$id_data}"; |
|
727 |
break; |
|
728 |
case 'asn1dn': |
|
729 |
$thisid_data = $id_data; |
|
730 |
if ($thisid_data && $thisid_data[0] != '"') { |
|
731 |
$thisid_data = "\"{$id_data}\""; |
|
732 |
} |
|
733 |
break; |
|
692 | 734 |
} |
693 | 735 |
return array($thisid_type, $thisid_data); |
694 | 736 |
} |
695 | 737 |
|
696 | 738 |
function ipsec_fixup_network($network) { |
697 |
if (substr($network, -3) == '|/0') |
|
739 |
if (substr($network, -3) == '|/0') {
|
|
698 | 740 |
$result = substr($network, 0, -3); |
699 |
else { |
|
741 |
} else {
|
|
700 | 742 |
$tmp = explode('|', $network); |
701 |
if (isset($tmp[1])) |
|
743 |
if (isset($tmp[1])) {
|
|
702 | 744 |
$result = $tmp[1]; |
703 |
else
|
|
745 |
} else {
|
|
704 | 746 |
$result = $tmp[0]; |
747 |
} |
|
705 | 748 |
unset($tmp); |
706 | 749 |
} |
707 | 750 |
|
... | ... | |
711 | 754 |
function ipsec_new_reqid() { |
712 | 755 |
global $config; |
713 | 756 |
|
714 |
if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) |
|
757 |
if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) {
|
|
715 | 758 |
return; |
759 |
} |
|
716 | 760 |
|
717 | 761 |
$ipsecreqid = lock('ipsecreqids', LOCK_EX); |
718 | 762 |
$keyids = array(); |
719 | 763 |
$keyid = 1; |
720 |
foreach ($config['ipsec']['phase2'] as $ph2) |
|
764 |
foreach ($config['ipsec']['phase2'] as $ph2) {
|
|
721 | 765 |
$keyids[$ph2['reqid']] = $ph2['reqid']; |
766 |
} |
|
722 | 767 |
|
723 | 768 |
for ($i = 1; $i < 16000; $i++) { |
724 | 769 |
if (!isset($keyids[$i])) { |
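Review bot: ipsec_phase2_status (new lines 419–426) calls `ipsec_lookup_phase1($ph2ent, $ph1ent)` with `$ph2ent`, a variable that is never assigned anywhere in that function — its parameter is `&$phase2` — so the lookup is run against a null entry and the function can only ever return false; the brace-only rewrite of line 421 keeps this, and the fix is `if (ipsec_lookup_phase1($phase2, $ph1ent)) {`. The section also carries behaviour changes that the description ("Mostly whitespace and style changes") does not mention and that deserve a comment in the code: the asn1dn case of ipsec_find_id (new lines 728–733, in a hunk that resumes after an elision at line 680, so the start of the function body is not shown) now wraps the identifier in double quotes unless it already begins with one. That check inspects only the first character and does not escape a `"` inside the DN, so a constructed value such as `CN=a"b` would come out as `"CN=a"b"`; where this string is consumed is not visible here, so a comment like `/* ASN.1 DNs are emitted quoted; embedded double quotes are not escaped — reject them where myid_data/peerid_data is validated */` would record the assumption for whoever owns that input path. The AES-GCM entries added to $p1_ealgos and $p2_ealgos (new lines 72–74 and 83–85) allow 64 at the low end of their keysel range; if that field is the ICV length that the aes128gcm naming suggests, 64 is the weakest tag offered and the entry could carry a comment noting that 128 is the preferable default.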
sync up ipsec.inc with master. Mostly whitespace and style changes.