<?php
2
/*
3
	vpn.inc
4 09221bc3 Renato Botelho
5
	part of pfSense (https://www.pfsense.org)
6 a93e56c5 Matthew Grooms
	Copyright (C) 2008 Shrew Soft Inc
7 09221bc3 Renato Botelho
	Copyright (c) 2004-2016 Electric Sheep Fencing, LLC.
8 cfc707f7 Scott Ullrich
	All rights reserved.
9 17da6c79 Scott Ullrich
10
	originally part of m0n0wall (http://m0n0.ch/wall)
11
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12
	All rights reserved.
13
14 5b237745 Scott Ullrich
	Redistribution and use in source and binary forms, with or without
15
	modification, are permitted provided that the following conditions are met:
16 17da6c79 Scott Ullrich
17 5b237745 Scott Ullrich
	1. Redistributions of source code must retain the above copyright notice,
18
	   this list of conditions and the following disclaimer.
19 17da6c79 Scott Ullrich
20 5b237745 Scott Ullrich
	2. Redistributions in binary form must reproduce the above copyright
21 09221bc3 Renato Botelho
	   notice, this list of conditions and the following disclaimer in
22
	   the documentation and/or other materials provided with the
23
	   distribution.
24
25
	3. All advertising materials mentioning features or use of this software
26
	   must display the following acknowledgment:
27
	   "This product includes software developed by the pfSense Project
28
	   for use in the pfSense® software distribution. (http://www.pfsense.org/).
29
30
	4. The names "pfSense" and "pfSense Project" must not be used to
31
	   endorse or promote products derived from this software without
32
	   prior written permission. For written permission, please contact
33
	   coreteam@pfsense.org.
34
35
	5. Products derived from this software may not be called "pfSense"
36
	   nor may "pfSense" appear in their names without prior written
37
	   permission of the Electric Sheep Fencing, LLC.
38
39
	6. Redistributions of any form whatsoever must retain the following
40
	   acknowledgment:
41
42
	"This product includes software developed by the pfSense Project
43
	for use in the pfSense software distribution (http://www.pfsense.org/).
44
45
	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
46
	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47
	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
48
	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
49
	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50
	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
51
	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
52
	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
53
	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
54
	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
55
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
56
	OF THE POSSIBILITY OF SUCH DAMAGE.
57 5b237745 Scott Ullrich
*/
require_once("ipsec.inc");
require_once("filter.inc");
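/**
 * Change the running strongSwan daemon's log level for one logging category.
 *
 * Both arguments are checked against the known category and severity tables
 * before anything is handed to the daemon.  The value placed on the command
 * line is the integer form of $level (the same value the severity check was
 * performed on), never the raw argument, so a string that merely starts with
 * a valid digit cannot carry extra shell text past the validation.
 *
 * @param string     $category  must be a key of $ipsec_log_cats
 * @param int|string $level     must convert (intval) to a key of $ipsec_log_sevs
 * @return void  does nothing when either argument is not in its table
 */
function vpn_update_daemon_loglevel($category, $level) {
	global $ipsec_log_cats, $ipsec_log_sevs;

	$severity = intval($level);
	if (!in_array($category, array_keys($ipsec_log_cats), true) ||
	    !in_array($severity, array_keys($ipsec_log_sevs), true)) {
		return;
	}

	/* a negative level needs "--" in front of it so stroke does not parse
	 * -1 as an option */
	$argterm = ($severity === -1) ? "--" : "";

	/* $category is one of our own table keys and $severity is an int, so the
	 * command line only ever contains values taken from those tables */
	mwexec("/usr/local/sbin/ipsec stroke loglevel {$category} {$argterm} {$severity}");
}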
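/**
 * Build the per-category log level lines that go into the charon syslog
 * section of strongswan.conf, from $config['ipsec']['logging'].
 *
 * Only categories listed in $ipsec_log_cats are considered.  A category is
 * emitted only when its configured value is numeric and, once converted to
 * an integer, is a known key of $ipsec_log_sevs.  The emitted value is that
 * validated integer rather than the stored string, so the generated config
 * line cannot carry stray characters from the setting.
 *
 * @return array list of "<category> = <level>" strings, in $ipsec_log_cats order
 */
function vpn_logging_cfgtxt() {
	global $config, $ipsec_log_cats, $ipsec_log_sevs;

	$cfgtext = array();

	/* tolerate a config with no logging section at all */
	$logging = array();
	if (isset($config['ipsec']['logging']) && is_array($config['ipsec']['logging'])) {
		$logging = $config['ipsec']['logging'];
	}
	$valid_levels = array_keys($ipsec_log_sevs);

	foreach (array_keys($ipsec_log_cats) as $cat) {
		if (!isset($logging[$cat]) || !is_numeric($logging[$cat])) {
			continue;
		}
		$level = intval($logging[$cat]);
		if (in_array($level, $valid_levels, true)) {
			$cfgtext[] = "{$cat} = {$level}";
		}
	}

	return $cfgtext;
}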
/* include all configuration functions */
/* Map an IKE Diffie-Hellman group number, as stored in the config, to the
 * strongSwan algorithm keyword.  Returns an empty string for a group number
 * that is not in the table. */
function vpn_ipsec_convert_to_modp($index) {
	/* keyed by strongSwan name; the group number is kept as a string so the
	 * loose comparison below behaves exactly like the original case labels */
	static $dh_groups = array(
		'modp768'      => '1',
		'modp1024'     => '2',
		'modp1536'     => '5',
		'modp2048'     => '14',
		'modp3072'     => '15',
		'modp4096'     => '16',
		'modp6144'     => '17',
		'modp8192'     => '18',
		'ecp256'       => '19',
		'ecp384'       => '20',
		'ecp521'       => '21',
		'modp1024s160' => '22',
		'modp2048s224' => '23',
		'modp2048s256' => '24',
		'ecp256bp'     => '28',
		'ecp384bp'     => '29',
		'ecp512bp'     => '30',
	);

	foreach ($dh_groups as $name => $group) {
		if ($index == $group) {
			return $name;
		}
	}

	return "";
}
function vpn_ipsec_configure($restart = false) {
153 34ba4e5d Chris Buechler
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling;
154 17da6c79 Scott Ullrich
155 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
156 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
157
	touch("{$g['vardb_path']}/ipsecpinghosts");
158 d315b341 Chris Buechler
	$ipsecpinghostsactive = false;
159 086cf944 Phil Davis
160 0545a75e Chris Buechler
	/* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */
161
	filter_configure();
162 c1f5a46b Scott Ullrich
163 8f67a8e1 Scott Ullrich
	$syscfg = $config['system'];
164 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
165 1a2de6d6 Luiz Otavio O Souza
	if (!ipsec_enabled()) {
166 6c576b27 Ermal
		/* try to stop charon */
167
		mwexec("/usr/local/sbin/ipsec stop");
168 52c9f9fa Ermal
		/* Stop dynamic monitoring */
169 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
170 98c02cac Ermal
171 6c576b27 Ermal
		/* wait for process to die */
172 8f67a8e1 Scott Ullrich
		sleep(2);
173
174 ce0dbd72 Matt Smith
		/* IPSEC is off, shutdown enc interface.*/
175 52c9f9fa Ermal
		mwexec("/sbin/ifconfig enc0 down");
176 2f1e0311 Seth Mos
177 6a781df6 Ermal
		return 0;
178 7a683b46 Ermal LUÇI
	}
179 8f67a8e1 Scott Ullrich
180 d8cb5ff3 Ermal LUÇI
	$a_phase1 = $config['ipsec']['phase1'];
181
	$a_phase2 = $config['ipsec']['phase2'];
182
	$a_client = $config['ipsec']['client'];
183
184 7a683b46 Ermal LUÇI
	$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
185
	$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
186
	$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
187 14ec7c4b Chris Buechler
	$crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
188 7a683b46 Ermal LUÇI
189
	mwexec("/sbin/ifconfig enc0 up");
190 6c07db48 Phil Davis
	if (php_uname('m') != "amd64") {
191 05591613 Ermal LUÇI
		set_single_sysctl("net.inet.ipsec.directdispatch", "0");
192 6c07db48 Phil Davis
	}
193 05591613 Ermal LUÇI
194 7a683b46 Ermal LUÇI
	/* needed for config files */
195 79262830 Phil Davis
	if (!is_dir("{$g['varetc_path']}/ipsec")) {
196 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec");
197 79262830 Phil Davis
	}
198
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) {
199 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
200 79262830 Phil Davis
	}
201 96d5ca11 Chris Buechler
	// delete these paths first to ensure old CAs, certs and CRLs aren't left behind. redmine #5238
202
	rmdir_recursive($capath);
203
	rmdir_recursive($keypath);
204
	rmdir_recursive($crlpath);
205
	rmdir_recursive($certpath);
206 79262830 Phil Davis
	if (!is_dir($capath)) {
207 7a683b46 Ermal LUÇI
		mkdir($capath);
208 79262830 Phil Davis
	}
209
	if (!is_dir($keypath)) {
210 7a683b46 Ermal LUÇI
		mkdir($keypath);
211 79262830 Phil Davis
	}
212 14ec7c4b Chris Buechler
	if (!is_dir($crlpath)) {
213
		mkdir($crlpath);
214 79262830 Phil Davis
	}
215
	if (!is_dir($certpath)) {
216 7a683b46 Ermal LUÇI
		mkdir($certpath);
217 79262830 Phil Davis
	}
218
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) {
219 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
220 79262830 Phil Davis
	}
221
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) {
222 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
223 79262830 Phil Davis
	}
224
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) {
225 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
226 79262830 Phil Davis
	}
227
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) {
228 7a683b46 Ermal LUÇI
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
229 79262830 Phil Davis
	}
230
231 680e4db5 Renato Botelho
	if (!file_exists("/usr/local/etc/ipsec.d") ||
232 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/ipsec.d")) {
233
		conf_mount_rw();
234 680e4db5 Renato Botelho
		if (file_exists("/usr/local/etc/ipsec.d")) {
235
			rmdir_recursive("/usr/local/etc/ipsec.d");
236
		}
237 03c4effd Renato Botelho
		@symlink("{$g['varetc_path']}/ipsec/ipsec.d",
238
		    "/usr/local/etc/ipsec.d");
239
		conf_mount_ro();
240
	}
241 a095a1e5 Renato Botelho
	if (!file_exists("{$g['varetc_path']}/etc/strongswan.d") ||
242 65ed01c5 Renato Botelho
	    !is_link("{$g['varetc_path']}/etc/strongswan.d")) {
243 03c4effd Renato Botelho
		conf_mount_rw();
244 a095a1e5 Renato Botelho
		if (is_link("{$g['varetc_path']}/etc/strongswan.d")) {
245
			@unlink("{$g['varetc_path']}/etc/strongswan.d");
246
		} else {
247
			rmdir_recursive("{$g['varetc_path']}/etc/strongswan.d");
248
		}
249 65ed01c5 Renato Botelho
		@symlink("/usr/local/etc/strongswan.d",
250
		    "{$g['varetc_path']}/ipsec/strongswan.d");
251 03c4effd Renato Botelho
		conf_mount_ro();
252
	}
253 b0e51046 Renato Botelho
	if (!file_exists("/usr/local/etc/strongswan.conf") ||
254 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/strongswan.conf")) {
255
		conf_mount_rw();
256
		@unlink("/usr/local/etc/strongswan.conf");
257
		@symlink("{$g['varetc_path']}/ipsec/strongswan.conf",
258
		    "/usr/local/etc/strongswan.conf");
259
		conf_mount_ro();
260
	}
261 b0e51046 Renato Botelho
	if (!file_exists("/usr/local/etc/ipsec.conf") ||
262 03c4effd Renato Botelho
	    !is_link("/usr/local/etc/ipsec.conf")) {
263
		conf_mount_rw();
264
		@unlink("/usr/local/etc/ipsec.conf");
265
		@symlink("{$g['varetc_path']}/ipsec/ipsec.conf",
266
		    "/usr/local/etc/ipsec.conf");
267
		conf_mount_ro();
268
	}
269 e3afacbb Chris Buechler
270 79262830 Phil Davis
	if (platform_booting()) {
271 7a683b46 Ermal LUÇI
		echo gettext("Configuring IPsec VPN... ");
272 79262830 Phil Davis
	}
273 496acde1 Ermal
274 7a683b46 Ermal LUÇI
	/* resolve all local, peer addresses and setup pings */
275
	$ipmap = array();
276
	$rgmap = array();
277
	$filterdns_list = array();
278
	$aggressive_mode_psk = false;
279
	unset($iflist);
280 778d2ea9 Ermal LUÇI
	$ifacesuse = array();
281 6684d594 Matt Smith
	$mobile_ipsec_auth = "";
282 7a683b46 Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
283 8f67a8e1 Scott Ullrich
284 7a683b46 Ermal LUÇI
		$ipsecpinghosts = "";
285
		/* step through each phase1 entry */
286
		foreach ($a_phase1 as $ph1ent) {
287 79262830 Phil Davis
			if (isset($ph1ent['disabled'])) {
288 7a683b46 Ermal LUÇI
				continue;
289 79262830 Phil Davis
			}
290 8f67a8e1 Scott Ullrich
291 2a5960b0 Luiz Otavio O Souza
			if (substr($ph1ent['interface'], 0, 4) == "_vip") {
292
				$vpninterface = get_configured_vip_interface($ph1ent['interface']);
293
				$ifacesuse[] = get_real_interface($vpninterface);
294 79262830 Phil Davis
			} else {
295
				$vpninterface = get_failover_interface($ph1ent['interface']);
296 2a5960b0 Luiz Otavio O Souza
				if (substr($vpninterface, 0, 4) == "_vip") {
297
					$vpninterface = get_configured_vip_interface($vpninterface);
298
					$ifacesuse[] = get_real_interface($vpninterface);
299 79262830 Phil Davis
				} elseif (!empty($vpninterface)) {
300 121cde47 Ermal LUÇI
					$ifacesuse[] = $vpninterface;
301 79262830 Phil Davis
				}
302 121cde47 Ermal LUÇI
			}
303 79262830 Phil Davis
304
			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) {
305 7a683b46 Ermal LUÇI
				$aggressive_mode_psk = true;
306 79262830 Phil Davis
			}
307 3462a529 Matthew Grooms
308 7a683b46 Ermal LUÇI
			$ikeid = $ph1ent['ikeid'];
309 979cd6db Scott Ullrich
310 7a683b46 Ermal LUÇI
			$ep = ipsec_get_phase1_src($ph1ent);
311 79262830 Phil Davis
			if (!is_ipaddr($ep)) {
312 51a14c58 Phil Davis
				log_error(sprintf(gettext("IPsec ERROR: Could not find phase 1 source for connection %s. Omitting from configuration file."), $ph1ent['descr']));
313 7a683b46 Ermal LUÇI
				continue;
314 79262830 Phil Davis
			}
315 7a683b46 Ermal LUÇI
316 086cf944 Phil Davis
			if (!in_array($ep, $ipmap)) {
317 7a683b46 Ermal LUÇI
				$ipmap[] = $ep;
318 79262830 Phil Davis
			}
319 7a683b46 Ermal LUÇI
320
			/* see if this tunnel has a hostname for the remote-gateway. If so,
321
			   try to resolve it now and add it to the list for filterdns */
322
323 79262830 Phil Davis
			if (isset ($ph1ent['mobile'])) {
324 6684d594 Matt Smith
				$mobile_ipsec_auth = $ph1ent['authentication_method'];
325 7a683b46 Ermal LUÇI
				continue;
326 79262830 Phil Davis
			}
327 7a683b46 Ermal LUÇI
328
			$rg = $ph1ent['remote-gateway'];
329
330
			if (!is_ipaddr($rg)) {
331
				$filterdns_list[] = "{$rg}";
332
				add_hostname_to_watch($rg);
333 79262830 Phil Davis
				if (!platform_booting()) {
334 7a683b46 Ermal LUÇI
					$rg = resolve_retry($rg);
335 79262830 Phil Davis
				}
336
				if (!is_ipaddr($rg)) {
337 829fa12e smos
					continue;
338 79262830 Phil Davis
				}
339 7a683b46 Ermal LUÇI
			}
340 79262830 Phil Davis
			if (array_search($rg, $rgmap)) {
341 51a14c58 Phil Davis
				log_error(sprintf(gettext("The remote gateway %s already exists on another phase 1 entry"), $rg));
342 7a683b46 Ermal LUÇI
				continue;
343
			}
344
			$rgmap[$ph1ent['remote-gateway']] = $rg;
345 8f67a8e1 Scott Ullrich
346 7a683b46 Ermal LUÇI
			if (is_array($a_phase2)) {
347
				/* step through each phase2 entry */
348
				foreach ($a_phase2 as $ph2ent) {
349 79262830 Phil Davis
					if (isset($ph2ent['disabled'])) {
350 7a683b46 Ermal LUÇI
						continue;
351 79262830 Phil Davis
					}
352 a11df336 jim-p
353 79262830 Phil Davis
					if ($ikeid != $ph2ent['ikeid']) {
354 7a683b46 Ermal LUÇI
						continue;
355 79262830 Phil Davis
					}
356 a11df336 jim-p
357 7a683b46 Ermal LUÇI
					/* add an ipsec pinghosts entry */
358
					if ($ph2ent['pinghost']) {
359 79262830 Phil Davis
						if (!is_array($iflist)) {
360 7a683b46 Ermal LUÇI
							$iflist = get_configured_interface_list();
361 79262830 Phil Davis
						}
362 7a683b46 Ermal LUÇI
						$srcip = null;
363
						$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
364 79262830 Phil Davis
						if (is_ipaddrv6($ph2ent['pinghost'])) {
365 7a683b46 Ermal LUÇI
							foreach ($iflist as $ifent => $ifname) {
366
								$interface_ip = get_interface_ipv6($ifent);
367 79262830 Phil Davis
								if (!is_ipaddrv6($interface_ip)) {
368 7a683b46 Ermal LUÇI
									continue;
369 79262830 Phil Davis
								}
370 7a683b46 Ermal LUÇI
								if (ip_in_subnet($interface_ip, $local_subnet)) {
371
									$srcip = $interface_ip;
372
									break;
373 fb17f629 Seth Mos
								}
374 a11df336 jim-p
							}
375 7a683b46 Ermal LUÇI
						} else {
376
							foreach ($iflist as $ifent => $ifname) {
377
								$interface_ip = get_interface_ip($ifent);
378 79262830 Phil Davis
								if (!is_ipaddrv4($interface_ip)) {
379 7a683b46 Ermal LUÇI
									continue;
380 79262830 Phil Davis
								}
381 7a683b46 Ermal LUÇI
								if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
382
									$srcip = $interface_ip;
383
									break;
384 dc63467f Matt Smith
								}
385
							}
386 7a683b46 Ermal LUÇI
						}
387
						/* if no valid src IP was found in configured interfaces, try the vips */
388
						if (is_null($srcip)) {
389 2a5960b0 Luiz Otavio O Souza
							$viplist = get_configured_vip_list();
390
							foreach ($viplist as $vip => $address) {
391
								if (ip_in_subnet($address, $local_subnet)) {
392
									$srcip = $address;
393 7a683b46 Ermal LUÇI
									break;
394
								}
395 741077bc Ermal Lu?i
							}
396 87e07f52 mgrooms
						}
397 7a683b46 Ermal LUÇI
						$dstip = $ph2ent['pinghost'];
398 79262830 Phil Davis
						if (is_ipaddrv6($dstip)) {
399 7a683b46 Ermal LUÇI
							$family = "inet6";
400
						} else {
401
							$family = "inet";
402
						}
403 79262830 Phil Davis
						if (is_ipaddr($srcip)) {
404 7a683b46 Ermal LUÇI
							$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
405 d315b341 Chris Buechler
							$ipsecpinghostsactive = true;
406 79262830 Phil Davis
						}
407 17da6c79 Scott Ullrich
					}
408 a93e56c5 Matthew Grooms
				}
409
			}
410
		}
411 7a683b46 Ermal LUÇI
		@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
412
		unset($ipsecpinghosts);
413
	}
414
	unset($iflist);
415 496acde1 Ermal
416 7a683b46 Ermal LUÇI
	$accept_unencrypted = "";
417 79262830 Phil Davis
	if (isset($config['ipsec']['acceptunencryptedmainmode'])) {
418 7a683b46 Ermal LUÇI
		$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
419 79262830 Phil Davis
	}
420 737b18f2 Ermal
421 420fce04 Ermal LUÇI
	$stronconf = '';
422 79262830 Phil Davis
	if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) {
423 420fce04 Ermal LUÇI
		$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
424 79262830 Phil Davis
	}
425 420fce04 Ermal LUÇI
426 7a683b46 Ermal LUÇI
	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
427
	if ($aggressive_mode_psk) {
428
		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
429 79262830 Phil Davis
		if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) {
430 420fce04 Ermal LUÇI
			$restart = true;
431 79262830 Phil Davis
		}
432 7a683b46 Ermal LUÇI
		$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
433 79262830 Phil Davis
	}
434 4a076e36 Ermal LUÇI
435 d9a17eaf Chris Buechler
	$unity_enabled = isset($config['ipsec']['unityplugin']) ? 'yes' : 'no';
436 4a076e36 Ermal LUÇI
437 0608bd3c Ermal LUÇI
	$makebeforebreak = '';
438
	if (isset($config['ipsec']['makebeforebreak'])) {
439
		$makebeforebreak = 'make_before_break = yes';
440
	}
441
442 24acc8f4 Chris Buechler
	if (isset($config['ipsec']['enableinterfacesuse'])) {
443
		if (!empty($ifacesuse)) {
444
			$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
445
		} else {
446
			$ifacesuse = '';
447
		}
448 79262830 Phil Davis
	} else {
449 778d2ea9 Ermal LUÇI
		$ifacesuse = '';
450 79262830 Phil Davis
	}
451 778d2ea9 Ermal LUÇI
452 1c4540dc Ermal LUÇI
	unset($stronconf);
453 420fce04 Ermal LUÇI
454 31630f47 Chris Buechler
	$strongswanlog = "";
455 c53e411f Matt Smith
	$ipsecloglevels = vpn_logging_cfgtxt();
456 31630f47 Chris Buechler
	if (is_array($ipsecloglevels)) {
457
		foreach ($ipsecloglevels as $loglevel) {
458 62fb5808 Renato Botelho
			$strongswanlog .= "\t\t\t" . $loglevel . "\n";
459 31630f47 Chris Buechler
		}
460
	}
461 7a683b46 Ermal LUÇI
	$strongswan = <<<EOD
462 496acde1 Ermal
463 79262830 Phil Davis
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
464 496acde1 Ermal
starter {
465 03c4effd Renato Botelho
	load_warning = no
466
	config_file = {$g['varetc_path']}/ipsec/ipsec.conf
467 496acde1 Ermal
}
468
469
charon {
470 7a683b46 Ermal LUÇI
# number of worker threads in charon
471 62fb5808 Renato Botelho
	threads = 16
472
	ikesa_table_size = 32
473
	ikesa_table_segments = 4
474
	init_limit_half_open = 1000
475
	install_routes = no
476 2a44b0eb Renato Botelho
	load_modular = yes
477 62fb5808 Renato Botelho
	{$i_dont_care_about_security_and_use_aggressive_mode_psk}
478
	{$accept_unencrypted}
479
	cisco_unity = {$unity_enabled}
480
	{$ifacesuse}
481
	{$makebeforebreak}
482
483
	syslog {
484
		identifier = charon
485
		# log everything under daemon since it ends up in the same place regardless with our syslog.conf
486
		daemon {
487
			ike_name = yes
488 31630f47 Chris Buechler
{$strongswanlog}
489 62fb5808 Renato Botelho
		}
490
		# disable logging under auth so logs aren't duplicated
491
		auth {
492
			default = -1
493
		}
494 7335fa53 Ermal
	}
495 c6efc8fd Ermal
496 03c4effd Renato Botelho
	plugins {
497 2a44b0eb Renato Botelho
		# Load defaults
498
		include {$g['varetc_path']}/ipsec/strongswan.d/charon/*.conf
499
500 03c4effd Renato Botelho
		stroke {
501
			secrets_file = {$g['varetc_path']}/ipsec/ipsec.secrets
502
		}
503 496acde1 Ermal
504 2a44b0eb Renato Botelho
		unity {
505
			load = {$unity_enabled}
506
		}
507
508 03c4effd Renato Botelho
EOD;
509 7a683b46 Ermal LUÇI
510 6684d594 Matt Smith
	/* Find RADIUS servers designated for Mobile IPsec user auth */
511
	$radius_server_txt = "";
512
	$user_sources = explode(',', $config['ipsec']['client']['user_source']);
513
	foreach ($user_sources as $user_source) {
514
		$auth_server = auth_get_authserver($user_source);
515
		$nice_user_source = strtolower(preg_replace('/\s+/', '_', $user_source));
516
		if ($auth_server && $auth_server['type'] === 'radius') {
517
			$radius_server_txt .= <<<EOD
518
				{$nice_user_source} {
519
					address = {$auth_server['host']}
520 53e8d0a3 Jose Luis Duran
					secret = "{$auth_server['radius_secret']}"
521 6684d594 Matt Smith
					auth_port = {$auth_server['radius_auth_port']}
522
					acct_port = {$auth_server['radius_acct_port']}
523
				}
524
525
EOD;
526
		}
527
	}
528
529
	/* write an eap-radius config section if appropriate */
530
	if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
531
		$strongswan .= <<<EOD
532
		eap-radius {
533
			class_group = yes
534
			eap_start = no
535
			servers {
536
{$radius_server_txt}
537
			}
538
		}
539
540
EOD;
541
	}
542
543 7a683b46 Ermal LUÇI
	if (is_array($a_client) && isset($a_client['enable'])) {
544
		$strongswan .= "\t\tattr {\n";
545
546
		$cfgservers = array();
547 79262830 Phil Davis
		if (!empty($a_client['dns_server1'])) {
548 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server1'];
549 79262830 Phil Davis
		}
550
		if (!empty($a_client['dns_server2'])) {
551 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server2'];
552 79262830 Phil Davis
		}
553
		if (!empty($a_client['dns_server3'])) {
554 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server3'];
555 79262830 Phil Davis
		}
556
		if (!empty($a_client['dns_server4'])) {
557 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['dns_server4'];
558 79262830 Phil Davis
		}
559 7a683b46 Ermal LUÇI
560 79262830 Phil Davis
		if (!empty($cfgservers)) {
561 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
562 79262830 Phil Davis
		}
563 7a683b46 Ermal LUÇI
		unset($cfgservers);
564
		$cfgservers = array();
565 79262830 Phil Davis
		if (!empty($a_client['wins_server1'])) {
566 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['wins_server1'];
567 79262830 Phil Davis
		}
568
		if (!empty($a_client['wins_server2'])) {
569 7a683b46 Ermal LUÇI
			$cfgservers[] = $a_client['wins_server2'];
570 79262830 Phil Davis
		}
571
		if (!empty($cfgservers)) {
572 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
573 79262830 Phil Davis
		}
574 7a683b46 Ermal LUÇI
		unset($cfgservers);
575
576 588d3cf6 Renato Botelho
		if (isset($a_client['net_list']) && is_array($a_phase2)) {
577 7a683b46 Ermal LUÇI
			$net_list = '';
578
			foreach ($a_phase2 as $ph2ent) {
579 79262830 Phil Davis
				if (isset($ph2ent['disabled'])) {
580 7a683b46 Ermal LUÇI
					continue;
581 79262830 Phil Davis
				}
582 496acde1 Ermal
583 79262830 Phil Davis
				if (!isset($ph2ent['mobile'])) {
584 7a683b46 Ermal LUÇI
					continue;
585 79262830 Phil Davis
				}
586 496acde1 Ermal
587 7a683b46 Ermal LUÇI
				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
588 496acde1 Ermal
589 79262830 Phil Davis
				if (!empty($net_list)) {
590 7a683b46 Ermal LUÇI
					$net_list .= ",";
591 79262830 Phil Davis
				}
592 7a683b46 Ermal LUÇI
				$net_list .= $localid;
593 496acde1 Ermal
			}
594
595 7a683b46 Ermal LUÇI
			if (!empty($net_list)) {
596 41f7b662 Matt Smith
				$strongswan .= "\t\t\tsubnet = {$net_list}\n";
597 7a683b46 Ermal LUÇI
				$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
598
				unset($net_list);
599 496acde1 Ermal
			}
600 7a683b46 Ermal LUÇI
		}
601 496acde1 Ermal
602 7a683b46 Ermal LUÇI
		if (!empty($a_client['dns_domain'])) {
603
			$strongswan .= "\t\t\t# Search domain and default domain\n";
604 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28674 = \"{$a_client['dns_domain']}\"\n";
605 e1c4a5ff Ermal LUÇI
			if (empty($a_client['dns_split'])) {
606 d17ad7f5 Ermal LUÇI
				$strongswan .= "\t\t\t28675 = \"{$a_client['dns_domain']}\"";
607 e1c4a5ff Ermal LUÇI
			}
608 7a683b46 Ermal LUÇI
			$strongswan .= "\n";
609
		}
610 496acde1 Ermal
611 7a683b46 Ermal LUÇI
		if (!empty($a_client['dns_split'])) {
612 883096d8 Ermal LUÇI
			$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
613 7a683b46 Ermal LUÇI
		}
614 496acde1 Ermal
615 79262830 Phil Davis
		if (!empty($a_client['login_banner'])) {
616 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n";
617 79262830 Phil Davis
		}
618 7a683b46 Ermal LUÇI
619 79262830 Phil Davis
		if (isset($a_client['save_passwd'])) {
620 7a683b46 Ermal LUÇI
			$strongswan .= "\t\t\t28673 = 1\n";
621 79262830 Phil Davis
		}
622 7a683b46 Ermal LUÇI
623 79262830 Phil Davis
		if ($a_client['pfs_group']) {
624 d17ad7f5 Ermal LUÇI
			$strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n";
625 79262830 Phil Davis
		}
626 7a683b46 Ermal LUÇI
		$strongswan .= "\t\t}\n";
627
628
		if ($a_client['user_source'] != "none") {
629
			$strongswan .= "\t\txauth-generic {\n";
630
			$strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
631
			$strongswan .= "\t\t\tauthcfg = ";
632
			$firstsed = 0;
633
			$authcfgs = explode(",", $a_client['user_source']);
634
			foreach ($authcfgs as $authcfg) {
635 79262830 Phil Davis
				if ($firstsed > 0) {
636 7a683b46 Ermal LUÇI
					$strongswan .= ",";
637 79262830 Phil Davis
				}
638
				if ($authcfg == "system") {
639 7a683b46 Ermal LUÇI
					$authcfg = "Local Database";
640 79262830 Phil Davis
				}
641 7a683b46 Ermal LUÇI
				$strongswan .= $authcfg;
642
				$firstsed = 1;
643 91287d1f Ermal
			}
644 7a683b46 Ermal LUÇI
			$strongswan .= "\n";
645
			$strongswan .= "\t\t}\n";
646 496acde1 Ermal
		}
647 7a683b46 Ermal LUÇI
	}
648 496acde1 Ermal
649 de985aea Renato Botelho
	$strongswan .= "\n\t}\n}\n";
650 7a683b46 Ermal LUÇI
	@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
651
	unset($strongswan);
652 8f67a8e1 Scott Ullrich
653 14ec7c4b Chris Buechler
	/* write out CRL files */
654
	if (is_array($config['crl']) && count($config['crl'])) {
655
		foreach ($config['crl'] as $crl) {
656
			if (!isset($crl['text'])) {
657 905205a2 Chris Buechler
				log_error(sprintf(gettext("Warning: Missing CRL data for %s"), $crl['descr']));
658 14ec7c4b Chris Buechler
				continue;
659
			}
660
			$fpath = "{$crlpath}/{$crl['refid']}.crl";
661
			if (!@file_put_contents($fpath, base64_decode($crl['text']))) {
662
				log_error(sprintf(gettext("Error: Cannot write IPsec CRL file for %s"), $crl['descr']));
663
				continue;
664
			}
665
		}
666
	}
667 09628a07 Renato Botelho
668 7a683b46 Ermal LUÇI
	$pskconf = "";
669 037b51b3 Seth Mos
670 9d8f66b9 Matt Smith
	$vpncas = array();
671 7a683b46 Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
672
		foreach ($a_phase1 as $ph1ent) {
673 a93e56c5 Matthew Grooms
674 79262830 Phil Davis
			if (isset($ph1ent['disabled'])) {
675 7a683b46 Ermal LUÇI
				continue;
676 79262830 Phil Davis
			}
677 a93e56c5 Matthew Grooms
678 07d0d1b2 Ermal LUÇI
			if (strstr($ph1ent['authentication_method'], 'rsa') ||
679 cb377516 Ingo Bauersachs
			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
680 7a683b46 Ermal LUÇI
				$certline = '';
681 a93e56c5 Matthew Grooms
682 7a683b46 Ermal LUÇI
				$ikeid = $ph1ent['ikeid'];
683
				$cert = lookup_cert($ph1ent['certref']);
684 496acde1 Ermal
685 7a683b46 Ermal LUÇI
				if (!$cert) {
686
					log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
687
					continue;
688
				}
689 496acde1 Ermal
690 9d8f66b9 Matt Smith
				/* add signing CA cert chain of server cert
691
				 * to the list of CAs to write
692
				 */
693
				$cachain = ca_chain_array($cert);
694
				if ($cachain && is_array($cachain)) {
695
					foreach ($cachain as $cacrt) {
696
						$vpncas[$cacrt['refid']] = $cacrt;
697
					}
698
				}
699
700 7a683b46 Ermal LUÇI
				@chmod($certpath, 0600);
701 496acde1 Ermal
702 7a683b46 Ermal LUÇI
				$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
703
				if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
704
					log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
705
					continue;
706
				}
707
				@chmod($ph1keyfile, 0600);
708 496acde1 Ermal
709 7a683b46 Ermal LUÇI
				$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
710
				if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
711
					log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
712
					@unlink($ph1keyfile);
713
					continue;
714
				}
715
				@chmod($ph1certfile, 0600);
716 fa4e059e Ermal
717 7a683b46 Ermal LUÇI
				/* XXX" Traffic selectors? */
718
				$pskconf .= " : RSA {$ph1keyfile}\n";
719
			} else {
720 5324ea38 Ermal LUÇI
				list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
721
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
722 6990ad35 Phil Davis
723 d812e83e Chris Buechler
				$myid = trim($myid_data);
724 496acde1 Ermal
725 79262830 Phil Davis
				if (empty($peerid_data)) {
726 7a683b46 Ermal LUÇI
					continue;
727 79262830 Phil Davis
				}
728 496acde1 Ermal
729 019ee2bc Renato Botelho
				if ($myid_type == 'fqdn' && !empty($myid)) {
730
					$myid = "@{$myid}";
731
				}
732 6990ad35 Phil Davis
733 d44e7dc0 Chris Buechler
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
734 019ee2bc Renato Botelho
735 5324ea38 Ermal LUÇI
				$peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : '';
736 019ee2bc Renato Botelho
737
				if ($peerid_type == 'fqdn' && !empty($peerid)) {
738
					$peerid = "@{$peerid}";
739
				}
740
741 13403bd1 Ermal LUÇI
				if (!empty($ph1ent['pre-shared-key'])) {
742 019ee2bc Renato Botelho
					$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
743 41d968bd Chris Buechler
					if (isset($ph1ent['mobile'])) {
744
						$pskconf .= " : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
745
					}
746 13403bd1 Ermal LUÇI
				}
747 5b237745 Scott Ullrich
			}
748 9d8f66b9 Matt Smith
749
			/* if the client authenticates with a cert add the
750
			 * client cert CA chain to the list of CAs to write
751
			 */
752
			if (in_array($ph1ent['authentication_method'],
753
			array('rsasig', 'eap-tls', 'xauth_rsa_server'))) {
754
755
				if (!empty($ph1ent['caref']) && !array_key_exists($ph1ent['caref'], $vpncas)) {
756
					$thisca = lookup_ca($ph1ent['caref']);
757
					$vpncas[$ph1ent['caref']] = $thisca;
758
759
					/* follow chain up to root */
760
					$cachain = ca_chain_array($thisca);
761
					if ($cachain and is_array($cachain)) {
762
						foreach ($cachain as $cacrt) {
763
							$vpncas[$cacrt['refid']] = $cacrt;
764
						}
765
					}
766
				}
767
			}
768
		}
769
	}
770
771
	/* write the required CAs */
772
	foreach ($vpncas as $carefid => $cadata) {
773
		$cacrt = base64_decode($cadata['crt']);
774
		$cacrtattrs = openssl_x509_parse($cacrt);
775
		if (!is_array($cacrtattrs) || !isset($cacrtattrs['hash'])) {
776
			log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $cadata['descr']));
777
			continue;
778
		}
779
		$cafilename = "{$capath}/{$cacrtattrs['hash']}.0.crt";
780
		if (!@file_put_contents($cafilename, $cacrt)) {
781
				log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $cadata['descr']));
782
				continue;
783 a93e56c5 Matthew Grooms
		}
784 7a683b46 Ermal LUÇI
	}
785 a93e56c5 Matthew Grooms
786 7a683b46 Ermal LUÇI
	/* Add user PSKs */
787
	if (is_array($config['system']) && is_array($config['system']['user'])) {
788
		foreach ($config['system']['user'] as $user) {
789
			if (!empty($user['ipsecpsk'])) {
790 62102a8b Chris Buechler
				$pskconf .= "{$myid} {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
791 4ed2dde7 jim-p
			}
792
		}
793 7a683b46 Ermal LUÇI
		unset($user);
794
	}
795 4ed2dde7 jim-p
796 7a683b46 Ermal LUÇI
	/* add PSKs for mobile clients */
797
	if (is_array($ipseccfg['mobilekey'])) {
798
		foreach ($ipseccfg['mobilekey'] as $key) {
799 79262830 Phil Davis
			if ($key['ident'] == "allusers") {
800 7f69cbe7 Ermal LUÇI
				$key['ident'] = '%any';
801 79262830 Phil Davis
			}
802 a83fce46 Chris Buechler
			if ($key['ident'] == "any") {
803
				$key['ident'] = '%any';
804
			}
805 79262830 Phil Davis
			if (empty($key['type'])) {
806 10e2acb5 Ermal LUÇI
				$key['type'] = 'PSK';
807 79262830 Phil Davis
			}
808 62102a8b Chris Buechler
			$pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
809 2ef1b601 jim-p
		}
810 7a683b46 Ermal LUÇI
		unset($key);
811
	}
812 2ef1b601 jim-p
813 7a683b46 Ermal LUÇI
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
814
	chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
815
	unset($pskconf);
816 09628a07 Renato Botelho
817 86e1846f Ermal LUÇI
	$uniqueids = 'yes';
818
	if (!empty($config['ipsec']['uniqueids'])) {
819 086cf944 Phil Davis
		if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling)) {
820 86e1846f Ermal LUÇI
			$uniqueids = $config['ipsec']['uniqueids'];
821 086cf944 Phil Davis
		}
822 86e1846f Ermal LUÇI
	}
823 7a683b46 Ermal LUÇI
	$natfilterrules = false;
824
	/* begin ipsec.conf */
825
	$ipsecconf = "";
826 40cc36d1 Ermal LUÇI
	$enablecompression = false;
827 6c07db48 Phil Davis
	if (is_array($a_phase1) && count($a_phase1)) {
828 17da6c79 Scott Ullrich
829 7a683b46 Ermal LUÇI
		$ipsecconf .= "# This file is automatically generated. Do not edit\n";
830 86e1846f Ermal LUÇI
		$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
831 6990ad35 Phil Davis
832 df4de32d Chris Buechler
		if (isset($config['ipsec']['strictcrlpolicy'])) {
833
			$ipsecconf .= "\tstrictcrlpolicy = yes \n";
834
		}
835 4178a1dd jim-p
836 0a9e6c85 Chris Buechler
		if (!isset($config['ipsec']['noshuntlaninterfaces'])) {
837 0887e836 Ermal LUÇI
			if ($config['interfaces']['lan']) {
838
				$lanip = get_interface_ip("lan");
839
				if (!empty($lanip) && is_ipaddrv4($lanip)) {
840
					$lansn = get_interface_subnet("lan");
841
					$lansa = gen_subnet($lanip, $lansn);
842
					$ipsecconf .= <<<EOD
843 755b75c7 Ermal LUÇI
844 0887e836 Ermal LUÇI
conn bypasslan
845 699e2074 Chris Buechler
	leftsubnet = {$lansa}/{$lansn}
846 0a9e6c85 Chris Buechler
	rightsubnet = {$lansa}/{$lansn}
847
	authby = never
848
	type = passthrough
849
	auto = route
850 0887e836 Ermal LUÇI
851
EOD;
852
				}
853
			}
854
		}
855
856 7a683b46 Ermal LUÇI
		foreach ($a_phase1 as $ph1ent) {
857 79262830 Phil Davis
			if (isset($ph1ent['disabled'])) {
858 7a683b46 Ermal LUÇI
				continue;
859 79262830 Phil Davis
			}
860 96267107 Ermal
861 79262830 Phil Davis
			if ($ph1ent['mode'] == "aggressive") {
862 7a683b46 Ermal LUÇI
				$aggressive = "yes";
863 79262830 Phil Davis
			} else {
864 7a683b46 Ermal LUÇI
				$aggressive = "no";
865 79262830 Phil Davis
			}
866 7a683b46 Ermal LUÇI
867
			$ep = ipsec_get_phase1_src($ph1ent);
868 79262830 Phil Davis
			if (!$ep) {
869 7a683b46 Ermal LUÇI
				continue;
870 79262830 Phil Davis
			}
871 7a683b46 Ermal LUÇI
872
			$ikeid = $ph1ent['ikeid'];
873
			$keyexchange = "ikev1";
874
			$passive = "route";
875
			if (!empty($ph1ent['iketype'])) {
876
				if ($ph1ent['iketype'] == "ikev2") {
877
					$keyexchange = "ikev2";
878 f15f4c17 Chris Buechler
				} elseif ($ph1ent['iketype'] == "auto") {
879
					$keyexchange = "ike";
880 6990ad35 Phil Davis
				}
881 7a683b46 Ermal LUÇI
			}
882 0b5fc1d1 Ermal
883 7a683b46 Ermal LUÇI
			if (isset($ph1ent['mobile'])) {
884
				$right_spec = "%any";
885
				$passive = 'add';
886 95783403 Ermal LUÇI
			} else {
887 79262830 Phil Davis
				if (isset($ph1ent['responderonly'])) {
888 87808568 Ermal LUÇI
					$passive = 'add';
889 79262830 Phil Davis
				}
890 87808568 Ermal LUÇI
891 7a683b46 Ermal LUÇI
				$right_spec = $ph1ent['remote-gateway'];
892 79262830 Phil Davis
				if (is_ipaddr($right_spec)) {
893 7f9844c2 Ermal LUÇI
					$sourcehost = $right_spec;
894 79262830 Phil Davis
				} else {
895 7f9844c2 Ermal LUÇI
					$sourcehost = $rgmap['remote-gateway'];
896 79262830 Phil Davis
				}
897 7f9844c2 Ermal LUÇI
898 c7d44786 Ermal LUÇI
				if ($ph1ent['protocol'] == 'inet') {
899 2a5960b0 Luiz Otavio O Souza
					if (substr($ph1ent['interface'], 0, 4) == "_vip") {
900
						$vpninterface = get_configured_vip_interface($ph1ent['interface']);
901
						$ifacesuse = get_real_interface($vpninterface);
902 95783403 Ermal LUÇI
					} else {
903
						$ifacesuse = get_failover_interface($ph1ent['interface']);
904 2a5960b0 Luiz Otavio O Souza
						if (substr($ifacesuse, 0, 4) == "_vip") {
905
							$vpninterface = get_configured_vip_interface($ifacesuse);
906
							$ifacesuse = get_real_interface($vpninterface);
907 29de629e Chris Buechler
						} else {
908
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
909
						}
910 95783403 Ermal LUÇI
					}
911 79262830 Phil Davis
912 52b25e81 Ermal LUÇI
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
913 b61930dc Ermal LUÇI
						$gatewayip = get_interface_gateway($vpninterface);
914
						$interfaceip = get_interface_ip($vpninterface);
915
						$subnet_bits = get_interface_subnet($vpninterface);
916 95783403 Ermal LUÇI
						$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
917
						/* if the remote gateway is in the local subnet, then don't add a route */
918 b61930dc Ermal LUÇI
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
919 95783403 Ermal LUÇI
							if (is_ipaddrv4($gatewayip)) {
920 1e453232 Ermal LUÇI
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
921 b61930dc Ermal LUÇI
								mwexec("/sbin/route change -host {$sourcehost} {$gatewayip}", true);
922 95783403 Ermal LUÇI
							}
923
						}
924
					}
925 c7d44786 Ermal LUÇI
				} else if ($ph1ent['protocol'] == 'inet6') {
926 2a5960b0 Luiz Otavio O Souza
					if (substr($ph1ent['interface'], 0, 4) == "_vip") {
927
						$vpninterface = get_configured_vip_interface($ph1ent['interface']);
928
						$ifacesuse = get_real_interface($vpninterface);
929 95783403 Ermal LUÇI
					} else {
930
						$ifacesuse = get_failover_interface($ph1ent['interface']);
931 2a5960b0 Luiz Otavio O Souza
						if (substr($ifacesuse, 0, 4) == "_vip") {
932
							$vpninterface = get_configured_vip_interface($ifacesuse);
933
							$ifacesuse = get_real_interface($vpninterface);
934 c406924f Chris Buechler
						} else {
935
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
936
						}
937 95783403 Ermal LUÇI
					}
938 79262830 Phil Davis
939 b61930dc Ermal LUÇI
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
940
						$gatewayip = get_interface_gateway_v6($vpninterface);
941
						$interfaceip = get_interface_ipv6($vpninterface);
942
						$subnet_bits = get_interface_subnetv6($vpninterface);
943 95783403 Ermal LUÇI
						$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
944
						/* if the remote gateway is in the local subnet, then don't add a route */
945 b61930dc Ermal LUÇI
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
946 95783403 Ermal LUÇI
							if (is_ipaddrv6($gatewayip)) {
947 1e453232 Ermal LUÇI
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
948 b61930dc Ermal LUÇI
								mwexec("/sbin/route change -inet6 -host {$sourcehost} {$gatewayip}", true);
949 95783403 Ermal LUÇI
							}
950
						}
951
					}
952
				}
953
			}
954 7a683b46 Ermal LUÇI
955 5324ea38 Ermal LUÇI
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
956 d9d237af Renato Botelho
			if ($myid_type != 'address' && $myid_type != 'keyid' && $myid_type != 'asn1dn') {
957 5324ea38 Ermal LUÇI
				$myid_data = "{$myid_type}:{$myid_data}";
958 d9d237af Renato Botelho
			} elseif ($myid_type == "asn1dn" && !empty($myid_data)) {
959
				if ($myid_data[0] == '#') {
960 d5dd538d Renato Botelho
				/* asn1dn needs double quotes */
961 d9d237af Renato Botelho
					$myid_data = "\"{$myid_type}:{$myid_data}\"";
962
				} else {
963
					$myid_data = "\"{$myid_data}\"";
964 d5dd538d Renato Botelho
				}
965 79262830 Phil Davis
			}
966 d9d237af Renato Botelho
			$leftid = '';
967
			if (!empty($myid_data)) {
968
				$leftid = "leftid = {$myid_data}";
969
			}
970 7a683b46 Ermal LUÇI
971
			$peerid_spec = '';
972 021a97b5 Chris Buechler
			if (isset($ph1ent['mobile']) && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) {
973
				// Only specify peer ID if we are not dealing with mobile PSK
974
			} else {
975 5324ea38 Ermal LUÇI
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
976 b0994811 Chris Buechler
				if ($peerid_type == 'any') {
977
					$peerid_spec = '';
978
				} elseif ($peerid_type != 'address' && $peerid_type != 'keyid' && $peerid_type != 'asn1dn') {
979 5324ea38 Ermal LUÇI
					$peerid_spec = "{$peerid_type}:{$peerid_data}";
980 d9d237af Renato Botelho
				} elseif ($peerid_type == "asn1dn") {
981 d5dd538d Renato Botelho
					/* asn1dn needs double quotes */
982 d9d237af Renato Botelho
					if ($peerid_data[0] == '#') {
983
						$peerid_spec = "\"{$peerid_type}:{$peerid_data}\"";
984
					} elseif (!empty($peerid_data)) {
985
						$peerid_spec = "\"{$peerid_data}\"";
986 d5dd538d Renato Botelho
					}
987 79262830 Phil Davis
				} else {
988 5324ea38 Ermal LUÇI
					$peerid_spec = $peerid_data;
989 79262830 Phil Davis
				}
990 5324ea38 Ermal LUÇI
			}
991 7a683b46 Ermal LUÇI
992
			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
993
				$ealgosp1 = '';
994
				$ealg_id = $ph1ent['encryption-algorithm']['name'];
995
				$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
996 79262830 Phil Davis
				if ($ealg_kl) {
997 7a683b46 Ermal LUÇI
					$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
998 79262830 Phil Davis
				} else {
999 7a683b46 Ermal LUÇI
					$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
1000 79262830 Phil Davis
				}
1001 0b5fc1d1 Ermal
1002 7a683b46 Ermal LUÇI
				$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
1003 79262830 Phil Davis
				if (!empty($modp)) {
1004 7a683b46 Ermal LUÇI
					$ealgosp1 .= "-{$modp}";
1005 79262830 Phil Davis
				}
1006 0b5fc1d1 Ermal
1007 7a683b46 Ermal LUÇI
				$ealgosp1 .= "!";
1008
			}
1009 c52719a8 Scott Ullrich
1010 7a683b46 Ermal LUÇI
			if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
1011 79262830 Phil Davis
				if ($passive == "route") {
1012 7a683b46 Ermal LUÇI
					$dpdline = "dpdaction = restart";
1013 79262830 Phil Davis
				} else {
1014 7a683b46 Ermal LUÇI
					$dpdline = "dpdaction = clear";
1015 79262830 Phil Davis
				}
1016 7a683b46 Ermal LUÇI
				$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
1017
				$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
1018
				$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
1019 79262830 Phil Davis
			} else {
1020 7a683b46 Ermal LUÇI
				$dpdline = "dpdaction = none";
1021 79262830 Phil Davis
			}
1022 7a683b46 Ermal LUÇI
1023
			$ikelifeline = '';
1024 79262830 Phil Davis
			if ($ph1ent['lifetime']) {
1025 7a683b46 Ermal LUÇI
				$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
1026 79262830 Phil Davis
			}
1027 7a683b46 Ermal LUÇI
1028
			$rightsourceip = NULL;
1029 86330e2b jim-p
			if (isset($ph1ent['mobile'])) {
1030 446db735 Matt Smith
				$rightsourceips = array();
1031 86330e2b jim-p
				if (!empty($a_client['pool_address'])) {
1032 446db735 Matt Smith
					$rightsourceips[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
1033
				}
1034
				if (!empty($a_client['pool_address_v6'])) {
1035
					$rightsourceips[] = "{$a_client['pool_address_v6']}/{$a_client['pool_netbits_v6']}";
1036
				}
1037
				if ($ph1ent['authentication_method'] == "eap-radius" && !count($rightsourceips)) {
1038
					$rightsourceips[] = "%radius";
1039
				}
1040
				if (count($rightsourceips)) {
1041
					$rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n";
1042 86330e2b jim-p
				}
1043 79262830 Phil Davis
			}
1044 7a683b46 Ermal LUÇI
1045 7a7e1ba9 Matt Smith
			if (!empty($ph1ent['caref'])) {
1046
				$ca = lookup_ca($ph1ent['caref']);
1047
				if ($ca) {
1048
					$casubarr = cert_get_subject_array($ca['crt']);
1049
					$casub = "";
1050
					foreach ($casubarr as $casubfield) {
1051
						if (empty($casub)) {
1052
							$casub = "/";
1053
						}
1054
						$casub .= "{$casubfield['a']}={$casubfield['v']}/";
1055
					}
1056
1057
				}
1058
			}
1059
1060 7a683b46 Ermal LUÇI
			$authentication = "";
1061
			switch ($ph1ent['authentication_method']) {
1062 79262830 Phil Davis
				case 'eap-mschapv2':
1063
					if (isset($ph1ent['mobile'])) {
1064
						$authentication = "eap_identity=%any\n\t";
1065
						$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
1066
						if (!empty($ph1ent['certref'])) {
1067
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1068 ce0dbd72 Matt Smith
							$authentication .= "\n\tleftsendcert=always";
1069 79262830 Phil Davis
						}
1070
					}
1071
					break;
1072
				case 'eap-tls':
1073
					if (isset($ph1ent['mobile'])) {
1074
						$authentication = "eap_identity=%identity\n\t";
1075
						$authentication .= "leftauth=pubkey\n\trightauth=eap-tls";
1076
						if (!empty($ph1ent['certref'])) {
1077
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1078 ce0dbd72 Matt Smith
							$authentication .= "\n\tleftsendcert=always";
1079 79262830 Phil Davis
						}
1080
					} else {
1081
						$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
1082
						if (!empty($ph1ent['certref'])) {
1083
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1084 ce0dbd72 Matt Smith
							$authentication .= "\n\tleftsendcert=always";
1085 79262830 Phil Davis
						}
1086 cb377516 Ingo Bauersachs
					}
1087 7a7e1ba9 Matt Smith
					if (isset($casub)) {
1088
						$authentication .= "\n\trightca=\"$casub\"";
1089
					}
1090 cb377516 Ingo Bauersachs
					break;
1091
				case 'eap-radius':
1092
					if (isset($ph1ent['mobile'])) {
1093
						$authentication = "eap_identity=%identity\n\t";
1094
						$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
1095 086cf944 Phil Davis
						if (!empty($ph1ent['certref'])) {
1096 cb377516 Ingo Bauersachs
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1097 ce0dbd72 Matt Smith
							$authentication .= "\n\tleftsendcert=always";
1098 086cf944 Phil Davis
						}
1099 cb377516 Ingo Bauersachs
					} else {
1100
						$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
1101
						if (!empty($ph1ent['certref'])) {
1102
							$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1103 ce0dbd72 Matt Smith
							$authentication .= "\n\tleftsendcert=always";
1104 cb377516 Ingo Bauersachs
						}
1105 79262830 Phil Davis
					}
1106
					break;
1107
				case 'xauth_rsa_server':
1108
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
1109
					$authentication .= "\n\trightauth2 = xauth-generic";
1110
					if (!empty($ph1ent['certref'])) {
1111 10e2acb5 Ermal LUÇI
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1112 79262830 Phil Davis
					}
1113 7a7e1ba9 Matt Smith
					if (isset($casub)) {
1114
						$authentication .= "\n\trightca=\"$casub\"";
1115
					}
1116 79262830 Phil Davis
					break;
1117
				case 'xauth_psk_server':
1118
					$authentication = "leftauth = psk\n\trightauth = psk";
1119
					$authentication .= "\n\trightauth2 = xauth-generic";
1120
					break;
1121
				case 'pre_shared_key':
1122
					$authentication = "leftauth = psk\n\trightauth = psk";
1123
					break;
1124
				case 'rsasig':
1125
					$authentication = "leftauth = pubkey\n\trightauth = pubkey";
1126
					if (!empty($ph1ent['certref'])) {
1127 54ab1bdc Ermal LUÇI
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1128 79262830 Phil Davis
					}
1129 7a7e1ba9 Matt Smith
					if (isset($casub)) {
1130
						$authentication .= "\n\trightca=\"$casub\"";
1131
					}
1132 79262830 Phil Davis
					break;
1133
				case 'hybrid_rsa_server':
1134 7b1e6c3a Matt Smith
					$authentication = "leftauth = pubkey\n\trightauth = xauth-generic";
1135 79262830 Phil Davis
					if (!empty($ph1ent['certref'])) {
1136 54ab1bdc Ermal LUÇI
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
1137 79262830 Phil Davis
					}
1138
					break;
1139 7a683b46 Ermal LUÇI
			}
1140 b4ad5b1c Ermal
1141 7a683b46 Ermal LUÇI
			$left_spec = $ep;
1142 c52719a8 Scott Ullrich
1143 79262830 Phil Davis
			if (isset($ph1ent['reauth_enable'])) {
1144 7a683b46 Ermal LUÇI
				$reauth = "reauth = no";
1145 79262830 Phil Davis
			} else {
1146 7a683b46 Ermal LUÇI
				$reauth = "reauth = yes";
1147 79262830 Phil Davis
			}
1148
			if (isset($ph1ent['rekey_enable'])) {
1149 7a683b46 Ermal LUÇI
				$rekey = "rekey = no";
1150 79262830 Phil Davis
			} else {
1151 7a683b46 Ermal LUÇI
				$rekey = "rekey = yes";
1152 79262830 Phil Davis
			}
1153 16c02722 Ermal
1154 79262830 Phil Davis
			if ($ph1ent['nat_traversal'] == 'off') {
1155 7a683b46 Ermal LUÇI
				$forceencaps = 'forceencaps = no';
1156 79262830 Phil Davis
			} else if ($ph1ent['nat_traversal'] == 'force') {
1157 7a683b46 Ermal LUÇI
				$forceencaps = 'forceencaps = yes';
1158 79262830 Phil Davis
			} else {
1159 7a683b46 Ermal LUÇI
				$forceencaps = 'forceencaps = no';
1160 79262830 Phil Davis
			}
1161
1162
			if ($ph1ent['mobike'] == 'on') {
1163 065e78b3 Chris Buechler
				$mobike = 'mobike = yes';
1164 79262830 Phil Davis
			} else {
1165 065e78b3 Chris Buechler
				$mobike = 'mobike = no';
1166 79262830 Phil Davis
			}
1167 7a683b46 Ermal LUÇI
1168 54c36056 Chris Buechler
			if (isset($ph1ent['tfc_enable'])) {
1169
				if (isset($ph1ent['tfc_bytes']) && is_numericint($ph1ent['tfc_bytes'])) {
1170
					$tfc = "tfc = {$ph1ent['tfc_bytes']}";
1171
				} else {
1172
					$tfc = "tfc = %mtu";
1173
				}
1174
			}
1175
1176 7a683b46 Ermal LUÇI
			$ipseclifetime = 0;
1177
			$rightsubnet_spec = array();
1178
			$leftsubnet_spec = array();
1179 1fe208ec Ermal LUÇI
			$reqids = array();
1180 7a683b46 Ermal LUÇI
			$ealgoAHsp2arr = array();
1181
			$ealgoESPsp2arr = array();
1182
		if (is_array($a_phase2) && count($a_phase2)) {
1183
			foreach ($a_phase2 as $ph2ent) {
1184 79262830 Phil Davis
				if ($ikeid != $ph2ent['ikeid']) {
1185 7a683b46 Ermal LUÇI
					continue;
1186 79262830 Phil Davis
				}
1187 c52719a8 Scott Ullrich
1188 79262830 Phil Davis
				if (isset($ph2ent['disabled'])) {
1189 7a683b46 Ermal LUÇI
					continue;
1190 79262830 Phil Davis
				}
1191 6586b30f Ermal
1192 79262830 Phil Davis
				if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) {
1193 7a683b46 Ermal LUÇI
					continue;
1194 79262830 Phil Davis
				}
1195 96ef83a7 jim-p
1196 7a683b46 Ermal LUÇI
				if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
1197
					$tunneltype = "type = tunnel";
1198 c52719a8 Scott Ullrich
1199 7a683b46 Ermal LUÇI
					$localid_type = $ph2ent['localid']['type'];
1200
					$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
1201 d8cb5ff3 Ermal LUÇI
1202 7a683b46 Ermal LUÇI
					/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
1203 79262830 Phil Davis
					if (($localid_type == "none" || $localid_type == "mobile") &&
1204 086cf944 Phil Davis
					    isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) {
1205 7a683b46 Ermal LUÇI
						$left_spec = '%any';
1206
					} else {
1207
						if ($localid_type != "address") {
1208
							$localid_type = "subnet";
1209
						}
1210
						// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
1211
						if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
1212
							log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
1213
							continue;
1214
						}
1215
						if (!empty($ph2ent['natlocalid'])) {
1216 6c07db48 Phil Davis
							$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
1217 7a683b46 Ermal LUÇI
							if ($ph2ent['natlocalid']['type'] != "address") {
1218 79262830 Phil Davis
								if (is_subnet($natleftsubnet_data)) {
1219 7a683b46 Ermal LUÇI
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
1220 79262830 Phil Davis
								}
1221 7a683b46 Ermal LUÇI
							} else {
1222 79262830 Phil Davis
								if (is_ipaddr($natleftsubnet_data)) {
1223 7a683b46 Ermal LUÇI
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
1224 79262830 Phil Davis
								}
1225 3c107b76 Ermal
							}
1226 7a683b46 Ermal LUÇI
							$natfilterrules = true;
1227 20699f3f jim-p
						}
1228 7a683b46 Ermal LUÇI
					}
1229 3462a529 Matthew Grooms
1230 d8cb5ff3 Ermal LUÇI
					$leftsubnet_spec[] = $leftsubnet_data;
1231 0b5fc1d1 Ermal
1232 7a683b46 Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
1233
						$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
1234 d8cb5ff3 Ermal LUÇI
						$rightsubnet_spec[] = $tmpsubnet;
1235 7a683b46 Ermal LUÇI
					} else if (!empty($a_client['pool_address'])) {
1236 d8cb5ff3 Ermal LUÇI
						$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
1237 7a683b46 Ermal LUÇI
					}
1238
				} else {
1239
					$tunneltype = "type = transport";
1240 5b237745 Scott Ullrich
1241 7a683b46 Ermal LUÇI
					if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
1242 4e322e2c Phil Davis
					     ($ph1ent['authentication_method'] == "pre_shared_key")) &&
1243
					    isset($ph1ent['mobile'])) {
1244 7a683b46 Ermal LUÇI
						$left_spec = "%any";
1245
					} else {
1246
						$tmpsubnet = ipsec_get_phase1_src($ph1ent);
1247 d8cb5ff3 Ermal LUÇI
						$leftsubnet_spec[] = $tmpsubnet;
1248 7a683b46 Ermal LUÇI
					}
1249 0b5fc1d1 Ermal
1250 7a683b46 Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
1251 d8cb5ff3 Ermal LUÇI
						$rightsubnet_spec[] = $right_spec;
1252 3462a529 Matthew Grooms
					}
1253 7a683b46 Ermal LUÇI
				}
1254 c52719a8 Scott Ullrich
1255 8b760d4b Chris Buechler
				if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) {
1256 7a683b46 Ermal LUÇI
					$ph2ent['pfsgroup'] = $a_client['pfs_group'];
1257 79262830 Phil Davis
				}
1258 7a683b46 Ermal LUÇI
1259
				if ($ph2ent['protocol'] == 'esp') {
1260
					if (is_array($ph2ent['encryption-algorithm-option'])) {
1261
						foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
1262
							$ealg_id = $ealg['name'];
1263
							$ealg_kl = $ealg['keylen'];
1264
1265
							if (!empty($ealg_kl) && $ealg_kl == "auto") {
1266 79262830 Phil Davis
								if (empty($p2_ealgos) || !is_array($p2_ealgos)) {
1267 7a683b46 Ermal LUÇI
									require("ipsec.inc");
1268 79262830 Phil Davis
								}
1269 7a683b46 Ermal LUÇI
								$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
1270
								$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
1271
								$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
1272
								/* XXX: in some cases where include ordering is suspect these variables
1273
								 * are somehow 0 and we enter this loop forever and timeout after 900
1274
								 * seconds wrecking bootup */
1275 6c07db48 Phil Davis
								if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) {
1276 7a683b46 Ermal LUÇI
									for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
1277
										if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1278
											foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
1279
												$halgo = str_replace('hmac_', '', $halgo);
1280
												$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
1281 496acde1 Ermal
												$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1282 79262830 Phil Davis
												if (!empty($modp)) {
1283 496acde1 Ermal
													$tmpealgo .= "-{$modp}";
1284 79262830 Phil Davis
												}
1285 0b5fc1d1 Ermal
												$ealgoESPsp2arr[] = $tmpealgo;
1286 496acde1 Ermal
											}
1287 7a683b46 Ermal LUÇI
										} else {
1288
											$tmpealgo = "{$ealg_id}{$keylen}";
1289 c650b2f7 Ermal
											$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1290 79262830 Phil Davis
											if (!empty($modp)) {
1291 c650b2f7 Ermal
												$tmpealgo .= "-{$modp}";
1292 79262830 Phil Davis
											}
1293 c650b2f7 Ermal
											$ealgoESPsp2arr[] = $tmpealgo;
1294
										}
1295 7a683b46 Ermal LUÇI
									}
1296
								}
1297
							} else {
1298
								if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1299
									foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
1300
										$halgo = str_replace('hmac_', '', $halgo);
1301
										$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
1302 496acde1 Ermal
										$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1303 79262830 Phil Davis
										if (!empty($modp)) {
1304 496acde1 Ermal
											$tmpealgo .= "-{$modp}";
1305 79262830 Phil Davis
										}
1306 0b5fc1d1 Ermal
										$ealgoESPsp2arr[] = $tmpealgo;
1307 496acde1 Ermal
									}
1308 7a683b46 Ermal LUÇI
								} else {
1309
									$tmpealgo = "{$ealg_id}{$ealg_kl}";
1310
									$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1311 79262830 Phil Davis
									if (!empty($modp)) {
1312 7a683b46 Ermal LUÇI
										$tmpealgo .= "-{$modp}";
1313 79262830 Phil Davis
									}
1314 7a683b46 Ermal LUÇI
									$ealgoESPsp2arr[] = $tmpealgo;
1315 a93e56c5 Matthew Grooms
								}
1316 979cd6db Scott Ullrich
							}
1317 496acde1 Ermal
						}
1318 7a683b46 Ermal LUÇI
					}
1319
				} else if ($ph2ent['protocol'] == 'ah') {
1320
					if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1321
						$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1322
						foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
1323
							$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
1324 79262830 Phil Davis
							if (!empty($modp)) {
1325 7a683b46 Ermal LUÇI
								$tmpAHalgo = "-{$modp}";
1326 79262830 Phil Davis
							}
1327 7a683b46 Ermal LUÇI
							$ealgoAHsp2arr[] = $tmpAHalgo;
1328 a93e56c5 Matthew Grooms
						}
1329 a63f7d55 Scott Ullrich
					}
1330 7a683b46 Ermal LUÇI
				}
1331 c52719a8 Scott Ullrich
1332 1fe208ec Ermal LUÇI
				$reqids[] = $ph2ent['reqid'];
1333 4b96b367 mgrooms
1334 7a683b46 Ermal LUÇI
				if (!empty($ph2ent['lifetime'])) {
1335 79262830 Phil Davis
					if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
1336 7a683b46 Ermal LUÇI
						$ipseclifetime = intval($ph2ent['lifetime']);
1337 79262830 Phil Davis
					}
1338 0b5fc1d1 Ermal
				}
1339 7a683b46 Ermal LUÇI
1340 0b5fc1d1 Ermal
			}
1341 7a683b46 Ermal LUÇI
		}
1342 496acde1 Ermal
1343 d8cb5ff3 Ermal LUÇI
			$ipsecconnect =<<<EOD
1344 0b7f174c Ermal LUÇI
	fragmentation = yes
1345
	keyexchange = {$keyexchange}
1346
	{$reauth}
1347
	{$forceencaps}
1348 065e78b3 Chris Buechler
	{$mobike}
1349 54c36056 Chris Buechler
	{$tfc}
1350 0b7f174c Ermal LUÇI
	{$rekey}
1351
	installpolicy = yes
1352
	{$tunneltype}
1353
	{$dpdline}
1354
	auto = {$passive}
1355
	left = {$left_spec}
1356
	right = {$right_spec}
1357 d9d237af Renato Botelho
	{$leftid}
1358 5b237745 Scott Ullrich
1359
EOD;
1360 4b96b367 mgrooms
1361 e57a3e40 Chris Buechler
			if (isset($config['ipsec']['compression'])) {
1362 2a691e34 Chris Buechler
				$ipsecconnect .= "\tcompress = yes\n";
1363 40cc36d1 Ermal LUÇI
				$enablecompression = true;
1364
			}
1365 79262830 Phil Davis
			if (!empty($ikelifeline)) {
1366 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\t{$ikelifeline}\n";
1367 79262830 Phil Davis
			}
1368
			if ($ipseclifetime > 0) {
1369 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
1370 79262830 Phil Davis
			}
1371
			if (!empty($rightsourceip)) {
1372 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "{$rightsourceip}";
1373 79262830 Phil Davis
			}
1374
			if (!empty($ealgosp1)) {
1375 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\t{$ealgosp1}\n";
1376 79262830 Phil Davis
			}
1377
			if (!empty($ealgoAHsp2arr)) {
1378 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
1379 79262830 Phil Davis
			}
1380
			if (!empty($ealgoESPsp2arr)) {
1381 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
1382 79262830 Phil Davis
			}
1383
			if (!empty($authentication)) {
1384 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\t{$authentication}\n";
1385 79262830 Phil Davis
			}
1386
			if (!empty($peerid_spec)) {
1387 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\trightid = {$peerid_spec}\n";
1388 79262830 Phil Davis
			}
1389
			if ($keyexchange == 'ikev1') {
1390 d8cb5ff3 Ermal LUÇI
				$ipsecconnect .= "\taggressive = {$aggressive}\n";
1391 79262830 Phil Davis
			}
1392 d8cb5ff3 Ermal LUÇI
1393 9d51fcde Chris Buechler
			if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
1394 d8cb5ff3 Ermal LUÇI
				if (!empty($rightsubnet_spec)) {
1395
					$ipsecfin = '';
1396
					foreach ($rightsubnet_spec as $idx => $rsubnet) {
1397
						$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
1398 b27fdc8b Ermal LUÇI
						//if (!empty($reqids[$idx])) {
1399
						//	$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
1400 d55e91c1 Chris Buechler
						//}
1401 d8cb5ff3 Ermal LUÇI
						$ipsecfin .= $ipsecconnect;
1402
						$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
1403
						$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
1404
					}
1405 79262830 Phil Davis
				} else {
1406 51a14c58 Phil Davis
					log_error(sprintf(gettext("No phase2 specifications for tunnel with REQID = %s"), $ikeid));
1407 79262830 Phil Davis
				}
1408 d8cb5ff3 Ermal LUÇI
			} else {
1409
				$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
1410 b27fdc8b Ermal LUÇI
				//if (!empty($reqids[$idx])) {
1411
				//	$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
1412 d55e91c1 Chris Buechler
				//}
1413 d8cb5ff3 Ermal LUÇI
				$ipsecfin .= $ipsecconnect;
1414 bfcb1e4a Ermal LUÇI
				if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
1415 d8cb5ff3 Ermal LUÇI
					$tempsubnets = array();
1416 79262830 Phil Davis
					foreach ($rightsubnet_spec as $rightsubnet) {
1417 d8cb5ff3 Ermal LUÇI
						$tempsubnets[$rightsubnet] = $rightsubnet;
1418 79262830 Phil Davis
					}
1419 d8cb5ff3 Ermal LUÇI
					$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
1420
					unset($tempsubnets, $rightsubnet);
1421
				}
1422
				if (!empty($leftsubnet_spec)) {
1423
					$tempsubnets = array();
1424 79262830 Phil Davis
					foreach ($leftsubnet_spec as $leftsubnet) {
1425 d8cb5ff3 Ermal LUÇI
						$tempsubnets[$leftsubnet] = $leftsubnet;
1426 79262830 Phil Davis
					}
1427 edda5d0b Ermal LUÇI
					$ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
1428 d8cb5ff3 Ermal LUÇI
					unset($tempsubnets, $leftsubnet);
1429
				}
1430
			}
1431
			$ipsecconf .= $ipsecfin;
1432
			unset($ipsecfin);
1433 a93e56c5 Matthew Grooms
		}
1434 496acde1 Ermal
	}
1435 7a683b46 Ermal LUÇI
1436 496acde1 Ermal
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
1437
	unset($ipsecconf);
1438 6c576b27 Ermal
	/* end ipsec.conf */
1439 496acde1 Ermal
1440 79262830 Phil Davis
	if ($enablecompression === true) {
1441 40cc36d1 Ermal LUÇI
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
1442 79262830 Phil Davis
	} else {
1443 40cc36d1 Ermal LUÇI
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
1444 79262830 Phil Davis
	}
1445 40cc36d1 Ermal LUÇI
1446 79262830 Phil Davis
	/* manage process */
1447 420fce04 Ermal LUÇI
	if ($restart === true) {
1448 bc771514 Renato Botelho
		mwexec("/usr/local/sbin/ipsec restart", false);
1449 496acde1 Ermal
	} else {
1450 7370c469 Ermal LUÇI
		if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) {
1451 420fce04 Ermal LUÇI
			/* Update configuration changes */
1452 7370c469 Ermal LUÇI
			/* Read secrets */
1453 9edeadc5 Renato Botelho
			mwexec("/usr/local/sbin/ipsec rereadall", false);
1454 96072f52 Renato Botelho
			mwexec("/usr/local/sbin/ipsec reload", false);
1455 420fce04 Ermal LUÇI
		} else {
1456 bc771514 Renato Botelho
			mwexec("/usr/local/sbin/ipsec start", false);
1457 420fce04 Ermal LUÇI
		}
1458 496acde1 Ermal
	}
1459 9abaa8f7 Ermal
1460 d315b341 Chris Buechler
	// run ping_hosts.sh once if it's enabled to avoid wait for minicron
1461
	if ($ipsecpinghostsactive == true) {
1462
		mwexec_bg("/usr/local/bin/ping_hosts.sh");
1463
	}
1464
1465 79262830 Phil Davis
	if ($natfilterrules == true) {
1466 496acde1 Ermal
		filter_configure();
1467 79262830 Phil Davis
	}
1468 496acde1 Ermal
	/* start filterdns, if necessary */
1469
	if (count($filterdns_list) > 0) {
1470
		$interval = 60;
1471 79262830 Phil Davis
		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
1472 496acde1 Ermal
			$interval = $ipseccfg['dns-interval'];
1473 79262830 Phil Davis
		}
1474 496acde1 Ermal
1475
		$hostnames = "";
1476
		array_unique($filterdns_list);
1477 79262830 Phil Davis
		foreach ($filterdns_list as $hostname) {
1478 496acde1 Ermal
			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
1479 79262830 Phil Davis
		}
1480 496acde1 Ermal
		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
1481
		unset($hostnames);
1482
1483 79262830 Phil Davis
		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) {
1484 496acde1 Ermal
			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
1485 79262830 Phil Davis
		} else {
1486 496acde1 Ermal
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
1487 5b237745 Scott Ullrich
		}
1488 496acde1 Ermal
	} else {
1489
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
1490
		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
1491
	}
1492 09628a07 Renato Botelho
1493 79262830 Phil Davis
	if (platform_booting()) {
1494 496acde1 Ermal
		echo "done\n";
1495 79262830 Phil Davis
	}
1496 8f67a8e1 Scott Ullrich
1497 496acde1 Ermal
	return count($filterdns_list);
1498 5b237745 Scott Ullrich
}
1499
1500 09628a07 Renato Botelho
/*
 * Forcefully restart IPsec.
 *
 * Needed when a dynamic interface reloads; in every other situation the
 * regular vpn_ipsec_configure() reloads settings without a restart.
 *
 * $interface: optional friendly interface name. When given, the reload is
 * skipped (and logged) unless at least one enabled phase1 is bound to it.
 * Returns nothing.
 */
function vpn_ipsec_force_reload($interface = "") {
	global $g, $config;

	if (!ipsec_enabled()) {
		return;
	}

	$ipseccfg = $config['ipsec'];
	$phase1_list = $ipseccfg['phase1'];

	/* With an interface named, act only if an enabled tunnel lives on it. */
	if (!empty($interface) && is_array($phase1_list)) {
		$tunnel_on_iface = false;
		foreach ($phase1_list as $ph1ent) {
			if (isset($ph1ent['disabled'])) {
				continue;
			}
			if ($ph1ent['interface'] == $interface) {
				$tunnel_on_iface = true;
				break;
			}
		}

		if ($tunnel_on_iface === false) {
			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
			return;
		}
	}

	/* Past the checks above a full reconfigure is required. */
	log_error(gettext("Forcefully reloading IPsec"));
	vpn_ipsec_configure();
}
1533
1534
/*
 * Master VPN (mpd) setup: brings up every configured PPPoE server instance
 * and then the L2TP server. Takes no arguments and returns nothing.
 */
function vpn_setup() {
	/* PPPoE server instances first */
	vpn_pppoes_configure();

	/* then the L2TP server */
	vpn_l2tp_configure();
}
1542
1543 67b057a9 Ermal
/*
 * Attach netgraph(4) to every configured NIC whose type mpd can use
 * (ether, vlan, bridge). Interfaces that report no address info or another
 * type are skipped. Returns nothing.
 */
function vpn_netgraph_support() {
	$ng_capable_types = array("ether", "vlan", "bridge");

	foreach (get_configured_interface_list() as $friendly_if) {
		$realif = get_real_interface($friendly_if);

		/* Ask the NIC what it is before trying to hook netgraph onto it. */
		$ifinfo = pfSense_get_interface_addresses($realif);
		if (empty($ifinfo)) {
			continue;
		}
		if (!in_array($ifinfo['iftype'], $ng_capable_types)) {
			continue;
		}

		pfSense_ngctl_attach(".", $realif);
	}
}
1554
1555 0e642c78 Ermal
/*
 * Configure every PPPoE server instance listed in $config['pppoes']['pppoe'].
 * Does nothing when that list is absent or not an array. Returns nothing.
 */
function vpn_pppoes_configure() {
	global $config;

	$instances = $config['pppoes']['pppoe'];
	if (!is_array($instances)) {
		return;
	}

	foreach ($instances as $pppoe_instance) {
		vpn_pppoe_configure($pppoe_instance);
	}
}
1564
1565
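/*
 * Configure and (re)start one mpd4 PPPoE server instance.
 *
 * $pppoecfg is one entry of $config['pppoes']['pppoe']; it is taken by
 * reference only for compatibility with existing callers and is not modified.
 * Writes mpd.conf, mpd.links and (when local users exist) mpd.secret under
 * {$g['varetc_path']}/pppoe<pppoeid>-vpn, then launches mpd4 when mode is
 * 'server'.
 *
 * Returns 0 on success or when the instance is disabled at boot, 1 when one
 * of the config files cannot be opened for writing.
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];
	$confdir = "{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn";
	$pidfile = "{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($confdir)) {
		mkdir($confdir);
	}

	if (platform_booting()) {
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring PPPoE Server service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(2);
	}

	switch ($pppoecfg['mode']) {

		case 'server':

			$pppoe_interface = get_real_interface($pppoecfg['interface']);

			if ($pppoecfg['paporchap'] == "chap") {
				$paporchap = "set link enable chap";
			} else {
				$paporchap = "set link enable pap";
			}

			/* write mpd.conf */
			$fd = fopen("{$confdir}/mpd.conf", "w");
			if (!$fd) {
				/* echo, not printf: a translated message must never be used as a format string */
				echo gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n";
				return 1;
			}
			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdconf .= "	load poes{$pppoecfg['pppoeid']}{$i}\n";
			}

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {

				$clientip = ip_after($pppoecfg['remoteip'], $i);

				/* RADIUS-issued addresses: accept any remote; otherwise one fixed /32 per unit. */
				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
	{$issue_ip_type}
	load pppoe_standard

EOD;
			}
			if (is_numeric($pppoecfg['n_pppoe_maxlogin']) && ($pppoecfg['n_pppoe_maxlogin'] > 0)) {
				$pppoemaxlogins = $pppoecfg['n_pppoe_maxlogin'];
			} else {
				$pppoemaxlogins = 1;
			}

			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins {$pppoemaxlogins}
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			/* DNS handed to clients: explicit servers win; else the LAN address when a local
			 * resolver (dnsmasq or unbound, identical handling) is enabled; else system DNS. */
			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2'])) {
					$mpdconf .= " " . $pppoecfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pppoecfg['radius']['server']['enable'])) {
				$radiusport = "";
				$radiusacctport = "";
				if (isset($pppoecfg['radius']['server']['port'])) {
					$radiusport = $pppoecfg['radius']['server']['port'];
				}
				if (isset($pppoecfg['radius']['server']['acctport'])) {
					$radiusacctport = $pppoecfg['radius']['server']['acctport'];
				}
				/* NOTE(review): the RADIUS shared secret is written into mpd.conf, whose mode is
				 * whatever the umask gives (only mpd.secret is chmod'ed below) — confirm the
				 * config directory is not readable by unprivileged users. */
				$mpdconf .=<<<EOD
	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($pppoecfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
				if (isset($pppoecfg['radius']['nasip'])) {
					$mpdconf .= "\tset radius me {$pppoecfg['radius']['nasip']}\n";
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$confdir}/mpd.links", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n";
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdlinks .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	set phys type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set pppoe disable originate
	set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			if ($pppoecfg['username']) {
				/* write mpd.secret */
				$fd = fopen("{$confdir}/mpd.secret", "w");
				if (!$fd) {
					echo gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n";
					return 1;
				}
				/* Restrict the file before any credential is written: chmod after fclose()
				 * left a window in which the plaintext passwords had the umask-default mode. */
				chmod("{$confdir}/mpd.secret", 0600);

				$mpdsecret = "\n\n";

				if (!empty($pppoecfg['username'])) {
					$item = explode(" ", $pppoecfg['username']);
					foreach ($item as $userdata) {
						/* Each entry is "user:base64(password):ip"; pad so a missing field
						 * yields "" (same output as before) without an undefined-offset notice. */
						$data = array_pad(explode(":", $userdata), 3, "");
						$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
					}
				}

				fwrite($fd, $mpdsecret);
				fclose($fd);
				unset($mpdsecret);
			}

			/* Check if previous instance is still up */
			while (file_exists($pidfile) && isvalidpid($pidfile)) {
				killbypid($pidfile);
			}

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);
			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$confdir} -p {$pidfile} -s poes poes");

			break;
	}

	if (platform_booting()) {
		echo gettext("done") . "\n";
	}

	return 0;
}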
1793
1794
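/*
 * Configure and (re)start the mpd4 L2TP server.
 *
 * Reads $config['l2tp'] and writes mpd.conf, mpd.links and mpd.secret under
 * {$g['varetc_path']}/l2tp-vpn, then launches mpd4 when mode is 'server'.
 * Mode 'redir' is accepted but starts nothing.
 *
 * Returns 0 on success or when the service is disabled at boot, 1 when one
 * of the config files cannot be opened for writing.
 */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];
	$confdir = "{$g['varetc_path']}/l2tp-vpn";
	$pidfile = "{$g['varrun_path']}/l2tp-vpn.pid";

	/* create directory if it does not exist (a second, identical check that
	 * used to follow the kill/sleep step was redundant and has been dropped) */
	if (!is_dir($confdir)) {
		mkdir($confdir);
	}

	if (platform_booting()) {
		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(8);
	}

	switch ($l2tpcfg['mode']) {

		case 'server':
			/* Bind the L2TP listener to the interface address only when it is a usable IPv4 address. */
			$l2tp_listen = "";
			$ipaddr = get_interface_ip(get_failover_interface($l2tpcfg['interface']));
			if (is_ipaddrv4($ipaddr)) {
				$l2tp_listen = "set l2tp self $ipaddr";
			}

			switch ($l2tpcfg['paporchap']) {
				case 'chap':
					$paporchap = "set link enable chap";
					break;
				case 'chap-msv2':
					$paporchap = "set link enable chap-msv2";
					break;
				default:
					$paporchap = "set link enable pap";
					break;
			}

			/* write mpd.conf */
			$fd = fopen("{$confdir}/mpd.conf", "w");
			if (!$fd) {
				/* echo, not printf: a translated message must never be used as a format string */
				echo gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n";
				return 1;
			}
			$mpdconf = "\n\n";
			$mpdconf .=<<<EOD
l2tps:

EOD;

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdconf .= "	load l2tp{$i}\n";
			}

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {

				$clientip = ip_after($l2tpcfg['remoteip'], $i);

				/* RADIUS-issued addresses: accept any remote; otherwise one fixed /32 per unit. */
				if (isset($l2tpcfg['radius']['radiusissueips']) && isset($l2tpcfg['radius']['enable'])) {
					$issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
				} else {
					$issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$issue_ip_type}
	load l2tp_standard

EOD;
			}

			$mpdconf .=<<<EOD

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	{$paporchap}
	{$l2tp_listen}
	set link keep-alive 10 180

EOD;

			if (is_ipaddr($l2tpcfg['wins'])) {
				$mpdconf .= "	set ipcp nbns {$l2tpcfg['wins']}\n";
			}
			/* DNS handed to clients: explicit servers win; else the LAN address when a local
			 * resolver (dnsmasq or unbound, identical handling) is enabled; else system DNS. */
			if (is_ipaddr($l2tpcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $l2tpcfg['dns1'];
				if (is_ipaddr($l2tpcfg['dns2'])) {
					$mpdconf .= " " . $l2tpcfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($l2tpcfg['radius']['enable'])) {
				/* NOTE(review): the RADIUS shared secret is written into mpd.conf, whose mode is
				 * whatever the umask gives (only mpd.secret is chmod'ed below) — confirm the
				 * config directory is not readable by unprivileged users. */
				$mpdconf .=<<<EOD
	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($l2tpcfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$confdir}/mpd.links", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n";
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
				$mpdlinks .=<<<EOD

l2tp{$i}:
	set link type l2tp
	set l2tp enable incoming
	set l2tp disable originate

EOD;
				if (!empty($l2tpcfg['secret'])) {
					/* NOTE(review): unlike every other command this line is not tab-indented under
					 * its label, and the tunnel secret lands in mpd.links with umask-default mode;
					 * confirm both against mpd4 before changing. */
					$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
				}
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$confdir}/mpd.secret", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n";
				return 1;
			}
			/* Restrict the file before any credential is written: chmod after fclose()
			 * left a window in which the plaintext passwords had the umask-default mode. */
			chmod("{$confdir}/mpd.secret", 0600);

			$mpdsecret = "\n\n";

			if (is_array($l2tpcfg['user'])) {
				foreach ($l2tpcfg['user'] as $user) {
					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$confdir} -p {$pidfile} -s l2tps l2tps");

			break;

		case 'redir':
			break;
	}

	if (platform_booting()) {
		echo "done\n";
	}

	return 0;
}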
2013 630cfa6c Scott Ullrich
2014 79262830 Phil Davis
?>