<?php
/*
	ipsec.inc
	Copyright (C) 2007 Scott Ullrich
	Copyright (C) 2008 Shrew Soft Inc
	All rights reserved.

	Parts of this code was originally based on vpn_ipsec_sad.php
	Copyright (C) 2003-2004 Manuel Kasper

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.

	pfSense_BUILDER_BINARIES:	/sbin/setkey
	pfSense_MODULE:	ipsec

*/

/* IPsec defines */

/* strongSwan logging subsystems: subsystem code => human-readable label. */
$ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE SA", "chd" => "IKE Child SA",
	"job" => "Job Processing", "cfg" => "Configuration backend", "knl" => "Kernel Interface",
	"net" => "Networking", "asn" => "ASN encoding", "enc" => "Message encoding",
	"imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service",
	"tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSwan Lib");

/* Identifier types selectable for the local side of a phase1 entry.
 * 'desc' is the label, 'mobile' whether the type is offered for mobile
 * tunnels.  The keys are the ones translated by ipsec_find_id() below. */
$my_identifier_list = array(
	'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
	'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
	'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
	'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
	'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
	'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ),
	'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true ));

/* Identifier types selectable for the peer side; same layout as above. */
$peer_identifier_list = array(
	'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ),
	'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ),
	'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
	'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
	'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
	'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ));

/* Phase1 (IKE) encryption algorithms.  'keysel' describes the selectable
 * length range (lo/hi/step); entries without it have a fixed length.
 * NOTE(review): DES, 3DES, Blowfish and CAST128 are legacy ciphers kept
 * for interoperability with old peers; AES is the defensible default. */
$p1_ealgos = array(
	'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
	'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
	'3des' => array( 'name' => '3DES' ),
	'cast128' => array( 'name' => 'CAST128' ),
	'des' => array( 'name' => 'DES' ));

/* Phase2 (ESP) encryption algorithms, same layout as $p1_ealgos.  The
 * AES-GCM entries are authenticated ciphers; the lo/hi/step range for them
 * is not the key length (the key size is in the name) — presumably the
 * ICV length, confirm against the consumer before changing it. */
$p2_ealgos = array(
	'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
	'aes128gcm' => array( 'name' => 'AES128-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
	'aes192gcm' => array( 'name' => 'AES192-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
	'aes256gcm' => array( 'name' => 'AES256-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ),
	'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ),
	'3des' => array( 'name' => '3DES' ),
	'cast128' => array( 'name' => 'CAST128' ),
	'des' => array( 'name' => 'DES' ));

/* Phase1 integrity/PRF algorithms: config key => label.
 * NOTE(review): MD5 and SHA1 remain only for legacy peers; prefer SHA-2. */
$p1_halgos = array(
	'md5' => 'MD5',
	'sha1' => 'SHA1',
	'sha256' => 'SHA256',
	'sha384' => 'SHA384',
	'sha512' => 'SHA512',
	'aesxcbc' => 'AES-XCBC'
);

/* Phase1 Diffie-Hellman groups: IANA group number => label.
 * NOTE(review): groups 1, 2 and 5 (<= 1536 bit MODP) are too weak for new
 * deployments; 14 or higher is the sensible minimum. */
$p1_dhgroups = array(
	1  => '1 (768 bit)',
	2  => '2 (1024 bit)',
	5  => '5 (1536 bit)',
	14 => '14 (2048 bit)',
	15 => '15 (3072 bit)',
	16 => '16 (4096 bit)',
	17 => '17 (6144 bit)',
	18 => '18 (8192 bit)',
	22 => '22 (1024(sub 160) bit)',
	23 => '23 (2048(sub 224) bit)',
	24 => '24 (2048(sub 256) bit)'
);

/* Phase2 integrity algorithms: config key (hmac_* naming) => label.
 * Same legacy caveat as $p1_halgos for MD5 and SHA1. */
$p2_halgos = array(
	'hmac_md5' => 'MD5',
	'hmac_sha1' => 'SHA1',
	'hmac_sha256' => 'SHA256',
	'hmac_sha384' => 'SHA384',
	'hmac_sha512' => 'SHA512',
	'aesxcbc' => 'AES-XCBC'
);

/* Phase1 authentication methods; 'mobile' marks the ones offered for
 * mobile-client (Xauth/EAP) tunnels. */
$p1_authentication_methods = array(
	'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
	'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ),
	'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ),
	'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true),
	'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
	'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) );

/* Phase2 modes; "tunnel6" is the value the idinfo helpers below test for
 * to select IPv6 handling. */
$p2_modes = array(
	'tunnel' => 'Tunnel IPv4',
	'tunnel6' => 'Tunnel IPv6',
	'transport' => 'Transport');

/* Phase2 protocols: ESP (encryption + integrity) or AH (integrity only). */
$p2_protos = array(
	'esp' => 'ESP',
	'ah' => 'AH');

/* Phase2 PFS groups; 0 disables PFS, the rest follow $p1_dhgroups
 * (and carry the same weak-group caveat for 1, 2 and 5). */
$p2_pfskeygroups = array(
	0 => 'off',
	1  => '1 (768 bit)',
	2  => '2 (1024 bit)',
	5  => '5 (1536 bit)',
	14 => '14 (2048 bit)',
	15 => '15 (3072 bit)',
	16 => '16 (4096 bit)',
	17 => '17 (6144 bit)',
	18 => '18 (8192 bit)'
);
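/*
 * ikeid management functions
 */

/*
 * Return true when $ikeid is already assigned to a phase1 entry in
 * $config['ipsec']['phase1'], false otherwise — including when no phase1
 * list exists at all.  The comparison is deliberately loose (==), as in
 * the original; presumably ikeids read back from the XML config are
 * strings while callers pass integers — confirm before tightening it.
 */
function ipsec_ikeid_used($ikeid) {
	global $config;

	/* Guard the foreach: a missing or malformed phase1 list means "unused". */
	if (!isset($config['ipsec']['phase1']) || !is_array($config['ipsec']['phase1']))
		return false;

	foreach ($config['ipsec']['phase1'] as $ph1ent) {
		if ($ikeid == $ph1ent['ikeid'])
			return true;
	}

	return false;
}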
/*
 * Return the lowest ikeid, starting at 1, not yet used by any phase1 entry.
 */
function ipsec_ikeid_next() {
	$candidate = 1;
	for (;;) {
		if (!ipsec_ikeid_used($candidate))
			return $candidate;
		$candidate++;
	}
}
/*
 * Return phase1 local address
 *
 * A literal IP address configured as the interface is returned as-is.
 * Otherwise the address of the named interface (default "wan") is looked
 * up: the IPv6 address when the entry's protocol is "inet6", else IPv4.
 */
function ipsec_get_phase1_src(& $ph1ent) {
	$iface = $ph1ent['interface'] ? $ph1ent['interface'] : "wan";

	if ($ph1ent['interface'] && is_ipaddr($iface))
		return $iface;

	if ($ph1ent['protocol'] == "inet6")
		return get_interface_ipv6($iface);

	return get_interface_ip($iface);
}
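/*
 * Return phase1 remote (peer) address
 *
 * Returns the configured remote-gateway when it is already an IP address.
 * A hostname is resolved with resolve_retry() — except while the platform
 * is booting, when false is returned instead (presumably because name
 * resolution is not available yet).  Returns false when no remote-gateway
 * is configured.
 */
function ipsec_get_phase1_dst(& $ph1ent) {
	if (empty($ph1ent['remote-gateway']))
		return false;

	$rg = $ph1ent['remote-gateway'];
	if (is_ipaddr($rg))
		return $rg;

	/* Hostname: cannot be resolved during boot, so report "no address". */
	if (platform_booting())
		return false;

	return resolve_retry($rg);
}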
/*
 * Return phase2 idinfo in cidr format
 *
 * "address" yields the bare address, or address/32 (address/128 when
 * $mode is "tunnel6") if $addrbits is set; "network" yields
 * address/netbits; "none" and "mobile" yield 0.0.0.0/0.  Any other type
 * is taken as an interface name whose network is looked up — IPv6 when
 * $mode (or, if $mode is empty, $idinfo['mode']) is "tunnel6".
 */
function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") {
	$type = $idinfo['type'];

	if ($type == "address") {
		if (!$addrbits)
			return $idinfo['address'];
		$bits = ($mode == "tunnel6") ? "128" : "32";
		return "{$idinfo['address']}/{$bits}";
	}

	if ($type == "network")
		return "{$idinfo['address']}/{$idinfo['netbits']}";

	if ($type == "none" || $type == "mobile")
		return '0.0.0.0/0';

	/* interface name: the entry's own mode is the fallback for $mode */
	if (empty($mode) && !empty($idinfo['mode']))
		$mode = $idinfo['mode'];

	if ($mode == "tunnel6") {
		$address = get_interface_ipv6($type);
		$netbits = get_interface_subnetv6($type);
		$address = gen_subnetv6($address, $netbits);
	} else {
		$address = get_interface_ip($type);
		$netbits = get_interface_subnet($type);
		$address = gen_subnet($address, $netbits);
	}

	return "{$address}/{$netbits}";
}
/*
 * Return phase2 idinfo in address/netmask format
 *
 * Like ipsec_idinfo_to_cidr() but with a dotted netmask for IPv4.
 * NOTE(review): type "none" is treated like "network" here, while
 * ipsec_idinfo_to_cidr() treats it like "mobile" (0.0.0.0/0) — confirm
 * which is intended before relying on either.
 */
function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) {
	$type = $idinfo['type'];

	if ($type == "address") {
		if (!$addrbits)
			return $idinfo['address'];
		$mask = ($idinfo['mode'] == "tunnel6") ? "128" : "255.255.255.255";
		return "{$idinfo['address']}/{$mask}";
	}

	if ($type == "none" || $type == "network")
		return $idinfo['address'] . "/" . gen_subnet_mask($idinfo['netbits']);

	if ($type == "mobile")
		return "0.0.0.0/0";

	/* interface name */
	if ($idinfo['mode'] == "tunnel6") {
		$address = get_interface_ipv6($type);
		$netbits = get_interface_subnetv6($type);
		$address = gen_subnetv6($address, $netbits);
	} else {
		$address = get_interface_ip($type);
		$netbits = get_interface_subnet($type);
		$address = gen_subnet($address, $netbits);
	}

	return "{$address}/{$netbits}";
}
/*
 *  Return phase2 idinfo in text format
 *
 *  Human-readable rendering of an idinfo: the address, address/netbits,
 *  the translated "Mobile Client"/"None" labels, or — for an interface
 *  name — its friendly description when the interface exists in
 *  $config['interfaces'], else the name upper-cased.
 */
function ipsec_idinfo_to_text(& $idinfo) {
	global $config;

	$type = $idinfo['type'];

	if ($type == "address")
		return $idinfo['address'];

	if ($type == "network")
		return "{$idinfo['address']}/{$idinfo['netbits']}";

	if ($type == "mobile")
		return gettext("Mobile Client");

	if ($type == "none")
		return gettext("None");

	/* interface name */
	if (!empty($config['interfaces'][$type]))
		return convert_friendly_interface_to_friendly_descr($type);

	return strtoupper($type);
}
/*
 * Return phase1 association for phase2
 *
 * Finds the phase1 whose ikeid matches $ph2ent['ikeid'], stores it in
 * $ph1ent and returns it.  Returns false (leaving $ph1ent untouched) when
 * the ipsec/phase1 config is missing or empty or nothing matches.
 */
function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) {
	global $config;

	if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase1']))
		return false;
	if (empty($config['ipsec']['phase1']))
		return false;

	$wanted = $ph2ent['ikeid'];
	foreach ($config['ipsec']['phase1'] as $candidate) {
		if ($candidate['ikeid'] != $wanted)
			continue;
		$ph1ent = $candidate;
		return $ph1ent;
	}

	return false;
}
/*
 * Check phase1 communications status
 *
 * True when $ipsec_status (presumably the IKE SA list returned by
 * ipsec_smp_dump_status()) contains an entry whose 'id' equals $ikeid and
 * whose 'status' is 'established'; false otherwise.
 */
function ipsec_phase1_status(&$ipsec_status, $ikeid) {
	foreach ($ipsec_status as $sa) {
		if ($sa['id'] != $ikeid)
			continue;
		if ($sa['status'] == 'established')
			return true;
	}

	return false;
}
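/*
 * Check phase2 communications status
 *
 * A phase2 counts as up when the phase1 it belongs to (matched by ikeid)
 * has an established IKE SA in $ipsec_status.  Returns false when no
 * matching phase1 exists.
 */
function ipsec_phase2_status(&$ipsec_status, &$phase2) {
	/* Look up the parent phase1 of the phase2 that was passed in.  The
	 * original passed an undefined $ph2ent here, so the $phase2 argument
	 * was never consulted and the lookup could only ever match a phase1
	 * with an empty ikeid. */
	if (ipsec_lookup_phase1($phase2, $ph1ent))
		return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']);

	return false;
}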
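/*
 * Query the running charon daemon over its SMP socket for the IKE SA list
 * and return it parsed by parse_xml_config() (with ikesa, childsa, network
 * and auth as list tags).  Returns null, after logging the reason, when
 * the daemon socket is missing, cannot be opened, or the read fails.
 */
function ipsec_smp_dump_status() {
	global $g, $custom_listtags;

	if (!file_exists("{$g['varrun_path']}/charon.xml")) {
		log_error("IPsec daemon not running or has a problem!");
		return;
	}

	$fd = @fsockopen("unix://{$g['varrun_path']}/charon.xml");
	if (!$fd) {
		log_error("Could not read status from IPsec");
		return;
	}
	$query = '<?xml version="1.0"?><message xmlns="http://www.strongswan.org/smp/1.0" type="request" id="1">';
	$query .= '<query><ikesalist/></query></message>';

	@fwrite($fd, $query);
	$response = "";
	$sread = "";	/* the loop condition read this before it was assigned */
	/* Read until the closing tag arrives or the socket returns false. */
	while (!strstr($sread, "</message>")) {
		$sread = fgets($fd);
		if ($sread === false)
			break;
		$response .= $sread;
	}
	fclose($fd);

	if ($sread === false) {
		log_error("Error during reading of status from IPsec");
		return;
	}

	/* NOTE(review): fixed, predictable scratch file name under tmp_path;
	 * acceptable only while tmp_path is not writable by untrusted users —
	 * confirm, or switch to tempnam(). */
	@file_put_contents("{$g['tmp_path']}/smp_status.xml", $response);
	unset($response, $sread);

	$custom_listtags = array('ikesa', 'childsa', 'network', 'auth');
	$response = parse_xml_config("{$g['tmp_path']}/smp_status.xml", "message");
	@unlink("{$g['tmp_path']}/smp_status.xml");
	/* unset() on a variable imported with "global" only drops the local
	 * alias and leaves $GLOBALS['custom_listtags'] set for later callers
	 * of parse_xml_config(); clear the global itself. */
	unset($GLOBALS['custom_listtags']);

	return $response;
}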
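/*
 * Return dump of SPD table
 *
 * Runs "/sbin/setkey -DP" (a fixed command line, nothing interpolated)
 * and parses each policy into srcid, dstid, dir, proto, src, dst and
 * reqid.  An unindented output line starts a new policy; the tab-indented
 * lines that follow are numbered with $i and only the first (direction)
 * and second (upper spec) are consumed.  Policies whose direction is
 * "none" are dropped.  Returns an empty array when the command cannot be
 * run or reports "No SPD entries.".
 */
function ipsec_dump_spd()
{
	$fd = @popen("/sbin/setkey -DP", "r");
	$spd = array();
	$cursp = null;	/* policy being assembled; was read before assignment */
	$i = 0;		/* line index within the current policy; was incremented before assignment */
	if ($fd) {
		while (!feof($fd)) {
			$line = chop(fgets($fd));
			if (!$line)
				continue;
			if ($line == "No SPD entries.")
				break;
			if ($line[0] != "\t") {
				/* header line: "<src>[port] <dst>[port] ..." */
				if (is_array($cursp))
					$spd[] = $cursp;
				$cursp = array();
				$linea = explode(" ", $line);
				$cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "["));
				$cursp['dstid'] = substr($linea[1], 0, strpos($linea[1], "["));
				$i = 0;
			} else if (is_array($cursp)) {
				$line = trim($line, "\t\r\n ");
				$linea = explode(" ", $line);
				switch($i)
				{
					case 1:
						if ($linea[1] == "none")	/* don't show default anti-lockout rule */
							unset($cursp);
						else
							$cursp['dir'] = $linea[0];
						break;
					case 2:
						/* "<proto>/<mode>/<src>-<dst>/<level>#<reqid>" */
						$upperspec = explode("/", $linea[0]);
						$cursp['proto'] = $upperspec[0];
						list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]);
						$cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1);
						break;
				}
			}
			$i++;
		}
		if (is_array($cursp) && count($cursp))
			$spd[] = $cursp;
		pclose($fd);
	}

	return $spd;
}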
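/*
 * Return dump of SAD table
 *
 * Runs "/sbin/setkey -D" (a fixed command line, nothing interpolated) and
 * parses each SA into src, dst, proto, spi, reqid, ealgo/aalgo and data
 * (the "current:" byte counter).  An unindented line is the "<src> <dst>"
 * header of the next SA; the tab-indented lines below it are scanned
 * token by token.  Returns an empty array when the command cannot be run
 * or reports "No SAD entries.".
 */
function ipsec_dump_sad()
{
	$fd = @popen("/sbin/setkey -D", "r");
	$sad = array();
	$cursa = null;	/* SA being assembled; was read before assignment */
	if ($fd) {
		while (!feof($fd)) {
			$line = chop(fgets($fd));
			if (!$line || $line[0] == " ")
				continue;
			if ($line == "No SAD entries.")
				break;
			if ($line[0] != "\t")
			{
				if (is_array($cursa))
					$sad[] = $cursa;
				$cursa = array();
				list($cursa['src'],$cursa['dst']) = explode(" ", $line);
			}
			else
			{
				$line = trim($line, "\t\n\r ");
				$linea = explode(" ", $line);
				foreach ($linea as $idx => $linee) {
					/* the $linee !== '' guard avoids reading [0] of an empty token */
					if ($linee == 'esp' || $linee == 'ah' || ($linee !== '' && $linee[0] == '#'))
						$cursa['proto'] = $linee;
					else if (substr($linee, 0, 3) == 'spi')
						$cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1);
					else if (substr($linee, 0, 5) == 'reqid')
						$cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1);
					else if (substr($linee, 0, 2) == 'E:') {
						$cursa['ealgo'] = $linea[$idx + 1];
						break;
					} else if (substr($linee, 0, 2) == 'A:') {
						$cursa['aalgo'] = $linea[$idx + 1];
						break;
					} else if (substr($linee, 0, 8) == 'current:') {
						$cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B';
						break;
					}
				}
			}
		}
		if (is_array($cursa) && count($cursa))
			$sad[] = $cursa;
		pclose($fd);
	}

	return $sad;
}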
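/*
 * Return dump of mobile user list
 *
 * Runs "ipsec stroke leases" (fixed command; only $g['tmp_path'] from the
 * platform globals is interpolated) into a scratch file and returns the
 * file parsed by parse_xml_config() with 'lease' and 'pool' as list tags.
 * Returns an empty array when the file is missing or too small to hold a
 * lease list.
 */
function ipsec_dump_mobile() {
	global $g, $custom_listtags;

	$_gb = exec("/usr/local/sbin/ipsec stroke leases > {$g['tmp_path']}/strongswan_leases.xml");

	if (!file_exists("{$g['tmp_path']}/strongswan_leases.xml")) {
		log_error(gettext("Unable to find IPsec daemon leases file. Could not display mobile user stats!"));
		return array();
	}

	/* This is needed for fixing #4130: a file under 200 bytes is treated
	 * as "no leases" (presumably an empty or stub document — confirm). */
	if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200)
		return array();

	$custom_listtags = array('lease', 'pool');
	$response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases");
	@unlink("{$g['tmp_path']}/strongswan_leases.xml");
	/* unset() on a variable imported with "global" only drops the local
	 * alias and leaves $GLOBALS['custom_listtags'] set for later callers
	 * of parse_xml_config(); clear the global itself. */
	unset($GLOBALS['custom_listtags'], $_gb);

	return $response;
}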
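/*
 * Sort $config['ipsec']['mobilekey'] in place by the first identifier of
 * each entry.  Does nothing when the list is missing.
 */
function ipsec_mobilekey_sort() {
	global $config;

	/* usort() on a missing list would raise a TypeError; nothing to sort. */
	if (!isset($config['ipsec']['mobilekey']) || !is_array($config['ipsec']['mobilekey']))
		return;

	/* A closure instead of a nested named function: the original declared
	 * mobilekeycmp() inside this body, so a second call in the same request
	 * failed with "Cannot redeclare mobilekeycmp()". */
	usort($config['ipsec']['mobilekey'], function ($a, $b) {
		return strcmp($a['ident'][0], $b['ident'][0]);
	});
}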
/*
 * Count the phase2 entries belonging to the phase1 identified by $ikeid.
 * Returns 0 when there is no phase2 list.
 */
function ipsec_get_number_of_phase2($ikeid) {
	global $config;

	$phase2_list = $config['ipsec']['phase2'];
	if (!is_array($phase2_list))
		return 0;

	$matches = 0;
	foreach ($phase2_list as $entry) {
		if ($entry['ikeid'] == $ikeid)
			$matches++;
	}

	return $matches;
}
/*
 * Return the description of the phase1 entry with the given ikeid, or ''
 * when there is no phase1 list or no entry matches.
 */
function ipsec_get_descr($ikeid) {
	global $config;

	$phase1_list = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : null;
	if (!is_array($phase1_list))
		return '';

	foreach ($phase1_list as $entry) {
		if ($entry['ikeid'] == $ikeid)
			return $entry['descr'];
	}

	return '';
}
/*
 * Return the phase1 entry with the given ikeid.
 *
 * NOTE(review): the miss cases are inconsistent — '' when there is no
 * phase1 list at all, null when the list exists but holds no such ikeid.
 * Preserved as-is; callers should test the result with empty()/is_array().
 */
function ipsec_get_phase1($ikeid) {
	global $config;

	if (!isset($config['ipsec']['phase1']) || !is_array($config['ipsec']['phase1']))
		return '';

	foreach ($config['ipsec']['phase1'] as $entry) {
		if ($entry['ikeid'] == $ikeid)
			return $entry;
	}

	return null;
}
/*
 * Normalise an IPv6 address or subnet to its canonical compressed form
 * (uncompress, then compress); anything else is returned untouched.
 */
function ipsec_fixup_ip($ipaddr) {
	$is_v6 = is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr);

	return $is_v6 ? Net_IPv6::compress(Net_IPv6::uncompress($ipaddr)) : $ipaddr;
}
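/*
 * Build the identity (type, data) pair for one side of a phase1 entry.
 *
 * $side is "local" (myid_type/myid_data; the phase1 source address is
 * used for 'myaddress') or "peer" (peerid_type/peerid_data; the remote
 * gateway, or "%any" for mobile entries).  $rgmap maps remote-gateway
 * names to resolved addresses and is consulted for 'peeraddress'.
 * Returns an empty array when $side is unknown or the local address
 * cannot be determined.  Config type names are rewritten to the names the
 * consumer expects ('address', 'dns', 'keyid', 'userfqdn'); the data is
 * null for a type not handled below.
 */
function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) {
	if ($side == "local") {
		$id_type = $ph1ent['myid_type'];
		$id_data = $ph1ent['myid_data'];

		$addr = ipsec_get_phase1_src($ph1ent);
		if (!$addr)
			return array();
	} elseif ($side == "peer") {
		/* was `$side = "peer"` (assignment), so any unknown side was
		 * silently treated as the peer side instead of rejected */
		$id_type = $ph1ent['peerid_type'];
		$id_data = $ph1ent['peerid_data'];

		if (isset($ph1ent['mobile']))
			$addr = "%any";
		else
			$addr = $ph1ent['remote-gateway'];
	} else
		return array();

	$thisid_type = $id_type;
	$thisid_data = null;
	switch ($thisid_type) {
	case 'myaddress':
		$thisid_type = 'address';
		$thisid_data = $addr;
		break;
	case 'dyn_dns':
		$thisid_type = 'dns';
		$thisid_data = $id_data;
		break;
	case 'peeraddress':
		$thisid_type = 'address';
		/* null rather than an undefined-index notice when unresolved */
		$thisid_data = isset($rgmap[$ph1ent['remote-gateway']]) ? $rgmap[$ph1ent['remote-gateway']] : null;
		break;
	case 'address':
		$thisid_data = $id_data;
		break;
	case 'fqdn':
		$thisid_data = (string) $id_data;
		break;
	case 'keyid tag':
		$thisid_type = 'keyid';
		/* was "{$thisid_data}" — an unset variable — so the keyid data was
		 * always empty; the configured id data is what belongs here */
		$thisid_data = (string) $id_data;
		break;
	case 'user_fqdn':
		$thisid_type = 'userfqdn';
		$thisid_data = (string) $id_data;
		break;
	case 'asn1dn':
		$thisid_data = (string) $id_data;
		break;
	}

	return array($thisid_type, $thisid_data);
}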
/*
 * Strip the "|/0" suffix from a network spec, or — when the spec has the
 * form "<something>|<network>" — return the part after the '|'.  A spec
 * without '|' is returned unchanged.
 */
function ipsec_fixup_network($network) {
	if (substr($network, -3) == '|/0')
		return substr($network, 0, -3);

	$parts = explode('|', $network);

	return isset($parts[1]) ? $parts[1] : $parts[0];
}
?>