<?php

/*
	vpn.inc
	Copyright (C) 2004 Scott Ullrich
	Copyright (C) 2008 Shrew Soft Inc
	Copyright (C) 2008 Ermal Luçi
	All rights reserved.

	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

/*
	pfSense_BUILDER_BINARIES:	/sbin/ifconfig
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/ipsec	/usr/local/libexec/ipsec/charon /usr/local/libexec/ipsec/starter
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/filterdns	/usr/local/sbin/mpd4
	pfSense_MODULE:	vpn
*/
require_once("ipsec.inc");
/**
 * Apply the per-subsystem charon log levels held in the IPsec configuration.
 *
 * Every subsystem listed in the global $ipsec_loglevels table is looked up
 * as $config['ipsec']['ipsec_<subsystem>']. A stored value is only honoured
 * when it is numeric and within 0..5; it is shifted down by one before it
 * reaches charon (a stored 0 therefore becomes level -1, i.e. silent).
 * The subsystem name comes from the fixed table and the level goes through
 * intval(), so no config-controlled text reaches the shell unescaped.
 *
 * @param bool $forconfig  When true the running daemon is left alone and the
 *                         levels are returned as a comma-separated
 *                         "subsystem level" list (used for charondebug=).
 *                         When false each level is pushed live with
 *                         `ipsec stroke loglevel`; a subsystem with no
 *                         configured value is reset to -1.
 * @return string|null  The charondebug list when $forconfig is true,
 *                      otherwise nothing.
 */
function vpn_ipsec_configure_loglevels($forconfig = false)
{
	global $config, $ipsec_loglevels;

	$strokecmd = "/usr/local/sbin/ipsec stroke loglevel";
	$cfgtext = array();

	foreach ($ipsec_loglevels as $lkey => $ldescr) {
		$cfgkey = "ipsec_{$lkey}";

		/* Live mode only: an unconfigured subsystem is silenced outright. */
		if (!isset($config['ipsec'][$cfgkey]) && !$forconfig) {
			mwexec("{$strokecmd} {$lkey} -- -1", false);
			continue;
		}

		$raw = $config['ipsec'][$cfgkey];
		if (!is_numeric($raw)) {
			continue;
		}
		$level = intval($raw);
		if ($level < 0 || $level > 5) {
			continue;
		}

		/* The GUI stores 0..5, charon expects -1..4. */
		$level = $level - 1;
		if ($forconfig) {
			$cfgtext[] = "{$lkey} {$level}";
		} else {
			mwexec("{$strokecmd} {$lkey} {$level}", false);
		}
	}

	if ($forconfig) {
		return implode(',', $cfgtext);
	}
}
/* include all configuration functions */
/**
 * Translate an IKE Diffie-Hellman group number into the strongSwan
 * "modpNNNN" keyword used in ike= / esp= proposal strings.
 *
 * Only the groups in the table below are recognised; anything else
 * (including an empty or missing value) yields "" so the caller can leave
 * the DH part out of the proposal. The comparison is deliberately loose
 * (==) against the string form of the group number, so an integer 14 and
 * the string "14" both resolve.
 *
 * NOTE(review): modp768 (group 1) and modp1024 (group 2) are retained for
 * compatibility with old peers only; they are well below current key-size
 * recommendations and should not be chosen for new tunnels.
 *
 * @param int|string $index  IKE DH group number as stored in the config.
 * @return string  strongSwan modp keyword, or "" for an unknown group.
 */
function vpn_ipsec_convert_to_modp($index)
{
	static $dhgroups = array(
		1  => "modp768",
		2  => "modp1024",
		5  => "modp1536",
		14 => "modp2048",
		15 => "modp3072",
		16 => "modp4096",
		17 => "modp6144",
		18 => "modp8192",
	);

	/* First loose match wins; compare against the string form of the group. */
	foreach ($dhgroups as $group => $keyword) {
		if ($index == (string) $group) {
			return $keyword;
		}
	}

	return "";
}
function vpn_ipsec_configure($restart = false)
98 a93e56c5 Matthew Grooms
{
99 5fb0e30d Chris Buechler
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling;
100 17da6c79 Scott Ullrich
101 7734aea6 Andrew Thompson
	if ($g['platform'] == 'jail')
102
		return;
103 52c9f9fa Ermal
104 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
105 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
106
	touch("{$g['vardb_path']}/ipsecpinghosts");
107 c1f5a46b Scott Ullrich
108 8f67a8e1 Scott Ullrich
	$syscfg = $config['system'];
109 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
110 2f1e0311 Seth Mos
	if (!isset($ipseccfg['enable'])) {
111 6c576b27 Ermal
		/* try to stop charon */
112
		mwexec("/usr/local/sbin/ipsec stop");
113 52c9f9fa Ermal
		/* Stop dynamic monitoring */
114 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
115 98c02cac Ermal
116 6c576b27 Ermal
		/* wait for process to die */
117 8f67a8e1 Scott Ullrich
		sleep(2);
118
119 84fa0d60 Scott Ullrich
		/* disallow IPSEC, it is off */
120 52c9f9fa Ermal
		mwexec("/sbin/ifconfig enc0 down");
121 971de1f9 Renato Botelho
		set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
122 2f1e0311 Seth Mos
123 fee13fc0 Renato Botelho
		filter_configure();
124
125 6a781df6 Ermal
		return 0;
126 3c5af33a Ermal LUÇI
	}
127 8f67a8e1 Scott Ullrich
128 3c5af33a Ermal LUÇI
	$a_phase1 = $config['ipsec']['phase1'];
129
	$a_phase2 = $config['ipsec']['phase2'];
130
	$a_client = $config['ipsec']['client'];
131 8f67a8e1 Scott Ullrich
132 3c5af33a Ermal LUÇI
	$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
133
	$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
134
	$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
135
136
	mwexec("/sbin/ifconfig enc0 up");
137
	set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
138
	/* needed for config files */
139
	if (!is_dir("{$g['varetc_path']}/ipsec"))
140
		mkdir("{$g['varetc_path']}/ipsec");
141
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
142
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
143
	if (!is_dir($capath))
144
		mkdir($capath);
145
	if (!is_dir($keypath))
146
		mkdir($keypath);
147
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
148
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
149
	if (!is_dir($certpath))
150
		mkdir($certpath);
151
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
152
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
153
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
154
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
155
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
156
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
157
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
158
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
159
	
160
161
	if (platform_booting())
162
		echo gettext("Configuring IPsec VPN... ");
163
164
	/* fastforwarding is not compatible with ipsec tunnels */
165
	set_single_sysctl("net.inet.ip.fastforwarding", "0");
166
167
	/* resolve all local, peer addresses and setup pings */
168
	$ipmap = array();
169
	$rgmap = array();
170
	$filterdns_list = array();
171
	$listeniflist = array();
172
	$aggressive_mode_psk = false;
173
	unset($iflist);
174 89ac17e3 Ermal LUÇI
	$ifacesuse = array();
175 3c5af33a Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
176
177
		$ipsecpinghosts = "";
178
		/* step through each phase1 entry */
179
		foreach ($a_phase1 as $ph1ent) {
180
			if (isset($ph1ent['disabled']))
181
				continue;
182
183 083ec796 Ermal LUÇI
			if (strpos($ph1ent['interface'], '_vip')) {
184 260c6a7e Ermal LUÇI
				$vpninterface = explode('_vip', $ph1ent['interface']);
185
				$ifacesuse[] = get_real_interface($vpninterface[0]);
186
                        } else {
187
                                $vpninterface = get_failover_interface($ph1ent['interface']);
188 aeaa6143 Chris Buechler
				if (strpos($vpninterface, '_vip')) {
189
					$vpninterface = explode('_vip', $vpninterface);
190
					$ifacesuse[] = get_real_interface($vpninterface[0]);
191
				} elseif (!empty($vpninterface))
192 260c6a7e Ermal LUÇI
					$ifacesuse[] = $vpninterface;
193
			}
194
				
195 3c5af33a Ermal LUÇI
			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) 
196
				$aggressive_mode_psk = true;
197
198
			$ikeid = $ph1ent['ikeid'];
199
			$listeniflist = get_real_interface($a_phase1['interface']);
200
201
			$ep = ipsec_get_phase1_src($ph1ent);
202 ad073d9a Chris Buechler
			if (!is_ipaddr($ep)) {
203
				log_error("IPsec ERROR: Could not find phase 1 source for connection {$ph1ent['descr']}. Omitting from configuration file.");
204 3c5af33a Ermal LUÇI
				continue;
205 ad073d9a Chris Buechler
			}
206 3c5af33a Ermal LUÇI
207
			if(!in_array($ep,$ipmap))
208
				$ipmap[] = $ep;
209
210
			/* see if this tunnel has a hostname for the remote-gateway. If so,
211
			   try to resolve it now and add it to the list for filterdns */
212
213
			if (isset ($ph1ent['mobile']))
214
				continue;
215
216
			$rg = $ph1ent['remote-gateway'];
217
218
			if (!is_ipaddr($rg)) {
219
				$filterdns_list[] = "{$rg}";
220
				add_hostname_to_watch($rg);
221
				if (!platform_booting())
222
					$rg = resolve_retry($rg);
223
				if (!is_ipaddr($rg))
224 3462a529 Matthew Grooms
					continue;
225 3c5af33a Ermal LUÇI
			}
226
			if(array_search($rg, $rgmap)) {
227
				log_error("The remote gateway {$rg} already exists on another phase 1 entry");
228
				continue;
229
			}
230
			$rgmap[$ph1ent['remote-gateway']] = $rg;
231 3462a529 Matthew Grooms
232 3c5af33a Ermal LUÇI
			if (is_array($a_phase2)) {
233
				/* step through each phase2 entry */
234
				foreach ($a_phase2 as $ph2ent) {
235
					if (isset($ph2ent['disabled']))
236 979cd6db Scott Ullrich
						continue;
237 a11df336 jim-p
238 3c5af33a Ermal LUÇI
					if ($ikeid != $ph2ent['ikeid'])
239
						continue;
240 a11df336 jim-p
241 3c5af33a Ermal LUÇI
					/* add an ipsec pinghosts entry */
242
					if ($ph2ent['pinghost']) {
243
						if (!is_array($iflist))
244
							$iflist = get_configured_interface_list();
245
						$viplist = get_configured_vips_list();
246
						$srcip = null;
247
						$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
248
						if(is_ipaddrv6($ph2ent['pinghost'])) {
249
							foreach ($iflist as $ifent => $ifname) {
250
								$interface_ip = get_interface_ipv6($ifent);
251
								if(!is_ipaddrv6($interface_ip))
252
									continue;
253
								if (ip_in_subnet($interface_ip, $local_subnet)) {
254
									$srcip = $interface_ip;
255
									break;
256 fb17f629 Seth Mos
								}
257 a11df336 jim-p
							}
258 3c5af33a Ermal LUÇI
						} else {
259
							foreach ($iflist as $ifent => $ifname) {
260
								$interface_ip = get_interface_ip($ifent);
261
								if(!is_ipaddrv4($interface_ip))
262
									continue;
263
								if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
264
									$srcip = $interface_ip;
265
									break;
266 dc63467f Matt Smith
								}
267
							}
268 3c5af33a Ermal LUÇI
						}
269
						/* if no valid src IP was found in configured interfaces, try the vips */
270
						if (is_null($srcip)) {
271
							foreach ($viplist as $vip) {
272
								if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
273
									$srcip = $vip['ipaddr'];
274
									break;
275
								}
276 741077bc Ermal Lu?i
							}
277 87e07f52 mgrooms
						}
278 3c5af33a Ermal LUÇI
						$dstip = $ph2ent['pinghost'];
279
						if(is_ipaddrv6($dstip)) {
280
							$family = "inet6";
281
						} else {
282
							$family = "inet";
283
						}
284
						if (is_ipaddr($srcip))
285
							$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
286 17da6c79 Scott Ullrich
					}
287 a93e56c5 Matthew Grooms
				}
288
			}
289
		}
290 3c5af33a Ermal LUÇI
		@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
291
		unset($ipsecpinghosts);
292
	}
293
	unset($iflist);
294 496acde1 Ermal
295 3c5af33a Ermal LUÇI
	$accept_unencrypted = "";
296
	if (isset($config['ipsec']['acceptunencryptedmainmode']))
297
		$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
298 737b18f2 Ermal
299 41da54ce Ermal LUÇI
	$stronconf = '';
300
	if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf"))
301
		$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
302
303 3c5af33a Ermal LUÇI
	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
304
	if ($aggressive_mode_psk) {
305
		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
306 41da54ce Ermal LUÇI
		if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE)
307
			$restart = true;
308 3c5af33a Ermal LUÇI
		$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
309
	} 
310 845f9f78 Ermal LUÇI
311 7a959780 Ermal LUÇI
	$unity_enabled = 'yes';
312 1ca17c45 Chris Buechler
	if (isset($config['ipsec']['unityplugin'])) {
313 7a959780 Ermal LUÇI
		$unity_enabled = 'no';
314 1ca17c45 Chris Buechler
		if (file_exists("/usr/local/lib/ipsec/plugins/libstrongswan-unity.so")) {
315
			conf_mount_rw();
316
			mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.so /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED");
317
			conf_mount_ro();
318
		}
319
	} else if (file_exists("/usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED")) {
320
		conf_mount_rw();
321
		mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED /usr/local/lib/ipsec/plugins/libstrongswan-unity.so");
322
		conf_mount_ro();
323
	}
324
	
325 eb6495c3 Chris Buechler
	if (isset($config['ipsec']['enableinterfacesuse'])) {
326
		if (!empty($ifacesuse)) {
327
			$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
328
		} else {
329
			$ifacesuse = '';
330
		}
331
	} else {
332 89ac17e3 Ermal LUÇI
		$ifacesuse = '';
333 eb6495c3 Chris Buechler
	}
334 89ac17e3 Ermal LUÇI
335 42275e69 Ermal LUÇI
	unset($stronconf);
336 41da54ce Ermal LUÇI
337 3c5af33a Ermal LUÇI
	$strongswan = <<<EOD
338 496acde1 Ermal
339 531686c1 Chris Buechler
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
340 496acde1 Ermal
starter {
341 3c5af33a Ermal LUÇI
load_warning = no
342 496acde1 Ermal
}
343
344
charon {
345 3c5af33a Ermal LUÇI
# number of worker threads in charon
346
threads = 16
347
ikesa_table_size = 32
348
ikesa_table_segments = 4
349
init_limit_half_open = 1000
350
install_routes = no
351
{$i_dont_care_about_security_and_use_aggressive_mode_psk}
352
{$accept_unencrypted}
353 845f9f78 Ermal LUÇI
cisco_unity = {$unity_enabled}
354 89ac17e3 Ermal LUÇI
{$ifacesuse}
355 3c5af33a Ermal LUÇI
356
# And two loggers using syslog. The subsections define the facility to log
357
# to, currently one of: daemon, auth.
358
syslog {
359
	identifier = charon
360
	# default level to the LOG_DAEMON facility
361
	daemon {
362 7335fa53 Ermal
	}
363 3c5af33a Ermal LUÇI
	# very minimalistic IKE auditing logs to LOG_AUTHPRIV
364
	auth {
365
		default = -1
366
		ike = 1
367
		ike_name = yes
368
	}
369
}
370 c6efc8fd Ermal
371 496acde1 Ermal
EOD;
372
373 3c5af33a Ermal LUÇI
	$strongswan .= "\tplugins {\n";
374
375
	if (is_array($a_client) && isset($a_client['enable'])) {
376
		$strongswan .= "\t\tattr {\n";
377
		if ($a_client['pool_address'] && $a_client['pool_netbits'])
378
			$strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
379
380
		$cfgservers = array();
381
		if (!empty($a_client['dns_server1']))
382
			$cfgservers[] = $a_client['dns_server1'];
383
		if (!empty($a_client['dns_server2']))
384
			$cfgservers[] = $a_client['dns_server2'];
385
		if (!empty($a_client['dns_server3']))
386
			$cfgservers[] = $a_client['dns_server3'];
387
		if (!empty($a_client['dns_server4']))
388
			$cfgservers[] = $a_client['dns_server4'];
389
390
		if (!empty($cfgservers))
391
			$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
392
		unset($cfgservers);
393
		$cfgservers = array();
394
		if (!empty($a_client['wins_server1']))
395
			$cfgservers[] = $a_client['wins_server1'];
396
		if (!empty($a_client['wins_server2']))
397
			$cfgservers[] = $a_client['wins_server2'];
398
		if (!empty($cfgservers))
399
			$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
400
		unset($cfgservers);
401
402 c17478a6 Renato Botelho
		if (isset($a_client['net_list']) && is_array($a_phase2)) {
403 3c5af33a Ermal LUÇI
			$net_list = '';
404
			foreach ($a_phase2 as $ph2ent) {
405
				if (isset($ph2ent['disabled']))
406
					continue;
407 496acde1 Ermal
408 3c5af33a Ermal LUÇI
				if (!isset($ph2ent['mobile']))
409
					continue;
410 496acde1 Ermal
411 3c5af33a Ermal LUÇI
				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
412 496acde1 Ermal
413 3c5af33a Ermal LUÇI
				if (!empty($net_list))
414
					$net_list .= ",";
415
				$net_list .= $localid;
416 496acde1 Ermal
			}
417
418 3c5af33a Ermal LUÇI
			if (!empty($net_list)) {
419
				$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
420
				unset($net_list);
421 496acde1 Ermal
			}
422 3c5af33a Ermal LUÇI
		}
423 496acde1 Ermal
424 3c5af33a Ermal LUÇI
		if (!empty($a_client['dns_domain'])) {
425
			$strongswan .= "\t\t\t# Search domain and default domain\n";
426 fc06d8ea Ermal LUÇI
			$strongswan .= "\t\t\t28674 = \"{$a_client['dns_domain']}\"\n";
427 82e6fde2 Ermal LUÇI
			if (empty($a_client['dns_split'])) {
428 fc06d8ea Ermal LUÇI
				$strongswan .= "\t\t\t28675 = \"{$a_client['dns_domain']}\"";
429 82e6fde2 Ermal LUÇI
			}
430 3c5af33a Ermal LUÇI
			$strongswan .= "\n";
431
		}
432 496acde1 Ermal
433 3c5af33a Ermal LUÇI
		if (!empty($a_client['dns_split'])) {
434 4c9b272d Ermal LUÇI
			$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
435 3c5af33a Ermal LUÇI
		}
436 496acde1 Ermal
437 3c5af33a Ermal LUÇI
		if (!empty($a_client['login_banner']))
438 fc06d8ea Ermal LUÇI
			$strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n";
439 3c5af33a Ermal LUÇI
440
		if (isset($a_client['save_passwd']))
441
			$strongswan .= "\t\t\t28673 = 1\n";
442
443
		if ($a_client['pfs_group'])
444 fc06d8ea Ermal LUÇI
			$strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n";
445 3c5af33a Ermal LUÇI
		$strongswan .= "\t\t}\n";
446
447
		if ($a_client['user_source'] != "none") {
448
			$strongswan .= "\t\txauth-generic {\n";
449
			$strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
450
			$strongswan .= "\t\t\tauthcfg = ";
451
			$firstsed = 0;
452
			$authcfgs = explode(",", $a_client['user_source']);
453
			foreach ($authcfgs as $authcfg) {
454
				if ($firstsed > 0)
455
					$strongswan .= ",";
456
				if ($authcfg == "system")
457
					$authcfg = "Local Database";
458
				$strongswan .= $authcfg;
459
				$firstsed = 1;
460 91287d1f Ermal
			}
461 3c5af33a Ermal LUÇI
			$strongswan .= "\n";
462
			$strongswan .= "\t\t}\n";
463 496acde1 Ermal
		}
464 3c5af33a Ermal LUÇI
	}
465 496acde1 Ermal
466 3c5af33a Ermal LUÇI
	$strongswan .= "\t}\n}\n";
467
	@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
468
	unset($strongswan);
469 8f67a8e1 Scott Ullrich
470 3c5af33a Ermal LUÇI
	/* generate CA certificates files */
471
	if (is_array($config['ca']) && count($config['ca'])) {
472
		foreach ($config['ca'] as $ca) {
473
			if (!isset($ca['crt'])) {
474
				log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
475
				continue;
476
			}
477
			$cert = base64_decode($ca['crt']);
478
			$x509cert = openssl_x509_parse(openssl_x509_read($cert));
479
			if (!is_array($x509cert) || !isset($x509cert['hash'])) {
480
				log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
481
				continue;
482 a93e56c5 Matthew Grooms
			}
483 3c5af33a Ermal LUÇI
			$fname = "{$capath}/{$x509cert['hash']}.0.crt";
484
			if (!@file_put_contents($fname, $cert)) {
485
				log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
486
				continue;
487
			}
488
			unset($cert);
489 a93e56c5 Matthew Grooms
		}
490 3c5af33a Ermal LUÇI
	}
491 09628a07 Renato Botelho
492 3c5af33a Ermal LUÇI
	$pskconf = "";
493 037b51b3 Seth Mos
494 3c5af33a Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
495
		foreach ($a_phase1 as $ph1ent) {
496 a93e56c5 Matthew Grooms
497 3c5af33a Ermal LUÇI
			if (isset($ph1ent['disabled']))
498
				continue;
499 a93e56c5 Matthew Grooms
500 bc62f818 Ermal LUÇI
			if (strstr($ph1ent['authentication_method'], 'rsa') ||
501
			    in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls'))) {
502 3c5af33a Ermal LUÇI
				$certline = '';
503 a93e56c5 Matthew Grooms
504 3c5af33a Ermal LUÇI
				$ikeid = $ph1ent['ikeid'];
505
				$cert = lookup_cert($ph1ent['certref']);
506 496acde1 Ermal
507 3c5af33a Ermal LUÇI
				if (!$cert) {
508
					log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
509
					continue;
510
				}
511 496acde1 Ermal
512 3c5af33a Ermal LUÇI
				@chmod($certpath, 0600);
513 496acde1 Ermal
514 3c5af33a Ermal LUÇI
				$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
515
				if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
516
					log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
517
					continue;
518
				}
519
				@chmod($ph1keyfile, 0600);
520 496acde1 Ermal
521 3c5af33a Ermal LUÇI
				$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
522
				if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
523
					log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
524
					@unlink($ph1keyfile);
525
					continue;
526
				}
527
				@chmod($ph1certfile, 0600);
528 fa4e059e Ermal
529 3c5af33a Ermal LUÇI
				/* XXX" Traffic selectors? */
530
				$pskconf .= " : RSA {$ph1keyfile}\n";
531
			} else {
532 4e8eacfd Ermal LUÇI
				list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
533
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
534 496acde1 Ermal
535 3c5af33a Ermal LUÇI
				if (empty($peerid_data))
536
					continue;
537 496acde1 Ermal
538 f3106b3f Ermal LUÇI
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
539 4e8eacfd Ermal LUÇI
				$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
540 f3106b3f Ermal LUÇI
				if (!empty($ph1ent['pre-shared-key'])) {
541
					if ($myid_type == 'fqdn' && !empty($myid_data))
542 430f8380 Ermal
						$pskconf .= "@{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
543 f3106b3f Ermal LUÇI
					else
544 430f8380 Ermal
						$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
545 f3106b3f Ermal LUÇI
				}
546 5b237745 Scott Ullrich
			}
547 a93e56c5 Matthew Grooms
		}
548 3c5af33a Ermal LUÇI
	}
549 a93e56c5 Matthew Grooms
550 3c5af33a Ermal LUÇI
	/* Add user PSKs */
551
	if (is_array($config['system']) && is_array($config['system']['user'])) {
552
		foreach ($config['system']['user'] as $user) {
553
			if (!empty($user['ipsecpsk'])) {
554 430f8380 Ermal
				$pskconf .= "%any {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
555 4ed2dde7 jim-p
			}
556
		}
557 3c5af33a Ermal LUÇI
		unset($user);
558
	}
559 4ed2dde7 jim-p
560 3c5af33a Ermal LUÇI
	/* add PSKs for mobile clients */
561
	if (is_array($ipseccfg['mobilekey'])) {
562
		foreach ($ipseccfg['mobilekey'] as $key) {
563
			if ($key['ident'] == "allusers")
564 c86c2b8b Ermal LUÇI
				$key['ident'] = '%any';
565 f579c0fb Ermal LUÇI
			if (empty($key['type']))
566
				$key['type'] = 'PSK';
567
			$pskconf .= "%any {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
568 2ef1b601 jim-p
		}
569 3c5af33a Ermal LUÇI
		unset($key);
570
	}
571 2ef1b601 jim-p
572 3c5af33a Ermal LUÇI
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
573
	chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
574
	unset($pskconf);
575
576 908edbd3 Ermal LUÇI
	$uniqueids = 'yes';
577
	if (!empty($config['ipsec']['uniqueids'])) {
578 887f2517 Ermal LUÇI
		if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling)) {
579 908edbd3 Ermal LUÇI
			$uniqueids = $config['ipsec']['uniqueids'];
580 887f2517 Ermal LUÇI
		}
581 908edbd3 Ermal LUÇI
	}
582 3c5af33a Ermal LUÇI
	$natfilterrules = false;
583
	/* begin ipsec.conf */
584
	$ipsecconf = "";
585 45efe1b6 Ermal LUÇI
	$enablecompression = false;
586 3c5af33a Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1))  {
587
588
		$ipsecconf .= "# This file is automatically generated. Do not edit\n";
589 908edbd3 Ermal LUÇI
		$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
590 3c5af33a Ermal LUÇI
		$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
591
592
		foreach ($a_phase1 as $ph1ent) {
593
			if (isset($ph1ent['disabled']))
594
				continue;
595
596
			if ($ph1ent['mode'] == "aggressive")
597
				$aggressive = "yes";
598
			else
599
				$aggressive = "no";
600
601
			$ep = ipsec_get_phase1_src($ph1ent);
602
			if (!$ep)
603
				continue;
604
605
			$ikeid = $ph1ent['ikeid'];
606
			$keyexchange = "ikev1";
607
			$passive = "route";
608
			if (!empty($ph1ent['iketype'])) {
609
				if ($ph1ent['iketype'] == "ikev2") {
610
					$keyexchange = "ikev2";
611
					//$passive = "start";
612
				} else if ($ph1ent['iketype'] == "auto")
613
					$keyexchange = "ike";
614
			}
615 09628a07 Renato Botelho
616 3c5af33a Ermal LUÇI
			if (isset($ph1ent['mobile'])) {
617
				$right_spec = "%any";
618
				$passive = 'add';
619 c7edf1f8 Ermal LUÇI
			} else {
620 fdc9ac09 Ermal LUÇI
				if (isset($ph1ent['responderonly']))
621
					$passive = 'add';
622
623 3c5af33a Ermal LUÇI
				$right_spec = $ph1ent['remote-gateway'];
624 4e1fd3b6 Ermal LUÇI
				if (is_ipaddr($right_spec))
625
					$sourcehost = $right_spec;
626
				else
627
					$sourcehost = $rgmap['remote-gateway'];
628
629 39e3b27b Ermal LUÇI
				if ($ph1ent['protocol'] == 'inet') {
630 c7edf1f8 Ermal LUÇI
					if (strpos($ph1ent['interface'], '_vip')) {
631
						$vpninterface = explode('_vip', $ph1ent['interface']);
632
						$ifacesuse = get_real_interface($vpninterface[0]);
633 3ad33c0e Ermal LUÇI
						$vpninterface = $vpninterface[0];
634 c7edf1f8 Ermal LUÇI
					} else {
635
						$ifacesuse = get_failover_interface($ph1ent['interface']);
636 aeaa6143 Chris Buechler
						if (strpos($ifacesuse, '_vip')) {
637
							$vpninterface = explode('_vip', $ifacesuse);
638
							$ifacesuse = get_real_interface($vpninterface[0]);
639
							$vpninterface = $vpninterface[0];
640
						} else {
641
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
642
						}
643 c7edf1f8 Ermal LUÇI
					}
644
					
645 3ad33c0e Ermal LUÇI
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
646 44085a65 Ermal LUÇI
						$gatewayip = get_interface_gateway($vpninterface);
647
						$interfaceip = get_interface_ip($vpninterface);
648
						$subnet_bits = get_interface_subnet($vpninterface);
649 c7edf1f8 Ermal LUÇI
						$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
650
						/* if the remote gateway is in the local subnet, then don't add a route */
651 44085a65 Ermal LUÇI
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
652 c7edf1f8 Ermal LUÇI
							if (is_ipaddrv4($gatewayip)) {
653 cde88d5e Ermal LUÇI
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
654 44085a65 Ermal LUÇI
								mwexec("/sbin/route change -host {$sourcehost} {$gatewayip}", true);
655 c7edf1f8 Ermal LUÇI
							}
656
						}
657
					}
658 39e3b27b Ermal LUÇI
				} else if ($ph1ent['protocol'] == 'inet6') {
659 c7edf1f8 Ermal LUÇI
					if (strpos($ph1ent['interface'], '_vip')) {
660
						$vpninterface = explode('_vip', $ph1ent['interface']);
661
						$ifacesuse = get_real_interface($vpninterface[0]);
662 3ad33c0e Ermal LUÇI
						$vpninterface = $vpninterface[0];
663 c7edf1f8 Ermal LUÇI
					} else {
664
						$ifacesuse = get_failover_interface($ph1ent['interface']);
665 d8e4918f Chris Buechler
						if (strpos($ifacesuse, '_vip')) {
666
							$vpninterface = explode('_vip', $ifacesuse);
667
							$ifacesuse = get_real_interface($vpninterface[0]);
668
							$vpninterface = $vpninterface[0];
669
						} else {
670
							$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
671
						}
672 c7edf1f8 Ermal LUÇI
					}
673
					
674 44085a65 Ermal LUÇI
					if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
675
						$gatewayip = get_interface_gateway_v6($vpninterface);
676
						$interfaceip = get_interface_ipv6($vpninterface);
677
						$subnet_bits = get_interface_subnetv6($vpninterface);
678 c7edf1f8 Ermal LUÇI
						$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
679
						/* if the remote gateway is in the local subnet, then don't add a route */
680 44085a65 Ermal LUÇI
						if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
681 c7edf1f8 Ermal LUÇI
							if (is_ipaddrv6($gatewayip)) {
682 cde88d5e Ermal LUÇI
								// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
683 44085a65 Ermal LUÇI
								mwexec("/sbin/route change -inet6 -host {$sourcehost} {$gatewayip}", true);
684 c7edf1f8 Ermal LUÇI
							}
685
						}
686
					}
687
				}
688
			}
689 3c5af33a Ermal LUÇI
690 4e8eacfd Ermal LUÇI
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
691
			if ($myid_type == 'fqdn')
692
				$myid_data = "@{$myid_data}";
693
			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
694
			if ($peerid_type == 'fqdn')
695
				$peerid_data = "@{$peerid_data}";
696 3c5af33a Ermal LUÇI
697
			/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
698
			$peerid_spec = '';
699 4e8eacfd Ermal LUÇI
			if (!isset($ph1ent['mobile']))
700
				$peerid_spec = $peerid_data;
701 3c5af33a Ermal LUÇI
702
			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
703
				$ealgosp1 = '';
704
				$ealg_id = $ph1ent['encryption-algorithm']['name'];
705
				$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
706
				if ($ealg_kl)
707
					$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
708
				else
709
					$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
710 17da6c79 Scott Ullrich
711 3c5af33a Ermal LUÇI
				$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
712
				if (!empty($modp))
713
					$ealgosp1 .= "-{$modp}";
714 4178a1dd jim-p
715 3c5af33a Ermal LUÇI
				$ealgosp1 .= "!";
716
			}
717 96267107 Ermal
718 3c5af33a Ermal LUÇI
			if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
719
				if ($passive == "route")
720
					$dpdline = "dpdaction = restart";
721 0b5fc1d1 Ermal
				else
722 3c5af33a Ermal LUÇI
					$dpdline = "dpdaction = clear";
723
				$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
724
				$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
725
				$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
726
			} else
727
				$dpdline = "dpdaction = none";
728
729
			$ikelifeline = '';
730
			if ($ph1ent['lifetime'])
731
				$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
732
733
			$rightsourceip = NULL;
734
			if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) 
735
				$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
736
737
			$authentication = "";
738
			switch ($ph1ent['authentication_method']) {
739 f579c0fb Ermal LUÇI
			case 'eap-mschapv2':
740
				if (isset($ph1ent['mobile'])) {
741
					$authentication = "eap_identity=%any\n\t";
742
					$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
743
					if (!empty($ph1ent['certref']))
744
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
745
				}
746
				break;
747 3c5af33a Ermal LUÇI
			case 'eap-tls':
748 eb26d310 Ermal LUÇI
				if (isset($ph1ent['mobile'])) {
749
					$authentication = "eap_identity=%identity\n\t";
750
					$authentication .= "leftauth=pubkey\n\trightauth=eap-tls";
751
					if (!empty($ph1ent['certref']))
752
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
753 88a46519 Ermal LUÇI
				} else {
754 eb26d310 Ermal LUÇI
					$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
755
					if (!empty($ph1ent['certref']))
756
						$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
757
				}
758 3c5af33a Ermal LUÇI
				break;
759
			case 'xauth_rsa_server':
760
				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
761
				$authentication .= "\n\trightauth2 = xauth-generic";
762
				if (!empty($ph1ent['certref']))
763
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
764
				break;
765
			case 'xauth_psk_server':
766
				$authentication = "leftauth = psk\n\trightauth = psk";
767
				$authentication .= "\n\trightauth2 = xauth-generic";
768
				break;
769
			case 'pre_shared_key':
770
				$authentication = "leftauth = psk\n\trightauth = psk";
771
				break;
772
			case 'rsasig':
773
				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
774
				if (!empty($ph1ent['certref']))
775
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
776
				break;
777
			case 'hybrid_rsa_server':
778
				$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
779
				$authentication .= "\n\trightauth2 = xauth";
780
				if (!empty($ph1ent['certref']))
781
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
782
				break;
783
			}
784 3462a529 Matthew Grooms
785 3c5af33a Ermal LUÇI
			$left_spec = $ep;
786
787
			if (isset($ph1ent['reauth_enable']))
788
				$reauth = "reauth = no";
789
			else
790
				$reauth = "reauth = yes";
791
			if (isset($ph1ent['rekey_enable']))
792
				$rekey = "rekey = no";
793
			else
794
				$rekey = "rekey = yes";
795
796
			if ($ph1ent['nat_traversal'] == 'off')
797
				$forceencaps = 'forceencaps = no';
798
			else if ($ph1ent['nat_traversal'] == 'force')
799
				$forceencaps = 'forceencaps = yes';
800
			else
801
				$forceencaps = 'forceencaps = no';
802 7b404fde Chris Buechler
				
803
			if ($ph1ent['mobike'] == 'on')
804
				$mobike = 'mobike = yes';
805
			else
806
				$mobike = 'mobike = no';
807 3c5af33a Ermal LUÇI
808
			$ipseclifetime = 0;
809
			$rightsubnet_spec = array();
810
			$leftsubnet_spec = array();
811 b4013725 Ermal LUÇI
			$reqids = array();
812 3c5af33a Ermal LUÇI
			$ealgoAHsp2arr = array();
813
			$ealgoESPsp2arr = array();
814
		if (is_array($a_phase2) && count($a_phase2)) {
815
			foreach ($a_phase2 as $ph2ent) {
816
				if ($ikeid != $ph2ent['ikeid'])
817 0b5fc1d1 Ermal
					continue;
818 c52719a8 Scott Ullrich
819 3c5af33a Ermal LUÇI
				if (isset($ph2ent['disabled']))
820
					continue;
821 c52719a8 Scott Ullrich
822 3c5af33a Ermal LUÇI
				if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
823
					continue;
824 6586b30f Ermal
825 3c5af33a Ermal LUÇI
				if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
826
					$tunneltype = "type = tunnel";
827 96ef83a7 jim-p
828 3c5af33a Ermal LUÇI
					$localid_type = $ph2ent['localid']['type'];
829
					$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
830 c52719a8 Scott Ullrich
831 3c5af33a Ermal LUÇI
					/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
832
					if (($localid_type == "none" || $localid_type == "mobile")
833
					    && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
834
						$left_spec = '%any';
835
					} else {
836
						if ($localid_type != "address") {
837
							$localid_type = "subnet";
838
						}
839
						// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
840
						if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
841
							log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
842
							continue;
843
						}
844
						if (!empty($ph2ent['natlocalid'])) {
845
							$natleftsubnet_data =  ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
846
							if ($ph2ent['natlocalid']['type'] != "address") {
847
								if (is_subnet($natleftsubnet_data))
848
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
849
							} else {
850
								if (is_ipaddr($natleftsubnet_data))
851
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
852 3c107b76 Ermal
							}
853 3c5af33a Ermal LUÇI
							$natfilterrules = true;
854 20699f3f jim-p
						}
855 3c5af33a Ermal LUÇI
					}
856 3462a529 Matthew Grooms
857 3c5af33a Ermal LUÇI
					$leftsubnet_spec[] = $leftsubnet_data;
858 0b5fc1d1 Ermal
859 3c5af33a Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
860
						$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
861
						$rightsubnet_spec[] = $tmpsubnet;
862
					} else if (!empty($a_client['pool_address'])) {
863
						$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
864
					}
865
				} else {
866
					$tunneltype = "type = transport";
867 5b237745 Scott Ullrich
868 3c5af33a Ermal LUÇI
					if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
869
					    ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
870
						$left_spec = "%any";
871
					} else {
872
						$tmpsubnet = ipsec_get_phase1_src($ph1ent);
873
						$leftsubnet_spec[] = $tmpsubnet;
874
					}
875 0b5fc1d1 Ermal
876 3c5af33a Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
877
						$rightsubnet_spec[] = $right_spec;
878 3462a529 Matthew Grooms
					}
879 3c5af33a Ermal LUÇI
				}
880 c52719a8 Scott Ullrich
881 3c5af33a Ermal LUÇI
				if (isset($a_client['pfs_group']))
882
					$ph2ent['pfsgroup'] = $a_client['pfs_group'];
883
884
				if ($ph2ent['protocol'] == 'esp') {
885
					if (is_array($ph2ent['encryption-algorithm-option'])) {
886
						foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
887
							$ealg_id = $ealg['name'];
888
							$ealg_kl = $ealg['keylen'];
889
890
							if (!empty($ealg_kl) && $ealg_kl == "auto") {
891
								if (empty($p2_ealgos) || !is_array($p2_ealgos))
892
									require("ipsec.inc");
893
								$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
894
								$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
895
								$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
896
								/* XXX: in some cases where include ordering is suspect these variables
897
								 * are somehow 0 and we enter this loop forever and timeout after 900
898
								 * seconds wrecking bootup */
899
								if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
900
									for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
901
										if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
902
											foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
903
												$halgo = str_replace('hmac_', '', $halgo);
904
												$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
905 496acde1 Ermal
												$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
906
												if (!empty($modp))
907
													$tmpealgo .= "-{$modp}";
908 0b5fc1d1 Ermal
												$ealgoESPsp2arr[] = $tmpealgo;
909 496acde1 Ermal
											}
910 3c5af33a Ermal LUÇI
										} else {
911
											$tmpealgo = "{$ealg_id}{$keylen}";
912 c650b2f7 Ermal
											$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
913
											if (!empty($modp))
914
												$tmpealgo .= "-{$modp}";
915
											$ealgoESPsp2arr[] = $tmpealgo;
916
										}
917 3c5af33a Ermal LUÇI
									}
918
								}
919
							} else {
920
								if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
921
									foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
922
										$halgo = str_replace('hmac_', '', $halgo);
923
										$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
924 496acde1 Ermal
										$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
925
										if (!empty($modp))
926
											$tmpealgo .= "-{$modp}";
927 0b5fc1d1 Ermal
										$ealgoESPsp2arr[] = $tmpealgo;
928 496acde1 Ermal
									}
929 3c5af33a Ermal LUÇI
								} else {
930
									$tmpealgo = "{$ealg_id}{$ealg_kl}";
931
									$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
932
									if (!empty($modp))
933
										$tmpealgo .= "-{$modp}";
934
									$ealgoESPsp2arr[] = $tmpealgo;
935 a93e56c5 Matthew Grooms
								}
936 979cd6db Scott Ullrich
							}
937 496acde1 Ermal
						}
938 3c5af33a Ermal LUÇI
					}
939
				} else if ($ph2ent['protocol'] == 'ah') {
940
					if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
941
						$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
942
						foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
943
							$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
944
							if (!empty($modp))
945
								$tmpAHalgo = "-{$modp}";
946
							$ealgoAHsp2arr[] = $tmpAHalgo;
947 a93e56c5 Matthew Grooms
						}
948 a63f7d55 Scott Ullrich
					}
949 3c5af33a Ermal LUÇI
				}
950 c52719a8 Scott Ullrich
951 b4013725 Ermal LUÇI
				$reqids[] = $ph2ent['reqid'];
952 4b96b367 mgrooms
953 3c5af33a Ermal LUÇI
				if (!empty($ph2ent['lifetime'])) {
954
					if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
955
						$ipseclifetime = intval($ph2ent['lifetime']);
956 0b5fc1d1 Ermal
				}
957 496acde1 Ermal
958 3c5af33a Ermal LUÇI
			}
959
		}
960 496acde1 Ermal
961 3c5af33a Ermal LUÇI
			$ipsecconnect =<<<EOD
962 496acde1 Ermal
	fragmentation = yes
963
	keyexchange = {$keyexchange}
964 16c02722 Ermal
	{$reauth}
965 8cb7d3e3 Ermal
	{$forceencaps}
966 7b404fde Chris Buechler
	{$mobike}
967 16c02722 Ermal
	{$rekey}
968 496acde1 Ermal
	installpolicy = yes
969
	{$tunneltype}
970
	{$dpdline}
971
	auto = {$passive}
972 0b5fc1d1 Ermal
	left = {$left_spec}
973
	right = {$right_spec}
974 496acde1 Ermal
	leftid = {$myid_data}
975 5b237745 Scott Ullrich
976
EOD;
977 4b96b367 mgrooms
978 d2884b9a Chris Buechler
			if (isset($config['ipsec']['compression'])) {
979 6be58d9d Chris Buechler
				$ipsecconnect .= "\tcompress = yes\n";
980 45efe1b6 Ermal LUÇI
				$enablecompression = true;
981
			}
982 3c5af33a Ermal LUÇI
			if (!empty($ikelifeline))
983
				$ipsecconnect .= "\t{$ikelifeline}\n";
984
			if ($ipseclifetime > 0)
985
				$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
986
			if (!empty($rightsourceip))
987
				$ipsecconnect .= "{$rightsourceip}";
988
			if (!empty($ealgosp1))
989
				$ipsecconnect .= "\t{$ealgosp1}\n";
990
			if (!empty($ealgoAHsp2arr))
991
				$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
992
			if (!empty($ealgoESPsp2arr))
993
				$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
994
			if (!empty($authentication))
995
				$ipsecconnect .= "\t{$authentication}\n";
996
			if (!empty($peerid_spec))
997
				$ipsecconnect .= "\trightid = {$peerid_spec}\n";
998
			if ($keyexchange == 'ikev1')
999
				$ipsecconnect .= "\taggressive = {$aggressive}\n";
1000
1001
			if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
1002
				if (!empty($rightsubnet_spec)) {
1003
					$ipsecfin = '';
1004
					foreach ($rightsubnet_spec as $idx => $rsubnet) {
1005
						$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
1006 656fd270 Ermal LUÇI
						if (!empty($reqids[$idx]))
1007
							$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
1008 3c5af33a Ermal LUÇI
						$ipsecfin .= $ipsecconnect;
1009
						$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
1010
						$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
1011
					}
1012
				} else
1013
					log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
1014
			} else {
1015
				$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
1016 656fd270 Ermal LUÇI
				if (!empty($reqids[$idx]))
1017
					$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
1018 3c5af33a Ermal LUÇI
				$ipsecfin .= $ipsecconnect;
1019 034a23f0 Ermal LUÇI
				if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
1020 3c5af33a Ermal LUÇI
					$tempsubnets = array();
1021
					foreach ($rightsubnet_spec as $rightsubnet)
1022
						$tempsubnets[$rightsubnet] = $rightsubnet;
1023
					$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
1024
					unset($tempsubnets, $rightsubnet);
1025
				}
1026
				if (!empty($leftsubnet_spec)) {
1027
					$tempsubnets = array();
1028
					foreach ($leftsubnet_spec as $leftsubnet)
1029
						$tempsubnets[$leftsubnet] = $leftsubnet;
1030
					$ipsecfin .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
1031
					unset($tempsubnets, $leftsubnet);
1032
				}
1033 a93e56c5 Matthew Grooms
			}
1034 3c5af33a Ermal LUÇI
			$ipsecconf .= $ipsecfin;
1035
			unset($ipsecfin);
1036
1037 a93e56c5 Matthew Grooms
		}
1038 496acde1 Ermal
	}
1039 3c5af33a Ermal LUÇI
1040 496acde1 Ermal
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
1041
	unset($ipsecconf);
1042 6c576b27 Ermal
	/* end ipsec.conf */
1043 496acde1 Ermal
1044 45efe1b6 Ermal LUÇI
	if ($enablecompression === true)
1045
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
1046
	else
1047
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
1048
1049 6c576b27 Ermal
	/* manage process */
1050 41da54ce Ermal LUÇI
	if ($restart === true) {
1051
		mwexec("/usr/local/sbin/ipsec restart", false); 
1052 496acde1 Ermal
	} else {
1053 41da54ce Ermal LUÇI
		if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
1054
			/* Read secrets */
1055
			mwexec("/usr/local/sbin/ipsec rereadall", false);
1056
			/* Update configuration changes */
1057
			mwexec("/usr/local/sbin/ipsec update", false);
1058
		} else {
1059
			mwexec("/usr/local/sbin/ipsec start", false); 
1060
		}
1061 496acde1 Ermal
	}
1062 9abaa8f7 Ermal
1063 496acde1 Ermal
	if ($natfilterrules == true)
1064
		filter_configure();
1065
	/* start filterdns, if necessary */
1066
	if (count($filterdns_list) > 0) {
1067
		$interval = 60;
1068
		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
1069
			$interval = $ipseccfg['dns-interval'];
1070
1071
		$hostnames = "";
1072
		array_unique($filterdns_list);
1073
		foreach ($filterdns_list as $hostname)
1074
			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
1075
		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
1076
		unset($hostnames);
1077
1078
		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid"))
1079
			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
1080
		else {
1081
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
1082 5b237745 Scott Ullrich
		}
1083 496acde1 Ermal
	} else {
1084
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
1085
		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
1086
	}
1087 09628a07 Renato Botelho
1088 285ef132 Ermal LUÇI
	if (platform_booting())
1089 496acde1 Ermal
		echo "done\n";
1090 8f67a8e1 Scott Ullrich
1091 496acde1 Ermal
	return count($filterdns_list);
1092 5b237745 Scott Ullrich
}
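/*
 * Forcefully restart IPsec.
 * This is required when dynamic interfaces reload; on all other
 * occasions the normal vpn_ipsec_configure() gracefully reloads the
 * settings without restarting.
 *
 * $interface: optional interface name, compared against the 'interface'
 * field of each phase 1 entry. When given, the reload is skipped (and
 * logged) unless at least one enabled phase 1 entry is bound to it.
 * An empty value means "reload regardless of interface".
 * Returns nothing; when IPsec is globally disabled nothing is started.
 */
function vpn_ipsec_force_reload($interface = "") {
	global $config;

	$ipseccfg = $config['ipsec'];

	/* With a named interface, only reload if an enabled tunnel actually uses it. */
	if (!empty($interface) && is_array($ipseccfg['phase1'])) {
		$found = false;
		foreach ($ipseccfg['phase1'] as $ph1ent) {
			if (isset($ph1ent['disabled']))
				continue;
			/* strict compare: interface names are plain strings, no loose coercion wanted */
			if (isset($ph1ent['interface']) && $ph1ent['interface'] === $interface) {
				$found = true;
				break;
			}
		}
		if (!$found) {
			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
			return;
		}
	}

	/* Nothing to do when IPsec is disabled as a whole. */
	if (!isset($ipseccfg['enable']))
		return;

	log_error(gettext("Forcefully reloading IPsec"));
	/* NOTE(review): despite the name, this calls vpn_ipsec_configure() with no
	 * arguments; whether that takes the "restart" path depends on that function's
	 * default parameter, which is defined elsewhere in this file -- confirm. */
	vpn_ipsec_configure();
}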
/* master setup for vpn (mpd): brings up the PPTP, PPPoE server and L2TP
 * services, in that order. Nothing is started on the 'jail' platform. */
function vpn_setup() {
	global $g;

	if ($g['platform'] != 'jail') {
		/* pptpd, then the pppoe server(s), then l2tp */
		vpn_pptpd_configure();
		vpn_pppoes_configure();
		vpn_l2tp_configure();
	}
}
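/*
 * Call pfSense_ngctl_attach(".", <real interface>) for every configured
 * interface whose reported iftype is one of ether, vlan or bridge.
 * Interfaces with no address info from the kernel, or with any other
 * iftype, are skipped. Returns nothing.
 */
function vpn_netgraph_support() {
	/* NIC types that get a netgraph(4) node attached */
	$ngtypes = array("ether", "vlan", "bridge");

	$iflist = get_configured_interface_list();
	if (!is_array($iflist))
		return;

	foreach ($iflist as $iface) {
		$realif = get_real_interface($iface);
		/* Get support for netgraph(4) from the nic */
		$ifinfo = pfSense_get_interface_addresses($realif);
		if (empty($ifinfo) || !isset($ifinfo['iftype']))
			continue;
		/* strict membership test: iftype is a string, avoid loose "0" == "ether" style matches */
		if (in_array($ifinfo['iftype'], $ngtypes, true))
			pfSense_ngctl_attach(".", $realif);
	}
}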
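/*
 * Configure and (re)start the PPTP VPN server (mpd).
 *
 * Reads $config['pptpd'] and, when the mode is 'server', writes mpd.conf,
 * mpd.links and mpd.secret under {$g['varetc_path']}/pptp-vpn and launches
 * mpd4. Outside of boot, a running mpd is killed first and the previous
 * config files are removed. Mode 'redir' writes nothing.
 *
 * Returns 0 on success or when nothing had to be done, 1 when one of the
 * config files could not be opened, and null (bare return) when
 * n_pptp_units is missing -- kept as-is so existing callers see the same values.
 */
function vpn_pptpd_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$pptpdcfg = $config['pptpd'];
	$etcdir = "{$g['varetc_path']}/pptp-vpn";
	$pidfile = "{$g['varrun_path']}/pptp-vpn.pid";

	if (platform_booting()) {
		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
			return 0;

		if (platform_booting(true))
			echo gettext("Configuring PPTP VPN service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(3);

		if (is_process_running("mpd -b")) {
			killbypid($pidfile);
			log_error(gettext("Could not kill mpd within 3 seconds.   Trying again."));
		}

		/* remove the previous config files, if they exist */
		unlink_if_exists("{$etcdir}/mpd.conf");
		unlink_if_exists("{$etcdir}/mpd.links");
		unlink_if_exists("{$etcdir}/mpd.secret");
	}

	if (empty($pptpdcfg['n_pptp_units'])) {
		log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
		return;
	}

	/* make sure pptp-vpn directory exists */
	if (!file_exists($etcdir))
		mkdir($etcdir);

	switch ($pptpdcfg['mode']) {
		case 'server' :
			/* write mpd.conf */
			$fd = fopen("{$etcdir}/mpd.conf", "w");
			if (!$fd) {
				/* echo, not printf: a translated message must never be used as a format string */
				echo gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n";
				return 1;
			}

			$mpdconf = <<<EOD
pptps:

EOD;

			/* one link per unit: pt0 .. pt(n-1) */
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdconf .= "\tload pt{$i}\n";
			}

			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				/* unit i hands out remoteip + i to its client */
				$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);

				$mpdconf .= <<<EOD

pt{$i}:
	new -i pptpd{$i} pt{$i} pt{$i}
	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
	load pts

EOD;
			}

			$mpdconf .= <<<EOD

pts:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set iface idle 1800
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set bundle enable multilink
	set bundle enable crypt-reqd
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap-msv2
	set link mtu 1460
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

EOD;

			/* unless 128-bit MPPE is required, the weaker 40/56-bit ciphers are also offered */
			if (!isset($pptpdcfg['req128'])) {
				$mpdconf .= <<<EOD
	set ccp yes mpp-e40
	set ccp yes mpp-e56

EOD;
			}

			if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "")
				$mpdconf .= "\tset ipcp nbns {$pptpdcfg['wins']}\n";

			/* DNS handed to clients: explicit dns1/dns2 win; otherwise, when a local
			 * resolver (dnsmasq or unbound) is enabled, the LAN address plus the first
			 * system DNS server; otherwise the whole system DNS server list. */
			if (!empty($pptpdcfg['dns1'])) {
				$mpdconf .= "\tset ipcp dns " . $pptpdcfg['dns1'];
				if (!empty($pptpdcfg['dns2']))
					$mpdconf .= " " . $pptpdcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "\tset ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pptpdcfg['radius']['server']['enable'])) {
				/* NOTE(review): the RADIUS shared secret is written into mpd.conf, which is
				 * created with the default umask; unlike mpd.secret it is not chmod'ed 0600. */
				/* a configured port shorter than two characters falls back to 1812
				 * (existing heuristic, kept as-is); the accounting port is auth port + 1 */
				$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
				$acctport = $authport + 1;
				$mpdconf .= <<<EOD
	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}

EOD;
				/* the second server is only emitted when the first one is enabled
				 * (unchanged behaviour); note its secret lives under the 'secret2' key */
				if (isset($pptpdcfg['radius']['server2']['enable'])) {
					$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
					$acctport = $authport + 1;
					$mpdconf .= <<<EOD
	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}

EOD;
				}
				$mpdconf .= <<<EOD
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($pptpdcfg['radius']['accounting'])) {
					$mpdconf .= <<<EOD
	set auth enable radius-acct
	set radius acct-update 300

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$etcdir}/mpd.links", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n";
				return 1;
			}

			$mpdlinks = "";
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdlinks .= <<<EOD

pt{$i}:
	set link type pptp
	set pptp enable incoming
	set pptp disable originate
	set pptp disable windowing

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$etcdir}/mpd.secret", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n";
				return 1;
			}
			/* mpd.secret holds plaintext passwords: restrict it before anything is
			 * written, so it is never readable under the default umask in the window
			 * between creation and the chmod that previously followed the write. */
			chmod("{$etcdir}/mpd.secret", 0600);

			$mpdsecret = "";
			if (is_array($pptpdcfg['user'])) {
				foreach ($pptpdcfg['user'] as $user) {
					/* the password is emitted double-quoted, so escape backslashes first,
					 * then embedded double quotes; name and ip are written as-is */
					$pass = str_replace('\\', '\\\\', $user['password']);
					$pass = str_replace('"', '\"', $pass);
					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$etcdir} -p {$pidfile} -s pptps pptps");

			break;

		case 'redir' :
			break;
	}

	if (platform_booting())
		echo "done\n";

	return 0;
}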
/* Configure every PPPoE server instance listed under $config['pppoes']['pppoe'];
 * a missing or non-array list means there is nothing to configure. */
function vpn_pppoes_configure() {
	global $config;

	$servers = $config['pppoes']['pppoe'];
	if (!is_array($servers))
		return;

	foreach ($servers as $pppoe)
		vpn_pppoe_configure($pppoe);
}
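/*
 * Configure one mpd-based PPPoE server instance and (re)start it.
 *
 * Writes mpd.conf, mpd.links and, when local users are defined, mpd.secret
 * under {$g['varetc_path']}/pppoe<id>-vpn and launches mpd4 on them.  Only
 * mode 'server' generates anything; outside of boot any other mode merely
 * stops a running instance.
 *
 * Passwords and the RADIUS shared secret are emitted inside double quotes,
 * so they are escaped the same way vpn_pptpd_configure() escapes mpd.secret
 * entries (backslash and double quote), instead of being pasted raw.
 *
 * @param array $pppoecfg one <pppoe> entry of $config['pppoes'] (by reference
 *                        as callers pass it; it is not modified here)
 * @return int 0 on success or when disabled at boot, 1 when a config file
 *             cannot be opened for writing
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];
	$id = $pppoecfg['pppoeid'];
	/* every instance has its own config directory and pid file */
	$etcdir = "{$g['varetc_path']}/pppoe{$id}-vpn";
	$pidfile = "{$g['varrun_path']}/pppoe{$id}-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($etcdir))
		mkdir($etcdir);

	if (platform_booting()) {
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring PPPoE Server service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(2);
	}

	switch ($pppoecfg['mode']) {

		case 'server' :

			$pppoe_interface = get_real_interface($pppoecfg['interface']);
			/* cast once: the unit loops compare against this value, and a
			 * non-numeric string compared with an int would not terminate
			 * them on PHP 8 */
			$units = (int)$pppoecfg['n_pppoe_units'];

			if ($pppoecfg['paporchap'] == "chap")
				$paporchap = "set link enable chap";
			else
				$paporchap = "set link enable pap";

			/* write mpd.conf */
			$fd = fopen("{$etcdir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret; mpd already reads
			 * the 0600 mpd.secret in this directory, so restrict it the same
			 * way, and do so before anything is written */
			chmod("{$etcdir}/mpd.conf", 0600);
			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			for ($i = 0; $i < $units; $i++) {
				$mpdconf .= "	load poes{$id}{$i}\n";
			}

			for ($i = 0; $i < $units; $i++) {

				/* unit i is handed the i-th address after remoteip */
				$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);

				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					/* RADIUS assigns the client address: accept any */
					$ipcp_ranges = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$ipcp_ranges = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$id}{$i}:
	new -i poes{$id}{$i} poes{$id}{$i} poes{$id}{$i}
	{$ipcp_ranges}
	load pppoe_standard

EOD;
			}

			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins 1
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			/* DNS handed to clients: explicit servers win, then a local
			 * resolver (dnsmasq or unbound) via the LAN address, then the
			 * system DNS list */
			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2']))
					$mpdconf .= " " . $pppoecfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if (!empty($syscfg['dnsserver'][0]))
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && !empty($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pppoecfg['radius']['server']['enable'])) {
				$radius = $pppoecfg['radius']['server'];
				$radiusport = isset($radius['port']) ? $radius['port'] : "";
				$radiusacctport = isset($radius['acctport']) ? $radius['acctport'] : "";
				/* the secret sits inside double quotes on the command line */
				$radiussecret = str_replace('\\', '\\\\', $radius['secret']);
				$radiussecret = str_replace('"', '\"', $radiussecret);
				$mpdconf .= "	set radius server {$radius['ip']} \"{$radiussecret}\" {$radiusport} {$radiusacctport}\n";
				$mpdconf .= "	set radius retries 3\n";
				$mpdconf .= "	set radius timeout 10\n";
				$mpdconf .= "	set auth enable radius-auth\n";

				if (isset($pppoecfg['radius']['accounting']))
					$mpdconf .= "	set auth enable radius-acct\n";
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$etcdir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $units; $i++) {
				$mpdlinks .=<<<EOD

poes{$id}{$i}:
	set phys type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set pppoe disable originate
	set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			if (!empty($pppoecfg['username'])) {
				/* write mpd.secret */
				$fd = fopen("{$etcdir}/mpd.secret", "w");
				if (!$fd) {
					printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
					return 1;
				}
				/* restrict before the passwords are written, not after */
				chmod("{$etcdir}/mpd.secret", 0600);

				$mpdsecret = "\n\n";

				/* entries are "name:base64(password):ip", space separated;
				 * a missing field yields an empty column rather than a notice */
				foreach (explode(" ", $pppoecfg['username']) as $userdata) {
					$data = explode(":", $userdata);
					$encoded = isset($data[1]) ? $data[1] : "";
					$pass = str_replace('\\', '\\\\', base64_decode($encoded));
					$pass = str_replace('"', '\"', $pass);
					$ip = isset($data[2]) ? $data[2] : "";
					$mpdsecret .= "{$data[0]} \"{$pass}\" {$ip}\n";
				}

				fwrite($fd, $mpdsecret);
				fclose($fd);
				unset($mpdsecret);
			}

			/* Check if previous instance is still up */
			while (file_exists($pidfile) && isvalidpid($pidfile))
				killbypid($pidfile);

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);
			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$etcdir} -p {$pidfile} -s poes poes");

			break;
	}

	if (platform_booting())
		echo gettext("done") . "\n";

	return 0;
}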
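/*
 * Configure the mpd-based L2TP server and (re)start it.
 *
 * Writes mpd.conf, mpd.links and mpd.secret under
 * {$g['varetc_path']}/l2tp-vpn from $config['l2tp'] and launches mpd4 on
 * them.  Only mode 'server' generates anything; outside of boot any other
 * mode merely stops a running instance.
 *
 * User passwords, the RADIUS shared secret and the L2TP tunnel secret are
 * emitted inside double quotes, escaped the way vpn_pptpd_configure()
 * escapes mpd.secret entries (backslash and double quote).
 *
 * @return int 0 on success or when disabled at boot, 1 when a config file
 *             cannot be opened for writing
 */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];
	$etcdir = "{$g['varetc_path']}/l2tp-vpn";
	$pidfile = "{$g['varrun_path']}/l2tp-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($etcdir))
		mkdir($etcdir);

	if (platform_booting()) {
		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(8);
	}

	switch ($l2tpcfg['mode']) {

		case 'server' :
			/* cast once: the unit loops compare against this value, and a
			 * non-numeric string compared with an int would not terminate
			 * them on PHP 8 */
			$units = (int)$l2tpcfg['n_l2tp_units'];

			if ($l2tpcfg['paporchap'] == "chap")
				$paporchap = "set link enable chap";
			else
				$paporchap = "set link enable pap";

			/* write mpd.conf */
			$fd = fopen("{$etcdir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret; mpd already reads
			 * the 0600 mpd.secret in this directory, so restrict it the same
			 * way, and do so before anything is written */
			chmod("{$etcdir}/mpd.conf", 0600);
			$mpdconf = "\n\n";
			$mpdconf .= "l2tps:\n";

			for ($i = 0; $i < $units; $i++) {
				$mpdconf .= "	load l2tp{$i}\n";
			}

			for ($i = 0; $i < $units; $i++) {

				/* unit i is handed the i-th address after remoteip */
				$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);

				if (isset($l2tpcfg['radius']['radiusissueips']) && isset($l2tpcfg['radius']['enable'])) {
					/* RADIUS assigns the client address: accept any */
					$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
				} else {
					$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$ipcp_ranges}
	load l2tp_standard

EOD;
			}

			$mpdconf .=<<<EOD

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	{$paporchap}
	set link keep-alive 10 180

EOD;

			if (is_ipaddr($l2tpcfg['wins'])) {
				$mpdconf .= "	set ipcp nbns {$l2tpcfg['wins']}\n";
			}

			/* DNS handed to clients: explicit servers win, then a local
			 * resolver (dnsmasq or unbound) via the LAN address, then the
			 * system DNS list */
			if (is_ipaddr($l2tpcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $l2tpcfg['dns1'];
				if (is_ipaddr($l2tpcfg['dns2']))
					$mpdconf .= " " . $l2tpcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if (!empty($syscfg['dnsserver'][0]))
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && !empty($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($l2tpcfg['radius']['enable'])) {
				/* the secret sits inside double quotes on the command line */
				$radiussecret = str_replace('\\', '\\\\', $l2tpcfg['radius']['secret']);
				$radiussecret = str_replace('"', '\"', $radiussecret);
				$mpdconf .= "	set radius server {$l2tpcfg['radius']['server']} \"{$radiussecret}\"\n";
				$mpdconf .= "	set radius retries 3\n";
				$mpdconf .= "	set radius timeout 10\n";
				$mpdconf .= "	set auth enable radius-auth\n";

				if (isset($l2tpcfg['radius']['accounting']))
					$mpdconf .= "	set auth enable radius-acct\n";
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$etcdir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* may hold the tunnel secret, keep it as private as mpd.secret */
			chmod("{$etcdir}/mpd.links", 0600);

			/* optional tunnel secret, shared by every link */
			$l2tpsecret = "";
			if (!empty($l2tpcfg['secret'])) {
				$l2tpsecret = str_replace('\\', '\\\\', $l2tpcfg['secret']);
				$l2tpsecret = str_replace('"', '\"', $l2tpsecret);
			}

			$mpdlinks = "";

			for ($i = 0; $i < $units; $i++) {
				$mpdlinks .=<<<EOD

l2tp{$i}:
	set link type l2tp
	set l2tp enable incoming
	set l2tp disable originate

EOD;
				if ($l2tpsecret !== "") {
					/* indented like the commands above: mpd appears to take
					 * only indented lines as commands of the preceding label,
					 * an unindented one was not part of the link block —
					 * NOTE(review): confirm against the mpd version in use */
					$mpdlinks .= "	set l2tp secret \"{$l2tpsecret}\"\n";
				}
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$etcdir}/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
				return 1;
			}
			/* restrict before the passwords are written, not after */
			chmod("{$etcdir}/mpd.secret", 0600);

			$mpdsecret = "\n\n";

			if (is_array($l2tpcfg['user'])) {
				foreach ($l2tpcfg['user'] as $user) {
					/* quoted field: a raw '"' or '\' in the password would
					 * otherwise break the line's format */
					$pass = str_replace('\\', '\\\\', $user['password']);
					$pass = str_replace('"', '\"', $pass);
					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$etcdir} -p {$pidfile} -s l2tps l2tps");

			break;

		case 'redir' :
			break;
	}

	if (platform_booting())
		echo "done\n";

	return 0;
}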
?>