Revision 6684d594
Added by Matthew Smith over 9 years ago
| src/etc/inc/vpn.inc | ||
|---|---|---|
| 143 | 143 |
/* wait for process to die */ |
| 144 | 144 |
sleep(2); |
| 145 | 145 |
|
| 146 |
/* IPSEC is off, shutdown enc interface. */
|
|
| 146 |
/* disallow IPSEC, it is off */
|
|
| 147 | 147 |
mwexec("/sbin/ifconfig enc0 down");
|
| 148 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
|
|
| 148 | 149 |
|
| 149 | 150 |
return 0; |
| 150 | 151 |
} |
| ... | ... | |
| 159 | 160 |
$crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls";
|
| 160 | 161 |
|
| 161 | 162 |
mwexec("/sbin/ifconfig enc0 up");
|
| 163 |
set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
|
|
| 162 | 164 |
if (php_uname('m') != "amd64") {
|
| 163 | 165 |
set_single_sysctl("net.inet.ipsec.directdispatch", "0");
|
| 164 | 166 |
} |
| ... | ... | |
| 205 | 207 |
echo gettext("Configuring IPsec VPN... ");
|
| 206 | 208 |
} |
| 207 | 209 |
|
| 210 |
/* fastforwarding is not compatible with ipsec tunnels */ |
|
| 211 |
set_single_sysctl("net.inet.ip.fastforwarding", "0");
|
|
| 212 |
|
|
| 208 | 213 |
/* resolve all local, peer addresses and setup pings */ |
| 209 | 214 |
$ipmap = array(); |
| 210 | 215 |
$rgmap = array(); |
| ... | ... | |
| 213 | 218 |
$aggressive_mode_psk = false; |
| 214 | 219 |
unset($iflist); |
| 215 | 220 |
$ifacesuse = array(); |
| 221 |
$mobile_ipsec_auth = ""; |
|
| 216 | 222 |
if (is_array($a_phase1) && count($a_phase1)) {
|
| 217 | 223 |
|
| 218 | 224 |
$ipsecpinghosts = ""; |
| ... | ... | |
| 256 | 262 |
try to resolve it now and add it to the list for filterdns */ |
| 257 | 263 |
|
| 258 | 264 |
if (isset ($ph1ent['mobile'])) {
|
| 265 |
$mobile_ipsec_auth = $ph1ent['authentication_method']; |
|
| 259 | 266 |
continue; |
| 260 | 267 |
} |
| 261 | 268 |
|
| ... | ... | |
| 440 | 447 |
|
| 441 | 448 |
$strongswan .= "\tplugins {\n";
|
| 442 | 449 |
|
| 450 |
/* Find RADIUS servers designated for Mobile IPsec user auth */ |
|
| 451 |
$radius_server_txt = ""; |
|
| 452 |
$user_sources = explode(',', $config['ipsec']['client']['user_source']);
|
|
| 453 |
foreach ($user_sources as $user_source) {
|
|
| 454 |
$auth_server = auth_get_authserver($user_source); |
|
| 455 |
$nice_user_source = strtolower(preg_replace('/\s+/', '_', $user_source));
|
|
| 456 |
if ($auth_server && $auth_server['type'] === 'radius') {
|
|
| 457 |
$radius_server_txt .= <<<EOD |
|
| 458 |
{$nice_user_source} {
|
|
| 459 |
address = {$auth_server['host']}
|
|
| 460 |
secret = {$auth_server['radius_secret']}
|
|
| 461 |
auth_port = {$auth_server['radius_auth_port']}
|
|
| 462 |
acct_port = {$auth_server['radius_acct_port']}
|
|
| 463 |
} |
|
| 464 |
|
|
| 465 |
EOD; |
|
| 466 |
} |
|
| 467 |
} |
|
| 468 |
|
|
| 469 |
/* write an eap-radius config section if appropriate */ |
|
| 470 |
if (strlen($radius_server_txt) && ($mobile_ipsec_auth === "eap-radius")) {
|
|
| 471 |
$strongswan .= <<<EOD |
|
| 472 |
eap-radius {
|
|
| 473 |
class_group = yes |
|
| 474 |
eap_start = no |
|
| 475 |
servers {
|
|
| 476 |
{$radius_server_txt}
|
|
| 477 |
} |
|
| 478 |
} |
|
| 479 |
|
|
| 480 |
EOD; |
|
| 481 |
} |
|
| 482 |
|
|
| 483 |
/* |
|
| 443 | 484 |
$a_servers = auth_get_authserver_list(); |
| 444 | 485 |
foreach ($a_servers as $id => $pconfig) {
|
| 445 | 486 |
if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
|
| ... | ... | |
| 461 | 502 |
break; |
| 462 | 503 |
} |
| 463 | 504 |
} |
| 505 |
*/ |
|
| 464 | 506 |
|
| 465 | 507 |
if (is_array($a_client) && isset($a_client['enable'])) {
|
| 466 | 508 |
$strongswan .= "\t\tattr {\n";
|
| ... | ... | |
| 990 | 1032 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; |
| 991 | 1033 |
if (!empty($ph1ent['certref'])) {
|
| 992 | 1034 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 993 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 994 | 1035 |
} |
| 995 | 1036 |
} |
| 996 | 1037 |
break; |
| ... | ... | |
| 1000 | 1041 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; |
| 1001 | 1042 |
if (!empty($ph1ent['certref'])) {
|
| 1002 | 1043 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1003 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1004 | 1044 |
} |
| 1005 | 1045 |
} else {
|
| 1006 | 1046 |
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; |
| 1007 | 1047 |
if (!empty($ph1ent['certref'])) {
|
| 1008 | 1048 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1009 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1010 | 1049 |
} |
| 1011 | 1050 |
} |
| 1012 | 1051 |
if (isset($casub)) {
|
| ... | ... | |
| 1019 | 1058 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; |
| 1020 | 1059 |
if (!empty($ph1ent['certref'])) {
|
| 1021 | 1060 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1022 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1023 | 1061 |
} |
| 1024 | 1062 |
} else {
|
| 1025 | 1063 |
$authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; |
| 1026 | 1064 |
if (!empty($ph1ent['certref'])) {
|
| 1027 | 1065 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
| 1028 |
$authentication .= "\n\tleftsendcert=always"; |
|
| 1029 | 1066 |
} |
| 1030 | 1067 |
} |
| 1031 | 1068 |
break; |
| src/usr/local/www/vpn_ipsec_mobile.php | ||
|---|---|---|
| 147 | 147 |
unset($input_errors); |
| 148 | 148 |
$pconfig = $_POST; |
| 149 | 149 |
|
| 150 |
foreach ($a_phase1 as $ph1ent) {
|
|
| 151 |
if (isset($ph1ent['mobile'])) {
|
|
| 152 |
$mobileph1 = $ph1ent; |
|
| 153 |
} |
|
| 154 |
} |
|
| 150 | 155 |
/* input consolidation */ |
| 151 | 156 |
|
| 152 | 157 |
/* input validation */ |
| ... | ... | |
| 222 | 227 |
} |
| 223 | 228 |
} |
| 224 | 229 |
|
| 230 |
if ($pconfig['user_source']) {
|
|
| 231 |
if (isset($mobileph1) && $mobileph1['authentication_method'] == 'eap-radius') {
|
|
| 232 |
foreach ($pconfig['user_source'] as $auth_server_name) {
|
|
| 233 |
$auth_server = auth_get_authserver($auth_server_name); |
|
| 234 |
if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
|
|
| 235 |
$input_errors[] = gettext("Only valid RADIUS servers may be selected as a user source when using EAP-RADIUS for authentication on the Mobile IPsec VPN.");
|
|
| 236 |
$pconfig['user_source'] = implode(',', $pconfig['user_source']);
|
|
| 237 |
} |
|
| 238 |
} |
|
| 239 |
} |
|
| 240 |
} |
|
| 241 |
|
|
| 225 | 242 |
if (!$input_errors) {
|
| 226 | 243 |
$client = array(); |
| 227 | 244 |
|
| src/usr/local/www/vpn_ipsec_phase1.php | ||
|---|---|---|
| 416 | 416 |
} |
| 417 | 417 |
|
| 418 | 418 |
/* auth backend for mobile eap-radius VPNs should be a RADIUS server */ |
| 419 |
|
|
| 420 | 419 |
if (($pconfig['authentication_method'] == 'eap-radius') && $pconfig['mobile']) {
|
| 421 |
$auth_server_name = $config['ipsec']['client']['user_source']; |
|
| 422 |
$auth_server = auth_get_authserver($auth_server_name); |
|
| 423 |
if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
|
|
| 424 |
$input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
|
|
| 420 |
if (!empty($config['ipsec']['client']['user_source'])) {
|
|
| 421 |
$auth_server_list = explode(',', $config['ipsec']['client']['user_source']);
|
|
| 422 |
foreach ($auth_server_list as $auth_server_name) {
|
|
| 423 |
$auth_server = auth_get_authserver($auth_server_name); |
|
| 424 |
if (!is_array($auth_server) || ($auth_server['type'] != 'radius')) {
|
|
| 425 |
$input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
|
|
| 426 |
} |
|
| 427 |
} |
|
| 425 | 428 |
} |
| 426 | 429 |
} |
| 427 |
|
|
| 428 |
|
|
| 430 |
|
|
| 429 | 431 |
/* build our encryption algorithms array */ |
| 430 | 432 |
$pconfig['ealgo'] = array(); |
| 431 | 433 |
$pconfig['ealgo']['name'] = $_POST['ealgo']; |
Also available in: Unified diff
Don't allow IPsec mobile clients user auth source to not be a RADIUS server if
the phase1 auth method is EAP-RADIUS. Properly handle selection of multiple
RADIUS servers when using EAP-RADIUS. Fixes #5219.