Project

General

Profile

Download (16.2 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
 * status_ipsec.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
7
 * All rights reserved.
8
 *
9
 * originally based on m0n0wall (http://m0n0.ch/wall)
10
 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.
11
 * All rights reserved.
12
 *
13
 * Licensed under the Apache License, Version 2.0 (the "License");
14
 * you may not use this file except in compliance with the License.
15
 * You may obtain a copy of the License at
16
 *
17
 * http://www.apache.org/licenses/LICENSE-2.0
18
 *
19
 * Unless required by applicable law or agreed to in writing, software
20
 * distributed under the License is distributed on an "AS IS" BASIS,
21
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22
 * See the License for the specific language governing permissions and
23
 * limitations under the License.
24
 */
25

    
26
##|+PRIV
27
##|*IDENT=page-status-ipsec
28
##|*NAME=Status: IPsec
29
##|*DESCR=Allow access to the 'Status: IPsec' page.
30
##|*MATCH=status_ipsec.php*
31
##|-PRIV
32

    
33
require_once("guiconfig.inc");
34
require_once("ipsec.inc");
35

    
36
global $g;
37

    
38
if (!is_array($config['ipsec']['phase1'])) {
39
	$config['ipsec']['phase1'] = array();
40
}
41

    
42
// If this is just an AJAX call to update the table body, just generate the body and quit
43
if ($_REQUEST['ajax']) {
44
	print_ipsec_body();
45
	exit;
46
}
47

    
48
if ($_GET['act'] == 'connect') {
49
	if (ctype_digit($_GET['ikeid'])) {
50
		$ph1ent = ipsec_get_phase1($_GET['ikeid']);
51
		if (!empty($ph1ent)) {
52
			if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn'])) {
53
				$ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
54
				for ($i = 0; $i < $ph2entries; $i++) {
55
					$connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
56
					mwexec_bg("/usr/local/sbin/ipsec down {$connid}");
57
					mwexec_bg("/usr/local/sbin/ipsec up {$connid}");
58
				}
59
			} else {
60
				mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
61
				mwexec_bg("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
62
			}
63
		}
64
	}
65
} else if ($_GET['act'] == 'ikedisconnect') {
66
	if (ctype_digit($_GET['ikeid'])) {
67
		if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
68
			mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
69
		} else {
70
			mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
71
		}
72
	}
73
} else if ($_GET['act'] == 'childdisconnect') {
74
	if (ctype_digit($_GET['ikeid'])) {
75
		if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
76
			mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
77
		}
78
	}
79
}
80

    
81
// Table body is composed here so that it can be more easily updated via AJAX
82
function print_ipsec_body() {
83
	global $config;
84

    
85
	$a_phase1 = &$config['ipsec']['phase1'];
86
	$status = ipsec_list_sa();
87
	$ipsecconnected = array();
88

    
89
	if (is_array($status)) {
90
		foreach ($status as $ikeid => $ikesa) {
91
			$con_id = substr($ikeid, 3);
92

    
93
			if ($ikesa['version'] == 1) {
94
				$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
95
				$ipsecconnected[$ph1idx] = $ph1idx;
96
			} else {
97
				$ipsecconnected[$con_id] = $ph1idx = $con_id;
98
			}
99

    
100
			print("<tr>\n");
101
			print("<td>\n");
102
			print(htmlspecialchars(ipsec_get_descr($ph1idx)));
103
			print("</td>\n");
104
			print("<td>\n");
105

    
106
			if (!empty($ikesa['local-id'])) {
107
				if ($ikesa['local-id'] == '%any') {
108
					print(gettext('Any identifier'));
109
				} else {
110
					print(htmlspecialchars($ikesa['local-id']));
111
				}
112
			} else {
113
				print(gettext("Unknown"));
114
			}
115

    
116
			print("</td>\n");
117
			print("<td>\n");
118

    
119
			if (!empty($ikesa['local-host'])) {
120
				print(htmlspecialchars($ikesa['local-host']));
121
			} else {
122
				print(gettext("Unknown"));
123
			}
124

    
125
			/*
126
			 * XXX: local-nat-t was defined by pfSense
127
			 * When strongswan team accepted the change, they changed it to
128
			 * nat-local. Keep both for a while and remove local-nat-t in
129
			 * the future
130
			 */
131
			if (isset($ikesa['local-nat-t']) || isset($ikesa['nat-local'])) {
132
				print(" NAT-T");
133
			}
134

    
135
			print("</td>\n");
136
			print("<td>\n");
137

    
138
			$identity = "";
139
			if (!empty($ikesa['remote-id'])) {
140
				if ($ikesa['remote-id'] == '%any') {
141
					$identity = htmlspecialchars(gettext('Any identifier'));
142
				} else {
143
					$identity = htmlspecialchars($ikesa['remote-id']);
144
				}
145
			}
146

    
147
			if (!empty($ikesa['remote-xauth-id'])) {
148
				echo htmlspecialchars($ikesa['remote-xauth-id']);
149
				echo "<br/>{$identity}";
150
			} elseif (!empty($ikesa['remote-eap-id'])) {
151
				echo htmlspecialchars($ikesa['remote-eap-id']);
152
				echo "<br/>{$identity}";
153
			} else {
154
				if (empty($identity)) {
155
					print(gettext("Unknown"));
156
				} else {
157
					print($identity);
158
				}
159
			}
160

    
161
			print("</td>\n");
162
			print("<td>\n");
163

    
164
			if (!empty($ikesa['remote-host'])) {
165
				print(htmlspecialchars($ikesa['remote-host']));
166
			} else {
167
				print(gettext("Unknown"));
168
			}
169
			/*
170
			 * XXX: remote-nat-t was defined by pfSense
171
			 * When strongswan team accepted the change, they changed it to
172
			 * nat-remote. Keep both for a while and remove remote-nat-t in
173
			 * the future
174
			 */
175
			if (isset($ikesa['remote-nat-t']) || isset($ikesa['nat-remote'])) {
176
				print(" NAT-T");
177
			}
178

    
179
			print("</td>\n");
180
			print("<td>\n");
181
			print("IKEv" . htmlspecialchars($ikesa['version']));
182
			print("<br/>\n");
183

    
184
			if ($ikesa['initiator'] == 'yes') {
185
				print("initiator");
186
			} else {
187
				print("responder");
188
			}
189

    
190
			print("</td>\n");
191
			print("<td>\n");
192
			print(htmlspecialchars($ikesa['reauth-time']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['reauth-time']) . ")");
193
			print("</td>\n");
194
			print("<td>\n");
195
			print(htmlspecialchars($ikesa['encr-alg']));
196
			print("<br/>");
197
			print(htmlspecialchars($ikesa['integ-alg']));
198
			print("<br/>");
199
			print(htmlspecialchars($ikesa['prf-alg']));
200
			print("<br/>\n");
201
			print(htmlspecialchars($ikesa['dh-group']));
202
			print("</td>\n");
203
			print("<td>\n");
204

    
205
			if ($ikesa['state'] == 'ESTABLISHED') {
206
				print('<span class="text-success">');
207
			} else {
208
				print('<span>');
209
			}
210

    
211
			print(ucfirst(htmlspecialchars($ikesa['state'])));
212

    
213
			if ($ikesa['state'] == 'ESTABLISHED') {
214
				print("<br/>" . htmlspecialchars($ikesa['established']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['established']) . gettext(") ago"));
215
			}
216

    
217
			print("</span>");
218
			print("</td>\n");
219
			print("<td>\n");
220

    
221
			if ($ikesa['state'] != 'ESTABLISHED') {
222

    
223
				print('<a href="status_ipsec.php?act=connect&amp;ikeid=' . $con_id . '" class="btn btn-xs btn-success" data-toggle="tooltip" title="' . gettext("Connect VPN"). '" >');
224
				print('<i class="fa fa-sign-in icon-embed-btn"></i>');
225
				print(gettext("Connect VPN"));
226
				print("</a>\n");
227

    
228
			} else {
229

    
230
				print('<a href="status_ipsec.php?act=ikedisconnect&amp;ikeid=' . $con_id . '" class="btn btn-xs btn-danger" data-toggle="tooltip" title="' . gettext("Disconnect VPN") . '">');
231
				print('<i class="fa fa-trash icon-embed-btn"></i>');
232
				print(gettext("Disconnect"));
233
				print("</a><br />\n");
234

    
235
			}
236

    
237
			print("</td>\n");
238
			print("</tr>\n");
239
			print("<tr>\n");
240
			print("<td colspan = 10>\n");
241

    
242
			if (is_array($ikesa['child-sas']) && (count($ikesa['child-sas']) > 0)) {
243

    
244
				print('<div>');
245
				print('<a type="button" id="btnchildsa-' . $ikeid .  '" class="btn btn-sm btn-info">');
246
				print('<i class="fa fa-plus-circle icon-embed-btn"></i>');
247
				print(gettext('Show child SA entries'));
248
				print("</a>\n");
249
				print("	</div>\n");
250

    
251
				print('<table class="table table-hover table-condensed" id="childsa-' . $ikeid . '" style="display:none">');
252
				print("<thead>\n");
253
				print('<tr class="bg-info">');
254
				print('<th><?=gettext("Local subnets")?></th>');
255
				print('<th><?=gettext("Local SPI(s)")?></th>');
256
				print('<th><?=gettext("Remote subnets")?></th>');
257
				print('<th><?=gettext("Times")?></th>');
258
				print('<th><?=gettext("Algo")?></th>');
259
				print('<th><?=gettext("Stats")?></th>');
260
				print('<th><!-- Buttons --></th>');
261
				print("</tr\n");
262
				print("</thead>\n");
263
				print("<tbody>\n");
264

    
265
				foreach ($ikesa['child-sas'] as $childid => $childsa) {
266
					print("<tr>");
267
					print("<td>\n");
268

    
269
					if (is_array($childsa['local-ts'])) {
270
						foreach ($childsa['local-ts'] as $lnets) {
271
							print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />");
272
						}
273
					} else {
274
						print(gettext("Unknown"));
275
					}
276

    
277
					print("</td>\n");
278
					print("<td>\n");
279

    
280
					if (isset($childsa['spi-in'])) {
281
						print(gettext("Local: ") . htmlspecialchars($childsa['spi-in']));
282
					}
283

    
284
					if (isset($childsa['spi-out'])) {
285
						print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['spi-out']));
286
					}
287

    
288
					print("</td>\n");
289
					print("<td>\n");
290

    
291
					if (is_array($childsa['remote-ts'])) {
292
						foreach ($childsa['remote-ts'] as $rnets) {
293
							print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />');
294
						}
295
					} else {
296
						print(gettext("Unknown"));
297
					}
298

    
299
					print("</td>\n");
300
					print("<td>\n");
301

    
302
					print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['rekey-time']) . ")");
303
					print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['life-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['life-time']) . ")");
304
					print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['install-time']) . gettext(" seconds (") . convert_seconds_to_dhms($childsa['install-time']) . ")");
305

    
306

    
307
					print("</td>\n");
308
					print("<td>\n");
309

    
310
					print(htmlspecialchars($childsa['encr-alg']) . '<br/>');
311
					print(htmlspecialchars($childsa['integ-alg']) . '<br/>');
312

    
313
					if (!empty($childsa['prf-alg'])) {
314
						print(htmlspecialchars($childsa['prf-alg']) . '<br/>');
315
					}
316

    
317
					if (!empty($childsa['dh-group'])) {
318
						print(htmlspecialchars($childsa['dh-group']) . '<br/>');
319
					}
320

    
321
					if (!empty($childsa['esn'])) {
322
						print(htmlspecialchars($childsa['esn']) . '<br/>');
323
					}
324

    
325
					print(gettext("IPComp: "));
326
					if (!empty($childsa['cpi-in']) || !empty($childsa['cpi-out'])) {
327
						print(htmlspecialchars($childsa['cpi-in']) . " " . htmlspecialchars($childsa['cpi-out']));
328
					} else {
329
						print(gettext('none'));
330
					}
331

    
332
					print("</td>\n");
333
					print("<td>\n");
334

    
335
					print(gettext("Bytes-In: ") . htmlspecialchars(number_format($childsa['bytes-in'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-in'])) . ')<br/>');
336
					print(gettext("Packets-In: ") . htmlspecialchars(number_format($childsa['packets-in'])) . '<br/>');
337
					print(gettext("Bytes-Out: ") . htmlspecialchars(number_format($childsa['bytes-out'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-out'])) . ')<br/>');
338
					print(gettext("Packets-Out: ") . htmlspecialchars(number_format($childsa['packets-out'])) . '<br/>');
339

    
340
					print("</td>\n");
341
					print("<td>\n");
342
					print('<a href="status_ipsec.php?act=childdisconnect&amp;ikeid=' . $con_id . '&amp;ikesaid=' . $childsa['uniqueid'] . '" class="btn btn-xs btn-warning" data-toggle="tooltip" title="' . gettext('Disconnect Child SA') . '">');
343
					print('<i class="fa fa-trash icon-embed-btn"></i>');
344
					print(gettext("Disconnect"));
345
					print("</a>\n");
346
					print("</td>\n");
347
					print("</tr>\n");
348

    
349
				}
350

    
351
				print("</tbody>\n");
352
				print("	</table>\n");
353
				print("</td>\n");
354
				print("</tr>\n");
355

    
356
			}
357

    
358
			unset($con_id);
359
		}
360

    
361
	}
362

    
363
	$rgmap = array();
364
	if (is_array($a_phase1)) {
365
		foreach ($a_phase1 as $ph1ent) {
366
			if (isset($ph1ent['disabled'])) {
367
				continue;
368
			}
369

    
370
			$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
371

    
372
			if ($ipsecconnected[$ph1ent['ikeid']]) {
373
				continue;
374
			}
375

    
376
			print("<tr>\n");
377
			print("<td>\n");
378

    
379
			print(htmlspecialchars($ph1ent['descr']));
380
			print("</td>\n");
381
			print("<td>\n");
382
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
383

    
384
			if (empty($myid_data)) {
385
				print(gettext("Unknown"));
386
			} else {
387
				print(htmlspecialchars($myid_data));
388
			}
389

    
390
			print("</td>\n");
391
			print("<td>\n");
392
			$ph1src = ipsec_get_phase1_src($ph1ent);
393

    
394
			if (empty($ph1src)) {
395
				print(gettext("Unknown"));
396
			} else {
397
				print(htmlspecialchars($ph1src));
398
			}
399

    
400
			print("</td>\n");
401
			print("<td>\n");
402

    
403
			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
404

    
405
			if (empty($peerid_data)) {
406
				print(gettext("Unknown"));
407
			} else {
408
				print(htmlspecialchars($peerid_data));
409
			}
410
			print("			</td>\n");
411
			print("			<td>\n");
412
			$ph1src = ipsec_get_phase1_dst($ph1ent);
413

    
414
			if (empty($ph1src)) {
415
				print(gettext("Unknown"));
416
			} else {
417
				print(htmlspecialchars($ph1src));
418
			}
419

    
420
			print("</td>\n");
421
			print("<td>\n");
422
			print("</td>\n");
423
			print("<td>\n");
424
			print("</td>\n");
425
			print("<td>\n");
426
			print("</td>\n");
427

    
428
			if (isset($ph1ent['mobile'])) {
429

    
430
				print("<td>\n");
431
				print(gettext("Awaiting connections"));
432
				print("</td>\n");
433
				print("<td>\n");
434
				print("</td>\n");
435
				print("</td>\n");
436
			} else {
437

    
438
				print("<td>\n");
439
				print(gettext("Disconnected"));
440
				print("</td>\n");
441
				print("<td>\n");
442
				print('<a href="status_ipsec.php?act=connect&amp;ikeid=' . $ph1ent['ikeid'] . '" class="btn btn-xs btn-success">');
443
				print('<i class="fa fa-sign-in icon-embed-btn"></i>');
444
				print(gettext("Connect VPN"));
445
				print("</a>\n");
446
				print("</td>\n");
447

    
448
			}
449
			print("</tr>\n");
450
		}
451
	}
452

    
453
	unset($ipsecconnected, $phase1, $rgmap);
454
}
455

    
456
$pgtitle = array(gettext("Status"), gettext("IPsec"), gettext("Overview"));
457
$pglinks = array("", "@self", "@self");
458
$shortcut_section = "ipsec";
459

    
460
include("head.inc");
461

    
462
$tab_array = array();
463
$tab_array[] = array(gettext("Overview"), true, "status_ipsec.php");
464
$tab_array[] = array(gettext("Leases"), false, "status_ipsec_leases.php");
465
$tab_array[] = array(gettext("SADs"), false, "status_ipsec_sad.php");
466
$tab_array[] = array(gettext("SPDs"), false, "status_ipsec_spd.php");
467
display_top_tabs($tab_array);
468
?>
469

    
470
<div class="panel panel-default">
471
	<div class="panel-heading"><h2 class="panel-title"><?=gettext("IPsec Status");?></h2></div>
472
	<div class="panel-body table-responsive">
473
		<table class="table table-striped table-condensed table-hover sortable-theme-bootstrap" data-sortable>
474
			<thead>
475
				<tr>
476
					<th><?=gettext("Description")?></th>
477
					<th><?=gettext("Local ID")?></th>
478
					<th><?=gettext("Local IP")?></th>
479
					<th><?=gettext("Remote ID")?></th>
480
					<th><?=gettext("Remote IP")?></th>
481
					<th><?=gettext("Role")?></th>
482
					<th><?=gettext("Reauth")?></th>
483
					<th><?=gettext("Algo")?></th>
484
					<th><?=gettext("Status")?></th>
485
					<th></th>
486
				</tr>
487
			</thead>
488
			<tbody id="ipsec-body">
489
				<tr>
490
					<td colspan="10">
491
						<?=print_info_box(gettext("Collecting IPsec status information."), "warning", "")?>
492
					</td>
493
				</tr>
494
			</tbody>
495
		</table>
496
	</div>
497
</div>
498

    
499
<?php
500
unset($status);
501

    
502
if (ipsec_enabled()) {
503
	print('<div class="infoblock">');
504
} else {
505
	print('<div class="infoblock blockopen">');
506
}
507

    
508
print_info_box(sprintf(gettext('IPsec can be configured %1$shere%2$s.'), '<a href="vpn_ipsec.php">', '</a>'), 'info', false);
509
?>
510
</div>
511

    
512
<script type="text/javascript">
513
//<![CDATA[
514

    
515
events.push(function() {
516
	ajax_lock = false;		// Mutex so we don't make a call until the previous call is finished
517
	sa_open = new Array();	// Array in which to keep the child SA show/hide state
518

    
519
	// Fetch the tbody contents from the server
520
	function update_table() {
521
		if (ajax_lock) {
522
			return;
523
		}
524

    
525
		ajax_lock = true;
526

    
527
		ajaxRequest = $.ajax(
528
			{
529
				url: "/status_ipsec.php",
530
				type: "post",
531
				data: {
532
					ajax: 	"ajax"
533
				}
534
			}
535
		);
536

    
537
		// Deal with the results of the above ajax call
538
		ajaxRequest.done(function (response, textStatus, jqXHR) {
539

    
540
			if (!response) {
541
				response = '<tr><td colspan="10"><?=print_info_box(gettext("No IPsec status information available."), "warning", "")?></td></tr>';
542
			}
543

    
544
			$('#ipsec-body').html(response);
545
			ajax_lock = false;
546

    
547
			// Update "Show child SA" handlers
548
			$('[id^=btnchildsa-]').click(function () {
549
				show_childsa($(this).prop("id").replace( /^\D+/g, ''));
550
			});
551

    
552
			// Check the sa_open array for child SAs that have been opened
553
			$('[id^=childsa-con]').each(function(idx) {
554
				sa_idx = $(this).prop("id").replace( /^\D+/g, '');
555

    
556
				if (sa_open[sa_idx]) {
557
					show_childsa(sa_idx);
558
				}
559
			});
560

    
561
			// and do it again
562
			setTimeout(update_table, 5000);
563
		});
564
	}
565

    
566
	function show_childsa(said) {
567
		sa_open[said] = true;
568
		$('#childsa-con' + said).show();
569
		$('#btnchildsa-con' + said).hide();
570
	}
571

    
572
	// Populate the tbody on page load
573
	update_table();
574
});
575
//]]>
576
</script>
577

    
578
<?php
579
include("foot.inc"); ?>
(164-164/225)