<?php
/*
	vpn_ipsec.php
	part of m0n0wall (http://m0n0.ch/wall)

	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
	Copyright (C) 2008 Shrew Soft Inc
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

##|+PRIV
##|*IDENT=page-vpn-ipsec
##|*NAME=VPN: IPsec page
##|*DESCR=Allow access to the 'VPN: IPsec' page.
##|*MATCH=vpn_ipsec.php*
##|-PRIV

require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");
require_once("ipsec.inc");
require_once("vpn.inc");

/* make sure both phase lists exist before the references below are taken */
if (!is_array($config['ipsec']['phase1']))
	$config['ipsec']['phase1'] = array();

if (!is_array($config['ipsec']['phase2']))
	$config['ipsec']['phase2'] = array();

/* references into $config: the delete handlers below unset() through these
 * and then call write_config() */
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];

/* NOTE(review): $wancfg is not referenced anywhere else on this page */
$wancfg = &$config['interfaces']['wan'];

/* current value of the "Enable IPsec" checkbox (overridden by $_POST on submit) */
$pconfig['enable'] = isset($config['ipsec']['enable']);
/*
 * POST handling.
 *  - "apply":  push the saved IPsec config to the daemon and reload the
 *              filter; the result feeds the status box and, on success,
 *              clears the 'ipsec' dirty flag.
 *  - "submit": store the global enable flag, stop racoon when disabling or
 *              reconfigure when enabling, then save the config.
 *
 * NOTE(review): no request-token check is visible on this page; unless
 * guiconfig.inc enforces one, a cross-site POST can flip the enable flag.
 */
if (!empty($_POST)) {
	if (!empty($_POST['apply'])) {
		/* only vpn_ipsec_configure()'s result reaches the status message;
		 * the value returned by vpn_ipsec_refresh_policies() is not reported */
		vpn_ipsec_refresh_policies();
		$retval = vpn_ipsec_configure();
		/* reload the filter in the background */
		filter_configure();
		$savemsg = get_std_save_message($retval);
		if ($retval == 0 && is_subsystem_dirty('ipsec'))
			clear_subsystem_dirty('ipsec');
	} elseif (!empty($_POST['submit'])) {
		$pconfig = $_POST;
		$config['ipsec']['enable'] = !empty($_POST['enable']);

		if ($config['ipsec']['enable']) {
			$retval = vpn_ipsec_configure();
		} elseif (is_process_running("racoon")) {
			mwexec("killall racoon");
		}

		write_config();
	}
}
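/*
 * Row deletion: ?act=delph1&p1index=N removes a phase1 entry plus every
 * phase2 entry carrying its ikeid; ?act=delph2&p2index=N removes a single
 * phase2 entry. Both save the config and redirect back to this page.
 *
 * NOTE(review): these are state-changing GET requests with no request token;
 * nothing on this page distinguishes a click on the delete icon from any
 * other navigation to the same URL. The index is validated as a non-negative
 * integer before use so that only an existing list element can be selected.
 */
$p1index = (isset($_GET['p1index']) && ctype_digit((string) $_GET['p1index'])) ? (int) $_GET['p1index'] : null;
$p2index = (isset($_GET['p2index']) && ctype_digit((string) $_GET['p2index'])) ? (int) $_GET['p2index'] : null;

if (isset($_GET['act']) && $_GET['act'] == "delph1") {
	if ($p1index !== null && !empty($a_phase1[$p1index])) {
		$ph1del = $a_phase1[$p1index];
		/* remove static route if interface is not WAN; the gateway is a saved
		 * config value, so it is passed as a quoted argument rather than
		 * spliced into the command line (mobile entries have none) */
		if ($ph1del['interface'] <> "wan" && !empty($ph1del['remote-gateway']))
			mwexec("/sbin/route delete -host " . escapeshellarg($ph1del['remote-gateway']));

		/* remove all phase2 entries that match the ikeid */
		$ikeid = $ph1del['ikeid'];
		foreach ($a_phase2 as $p2key => $ph2tmp)
			if ($ph2tmp['ikeid'] == $ikeid)
				unset($a_phase2[$p2key]);

		/* remove the phase1 entry */
		unset($a_phase1[$p1index]);
		vpn_ipsec_refresh_policies();
		vpn_ipsec_configure();
		write_config();
		filter_configure();
		header("Location: vpn_ipsec.php");
		exit;
	}
}

if (isset($_GET['act']) && $_GET['act'] == "delph2") {
	if ($p2index !== null && !empty($a_phase2[$p2index])) {
		/* remove the phase2 entry */
		unset($a_phase2[$p2index]);
		vpn_ipsec_refresh_policies();
		vpn_ipsec_configure();
		filter_configure();
		write_config();
		header("Location: vpn_ipsec.php");
		exit;
	}
}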
/* page title and status/log page links; head.inc is included right after they are set */
$pgtitle = array("VPN","IPsec");
$statusurl = "diag_ipsec.php";
$logurl = "diag_logs_ipsec.php";

include("head.inc");

?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="vpn_ipsec.php" method="post">
<?php
	/* $savemsg is only set by the POST "apply" branch above */
	if ($savemsg)
		print_info_box($savemsg);
	/* pending-changes banner, shown while the 'ipsec' subsystem is flagged dirty */
	if ($pconfig['enable'] && is_subsystem_dirty('ipsec'))
		print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
	<tr>
		<td class="tabnavtbl">
			<?php
				/* tab strip: (label, active?, target page); this page is the "Tunnels" tab */
				$tab_array = array();
				$tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
				$tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
				$tab_array[2] = array("Pre-shared keys", false, "vpn_ipsec_keys.php");
				$tab_array[3] = array("Logs", false, "diag_logs_ipsec.php");
				display_top_tabs($tab_array);
			?>
		</td>
	</tr>
	<tr>
		<td>
			<div id="mainarea">
				<table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
					<tr>
						<td class="vtable">
							<table border="0" cellspacing="2" cellpadding="0">
								<tr>
									<td>
										<input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>>
									</td>
									<td>
										<strong>Enable IPsec</strong>
									</td>
								</tr>
							</table>
						</td>
					</tr>
					<tr>
						<td>
							<input name="submit" type="submit" class="formbtn" value="Save">
						</td>
					</tr>
				</table>
180
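				<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
					<?php
						/*
						 * Phase1 listing. Every phase1 entry gets its own header row
						 * (show_ipsec_header), a data row, and a collapsed table of the
						 * phase2 entries sharing its ikeid.
						 *
						 * The array keys are used as p1index/p2index in the links so
						 * they address the same element the delete handlers look up.
						 */
						$counter = 0;	/* header rows emitted; 0 => print one below the loop */

						/* interface labels are the same for every row; build them once */
						$iflabels = get_configured_interface_with_descr();
						$carplist = get_configured_carp_interface_list();
						foreach ($carplist as $cif => $carpip)
							$iflabels[$cif] = strtoupper($cif) . " ({$carpip})";

						foreach ($a_phase1 as $i => $ph1ent) {
							$p1disabled = isset($ph1ent['disabled']);
							if ($p1disabled) {
								$spans = "<span class=\"gray\">";
								$spane = "</span>";
							}
							else
								$spans = $spane = "";

							show_ipsec_header($ph1ent);
							$counter++;

							if ($ph1ent['interface'])
								$if = htmlspecialchars($iflabels[$ph1ent['interface']]);
							else
								$if = "WAN";
					?>
					<tr valign="top" ondblclick="document.location='vpn_ipsec_phase1.php?p1index=<?=$i;?>'">
						<td class="listlr">
							<?=$spans;?>
							<?php
								/* config values are HTML-escaped: they are admin input persisted in config.xml */
								if (!isset($ph1ent['mobile']))
									echo $if."<br>".htmlspecialchars($ph1ent['remote-gateway']);
								else
									echo $if."<br><strong>Mobile Client</strong>";
							?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=htmlspecialchars($ph1ent['mode']);?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?>
							<?php
								if ($ph1ent['encryption-algorithm']['keylen']) {
									if ($ph1ent['encryption-algorithm']['keylen']=="auto")
										echo " (auto)";
									else
										echo " (" . htmlspecialchars($ph1ent['encryption-algorithm']['keylen']) . " bits)";
								}
							?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=$p1_halgos[$ph1ent['hash-algorithm']];?>
							<?=$spane;?>
						</td>
						<td class="listbg">
							<?=$spans;?>
							<?=htmlspecialchars($ph1ent['descr']);?>&nbsp;
							<?=$spane;?>
						</td>
						<td valign="middle" nowrap class="list">
							<table border="0" cellspacing="0" cellpadding="1">
								<tr>
									<td>
										<a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
									<td>
										<a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php if (!isset($ph1ent['mobile'])): ?>
								<tr>
									<td>
									</td>
									<td>
										<a href="vpn_ipsec_phase1.php?dup=<?=$i;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php endif; ?>
							</table>
						</td>
					</tr>
					<tr>
						<td class="listrborder" colspan="5">
							<div id="shph2but-<?=$i?>">
								<?php
									/* number of enabled phase2 entries under this phase1
									 * (disabled ones are still listed below, greyed out) */
									$phase2count = 0;
									foreach ($a_phase2 as $ph2ent) {
										if ($ph2ent['ikeid'] != $ph1ent['ikeid'])
											continue;
										if (isset($ph2ent['disabled']) || $p1disabled)
											continue;
										$phase2count++;
									}
								?>
								<input type="button" onClick="show_phase2('tdph2-<?=$i?>','shph2but-<?=$i?>')" value="+"> - Show <?=$phase2count?> Phase-2 entries
							</div>
							<table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="tdph2-<?=$i?>" style="display:none">
								<tr>
									<td class="listhdrr">Mode</td>
									<?php /* every data row emits these two cells (blank for non-tunnel modes), so the header always has them */ ?>
									<td class="listhdrr">Local Subnet</td>
									<td class="listhdrr">Remote Subnet</td>
									<td class="listhdrr">P2 Protocol</td>
									<td class="listhdrr">P2 Transforms</td>
									<td class="listhdrr">P2 Auth Methods</td>
									<td class ="list">
										<a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?><?php if (isset($ph1ent['mobile'])) echo "&mobile=true";?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php
									foreach ($a_phase2 as $j => $ph2ent) {
										if ($ph2ent['ikeid'] != $ph1ent['ikeid'])
											continue;

										if (isset($ph2ent['disabled']) || $p1disabled) {
											$spans = "<span class=\"gray\">";
											$spane = "</span>";
										}
										else
											$spans = $spane = "";
										$is_tunnel = ($ph2ent['mode'] == "tunnel");
								?>
								<tr valign="top" ondblclick="document.location='vpn_ipsec_phase2.php?p2index=<?=$j;?>'">
									<td nowrap class="listlr">
										<?=$spans;?>
											<?=htmlspecialchars($ph2ent['mode']);?>
										<?=$spane;?>
									</td>
									<?php if ($is_tunnel): ?>
									<td nowrap class="listr">
										<?=$spans;?>
											<?=ipsec_idinfo_to_text($ph2ent['localid']); ?>
										<?=$spane;?>
									</td>
									<td nowrap class="listr">
										<?=$spans;?>
											<?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
										<?=$spane;?>
									</td>
									<?php else: ?>
									<td nowrap class="listr">&nbsp;</td>
									<td nowrap class="listr">&nbsp;</td>
									<?php endif; ?>
									<td nowrap class="listr">
										<?=$spans;?>
											<?php echo $p2_protos[$ph2ent['protocol']];	?>
										<?=$spane;?>
									</td>
									<td class="listr">
										<?=$spans;?>
										<?php
											$k = 0;
											foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) {
												if ($k++)
													echo ", ";
												echo $p2_ealgos[$ph2ea['name']]['name'];
												if ($ph2ea['keylen']) {
													if ($ph2ea['keylen']=="auto")
														echo " (auto)";
													else
														echo " (" . htmlspecialchars($ph2ea['keylen']) . " bits)";
												}
											}
										?>
										<?=$spane;?>
									</td>
									<td nowrap class="listr">
										<?=$spans;?>
										<?php
											$k = 0;
											foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) {
												if ($k++)
													echo ", ";
												echo $p2_halgos[$ph2ha];
											}
										?>
										<?=$spane;?>
									</td>
									<td nowrap class="list">
										<a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0">
										</a>
										<a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php
									}
								?>
							</table>
						</td>
					</tr>
					<tr>
						<td>
							&nbsp;
						</td>
					</tr>
					<?php
						}

						/* no phase1 entries: still print a header row so the add button lines up */
						if (!$counter)
							show_ipsec_header(array());
					?>
					<tr>
						<td class="list" colspan="5"></td>
						<td class="list">
							<table border="0" cellspacing="0" cellpadding="1">
								<tr>
									<td width="17"></td>
									<td>
										<a href="vpn_ipsec_phase1.php">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
							</table>
						</td>
					</tr>
					<tr>
						<td colspan="4">
							<p>
								<span class="vexpl">
									<span class="red">
										<strong>Note:<br></strong>
									</span>
									You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>.
								</span>
							</p>
						</td>
					</tr>
				</table>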
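			</div>
		</td>
	</tr>
</table>
</form>
<?php include("fend.inc"); ?>
<script type="text/javascript">
/* Reveal the phase2 table for one phase1 row and clear the container that
 * held its "+" button (so the table cannot be collapsed again from the page). */
function show_phase2(id, buttonid) {
	document.getElementById(buttonid).innerHTML='';
	var aodiv = document.getElementById(id);
	aodiv.style.display = "block";
}
</script>
</body>
</html>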
<?php
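/*
 * Print the column-header row that precedes a phase1 entry in the listing.
 *
 * $ph1ent - the phase1 config entry the row belongs to, or an empty array when
 *           a lone header is wanted for an empty list. The header is the same
 *           for every entry; the parameter is kept for the existing callers.
 */
function show_ipsec_header($ph1ent) {
	echo <<<EOF
	<tr>
		<td class="listhdrr">Remote Gateway</td>
		<td class="listhdrr">Mode</td>
		<td class="listhdrr">P1 Protocol</td>
		<td class="listhdrr">P1 Transforms</td>
		<td class="listhdrr">P1 Description</td>
		<td class ="list">
		</td>
	</tr>

EOF;
}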
?>