. * All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ ##|+PRIV ##|*IDENT=page-status-ipsec ##|*NAME=Status: IPsec ##|*DESCR=Allow access to the 'Status: IPsec' page. ##|*MATCH=status_ipsec.php* ##|-PRIV require_once("guiconfig.inc"); require_once("ipsec.inc"); global $g; init_config_arr(array('ipsec', 'phase1')); // If this is just an AJAX call to update the table body, just generate the body and quit if ($_REQUEST['ajax']) { print_ipsec_body(); exit; } if ($_POST['act'] == 'connect') { if (ctype_digit($_POST['ikeid'])) { $ph1ent = ipsec_get_phase1($_POST['ikeid']); if (!empty($ph1ent)) { if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn'])) { $ph2entries = ipsec_get_number_of_phase2($_POST['ikeid']); for ($i = 0; $i < $ph2entries; $i++) { $connid = escapeshellarg("con{$_POST['ikeid']}00{$i}"); mwexec_bg("/usr/local/sbin/ipsec down {$connid}"); mwexec_bg("/usr/local/sbin/ipsec up {$connid}"); } } else { mwexec_bg("/usr/local/sbin/ipsec down con" . escapeshellarg($_POST['ikeid'] . '000')); mwexec_bg("/usr/local/sbin/ipsec up con" . escapeshellarg($_POST['ikeid'] . '000')); } } } } else if ($_POST['act'] == 'ikedisconnect') { if (!empty($_POST['ikesaid']) && ctype_digit($_POST['ikesaid'])) { mwexec_bg("/usr/local/sbin/ipsec down " ."'" . escapeshellarg($_POST['ikeid']) . "[" . escapeshellarg($_POST['ikesaid']) . "]" . "'"); } else { mwexec_bg("/usr/local/sbin/ipsec down " . escapeshellarg($_POST['ikeid'])); } } else if ($_POST['act'] == 'childdisconnect') { //pull out number from id if (!empty($_POST['ikesaid']) && ctype_digit($_POST['ikesaid'])) { mwexec_bg("/usr/local/sbin/ipsec down " . escapeshellarg($_POST['ikeid']) . "{" . escapeshellarg($_POST['ikesaid']) . "}"); } } // Table body is composed here so that it can be more easily updated via AJAX function print_ipsec_body() { global $config; $a_phase1 = &$config['ipsec']['phase1']; $status = ipsec_list_sa(); $ipsecconnected = array(); if (is_array($status)) { foreach ($status as $ikeid => $ikesa) { //check which array format if(isset($ikesa['con-id'])){ $con_id = substr($ikesa['con-id'],3); }else{ $con_id = filter_var($ikeid, FILTER_SANITIZE_NUMBER_INT); } if ($ikesa['version'] == 1) { $ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00')); $ipsecconnected[$ph1idx] = $ph1idx; } else { if (!ipsec_ikeid_used($con_id)) { // probably a v2 with split connection then $ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00')); $ipsecconnected[$ph1idx] = $ph1idx; } else { $ipsecconnected[$con_id] = $ph1idx = $con_id; } } print("\n"); print("\n"); print(htmlspecialchars($ikesa['con-id'])) . ":\n"; print('#' . htmlspecialchars($ikesa['uniqueid'])); print("\n"); print("\n"); if (is_array($a_phase1) && htmlspecialchars(ipsec_get_descr($ph1idx)) == "") { foreach ($a_phase1 as $ph1) { if($con_id == $ph1['ikeid'] && isset($ph1['mobile']) ){ print(htmlspecialchars($ph1['descr'])); break; } } } print(htmlspecialchars(ipsec_get_descr($ph1idx))); print("\n"); print("\n"); if (!empty($ikesa['local-id'])) { if ($ikesa['local-id'] == '%any') { print(gettext('Any identifier')); } else { print(htmlspecialchars($ikesa['local-id'])); } } else { print(gettext("Unknown")); } print("\n"); print("\n"); if (!empty($ikesa['local-host'])) { print(htmlspecialchars($ikesa['local-host'])); } else { print(gettext("Unknown")); } /* * XXX: local-nat-t was defined by pfSense * When strongswan team accepted the change, they changed it to * nat-local. Keep both for a while and remove local-nat-t in * the future */ if (isset($ikesa['local-nat-t']) || isset($ikesa['nat-local'])) { print(" NAT-T"); } print("\n"); print("\n"); $identity = ""; if (!empty($ikesa['remote-id'])) { if ($ikesa['remote-id'] == '%any') { $identity = htmlspecialchars(gettext('Any identifier')); } else { $identity = htmlspecialchars($ikesa['remote-id']); } } if (!empty($ikesa['remote-xauth-id'])) { echo htmlspecialchars($ikesa['remote-xauth-id']); echo "
{$identity}"; } elseif (!empty($ikesa['remote-eap-id'])) { echo htmlspecialchars($ikesa['remote-eap-id']); echo "
{$identity}"; } else { if (empty($identity)) { print(gettext("Unknown")); } else { print($identity); } } print("\n"); print("\n"); if (!empty($ikesa['remote-host'])) { print(htmlspecialchars($ikesa['remote-host'])); } else { print(gettext("Unknown")); } /* * XXX: remote-nat-t was defined by pfSense * When strongswan team accepted the change, they changed it to * nat-remote. Keep both for a while and remove remote-nat-t in * the future */ if (isset($ikesa['remote-nat-t']) || isset($ikesa['nat-remote'])) { print(" NAT-T"); } print("\n"); print("\n"); print("IKEv" . htmlspecialchars($ikesa['version'])); print("
\n"); if ($ikesa['initiator'] == 'yes') { print("initiator"); } else { print("responder"); } print("\n"); print("\n"); print(htmlspecialchars($ikesa['reauth-time']) . gettext(" seconds (") . convert_seconds_to_dhms($ikesa['reauth-time']) . ")"); print("\n"); print("\n"); print(htmlspecialchars($ikesa['encr-alg'])); print("
"); print(htmlspecialchars($ikesa['integ-alg'])); print("
"); print(htmlspecialchars($ikesa['prf-alg'])); print("
\n"); print(htmlspecialchars($ikesa['dh-group'])); print("\n"); print("\n"); if ($ikesa['state'] == 'ESTABLISHED') { print(''); } else { print(''); } print(ucfirst(htmlspecialchars($ikesa['state']))); if ($ikesa['state'] == 'ESTABLISHED') { print("
"); printf(gettext('%1$s seconds (%2$s) ago'), htmlspecialchars($ikesa['established']), convert_seconds_to_dhms($ikesa['established'])); } print("

"); if ($ikesa['state'] != 'ESTABLISHED') { print(''); print(''); print(gettext("Connect VPN")); print("\n"); } else { print(''); print(''); print(gettext("Disconnect")); print("
\n"); } print("\n"); print("\n"); print("\n"); print("\n"); if (is_array($ikesa['child-sas']) && (count($ikesa['child-sas']) > 0)) { $child_key = ""; foreach ($ikesa['child-sas'] as $key => $val){ $child_key = $key; break; } print('

'); print(''); print(''); print(gettext('Show child SA entries')); print("\n"); print("

\n"); print(''); print("\n"); print(''); print(''); print(''); print(''); print(''); print(''); print(''); print(''); print(''); print("\n"); print("\n"); foreach ($ikesa['child-sas'] as $childid => $childsa) { print(""); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); } print("\n"); print("

' . gettext("IPsec ID") . '	' . gettext("Local subnets") . '	' . gettext("Local SPI(s)") . '	' . gettext("Remote subnets") . '	' . gettext("Times") . '	' . gettext("Algo") . '	' . gettext("Stats") . '
\n"); print($childsa['name'] . ": "); print("#" . $childsa['uniqueid']); print("	\n"); if (is_array($childsa['local-ts'])) { foreach ($childsa['local-ts'] as $lnets) { print(htmlspecialchars(ipsec_fixup_network($lnets)) . " "); } } else { print(gettext("Unknown")); } print("	\n"); if (isset($childsa['spi-in'])) { print(gettext("Local: ") . htmlspecialchars($childsa['spi-in'])); } if (isset($childsa['spi-out'])) { print(' ' . gettext('Remote: ') . htmlspecialchars($childsa['spi-out'])); } print("	\n"); if (is_array($childsa['remote-ts'])) { foreach ($childsa['remote-ts'] as $rnets) { print(htmlspecialchars(ipsec_fixup_network($rnets)) . ' '); } } else { print(gettext("Unknown")); } print("	\n"); printf(gettext('Rekey: %1$s seconds (%2$s)'), htmlspecialchars($childsa['rekey-time']), convert_seconds_to_dhms($childsa['rekey-time'])); print(' '); printf(gettext('Life: %1$s seconds (%2$s)'), htmlspecialchars($childsa['life-time']), convert_seconds_to_dhms($childsa['life-time'])); print(' '); printf(gettext('Install: %1$s seconds (%2$s)'), htmlspecialchars($childsa['install-time']), convert_seconds_to_dhms($childsa['install-time'])); print("	\n"); print(htmlspecialchars($childsa['encr-alg']) . ' '); print(htmlspecialchars($childsa['integ-alg']) . ' '); if (!empty($childsa['prf-alg'])) { print(htmlspecialchars($childsa['prf-alg']) . ' '); } if (!empty($childsa['dh-group'])) { print(htmlspecialchars($childsa['dh-group']) . ' '); } if (!empty($childsa['esn'])) { print(htmlspecialchars($childsa['esn']) . ' '); } print(gettext("IPComp: ")); if (!empty($childsa['cpi-in']) \|\| !empty($childsa['cpi-out'])) { print(htmlspecialchars($childsa['cpi-in']) . " " . htmlspecialchars($childsa['cpi-out'])); } else { print(gettext('none')); } print("	\n"); print(gettext("Bytes-In: ") . htmlspecialchars(number_format($childsa['bytes-in'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-in'])) . ') '); print(gettext("Packets-In: ") . htmlspecialchars(number_format($childsa['packets-in'])) . ' '); print(gettext("Bytes-Out: ") . htmlspecialchars(number_format($childsa['bytes-out'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-out'])) . ') '); print(gettext("Packets-Out: ") . htmlspecialchars(number_format($childsa['packets-out'])) . ' '); print("	\n"); print(''); print(''); print(gettext("Disconnect")); print("\n"); print("

\n"); print("\n"); print("\n"); } unset($con_id); } } $rgmap = array(); if (is_array($a_phase1)) { foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) { continue; } $rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway']; if ($ipsecconnected[$ph1ent['ikeid']]) { continue; } print("\n"); print("\n"); print("\n"); print(htmlspecialchars($ph1ent['descr'])); print("\n"); print("\n"); list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); if (empty($myid_data)) { print(gettext("Unknown")); } else { print(htmlspecialchars($myid_data)); } print("\n"); print("\n"); $ph1src = ipsec_get_phase1_src($ph1ent); if (empty($ph1src)) { print(gettext("Unknown")); } else { print(htmlspecialchars($ph1src)); } print("\n"); print("\n"); list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); if (empty($peerid_data)) { print(gettext("Unknown")); } else { print(htmlspecialchars($peerid_data)); } print(" \n"); print(" \n"); $ph1src = ipsec_get_phase1_dst($ph1ent); if (empty($ph1src)) { print(gettext("Unknown")); } else { print(htmlspecialchars($ph1src)); } print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); print("\n"); if (isset($ph1ent['mobile'])) { print("\n"); print(gettext("Awaiting connections")); print("\n"); print("\n"); print("\n"); print("\n"); } else { print("\n"); print(gettext("Disconnected")); print("\n"); print("\n"); print(''); print(''); print(gettext("Connect VPN")); print("\n"); print("\n"); } print("\n"); } } unset($ipsecconnected, $phase1, $rgmap); } $pgtitle = array(gettext("Status"), gettext("IPsec"), gettext("Overview")); $pglinks = array("", "@self", "@self"); $shortcut_section = "ipsec"; include("head.inc"); $tab_array = array(); $tab_array[] = array(gettext("Overview"), true, "status_ipsec.php"); $tab_array[] = array(gettext("Leases"), false, "status_ipsec_leases.php"); $tab_array[] = array(gettext("SADs"), false, "status_ipsec_sad.php"); $tab_array[] = array(gettext("SPDs"), false, "status_ipsec_spd.php"); display_top_tabs($tab_array); ?>

'); } else { print('

'); } print_info_box(sprintf(gettext('IPsec can be configured %1$shere%2$s.'), '', ''), 'info', false); ?>