/src/usr/local/www/diag_ipsec.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/usr/local/www/diag_ipsec.php @ 7d2e572f

1	cf7d1057	Scott Ullrich	<?php
2			/* $Id$ */
3			/*
4			diag_ipsec.php
5			*/
6	fd9ebcd5	Stephen Beaver	/* ====================================================================
7			* Copyright (c) 2004-2015 Electric Sheep Fencing, LLC. All rights reserved.
8			* Copyright (c) 2004, 2005 Scott Ullrich
9			*
10			* Redistribution and use in source and binary forms, with or without modification,
11			* are permitted provided that the following conditions are met:
12			*
13			* 1. Redistributions of source code must retain the above copyright notice,
14			* this list of conditions and the following disclaimer.
15			*
16			* 2. Redistributions in binary form must reproduce the above copyright
17			* notice, this list of conditions and the following disclaimer in
18			* the documentation and/or other materials provided with the
19			* distribution.
20			*
21			* 3. All advertising materials mentioning features or use of this software
22			* must display the following acknowledgment:
23			* "This product includes software developed by the pfSense Project
24			* for use in the pfSense software distribution. (http://www.pfsense.org/).
25			*
26			* 4. The names "pfSense" and "pfSense Project" must not be used to
27			* endorse or promote products derived from this software without
28			* prior written permission. For written permission, please contact
29			* coreteam@pfsense.org.
30			*
31			* 5. Products derived from this software may not be called "pfSense"
32			* nor may "pfSense" appear in their names without prior written
33			* permission of the Electric Sheep Fencing, LLC.
34			*
35			* 6. Redistributions of any form whatsoever must retain the following
36			* acknowledgment:
37			*
38			* "This product includes software developed by the pfSense Project
39			* for use in the pfSense software distribution (http://www.pfsense.org/).
40			*
41			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
42			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
44			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
45			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
46			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
47			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
48			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
50			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
51			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52			* OF THE POSSIBILITY OF SUCH DAMAGE.
53			*
54			* ====================================================================
55			*
56			*/
57	cf7d1057	Scott Ullrich
58	13d193c2	Scott Ullrich	/*
59	3795cc0a	sbeaver	pfSense_MODULE: ipsec
60	13d193c2	Scott Ullrich	*/
61
62	6b07c15a	Matthew Grooms	##\|+PRIV
63			##\|*IDENT=page-status-ipsec
64			##\|*NAME=Status: IPsec page
65			##\|*DESCR=Allow access to the 'Status: IPsec' page.
66			##\|MATCH=diag_ipsec.php
67			##\|-PRIV
68
69
70	a93e56c5	Matthew Grooms	global $g;
71
72	699737d9	Phil Davis	$pgtitle = array(gettext("Status"), gettext("IPsec"));
73	b32dd0a6	jim-p	$shortcut_section = "ipsec";
74	cf7d1057	Scott Ullrich
75			require("guiconfig.inc");
76			include("head.inc");
77	483e6de8	Scott Ullrich	require("ipsec.inc");
78	a93e56c5	Matthew Grooms
79	17402c63	Ermal	if ($_GET['act'] == 'connect') {
80			if (ctype_digit($_GET['ikeid'])) {
81	483c3b5b	Ermal LUÇI	$ph1ent = ipsec_get_phase1($_GET['ikeid']);
82			if (!empty($ph1ent)) {
83	43531ed7	Phil Davis	if (empty($ph1ent['iketype']) \|\| $ph1ent['iketype'] == 'ikev1') {
84	483c3b5b	Ermal LUÇI	$ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
85			for ($i = 0; $i < $ph2entries; $i++) {
86			$connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
87			mwexec("/usr/local/sbin/ipsec down {$connid}");
88			mwexec("/usr/local/sbin/ipsec up {$connid}");
89			}
90			} else {
91			mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
92			mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
93			}
94			}
95	6e8b0ec3	jim-p	}
96	17402c63	Ermal	} else if ($_GET['act'] == 'ikedisconnect') {
97			if (ctype_digit($_GET['ikeid'])) {
98	5f601060	Phil Davis	if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
99	e952906e	Ermal	mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
100	5f601060	Phil Davis	} else {
101	e952906e	Ermal	mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
102	5f601060	Phil Davis	}
103	614be051	bcyrill	}
104	e952906e	Ermal	} else if ($_GET['act'] == 'childdisconnect') {
105			if (ctype_digit($_GET['ikeid'])) {
106	5f601060	Phil Davis	if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
107	e952906e	Ermal	mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
108	5f601060	Phil Davis	}
109	6e0b68bf	jim-p	}
110			}
111
112	5f601060	Phil Davis	if (!is_array($config['ipsec']['phase1'])) {
113	3795cc0a	sbeaver	$config['ipsec']['phase1'] = array();
114	5f601060	Phil Davis	}
115	a93e56c5	Matthew Grooms
116	fd875a8d	Ermal	$a_phase1 = &$config['ipsec']['phase1'];
117	a93e56c5	Matthew Grooms
118	df0878b0	Ermal	$status = ipsec_smp_dump_status();
119	a93e56c5	Matthew Grooms
120	3795cc0a	sbeaver	$tab_array = array();
121			$tab_array[] = array(gettext("Overview"), true, "diag_ipsec.php");
122			$tab_array[] = array(gettext("Leases"), false, "diag_ipsec_leases.php");
123			$tab_array[] = array(gettext("SAD"), false, "diag_ipsec_sad.php");
124			$tab_array[] = array(gettext("SPD"), false, "diag_ipsec_spd.php");
125			$tab_array[] = array(gettext("Logs"), false, "diag_logs_ipsec.php");
126			display_top_tabs($tab_array);
127	c7fbdd6c	Ermal	?>
128	3795cc0a	sbeaver
129			<div class="panel panel-default">
130			<div class="panel-heading">IPSec status</div>
131			<div class="panel-body table responsive">
132			<table class="table table-striped table-hover table-condensed">
133			<thead>
134			<tr>
135			<th><?=gettext("Description")?></th>
136			<th><?=gettext("Local ID")?></th>
137			<th><?=gettext("Local IP")?></th>
138			<th><?=gettext("Remote ID")?></th>
139			<th><?=gettext("Remote IP")?></th>
140			<th><?=gettext("Role")?></th>
141			<th><?=gettext("Reauth")?></th>
142			<th><?=gettext("Algo")?></th>
143			<th><?=gettext("Status")?></th>
144			<th></th>
145			</tr>
146			</thead>
147			<tbody>
148			<?php
149			$ipsecconnected = array();
150
151			if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])):
152			foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa):
153			$con_id = substr($ikesa['peerconfig'], 3);
154
155			if ($ikesa['version'] == 1) {
156			$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
157			$ipsecconnected[$ph1idx] = $ph1idx;
158			} else {
159			$ipsecconnected[$con_id] = $ph1idx = $con_id;
160			}
161
162			if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id']))
163			$icon = "pass";
164			elseif (!isset($config['ipsec']['enable']))
165			$icon = "block";
166			else
167			$icon = "reject";
168			?>
169			<tr>
170			<td>
171			<?=htmlspecialchars(ipsec_get_descr($ph1idx))?>
172			</td>
173			<td>
174			<?php
175			if (!is_array($ikesa['local']))
176			echo gettext("Unknown");
177			else {
178			if (!empty($ikesa['local']['identification'])) {
179			if ($ikesa['local']['identification'] == '%any')
180			print(gettext('Any identifier'));
181			else
182			print(htmlspecialchars($ikesa['local']['identification']));
183			} else
184			print(gettext("Unknown"));
185			}
186	55d6f48b	Renato Botelho
187	5f601060	Phil Davis	if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id'])) {
188	17402c63	Ermal	$icon = "pass";
189	5f601060	Phil Davis	} elseif (!isset($config['ipsec']['enable'])) {
190	17402c63	Ermal	$icon = "block";
191	5f601060	Phil Davis	} else {
192	17402c63	Ermal	$icon = "reject";
193	5f601060	Phil Davis	}
194	6795e0da	Renato Botelho	?>
195	3795cc0a	sbeaver	</td>
196			<td>
197	6795e0da	Renato Botelho	<?php
198	3795cc0a	sbeaver	if (!is_array($ikesa['local']))
199			print(gettext("Unknown"));
200			else {
201			if (!empty($ikesa['local']['address']))
202			print(htmlspecialchars($ikesa['local']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['local']['port']));
203			else
204			print(gettext("Unknown"));
205			if ($ikesa['local']['port'] == '4500')
206			print(" NAT-T");
207			}
208	6795e0da	Renato Botelho	?>
209	3795cc0a	sbeaver	</td>
210			<td>
211	6795e0da	Renato Botelho	<?php
212	3795cc0a	sbeaver	if (!is_array($ikesa['remote']))
213			print(gettext("Unknown"));
214			else {
215			$identity = "";
216			if (!empty($ikesa['remote']['identification'])) {
217			if ($ikesa['remote']['identification'] == '%any')
218			$identity = 'Any identifier';
219	c7fbdd6c	Ermal	else
220	3795cc0a	sbeaver	$identity = htmlspecialchars($ikesa['remote']['identification']);
221	c7fbdd6c	Ermal	}
222	3795cc0a	sbeaver
223			if (is_array($ikesa['remote']['auth']) && !empty($ikesa['remote']['auth'][0]['identity'])) {
224			print(htmlspecialchars($ikesa['remote']['auth'][0]['identity']));
225			print('<br/>' . $identity);
226			} else {
227			if (empty($identity))
228			print(ettext("Unknown"));
229	c7fbdd6c	Ermal	else
230	3795cc0a	sbeaver	print($identity);
231	c7fbdd6c	Ermal	}
232	3795cc0a	sbeaver	}
233	6795e0da	Renato Botelho	?>
234	3795cc0a	sbeaver	</td>
235			<td>
236	6795e0da	Renato Botelho	<?php
237	3795cc0a	sbeaver	if (!is_array($ikesa['remote']))
238			print(gettext("Unknown"));
239			else {
240			if (!empty($ikesa['remote']['address']))
241			print(htmlspecialchars($ikesa['remote']['address']) . '<br/>' . gettext('Port: ') . htmlspecialchars($ikesa['remote']['port']));
242			else
243			print(gettext("Unknown"));
244			if ($ikesa['remote']['port'] == '4500')
245			print(" NAT-T");
246			}
247	6795e0da	Renato Botelho	?>
248	4a098495	Sjon Hortensius	</td>
249	3795cc0a	sbeaver	<td>
250			IKEv<?=htmlspecialchars($ikesa['version'])?>
251			<br/>
252			<?=htmlspecialchars($ikesa['role'])?>
253			</td>
254			<td>
255			<?=htmlspecialchars($ikesa['reauth']);?>
256			</td>
257			<td>
258			<?=htmlspecialchars($ikesa['encalg'])?>
259			<br/>
260			<?=htmlspecialchars($ikesa['intalg'])?>
261			<br/>
262			<?=htmlspecialchars($ikesa['prfalg'])?>
263			<br/>
264			<?=htmlspecialchars($ikesa['dhgroup'])?>
265			</td>
266			<td>
267			<?php
268			if($ikesa['status'] == 'established')
269			print('<span style="color:green">');
270			else
271			print('<span>');
272	6795e0da	Renato Botelho	?>
273	3795cc0a	sbeaver	<?=ucfirst(htmlspecialchars($ikesa['status']))?>
274			<br/><?=htmlspecialchars($ikesa['established'])?>
275			</span>
276			</td>
277			<td >
278	6795e0da	Renato Botelho	<?php
279			if ($icon != "pass"):
280			?>
281	4a098495	Sjon Hortensius	<a href="diag_ipsec.php?act=connect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="Connect VPN" >
282	3795cc0a	sbeaver	<?=gettext("Connect VPN")?>
283	17402c63	Ermal	</a>
284	6795e0da	Renato Botelho	<?php
285			else:
286			?>
287	3795cc0a	sbeaver	<a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>" class="btn btn-xs btn-danger" data-toggle="tooltip" title="Disconnect VPN">
288			<?=gettext("Disconnect")?>
289			</a><br />
290			<a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$ikesa['id']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect VPN connection">
291			<?=gettext("Disconnect")?>
292	e952906e	Ermal	</a>
293	6795e0da	Renato Botelho	<?php
294			endif;
295			?>
296	3795cc0a	sbeaver	</td>
297			</tr>
298			<tr>
299			<td colspan = 10>
300	6795e0da	Renato Botelho	<?php
301	3795cc0a	sbeaver	if (is_array($ikesa['childsalist'])):
302	6795e0da	Renato Botelho	?>
303	3795cc0a	sbeaver	<div id="btnchildsa-<?=$ikeid?>">
304			<a type="button" onclick="show_childsa('childsa-<?=$ikeid?>','btnchildsa-<?=$ikeid?>');" class="btn btn-sm btn-default" />
305			<?=gettext('Show child SA entries')?>
306			</a>
307			</div>
308	fd875a8d	Ermal
309	3795cc0a	sbeaver	<table class="table table-hover table-condensed" id="childsa-<?=$ikeid?>" style="display:none">
310			<thead>
311			<tr class="info">
312			<th><?=gettext("Local subnets")?></th>
313			<th><?=gettext("Local SPI(s)")?></th>
314			<th><?=gettext("Remote subnets")?></th>
315			<th><?=gettext("Times")?></th>
316			<th><?=gettext("Algo")?></th>
317			<th><?=gettext("Stats")?></th>
318			<th><!-- Buttons --></th>
319			</tr>
320			</thead>
321			<tbody>
322			<?php
323			if (is_array($ikesa['childsalist']['childsa'])):
324			foreach ($ikesa['childsalist']['childsa'] as $childsa):
325			?>
326			<tr>
327			<td>
328			<?php
329			if (is_array($childsa['local']) &&
330			is_array($childsa['local']['networks']) &&
331			is_array($childsa['local']['networks']['network']))
332			foreach ($childsa['local']['networks']['network'] as $lnets)
333			print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />");
334	6795e0da	Renato Botelho	else
335	3795cc0a	sbeaver	print(gettext("Unknown"));
336	6795e0da	Renato Botelho	?>
337	3795cc0a	sbeaver	</td>
338			<td>
339	6795e0da	Renato Botelho	<?php
340	3795cc0a	sbeaver	if (is_array($childsa['local']))
341			print(gettext("Local: ") . htmlspecialchars($childsa['local']['spi']));
342
343			if (is_array($childsa['remote']))
344			print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['remote']['spi']));
345	6795e0da	Renato Botelho	?>
346	3795cc0a	sbeaver	</td>
347			<td>
348	6795e0da	Renato Botelho	<?php
349	3795cc0a	sbeaver	if (is_array($childsa['remote']) &&
350			is_array($childsa['remote']['networks']) &&
351			is_array($childsa['remote']['networks']['network']))
352			foreach ($childsa['remote']['networks']['network'] as $rnets)
353			print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />');
354	6795e0da	Renato Botelho	else
355	3795cc0a	sbeaver	print(gettext("Unknown"));
356	6795e0da	Renato Botelho	?>
357	3795cc0a	sbeaver	</td>
358			<td>
359	6795e0da	Renato Botelho	<?php
360	3795cc0a	sbeaver	print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey']));
361			print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['lifetime']));
362			print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['installtime']));
363
364	6795e0da	Renato Botelho	?>
365	3795cc0a	sbeaver	</td>
366			<td>
367			<?php
368	6e332f7f	Stephen Beaver	print(htmlspecialchars($childsa['encalg']) . '<br/>');
369			print(htmlspecialchars($childsa['intalg']) . '<br/>');
370	3795cc0a	sbeaver
371	6e332f7f	Stephen Beaver	if (!empty($childsa['prfalg']))
372			print(htmlspecialchars($childsa['prfalg']) . '<br/>');
373	3795cc0a	sbeaver
374	6e332f7f	Stephen Beaver	if (!empty($childsa['dhgroup']))
375			print(htmlspecialchars($childsa['dhgroup']) . '<br/>');
376	3795cc0a	sbeaver
377	6e332f7f	Stephen Beaver	if (!empty($childsa['esn']))
378	3795cc0a	sbeaver
379			print(gettext("IPComp: ") . htmlspecialchars($childsa['ipcomp']));
380			?>
381			</td>
382			<td>
383			<?php
384	6e332f7f	Stephen Beaver	print(gettext("Bytes-In: ") . htmlspecialchars($childsa['bytesin']) . '<br/>');
385			print(gettext("Packets-In: ") . htmlspecialchars($childsa['packetsin']) . '<br/>');
386			print(gettext("Bytes-Out: ") . htmlspecialchars($childsa['bytesout']) . '<br/>');
387			print(gettext("Packets-Out: ") . htmlspecialchars($childsa['packetsout']) . '<br/>');
388	3795cc0a	sbeaver	?>
389			</td>
390			<td>
391			<a href="diag_ipsec.php?act=childdisconnect&ikeid=<?=$con_id; ?>&ikesaid=<?=$childsa['reqid']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect Child SA')?>">
392			<?=gettext("Disconnect")?>
393			</a>
394			</td>
395			</tr>
396			<?php
397			endforeach;
398			endif;
399	b907136c	Renato Botelho	?>
400	3795cc0a	sbeaver
401			</tbody>
402			</table>
403			</td>
404			</tr>
405	b907136c	Renato Botelho	<?php
406	3795cc0a	sbeaver	endif;
407
408			unset($con_id);
409			endforeach;
410			endif;
411
412			$rgmap = array();
413			foreach ($a_phase1 as $ph1ent):
414			if (isset($ph1ent['disabled']))
415			continue;
416
417			$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
418
419			if ($ipsecconnected[$ph1ent['ikeid']])
420			continue;
421			?>
422			<tr>
423			<td>
424			<?php
425			print(htmlspecialchars($ph1ent['descr']));
426			?>
427			</td>
428			<td>
429			<?php
430			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
431			if (empty($myid_data))
432			print(gettext("Unknown"));
433			else
434			print(htmlspecialchars($myid_data));
435			?>
436			</td>
437			<td>
438			<?php
439			$ph1src = ipsec_get_phase1_src($ph1ent);
440
441			if (empty($ph1src))
442			print(gettext("Unknown"));
443			else
444			print(htmlspecialchars($ph1src));
445			?>
446			</td>
447			<td>
448			<?php
449			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
450			if (empty($peerid_data))
451			print(gettext("Unknown"));
452			else
453			print(htmlspecialchars($peerid_data));
454			?>
455			</td>
456			<td>
457			<?php
458			$ph1src = ipsec_get_phase1_dst($ph1ent);
459			if (empty($ph1src))
460			print(gettext("Unknown"));
461			else
462			print(htmlspecialchars($ph1src));
463			?>
464			</td>
465			<td>
466			</td>
467			<td>
468			</td>
469			<td>
470			</td>
471			<?php
472			if (isset($ph1ent['mobile'])):
473			?>
474			<td>
475			<?=gettext("Awaiting connections")?>
476			</td>
477			<td>
478			</td>
479			<?php
480			else:
481			?>
482			<td>
483			<?=gettext("Disconnected")?>
484			</td>
485			<td >
486			<a href="diag_ipsec.php?act=connect&ikeid=<?=$ph1ent['ikeid']; ?>" class="btn btn-xs btn-success">
487			<?=gettext("Connect VPN")?>
488	6795e0da	Renato Botelho	</a>
489	3795cc0a	sbeaver	</td>
490	b907136c	Renato Botelho	<?php
491	3795cc0a	sbeaver	endif;
492	b907136c	Renato Botelho	?>
493	3795cc0a	sbeaver	<td>>
494			</td>
495			</tr>
496	fd875a8d	Ermal	<?php
497	3795cc0a	sbeaver	endforeach;
498			unset($ipsecconnected, $phase1, $rgmap);
499	c7fbdd6c	Ermal	?>
500	3795cc0a	sbeaver	</tbody>
501	c7fbdd6c	Ermal	</table>
502			</div>
503	3795cc0a	sbeaver	</div>
504
505	c7fbdd6c	Ermal	<script type="text/javascript">
506	a8590dd6	Colin Fleming	//<![CDATA[
507	c7fbdd6c	Ermal	function show_childsa(id, buttonid) {
508			document.getElementById(buttonid).innerHTML='';
509			aodiv = document.getElementById(id);
510			aodiv.style.display = "block";
511			}
512	a8590dd6	Colin Fleming	//]]>
513	c7fbdd6c	Ermal	</script>
514	3795cc0a	sbeaver
515			<?php
516			unset($status);
517			print_info_box(gettext("You can configure IPsec ") . '<a href="vpn_ipsec.php">Here</a>');
518			include("foot.inc"); ?>

Project

General

Profile

pfSense