<?php
/*
	vpn.inc
	Copyright (C) 2004-2006 Scott Ullrich
	All rights reserved.

	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

/*
	This file turns the IPsec, PPTP and PPPoE sections of the global $config
	into daemon configuration files (racoon, setkey, mpd) under $g['varetc_path']
	and (re)starts the daemons. Helpers such as mwexec(), gen_subnet(),
	log_error() and killbypid() are not defined here; presumably they come from
	functions.inc below.
*/

/* include all configuration functions */
require_once("functions.inc");
/*
 * Master setup for the mpd based VPN services: configures the PPTP server
 * and then the PPPoE server. Both read their settings from the global
 * $config themselves, so nothing is passed in.
 */
function vpn_setup() {
	/* PPTP first ... */
	vpn_pptpd_configure();
	/* ... then the PPPoE server. */
	vpn_pppoe_configure();
}
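/**
 * Write the sasyncd configuration from the installed sasyncd package settings.
 *
 * Builds sasyncd.conf under $g['varetc_path'] from the entries in
 * $config['installedpackages']['sasyncd']['config'] and stops any running
 * sasyncd. Launching the daemon is still commented out, as it was.
 *
 * Behaviour kept from the original: an entry without 'enable' set makes the
 * function return immediately, before anything is written or killed.
 *
 * The file is created and chmod()ed to 0600 before the shared key is written
 * to it; previously the mode was tightened only after the write, which left
 * the key readable for a moment under a permissive umask.
 *
 * @return void
 */
function vpn_ipsec_failover_configure() {
	global $config, $g;

	$sasyncd_text = "";
	$conf_path = "{$g['varetc_path']}/sasyncd.conf";

	if($config['installedpackages']['sasyncd']['config'] != "")
		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
			$enabled = isset($sasyncd['enable']);
			if(!$enabled)
				return;
			/* only non-empty settings are emitted; values go into the file verbatim */
			if($sasyncd['peerip'] != "")
				$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
			if($sasyncd['interface'])
				$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
			if($sasyncd['sharedkey'] != "")
				$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
			if($sasyncd['mode'] != "")
				$sasyncd_text .= "mode {$sasyncd['mode']}\n";
			if($sasyncd['listenon'] != "")
				$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
			if($sasyncd['flushmodesync'] != "")
				$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
		}

	$fd = fopen($conf_path, "w");
	if (!$fd) {
		/* the original did not check this and would have fwrite()n to false */
		log_error("Could not open {$conf_path} for writing in vpn_ipsec_failover_configure().");
		return;
	}
	/* restrict the mode before the shared key lands in the file */
	chmod($conf_path, 0600);
	fwrite($fd, $sasyncd_text);
	fclose($fd);

	mwexec("killall sasyncd");

	/* launch sasyncd, oh wise one */
	/* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */
}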
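/**
 * Return the highest gif(4) unit number currently present on the system.
 *
 * Runs "/sbin/ifconfig -l" and scans the whitespace separated interface
 * names it prints for entries of the form gifN.
 *
 * Fixes versus the original: split()/ereg() were removed in PHP 7; the old
 * pattern "gif(.)" captured only a single character (so gif10 read as 1);
 * and the comparison was made against the whole "gifN" match string rather
 * than the captured number.
 *
 * @return int highest gif unit number, or -1 when there is none or the
 *             interface list cannot be read
 */
function find_last_gif_device() {
	$last_gif_found = -1;

	if (!($fp = popen("/sbin/ifconfig -l", "r")))
		return -1;
	/* ifconfig -l prints a single line of names; one read is what the original did too */
	$ifconfig_data = fread($fp, 4096);
	pclose($fp);
	if ($ifconfig_data === false)
		return -1;

	foreach (preg_split('/\s+/', trim($ifconfig_data)) as $ifname) {
		/* anchor both ends so e.g. "gif0" does not match inside another name */
		if (preg_match('/^gif(\d+)$/', $ifname, $regs)) {
			$unit = (int)$regs[1];
			if ($unit > $last_gif_found)
				$last_gif_found = $unit;
		}
	}

	return $last_gif_found;
}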
/**
 * (Re)generate the IPsec configuration and (re)start racoon.
 *
 * Reads $config['ipsec'] (tunnels, mobile clients, CA certs, mobile PSKs) and
 * writes, under $g['varetc_path']: spd.conf (loaded with "setkey -c"),
 * racoon.conf, psk.txt, one <hash>.0 file per CA cert and per-tunnel
 * server<N>-signed.pem / server<N>-key.pem / peer<N>-signed.pem files.
 * Also rewrites /var/db/ipsecpinghosts and calls
 * vpn_ipsec_failover_configure() before returning.
 *
 * When IPsec is disabled in the config the function instead tears everything
 * down (enc0, racoon, SPD/SAD) and returns true.
 *
 * @param bool $ipchg  accepted for callers but never referenced in this body
 * @return bool|int    true after teardown when IPsec is disabled; 1 when a
 *                     configuration file cannot be opened for writing; 0
 *                     otherwise, including the early exit taken when no WAN
 *                     address is available yet
 */
function vpn_ipsec_configure($ipchg = false) {
	global $config, $g, $sa, $sn;

	mwexec("/sbin/ifconfig enc0 create");
	mwexec("/sbin/ifconfig enc0 up");

	/* get the automatic /etc/ping_hosts.sh ready */
	unlink_if_exists("/var/db/ipsecpinghosts");
	touch("/var/db/ipsecpinghosts");

	if($g['booting'] == true) {
		/* determine if we should load the via padlock module */
		/* NOTE: every action inside the match below is commented out, so this
		   block currently only runs the dmesg grep and does nothing with it */
		$dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`;
		if(stristr($dmesg_boot, "ACE") == true) {
			//echo "Enabling [VIA Padlock] ...";
			//mwexec("/sbin/kldload padlock");
			//mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1");
			//mwexec("/sbin/setkey -F");
			//mwexec("/sbin/setkey -FP");
			//echo " done.\n";
		}
	}

	/* kernel SA selection policy; the two branches also differ in passing -w */
	if(isset($config['ipsec']['preferredoldsa'])) {
		mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
	} else {
		mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
	}

	/* NOTE(review): find_last_gif_device() returns the highest gif unit
	   number, and this loop stops before it, so gif<N> itself is left in
	   place — confirm whether that is intended */
	$number_of_gifs = find_last_gif_device();
	for($x=0; $x<$number_of_gifs; $x++) {
		mwexec("/sbin/ifconfig gif" . $x . " delete");
	}

	$curwanip = get_current_wan_address();

	/* $syscfg is not referenced anywhere below */
	$syscfg = $config['system'];
	$ipseccfg = $config['ipsec'];
	$lancfg = $config['interfaces']['lan'];
	$lanip = $lancfg['ipaddr'];
	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
	$lansn = $lancfg['subnet'];

	/* IPsec disabled: tear down and leave */
	if (!isset($ipseccfg['enable'])) {
		mwexec("/sbin/ifconfig enc0 down");
		mwexec("/sbin/ifconfig enc0 destroy");

		/* kill racoon */
		mwexec("/usr/bin/killall racoon");

		/* wait for process to die */
		sleep(2);

		/* send a SIGKILL to be sure */
		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");

		/* flush SPD and SAD */
		mwexec("/sbin/setkey -FP");
		mwexec("/sbin/setkey -F");

		return true;
	}

	if ($g['booting']) {
		echo "Configuring IPsec VPN... ";
	}

	/* always true here: the !isset() case returned above */
	if (isset($ipseccfg['enable'])) {

		/* fastforwarding is not compatible with ipsec tunnels */
		system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1");

		if (!$curwanip) {
			/* IP address not configured yet, exit */
			if ($g['booting'])
				echo "done\n";
			return 0;
		}

		if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
				isset($ipseccfg['mobileclients']['enable'])) {

			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {

				/* generate spd.conf */
				$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
				if (!$fd) {
					printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");
					return 1;
				}

				$spdconf = "";

				/* LAN <-> firewall traffic is exempted from IPsec policy */
				$spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
				$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";

				foreach ($ipseccfg['tunnel'] as $tunnel) {

					if (isset($tunnel['disabled']))
						continue;

					$ep = vpn_endpoint_determine($tunnel, $curwanip);
					if (!$ep) {
						log_error("Could not deterimine VPN endpoint for {$tunnel['descr']}");
						continue;	
					}

					/* sets the globals $sa / $sn used in the spdadd lines below */
					vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);

					/* resolve a hostname gateway once, here, for this iteration only */
					if(is_domain($tunnel['remote-gateway'])) {
						$tmp = gethostbyname($tunnel['remote-gateway']);
						if($tmp)
							$tunnel['remote-gateway'] = $tmp;
					}

					/* add entry to host pinger */
					if($tunnel['pinghost']) {
						/* NOTE(review): this fopen() result is not checked, unlike the others in this function */
						$pfd = fopen("/var/db/ipsecpinghosts","a");
						$srcip = find_interface_ip($config['interfaces']['lan']['if']);
						$dstip = $tunnel['pinghost'];
						fwrite($pfd, "$srcip|$dstip|3\n");
						fclose($pfd);
					}

					if(isset($tunnel['creategif'])) {
						$number_of_gifs = find_last_gif_device();
						$number_of_gifs++;
						$curwanip = get_current_wan_address();

						/* NOTE(review): $curwanip and remote-gateway are config/derived values
						   interpolated unescaped into a shell command; escapeshellarg() would
						   be the defensive choice. Also note there is no space between
						   "tunnel" and the address — confirm ifconfig accepts that form */
						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);
						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
					}

					/* one outbound and one inbound policy per tunnel */
					$spdconf .= "spdadd {$sa}/{$sn} " .
						"{$tunnel['remote-subnet']} any -P out ipsec " .
						"{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
						"{$tunnel['remote-gateway']}/unique;\n";

					$spdconf .= "spdadd {$tunnel['remote-subnet']} " .
						"{$sa}/{$sn} any -P in ipsec " .
						"{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
						"{$ep}/unique;\n";
				
					/* NOTE: strstr() is called with "carp" as the haystack and the
					   interface name as the needle, and the body is empty — this
					   block is a no-op as written */
					if($tunnel['interface'] <> "wan") {
						/* static route needed? */
						if(strstr("carp", $tunnel['interface'])) {
							
						}
					}
				}

				fwrite($fd, $spdconf);
				fclose($fd);

				/* load SPD */
				mwexec("/sbin/setkey -c < {$g['varetc_path']}/spd.conf");
			}

			/* generate racoon.conf */
			/* racoon.conf itself holds no key material (keys live in psk.txt and the
			   *-key.pem files), which is presumably why it is not chmod()ed below */
			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
			if (!$fd) {
				printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");
				return 1;
			}

			$racoonconf = "";

			$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
			$racoonconf .= "path certificate  \"{$g['varetc_path']}\";\n\n";

			/* generate CA certificates files */
			/* each CA cert is written as <subject hash>.0 so racoon can find it by hash */
			$cacertnum = 0;
			if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert']))
				foreach ($ipseccfg['cacert'] as $cacert) {
					++$cacertnum;
					if (isset($cacert['cert'])) {
						$cert = base64_decode($cacert['cert']);
						/* openssl_x509_read() returns false on a bad cert; the is_array() check below absorbs that */
						$x509cert = openssl_x509_parse(openssl_x509_read($cert));
						if(is_array($x509cert) && isset($x509cert['hash'])) {
							$fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
							if (!$fd1) {
								printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
								return 1;
							}
							chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
							fwrite($fd1, $cert);
							fclose($fd1);
						}
					}
				}

			/* per-tunnel "remote" and "sainfo" sections; $tunnelnumber also names the PEM files */
			$tunnelnumber = 0;
			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
				foreach ($ipseccfg['tunnel'] as $tunnel) {

				++$tunnelnumber;

				if (isset($tunnel['disabled']))
					continue;

				$ep = vpn_endpoint_determine($tunnel, $curwanip);
				if (!$ep)
					continue;

				vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);

				/* NOTE: if none of the myident keys is set, $myidentt/$myident keep
				   whatever the previous iteration left in them */
				if (isset($tunnel['p1']['myident']['myaddress'])) {
					$myidentt = "address";
					$myident = $ep;
				} else if (isset($tunnel['p1']['myident']['address'])) {
					$myidentt = "address";
					$myident = $tunnel['p1']['myident']['address'];
				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
					$myidentt = "fqdn";
					$myident = $tunnel['p1']['myident']['fqdn'];
				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
					$myidentt = "user_fqdn";
					$myident = $tunnel['p1']['myident']['ufqdn'];
 				} else if (isset($tunnel['p1']['myident']['dyn_dns'])) {
					$myidentt = "dyn_dns";
					$myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
 				}

				if (isset($tunnel['p1']['authentication_method'])) {
					$authmethod = $tunnel['p1']['authentication_method'];
				} else {$authmethod = 'pre_shared_key';}

				$certline = '';

				if ($authmethod == 'rsasig') {
					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
						$cert = base64_decode($tunnel['p1']['cert']);
						$private_key = base64_decode($tunnel['p1']['private-key']);
					} else {
						/* null certificate/key */
						$cert = '';
						$private_key = '';
					}

					if ($tunnel['p1']['peercert'])
						$peercert = base64_decode($tunnel['p1']['peercert']);
					else
						$peercert = '';

					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
					if (!$fd1) {
						printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
						return 1;
					}
					chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
					fwrite($fd1, $cert);
					fclose($fd1);

					/* private key: mode is tightened before the key is written (good) */
					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
					if (!$fd1) {
						printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
						return 1;
					}
					chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
					fwrite($fd1, $private_key);
					fclose($fd1);

					$certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";

					if ($peercert!=''){
						$fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
						if (!$fd1) {
							/* message names server<N>-signed.pem although peer<N>-signed.pem failed */
							printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
							return 1;
						}
						chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
						fwrite($fd1, $peercert);
						fclose($fd1);
						$certline .= <<<EOD

	peers_certfile "peer{$tunnelnumber}-signed.pem";
EOD;
					}
				}
				/* NOTE(review): "\{" is not a PHP escape sequence, so the backslash
				   reaches the generated file as written — confirm racoon accepts the
				   output on the target PHP version */
				$racoonconf .= <<<EOD
remote {$tunnel['remote-gateway']} \{
	exchange_mode {$tunnel['p1']['mode']};
	my_identifier {$myidentt} "{$myident}";
	{$certline}
	peers_identifier address {$tunnel['remote-gateway']};
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal \{
		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
		hash_algorithm {$tunnel['p1']['hash-algorithm']};
		authentication_method {$authmethod};
		dh_group {$tunnel['p1']['dhgroup']};

EOD;
				/* the same phase-1 lifetime is emitted inside the proposal and on the remote block */
				if ($tunnel['p1']['lifetime'])
					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$racoonconf .= "	}\n";

				if ($tunnel['p1']['lifetime'])
					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$racoonconf .= "}\n\n";

				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);

				$racoonconf .= <<<EOD
sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
	encryption_algorithm {$p2ealgos};
	authentication_algorithm {$p2halgos};
	compression_algorithm deflate;

EOD;

				if ($tunnel['p2']['pfsgroup'])
					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";

				if ($tunnel['p2']['lifetime'])
					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";

				$racoonconf .= "}\n\n";
			}

			/* mobile clients? */
			if (isset($ipseccfg['mobileclients']['enable'])) {

				$tunnel = $ipseccfg['mobileclients'];

				/* NOTE: no dyn_dns case here, and nothing resets $myidentt/$myident,
				   so an unmatched myident reuses the last tunnel's values */
				if (isset($tunnel['p1']['myident']['myaddress'])) {
					$myidentt = "address";
					$myident = $curwanip;
				} else if (isset($tunnel['p1']['myident']['address'])) {
					$myidentt = "address";
					$myident = $tunnel['p1']['myident']['address'];
				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
					$myidentt = "fqdn";
					$myident = $tunnel['p1']['myident']['fqdn'];
				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
					$myidentt = "user_fqdn";
					$myident = $tunnel['p1']['myident']['ufqdn'];
 				}

				if (isset($tunnel['p1']['authentication_method'])) {
					$authmethod = $tunnel['p1']['authentication_method'];
				} else {$authmethod = 'pre_shared_key';}

				$certline = '';
				if ($authmethod == 'rsasig') {
					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
						$cert = base64_decode($tunnel['p1']['cert']);
						$private_key = base64_decode($tunnel['p1']['private-key']);
					} else {
						/* null certificate/key */
						$cert = '';
						$private_key = '';
					}

					/* $peercert is decoded here but, unlike the tunnel case above, never written out */
					if ($tunnel['p1']['peercert'])
						$peercert = base64_decode($tunnel['p1']['peercert']);
					else
						$peercert = '';

					/* file names reuse $tunnelnumber as left by the tunnel loop above */
					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w");
					if (!$fd1) {
						printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n");
						return 1;
					}
					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600);
					fwrite($fd1, $cert);
					fclose($fd1);

					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w");
					if (!$fd1) {
						printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n");
						return 1;
					}
					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600);
					fwrite($fd1, $private_key);
					fclose($fd1);

					$certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";";
				}
				/* "remote anonymous" accepts any peer; generate_policy lets racoon create SPD entries itself */
				$racoonconf .= <<<EOD
remote anonymous \{
	exchange_mode {$tunnel['p1']['mode']};
	my_identifier {$myidentt} "{$myident}";
	{$certline}
	initial_contact on;
	passive on;
	generate_policy on;
	support_proxy on;
	proposal_check obey;

	proposal \{
		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
		hash_algorithm {$tunnel['p1']['hash-algorithm']};
		authentication_method {$authmethod};
		dh_group {$tunnel['p1']['dhgroup']};

EOD;
				if ($tunnel['p1']['lifetime'])
					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$racoonconf .= "	}\n";

				if ($tunnel['p1']['lifetime'])
					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$racoonconf .= "}\n\n";

				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);

				$racoonconf .= <<<EOD
sainfo anonymous \{
	encryption_algorithm {$p2ealgos};
	authentication_algorithm {$p2halgos};
	compression_algorithm deflate;

EOD;

				if ($tunnel['p2']['pfsgroup'])
					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";

				if ($tunnel['p2']['lifetime'])
					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";

				$racoonconf .= "}\n\n";
			}

			fwrite($fd, $racoonconf);
			fclose($fd);

			/* generate psk.txt */
			/* NOTE(review): the pre-shared keys are written first and the file is
			   chmod()ed to 0600 only afterwards (see below); the *-key.pem files
			   above do it the other way round. Restricting the mode before the
			   fwrite() closes the window */
			$fd = fopen("{$g['varetc_path']}/psk.txt", "w");
			if (!$fd) {
				printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");
				return 1;
			}

			$pskconf = "";

			if (is_array($ipseccfg['tunnel'])) {
				foreach ($ipseccfg['tunnel'] as $tunnel) {
					if (isset($tunnel['disabled']))
						continue;
					/* keyed by the configured gateway as written, not the resolved address used above */
					$pskconf .= "{$tunnel['remote-gateway']}	 {$tunnel['p1']['pre-shared-key']}\n";
				}
			}

			/* add PSKs for mobile clients */
			if (is_array($ipseccfg['mobilekey'])) {
				foreach ($ipseccfg['mobilekey'] as $key) {
					$pskconf .= "{$key['ident']}	{$key['pre-shared-key']}\n";
				}
			}

			fwrite($fd, $pskconf);
			fclose($fd);
			chmod("{$g['varetc_path']}/psk.txt", 0600);

			if(is_process_running("racoon")) {
				/* We are already online, reload */
				mwexec("/usr/local/sbin/racoonctl reload-config");
				sleep(1);
				/* pid taken from ps output and passed straight to kill; only the first match is used */
				exec("/usr/bin/ps auxw | grep \"/usr/local/sbin/[r]acoon\" | awk '{print $2}'", $racoonpid);
				if(! empty($racoonpid)) {
					mwexec("/usr/bin/kill -HUP $racoonpid[0]");
				}
			} else {
				/* sleep for a bit */
				sleep (2);

				/* start racoon */
				mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf");
			}
		}
	}

	vpn_ipsec_failover_configure();

	if (!$g['booting']) {
		/* reload the filter */
		touch("{$g["tmp_path"]}/filter_dirty");
	}

	if ($g['booting'])
		echo "done\n";

	return 0;
}
/**
 * (Re)generate the PPTP server configuration for mpd4 and (re)start it.
 *
 * Reads $config['pptpd'] and writes mpd.conf, mpd.links and mpd.secret into
 * $g['varetc_path']/mpd-pptpd, then starts mpd4 with that directory. When not
 * booting, a running mpd is stopped first (via its pid file) and the old
 * files are removed. Only mode 'server' produces output; 'redir' is a no-op.
 *
 * Files and secrets: mpd.conf carries the RADIUS shared secret(s) when RADIUS
 * is enabled and is not chmod()ed; mpd.secret carries user passwords and is
 * chmod()ed to 0600 only after they have been written.
 *
 * @return int 0 on success or when PPTP is off while booting; 1 when one of
 *             the mpd files cannot be opened for writing
 */
function vpn_pptpd_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$pptpdcfg = $config['pptpd'];

	/* $starting_ng is assigned but never used in this function */
    $starting_ng = get_number_of_wan_netgraph_interfaces_needed();

	if ($g['booting']) {
		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
			return 0;

		echo "Configuring PPTP VPN service... ";
	} else {
		/* kill mpd */
        killbypid("{$g['varrun_path']}/mpd-pptpd.pid");

		/* wait for process to die */
		sleep(3);

		/* second attempt if it is still running; note the process match is on "mpd4 -b" */
        if (is_process_running("mpd4 -b")) {
            killbypid("{$g['varrun_path']}/mpd-pptpd.pid");
			log_error("Could not kill mpd within 3 seconds.   Trying again.");
		}

		/* remove mpd.conf, if it exists */
        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.conf");
        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.links");
        unlink_if_exists("{$g['varetc_path']}/mpd-pptpd/mpd.secret");
	}

	/* make sure mpd-vpn directory exists */
    if (!file_exists("{$g['varetc_path']}/mpd-pptpd"))
        mkdir("{$g['varetc_path']}/mpd-pptpd");

	switch ($pptpdcfg['mode']) {

		case 'server':

			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.conf", "w");
			if (!$fd) {
				printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
				return 1;
			}

			$mpdconf = <<<EOD
startup:
pptpd:

EOD;

			/* one "load ptN" per unit, then one ptN section per unit */
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdconf .= "	load pt{$i}\n";
			}

			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {

				/* client addresses are handed out sequentially from 'remoteip' */
				$clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
				$ngif = "ng" . ($i+1);

				/* with RADIUS-issued IPs the range is left open (0.0.0.0/0) for RADIUS to fill */
				if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) {
					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0";
				} else {
					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .= <<<EOD

pt{$i}:
	new -i {$ngif} pt{$i} pt{$i}
	{$isssue_ip_type}
	load pptpd_standard

EOD;
			}

			/* shared link settings; "set link no pap chap" followed by "set link enable chap" */
			$mpdconf .= <<<EOD

pptpd_standard:
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface disable on-demand
	set iface enable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set bundle enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link mtu 1460
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

EOD;

			/* NOTE(review): unless 'req128' is set, 40-bit MPPE (mpp-e40) is also
			   offered alongside 128-bit — worth surfacing in the UI default */
			if (!isset($pptpdcfg['req128'])) {
				$mpdconf .= <<<EOD
	set ccp yes mpp-e40

EOD;
			}
			if (isset($pptpdcfg['wins'])) {
				$mpdconf .= <<<EOD
	set ipcp nbns {$pptpdcfg['wins']}

EOD;
			}
			/* DNS handed to clients: explicit dns1/dns2, else LAN address when dnsmasq is on, else system DNS servers */
		       if (isset($pptpdcfg['dns1'])) {
					$mpdconf .= <<<EOD
	set ipcp dns {$pptpdcfg['dns1']} {$pptpdcfg['dns2']}

EOD;
			} else if (isset($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* RADIUS authentication (and optional accounting); secrets are embedded in mpd.conf */
			if (isset($pptpdcfg['radius']['server']['enable'])) {
				$mpdconf .= <<<EOD
	load radius

radius: 
	set radius retries 3
	set radius timeout 3 
	set radius me {$pptpdcfg['radius']['nasip']}
	set auth enable radius-auth 
	set radius enable message-authentic

EOD;

				if (isset($pptpdcfg['radius']['server2']['enable'])) {
					$mpdconf .= <<<EOD
	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret']}" {$pptpdcfg['radius']['server2']['port']} {$pptpdcfg['radius']['server2']['acctport']} 

EOD;
				}

			/* this condition is the same as the enclosing if, so it is always true here */
			if (isset($pptpdcfg['radius']['server']['enable'])) {
				$mpdconf .= <<<EOD
	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$pptpdcfg['radius']['server']['port']} {$pptpdcfg['radius']['server']['acctport']} 

EOD;
			}

				/* NOTE: this heredoc has no trailing newline, so mpd.conf ends mid-line when accounting is on */
				if (isset($pptpdcfg['radius']['accounting'])) {
					$mpdconf .= <<<EOD
	set auth enable radius-acct 
	set auth acct-update {$pptpdcfg['radius']['acct_update']}
EOD;
				}
			} else {
				$mpdconf .= <<<EOD
	set auth enable system
	set auth timeout 30

EOD;

		}
			fwrite($fd, $mpdconf);
			fclose($fd);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.links", "w");
			if (!$fd) {
				printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
				return 1;
			}

			$mpdlinks = "";

			/* NOTE(review): this loop is bounded by $g['n_pptp_units'] while the
			   mpd.conf loops above use $pptpdcfg['n_pptp_units'] — confirm both
			   are meant to agree */
			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
				$mpdlinks .= <<<EOD

pt{$i}:
	set link type pptp
	set pptp self 127.0.0.1
	set pptp enable incoming
	set pptp disable originate

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);

			/* write mpd.secret */
			/* NOTE(review): plaintext passwords are written before the chmod(0600)
			   below; tightening the mode right after fopen() would close that window */
			$fd = fopen("{$g['varetc_path']}/mpd-pptpd/mpd.secret", "w");
			if (!$fd) {
				printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
				return 1;
			}

			$mpdsecret = "";

			if (is_array($pptpdcfg['user'])) {
				foreach ($pptpdcfg['user'] as $user)
					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			chmod("{$g['varetc_path']}/mpd-pptpd/mpd.secret", 0600);

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/mpd-pptpd -p {$g['varrun_path']}/mpd-pptpd.pid pptpd");

			break;

		case 'redir':
			break;
	}

	if (!$g['booting']) {
		/* reload the filter */
		filter_configure();
	}

	if ($g['booting'])
		echo "done\n";

	return 0;
}
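function vpn_localnet_determine($adr, &$sa, &$sn) {
	/*
	 * Resolve a "local network" selection to a network address and prefix length.
	 *
	 * $adr is either null (the LAN network is assumed), an array carrying
	 * 'network' => 'lan', or an array carrying 'address' => "a.b.c.d[/bits]".
	 * The result is handed back through the reference parameters: $sa receives
	 * the network address, $sn the prefix length.  A bare address without
	 * "/bits" is treated as a single host (/32).  An unrecognised 'network'
	 * value leaves $sa and $sn untouched, as before.
	 */
	global $config, $g;

	if (!isset($adr)) {
		/* nothing selected: fall back to the LAN network */
		$sn = $config['interfaces']['lan']['subnet'];
		$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
		return;
	}

	if (!empty($adr['network'])) {
		switch ($adr['network']) {
			case 'lan':
				$sn = $config['interfaces']['lan']['subnet'];
				$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
				break;
		}
	} else if (!empty($adr['address'])) {
		/* read the optional mask explicitly so a bare address does not raise an
		 * undefined-offset warning the way list() over a one-element array did */
		$parts = explode("/", $adr['address']);
		$sa = $parts[0];
		$sn = isset($parts[1]) ? $parts[1] : 32;
	}
}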
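function vpn_endpoint_determine($tunnel, $curwanip) {
	/*
	 * Pick the local address a VPN tunnel should bind to.
	 *
	 * - no 'interface' or "wan": the current WAN address ($curwanip), or null
	 *   when none is known yet;
	 * - "lan": the configured LAN address;
	 * - any other interface: the address currently present on it (this is what
	 *   picks up CARP VIPs and the like), falling back to the configured static
	 *   address when the interface is enabled and bound to a physical port.
	 *
	 * Returns the address as a string, or null when nothing usable was found.
	 */
	global $g, $config;

	/* read the key once; an absent key counts as "wan" without a warning */
	$ifname = isset($tunnel['interface']) ? $tunnel['interface'] : "";

	if (empty($ifname) || $ifname == "wan")
		return $curwanip ? $curwanip : null;

	if ($ifname == "lan")
		return $config['interfaces']['lan']['ipaddr'];

	/* carp ips, etc */
	$ip = find_interface_ip($ifname);
	if ($ip)
		return $ip;

	/* an interface that is referenced by the tunnel but no longer in the
	 * config must not warn here; it simply has no static address to offer */
	$oc = isset($config['interfaces'][$ifname]) ? $config['interfaces'][$ifname] : null;
	if (isset($oc['enable']) && !empty($oc['if']))
		return $oc['ipaddr'];

	return null;
}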
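function vpn_pppoe_configure() {
	/*
	 * (Re)generate the mpd4 configuration for the PPPoE VPN server and start it.
	 *
	 * Writes mpd.conf, mpd.links and mpd.secret below {$g['varetc_path']}/mpd-pppoe
	 * and then launches mpd4 in the background.  Outside of boot the running
	 * daemon is killed and the previous files removed first.  At boot an unset
	 * or "off" mode returns early without touching anything.
	 *
	 * Returns 0 on success (including "nothing to do") and 1 when one of the
	 * configuration files could not be opened.
	 */
	global $config, $g;

	$syscfg = $config['system'];
	$pppoecfg = $config['pppoe'];
	$mpddir = "{$g['varetc_path']}/mpd-pppoe";

	/* NOTE(review): this value is never consumed; the netgraph interface names
	 * generated further down start at ng1 regardless.  Kept so behaviour stays
	 * unchanged until the intended relationship is confirmed. */
	$starting_ng = get_number_of_wan_netgraph_interfaces_needed();

	/* create directory if it does not exist */
	if (!is_dir($mpddir))
		mkdir($mpddir);

	if ($g['booting']) {
		if (empty($pppoecfg['mode']) || ($pppoecfg['mode'] == "off"))
			return 0;

		echo "Configuring PPPoE VPN service... ";
	} else {
		/* kill mpd and give it a moment to exit before its files are replaced */
		killbypid("{$g['varrun_path']}/mpd-pppoe.pid");
		sleep(2);
		unlink_if_exists("{$mpddir}/mpd.conf");
		unlink_if_exists("{$mpddir}/mpd.links");
		unlink_if_exists("{$mpddir}/mpd.secret");
	}

	switch ($pppoecfg['mode']) {

		case 'server':
			$pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']);

			$mpdconf = vpn_pppoe_build_mpdconf($pppoecfg, $syscfg, $config, $pppoe_interface);
			if (!vpn_pppoe_write_file("{$mpddir}/mpd.conf", $mpdconf, "mpd.conf"))
				return 1;

			$mpdlinks = vpn_pppoe_build_mpdlinks($pppoecfg, $pppoe_interface);
			if (!vpn_pppoe_write_file("{$mpddir}/mpd.links", $mpdlinks, "mpd.links"))
				return 1;

			/* mpd.secret holds cleartext credentials: the helper restricts it
			 * to the owner before any data is written, not after */
			$mpdsecret = vpn_pppoe_build_mpdsecret($pppoecfg);
			if (!vpn_pppoe_write_file("{$mpddir}/mpd.secret", $mpdsecret, "mpd.secret", 0600))
				return 1;

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$mpddir} -p {$g['varrun_path']}/mpd-pppoe.pid pppoe");
			break;

		case 'redir':
			break;
	}

	touch("{$g["tmp_path"]}/filter_dirty");

	if ($g['booting'])
		echo "done\n";

	return 0;
}

/*
 * Append $data to $path.  $label is the file's basename, used only in the
 * error message; $mode, when given, is applied with chmod() before anything
 * is written so a credentials file is never readable under the default umask,
 * even briefly.  Append mode is kept from the original: the non-boot path
 * unlinks the files beforehand, at boot it relies on the directory starting
 * out empty (not verified here).
 *
 * Returns true on success, false when the file could not be opened.
 */
function vpn_pppoe_write_file($path, $data, $label, $mode = null) {
	$fd = fopen($path, "a");
	if (!$fd) {
		printf("Error: cannot open %s in vpn_pppoe_configure().\n", $label);
		return false;
	}
	if ($mode !== null)
		chmod($path, $mode);
	fwrite($fd, $data);
	fclose($fd);
	return true;
}

/*
 * Build the contents of mpd.conf for the PPPoE server: a startup/pppoe entry
 * that loads one pppoe{N} bundle per unit, one bundle section per unit, the
 * shared pppoe_standart link template, the IPCP DNS line and either the
 * RADIUS or the local system authentication block.
 */
function vpn_pppoe_build_mpdconf($pppoecfg, $syscfg, $config, $pppoe_interface) {
	$units = isset($pppoecfg['n_pppoe_units']) ? (int) $pppoecfg['n_pppoe_units'] : 0;

	$mpdconf = "\n\n";
	$mpdconf .= <<<EOD
startup:
pppoe:

EOD;

	for ($i = 0; $i < $units; $i++) {
		$mpdconf .= "\tload pppoe{$i}\n";
	}

	/* NOTE(review): this test looks at radius.enable while the auth block below
	 * keys off radius.server.enable; whether both flags always agree is not
	 * visible from this file */
	$radius_issues_ips = isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable']);

	for ($i = 0; $i < $units; $i++) {
		$ngif = "ng" . ($i + 1);

		/* with RADIUS-issued addresses the client side of the range is left
		 * open; otherwise every unit gets a fixed address counted up from remoteip */
		if ($radius_issues_ips) {
			$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
		} else {
			$clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
			$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
		}

		$mpdconf .= <<<EOD

pppoe{$i}:
	new -i {$ngif} pppoe{$i} pppoe{$i}
	{$issue_ip_type}
	load pppoe_standart

EOD;
	}

	$mpdconf .= <<<EOD

pppoe_standart:
	set link type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set bundle enable compression
	set auth max-logins 1
	set link max-redial -1
	set pppoe enable incoming
	set pppoe disable originate
	set iface disable on-demand
	set iface disable proxy-arp
	set iface idle 0 
	set iface enable tcpmssfix
	set bundle no multilink  
	set link no acfcomp 
	set link no protocomp 
	set link no pap chap
	set link enable chap
	set link keep-alive 30 100 
	set link mtu 1460 
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set ipcp no vjcomp 

EOD;

	/* DNS handed to clients: explicit servers win, then the local forwarder
	 * (plus the first system DNS server), then the system DNS servers alone */
	if (isset($pppoecfg['dns1'])) {
		$dns = $pppoecfg['dns1'];
		if (isset($pppoecfg['dns2']) && $pppoecfg['dns2'] != "")
			$dns .= " " . $pppoecfg['dns2'];
		$mpdconf .= "\tset ipcp dns {$dns}\n";
	} else if (isset($config['dnsmasq']['enable'])) {
		$mpdconf .= "\tset ipcp dns " . $config['interfaces']['lan']['ipaddr'];
		if (!empty($syscfg['dnsserver'][0]))
			$mpdconf .= " " . $syscfg['dnsserver'][0];
		$mpdconf .= "\n";
	} else if (is_array($syscfg['dnsserver']) && !empty($syscfg['dnsserver'][0])) {
		$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
	}

	if (isset($pppoecfg['radius']['server']['enable'])) {
		$radcfg = $pppoecfg['radius'];
		$mpdconf .= <<<EOD
	load radius

radius: 
	set radius retries 3
	set radius timeout 3 
	set radius me {$radcfg['nasip']}
	set auth enable radius-auth 
	set radius enable message-authentic

EOD;
		/* the secondary server is listed before the primary; order kept as the
		 * original wrote it */
		if (isset($radcfg['server2']['enable']))
			$mpdconf .= vpn_pppoe_radius_server_line($radcfg['server2']);
		$mpdconf .= vpn_pppoe_radius_server_line($radcfg['server']);

		if (isset($radcfg['accounting'])) {
			/* terminated with a newline: the original left the acct-update line
			 * as the unterminated last line of mpd.conf */
			$mpdconf .= <<<EOD
	set auth enable radius-acct 
	set auth acct-update {$radcfg['acct_update']}

EOD;
		}
	} else {
		$mpdconf .= <<<EOD
	set auth enable system
	set auth timeout 30

EOD;
	}

	return $mpdconf;
}

/*
 * One "set radius server" line for a RADIUS server entry (ip, secret, port,
 * acctport).  NOTE(review): the shared secret is interpolated unescaped inside
 * double quotes, as the original did; a secret containing a `"` would break
 * the line.  mpd's quoting rules are not verified here.
 */
function vpn_pppoe_radius_server_line($srv) {
	return "\tset radius server {$srv['ip']} \"{$srv['secret']}\" {$srv['port']} {$srv['acctport']}\n";
}

/*
 * Build the contents of mpd.links: one link section per configured unit,
 * all bound to the real PPPoE interface.
 *
 * NOTE(review): every iteration emits the same "pppoe:" label while mpd.conf
 * creates links named pppoe{N}, and the incoming/originate directions here are
 * the reverse of those in mpd.conf.  Both are reproduced unchanged; confirm
 * against mpd4's link lookup before altering.
 */
function vpn_pppoe_build_mpdlinks($pppoecfg, $pppoe_interface) {
	$units = isset($pppoecfg['n_pppoe_units']) ? (int) $pppoecfg['n_pppoe_units'] : 0;

	$mpdlinks = "";
	for ($i = 0; $i < $units; $i++) {
		$mpdlinks .= <<<EOD

pppoe:
	set link type pppoe
	set pppoe iface {$pppoe_interface}
        set pppoe service "*"
	 set pppoe disable incoming
	 set pppoe enable originate


EOD;
	}

	return $mpdlinks;
}

/*
 * Build the contents of mpd.secret: one "name "password" ip" line per user.
 *
 * NOTE(review): name, password and ip are written unescaped; a `"` or a newline
 * inside a password would corrupt the line or inject a second entry.  The
 * values come from the stored configuration, and mpd's quoting rules are not
 * verified here, so the format is reproduced as is.
 */
function vpn_pppoe_build_mpdsecret($pppoecfg) {
	$mpdsecret = "\n\n";

	if (isset($pppoecfg['user']) && is_array($pppoecfg['user'])) {
		foreach ($pppoecfg['user'] as $user) {
			$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
		}
	}

	return $mpdsecret;
}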
?>