<?php
/*
	vpn.inc
	Copyright (C) 2004 Scott Ullrich
	Copyright (C) 2008 Shrew Soft Inc
	Copyright (C) 2008 Ermal Luçi
	All rights reserved.
	originally part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_BUILDER_BINARIES:	/sbin/ifconfig
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/ipsec	/usr/local/libexec/ipsec/charon /usr/local/libexec/ipsec/starter
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/filterdns	/usr/local/sbin/mpd4
	pfSense_MODULE:	vpn
*/
require_once("ipsec.inc");
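/**
 * Apply or render the charon log levels selected in the IPsec config.
 *
 * Walks the global $ipsec_loglevels table (subsystem key => description)
 * and, for each subsystem, reads the level stored at
 * $config['ipsec']['ipsec_<key>']. A stored level is only honoured when it
 * is numeric and within 0..5; charon receives the stored value minus one.
 * Values outside that range, or non-numeric values, are silently skipped.
 *
 * @param bool $forconfig  false: push the levels to the running daemon with
 *                         "ipsec stroke loglevel" (subsystems with no stored
 *                         level are reset to -1); true: run no command and
 *                         return the levels as a comma-separated
 *                         "<key> <level>" list suitable for charondebug=.
 * @return string|null  the rendered list when $forconfig is true, null otherwise.
 */
function vpn_ipsec_configure_loglevels($forconfig = false)
{
	global $config, $ipsec_loglevels;

	$cfgtext = array();
	foreach ($ipsec_loglevels as $lkey => $ldescr) {
		/* read once; the isset() guard avoids an undefined-index notice
		 * when the level was never saved for this subsystem */
		$level = isset($config['ipsec']["ipsec_{$lkey}"]) ? $config['ipsec']["ipsec_{$lkey}"] : null;

		if (!isset($level) && !$forconfig) {
			/* nothing stored: reset this subsystem on the live daemon */
			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
			continue;
		}

		/* only numeric, in-range values are applied; anything else is ignored */
		if (!is_numeric($level) || intval($level) < 0 || intval($level) > 5)
			continue;

		$charonlevel = intval($level) - 1;
		if ($forconfig)
			$cfgtext[] = "{$lkey} {$charonlevel}";
		else
			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} {$charonlevel}", false);
	}

	if ($forconfig)
		return implode(',', $cfgtext);
}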
/* include all configuration functions */
/**
 * Map an IKE Diffie-Hellman group number to strongSwan's "modpNNNN" keyword.
 *
 * Only the MODP groups listed in the table below are handled; any other
 * value (including "" or null) yields "" so callers can omit the
 * "-modpNNNN" suffix from the proposal string. The comparison is loose,
 * so int 14 and string "14" resolve to the same entry.
 *
 * NOTE(review): modp768 and modp1024 (groups 1 and 2) are far below current
 * strength recommendations and are kept here only for interoperability with
 * legacy peers; new tunnels should be pointed at group 14 or higher.
 *
 * @param int|string $index  DH group number as stored in the phase 1/2 config
 * @return string  "modp768" .. "modp8192", or "" when the group is unknown
 */
function vpn_ipsec_convert_to_modp($index)
{
	/* DH group number => strongSwan modp keyword */
	$modp_groups = array(
		'1'  => "modp768",
		'2'  => "modp1024",
		'5'  => "modp1536",
		'14' => "modp2048",
		'15' => "modp3072",
		'16' => "modp4096",
		'17' => "modp6144",
		'18' => "modp8192",
	);

	foreach ($modp_groups as $group => $modp) {
		/* PHP stores numeric-string keys as ints; the cast keeps the
		 * comparison a loose string compare against e.g. '14' */
		if ($index == (string) $group)
			return $modp;
	}

	return "";
}
function vpn_ipsec_configure($ipchg = false)
98
{
99
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
100 17da6c79 Scott Ullrich
101 7734aea6 Andrew Thompson
	if ($g['platform'] == 'jail')
102
		return;
103 52c9f9fa Ermal
104 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
105 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
106
	touch("{$g['vardb_path']}/ipsecpinghosts");
107 c1f5a46b Scott Ullrich
108 7b2fdac4 jim-p
	vpn_ipsec_configure_preferoldsa();
109 8f67a8e1 Scott Ullrich
110
	$syscfg = $config['system'];
111 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
112 2f1e0311 Seth Mos
	if (!isset($ipseccfg['enable'])) {
113 6c576b27 Ermal
		/* try to stop charon */
114
		mwexec("/usr/local/sbin/ipsec stop");
115 52c9f9fa Ermal
		/* Stop dynamic monitoring */
116 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
117 98c02cac Ermal
118 6c576b27 Ermal
		/* wait for process to die */
119 8f67a8e1 Scott Ullrich
		sleep(2);
120
121 84fa0d60 Scott Ullrich
		/* disallow IPSEC, it is off */
122 52c9f9fa Ermal
		mwexec("/sbin/ifconfig enc0 down");
123 971de1f9 Renato Botelho
		set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
124 2f1e0311 Seth Mos
125 6a781df6 Ermal
		return 0;
126 3c5af33a Ermal LUÇI
	}
127 8f67a8e1 Scott Ullrich
128 3c5af33a Ermal LUÇI
	$a_phase1 = $config['ipsec']['phase1'];
129
	$a_phase2 = $config['ipsec']['phase2'];
130
	$a_client = $config['ipsec']['client'];
131 8f67a8e1 Scott Ullrich
132 3c5af33a Ermal LUÇI
	$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
133
	$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
134
	$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
135
136
	mwexec("/sbin/ifconfig enc0 up");
137
	set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
138
	/* needed for config files */
139
	if (!is_dir("{$g['varetc_path']}/ipsec"))
140
		mkdir("{$g['varetc_path']}/ipsec");
141
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
142
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
143
	if (!is_dir($capath))
144
		mkdir($capath);
145
	if (!is_dir($keypath))
146
		mkdir($keypath);
147
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
148
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
149
	if (!is_dir($certpath))
150
		mkdir($certpath);
151
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
152
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
153
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
154
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
155
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
156
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
157
	if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
158
		mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
159
	
160
161
	if (platform_booting())
162
		echo gettext("Configuring IPsec VPN... ");
163
164
	/* fastforwarding is not compatible with ipsec tunnels */
165
	set_single_sysctl("net.inet.ip.fastforwarding", "0");
166
167
	/* resolve all local, peer addresses and setup pings */
168
	$ipmap = array();
169
	$rgmap = array();
170
	$filterdns_list = array();
171
	$listeniflist = array();
172
	$aggressive_mode_psk = false;
173
	unset($iflist);
174
	if (is_array($a_phase1) && count($a_phase1)) {
175
176
		$ipsecpinghosts = "";
177
		/* step through each phase1 entry */
178
		foreach ($a_phase1 as $ph1ent) {
179
			if (isset($ph1ent['disabled']))
180
				continue;
181
182
			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) 
183
				$aggressive_mode_psk = true;
184
185
			$ikeid = $ph1ent['ikeid'];
186
			$listeniflist = get_real_interface($a_phase1['interface']);
187
188
			$ep = ipsec_get_phase1_src($ph1ent);
189
			if (!is_ipaddr($ep))
190
				continue;
191
192
			if(!in_array($ep,$ipmap))
193
				$ipmap[] = $ep;
194
195
			/* see if this tunnel has a hostname for the remote-gateway. If so,
196
			   try to resolve it now and add it to the list for filterdns */
197
198
			if (isset ($ph1ent['mobile']))
199
				continue;
200
201
			$rg = $ph1ent['remote-gateway'];
202
203
			if (!is_ipaddr($rg)) {
204
				$filterdns_list[] = "{$rg}";
205
				add_hostname_to_watch($rg);
206
				if (!platform_booting())
207
					$rg = resolve_retry($rg);
208
				if (!is_ipaddr($rg))
209 3462a529 Matthew Grooms
					continue;
210 3c5af33a Ermal LUÇI
			}
211
			if(array_search($rg, $rgmap)) {
212
				log_error("The remote gateway {$rg} already exists on another phase 1 entry");
213
				continue;
214
			}
215
			$rgmap[$ph1ent['remote-gateway']] = $rg;
216 3462a529 Matthew Grooms
217 3c5af33a Ermal LUÇI
			if (is_array($a_phase2)) {
218
				/* step through each phase2 entry */
219
				foreach ($a_phase2 as $ph2ent) {
220
					if (isset($ph2ent['disabled']))
221 979cd6db Scott Ullrich
						continue;
222 a11df336 jim-p
223 3c5af33a Ermal LUÇI
					if ($ikeid != $ph2ent['ikeid'])
224
						continue;
225 a11df336 jim-p
226 3c5af33a Ermal LUÇI
					/* add an ipsec pinghosts entry */
227
					if ($ph2ent['pinghost']) {
228
						if (!is_array($iflist))
229
							$iflist = get_configured_interface_list();
230
						$viplist = get_configured_vips_list();
231
						$srcip = null;
232
						$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
233
						if(is_ipaddrv6($ph2ent['pinghost'])) {
234
							foreach ($iflist as $ifent => $ifname) {
235
								$interface_ip = get_interface_ipv6($ifent);
236
								if(!is_ipaddrv6($interface_ip))
237
									continue;
238
								if (ip_in_subnet($interface_ip, $local_subnet)) {
239
									$srcip = $interface_ip;
240
									break;
241 fb17f629 Seth Mos
								}
242 a11df336 jim-p
							}
243 3c5af33a Ermal LUÇI
						} else {
244
							foreach ($iflist as $ifent => $ifname) {
245
								$interface_ip = get_interface_ip($ifent);
246
								if(!is_ipaddrv4($interface_ip))
247
									continue;
248
								if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
249
									$srcip = $interface_ip;
250
									break;
251 dc63467f Matt Smith
								}
252
							}
253 3c5af33a Ermal LUÇI
						}
254
						/* if no valid src IP was found in configured interfaces, try the vips */
255
						if (is_null($srcip)) {
256
							foreach ($viplist as $vip) {
257
								if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
258
									$srcip = $vip['ipaddr'];
259
									break;
260
								}
261 741077bc Ermal Lu?i
							}
262 87e07f52 mgrooms
						}
263 3c5af33a Ermal LUÇI
						$dstip = $ph2ent['pinghost'];
264
						if(is_ipaddrv6($dstip)) {
265
							$family = "inet6";
266
						} else {
267
							$family = "inet";
268
						}
269
						if (is_ipaddr($srcip))
270
							$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
271 17da6c79 Scott Ullrich
					}
272 a93e56c5 Matthew Grooms
				}
273
			}
274
		}
275 3c5af33a Ermal LUÇI
		@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
276
		unset($ipsecpinghosts);
277
	}
278
	unset($iflist);
279 496acde1 Ermal
280 3c5af33a Ermal LUÇI
	$accept_unencrypted = "";
281
	if (isset($config['ipsec']['acceptunencryptedmainmode']))
282
		$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
283 737b18f2 Ermal
284 3c5af33a Ermal LUÇI
	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
285
	if ($aggressive_mode_psk) {
286
		log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
287
		$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
288
	} 
289 845f9f78 Ermal LUÇI
290
	$unity_enabled = 'no';
291
	if (isset($config['ipsec']['unityplugin']))
292
		$unity_enabled = 'yes';
293
294 3c5af33a Ermal LUÇI
	$strongswan = <<<EOD
295 496acde1 Ermal
296 531686c1 Chris Buechler
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
297 496acde1 Ermal
starter {
298 3c5af33a Ermal LUÇI
load_warning = no
299 496acde1 Ermal
}
300
301
charon {
302 3c5af33a Ermal LUÇI
# number of worker threads in charon
303
threads = 16
304
ikesa_table_size = 32
305
ikesa_table_segments = 4
306
init_limit_half_open = 1000
307
install_routes = no
308
{$i_dont_care_about_security_and_use_aggressive_mode_psk}
309
{$accept_unencrypted}
310 845f9f78 Ermal LUÇI
cisco_unity = {$unity_enabled}
311 3c5af33a Ermal LUÇI
312
# And two loggers using syslog. The subsections define the facility to log
313
# to, currently one of: daemon, auth.
314
syslog {
315
	identifier = charon
316
	# default level to the LOG_DAEMON facility
317
	daemon {
318 7335fa53 Ermal
	}
319 3c5af33a Ermal LUÇI
	# very minimalistic IKE auditing logs to LOG_AUTHPRIV
320
	auth {
321
		default = -1
322
		ike = 1
323
		ike_name = yes
324
	}
325
}
326 c6efc8fd Ermal
327 496acde1 Ermal
EOD;
328
329 3c5af33a Ermal LUÇI
	$strongswan .= "\tplugins {\n";
330
331
	if (is_array($a_client) && isset($a_client['enable'])) {
332
		$strongswan .= "\t\tattr {\n";
333
		if ($a_client['pool_address'] && $a_client['pool_netbits'])
334
			$strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
335
336
		$cfgservers = array();
337
		if (!empty($a_client['dns_server1']))
338
			$cfgservers[] = $a_client['dns_server1'];
339
		if (!empty($a_client['dns_server2']))
340
			$cfgservers[] = $a_client['dns_server2'];
341
		if (!empty($a_client['dns_server3']))
342
			$cfgservers[] = $a_client['dns_server3'];
343
		if (!empty($a_client['dns_server4']))
344
			$cfgservers[] = $a_client['dns_server4'];
345
346
		if (!empty($cfgservers))
347
			$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
348
		unset($cfgservers);
349
		$cfgservers = array();
350
		if (!empty($a_client['wins_server1']))
351
			$cfgservers[] = $a_client['wins_server1'];
352
		if (!empty($a_client['wins_server2']))
353
			$cfgservers[] = $a_client['wins_server2'];
354
		if (!empty($cfgservers))
355
			$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
356
		unset($cfgservers);
357
358
		if (isset($a_client['net_list'])) {
359
			$net_list = '';
360
			foreach ($a_phase2 as $ph2ent) {
361
				if (isset($ph2ent['disabled']))
362
					continue;
363 496acde1 Ermal
364 3c5af33a Ermal LUÇI
				if (!isset($ph2ent['mobile']))
365
					continue;
366 496acde1 Ermal
367 3c5af33a Ermal LUÇI
				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
368 496acde1 Ermal
369 3c5af33a Ermal LUÇI
				if (!empty($net_list))
370
					$net_list .= ",";
371
				$net_list .= $localid;
372 496acde1 Ermal
			}
373
374 3c5af33a Ermal LUÇI
			if (!empty($net_list)) {
375
				$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
376
				unset($net_list);
377 496acde1 Ermal
			}
378 3c5af33a Ermal LUÇI
		}
379 496acde1 Ermal
380 3c5af33a Ermal LUÇI
		if (!empty($a_client['dns_domain'])) {
381
			$strongswan .= "\t\t\t# Search domain and default domain\n";
382
			$strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
383
			if (empty($a_client['dns_split']))
384
				$strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
385
			$strongswan .= "\n";
386
		}
387 496acde1 Ermal
388 3c5af33a Ermal LUÇI
		if (!empty($a_client['dns_split'])) {
389
			$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
390
		}
391 496acde1 Ermal
392 3c5af33a Ermal LUÇI
		if (!empty($a_client['login_banner']))
393
			$strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
394
395
		if (isset($a_client['save_passwd']))
396
			$strongswan .= "\t\t\t28673 = 1\n";
397
398
		if ($a_client['pfs_group'])
399
			$strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
400
		$strongswan .= "\t\t}\n";
401
402
		if ($a_client['user_source'] != "none") {
403
			$strongswan .= "\t\txauth-generic {\n";
404
			$strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
405
			$strongswan .= "\t\t\tauthcfg = ";
406
			$firstsed = 0;
407
			$authcfgs = explode(",", $a_client['user_source']);
408
			foreach ($authcfgs as $authcfg) {
409
				if ($firstsed > 0)
410
					$strongswan .= ",";
411
				if ($authcfg == "system")
412
					$authcfg = "Local Database";
413
				$strongswan .= $authcfg;
414
				$firstsed = 1;
415 91287d1f Ermal
			}
416 3c5af33a Ermal LUÇI
			$strongswan .= "\n";
417
			$strongswan .= "\t\t}\n";
418 496acde1 Ermal
		}
419 3c5af33a Ermal LUÇI
	}
420 496acde1 Ermal
421 3c5af33a Ermal LUÇI
	$strongswan .= "\t}\n}\n";
422
	@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
423
	unset($strongswan);
424 8f67a8e1 Scott Ullrich
425 3c5af33a Ermal LUÇI
	/* generate CA certificates files */
426
	if (is_array($config['ca']) && count($config['ca'])) {
427
		foreach ($config['ca'] as $ca) {
428
			if (!isset($ca['crt'])) {
429
				log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
430
				continue;
431
			}
432
			$cert = base64_decode($ca['crt']);
433
			$x509cert = openssl_x509_parse(openssl_x509_read($cert));
434
			if (!is_array($x509cert) || !isset($x509cert['hash'])) {
435
				log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
436
				continue;
437 a93e56c5 Matthew Grooms
			}
438 3c5af33a Ermal LUÇI
			$fname = "{$capath}/{$x509cert['hash']}.0.crt";
439
			if (!@file_put_contents($fname, $cert)) {
440
				log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
441
				continue;
442
			}
443
			unset($cert);
444 a93e56c5 Matthew Grooms
		}
445 3c5af33a Ermal LUÇI
	}
446 09628a07 Renato Botelho
447 3c5af33a Ermal LUÇI
	$pskconf = "";
448 037b51b3 Seth Mos
449 3c5af33a Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1)) {
450
		foreach ($a_phase1 as $ph1ent) {
451 a93e56c5 Matthew Grooms
452 3c5af33a Ermal LUÇI
			if (isset($ph1ent['disabled']))
453
				continue;
454 a93e56c5 Matthew Grooms
455 3c5af33a Ermal LUÇI
			if (strstr($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
456
				$certline = '';
457 a93e56c5 Matthew Grooms
458 3c5af33a Ermal LUÇI
				$ikeid = $ph1ent['ikeid'];
459
				$cert = lookup_cert($ph1ent['certref']);
460 496acde1 Ermal
461 3c5af33a Ermal LUÇI
				if (!$cert) {
462
					log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
463
					continue;
464
				}
465 496acde1 Ermal
466 3c5af33a Ermal LUÇI
				@chmod($certpath, 0600);
467 496acde1 Ermal
468 3c5af33a Ermal LUÇI
				$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
469
				if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
470
					log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
471
					continue;
472
				}
473
				@chmod($ph1keyfile, 0600);
474 496acde1 Ermal
475 3c5af33a Ermal LUÇI
				$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
476
				if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
477
					log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
478
					@unlink($ph1keyfile);
479
					continue;
480
				}
481
				@chmod($ph1certfile, 0600);
482 fa4e059e Ermal
483 3c5af33a Ermal LUÇI
				/* XXX" Traffic selectors? */
484
				$pskconf .= " : RSA {$ph1keyfile}\n";
485
			} else {
486 1ada4c8c Ermal LUÇI
				list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
487
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
488 496acde1 Ermal
489 3c5af33a Ermal LUÇI
				if (empty($peerid_data))
490
					continue;
491 496acde1 Ermal
492 f3106b3f Ermal LUÇI
				$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
493 1ada4c8c Ermal LUÇI
				$peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : '';
494 f3106b3f Ermal LUÇI
				if (!empty($ph1ent['pre-shared-key'])) {
495
					if ($myid_type == 'fqdn' && !empty($myid_data))
496 430f8380 Ermal
						$pskconf .= "@{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
497 f3106b3f Ermal LUÇI
					else
498 430f8380 Ermal
						$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
499 f3106b3f Ermal LUÇI
				}
500 5b237745 Scott Ullrich
			}
501 a93e56c5 Matthew Grooms
		}
502 3c5af33a Ermal LUÇI
	}
503 a93e56c5 Matthew Grooms
504 3c5af33a Ermal LUÇI
	/* Add user PSKs */
505
	if (is_array($config['system']) && is_array($config['system']['user'])) {
506
		foreach ($config['system']['user'] as $user) {
507
			if (!empty($user['ipsecpsk'])) {
508 430f8380 Ermal
				$pskconf .= "%any {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
509 4ed2dde7 jim-p
			}
510
		}
511 3c5af33a Ermal LUÇI
		unset($user);
512
	}
513 4ed2dde7 jim-p
514 3c5af33a Ermal LUÇI
	/* add PSKs for mobile clients */
515
	if (is_array($ipseccfg['mobilekey'])) {
516
		foreach ($ipseccfg['mobilekey'] as $key) {
517
			if ($key['ident'] == "allusers")
518 c86c2b8b Ermal LUÇI
				$key['ident'] = '%any';
519 f3106b3f Ermal LUÇI
			$pskconf .= "%any {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
520 2ef1b601 jim-p
		}
521 3c5af33a Ermal LUÇI
		unset($key);
522
	}
523 2ef1b601 jim-p
524 3c5af33a Ermal LUÇI
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
525
	chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
526
	unset($pskconf);
527
528
	$natfilterrules = false;
529
	/* begin ipsec.conf */
530
	$ipsecconf = "";
531 45efe1b6 Ermal LUÇI
	$enablecompression = false;
532 3c5af33a Ermal LUÇI
	if (is_array($a_phase1) && count($a_phase1))  {
533
534
		$ipsecconf .= "# This file is automatically generated. Do not edit\n";
535
		$ipsecconf .= "config setup\n\tuniqueids = yes\n";
536
		$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
537
538
		foreach ($a_phase1 as $ph1ent) {
539
			if (isset($ph1ent['disabled']))
540
				continue;
541
542
			if ($ph1ent['mode'] == "aggressive")
543
				$aggressive = "yes";
544
			else
545
				$aggressive = "no";
546
547
			$ep = ipsec_get_phase1_src($ph1ent);
548
			if (!$ep)
549
				continue;
550
551
			$ikeid = $ph1ent['ikeid'];
552
			$keyexchange = "ikev1";
553
			$passive = "route";
554
			if (!empty($ph1ent['iketype'])) {
555
				if ($ph1ent['iketype'] == "ikev2") {
556
					$keyexchange = "ikev2";
557
					//$passive = "start";
558
				} else if ($ph1ent['iketype'] == "auto")
559
					$keyexchange = "ike";
560
			}
561 09628a07 Renato Botelho
562 3c5af33a Ermal LUÇI
			if (isset($ph1ent['mobile'])) {
563
				$right_spec = "%any";
564
				$passive = 'add';
565
			} else
566
				$right_spec = $ph1ent['remote-gateway'];
567
568 1ada4c8c Ermal LUÇI
			list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
569
			if ($myid_type != 'address')
570
				$myid_data = "{$myid_type}:{$myid_data}";
571 3c5af33a Ermal LUÇI
572
			/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
573
			$peerid_spec = '';
574 1ada4c8c Ermal LUÇI
			if (!isset($ph1ent['mobile'])) {
575
				list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
576
				if ($peerid_type != 'address')
577
					$peerid_spec = "{$peerid_type}:{$peerid_data}";
578
				else
579
					$peerid_spec = $peerid_data;
580
			}
581 3c5af33a Ermal LUÇI
582
			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
583
				$ealgosp1 = '';
584
				$ealg_id = $ph1ent['encryption-algorithm']['name'];
585
				$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
586
				if ($ealg_kl)
587
					$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
588
				else
589
					$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
590 17da6c79 Scott Ullrich
591 3c5af33a Ermal LUÇI
				$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
592
				if (!empty($modp))
593
					$ealgosp1 .= "-{$modp}";
594 4178a1dd jim-p
595 3c5af33a Ermal LUÇI
				$ealgosp1 .= "!";
596
			}
597 96267107 Ermal
598 3c5af33a Ermal LUÇI
			if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
599
				if ($passive == "route")
600
					$dpdline = "dpdaction = restart";
601 0b5fc1d1 Ermal
				else
602 3c5af33a Ermal LUÇI
					$dpdline = "dpdaction = clear";
603
				$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
604
				$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
605
				$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
606
			} else
607
				$dpdline = "dpdaction = none";
608
609
			$ikelifeline = '';
610
			if ($ph1ent['lifetime'])
611
				$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
612
613
			$rightsourceip = NULL;
614
			if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) 
615
				$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
616
617
			$authentication = "";
618
			switch ($ph1ent['authentication_method']) {
619
			case 'eap-tls':
620
				$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
621
				if (!empty($ph1ent['certref']))
622
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
623
				break;
624
			case 'xauth_rsa_server':
625
				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
626
				$authentication .= "\n\trightauth2 = xauth-generic";
627
				if (!empty($ph1ent['certref']))
628
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
629
				break;
630
			case 'xauth_psk_server':
631
				$authentication = "leftauth = psk\n\trightauth = psk";
632
				$authentication .= "\n\trightauth2 = xauth-generic";
633
				break;
634
			case 'pre_shared_key':
635
				$authentication = "leftauth = psk\n\trightauth = psk";
636
				break;
637
			case 'rsasig':
638
				$authentication = "leftauth = pubkey\n\trightauth = pubkey";
639
				if (!empty($ph1ent['certref']))
640
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
641
				break;
642
			case 'hybrid_rsa_server':
643
				$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
644
				$authentication .= "\n\trightauth2 = xauth";
645
				if (!empty($ph1ent['certref']))
646
					$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
647
				break;
648
			}
649 3462a529 Matthew Grooms
650 3c5af33a Ermal LUÇI
			$left_spec = $ep;
651
652
			if (isset($ph1ent['reauth_enable']))
653
				$reauth = "reauth = no";
654
			else
655
				$reauth = "reauth = yes";
656
			if (isset($ph1ent['rekey_enable']))
657
				$rekey = "rekey = no";
658
			else
659
				$rekey = "rekey = yes";
660
661
			if ($ph1ent['nat_traversal'] == 'off')
662
				$forceencaps = 'forceencaps = no';
663
			else if ($ph1ent['nat_traversal'] == 'force')
664
				$forceencaps = 'forceencaps = yes';
665
			else
666
				$forceencaps = 'forceencaps = no';
667
668
			$ipseclifetime = 0;
669
			$rightsubnet_spec = array();
670
			$leftsubnet_spec = array();
671
			$ealgoAHsp2arr = array();
672
			$ealgoESPsp2arr = array();
673
		if (is_array($a_phase2) && count($a_phase2)) {
674
			foreach ($a_phase2 as $ph2ent) {
675
				if ($ikeid != $ph2ent['ikeid'])
676 0b5fc1d1 Ermal
					continue;
677 c52719a8 Scott Ullrich
678 3c5af33a Ermal LUÇI
				if (isset($ph2ent['disabled']))
679
					continue;
680 c52719a8 Scott Ullrich
681 3c5af33a Ermal LUÇI
				if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
682
					continue;
683 6586b30f Ermal
684 3c5af33a Ermal LUÇI
				if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
685
					$tunneltype = "type = tunnel";
686 96ef83a7 jim-p
687 3c5af33a Ermal LUÇI
					$localid_type = $ph2ent['localid']['type'];
688
					$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
689 c52719a8 Scott Ullrich
690 3c5af33a Ermal LUÇI
					/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
691
					if (($localid_type == "none" || $localid_type == "mobile")
692
					    && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
693
						$left_spec = '%any';
694
					} else {
695
						if ($localid_type != "address") {
696
							$localid_type = "subnet";
697
						}
698
						// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
699
						if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
700
							log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
701
							continue;
702
						}
703
						if (!empty($ph2ent['natlocalid'])) {
704
							$natleftsubnet_data =  ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
705
							if ($ph2ent['natlocalid']['type'] != "address") {
706
								if (is_subnet($natleftsubnet_data))
707
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
708
							} else {
709
								if (is_ipaddr($natleftsubnet_data))
710
									$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
711 3c107b76 Ermal
							}
712 3c5af33a Ermal LUÇI
							$natfilterrules = true;
713 20699f3f jim-p
						}
714 3c5af33a Ermal LUÇI
					}
715 3462a529 Matthew Grooms
716 3c5af33a Ermal LUÇI
					$leftsubnet_spec[] = $leftsubnet_data;
717 0b5fc1d1 Ermal
718 3c5af33a Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
719
						$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
720
						$rightsubnet_spec[] = $tmpsubnet;
721
					} else if (!empty($a_client['pool_address'])) {
722
						$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
723
					}
724
				} else {
725
					$tunneltype = "type = transport";
726 5b237745 Scott Ullrich
727 3c5af33a Ermal LUÇI
					if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
728
					    ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
729
						$left_spec = "%any";
730
					} else {
731
						$tmpsubnet = ipsec_get_phase1_src($ph1ent);
732
						$leftsubnet_spec[] = $tmpsubnet;
733
					}
734 0b5fc1d1 Ermal
735 3c5af33a Ermal LUÇI
					if (!isset($ph2ent['mobile'])) {
736
						$rightsubnet_spec[] = $right_spec;
737 3462a529 Matthew Grooms
					}
738 3c5af33a Ermal LUÇI
				}
739 c52719a8 Scott Ullrich
740 3c5af33a Ermal LUÇI
				if (isset($a_client['pfs_group']))
741
					$ph2ent['pfsgroup'] = $a_client['pfs_group'];
742
743
				if ($ph2ent['protocol'] == 'esp') {
744
					if (is_array($ph2ent['encryption-algorithm-option'])) {
745
						foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
746
							$ealg_id = $ealg['name'];
747
							$ealg_kl = $ealg['keylen'];
748
749
							if (!empty($ealg_kl) && $ealg_kl == "auto") {
750
								if (empty($p2_ealgos) || !is_array($p2_ealgos))
751
									require("ipsec.inc");
752
								$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
753
								$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
754
								$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
755
								/* XXX: in some cases where include ordering is suspect these variables
756
								 * are somehow 0 and we enter this loop forever and timeout after 900
757
								 * seconds wrecking bootup */
758
								if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
759
									for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
760
										if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
761
											foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
762
												$halgo = str_replace('hmac_', '', $halgo);
763
												$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
764 496acde1 Ermal
												$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
765
												if (!empty($modp))
766
													$tmpealgo .= "-{$modp}";
767 0b5fc1d1 Ermal
												$ealgoESPsp2arr[] = $tmpealgo;
768 496acde1 Ermal
											}
769 3c5af33a Ermal LUÇI
										} else {
770
											$tmpealgo = "{$ealg_id}{$keylen}";
771 c650b2f7 Ermal
											$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
772
											if (!empty($modp))
773
												$tmpealgo .= "-{$modp}";
774
											$ealgoESPsp2arr[] = $tmpealgo;
775
										}
776 3c5af33a Ermal LUÇI
									}
777
								}
778
							} else {
779
								if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
780
									foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
781
										$halgo = str_replace('hmac_', '', $halgo);
782
										$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
783 496acde1 Ermal
										$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
784
										if (!empty($modp))
785
											$tmpealgo .= "-{$modp}";
786 0b5fc1d1 Ermal
										$ealgoESPsp2arr[] = $tmpealgo;
787 496acde1 Ermal
									}
788 3c5af33a Ermal LUÇI
								} else {
789
									$tmpealgo = "{$ealg_id}{$ealg_kl}";
790
									$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
791
									if (!empty($modp))
792
										$tmpealgo .= "-{$modp}";
793
									$ealgoESPsp2arr[] = $tmpealgo;
794 a93e56c5 Matthew Grooms
								}
795 979cd6db Scott Ullrich
							}
796 496acde1 Ermal
						}
797 3c5af33a Ermal LUÇI
					}
798
				} else if ($ph2ent['protocol'] == 'ah') {
799
					if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
800
						$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
801
						foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
802
							$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
803
							if (!empty($modp))
804
								$tmpAHalgo = "-{$modp}";
805
							$ealgoAHsp2arr[] = $tmpAHalgo;
806 a93e56c5 Matthew Grooms
						}
807 a63f7d55 Scott Ullrich
					}
808 3c5af33a Ermal LUÇI
				}
809 c52719a8 Scott Ullrich
810 4b96b367 mgrooms
811 3c5af33a Ermal LUÇI
				if (!empty($ph2ent['lifetime'])) {
812
					if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
813
						$ipseclifetime = intval($ph2ent['lifetime']);
814 0b5fc1d1 Ermal
				}
815 496acde1 Ermal
816 3c5af33a Ermal LUÇI
			}
817
		}
818 496acde1 Ermal
819 3c5af33a Ermal LUÇI
			$ipsecconnect =<<<EOD
820 496acde1 Ermal
	fragmentation = yes
821
	keyexchange = {$keyexchange}
822 16c02722 Ermal
	{$reauth}
823 8cb7d3e3 Ermal
	{$forceencaps}
824 16c02722 Ermal
	{$rekey}
825 496acde1 Ermal
	installpolicy = yes
826
	{$tunneltype}
827
	{$dpdline}
828
	auto = {$passive}
829 0b5fc1d1 Ermal
	left = {$left_spec}
830
	right = {$right_spec}
831 496acde1 Ermal
	leftid = {$myid_data}
832 5b237745 Scott Ullrich
833
EOD;
834 4b96b367 mgrooms
835 d2884b9a Chris Buechler
			if (isset($config['ipsec']['compression'])) {
836 45efe1b6 Ermal LUÇI
				$ipsecconnect .= '\tcompress = yes\n';
837
				$enablecompression = true;
838
			}
839 3c5af33a Ermal LUÇI
			if (!empty($ikelifeline))
840
				$ipsecconnect .= "\t{$ikelifeline}\n";
841
			if ($ipseclifetime > 0)
842
				$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
843
			if (!empty($rightsourceip))
844
				$ipsecconnect .= "{$rightsourceip}";
845
			if (!empty($ealgosp1))
846
				$ipsecconnect .= "\t{$ealgosp1}\n";
847
			if (!empty($ealgoAHsp2arr))
848
				$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
849
			if (!empty($ealgoESPsp2arr))
850
				$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
851
			if (!empty($authentication))
852
				$ipsecconnect .= "\t{$authentication}\n";
853
			if (!empty($peerid_spec))
854
				$ipsecconnect .= "\trightid = {$peerid_spec}\n";
855
			if ($keyexchange == 'ikev1')
856
				$ipsecconnect .= "\taggressive = {$aggressive}\n";
857
858
			if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
859
				if (!empty($rightsubnet_spec)) {
860
					$ipsecfin = '';
861
					foreach ($rightsubnet_spec as $idx => $rsubnet) {
862
						$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
863
						$ipsecfin .= "\treqid = {$ikeid}00{$idx}\n";
864
						$ipsecfin .= $ipsecconnect;
865
						$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
866
						$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
867
					}
868
				} else
869
					log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
870
			} else {
871
				$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
872
				$ipsecfin .= "\treqid = {$ikeid}\n";
873
				$ipsecfin .= $ipsecconnect;
874
				if (!empty($rightsubnet_spec)) {
875
					$tempsubnets = array();
876
					foreach ($rightsubnet_spec as $rightsubnet)
877
						$tempsubnets[$rightsubnet] = $rightsubnet;
878
					$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
879
					unset($tempsubnets, $rightsubnet);
880
				}
881
				if (!empty($leftsubnet_spec)) {
882
					$tempsubnets = array();
883
					foreach ($leftsubnet_spec as $leftsubnet)
884
						$tempsubnets[$leftsubnet] = $leftsubnet;
885
					$ipsecfin .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
886
					unset($tempsubnets, $leftsubnet);
887
				}
888 a93e56c5 Matthew Grooms
			}
889 3c5af33a Ermal LUÇI
			$ipsecconf .= $ipsecfin;
890
			unset($ipsecfin);
891
892 a93e56c5 Matthew Grooms
		}
893 496acde1 Ermal
	}
894 3c5af33a Ermal LUÇI
895 496acde1 Ermal
	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
896
	unset($ipsecconf);
897 6c576b27 Ermal
	/* end ipsec.conf */
898 496acde1 Ermal
899 45efe1b6 Ermal LUÇI
	if ($enablecompression === true)
900
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
901
	else
902
		set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
903
904 6c576b27 Ermal
	/* mange process */
905 c6efc8fd Ermal
	if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
906 7335fa53 Ermal
		/* Read secrets */
907
		mwexec("/usr/local/sbin/ipsec rereadall", false);
908
		/* Update configuration changes */
909 e82a1d11 Ermal
		mwexec("/usr/local/sbin/ipsec update", false);
910 9f6a5b50 Ermal
		mwexec("/usr/local/sbin/ipsec reload", false);
911 496acde1 Ermal
	} else {
912 63159749 Ermal
		mwexec("/usr/local/sbin/ipsec start", false); 
913 496acde1 Ermal
	}
914 9abaa8f7 Ermal
915 496acde1 Ermal
	if ($natfilterrules == true)
916
		filter_configure();
917
	/* start filterdns, if necessary */
918
	if (count($filterdns_list) > 0) {
919
		$interval = 60;
920
		if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
921
			$interval = $ipseccfg['dns-interval'];
922
923
		$hostnames = "";
924
		array_unique($filterdns_list);
925
		foreach ($filterdns_list as $hostname)
926
			$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
927
		file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
928
		unset($hostnames);
929
930
		if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid"))
931
			sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
932
		else {
933
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
934 5b237745 Scott Ullrich
		}
935 496acde1 Ermal
	} else {
936
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
937
		@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
938
	}
939 09628a07 Renato Botelho
940 285ef132 Ermal LUÇI
	if (platform_booting())
941 496acde1 Ermal
		echo "done\n";
942 8f67a8e1 Scott Ullrich
943 496acde1 Ermal
	return count($filterdns_list);
944 5b237745 Scott Ullrich
}
/*
 * Forcefully restart IPsec
 * This is required for when dynamic interfaces reload
 * For all other occasions the normal vpn_ipsec_configure()
 * will gracefully reload the settings without restarting
 *
 * $interface: optional interface name; when given, the reload is skipped
 * (and logged) unless an enabled phase 1 entry is bound to that interface.
 */
function vpn_ipsec_force_reload($interface = "") {
	global $g, $config;

	$ipseccfg = $config['ipsec'];

	/* Interface-scoped reload: bail out early when no enabled tunnel
	 * uses the interface that triggered us. */
	if (!empty($interface) && is_array($ipseccfg['phase1'])) {
		$has_tunnel = false;
		foreach ($ipseccfg['phase1'] as $ph1) {
			if (isset($ph1['disabled'])) {
				continue;
			}
			if ($ph1['interface'] == $interface) {
				$has_tunnel = true;
				break;
			}
		}
		if ($has_tunnel === false) {
			log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
			return;
		}
	}

	/* Nothing to restart when IPsec is globally disabled. */
	if (!isset($ipseccfg['enable'])) {
		return;
	}

	log_error(gettext("Forcefully reloading IPsec"));
	vpn_ipsec_configure();
}
/*
 * master setup for vpn (mpd)
 *
 * Runs the PPTP, PPPoE server and L2TP setup in that order. Does nothing
 * on the 'jail' platform.
 */
function vpn_setup() {
	global $g;

	/* mpd-based services are not started inside a jail */
	if ($g['platform'] == 'jail') {
		return;
	}

	vpn_pptpd_configure();   /* pptpd */
	vpn_pppoes_configure();  /* pppoe server(s) */
	vpn_l2tp_configure();    /* l2tp */
}
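/*
 * Attach a netgraph(4) node to every configured interface whose driver
 * type is ether, vlan or bridge. Called by the PPTP/PPPoE server setup
 * before mpd4 is started.
 */
function vpn_netgraph_support() {
	$iflist = get_configured_interface_list();
	foreach ($iflist as $iface) {
		$realif = get_real_interface($iface);
		/* Get support for netgraph(4) from the nic */
		$ifinfo = pfSense_get_interface_addresses($realif);
		/* Skip empty or type-less results without raising a notice, and
		 * compare strictly so only the exact type strings match. */
		if (!empty($ifinfo) && isset($ifinfo['iftype']) &&
		    in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"), true))
			pfSense_ngctl_attach(".", $realif);
	}
}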
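/*
 * Configure and (re)start the mpd4 PPTP server.
 *
 * Writes mpd.conf, mpd.links and mpd.secret under {$g['varetc_path']}/pptp-vpn
 * from $config['pptpd'] and starts mpd4 when the server mode is enabled.
 * Outside of boot the running daemon is killed first and the old
 * configuration files are removed.
 *
 * Returns 0 when done (or when there is nothing to do at boot), 1 when a
 * configuration file cannot be opened, and null when the number of PPTP
 * units is not configured.
 */
function vpn_pptpd_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$pptpdcfg = $config['pptpd'];
	$confdir = "{$g['varetc_path']}/pptp-vpn";
	$pidfile = "{$g['varrun_path']}/pptp-vpn.pid";

	/* mpd reads passwords and RADIUS secrets from double-quoted strings, so
	 * backslashes and double quotes inside them must be escaped or the
	 * generated file is syntactically broken. */
	$mpd_quote = function ($value) {
		$value = str_replace('\\', '\\\\', $value);
		return str_replace('"', '\"', $value);
	};

	if (platform_booting()) {
		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
			return 0;

		if (platform_booting(true))
			echo gettext("Configuring PPTP VPN service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(3);

		if (is_process_running("mpd -b")) {
			killbypid($pidfile);
			log_error(gettext("Could not kill mpd within 3 seconds.   Trying again."));
		}

		/* remove the previous configuration, if it exists */
		unlink_if_exists("{$confdir}/mpd.conf");
		unlink_if_exists("{$confdir}/mpd.links");
		unlink_if_exists("{$confdir}/mpd.secret");
	}

	if (empty($pptpdcfg['n_pptp_units'])) {
		log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
		return;
	}
	$units = (int)$pptpdcfg['n_pptp_units'];

	/* make sure pptp-vpn directory exists */
	if (!file_exists($confdir))
		mkdir($confdir);

	switch ($pptpdcfg['mode']) {
		case 'server' :
			/* write mpd.conf */
			$fd = fopen("{$confdir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret: restrict it as soon
			 * as it exists instead of after it has been written. */
			chmod("{$confdir}/mpd.conf", 0600);

			$mpdconf = <<<EOD
pptps:

EOD;

			for ($i = 0; $i < $units; $i++) {
				$mpdconf .= "\tload pt{$i}\n";
			}

			for ($i = 0; $i < $units; $i++) {

				/* one address per unit, counting up from remoteip */
				$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);

				$mpdconf .= <<<EOD

pt{$i}:
	new -i pptpd{$i} pt{$i} pt{$i}
	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
	load pts

EOD;
			}

			$mpdconf .=<<<EOD

pts:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set iface idle 1800
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set bundle enable multilink
	set bundle enable crypt-reqd
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap-msv2
	set link mtu 1460
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

EOD;

			/* the weaker 40/56-bit MPPE ciphers are only offered when
			 * 128-bit encryption is not required */
			if (!isset($pptpdcfg['req128'])) {
				$mpdconf .=<<<EOD
	set ccp yes mpp-e40
	set ccp yes mpp-e56

EOD;
			}

			if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "")
				$mpdconf .= "\tset ipcp nbns {$pptpdcfg['wins']}\n";

			if (!empty($pptpdcfg['dns1'])) {
				$mpdconf .= "\tset ipcp dns " . $pptpdcfg['dns1'];
				if (!empty($pptpdcfg['dns2']))
					$mpdconf .= " " . $pptpdcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				/* a local resolver is enabled: hand out the LAN address plus
				 * the first system DNS server as secondary */
				$mpdconf .= "\tset ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pptpdcfg['radius']['server']['enable'])) {
				$radius = $pptpdcfg['radius'];
				/* ports shorter than two characters fall back to the default */
				$authport = (isset($radius['server']['port']) && strlen($radius['server']['port']) > 1) ? $radius['server']['port'] : 1812;
				$acctport = $authport + 1;
				$secret = $mpd_quote($radius['server']['secret']);
				$mpdconf .=<<<EOD
	set radius server {$radius['server']['ip']} "{$secret}" {$authport} {$acctport}

EOD;
				if (isset($radius['server2']['enable'])) {
					$authport = (isset($radius['server2']['port']) && strlen($radius['server2']['port']) > 1) ? $radius['server2']['port'] : 1812;
					$acctport = $authport + 1;
					/* NOTE(review): the second server reads its secret from the
					 * 'secret2' key, unlike the primary; kept as-is, verify
					 * against the config schema. */
					$secret = $mpd_quote($radius['server2']['secret2']);
					$mpdconf .=<<<EOD
	set radius server {$radius['server2']['ip']} "{$secret}" {$authport} {$acctport}

EOD;
				}
				$mpdconf .=<<<EOD
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($radius['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct
	set radius acct-update 300

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$confdir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $units; $i++) {
				$mpdlinks .=<<<EOD

pt{$i}:
	set link type pptp
	set pptp enable incoming
	set pptp disable originate
	set pptp disable windowing

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			/* write mpd.secret */
			$fd = fopen("{$confdir}/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
				return 1;
			}
			/* user passwords go in here: restrict the file before writing */
			chmod("{$confdir}/mpd.secret", 0600);

			$mpdsecret = "";

			if (is_array($pptpdcfg['user'])) {
				foreach ($pptpdcfg['user'] as $user) {
					$pass = $mpd_quote($user['password']);
					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			unset($mpdsecret);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$confdir} -p {$pidfile} -s pptps pptps");

			break;

		case 'redir' :
			break;
	}

	if (platform_booting())
		echo "done\n";

	return 0;
}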
/*
 * Configure every PPPoE server instance found in $config['pppoes']['pppoe'].
 */
function vpn_pppoes_configure() {
	global $config;

	$servers = $config['pppoes']['pppoe'];
	if (!is_array($servers)) {
		return;
	}

	foreach ($servers as $pppoe) {
		vpn_pppoe_configure($pppoe);
	}
}
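/*
 * Configure and (re)start one mpd4 PPPoE server instance.
 *
 * $pppoecfg: one entry of $config['pppoes']['pppoe']; its 'pppoeid' selects
 * the per-instance directory {$g['varetc_path']}/pppoe<id>-vpn and pid file.
 * The reference is not modified.
 *
 * Returns 0 when done (or when there is nothing to do at boot) and 1 when a
 * configuration file cannot be opened.
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];
	$confdir = "{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn";
	$pidfile = "{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid";

	/* mpd reads passwords and RADIUS secrets from double-quoted strings, so
	 * backslashes and double quotes inside them must be escaped or the
	 * generated file is syntactically broken. */
	$mpd_quote = function ($value) {
		$value = str_replace('\\', '\\\\', $value);
		return str_replace('"', '\"', $value);
	};

	/* create directory if it does not exist */
	if (!is_dir($confdir))
		mkdir($confdir);

	if (platform_booting()) {
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
			return 0;

		echo gettext("Configuring PPPoE Server service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(2);
	}

	switch ($pppoecfg['mode']) {

		case 'server' :

			$pppoe_interface = get_real_interface($pppoecfg['interface']);

			if ($pppoecfg['paporchap'] == "chap")
				$paporchap = "set link enable chap";
			else
				$paporchap = "set link enable pap";

			/* write mpd.conf */
			$fd = fopen("{$confdir}/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
				return 1;
			}
			/* mpd.conf may carry the RADIUS shared secret: restrict it as soon
			 * as it exists instead of after it has been written. */
			chmod("{$confdir}/mpd.conf", 0600);

			$units = (int)$pppoecfg['n_pppoe_units'];

			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			for ($i = 0; $i < $units; $i++) {
				$mpdconf .= "\tload poes{$pppoecfg['pppoeid']}{$i}\n";
			}

			for ($i = 0; $i < $units; $i++) {

				/* one address per unit, counting up from remoteip */
				$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);

				/* when RADIUS assigns client addresses, accept any peer address */
				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					$ipcp_ranges = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$ipcp_ranges = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
	{$ipcp_ranges}
	load pppoe_standard

EOD;
			}

			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins 1
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "\tset ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2']))
					$mpdconf .= " " . $pppoecfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
				/* a local resolver is enabled: hand out the LAN address plus
				 * the first system DNS server as secondary */
				$mpdconf .= "\tset ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0])
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if (isset($pppoecfg['radius']['server']['enable'])) {
				$radius = $pppoecfg['radius'];
				$radiusport = "";
				$radiusacctport = "";
				if (isset($radius['server']['port']))
					$radiusport = $radius['server']['port'];
				if (isset($radius['server']['acctport']))
					$radiusacctport = $radius['server']['acctport'];
				$secret = $mpd_quote($radius['server']['secret']);
				$mpdconf .=<<<EOD
	set radius server {$radius['server']['ip']} "{$secret}" {$radiusport} {$radiusacctport}
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($radius['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			unset($mpdconf);

			/* write mpd.links */
			$fd = fopen("{$confdir}/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $units; $i++) {
				$mpdlinks .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	set phys type pppoe
	set pppoe iface {$pppoe_interface}
	set pppoe service "*"
	set pppoe disable originate
	set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			unset($mpdlinks);

			if (!empty($pppoecfg['username'])) {
				/* write mpd.secret */
				$fd = fopen("{$confdir}/mpd.secret", "w");
				if (!$fd) {
					printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
					return 1;
				}
				/* user passwords go in here: restrict the file before writing */
				chmod("{$confdir}/mpd.secret", 0600);

				$mpdsecret = "\n\n";

				/* 'username' is a space-separated list of name:base64(password):ip
				 * triples; missing fields are written as empty strings. */
				foreach (explode(" ", $pppoecfg['username']) as $userdata) {
					$data = explode(":", $userdata);
					$name = $data[0];
					$pass = $mpd_quote(isset($data[1]) ? base64_decode($data[1]) : '');
					$ip = isset($data[2]) ? $data[2] : '';
					$mpdsecret .= "{$name} \"{$pass}\" {$ip}\n";
				}

				fwrite($fd, $mpdsecret);
				fclose($fd);
				unset($mpdsecret);
			}

			/* Check if previous instance is still up.
			 * NOTE(review): this loop has no upper bound; it relies on
			 * killbypid() eventually making isvalidpid() return false. */
			while (file_exists($pidfile) && isvalidpid($pidfile))
				killbypid($pidfile);

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);
			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$confdir} -p {$pidfile} -s poes poes");

			break;
	}

	if (platform_booting())
		echo gettext("done") . "\n";

	return 0;
}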
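/*
 * Write $contents to $path, restricting the file to its owner (0600) before
 * any data lands in it.  Returns true on success, false when the file could
 * not be opened or the write failed.
 */
function vpn_l2tp_write_mpd_file($path, $contents) {
	$fd = fopen($path, "w");
	if (!$fd) {
		return false;
	}
	/* mpd.conf carries the RADIUS shared secret, mpd.links the L2TP tunnel
	   secret and mpd.secret the user passwords, so none of them should be
	   readable by anyone but the owner.  Tighten the mode right after the
	   file is created, not after the secrets have already been written. */
	chmod($path, 0600);
	$written = fwrite($fd, $contents);
	fclose($fd);

	return ($written !== false);
}

/*
 * Build the mpd.conf text for the L2TP server: the "l2tps" label loading one
 * "l2tpN" label per unit, the per-unit IPCP address ranges, the shared
 * "l2tp_standard" settings, the DNS/WINS servers handed to clients and, when
 * enabled, the RADIUS authentication/accounting lines.
 *
 * $l2tpcfg is $config['l2tp'], $syscfg is $config['system'].
 */
function vpn_l2tp_build_mpd_conf($l2tpcfg, $syscfg) {
	global $config;

	$units = $l2tpcfg['n_l2tp_units'];
	$radius_enabled = isset($l2tpcfg['radius']['enable']);

	$mpdconf = "\n\n";
	$mpdconf .= "l2tps:\n";
	for ($i = 0; $i < $units; $i++) {
		$mpdconf .= "\tload l2tp{$i}\n";
	}

	for ($i = 0; $i < $units; $i++) {
		if ($radius_enabled && isset($l2tpcfg['radius']['radiusissueips'])) {
			/* RADIUS assigns the client address, so accept any */
			$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
		} else {
			/* each unit hands out one address, counted up from remoteip */
			$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);
			$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
		}

		$mpdconf .=<<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$ipcp_ranges}
	load l2tp_standard

EOD;
	}

	$mpdconf .=<<<EOD

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 180

EOD;

	if (is_ipaddr($l2tpcfg['wins'])) {
		$mpdconf .= "\tset ipcp nbns {$l2tpcfg['wins']}\n";
	}

	if (is_ipaddr($l2tpcfg['dns1'])) {
		/* explicitly configured servers win over everything else */
		$dns = $l2tpcfg['dns1'];
		if (is_ipaddr($l2tpcfg['dns2'])) {
			$dns .= " " . $l2tpcfg['dns2'];
		}
		$mpdconf .= "\tset ipcp dns {$dns}\n";
	} elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
		/* a local resolver is enabled: point clients at the LAN address,
		   backed by the first system DNS server if one is configured */
		$dns = get_interface_ip("lan");
		if (!empty($syscfg['dnsserver'][0])) {
			$dns .= " " . $syscfg['dnsserver'][0];
		}
		$mpdconf .= "\tset ipcp dns {$dns}\n";
	} elseif (is_array($syscfg['dnsserver']) && !empty($syscfg['dnsserver'][0])) {
		$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
	}

	if ($radius_enabled) {
		$mpdconf .=<<<EOD
	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;
		if (isset($l2tpcfg['radius']['accounting'])) {
			$mpdconf .= "\tset auth enable radius-acct\n";
		}
	}

	return $mpdconf;
}

/*
 * Build the mpd.links text: one incoming-only L2TP link per unit, each
 * carrying the tunnel secret when one is configured.
 */
function vpn_l2tp_build_mpd_links($l2tpcfg) {
	$mpdlinks = "";

	for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
		$mpdlinks .=<<<EOD

l2tp{$i}:
	set link type l2tp
	set l2tp enable incoming
	set l2tp disable originate

EOD;
		if (!empty($l2tpcfg['secret'])) {
			/* Indented like the commands above it: mpd takes the indented
			   lines following a label as that label's commands, so the
			   previously un-indented line was not read as part of l2tp{$i}. */
			$mpdlinks .= "\tset l2tp secret {$l2tpcfg['secret']}\n";
		}
	}

	return $mpdlinks;
}

/*
 * Build the mpd.secret text from the configured local users: one
 * <name "password" ip> line per user.
 */
function vpn_l2tp_build_mpd_secret($l2tpcfg) {
	$mpdsecret = "\n\n";

	if (is_array($l2tpcfg['user'])) {
		foreach ($l2tpcfg['user'] as $user) {
			/* NOTE(review): the password is written unescaped; a '"' inside
			   it would break this line -- confirm what mpd accepts here */
			$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
		}
	}

	return $mpdsecret;
}

/*
 * Configure and start the L2TP VPN service from $config['l2tp'].
 *
 * In 'server' mode this writes mpd.conf, mpd.links and mpd.secret into
 * {$g['varetc_path']}/l2tp-vpn and launches mpd4 on them; 'redir' mode does
 * nothing.  Outside of boot the previous mpd instance is killed first.
 * Returns 0 on success (including when the service is off at boot) and 1
 * when one of the configuration files could not be written.
 */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];
	$confdir = "{$g['varetc_path']}/l2tp-vpn";
	$pidfile = "{$g['varrun_path']}/l2tp-vpn.pid";

	/* create directory if it does not exist */
	if (!is_dir($confdir)) {
		mkdir($confdir);
	}

	if (platform_booting()) {
		if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd and wait for the process to die */
		killbypid($pidfile);
		sleep(8);
	}

	switch ($l2tpcfg['mode']) {
		case 'server':
			/* NOTE(review): $l2tpcfg['paporchap'] is not consulted here; the
			   generated l2tp_standard section always enables CHAP only. */
			$files = array(
				'mpd.conf' => vpn_l2tp_build_mpd_conf($l2tpcfg, $syscfg),
				'mpd.links' => vpn_l2tp_build_mpd_links($l2tpcfg),
				'mpd.secret' => vpn_l2tp_build_mpd_secret($l2tpcfg),
			);
			foreach ($files as $name => $contents) {
				if (!vpn_l2tp_write_mpd_file("{$confdir}/{$name}", $contents)) {
					printf(gettext("Error: cannot write %s in vpn_l2tp_configure().") . "\n", $name);
					return 1;
				}
			}
			/* drop the secrets from memory once they are on disk */
			unset($files);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$confdir} -p {$pidfile} -s l2tps l2tps");
			break;

		case 'redir':
			break;
	}

	if (platform_booting()) {
		echo gettext("done") . "\n";
	}

	return 0;
}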
/*
 * Apply the IPsec "prefer old SA" option: when $config['ipsec']['preferoldsa']
 * is set, net.key.preferred_oldsa is lowered to -30, otherwise it is reset
 * to 0.
 */
function vpn_ipsec_configure_preferoldsa() {
	global $config;

	$preferred = isset($config['ipsec']['preferoldsa']) ? "-30" : "0";
	set_single_sysctl("net.key.preferred_oldsa", $preferred);
}
?>