<?php
/*
	vpn_ipsec_phase1.php
	part of m0n0wall (http://m0n0.ch/wall)

	Copyright (C) 2008 Shrew Soft Inc
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

##|+PRIV
##|*IDENT=page-vpn-ipsec-editphase1
##|*NAME=VPN: IPsec: Edit Phase 1 page
##|*DESCR=Allow access to the 'VPN: IPsec: Edit Phase 1' page.
##|*MATCH=vpn_ipsec_phase1.php*
##|-PRIV

require("guiconfig.inc");

/* Make sure both IPsec phase lists exist before references to them are
 * taken; a fresh config may not carry either key yet. */
foreach (array('phase1', 'phase2') as $phase) {
	if (!is_array($config['ipsec'][$phase]))
		$config['ipsec'][$phase] = array();
}

/* Work on the live config arrays by reference so that the edits made
 * further down are what write_config() persists. */
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];

/* Legacy: a one-element list naming the LAN, only when a LAN interface is
 * configured. Nothing else on this page reads it. */
if ($config['interfaces']['lan'])
	$specialsrcdst = array("lan");
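/* Which phase1 entry is being edited. The index comes from the query string
 * on first load, from the hidden form field on POST, and from ?dup= when an
 * existing entry is cloned. Only a non-negative integer is meaningful:
 * $a_phase1 is a plain list (entries are appended with []), so any other
 * value can never address an entry and is treated as "new entry". */
$p1index = isset($_GET['p1index']) ? $_GET['p1index'] : null;
if (isset($_POST['p1index']))
	$p1index = $_POST['p1index'];
if (isset($_GET['dup']))
	$p1index = $_GET['dup'];
if (isset($p1index) && !ctype_digit((string)$p1index))
	unset($p1index);

if (isset($p1index) && $a_phase1[$p1index])
{
	$ph1 = $a_phase1[$p1index];

	// don't copy the ikeid on dup; a duplicate gets a fresh one on save
	if (!isset($_GET['dup']))
		$pconfig['ikeid'] = $ph1['ikeid'];
	// kept for the POST handler, which needs the pre-edit entry (gateway,
	// ikeid) to tear down the old SPD policy
	$old_ph1ent = $ph1;

	$pconfig['disabled'] = isset($ph1['disabled']);
	$pconfig['interface'] = $ph1['interface'] ? $ph1['interface'] : "wan";

	// remote-subnet is "net/bits"; tolerate an entry without the suffix
	$subnet = explode("/", (string)$ph1['remote-subnet']);
	$pconfig['remotenet'] = $subnet[0];
	$pconfig['remotebits'] = isset($subnet[1]) ? $subnet[1] : null;

	if (isset($ph1['mobile']))
		$pconfig['mobile'] = 'true';
	else
		$pconfig['remotegw'] = $ph1['remote-gateway'];

	// straight copies: config key => form field
	$copy = array(
		'mode' => 'mode',
		'myid_type' => 'myid_type',
		'myid_data' => 'myid_data',
		'peerid_type' => 'peerid_type',
		'peerid_data' => 'peerid_data',
		'encryption-algorithm' => 'ealgo',
		'hash-algorithm' => 'halgo',
		'dhgroup' => 'dhgroup',
		'lifetime' => 'lifetime',
		'authentication_method' => 'authentication_method',
		'descr' => 'descr',
		'nat_traversal' => 'nat_traversal',
	);
	foreach ($copy as $cfgkey => $field)
		$pconfig[$field] = $ph1[$cfgkey];

	/* The PSK is loaded into the form in the clear (the form renders it in
	 * a plain text input), so anyone who can open this page can read it;
	 * access is gated only by the page privilege declared above. */
	if (($pconfig['authentication_method'] == "pre_shared_key") ||
	    ($pconfig['authentication_method'] == "xauth_psk_server")) {
		$pconfig['pskey'] = $ph1['pre-shared-key'];
	} else {
		$pconfig['certref'] = $ph1['certref'];
	}

	// DPD counts as enabled only when both parameters are stored
	if ($ph1['dpd_delay'] && $ph1['dpd_maxfail']) {
		$pconfig['dpd_enable'] = true;
		$pconfig['dpd_delay'] = $ph1['dpd_delay'];
		$pconfig['dpd_maxfail'] = $ph1['dpd_maxfail'];
	}
}
else
{
	/* defaults for a new entry. Aggressive mode, 3DES and DH group 2 are
	 * the historical defaults; the form text itself notes that aggressive
	 * mode is the less secure choice. */
	$pconfig['interface'] = "wan";
	if ($config['interfaces']['lan'])
		$pconfig['localnet'] = "lan";
	$pconfig['mode'] = "aggressive";
	$pconfig['myid_type'] = "myaddress";
	$pconfig['peerid_type'] = "peeraddress";
	$pconfig['authentication_method'] = "pre_shared_key";
	/* quoted key: this used the bare constant `name`, which only worked
	 * through PHP's undefined-constant fallback (a notice; fatal on PHP 8) */
	$pconfig['ealgo'] = array('name' => "3des");
	$pconfig['halgo'] = "sha1";
	$pconfig['dhgroup'] = "2";
	$pconfig['lifetime'] = "28800";
	$pconfig['nat_traversal'] = "on";
	$pconfig['dpd_enable'] = true;

	/* mobile client */
	if (!empty($_GET['mobile']))
		$pconfig['mobile'] = true;
}

/* A duplicate is saved as a new entry, never over the entry it was cloned
 * from, so forget the source index once its values have been loaded. */
if (isset($_GET['dup']))
	unset($p1index);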
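if ($_POST) {
	/* NOTE(review): nothing in this handler checks an anti-CSRF token;
	 * whether guiconfig.inc supplies one is not visible from this file.
	 * Confirm, since a POST here rewrites tunnel config and runs a route
	 * command. */
	unset($input_errors);
	$pconfig = $_POST;

	/* input validation */

	/* Required fields depend on the authentication method: the PSK modes
	 * need a key, every other mode a certificate from the cert manager. */
	$method = $pconfig['authentication_method'];
	$psk_method = (($method == "pre_shared_key") || ($method == "xauth_psk_server"));
	if ($psk_method) {
		$reqdfields = array("pskey");
		$reqdfieldsn = array("Pre-Shared Key");
	} else {
		$reqdfields = array("certref");
		$reqdfieldsn = array("My Certificate");
	}
	if (!$pconfig['mobile']) {
		$reqdfields[] = "remotegw";
		$reqdfieldsn[] = "Remote gateway";
	}

	do_input_validation($pconfig, $reqdfields, $reqdfieldsn, &$input_errors);

	/* Select-backed fields. The browser only offers the values below, but
	 * the POST is untrusted and each of these ends up in the generated IPsec
	 * daemon configuration, so re-check them server side against the same
	 * lists the form is rendered from (provided by guiconfig.inc). */
	$ifaces = get_configured_interface_with_descr();
	if (!(is_array($ifaces) && isset($pconfig['interface'])
	      && array_key_exists((string)$pconfig['interface'], $ifaces))
	    && !preg_match('/^carp\d+$/', (string)$pconfig['interface']))
		$input_errors[] = "A valid interface must be specified.";

	if (!in_array($pconfig['mode'], array("main", "aggressive"), true))
		$input_errors[] = "A valid negotiation mode must be specified.";

	if (!(is_array($my_identifier_list) && isset($pconfig['myid_type'])
	      && array_key_exists((string)$pconfig['myid_type'], $my_identifier_list)))
		$input_errors[] = "A valid type for 'My identifier' must be specified.";

	// in mobile mode only identifier types flagged 'mobile' are offered
	if (!(is_array($peer_identifier_list) && isset($pconfig['peerid_type'])
	      && array_key_exists((string)$pconfig['peerid_type'], $peer_identifier_list)
	      && (!$pconfig['mobile'] || $peer_identifier_list[$pconfig['peerid_type']]['mobile'])))
		$input_errors[] = "A valid type for 'Peer identifier' must be specified.";

	if (!(is_array($p1_halgos) && isset($pconfig['halgo'])
	      && array_key_exists((string)$pconfig['halgo'], $p1_halgos)))
		$input_errors[] = "A valid hash algorithm must be specified.";

	if (!in_array($pconfig['dhgroup'], array("1", "2", "5"), true))
		$input_errors[] = "A valid DH key group must be specified.";

	// mobile-only authentication methods are not offered for site-to-site
	if (!(is_array($p1_authentication_methods) && isset($method)
	      && array_key_exists((string)$method, $p1_authentication_methods)
	      && ($pconfig['mobile'] || !$p1_authentication_methods[$method]['mobile'])))
		$input_errors[] = "A valid authentication method must be specified.";

	if (!in_array($pconfig['nat_traversal'], array("off", "on", "force"), true))
		$input_errors[] = "A valid NAT traversal setting must be specified.";

	/* A certificate reference must point at an entry in the cert manager. */
	if (!$psk_method && $pconfig['certref'] != "") {
		$certok = false;
		if (is_array($config['system']['cert'])) {
			foreach ($config['system']['cert'] as $cert) {
				if ($cert['refid'] == $pconfig['certref']) {
					$certok = true;
					break;
				}
			}
		}
		if (!$certok)
			$input_errors[] = "The selected certificate does not exist.";
	}

	/* Lifetime is written to the daemon config as seconds; require a plain
	 * non-negative integer rather than anything is_numeric() accepts. */
	if ($pconfig['lifetime'] && !ctype_digit((string)$pconfig['lifetime']))
		$input_errors[] = "The P1 lifetime must be an integer.";

	if ($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw']))
		$input_errors[] = "A valid remote gateway address or host name must be specified.";

	/* Two enabled phase1 entries may not share a remote gateway address. */
	if ($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled'])) {
		$tremotegw = $pconfig['remotegw'];
		foreach ($a_phase1 as $t => $ph1tmp) {
			/* Skip only the entry being edited, matched by its array key (the
			 * same key used to store it). A new entry has no index and must be
			 * compared with every existing one: the old test ($p1index <> $t)
			 * evaluated null <> 0 as false, so a new entry was never checked
			 * against the entry at index 0. */
			if (isset($p1index) && (int)$p1index === (int)$t)
				continue;
			if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled']))
				$input_errors[] = "The remote gateway \"$tremotegw\" is already used by phase1 \"{$ph1tmp['descr']}\".";
		}
	}

	/* My identity / Peer identity. The *_data box is ignored when the
	 * identifier is the interface address and must be well formed for the
	 * typed identifiers. The peer branch used to test myid_type, so
	 * peerid_data was never cleared for "peeraddress". A box that is empty
	 * now produces the single "Please enter ..." message instead of that
	 * plus a "must be valid" message. */
	if ($pconfig['myid_type'] == "myaddress")
		$pconfig['myid_data'] = "";
	if ($pconfig['peerid_type'] == "peeraddress")
		$pconfig['peerid_data'] = "";

	foreach (array("My" => "myid", "Peer" => "peerid") as $who => $prefix) {
		$type = $pconfig["{$prefix}_type"];
		$data = $pconfig["{$prefix}_data"];
		$title = "{$who} Identifier";   /* wording of the "Please enter" messages */
		$label = "{$who} identifier";   /* wording of the "must be specified" messages */

		switch ($type) {
		case "address":
			if ($data == "")
				$input_errors[] = gettext("Please enter an address for '{$title}'");
			elseif (!is_ipaddr($data))
				$input_errors[] = "A valid IP address for '{$label}' must be specified.";
			break;
		case "keyid tag":
			if ($data == "")
				$input_errors[] = gettext("Please enter a keyid tag for '{$title}'");
			break;
		case "fqdn":
			if ($data == "")
				$input_errors[] = gettext("Please enter a fully qualified domain name for '{$title}'");
			elseif (!is_domain($data))
				$input_errors[] = "A valid FQDN for '{$label}' must be specified.";
			break;
		case "user_fqdn":
			if ($data == "") {
				$input_errors[] = gettext("Please enter a user and fully qualified domain name for '{$title}'");
			} else {
				// exactly one '@', a non-empty user part and a valid domain
				$parts = explode("@", $data, 2);
				if (count($parts) != 2 || $parts[0] == "" || !is_domain($parts[1]))
					$input_errors[] = "A valid User FQDN in the form of user@my.domain.com for '{$label}' must be specified.";
			}
			break;
		case "dyn_dns":
			if ($data == "")
				$input_errors[] = gettext("Please enter a dynamic domain name for '{$title}'");
			elseif (!is_domain($data))
				$input_errors[] = "A valid Dynamic DNS address for '{$label}' must be specified.";
			break;
		}
	}

	if ($pconfig['dpd_enable']) {
		// both values go into the daemon config as integers
		if (!ctype_digit((string)$pconfig['dpd_delay']))
			$input_errors[] = "A numeric value must be specified for DPD delay.";

		if (!ctype_digit((string)$pconfig['dpd_maxfail']))
			$input_errors[] = "A numeric value must be specified for DPD retries.";
	}

	/* build our encryption algorithms array */
	$ealgo_name = isset($_POST['ealgo']) ? $_POST['ealgo'] : '';
	$ealgo_keylen = isset($_POST['ealgo_keylen']) ? $_POST['ealgo_keylen'] : '';
	if (!is_array($p1_ealgos) || !array_key_exists((string)$ealgo_name, $p1_ealgos)) {
		$input_errors[] = "A valid encryption algorithm must be specified.";
	} elseif ($ealgo_keylen) {
		/* The key length must be one the key-length selector offers for this
		 * algorithm: hi, hi-step, ..., lo. Assumes keysel carries hi/lo/step
		 * exactly as the ealgosel_change() generator on this page reads it. */
		$sel = $p1_ealgos[$ealgo_name]['keysel'];
		$keylen_ok = ctype_digit((string)$ealgo_keylen);
		if ($keylen_ok && is_array($sel)) {
			$kl = (int)$ealgo_keylen;
			$step = (int)$sel['step'];
			$keylen_ok = ($kl >= (int)$sel['lo'] && $kl <= (int)$sel['hi']
			              && ($step <= 0 || (((int)$sel['hi'] - $kl) % $step) == 0));
		}
		if (!$keylen_ok)
			$input_errors[] = "A valid key length must be specified for the selected encryption algorithm.";
	}
	$pconfig['ealgo'] = array('name' => $ealgo_name);
	if ($ealgo_keylen)
		$pconfig['ealgo']['keylen'] = $ealgo_keylen;

	if (!$input_errors) {
		$ph1ent = array();
		/* When editing, keep the stored ikeid rather than the one echoed back
		 * through the hidden field: phase2 entries are associated with this
		 * phase1 through it. A new or duplicated entry gets a fresh id below. */
		$ph1ent['ikeid'] = isset($old_ph1ent) ? $old_ph1ent['ikeid'] : 0;
		$ph1ent['disabled'] = $pconfig['disabled'] ? true : false;
		$ph1ent['interface'] = $pconfig['interface'];

		/* If the remote gateway changed and the interface is not WAN, remove
		 * the host route to the previous gateway; vpn_ipsec_configure() adds
		 * the new one. The previous gateway lives in $old_ph1ent (the entry as
		 * loaded). $ph1ent is the record being built and has no gateway yet,
		 * so the old test against it always fired and ran
		 * "route delete -host" with an empty argument. The stored value was
		 * validated as an address or domain when saved; it is still quoted
		 * before reaching the shell. */
		if ($pconfig['interface'] <> "wan"
		    && isset($old_ph1ent['remote-gateway'])
		    && $old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
			mwexec("/sbin/route delete -host " . escapeshellarg($old_ph1ent['remote-gateway']));
		}

		if ($pconfig['mobile'])
			$ph1ent['mobile'] = true;
		else
			$ph1ent['remote-gateway'] = $pconfig['remotegw'];

		$ph1ent['mode'] = $pconfig['mode'];

		$ph1ent['myid_type'] = $pconfig['myid_type'];
		$ph1ent['myid_data'] = $pconfig['myid_data'];
		$ph1ent['peerid_type'] = $pconfig['peerid_type'];
		$ph1ent['peerid_data'] = $pconfig['peerid_data'];

		$ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
		$ph1ent['hash-algorithm'] = $pconfig['halgo'];
		$ph1ent['dhgroup'] = $pconfig['dhgroup'];
		$ph1ent['lifetime'] = $pconfig['lifetime'];

		/* Both credential fields are stored regardless of method, as before;
		 * readers of this record elsewhere may expect the keys to exist.
		 * 'privatekey' is not a field of this form, so it is normally empty. */
		$ph1ent['pre-shared-key'] = $pconfig['pskey'];
		$ph1ent['private-key'] = base64_encode(isset($pconfig['privatekey']) ? $pconfig['privatekey'] : '');
		$ph1ent['certref'] = $pconfig['certref'];
		$ph1ent['authentication_method'] = $pconfig['authentication_method'];

		$ph1ent['descr'] = $pconfig['descr'];
		$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];

		if (isset($pconfig['dpd_enable'])) {
			$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
			$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
		}

		/* generate unique phase1 ikeid */
		if ($ph1ent['ikeid'] == 0)
			$ph1ent['ikeid'] = ipsec_ikeid_next();

		if (isset($p1index) && $a_phase1[$p1index])
			$a_phase1[$p1index] = $ph1ent;
		else
			$a_phase1[] = $ph1ent;

		/* Re-apply the SPD policy of every phase2 attached to this phase1.
		 * The old gateway may be a host name; resolve it once, on first use. */
		if (is_array($a_phase2) && count($a_phase2)) {
			$old_gw_resolved = false;
			foreach ($a_phase2 as $phase2) {
				if ($phase2['ikeid'] != $ph1ent['ikeid'])
					continue;
				log_error("Reload {$ph1ent['descr']} tunnels");
				if (!$old_gw_resolved) {
					$old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']);
					$old_gw_resolved = true;
				}
				reload_tunnel_spd_policy($ph1ent, $phase2, $old_ph1ent, $phase2);
			}
		}
		write_config();
		mark_subsystem_dirty('ipsec');

		header("Location: vpn_ipsec.php");
		exit;
	}
}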
/* Breadcrumb title; mobile-client entries get one extra crumb. */
$pgtitle = array("VPN", "IPsec", "Edit Phase 1");
if ($pconfig['mobile'])
	$pgtitle[] = "Mobile Client";

include("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<script language="JavaScript">
<!--
/* Show the "My identifier" data box unless the identifier is the
 * interface address, which needs no data. */
function myidsel_change() {
	var sel = document.iform.myid_type;
	var chosen = sel.options[sel.selectedIndex].value;
	var box = document.getElementById('myid_data');
	box.style.visibility = (chosen == 'myaddress') ? 'hidden' : 'visible';
}
/* Show the "Peer identifier" data box unless the identifier is the
 * peer's address, which needs no data. */
function peeridsel_change() {
	var sel = document.iform.peerid_type;
	var chosen = sel.options[sel.selectedIndex].value;
	var box = document.getElementById('peerid_data');
	box.style.visibility = (chosen == 'peeraddress') ? 'hidden' : 'visible';
}
/* Toggle the PSK row and the certificate row according to the selected
 * authentication method: the RSA/hybrid modes use a certificate, every
 * other mode is a PSK variant. */
function methodsel_change() {
	var sel = document.iform.authentication_method;
	var chosen = sel.options[sel.selectedIndex].value;
	var certMethods = { 'hybrid_rsa_server': 1, 'xauth_rsa_server': 1, 'rsasig': 1 };
	var usesCert = certMethods.hasOwnProperty(chosen);

	document.getElementById('opt_psk').style.display = usesCert ? 'none' : '';
	document.getElementById('opt_cert').style.display = usesCert ? '' : 'none';
}
/* PHP generated java script for variable length keys */
function ealgosel_change(bits) {
	switch (document.iform.ealgo.selectedIndex) {
<?php
  /* One case per algorithm, emitted in $p1_ealgos order, which is also the
   * order of the <select name="ealgo"> options, so selectedIndex lines up.
   * Algorithms with a 'keysel' table get a key-length list counting down
   * from hi to lo in steps; the others hide the key-length selector. */
  $idx = 0;
  foreach ($p1_ealgos as $algo => $algodata) {
    echo "		case {$idx}:\n";
    if (is_array($algodata['keysel'])) {
      echo "			document.iform.ealgo_keylen.style.visibility = 'visible';\n";
      echo "			document.iform.ealgo_keylen.options.length = 0;\n";

      $keysel = $algodata['keysel'];
      for ($keylen = $keysel['hi']; $keylen >= $keysel['lo']; $keylen -= $keysel['step'])
        echo "			document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
    } else {
      echo "			document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
      echo "			document.iform.ealgo_keylen.options.length = 0;\n";
    }
    echo "			break;\n";
    $idx++;
  }
?>
	}

	/* preselect a stored key length, if the caller passed one */
	if( bits )
		document.iform.ealgo_keylen.value = bits;
}
/* Show the DPD parameter inputs only while DPD is enabled, and seed them
 * with defaults so an enabled DPD never submits empty values. */
function dpdchkbox_change() {
	var form = document.iform;

	document.getElementById('opt_dpd').style.display = form.dpd_enable.checked ? '' : 'none';

	if (!form.dpd_delay.value)
		form.dpd_delay.value = "10";

	if (!form.dpd_maxfail.value)
		form.dpd_maxfail.value = "5";
}
//-->
</script>
<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">

<?php if ($input_errors) print_input_errors($input_errors); ?>

<table width="100%" border="0" cellpadding="0" cellspacing="0">
	<tr class="tabnavtbl">
		<td id="tabnav">
			<?php
				/* "Tunnels" is the active tab: this page edits a tunnel's phase 1. */
				display_top_tabs(array(
					array("Tunnels", true, "vpn_ipsec.php"),
					array("Mobile clients", false, "vpn_ipsec_mobile.php"),
				));
			?>
		</td>
	</tr>
	<tr>
		<td id="mainarea">
			<div class="tabcont">
				<table width="100%" border="0" cellpadding="6" cellspacing="0">
					<tr>
						<td colspan="2" valign="top" class="listtopic">General information</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq">Disabled</td>
						<td width="78%" class="vtable">
							<?php /* checkbox: present in the POST only when ticked */ ?>
							<input name="disabled" type="checkbox" id="disabled" value="yes"<?php if ($pconfig['disabled']): ?> checked<?php endif; ?>>
							<strong>Disable this phase1 entry</strong><br>
							<span class="vexpl">
								Set this option to disable this phase1 without
								removing it from the list.
							</span>
						</td>
					</tr>
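					<tr>
						<td width="22%" valign="top" class="vncellreq">Interface</td>
						<td width="78%" class="vtable">
							<select name="interface" class="formselect">
							<?php
								/* Configured interfaces plus one pseudo entry per CARP VIP,
								 * keyed "carpN", so a tunnel can bind to a shared address.
								 * Keys are escaped in the option value for consistency with
								 * the escaped description. */
								$interfaces = get_configured_interface_with_descr();
								$carpips = find_number_of_needed_carp_interfaces();
								for ($i = 0; $i < $carpips; $i++) {
									$carpip = find_interface_ip("carp" . $i);
									$interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
								}
								foreach ($interfaces as $iface => $ifacename):
							?>
								<option value="<?=htmlspecialchars($iface);?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
									<?=htmlspecialchars($ifacename);?>
								</option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">Select the interface for the local endpoint of this phase1 entry.</span>
						</td>
					</tr>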
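					<?php if (!$pconfig['mobile']): ?>

					<tr>
						<td width="22%" valign="top" class="vncellreq">Remote gateway</td>
						<td width="78%" class="vtable">
							<?php /* After a failed validation $pconfig is the raw POST, so this
							       * value is user-supplied text and is escaped like descr is. */ ?>
							<?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=htmlspecialchars($pconfig['remotegw']);?>">
							<br>
							Enter the public IP address or host name of the remote gateway
						</td>
					</tr>

					<?php endif; ?>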
					<tr>
						<td width="22%" valign="top" class="vncell">Description</td>
						<td width="78%" class="vtable">
							<?php /* free-form operator text; HTML-escaped on output */ ?>
							<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?php echo htmlspecialchars($pconfig['descr']); ?>">
							<br>
							<span class="vexpl">
								You may enter a description here
								for your reference (not parsed).
							</span>
						</td>
					</tr>
					<tr>
						<td colspan="2" class="list" height="12"></td>
					</tr>
					<tr>
						<td colspan="2" valign="top" class="listtopic">
							Phase 1 proposal (Authentication)
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq">Negotiation mode</td>
						<td width="78%" class="vtable">
							<select name="mode" class="formselect">
							<?php
								/* fixed choice rendered from a literal list */
								foreach (array("main", "aggressive") as $mode):
									$sel = ($mode == $pconfig['mode']) ? " selected" : "";
							?>
								<option value="<?php echo $mode; ?>"<?php echo $sel; ?>>
									<?php echo htmlspecialchars($mode); ?>
								</option>
							<?php endforeach; ?>
							</select> <br> <span class="vexpl">Aggressive is more flexible, but less secure.</span>
						</td>
					</tr>
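					<tr>
						<td width="22%" valign="top" class="vncellreq">My identifier</td>
						<td width="78%" class="vtable">
							<select name="myid_type" class="formselect" onChange="myidsel_change()">
							<?php foreach ($my_identifier_list as $id_type => $id_params): ?>
								<option value="<?=htmlspecialchars($id_type);?>" <?php if ($id_type == $pconfig['myid_type']) echo "selected"; ?>>
									<?=htmlspecialchars($id_params['desc']);?>
								</option>
							<?php endforeach; ?>
							</select>
							<?php /* Free text; after a failed validation it is the raw POST value,
							       * so it is HTML-escaped like the description field. */ ?>
							<input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=htmlspecialchars($pconfig['myid_data']);?>">
						</td>
					</tr>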
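					<tr>
						<td width="22%" valign="top" class="vncellreq">Peer identifier</td>
						<td width="78%" class="vtable">
							<select name="peerid_type" class="formselect" onChange="peeridsel_change()">
							<?php
								/* mobile-client entries only offer identifier types flagged 'mobile' */
								foreach ($peer_identifier_list as $id_type => $id_params):
									if ($pconfig['mobile'] && !$id_params['mobile'])
										continue;
							?>
							<option value="<?=htmlspecialchars($id_type);?>" <?php if ($id_type == $pconfig['peerid_type']) echo "selected"; ?>>
								<?=htmlspecialchars($id_params['desc']);?>
							</option>
							<?php endforeach; ?>
							</select>
							<?php /* Free text; after a failed validation it is the raw POST value,
							       * so it is HTML-escaped like the description field. */ ?>
							<input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=htmlspecialchars($pconfig['peerid_data']);?>">
						</td>
					</tr>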
					<tr>
						<td width="22%" valign="top" class="vncellreq">Encryption algorithm</td>
						<td width="78%" class="vtable">
							<select name="ealgo" class="formselect" onChange="ealgosel_change()">
							<?php
								/* Option order must match the case order generated in
								 * ealgosel_change(), which keys off selectedIndex. */
								foreach ($p1_ealgos as $algo => $algodata):
									$sel = ($algo == $pconfig['ealgo']['name']) ? ' selected' : '';
							?>
								<option value="<?php echo $algo; ?>"<?php echo $sel; ?>>
									<?php echo htmlspecialchars($algodata['name']); ?>
								</option>
							<?php endforeach; ?>
							</select>
							<?php /* populated client-side by ealgosel_change() */ ?>
							<select name="ealgo_keylen" width="30" class="formselect">
							</select>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq">Hash algorithm</td>
						<td width="78%" class="vtable">
							<select name="halgo" class="formselect">
							<?php
								foreach ($p1_halgos as $algo => $algoname):
									$sel = ($algo == $pconfig['halgo']) ? " selected" : "";
							?>
								<option value="<?php echo $algo; ?>"<?php echo $sel; ?>>
									<?php echo htmlspecialchars($algoname); ?>
								</option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								Must match the setting chosen on the remote side.
							</span>
						</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncellreq">DH key group</td>
						<td width="78%" class="vtable">
							<select name="dhgroup" class="formselect">
							<?php
								/* Groups offered by this page; group 1 (768 bit) is the
								 * weakest of the three and is kept only for old peers. */
								foreach (array("1", "2", "5") as $keygroup):
									$sel = ($keygroup == $pconfig['dhgroup']) ? " selected" : "";
							?>
								<option value="<?php echo $keygroup; ?>"<?php echo $sel; ?>>
									<?php echo htmlspecialchars($keygroup); ?>
								</option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								<em>1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit</em>
								<br>
								Must match the setting chosen on the remote side.
							</span>
						</td>
					</tr>
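					<tr>
						<td width="22%" valign="top" class="vncell">Lifetime</td>
						<td width="78%" class="vtable">
							<?php /* Re-rendered from the raw POST after a validation error, so the
							       * value is user-supplied text and is escaped like descr is. */ ?>
							<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>">
							seconds
						</td>
					</tr>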
					<tr>
						<td width="22%" valign="top" class="vncellreq">Authentication method</td>
						<td width="78%" class="vtable">
							<select name="authentication_method" class="formselect" onChange="methodsel_change()">
							<?php
								/* mobile-only methods are hidden for site-to-site tunnels */
								foreach ($p1_authentication_methods as $method_type => $method_params):
									if (!$pconfig['mobile'] && $method_params['mobile'])
										continue;
									$sel = ($method_type == $pconfig['authentication_method']) ? " selected" : "";
							?>
								<option value="<?php echo $method_type; ?>"<?php echo $sel; ?>>
									<?php echo htmlspecialchars($method_params['name']); ?>
								</option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								Must match the setting chosen on the remote side.
							</span>
						</td>
					</tr>
					<tr id="opt_psk">
						<td width="22%" valign="top" class="vncellreq">Pre-Shared Key</td>
						<td width="78%" class="vtable">
							<?php echo $mandfldhtml; ?>
							<?php /* The stored PSK is rendered in the clear in a plain text input,
							       * so anyone who can open this page can read it. */ ?>
							<input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?php echo htmlspecialchars($pconfig['pskey']); ?>">
							<span class="vexpl">
							<br>
								Input your pre-shared key string.
							</span>
						</td>
					</tr>
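					<tr id="opt_cert">
						<td width="22%" valign="top" class="vncellreq">My Certificate</td>
						<td width="78%" class="vtable">
							<select name='certref' class="formselect">
							<?php
								/* Certificates from the cert manager. refid is what gets stored;
								 * name is operator-entered text, so both are escaped. Guarded so
								 * a config without any certificate renders an empty list instead
								 * of warning on the foreach. */
								$certs = is_array($config['system']['cert']) ? $config['system']['cert'] : array();
								foreach ($certs as $cert):
									$selected = "";
									if ($pconfig['certref'] == $cert['refid'])
										$selected = "selected";
							?>
								<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								Select a certificate previously configured in the Certificate Manager.
							</span>
						</td>
					</tr>
					<tr>
						<td colspan="2" class="list" height="12"></td>
					</tr>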
					<tr>
						<td colspan="2" valign="top" class="listtopic">Advanced Options</td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncell">NAT Traversal</td>
						<td width="78%" class="vtable">
							<select name="nat_traversal" class="formselect">
							<?php
								/* value => label, rendered from a literal list */
								$natt_opts = array("off" => "Disable", "on" => "Enable", "force" => "Force");
								foreach ($natt_opts as $natt_val => $natt_label):
							?>
								<option value="<?php echo $natt_val; ?>"<?php if ($pconfig['nat_traversal'] == $natt_val) echo " selected"; ?>><?php echo $natt_label; ?></option>
							<?php endforeach; ?>
							</select>
							<br/>
							<span class="vexpl">
								Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed,
								which can help with clients that are behind restrictive firewalls.
							</span>
						</td>
					</tr>
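					<tr>
						<td width="22%" valign="top" class="vncell">Dead Peer Detection</td>
						<td width="78%" class="vtable">
							<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if (isset($pconfig['dpd_enable'])) echo "checked"; ?> onClick="dpdchkbox_change()">
							Enable DPD<br>
							<div id="opt_dpd">
								<br>
								<?php /* Both values are re-rendered from the raw POST after a failed
								       * validation, so they are HTML-escaped like descr is. */ ?>
								<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=htmlspecialchars($pconfig['dpd_delay']);?>">
								seconds<br>
								<span class="vexpl">
									Delay between requesting peer acknowledgement.
								</span><br>
								<br>
								<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=htmlspecialchars($pconfig['dpd_maxfail']);?>">
								retries<br>
								<span class="vexpl">
									Number of consecutive failures allowed before disconnect.
								</span>
								<br>
							</div>
						</td>
					</tr>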
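					<tr>
						<td width="22%" valign="top">&nbsp;</td>
						<td width="78%">
							<?php
								/* p1index and ikeid are round-tripped through hidden fields. After
								 * a failed validation $pconfig is the raw POST, so ikeid is
								 * user-supplied text and is escaped; p1index is only emitted when
								 * it addresses an existing entry, and is escaped for consistency. */
							?>
							<?php if (isset($p1index) && $a_phase1[$p1index]): ?>
							<input name="p1index" type="hidden" value="<?=htmlspecialchars($p1index);?>">
							<?php endif; ?>
							<?php if ($pconfig['mobile']): ?>
							<input name="mobile" type="hidden" value="true">
							<?php endif; ?>
							<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>">
							<input name="Submit" type="submit" class="formbtn" value="Save">
						</td>
					</tr>
				</table>
			</div>
		</td>
	</tr>
</table>
</form>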
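<script language="JavaScript">
<!--
<?php
	/* Seed the key-length selector from the stored/posted key length. The
	 * value is emitted straight into JavaScript, so it is only used when it
	 * is numeric and is cast to int rather than echoed verbatim. (The script
	 * tag above also had its "language" attribute misspelled.) */
	$keyset = '';
	if (isset($pconfig['ealgo']['keylen']) && is_numeric($pconfig['ealgo']['keylen']))
		$keyset = (int)$pconfig['ealgo']['keylen'];
?>
myidsel_change();
peeridsel_change();
methodsel_change();
ealgosel_change(<?=$keyset;?>);
dpdchkbox_change();
//-->
</script>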
<?php include("fend.inc"); ?>
</body>
</html>