Revision a93e56c5
Added by Matthew Grooms almost 17 years ago
| etc/inc/config.inc | ||
|---|---|---|
| 1260 | 1260 |
$config['version'] = "4.6"; |
| 1261 | 1261 |
} |
| 1262 | 1262 |
|
| 1263 |
if ($prev_version != $config['version']) |
|
| 1263 |
/* Convert 4.6 -> 4.7 */ |
|
| 1264 |
if ($config['version'] <= 4.7) {
|
|
| 1265 |
|
|
| 1266 |
/* Upgrade IPsec from tunnel to phase1/phase2 */ |
|
| 1267 |
|
|
| 1268 |
echo "Beginning upgrade to version 4.7\n"; |
|
| 1269 |
|
|
| 1270 |
if(is_array($config['ipsec']['tunnel'])) {
|
|
| 1271 |
|
|
| 1272 |
$a_phase1 = array(); |
|
| 1273 |
$a_phase2 = array(); |
|
| 1274 |
$ikeid = 0; |
|
| 1275 |
|
|
| 1276 |
foreach ($config['ipsec']['tunnel'] as $tunnel) {
|
|
| 1277 |
|
|
| 1278 |
/* build new phase1 entry */ |
|
| 1279 |
|
|
| 1280 |
$ph1ent['ikeid'] = ++$ikeid; |
|
| 1281 |
|
|
| 1282 |
if (isset($tunnel['disabled'])) |
|
| 1283 |
$ph1ent['disabled'] = $tunnel['disabled']; |
|
| 1284 |
|
|
| 1285 |
$ph1ent['interface'] = $tunnel['interface']; |
|
| 1286 |
$ph1ent['remote-gateway'] = $tunnel['remote-gateway']; |
|
| 1287 |
$ph1ent['descr'] = $tunnel['descr']; |
|
| 1288 |
|
|
| 1289 |
$ph1ent['mode'] = $tunnel['p1']['mode']; |
|
| 1290 |
|
|
| 1291 |
if (isset($tunnel['p1']['myident']['myaddress'])) |
|
| 1292 |
$ph1ent['myid_type'] = "myaddress"; |
|
| 1293 |
if (isset($tunnel['p1']['myident']['address'])) {
|
|
| 1294 |
$ph1ent['myid_type'] = "address"; |
|
| 1295 |
$ph1ent['myid_data'] = $tunnel['p1']['myident']['address']; |
|
| 1296 |
} |
|
| 1297 |
if (isset($tunnel['p1']['myident']['fqdn'])) {
|
|
| 1298 |
$ph1ent['myid_type'] = "fqdn"; |
|
| 1299 |
$ph1ent['myid_data'] = $tunnel['p1']['myident']['fqdn']; |
|
| 1300 |
} |
|
| 1301 |
if (isset($tunnel['p1']['myident']['user_fqdn'])) {
|
|
| 1302 |
$ph1ent['myid_type'] = "user_fqdn"; |
|
| 1303 |
$ph1ent['myid_data'] = $tunnel['p1']['myident']['user_fqdn']; |
|
| 1304 |
} |
|
| 1305 |
if (isset($tunnel['p1']['myident']['asn1dn'])) {
|
|
| 1306 |
$ph1ent['myid_type'] = "asn1dn"; |
|
| 1307 |
$ph1ent['myid_data'] = $tunnel['p1']['myident']['asn1dn']; |
|
| 1308 |
} |
|
| 1309 |
if (isset($tunnel['p1']['myident']['dyn_dns'])) {
|
|
| 1310 |
$ph1ent['myid_type'] = "dyn_dns"; |
|
| 1311 |
$ph1ent['myid_data'] = $tunnel['p1']['myident']['dyn_dns']; |
|
| 1312 |
} |
|
| 1313 |
|
|
| 1314 |
$ph1ent['peerid_type'] = "peeraddress"; |
|
| 1315 |
|
|
| 1316 |
switch ($tunnel['p1']['encryption-algorithm']) {
|
|
| 1317 |
case "des": |
|
| 1318 |
$ph1alg = array( 'name' => 'des' ); |
|
| 1319 |
break; |
|
| 1320 |
case "3des": |
|
| 1321 |
$ph1alg = array( 'name' => '3des' ); |
|
| 1322 |
break; |
|
| 1323 |
case "blowfish": |
|
| 1324 |
$ph1alg = array( 'name' => 'blowfish', 'keylen' => 'auto' ); |
|
| 1325 |
break; |
|
| 1326 |
case "cast128": |
|
| 1327 |
$ph1alg = array( 'name' => 'cast128' ); |
|
| 1328 |
break; |
|
| 1329 |
case "rijndael": |
|
| 1330 |
$ph1alg = array( 'name' => 'aes', 'keylen' => 'auto' ); |
|
| 1331 |
break; |
|
| 1332 |
case "rijndael 256": |
|
| 1333 |
$ph1alg = array( 'name' => 'aes', 'keylen' => '256' ); |
|
| 1334 |
break; |
|
| 1335 |
} |
|
| 1336 |
|
|
| 1337 |
$ph1ent['encryption-algorithm'] = $ph1alg; |
|
| 1338 |
$ph1ent['hash-algorithm'] = $tunnel['p1']['hash-algorithm']; |
|
| 1339 |
$ph1ent['dhgroup'] = $tunnel['p1']['dhgroup']; |
|
| 1340 |
$ph1ent['lifetime'] = $tunnel['p1']['lifetime']; |
|
| 1341 |
$ph1ent['authentication_method'] = $tunnel['p1']['authentication_method']; |
|
| 1342 |
|
|
| 1343 |
if (isset($tunnel['p1']['pre-shared-key'])) |
|
| 1344 |
$ph1ent['pre-shared-key'] = $tunnel['p1']['pre-shared-key']; |
|
| 1345 |
if (isset($tunnel['p1']['cert'])) |
|
| 1346 |
$ph1ent['cert'] = $tunnel['p1']['cert']; |
|
| 1347 |
if (isset($tunnel['p1']['peercert'])) |
|
| 1348 |
$ph1ent['peercert'] = $tunnel['p1']['peercert']; |
|
| 1349 |
if (isset($tunnel['p1']['private-key'])) |
|
| 1350 |
$ph1ent['private-key'] = $tunnel['p1']['private-key']; |
|
| 1351 |
|
|
| 1352 |
if (isset($tunnel['pinghost']['pinghost'])) |
|
| 1353 |
$ph1ent['pinghost'] = $tunnel['pinghost']; |
|
| 1354 |
|
|
| 1355 |
$ph1ent['nat_traversal'] = "on"; |
|
| 1356 |
$ph1ent['dpd_enable'] = 1; |
|
| 1357 |
$ph1ent['dpd_delay'] = 10; |
|
| 1358 |
$ph1ent['dpd_maxfail'] = 5; |
|
| 1359 |
|
|
| 1360 |
$a_phase1[] = $ph1ent; |
|
| 1361 |
|
|
| 1362 |
/* build new phase2 entry */ |
|
| 1363 |
|
|
| 1364 |
$ph2ent['ikeid'] = $ikeid; |
|
| 1365 |
|
|
| 1366 |
if (isset($tunnel['disabled'])) |
|
| 1367 |
$ph1ent['disabled'] = $tunnel['disabled']; |
|
| 1368 |
|
|
| 1369 |
$ph2ent['descr'] = "phase2 for ".$tunnel['descr']; |
|
| 1370 |
|
|
| 1371 |
$type = "lan"; |
|
| 1372 |
if ($tunnel['local-subnet']['network']) |
|
| 1373 |
$type = $tunnel['local-subnet']['network']; |
|
| 1374 |
if ($tunnel['local-subnet']['address']) {
|
|
| 1375 |
list($address,$netbits) = explode("/",$tunnel['local-subnet']['address']);
|
|
| 1376 |
if (is_null($netbits)) |
|
| 1377 |
$type = "address"; |
|
| 1378 |
else |
|
| 1379 |
$type = "network"; |
|
| 1380 |
} |
|
| 1381 |
|
|
| 1382 |
switch ($type) {
|
|
| 1383 |
case "address": |
|
| 1384 |
$ph2ent['localid'] = array('type' => $type,'address' => $address);
|
|
| 1385 |
break; |
|
| 1386 |
case "network": |
|
| 1387 |
$ph2ent['localid'] = array('type' => $type,'address' => $address,'netbits' => $netbits);
|
|
| 1388 |
break; |
|
| 1389 |
default: |
|
| 1390 |
$ph2ent['localid'] = array('type' => $type);
|
|
| 1391 |
break; |
|
| 1392 |
} |
|
| 1393 |
|
|
| 1394 |
list($address,$netbits) = explode("/",$tunnel['remote-subnet']);
|
|
| 1395 |
$ph2ent['remoteid'] = array('type' => 'network','address' => $address,'netbits' => $netbits);
|
|
| 1396 |
|
|
| 1397 |
$ph2ent['protocol'] = $tunnel['p2']['protocol']; |
|
| 1398 |
|
|
| 1399 |
foreach( $tunnel['p2']['encryption-algorithm-option'] as $tunalg ) {
|
|
| 1400 |
switch ($tunalg) {
|
|
| 1401 |
case "des": |
|
| 1402 |
$ph2alg = array( 'name' => 'des' ); |
|
| 1403 |
break; |
|
| 1404 |
case "3des": |
|
| 1405 |
$ph2alg = array( 'name' => '3des' ); |
|
| 1406 |
break; |
|
| 1407 |
case "blowfish": |
|
| 1408 |
$ph2alg = array( 'name' => 'blowfish', 'keylen' => 'auto' ); |
|
| 1409 |
break; |
|
| 1410 |
case "cast128": |
|
| 1411 |
$ph2alg = array( 'name' => 'cast128' ); |
|
| 1412 |
break; |
|
| 1413 |
case "rijndael": |
|
| 1414 |
$ph2alg = array( 'name' => 'aes', 'keylen' => 'auto' ); |
|
| 1415 |
break; |
|
| 1416 |
case "rijndael 256": |
|
| 1417 |
$ph2alg = array( 'name' => 'aes', 'keylen' => '256' ); |
|
| 1418 |
break; |
|
| 1419 |
} |
|
| 1420 |
|
|
| 1421 |
$ph2ent['encryption-algorithm-option'][] = $ph2alg; |
|
| 1422 |
} |
|
| 1423 |
|
|
| 1424 |
$ph2ent['hash-algorithm-option'] = $tunnel['p2']['hash-algorithm-option']; |
|
| 1425 |
$ph2ent['pfsgroup'] = $tunnel['p2']['pfsgroup']; |
|
| 1426 |
$ph2ent['lifetime'] = $tunnel['p2']['lifetime']; |
|
| 1427 |
|
|
| 1428 |
$a_phase2[] = $ph2ent; |
|
| 1429 |
} |
|
| 1430 |
|
|
| 1431 |
unset($config['ipsec']['tunnel']); |
|
| 1432 |
$config['ipsec']['phase1'] = $a_phase1; |
|
| 1433 |
$config['ipsec']['phase2'] = $a_phase2; |
|
| 1434 |
} |
|
| 1435 |
|
|
| 1436 |
$config['version'] = "4.7"; |
|
| 1437 |
} |
|
| 1438 |
|
|
| 1439 |
// if ($prev_version != $config['version']) |
|
| 1264 | 1440 |
write_config("Upgraded config version level from {$prev_version} to {$config['version']}");
|
| 1265 | 1441 |
} |
| 1266 | 1442 |
|
Also available in: Unified diff
Overhaul IPsec related code. Shared functions have been consolidated into
a new file named /etc/ipsec.inc. Tunnel definitions have been split into
phase1 and phase2. This allows any number of phase2 definitions to be
created for a single phase1 definition. Several facets of configuration
have also been improved. The key size for variable length algorithms can
now be selected and the phase1 ID options have been extended to allow for
more flexible configuration. Several NAT-T related issues have also been
resolved.
Please note, IPsec remote access functionality has been temporarily
disabled. An improved implementation will be included in a follow up
commit.