<?php
2 979cd6db Scott Ullrich
3 5b237745 Scott Ullrich
/*
4
	vpn.inc
5 979cd6db Scott Ullrich
	Copyright (C) 2004 Scott Ullrich
6 a93e56c5 Matthew Grooms
	Copyright (C) 2008 Shrew Soft Inc
7 6d7de776 Ermal Luçi
	Copyright (C) 2008 Ermal Luçi
8 cfc707f7 Scott Ullrich
	All rights reserved.
9 17da6c79 Scott Ullrich
10
	originally part of m0n0wall (http://m0n0.ch/wall)
11
	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12
	All rights reserved.
13
14 5b237745 Scott Ullrich
	Redistribution and use in source and binary forms, with or without
15
	modification, are permitted provided that the following conditions are met:
16 17da6c79 Scott Ullrich
17 5b237745 Scott Ullrich
	1. Redistributions of source code must retain the above copyright notice,
18
	   this list of conditions and the following disclaimer.
19 17da6c79 Scott Ullrich
20 5b237745 Scott Ullrich
	2. Redistributions in binary form must reproduce the above copyright
21
	   notice, this list of conditions and the following disclaimer in the
22
	   documentation and/or other materials provided with the distribution.
23 17da6c79 Scott Ullrich
24 5b237745 Scott Ullrich
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
26
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
28
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33
	POSSIBILITY OF SUCH DAMAGE.
34
*/
35 8f67a8e1 Scott Ullrich
36 523855b0 Scott Ullrich
/*
37
	pfSense_BUILDER_BINARIES:	/usr/bin/killall	/usr/local/sbin/sasyncd	/sbin/ifconfig	/sbin/sysctl
38 320bba64 Ermal
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/setkey	/sbin/route	/bin/mkdir
39 523855b0 Scott Ullrich
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/racoonctl	/usr/local/sbin/racoon
40 f8c10a18 Ermal
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/filterdns	/usr/local/sbin/mpd4	
41 523855b0 Scott Ullrich
	pfSense_MODULE:	vpn
42
*/
43
44 5b237745 Scott Ullrich
/* include all configuration functions */
45 8f67a8e1 Scott Ullrich
46 600dd4e0 Scott Ullrich
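/*
 * vpn_ipsec_failover_configure()
 *
 * Builds {$g['varetc_path']}/sasyncd.conf from the sasyncd package
 * configuration and (re)starts sasyncd.  Nothing happens when the package
 * is not installed.  Problems are reported through log_error(); there is
 * no return value.
 *
 * Security notes:
 *  - sasyncd.conf carries the peer shared key, so the file is forced to
 *    0600 *before* any content is written into it.  The previous order
 *    (write, then chmod) left the key readable for a moment under a
 *    permissive umask.
 *  - Every field is copied verbatim into the config file, so a value that
 *    contains a line break could smuggle in extra directives.  Entries
 *    like that are refused instead of being written.
 *  - killall is invoked by its full path, matching the racoon handling
 *    further down and the pfSense_BUILDER_BINARIES list above.
 */
function vpn_ipsec_failover_configure() {
	global $config, $g;

	if (!is_array($config['installedpackages']['sasyncd']))
		return;
	if (!is_array($config['installedpackages']['sasyncd']['config']))
		return;

	/* fields that end up, verbatim, in sasyncd.conf */
	$fields = array('peerip', 'interface', 'sharedkey', 'mode', 'listenon', 'flushmodesync');

	$sasyncd_text = "";
	foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
		/* a disabled entry aborts the whole job: nothing is written and a
		 * running sasyncd is left untouched (behaviour kept from the
		 * original code) */
		if (!isset($sasyncd['enable']))
			return;

		/* refuse anything that could break out of its directive line */
		foreach ($fields as $field) {
			if (isset($sasyncd[$field]) && preg_match('/[\r\n]/', $sasyncd[$field])) {
				log_error("sasyncd: field '{$field}' contains a line break, refusing to write sasyncd.conf");
				return;
			}
		}

		if (isset($sasyncd['peerip']) && $sasyncd['peerip'] !== "")
			$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
		if (!empty($sasyncd['interface']))
			$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
		if (isset($sasyncd['sharedkey']) && $sasyncd['sharedkey'] !== "")
			$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
		if (isset($sasyncd['mode']) && $sasyncd['mode'] !== "")
			$sasyncd_text .= "mode {$sasyncd['mode']}\n";
		if (isset($sasyncd['listenon']) && $sasyncd['listenon'] !== "")
			$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
		if (isset($sasyncd['flushmodesync']) && $sasyncd['flushmodesync'] !== "")
			$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
	}

	$conffile = "{$g['varetc_path']}/sasyncd.conf";

	/* lock the permissions down before the key lands in the file, not after */
	if (!file_exists($conffile))
		touch($conffile);
	chmod($conffile, 0600);

	/* an empty config is a legitimate 0-byte write, so test for false only;
	 * on failure leave whatever sasyncd is running alone rather than
	 * restarting it against a file we could not write */
	if (file_put_contents($conffile, $sasyncd_text) === false) {
		log_error("sasyncd: cannot write {$conffile}, leaving sasyncd as it is");
		return;
	}

	if (is_process_running("sasyncd"))
		mwexec("/usr/bin/killall sasyncd", true);

	/* launch sasyncd, oh wise one */
	mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v");
}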
80 8f67a8e1 Scott Ullrich
81 a93e56c5 Matthew Grooms
function vpn_ipsec_configure($ipchg = false)
82
{
83
	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
84 17da6c79 Scott Ullrich
85 7734aea6 Andrew Thompson
	if ($g['platform'] == 'jail')
86
		return;
87 f41c9fd5 Ermal Lu?i
	/* get the automatic ping_hosts.sh ready */
88 cdd5b2ce Ermal Lu?i
	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
89
	touch("{$g['vardb_path']}/ipsecpinghosts");
90 c1f5a46b Scott Ullrich
91 7b2fdac4 jim-p
	vpn_ipsec_configure_preferoldsa();
92 8f67a8e1 Scott Ullrich
93
	$syscfg = $config['system'];
94 5b237745 Scott Ullrich
	$ipseccfg = $config['ipsec'];
95 a93e56c5 Matthew Grooms
	$a_phase1 = $config['ipsec']['phase1'];
96
	$a_phase2 = $config['ipsec']['phase2'];
97 3462a529 Matthew Grooms
	$a_client = $config['ipsec']['client'];
98 8f67a8e1 Scott Ullrich
99 2f1e0311 Seth Mos
	if (!isset($ipseccfg['enable'])) {
100
		mwexec("/sbin/ifconfig enc0 down");
101 8f67a8e1 Scott Ullrich
102 98c02cac Ermal
		/* send a SIGKILL to be sure */
103
		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
104
105 5b237745 Scott Ullrich
		/* kill racoon */
106 99f98b80 sullrich
		if(is_process_running("racoon"))
107
			mwexec("/usr/bin/killall racoon", true);
108 f8c10a18 Ermal
		killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
109 98c02cac Ermal
110 979cd6db Scott Ullrich
		/* wait for racoon process to die */
111 8f67a8e1 Scott Ullrich
		sleep(2);
112
113 2f1e0311 Seth Mos
		/* flush SPD and SAD */
114 6b91fe11 Seth Mos
		mwexec("/usr/local/sbin/setkey -F");
115 98c02cac Ermal
		mwexec("/usr/local/sbin/setkey -FP");
116
117 84fa0d60 Scott Ullrich
		/* disallow IPSEC, it is off */
118 79eea0c1 Ermal
		exec("/sbin/sysctl net.inet.ip.ipsec_in_use=0");
119 2f1e0311 Seth Mos
120
		return true;
121 04b46591 Ermal Lu?i
	} else {
122 3bb6bfd2 Ermal
		mwexec("/sbin/ifconfig enc0 up");
123 6706a83a Ermal
		mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
124 3bb6bfd2 Ermal
125 924876a8 Ermal Lu?i
		if ($g['booting'])
126 89ceb4ba Renato Botelho
			echo gettext("Configuring IPsec VPN... ");
127 924876a8 Ermal Lu?i
128 8f67a8e1 Scott Ullrich
		/* fastforwarding is not compatible with ipsec tunnels */
129 979cd6db Scott Ullrich
		mwexec("/sbin/sysctl net.inet.ip.fastforwarding=0");
130 8f67a8e1 Scott Ullrich
131 a93e56c5 Matthew Grooms
		/* resolve all local, peer addresses and setup pings */
132
		$ipmap = array();
133
		$rgmap = array();
134 f8c10a18 Ermal
		$filterdns_list = array();
135 a93e56c5 Matthew Grooms
		if (is_array($a_phase1) && count($a_phase1)) {
136 87e07f52 mgrooms
137 ac463c00 smos
			$ipsecpinghosts = "";
138 87e07f52 mgrooms
			/* step through each phase1 entry */
139 80c1e99f Seth Mos
			$ipsecpinghosts = "";
140 a93e56c5 Matthew Grooms
			foreach ($a_phase1 as $ph1ent) {
141
				if (isset($ph1ent['disabled']))
142
					continue;
143 8f67a8e1 Scott Ullrich
144 0af7398a Matthew Grooms
				$ep = ipsec_get_phase1_src($ph1ent);
145 fb17f629 Seth Mos
				if (!is_ipaddr($ep))
146 a93e56c5 Matthew Grooms
					continue;
147 8f67a8e1 Scott Ullrich
148 a93e56c5 Matthew Grooms
				if(!in_array($ep,$ipmap))
149
					$ipmap[] = $ep;
150 8f67a8e1 Scott Ullrich
151 a93e56c5 Matthew Grooms
				/* see if this tunnel has a hostname for the remote-gateway. If so,
152 f8c10a18 Ermal
				   try to resolve it now and add it to the list for filterdns */
153 8f67a8e1 Scott Ullrich
154 3462a529 Matthew Grooms
				if (isset ($ph1ent['mobile']))
155
					continue;
156
157 a93e56c5 Matthew Grooms
				$rg = $ph1ent['remote-gateway'];
158 979cd6db Scott Ullrich
159 a93e56c5 Matthew Grooms
				if (!is_ipaddr($rg)) {
160 f8c10a18 Ermal
					$filterdns_list[] = "{$rg}";
161 c60cae98 Seth Mos
					add_hostname_to_watch($rg);
162 621a459a smos
					if(! $g['booting'])
163
						$rg = resolve_retry($rg);
164
					if (!is_ipaddr($rg))
165 979cd6db Scott Ullrich
						continue;
166 a93e56c5 Matthew Grooms
				}
167 829fa12e smos
				if(array_search($rg, $rgmap)) {
168
					log_error("The remote gateway {$rg} already exists on another phase 1 entry");
169
					continue;
170
				}
171 a93e56c5 Matthew Grooms
				$rgmap[$ph1ent['remote-gateway']] = $rg;
172 8f67a8e1 Scott Ullrich
173 a11df336 jim-p
				if (is_array($a_phase2)) {
174
					/* step through each phase2 entry */
175
					foreach ($a_phase2 as $ph2ent) {
176
						$ikeid = $ph2ent['ikeid'];
177
178
						if (isset($ph2ent['disabled']))
179
							continue;
180
181
						if ($ikeid != $ph1ent['ikeid'])
182
							continue;
183
184
						$ph2ent['localid']['mode'] = $ph2ent['mode'];
185
						/* add an ipsec pinghosts entry */
186
						if ($ph2ent['pinghost']) {
187
							$iflist = get_configured_interface_list();
188
							foreach ($iflist as $ifent => $ifname) {
189
								if(is_ipaddrv6($ph2ent['pinghost'])) {
190
									$interface_ip = get_interface_ipv6($ifent);
191
									if(!is_ipaddrv6($interface_ip))
192
										continue;
193
									$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
194
									if (ip_in_subnet($interface_ip, $local_subnet)) {
195
										$srcip = $interface_ip;
196
										break;
197
									}
198
								} else {
199
									$interface_ip = get_interface_ip($ifent);
200
									if(!is_ipaddrv4($interface_ip))
201
										continue;
202
									$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true);
203
									if (ip_in_subnet($interface_ip, $local_subnet)) {
204
										$srcip = $interface_ip;
205
										break;
206
									}
207 fb17f629 Seth Mos
								}
208 a11df336 jim-p
							}
209
							$dstip = $ph2ent['pinghost'];
210
							if(is_ipaddrv6($dstip)) {
211
								$family = "inet6";
212 fb17f629 Seth Mos
							} else {
213 a11df336 jim-p
								$family = "inet";
214 741077bc Ermal Lu?i
							}
215 a11df336 jim-p
							if (is_ipaddr($srcip))
216
								$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
217 87e07f52 mgrooms
						}
218 17da6c79 Scott Ullrich
					}
219 a11df336 jim-p
					file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
220 a93e56c5 Matthew Grooms
				}
221
			}
222
		}
223 8f67a8e1 Scott Ullrich
224 a93e56c5 Matthew Grooms
		/* generate CA certificates files */
225 1e332e98 jim-p
		if (is_array($config['ca']) && count($config['ca'])) {
226
			foreach ($config['ca'] as $ca) {
227 73fbece8 mgrooms
				if (!isset($ca['crt'])) {
228 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
229 73fbece8 mgrooms
					continue;
230
				}
231
				$cert = base64_decode($ca['crt']);
232
				$x509cert = openssl_x509_parse(openssl_x509_read($cert));
233
				if (!is_array($x509cert) || !isset($x509cert['hash'])) {
234 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
235 73fbece8 mgrooms
					continue;
236
				}
237 dd30341d Eirik Oeverby
				$fname = $g['varetc_path']."/".$x509cert['hash'].".0";
238 73fbece8 mgrooms
				if (!file_put_contents($fname, $cert)) {
239 4816e5ca Renato Botelho
					log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
240 73fbece8 mgrooms
					continue;
241 a93e56c5 Matthew Grooms
				}
242
			}
243
		}
244
		
245
		/* generate psk.txt */
246
		$fd = fopen("{$g['varetc_path']}/psk.txt", "w");
247
		if (!$fd) {
248 89ceb4ba Renato Botelho
			printf(gettext("Error: cannot open psk.txt in vpn_ipsec_configure().") . "\n");
249 a93e56c5 Matthew Grooms
			return 1;
250
		}
251
252
		$pskconf = "";
253 037b51b3 Seth Mos
254 a93e56c5 Matthew Grooms
		if (is_array($a_phase1) && count($a_phase1)) {
255
			foreach ($a_phase1 as $ph1ent) {
256
257
				if (isset($ph1ent['disabled']))
258
					continue;
259
260 3462a529 Matthew Grooms
				if (strstr($ph1ent['authentication_method'],'rsa'))
261
					continue;
262 a93e56c5 Matthew Grooms
263
				$peerid_type = $ph1ent['peerid_type'];
264
265
				switch ($peerid_type) {
266
					case "peeraddress":
267
						$peerid_type = "address";
268 3462a529 Matthew Grooms
						$peerid_data = $rgmap[$ph1ent['remote-gateway']];
269 a93e56c5 Matthew Grooms
						break;
270
271
					case "address";
272
						$peerid_data = $ph1ent['peerid_data'];
273
						break;
274
275
					case "fqdn";
276
					case "keyid tag";
277
					case "user_fqdn";
278
						$peerid_data = $ph1ent['peerid_data'];
279
						break;
280 5b237745 Scott Ullrich
				}
281 8f67a8e1 Scott Ullrich
282 a7af5ddc jim-p
				if (!empty($peerid_data) && !empty($ph1ent['pre-shared-key']))
283
					$pskconf .= trim($peerid_data) . "\t" . trim($ph1ent['pre-shared-key']) . "\n";
284 5b237745 Scott Ullrich
			}
285 a93e56c5 Matthew Grooms
		}
286
287 4ed2dde7 jim-p
		/* Add user PSKs */
288
		foreach ($config['system']['user'] as $user) {
289
			if (!empty($user['ipsecpsk'])) {
290
				$pskconf .= "{$user['name']}\t{$user['ipsecpsk']}\n";
291
			}
292
		}
293
294 2ef1b601 jim-p
		/* add PSKs for mobile clients */
295
		if (is_array($ipseccfg['mobilekey'])) {
296
			foreach ($ipseccfg['mobilekey'] as $key) {
297 4ed2dde7 jim-p
				$pskconf .= "{$key['ident']}\t{$key['pre-shared-key']}\n";
298 2ef1b601 jim-p
			}
299
		}
300
301 a93e56c5 Matthew Grooms
		fwrite($fd, $pskconf);
302
		fclose($fd);
303
		chmod("{$g['varetc_path']}/psk.txt", 0600);
304
			
305
		/* begin racoon.conf */
306
		if ((is_array($a_phase1) && count($a_phase1)) ||
307
			(is_array($a_phase2) && count($a_phase2))) {
308 8f67a8e1 Scott Ullrich
309 5b237745 Scott Ullrich
			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
310
			if (!$fd) {
311 89ceb4ba Renato Botelho
				printf(gettext("Error: cannot open racoon.conf in vpn_ipsec_configure().") . "\n");
312 5b237745 Scott Ullrich
				return 1;
313
			}
314 17da6c79 Scott Ullrich
315 6edc48fe Seth Mos
			$racoonconf = "# This file is automatically generated. Do not edit\n";			
316 c52719a8 Scott Ullrich
			$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
317 a63f7d55 Scott Ullrich
			$racoonconf .= "path certificate  \"{$g['varetc_path']}\";\n\n";
318 c52719a8 Scott Ullrich
319 a93e56c5 Matthew Grooms
			/* begin listen section */
320
			if (count($ipmap)) {
321
				$racoonconf .= "\nlisten\n";
322
				$racoonconf .= "{\n";
323 98718ac1 pierrepomes
				$racoonconf .= "	adminsock \"/var/db/racoon/racoon.sock\" \"root\" \"wheel\" 0660;\n";
324 a93e56c5 Matthew Grooms
				foreach ($ipmap as $addr) {
325
					$racoonconf .= "\tisakmp {$addr} [500];\n";
326
					$racoonconf .= "\tisakmp_natt {$addr} [4500];\n";
327 a63f7d55 Scott Ullrich
				}
328 a93e56c5 Matthew Grooms
				$racoonconf .= "}\n\n";
329
			}
330 c52719a8 Scott Ullrich
331 3462a529 Matthew Grooms
			/* begin mode_cfg section */
332
			if (is_array($a_client) && isset($a_client['enable'])) {
333
334
				$racoonconf .= "\nmode_cfg\n";
335
				$racoonconf .= "{\n";
336
337
				if ($a_client['user_source'])
338
					$racoonconf .= "\tauth_source {$a_client['user_source']};\n";
339
				if ($a_client['group_source'])
340
					$racoonconf .= "\tgroup_source {$a_client['group_source']};\n";
341
342
				if ($a_client['pool_address'] && $a_client['pool_netbits']) {
343
					$pool_address = $a_client['pool_address'];
344
					$pool_netmask = gen_subnet_mask($a_client['pool_netbits']);
345
346 96033063 Erik Fonnesbeck
					$pool_address = long2ip32(ip2long($pool_address)+1);
347
					$pool_size = (~ip2long($pool_netmask) & 0xFFFFFFFF) - 2;
348 3462a529 Matthew Grooms
349
					$racoonconf .= "\tpool_size {$pool_size};\n";
350
					$racoonconf .= "\tnetwork4 {$pool_address};\n";
351
					$racoonconf .= "\tnetmask4 {$pool_netmask};\n";
352
				}
353
354
				if (isset($a_client['net_list'])) {
355
356
					$net_list = '';
357
358
					foreach ($a_phase2 as $ph2ent) {
359
360
						if (isset($ph2ent['disabled']))
361
							continue;
362
363
						if (!isset($ph2ent['mobile']))
364
							continue;
365
366
						$localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);
367
368
						if ($net_list)
369
							$net_list .= ", ";
370
						$net_list .= $localid;
371
					}
372
373
					if ($net_list)
374
						$racoonconf .= "\tsplit_network include {$net_list};\n";
375
				}
376
377
				if ($a_client['dns_server1'])
378
					$racoonconf .= "\tdns4 {$a_client['dns_server1']};\n";
379
				if ($a_client['dns_server2'])
380
					$racoonconf .= "\tdns4 {$a_client['dns_server2']};\n";
381
				if ($a_client['dns_server3'])
382
					$racoonconf .= "\tdns4 {$a_client['dns_server3']};\n";
383
				if ($a_client['dns_server4'])
384
					$racoonconf .= "\tdns4 {$a_client['dns_server4']};\n";
385
386
				if ($a_client['wins_server1'])
387
					$racoonconf .= "\twins4 {$a_client['wins_server1']};\n";
388
				if ($a_client['wins_server2'])
389
					$racoonconf .= "\twins4 {$a_client['wins_server2']};\n";
390
391 5281b3e8 Chris Buechler
				if ($a_client['dns_domain']) {
392 3462a529 Matthew Grooms
					$racoonconf .= "\tdefault_domain \"{$a_client['dns_domain']}\";\n";
393 680d543d jim-p
					if (empty($a_client['dns_split']))
394
						$racoonconf .= "\tsplit_dns \"{$a_client['dns_domain']}\";\n";
395
				}
396
397
				if ($a_client['dns_split']) {
398
					$domain_array = preg_split("/[ ,]+/",$a_client['dns_split']);
399
					$domain_string = implode('", "', $domain_array);
400
					$racoonconf .= "\tsplit_dns \"{$domain_string}\";\n";
401 5281b3e8 Chris Buechler
				}
402 3462a529 Matthew Grooms
403
				if ($a_client['pfs_group'])
404
					$racoonconf .= "\tpfs_group {$a_client['pfs_group']};\n";
405
406
				if ($a_client['login_banner']) {
407
					$fn = "{$g['varetc_path']}/racoon.motd";
408
					$fd1 = fopen($fn, "w");
409
					if (!$fd1) {
410 b1e4005f Vinicius Coque
						printf(gettext("Error: cannot open server %s in vpn.\n"), $fn);
411 3462a529 Matthew Grooms
						return 1;
412
					}
413
414
					fwrite($fd1, $a_client['login_banner']);
415
					fclose($fd1);
416
417
					$racoonconf .= "\tbanner \"{$fn}\";\n";
418
				}
419
420 4178a1dd jim-p
				if (isset($a_client['save_passwd']))
421
					$racoonconf .= "\tsave_passwd on;\n";
422
423 3462a529 Matthew Grooms
				$racoonconf .= "}\n\n";
424
			}
425
			/* end mode_cfg section */
426 64f3141f Bryan Haase
			
427 9500537d jim-p
// Disable this for now, when LDAP support returns it will be via external script auth, 
428
//    since we no longer build racoon with LDAP integrated. This is only preventing racoon from running.
429
//
430
//			if ($a_client['user_source'] != "system") {
431
//				if (is_array($config['system']['authserver'])) {
432
//					foreach ($config['system']['authserver'] as $authcfg) {
433
//						if ($authcfg['type'] == 'ldap' and $authcfg['name'] == $a_client['user_source']) 
434
//							$thisauthcfg = $authcfg;
435
//					}
436
//
437
//					/* begin ldapcfg */
438
//					$racoonconf .= "ldapcfg {\n";
439
//					$racoonconf .= "\tversion 3;\n";
440
//					$racoonconf .= "\thost \"".$thisauthcfg['host']."\";\n";
441
//					$lport = "389";
442
//					if ($authcfg['port'] != "")
443
//						$lport = $authcfg['port'];
444
//					$racoonconf .= "\tport ".$lport.";\n";
445
//					$racoonconf .= "\tbase \"".$thisauthcfg['ldap_basedn']."\";\n";
446
//					$racoonconf .= "\tsubtree on;\n";
447
//					$racoonconf .= "\tbind_dn \"".$thisauthcfg['ldap_binddn']."\";\n";
448
//					$racoonconf .= "\tbind_pw \"".$thisauthcfg['ldap_bindpw']."\";\n";
449
//					$racoonconf .= "\tattr_user \"".$thisauthcfg['ldap_attr_user']."\";\n";
450
//					$racoonconf .= "}\n\n";
451
//					/* end ldapcfg */
452
//				}
453
//			}
454 96267107 Ermal
455 a93e56c5 Matthew Grooms
			/* begin remote sections */
456
			if (is_array($a_phase1) && count($a_phase1)) {
457
				/* begin remote */
458
				foreach ($a_phase1 as $ph1ent) {
459 3462a529 Matthew Grooms
460 a93e56c5 Matthew Grooms
					if (isset($ph1ent['disabled']))
461
						continue;
462 c52719a8 Scott Ullrich
463 3462a529 Matthew Grooms
					if (isset($ph1ent['mobile']) && !isset($a_client['enable']))
464
						continue;
465
466 a93e56c5 Matthew Grooms
					$ikeid = $ph1ent['ikeid'];
467 c52719a8 Scott Ullrich
468 0af7398a Matthew Grooms
					$ep = ipsec_get_phase1_src($ph1ent);
469 a93e56c5 Matthew Grooms
					if (!$ep)
470 979cd6db Scott Ullrich
						continue;
471 c52719a8 Scott Ullrich
472 3462a529 Matthew Grooms
					if (!isset($ph1ent['mobile'])) {
473
						$rgip = $rgmap[$ph1ent['remote-gateway']];
474
						if (!$rgip)
475
							continue;
476
					}
477
478 a93e56c5 Matthew Grooms
					$myid_type = $ph1ent['myid_type'];
479 c52719a8 Scott Ullrich
480 a93e56c5 Matthew Grooms
					switch ($myid_type) {
481 725dd10a Scott Ullrich
482 a93e56c5 Matthew Grooms
						case "myaddress":
483
							$myid_type = "address";
484
							$myid_data = $ep;
485
							break;
486
487
						case "dyn_dns":
488 19ef5120 Ermal Lu?i
							$myid_type = "address";
489 6c4f3b54 Seth Mos
							$myid_data = resolve_retry($ph1ent['myid_data']);
490 a93e56c5 Matthew Grooms
							break;
491 c52719a8 Scott Ullrich
492 a93e56c5 Matthew Grooms
						case "address";
493
							$myid_data = $ph1ent['myid_data'];
494
							break;
495
496
						case "fqdn";
497
						case "keyid tag";
498
						case "user_fqdn";
499
						case "asn1dn";
500
							$myid_data = $ph1ent['myid_data'];
501
							if( $myid_data )
502
								$myid_data = "\"".$myid_data."\"";
503
							break;
504 a63f7d55 Scott Ullrich
					}
505 c52719a8 Scott Ullrich
506 a93e56c5 Matthew Grooms
					$peerid_type = $ph1ent['peerid_type'];
507
508
					switch ($peerid_type) {
509
						case "peeraddress":
510
							$peerid_type = "address";
511
							$peerid_data = $rgip;
512
							break;
513
514
						case "address";
515
							$peerid_data = $ph1ent['peerid_data'];
516
							break;
517
518
						case "fqdn";
519
						case "keyid tag";
520
						case "user_fqdn";
521
						case "asn1dn";
522
							$peerid_data = $ph1ent['peerid_data'];
523
							if( $peerid_data )
524
								$peerid_data = "\"".$peerid_data."\"";
525
							break;
526 d597b0b9 Scott Ullrich
					}
527
528 3462a529 Matthew Grooms
					$natt = "off";
529 a93e56c5 Matthew Grooms
					if (isset($ph1ent['nat_traversal']))
530 3462a529 Matthew Grooms
						$natt = $ph1ent['nat_traversal'];
531
532
					$init = "on";
533 5cd9e96a jim-p
					$genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off";
534 4ccea790 jim-p
					$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim";
535 cee72940 jim-p
					$passive = "";
536 3462a529 Matthew Grooms
					if (isset($ph1ent['mobile'])) {
537
						$rgip = "anonymous";
538 9c04a8c0 Chris Buechler
						$passive = "passive on;";
539 ac91bae5 jim-p
						$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey";
540 10d171f2 jim-p
						/* Mimic 1.2.3's behavior for pure-psk mobile tunnels */
541 d98f1fa9 jim-p
						if ($ph1ent['authentication_method'] == "pre_shared_key") {
542 5cd9e96a jim-p
							$genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on";
543 d98f1fa9 jim-p
						} else {
544
							$init = "off";
545 5cd9e96a jim-p
							$genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique";
546 d98f1fa9 jim-p
						}
547 3462a529 Matthew Grooms
					}
548
549
					$dpdline1 = '';
550
					$dpdline2 = '';
551
					if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
552
						$dpdline1 = "dpd_delay = {$ph1ent['dpd_delay']};";
553
						$dpdline2 = "dpd_maxfail = {$ph1ent['dpd_maxfail']};";
554
					}
555 c52719a8 Scott Ullrich
556 a93e56c5 Matthew Grooms
					if (isset ($ph1ent['authentication_method']))
557
						$authmethod = $ph1ent['authentication_method'];
558
					else
559 979cd6db Scott Ullrich
						$authmethod = 'pre_shared_key';
560 a63f7d55 Scott Ullrich
561 979cd6db Scott Ullrich
					$certline = '';
562
563 3462a529 Matthew Grooms
					if (strstr($authmethod,'rsa')) {
564 c52719a8 Scott Ullrich
565 73fbece8 mgrooms
						$cert = lookup_cert($ph1ent['certref']);
566 979cd6db Scott Ullrich
567 73fbece8 mgrooms
						if (!$cert)
568
						{
569 89ceb4ba Renato Botelho
							log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
570 73fbece8 mgrooms
							continue;
571 a63f7d55 Scott Ullrich
						}
572 73fbece8 mgrooms
573
						$certfile = "cert-".$ikeid.".crt";
574
						$certpath = $g['varetc_path']."/".$certfile;
575
576
						if (!file_put_contents($certpath, base64_decode($cert['crt'])))
577
						{
578 89ceb4ba Renato Botelho
							log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
579 73fbece8 mgrooms
							continue;
580 979cd6db Scott Ullrich
						}
581 73fbece8 mgrooms
582
						chmod($certpath, 0600);
583
584
						$keyfile = "cert-".$ikeid.".key";
585
						$keypath = $g['varetc_path']."/".$keyfile;
586
587 dd30341d Eirik Oeverby
						if (!file_put_contents($keypath, base64_decode($cert['prv'])))
588 73fbece8 mgrooms
						{
589 89ceb4ba Renato Botelho
							log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
590 73fbece8 mgrooms
							continue;
591 979cd6db Scott Ullrich
						}
592 73fbece8 mgrooms
593
						chmod($keypath, 0600);
594
595 a22d475f jim-p
						$ca = lookup_ca($ph1ent['caref']);
596 dc291feb jim-p
						if ($ca) {
597
							$cafile = "ca-".$ikeid.".crt";
598
							$capath = $g['varetc_path']."/".$cafile;
599
600
							if (!file_put_contents($capath, base64_decode($ca['crt'])))
601
							{
602 89ceb4ba Renato Botelho
								log_error(sprintf(gettext("Error: Cannot write phase1 CA certificate file for %s"), $ph1ent['name']));
603 dc291feb jim-p
								continue;
604
							}
605 96ef83a7 jim-p
606 dc291feb jim-p
							chmod($capath, 0600);
607
							$caline = "ca_type x509 \"".basename($capath)."\";";
608 96ef83a7 jim-p
						}
609
610 dd30341d Eirik Oeverby
						$certline = "certificate_type x509 \"".basename($certpath)."\" \"".basename($keypath)."\";";
611 96ef83a7 jim-p
612 c52719a8 Scott Ullrich
					}
613 a93e56c5 Matthew Grooms
614
					$ealgos = '';
615
					$ealg_id = $ph1ent['encryption-algorithm']['name'];
616
					$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
617
					if ($ealg_kl)
618
						$ealgos = $ealgos.$ealg_id." ".$ealg_kl;
619
					else
620
						$ealgos = $ealgos.$ealg_id;
621
622
					$lifeline = '';
623
					if ($ph1ent['lifetime'])
624
						$lifeline = "lifetime time {$ph1ent['lifetime']} secs;";
625 3462a529 Matthew Grooms
626 36d047f5 jim-p
					/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
627
					if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) {
628
						$peerid_spec = "peers_identifier {$peerid_type} {$peerid_data};";
629
					}
630
631 a93e56c5 Matthew Grooms
					/* add remote section to configuration */
632
633 979cd6db Scott Ullrich
					$racoonconf .=<<<EOD
634 3462a529 Matthew Grooms
635 a93e56c5 Matthew Grooms
remote {$rgip}
636
{
637
	ph1id {$ikeid};
638
	exchange_mode {$ph1ent['mode']};
639
	my_identifier {$myid_type} {$myid_data};
640 36d047f5 jim-p
	{$peerid_spec}
641 a93e56c5 Matthew Grooms
	ike_frag on;
642 3462a529 Matthew Grooms
	generate_policy = {$genp};
643
	initial_contact = {$init};
644
	nat_traversal = {$natt};
645 a63f7d55 Scott Ullrich
	{$certline}
646 96ef83a7 jim-p
	{$caline}
647 3462a529 Matthew Grooms
	{$dpdline1}
648
	{$dpdline2}
649 5b237745 Scott Ullrich
	support_proxy on;
650 bdf4ad85 jim-p
	proposal_check {$pcheck};
651
	{$passive}
652 5b237745 Scott Ullrich
653 a93e56c5 Matthew Grooms
	proposal
654
	{
655 a63f7d55 Scott Ullrich
		authentication_method {$authmethod};
656 a93e56c5 Matthew Grooms
		encryption_algorithm ${ealgos};
657
		hash_algorithm {$ph1ent['hash-algorithm']};
658
		dh_group {$ph1ent['dhgroup']};
659
		${lifeline}
660
	}
661
}
662 5b237745 Scott Ullrich
663
EOD;
664 a93e56c5 Matthew Grooms
				}
665
				/* end remote */
666
			}
667
			/* end remote sections */
668
		
669
			/* begin sainfo sections */
670
			if (is_array($a_phase2) && count($a_phase2)) {
671 3462a529 Matthew Grooms
672 a93e56c5 Matthew Grooms
				/* begin sainfo */
673
				foreach ($a_phase2 as $ph2ent) {
674 c52719a8 Scott Ullrich
675 a93e56c5 Matthew Grooms
					$ikeid = $ph2ent['ikeid'];
676 c52719a8 Scott Ullrich
677 4b96b367 mgrooms
					if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
678
						continue;
679
680
					if (isset($ph1ent['disabled']))
681
						continue;
682
683 3462a529 Matthew Grooms
					if (isset($ph2ent['disabled']))
684
						continue;
685
686
					if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
687
						continue;
688
689 98790f61 Seth Mos
					if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
690 c52719a8 Scott Ullrich
691 4b96b367 mgrooms
						$localid_type = $ph2ent['localid']['type'];
692 98790f61 Seth Mos
						$ph2ent['localid']['mode'] = $ph2ent['mode'];
693 4b96b367 mgrooms
						$localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
694 8f5c3d8d Pierre POMES
						/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
695 8ab82dec jim-p
						if (($localid_type == "none") ||
696
							(($ph1ent['authentication_method'] == "xauth_psk_server") ||
697
							($ph1ent['authentication_method'] == "pre_shared_key"))
698 8f5c3d8d Pierre POMES
							&& isset($ph1ent['mobile'])
699
							&& (ipsec_get_number_of_phase2($ikeid)==1))
700 63017a73 Ermal Lu?i
							$localid_spec = " ";
701 aab78bd9 pierrepomes
						else {
702 20699f3f jim-p
							if ($localid_type != "address") {
703
								$localid_type = "subnet";
704
							}
705 cf0a2714 jim-p
							// Don't let an empty subnet into racoon.conf, it can cause parse errors. Ticket #2201.
706 e3df974b jim-p
							if (!is_ipaddr($localid_data) && !is_subnet($localid_data)) {
707 cf0a2714 jim-p
								log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
708
								continue;
709
							}
710 db535a1c Ermal
							$localid_spec = "{$localid_type} {$localid_data} any";
711 3c107b76 Ermal
							if (!empty($ph2ent['natlocalid'])) {
712
								$natlocalid_data =  ipsec_idinfo_to_cidr($ph2ent['natlocalid']);
713 a0c4a6ce Ermal
								if ($ph2ent['natlocalid']['type'] != "address") {
714
									if (is_subnet($natlocalid_data))
715 909890c4 Ermal
										$localid_spec .= " nat subnet {$natlocalid_data} any";
716 a0c4a6ce Ermal
								} else {
717
									if (is_ipaddr($natlocalid_data))
718 909890c4 Ermal
										$localid_spec .= " nat address {$natlocalid_data} any";
719 3c107b76 Ermal
								}
720
							}
721 20699f3f jim-p
						}
722 3462a529 Matthew Grooms
723 4b96b367 mgrooms
						if (!isset($ph2ent['mobile'])) {
724
							$remoteid_type = $ph2ent['remoteid']['type'];
725
							if ($remoteid_type != "address")
726
								$remoteid_type = "subnet";
727 3462a529 Matthew Grooms
728 4b96b367 mgrooms
							$remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
729
							$remoteid_spec = $remoteid_type." ".$remoteid_data." any";
730
						} else
731
							$remoteid_spec = "anonymous";
732 3462a529 Matthew Grooms
733 4b96b367 mgrooms
					} else {
734
						$rgip = $rgmap[$ph1ent['remote-gateway']];
735 5b237745 Scott Ullrich
736 20699f3f jim-p
						if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
737
							($ph1ent['authentication_method'] == "pre_shared_key"))
738
							&& isset($ph1ent['mobile']))
739
							$localid_spec = " ";
740
						else {
741
							$localid_data = ipsec_get_phase1_src($ph1ent);
742
							if($ph2ent['mode'] == 'transport') { $localid_data="$localid_data any"; }
743
							$localid_spec = "address {$localid_data}";
744
						}
745
						if (!isset($ph2ent['mobile'])) {
746
							$remoteid_data = $rgmap[$ph1ent['remote-gateway']];
747
							if($ph2ent['mode'] == 'transport') { $remoteid_data="$remoteid_data any"; }
748
							$remoteid_spec = "address {$remoteid_data}";
749
						} else
750
							$remoteid_spec = "anonymous";
751 3462a529 Matthew Grooms
					}
752 c52719a8 Scott Ullrich
753 57dc2556 mgrooms
					if($ph2ent['protocol'] == 'esp') {
754 4b96b367 mgrooms
755
						$ealgos = '';
756 c52719a8 Scott Ullrich
757 4b96b367 mgrooms
						foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
758 c52719a8 Scott Ullrich
759 4b96b367 mgrooms
							$ealg_id = $ealg['name'];
760
							$ealg_kl = $ealg['keylen'];
761 c52719a8 Scott Ullrich
762 4b96b367 mgrooms
							if ($ealg_kl) {
763
								if( $ealg_kl == "auto" ) {
764 4ae540e5 Scott Ullrich
									/*   This seems to be required on my system and was not reproducable
765
									 *   on other systems.   For some reason $p2_ealgos is not defined
766
									 *   and needs to be read back in!?  -sullrich Aug 26, 2009 
767
									 */
768
									if(!$p2_ealgos)
769
										require("ipsec.inc");
770 4b96b367 mgrooms
									$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
771
									$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
772
									$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
773 d86d411a Scott Ullrich
									/* in some cases where include ordering is suspect these variables
774
									   are somehow 0 and we enter this loop forever and timeout after 900
775
									   seconds wrecking bootup */
776 52bcf4b2 Scott Ullrich
									if($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
777 d86d411a Scott Ullrich
										for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
778 4ae540e5 Scott Ullrich
//											Uncomment the next line if you want to test the comment 5 lines up.											
779 68e74187 Scott Ullrich
//											echo "$keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step \n";
780 d86d411a Scott Ullrich
											if ($ealgos)
781
												$ealgos = $ealgos.", ";
782
											$ealgos = $ealgos.$ealg_id." ".$keylen;
783
										}
784 4b96b367 mgrooms
									}
785
								} else {
786
									if ($ealgos)
787 a93e56c5 Matthew Grooms
										$ealgos = $ealgos.", ";
788 4b96b367 mgrooms
									$ealgos = $ealgos.$ealg_id." ".$ealg_kl;
789 a93e56c5 Matthew Grooms
								}
790
							} else {
791
								if ($ealgos)
792
									$ealgos = $ealgos.", ";
793 4b96b367 mgrooms
								$ealgos = $ealgos.$ealg_id;
794 979cd6db Scott Ullrich
							}
795 a93e56c5 Matthew Grooms
						}
796 4b96b367 mgrooms
797
						$ealgosline = "encryption_algorithm {$ealgos};";
798
799
					} else {
800
801
						$ealgosline = "encryption_algorithm null_enc;";
802 a63f7d55 Scott Ullrich
					}
803 c52719a8 Scott Ullrich
804 4b96b367 mgrooms
					$halgos = join(",", $ph2ent['hash-algorithm-option']);
805
					$halgosline = "authentication_algorithm {$halgos};";
806
807
					$pfsline = '';
808
					if ($ph2ent['pfsgroup'])
809
						$pfsline = "pfs_group {$ph2ent['pfsgroup']};";
810
					if (isset($a_client['pfs_group'])) {
811
						$pfsline = '';
812
						if ($a_client['pfs_group'])
813
							$pfsline = "pfs_group {$a_client['pfs_group']};";
814
					}
815
816
					$lifeline = '';
817
					if ($ph2ent['lifetime'])
818
						$lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
819
820 a93e56c5 Matthew Grooms
					/* add sainfo section to configuration */
821
					
822
					$racoonconf .=<<<EOD
823
					
824 3462a529 Matthew Grooms
sainfo {$localid_spec} {$remoteid_spec}
825 a93e56c5 Matthew Grooms
{
826
	remoteid {$ikeid};
827 4b96b367 mgrooms
	{$ealgosline}
828
	{$halgosline}
829 3462a529 Matthew Grooms
	{$pfsline}
830
	{$lifeline}
831 4b96b367 mgrooms
	compression_algorithm deflate;
832 a93e56c5 Matthew Grooms
}
833 5b237745 Scott Ullrich
834
EOD;
835 a93e56c5 Matthew Grooms
				}
836
				/* end sainfo */
837 5b237745 Scott Ullrich
			}
838 a93e56c5 Matthew Grooms
			/* end sainfo sections */
839 c52719a8 Scott Ullrich
840 5b237745 Scott Ullrich
			fwrite($fd, $racoonconf);
841
			fclose($fd);
842 a93e56c5 Matthew Grooms
		}
843
		/* end racoon.conf */
844 c52719a8 Scott Ullrich
845 a93e56c5 Matthew Grooms
		/* generate IPsec policies */
846 7dcf1cc7 jim-p
		/* generate spd.conf */
847
		$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
848
		if (!$fd) {
849
			printf(gettext("Error: cannot open spd.conf in vpn_ipsec_configure().") . "\n");
850
			return 1;
851
		}
852 c52719a8 Scott Ullrich
853 7dcf1cc7 jim-p
		$spdconf = "";
854 3c107b76 Ermal
		$natfilterrules = false;
855 7dcf1cc7 jim-p
		if (is_array($a_phase2) && count($a_phase2)) {
856 e1bcba1f Ermal Lu?i
			/* Try to prevent people from locking themselves out of webgui. Just in case. */
857
			if ($config['interfaces']['lan']) {
858 6c74ac23 Ermal
				$lanip = get_interface_ip("lan");
859 98790f61 Seth Mos
				if (!empty($lanip) && is_ipaddrv4($lanip)) {
860 6c74ac23 Ermal
					$lansn = get_interface_subnet("lan");
861
					$lansa = gen_subnet($lanip, $lansn);
862 98790f61 Seth Mos
					$spdconf .= "spdadd -4 {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
863
					$spdconf .= "spdadd -4 {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
864
				}
865
				$lanipv6 = get_interface_ipv6("lan");
866
				if (!empty($lanipv6) && is_ipaddrv6($lanipv6)) {
867
					$lansnv6 = get_interface_subnetv6("lan");
868
					$lansav6 = gen_subnetv6($lanipv6, $lansnv6);
869
					$spdconf .= "spdadd -6 {$lanipv6}/128 {$lansav6}/{$lansnv6} any -P out none;\n";
870
					$spdconf .= "spdadd -6 {$lansav6}/{$lansnv6} {$lanipv6}/128 any -P in none;\n";
871 6c74ac23 Ermal
				}
872 e1bcba1f Ermal Lu?i
			}
873 c52719a8 Scott Ullrich
874 a93e56c5 Matthew Grooms
			foreach ($a_phase2 as $ph2ent) {
875 3462a529 Matthew Grooms
876 a93e56c5 Matthew Grooms
				if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
877
					continue;
878 c52719a8 Scott Ullrich
879 3462a529 Matthew Grooms
				if (isset($ph1ent['mobile']))
880
					continue;
881
882
				if (isset($ph1ent['disabled']))
883 a93e56c5 Matthew Grooms
					continue;
884
885 3462a529 Matthew Grooms
				if (isset($ph2ent['disabled']))
886 a93e56c5 Matthew Grooms
					continue;
887
888 0af7398a Matthew Grooms
				$ep = ipsec_get_phase1_src($ph1ent);
889 a93e56c5 Matthew Grooms
				if (!$ep)
890
					continue;
891
892
				$rgip = $rgmap[$ph1ent['remote-gateway']];
893 71e91e50 smos
				if(!is_ipaddr($rgip))
894 41393f1e smos
					continue;
895 a93e56c5 Matthew Grooms
896 98790f61 Seth Mos
				$ph2ent['localid']['mode'] = $ph2ent['mode'];
897 a93e56c5 Matthew Grooms
				$localid = ipsec_idinfo_to_cidr($ph2ent['localid'],true);
898
				$remoteid = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true);
899
900 98790f61 Seth Mos
				if(($ph2ent['mode'] == "tunnel") or ($ph2ent['mode'] == 'tunnel6')) {
901 e3df974b jim-p
					// Error will be logged above, no need to log this twice. #2201
902
					if (!is_subnet($localid))
903
						continue;
904
905 98790f61 Seth Mos
					if($ph2ent['mode'] == "tunnel6")
906
						$family = "-6";
907
					else
908
						$family = "-4";
909 4b96b367 mgrooms
910 98790f61 Seth Mos
					$spdconf .= "spdadd {$family} {$localid} {$remoteid} any -P out ipsec " .
911 4b96b367 mgrooms
						"{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
912 a93e56c5 Matthew Grooms
913 3c107b76 Ermal
					if (!empty($ph2ent['natlocalid'])) {
914
						$natlocalid = ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true);
915
						$spdconf .= "spdadd {$family} {$remoteid} {$natlocalid} any -P in ipsec " .
916
							"{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
917
						$natfilterrules = true;
918
					} else
919
						$spdconf .= "spdadd {$family} {$remoteid} {$localid} any -P in ipsec " .
920
							"{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
921 4b96b367 mgrooms
922
				} else {
923
924 dd30341d Eirik Oeverby
					$localid_data = ipsec_get_phase1_src($ph1ent);
925
					$remoteid_data = $rgmap[$ph1ent['remote-gateway']];
926 4b96b367 mgrooms
927 dd30341d Eirik Oeverby
					$spdconf .= "spdadd {$localid_data} {$remoteid_data} any -P out ipsec " .
928
						"{$ph2ent['protocol']}/transport//require;\n";
929
930
					$spdconf .= "spdadd {$remoteid_data} {$localid_data} any -P in ipsec " .
931
						"{$ph2ent['protocol']}/transport//require;\n";
932 4b96b367 mgrooms
933
				}
934 a93e56c5 Matthew Grooms
935
				/* static route needed? */
936 5a61fd69 smos
				if (preg_match("/^carp|^[a-z0-9]+_vip/i", $ph1ent['interface']))
937 a93e56c5 Matthew Grooms
					$parentinterface = link_carp_interface_to_parent($ph1ent['interface']);
938
				else
939
					$parentinterface = $ph1ent['interface'];
940
941 58070e1c Chris Buechler
				if (is_ipaddr($rgip)) {
942 a93e56c5 Matthew Grooms
					/* add endpoint routes to correct gateway on interface */
943
					if (interface_has_gateway($parentinterface)) {
944
						$gatewayip = get_interface_gateway("$parentinterface");
945 a55e9c70 Ermal Lu?i
						$interfaceip = get_interface_ip($parentinterface);
946
						$subnet_bits = get_interface_subnet($parentinterface);
947 a93e56c5 Matthew Grooms
						$subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
948
						/* if the remote gateway is in the local subnet, then don't add a route */
949
						if (! ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {
950
							if(is_ipaddr($gatewayip)) {
951 c60cae98 Seth Mos
								/* FIXME: does adding route-to and reply-to on the in/outbound
952
								 * rules fix this? smos@ 13-01-2009 */
953 131f3a50 jim-p
								// log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
954 8ff6b72c Ermal
								mwexec("/sbin/route change -host {$rgip} {$gatewayip}", true);
955 a93e56c5 Matthew Grooms
							}
956
						}
957 979cd6db Scott Ullrich
					}
958 58070e1c Chris Buechler
				} 
959 a93e56c5 Matthew Grooms
			}
960
		}
961 7dcf1cc7 jim-p
		fwrite($fd, $spdconf);
962
		fclose($fd);
963 a93e56c5 Matthew Grooms
964 c8423fbf Matthew Grooms
		/* needed for racoonctl admin socket */
965 f0c3eea0 Scott Ullrich
		if (!is_dir("/var/db/racoon"))
966 c8423fbf Matthew Grooms
			mkdir("/var/db/racoon/");
967
		
968 a93e56c5 Matthew Grooms
		/* mange racoon process */
969
		if (is_process_running("racoon")) {
970 223547eb Seth Mos
			sleep("0.1");
971 6b5e978b Ermal
			mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false);
972 f3c8bd98 Ermal Lu?i
			/* load SPD without flushing to be safe on config additions or changes. */
973
			mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
974 a93e56c5 Matthew Grooms
		} else {
975
			/* flush SA + SPD entries */
976 c60cae98 Seth Mos
			mwexec("/usr/local/sbin/setkey -FP", false);
977
 			sleep("0.1");
978
			mwexec("/usr/local/sbin/setkey -F", false);
979
 			sleep("0.1");
980
 			/* start racoon */
981 127eb8e0 jim-p
			$ipsecdebug = isset($config['ipsec']['racoondebug']) ? "-d -v" : "";
982
			mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/racoon.conf", false);
983 c60cae98 Seth Mos
 			sleep("0.1");
984
 			/* load SPD */
985
			mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
986 a93e56c5 Matthew Grooms
987 d161b4d4 smos
		}
988 3c107b76 Ermal
		if ($natfilterrules == true)
989
			filter_configure();
990 d161b4d4 smos
		/* start filterdns, if necessary */
991
		if (count($filterdns_list) > 0) {
992
			$interval = 60;
993
			if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
994
				$interval = $ipseccfg['dns-interval'];
995
996
			$hostnames = "";
997
			array_unique($filterdns_list);
998
			foreach ($filterdns_list as $hostname)
999 4e192846 Ermal
				$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
1000 d161b4d4 smos
			file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames);
1001
1002
			killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
1003 8c218e1d Ermal
			sleep(1);
1004 d161b4d4 smos
			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1");
1005 5b237745 Scott Ullrich
		}
1006 a93e56c5 Matthew Grooms
	
1007 924876a8 Ermal Lu?i
		vpn_ipsec_failover_configure();
1008 a63f7d55 Scott Ullrich
1009 72bd8df5 Ermal Lu?i
		if ($g['booting'])
1010 924876a8 Ermal Lu?i
			echo "done\n";
1011 5b237745 Scott Ullrich
	}
1012 8f67a8e1 Scott Ullrich
1013 5b237745 Scott Ullrich
	return 0;
1014
}
/* Forcefully restart IPsec.
 * This is required when dynamic interfaces reload.
 * On all other occasions the normal vpn_ipsec_configure()
 * gracefully reloads the settings without restarting.
 */
/* Forcefully restart the IPsec daemon (racoon).
 *
 * The running racoon is asked to stop with killall, given four seconds,
 * then SIGKILLed through its pid file to be sure. After a further one
 * second pause the service is brought back up via vpn_ipsec_configure(),
 * but only if IPsec is enabled in $config['ipsec'].
 *
 * No return value.
 */
function vpn_ipsec_force_reload() {
	global $config, $g;

	$ipseccfg = $config['ipsec'];

	/* stop a running racoon */
	if (is_process_running("racoon")) {
		mwexec("/usr/bin/killall racoon", true);
	}

	/* give it time to exit on its own */
	sleep(4);

	/* then make sure with a SIGKILL through the pid file */
	sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");

	/* wait for flushing to finish */
	sleep(1);

	/* start up again only when IPsec is enabled */
	if (!isset($ipseccfg['enable'])) {
		return;
	}

	log_error(gettext("Forcefully reloading IPsec racoon daemon"));
	vpn_ipsec_configure();
}
/* Master setup for the mpd based VPN services.
 *
 * Runs the pptpd, pppoe server and l2tp configuration routines in that
 * order. Does nothing when the platform is 'jail'. No return value.
 */
function vpn_setup() {
	global $g;

	/* the mpd services are not started on the jail platform */
	if ($g['platform'] == 'jail') {
		return;
	}

	/* pptpd */
	vpn_pptpd_configure();

	/* pppoe server(s) */
	vpn_pppoes_configure();

	/* l2tp */
	vpn_l2tp_configure();
}
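/* Attach netgraph(4) to every configured interface whose underlying
 * NIC type is one of "ether", "vlan" or "bridge".
 *
 * Interfaces for which pfSense_get_interface_addresses() returns nothing
 * are skipped. No return value.
 */
function vpn_netgraph_support() {
	$iflist = get_configured_interface_list();
	foreach ($iflist as $iface) {
		$realif = get_real_interface($iface);
		/* Get support for netgraph(4) from the nic */
		$ifinfo = pfSense_get_interface_addresses($realif);
		if (empty($ifinfo)) {
			continue;
		}
		/* strict comparison so only an exact type string matches */
		if (in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"), true)) {
			pfSense_ngctl_attach(".", $realif);
		}
	}
}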
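/* Configure and start the PPTP VPN server (mpd).
 *
 * Reads $config['pptpd'] and $config['system'], writes mpd.conf,
 * mpd.links and mpd.secret under {$g['varetc_path']}/pptp-vpn and
 * launches mpd4 with the "pptps" bundle set. While booting the function
 * returns early when the service is off; otherwise a running instance is
 * killed first and its configuration files are removed. Only mode
 * 'server' generates anything; 'redir' is accepted but does nothing.
 *
 * Returns 0 on success, 1 when one of the configuration files cannot be
 * opened, and nothing (null) when n_pptp_units is not set.
 */
function vpn_pptpd_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$pptpdcfg = $config['pptpd'];

	if ($g['booting']) {
		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring PPTP VPN service... ");
	} else {
		/* kill mpd */
		killbypid("{$g['varrun_path']}/pptp-vpn.pid");

		/* wait for process to die */
		sleep(3);

		/* NOTE(review): "mpd -b" also matches the pppoe/l2tp mpd instances,
		 * so this retry (and its log line) can fire even when the pptp
		 * instance is already gone -- confirm before tightening the match. */
		if (is_process_running("mpd -b")) {
			killbypid("{$g['varrun_path']}/pptp-vpn.pid");
			log_error(gettext("Could not kill mpd within 3 seconds.   Trying again."));
		}

		/* remove mpd.conf, if it exists */
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.conf");
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.links");
		unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.secret");
	}

	/* Without a unit count there is nothing sensible to generate. The bare
	 * return (null) is kept as-is so existing callers see no change. */
	if (empty($pptpdcfg['n_pptp_units'])) {
		log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
		return;
	}

	/* make sure pptp-vpn directory exists */
	if (!file_exists("{$g['varetc_path']}/pptp-vpn")) {
		mkdir("{$g['varetc_path']}/pptp-vpn");
	}

	switch ($pptpdcfg['mode']) {
		case 'server' :
			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			/* bundle list: one "load ptN" per unit */
			$mpdconf = <<<EOD
pptps:

EOD;

			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdconf .= "	load pt{$i}\n";
			}

			/* one bundle per unit; client addresses are handed out
			 * consecutively starting at remoteip */
			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);

				$mpdconf .= <<<EOD

pt{$i}:
	new -i pptpd{$i} pt{$i} pt{$i}
	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
	load pts

EOD;
			}

			/* settings shared by every bundle */
			$mpdconf .=<<<EOD

pts:
	set iface disable on-demand
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set iface idle 1800
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set bundle enable multilink
	set bundle enable crypt-reqd
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap-msv2
	set link mtu 1460
	set link keep-alive 10 60
	set ipcp yes vjcomp
	set bundle enable compression
	set ccp yes mppc
	set ccp yes mpp-e128
	set ccp yes mpp-stateless

EOD;

			/* 40/56 bit MPPE are only offered when 128 bit is not required */
			if (!isset($pptpdcfg['req128'])) {
				$mpdconf .=<<<EOD
	set ccp yes mpp-e40
	set ccp yes mpp-e56

EOD;
			}

			if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") {
				$mpdconf .= "	set ipcp nbns {$pptpdcfg['wins']}\n";
			}

			/* DNS handed to clients: explicit dns1/dns2, else the LAN address
			 * (plus the first system server) when dnsmasq is enabled, else
			 * the system DNS servers */
			if (!empty($pptpdcfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pptpdcfg['dns1'];
				if (!empty($pptpdcfg['dns2'])) {
					$mpdconf .= " " . $pptpdcfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* NOTE(review): mpd.conf carries the RADIUS shared secret(s) below
			 * but is left with default umask permissions, unlike mpd.secret;
			 * confirm what mpd needs before tightening it to 0600. */
			if (isset($pptpdcfg['radius']['server']['enable'])) {
				/* a port shorter than two characters counts as unset and the
				 * RADIUS default 1812 is used; accounting is assumed on port+1 */
				$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
				$acctport = $authport + 1;
				$mpdconf .=<<<EOD
	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}

EOD;
				/* NOTE(review): server2 reads the 'secret2' key while server
				 * reads 'secret' -- verify the key name against the config
				 * schema and the webgui form */
				if (isset($pptpdcfg['radius']['server2']['enable'])) {
					$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
					$acctport = $authport + 1;
					$mpdconf .=<<<EOD
	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}

EOD;
				}
				$mpdconf .=<<<EOD
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($pptpdcfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct
	set radius acct-update 300

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
				$mpdlinks .=<<<EOD

pt{$i}:
	set link type pptp
	set pptp enable incoming
	set pptp disable originate
	set pptp disable windowing

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);

			/* write mpd.secret */
			$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.secret", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
				return 1;
			}
			/* Restrict permissions before any password is written: fopen()
			 * creates the file with the default umask, so a chmod() only after
			 * the write would leave a window in which the secrets are readable
			 * by other local users. */
			chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600);

			$mpdsecret = "";

			/* one "name \"password\" ip" line per user; backslashes and double
			 * quotes in the password are escaped for mpd's quoted string */
			if (is_array($pptpdcfg['user'])) {
				foreach ($pptpdcfg['user'] as $user) {
					$pass = str_replace('\\', '\\\\', $user['password']);
					$pass = str_replace('"', '\"', $pass);
					$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
				}
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps");

			break;

		case 'redir' :
			break;
	}

	if ($g['booting']) {
		echo "done\n";
	}

	return 0;
}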
/* Configure every PPPoE server instance found in $config['pppoes']['pppoe'].
 *
 * Each entry is handed to vpn_pppoe_configure(); nothing happens when the
 * list is absent or not an array. No return value.
 */
function vpn_pppoes_configure() {
	global $config;

	$servers = $config['pppoes']['pppoe'];
	if (!is_array($servers)) {
		return;
	}

	foreach ($servers as $pppoe) {
		vpn_pppoe_configure($pppoe);
	}
}
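/* Configure and start one PPPoE server instance (mpd).
 *
 * $pppoecfg is a single entry of $config['pppoes']['pppoe']; its 'pppoeid'
 * names the per-instance directory {$g['varetc_path']}/pppoe<id>-vpn and
 * pid file. mpd.conf, mpd.links and (when 'username' is set) mpd.secret
 * are written there and mpd4 is launched with the "poes" bundle set.
 * While booting the function returns early when the instance is off;
 * otherwise a running instance is killed first. Only mode 'server'
 * generates anything.
 *
 * Returns 0 on success and 1 when one of the configuration files cannot
 * be opened.
 */
function vpn_pppoe_configure(&$pppoecfg) {
	global $config, $g;

	$syscfg = $config['system'];

	/* create directory if it does not exist */
	if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) {
		mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn");
	}

	if ($g['booting']) {
		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) {
			return 0;
		}

		echo gettext("Configuring PPPoE VPN service... ");
	} else {
		/* kill mpd */
		killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");

		/* wait for process to die */
		sleep(2);
	}

	switch ($pppoecfg['mode']) {

		case 'server' :

			$pppoe_interface = get_real_interface($pppoecfg['interface']);

			if ($pppoecfg['paporchap'] == "chap") {
				$paporchap = "set link enable chap";
			} else {
				$paporchap = "set link enable pap";
			}

			/* write mpd.conf */
			$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			/* bundle list: one "load poes<id>N" per unit */
			$mpdconf = "\n\n";
			$mpdconf .= "poes:\n";

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdconf .= "	load poes{$pppoecfg['pppoeid']}{$i}\n";
			}

			/* one bundle per unit; client addresses are handed out
			 * consecutively starting at remoteip, unless RADIUS is enabled
			 * and allowed to issue addresses itself */
			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);

				if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
				} else {
					$issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .=<<<EOD

poes{$pppoecfg['pppoeid']}{$i}:
	new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
	{$issue_ip_type}
	load pppoe_standard

EOD;
			}

			/* settings shared by every bundle.
			 * NOTE(review): "set ipcp yes vjcomp" is immediately followed by
			 * "set ipcp no vjcomp"; kept verbatim, but one of them is
			 * presumably stale -- confirm the intended setting. */
			$mpdconf .=<<<EOD

pppoe_standard:
	set bundle no multilink
	set bundle enable compression
	set auth max-logins 1
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set iface idle 0
	set iface disable on-demand
	set iface disable proxy-arp
	set iface enable tcpmssfix
	set iface mtu 1500
	set link no pap chap
	{$paporchap}
	set link keep-alive 60 180
	set ipcp yes vjcomp
	set ipcp no vjcomp
	set link max-redial -1
	set link mtu 1492
	set link mru 1492
	set ccp yes mpp-e40
	set ccp yes mpp-e128
	set ccp yes mpp-stateless
	set link latency 1
	#set ipcp dns 10.10.1.3
	#set bundle accept encryption

EOD;

			/* DNS handed to clients: explicit dns1/dns2, else the LAN address
			 * (plus the first system server) when dnsmasq is enabled, else
			 * the system DNS servers */
			if (!empty($pppoecfg['dns1'])) {
				$mpdconf .= "	set ipcp dns " . $pppoecfg['dns1'];
				if (!empty($pppoecfg['dns2'])) {
					$mpdconf .= " " . $pppoecfg['dns2'];
				}
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable'])) {
				$mpdconf .= "	set ipcp dns " . get_interface_ip("lan");
				if ($syscfg['dnsserver'][0]) {
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				}
				$mpdconf .= "\n";
			} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			/* NOTE(review): mpd.conf carries the RADIUS shared secret below
			 * but is left with default umask permissions, unlike mpd.secret;
			 * confirm what mpd needs before tightening it to 0600. */
			if (isset($pppoecfg['radius']['server']['enable'])) {
				/* unset ports are emitted as empty fields */
				$radiusport = "";
				$radiusacctport = "";
				if (isset($pppoecfg['radius']['server']['port'])) {
					$radiusport = $pppoecfg['radius']['server']['port'];
				}
				if (isset($pppoecfg['radius']['server']['acctport'])) {
					$radiusacctport = $pppoecfg['radius']['server']['acctport'];
				}
				$mpdconf .=<<<EOD
	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($pppoecfg['radius']['accounting'])) {
					$mpdconf .=<<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);

			/* write mpd.links */
			$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.links", "w");
			if (!$fd) {
				printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
				$mpdlinks .=<<<EOD
			
poes{$pppoecfg['pppoeid']}{$i}:
	set phys type pppoe
        set pppoe iface {$pppoe_interface}
        set pppoe service "*"
        set pppoe disable originate
        set pppoe enable incoming

EOD;
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);

			/* 'username' holds space separated "name:base64password:ip"
			 * entries; without it no mpd.secret is written */
			if ($pppoecfg['username']) {
				/* write mpd.secret */
				$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
				if (!$fd) {
					printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
					return 1;
				}
				/* Restrict permissions before any password is written: fopen()
				 * creates the file with the default umask, so a chmod() only
				 * after the write would leave a window in which the secrets
				 * are readable by other local users. */
				chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);

				$mpdsecret = "\n\n";

				$item = explode(" ", $pppoecfg['username']);
				foreach ($item as $userdata) {
					$data = explode(":", $userdata);
					$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
				}

				fwrite($fd, $mpdsecret);
				fclose($fd);
			}

			/* Check if previous instance is still up */
			while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) {
				killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
			}

			/* Get support for netgraph(4) from the nic */
			pfSense_ngctl_attach(".", $pppoe_interface);

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");

			break;
	}

	if ($g['booting']) {
		echo gettext("done") . "\n";
	}

	return 0;
}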
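/* (Re)generate the mpd4 configuration for the L2TP server and start it.
 *
 * Reads $config['l2tp'] (mode, n_l2tp_units, localip/remoteip, dns/wins,
 * radius, secret, user list) and writes mpd.conf, mpd.links and
 * mpd.secret under {$g['varetc_path']}/l2tp-vpn before launching mpd4.
 * While booting, mode "off" is a no-op; otherwise a running instance is
 * killed first. Returns 0 on success and 1 when one of the three files
 * could not be opened for writing. */
function vpn_l2tp_configure() {
	global $config, $g;

	$syscfg = $config['system'];
	$l2tpcfg = $config['l2tp'];
	$vpndir = "{$g['varetc_path']}/l2tp-vpn";
	$pidfile = "{$g['varrun_path']}/l2tp-vpn.pid";
	$mode = isset($l2tpcfg['mode']) ? $l2tpcfg['mode'] : "";

	/* create directory if it does not exist */
	if (!is_dir($vpndir))
		mkdir($vpndir);

	if ($g['booting']) {
		if ($mode == "" || $mode == "off")
			return 0;

		echo gettext("Configuring l2tp VPN service... ");
	} else {
		/* kill mpd */
		killbypid($pidfile);

		/* wait for process to die */
		sleep(8);
	}

	/* a non-numeric unit count must not turn into an endless loop */
	$n_units = isset($l2tpcfg['n_l2tp_units']) ? (int)$l2tpcfg['n_l2tp_units'] : 0;
	$radius_enabled = isset($l2tpcfg['radius']['enable']);

	switch ($mode) {

		case 'server' :
			/* write mpd.conf */
			$fd = fopen("{$vpndir}/mpd.conf", "w");
			if (!$fd) {
				/* echo, not printf: the translated text is not a format string */
				echo gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n";
				return 1;
			}
			$mpdconf = "\n\n";
			$mpdconf .= <<<EOD
l2tps:

EOD;

			for ($i = 0; $i < $n_units; $i++) {
				$mpdconf .= "\tload l2tp{$i}\n";
			}

			for ($i = 0; $i < $n_units; $i++) {
				/* one client address per unit, counting up from remoteip */
				$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);

				if (isset($l2tpcfg['radius']['radiusissueips']) && $radius_enabled) {
					/* RADIUS hands out the client address, so accept any */
					$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
				} else {
					$ipcp_ranges = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
				}

				$mpdconf .= <<<EOD

l2tp{$i}:
	new -i l2tp{$i} l2tp{$i} l2tp{$i}
	{$ipcp_ranges}
	load l2tp_standard

EOD;
			}

			/* NOTE(review): $l2tpcfg['paporchap'] is not applied anywhere in this
			 * function; the section below always enables CHAP only. */
			$mpdconf .= <<<EOD

l2tp_standard:
        set bundle disable multilink
        set bundle enable compression
        set bundle yes crypt-reqd
        set ipcp yes vjcomp
        # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
        set ccp yes mppc
        set iface disable on-demand
        set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 180

EOD;

			if (isset($l2tpcfg['wins']) && is_ipaddr($l2tpcfg['wins'])) {
				$mpdconf .= "\tset ipcp nbns {$l2tpcfg['wins']}\n";
			}
			if (isset($l2tpcfg['dns1']) && is_ipaddr($l2tpcfg['dns1'])) {
				/* explicitly configured servers win over everything else */
				$mpdconf .= "\tset ipcp dns " . $l2tpcfg['dns1'];
				if (isset($l2tpcfg['dns2']) && is_ipaddr($l2tpcfg['dns2']))
					$mpdconf .= " " . $l2tpcfg['dns2'];
				$mpdconf .= "\n";
			} elseif (isset($config['dnsmasq']['enable'])) {
				/* the local forwarder on LAN, with the first system server as backup */
				$mpdconf .= "\tset ipcp dns " . get_interface_ip("lan");
				if (!empty($syscfg['dnsserver'][0]))
					$mpdconf .= " " . $syscfg['dnsserver'][0];
				$mpdconf .= "\n";
			} elseif (isset($syscfg['dnsserver']) && is_array($syscfg['dnsserver']) && !empty($syscfg['dnsserver'][0])) {
				$mpdconf .= "\tset ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
			}

			if ($radius_enabled) {
				$mpdconf .= <<<EOD
	set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
	set radius retries 3
	set radius timeout 10
	set auth enable radius-auth

EOD;

				if (isset($l2tpcfg['radius']['accounting'])) {
					$mpdconf .= <<<EOD
	set auth enable radius-acct

EOD;
				}
			}

			fwrite($fd, $mpdconf);
			fclose($fd);
			/* may carry the RADIUS secret; mpd already reads mpd.secret at 0600,
			 * so the same mode is safe here */
			chmod("{$vpndir}/mpd.conf", 0600);

			/* write mpd.links */
			$fd = fopen("{$vpndir}/mpd.links", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n";
				return 1;
			}

			$mpdlinks = "";

			for ($i = 0; $i < $n_units; $i++) {
				$mpdlinks .= <<<EOD

l2tp{$i}:
	set link type l2tp
        set l2tp enable incoming
        set l2tp disable originate

EOD;
				if (!empty($l2tpcfg['secret'])) {
					/* indented like the commands above so mpd keeps it inside
					 * the l2tp{$i} section; a line at column 0 starts a new label.
					 * NOTE(review): the secret is not quoted, whitespace in it
					 * would be split into separate words. */
					$mpdlinks .= "\tset l2tp secret {$l2tpcfg['secret']}\n";
				}
			}

			fwrite($fd, $mpdlinks);
			fclose($fd);
			chmod("{$vpndir}/mpd.links", 0600);

			/* write mpd.secret */
			$fd = fopen("{$vpndir}/mpd.secret", "w");
			if (!$fd) {
				echo gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n";
				return 1;
			}

			$mpdsecret = "\n\n";

			if (isset($l2tpcfg['user']) && is_array($l2tpcfg['user'])) {
				/* NOTE(review): the password goes into a quoted field without
				 * escaping; a '"' in it breaks the line for mpd */
				foreach ($l2tpcfg['user'] as $user)
					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
			}

			fwrite($fd, $mpdsecret);
			fclose($fd);
			chmod("{$vpndir}/mpd.secret", 0600);

			vpn_netgraph_support();

			/* fire up mpd */
			mwexec("/usr/local/sbin/mpd4 -b -d {$vpndir} -p {$pidfile} -s l2tps l2tps");

			break;

		case 'redir' :
			/* nothing to generate for redirect mode */
			break;
	}

	if ($g['booting'])
		echo "done\n";

	return 0;
}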
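/* Walk the tunnels for hostname endpoints. If the hostnames
 * resolve to a different IP now compared to the DNS cache
 * we reload the policies if the endpoint has changed.
 *
 * Returns true when IPsec is disabled (nothing to do) and nothing
 * otherwise; as a last step every pending spd.conf.reload.* file in
 * tmp_path is applied with setkey(8). */
function vpn_ipsec_refresh_policies() {
	global $config;
	global $g;

	$ipseccfg = $config['ipsec'];
	$a_phase1 = isset($ipseccfg['phase1']) ? $ipseccfg['phase1'] : null;
	$a_phase2 = isset($ipseccfg['phase2']) ? $ipseccfg['phase2'] : null;

	if (isset($ipseccfg['disable'])) {
		return true;
	}

	/* Walk the Ipsec tunnel array */
	if (!is_array($a_phase1) || (!count($a_phase1))) {
		return;
	}

	foreach ($a_phase1 as $phase1) {
		if (isset($phase1['disabled'])) {
			continue;
		}
		/* only a hostname can change its address; literal IPs are skipped */
		if (is_ipaddr($phase1['remote-gateway'])) {
			continue;
		}
		$dnscache = trim(compare_hostname_to_dnscache($phase1['remote-gateway']));
		/* we should have the old IP addresses in the dnscache now */
		if ($dnscache === "") {
			continue;
		}
		/* now we need to find all tunnels for this host */
		if (!is_array($a_phase2) || (!count($a_phase2))) {
			continue;
		}
		$oldphase1 = $phase1;
		$oldphase1['remote-gateway'] = $dnscache;
		foreach ($a_phase2 as $phase2) {
			if ($phase2['ikeid'] == $phase1['ikeid']) {
				/* no previous phase2 is tracked here; reload_tunnel_spd_policy()
				 * substitutes the current one for an empty argument */
				reload_tunnel_spd_policy($phase1, $phase2, $oldphase1, null);
			}
		}
	}

	_vpn_ipsec_apply_pending_spd_files();
}

/* Apply, oldest first, every spd.conf.reload.* file left in tmp_path by
 * reload_tunnel_spd_policy() (or by manual edits) with setkey(8). Files
 * that applied cleanly are removed; the others are renamed failed.<name>
 * so they are not retried on the next pass.
 *
 * NOTE(review): anything matching the prefix in tmp_path is fed to setkey
 * as-is, so tmp_path must not be writable by untrusted local users. */
function _vpn_ipsec_apply_pending_spd_files() {
	global $g;

	$dh = opendir($g['tmp_path']);
	if ($dh === false) {
		log_error(sprintf(gettext("Could not open '%s' to look for pending spd.conf files"), $g['tmp_path']));
		return;
	}
	$tmpfiles = array();
	while (false !== ($filename = readdir($dh))) {
		/* tempnam() in reload_tunnel_spd_policy() names them spd.conf.reload.<time>.<random> */
		if (preg_match("/^spd\.conf\.reload\./", $filename)) {
			$tmpfiles[] = $filename;
		}
	}
	/* the handle used to stay open for the rest of the request */
	closedir($dh);
	sort($tmpfiles);

	foreach ($tmpfiles as $tmpfile) {
		$path = "{$g['tmp_path']}/{$tmpfile}";
		/* the name comes from a directory listing, not from our own
		 * tempnam() call, so quote it before it reaches the shell */
		$ret = mwexec("/usr/local/sbin/setkey -f " . escapeshellarg($path) . " 2>&1", false);
		if ($ret == 0) {
			unlink_if_exists($path);
		} else {
			rename($path, "{$g['tmp_path']}/failed.{$tmpfile}");
		}
	}
}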
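/* reloads the tunnel configuration for a tunnel item
 * Will remove and add SPD polices.
 *
 * $phase1/$phase2 are the tunnel as configured now, $old_phase1/$old_phase2
 * the tunnel as it was last applied; an empty old value means "unchanged".
 * Nothing is applied here: the setkey(8) script is written to a
 * spd.conf.reload.* file in tmp_path, which vpn_ipsec_refresh_policies()
 * later feeds to setkey. Returns false when no usable endpoint address
 * could be determined or the script could not be written, true otherwise. */
function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
	global $config;
	global $g;

	/* if we are not passed a old tunnel array we create one */
	if (empty($old_phase1)) {
		$old_phase1 = $phase1;
	}
	if (empty($old_phase2)) {
		$old_phase2 = $phase2;
	}

	$sad_arr = ipsec_dump_sad();
	if (!is_array($sad_arr)) {
		$sad_arr = array();
	}

	/* current endpoints and subnets */
	$ep = ipsec_get_phase1_src($phase1);
	$phase2['localid']['mode'] = $phase2['mode'];
	$local_subnet = ipsec_idinfo_to_cidr($phase2['localid']);
	$remote_subnet = ipsec_idinfo_to_cidr($phase2['remoteid']);

	/* make sure we pass the oldtunnel array with a IP for the remote gw
	 * (the caller fills it from the DNS cache) */
	$old_gw = trim($old_phase1['remote-gateway']);
	$old_ep = ipsec_get_phase1_src($old_phase1);
	$old_phase2['localid']['mode'] = $old_phase2['mode'];
	$old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['localid']);
	$old_remote_subnet = ipsec_idinfo_to_cidr($old_phase2['remoteid']);

	/* see if this tunnel has a hostname for the remote-gateway, and if so,
	 * try to resolve it now and add it to the list for filterdns */
	$rgip = "";
	if (!is_ipaddr($phase1['remote-gateway'])) {
		/* while booting the name is only handed to filterdns, not resolved
		 * here, so $rgip stays empty and the tunnel is skipped below */
		if (!$g['booting']) {
			$rgip = resolve_retry($phase1['remote-gateway']);
		}
		add_hostname_to_watch($phase1['remote-gateway']);
		if (!is_ipaddr($rgip)) {
			log_error(sprintf(gettext("Could not determine VPN endpoint for '%s'"), $phase1['descr']));
			return false;
		}
	} else {
		$rgip = $phase1['remote-gateway'];
	}
	if (!$ep) {
		log_error(sprintf(gettext("Could not determine VPN endpoint for '%s'"), $phase1['descr']));
		return false;
	}

	/* logged but not fatal */
	if ((!is_ipaddr($old_ep)) || (!is_ipaddr($ep))) {
		log_error(sprintf(gettext("IPSEC: ERROR: One of the endpoints is not a IP address. Old EP '%1\$s' new EP '%2\$s'"), $old_ep, $ep));
	}
	if ((!is_ipaddr($rgip)) || (!is_ipaddr($old_gw))) {
		log_error(sprintf(gettext("IPSEC: ERROR: One of the remote endpoints is not a IP address. Old RG '%1\$s' new RG '%2\$s'"), $old_gw, $rgip));
	}

	$spdconf = "";
	/* Delete old SPD policies if there are changes between the old and new */
	if (($phase1 != $old_phase1) || ($phase2 != $old_phase2)) {
		$family = ($old_phase2['mode'] == "tunnel6") ? "-6" : "-4";

		$spdconf .= "spddelete {$family} {$old_local_subnet} " .
			"{$old_remote_subnet} any -P out ipsec " .
			"{$old_phase2['protocol']}/tunnel/{$old_ep}-" .
			"{$old_gw}/unique;\n";
		/* the inbound policy carries the NAT'd local id when one is set */
		if (!empty($old_phase2['natlocalid']))
			$old_local_subnet = ipsec_idinfo_to_cidr($old_phase2['natlocalid']);
		$spdconf .= "spddelete {$family} {$old_remote_subnet} " .
			"{$old_local_subnet} any -P in ipsec " .
			"{$old_phase2['protocol']}/tunnel/{$old_gw}-" .
			"{$old_ep}/unique;\n";

		/* zap any existing SA entries, in both directions */
		foreach ($sad_arr as $sad) {
			if (($sad['dst'] == $old_ep) && ($sad['src'] == $old_gw)) {
				$spdconf .= "delete {$family} {$old_ep} {$old_gw} {$old_phase2['protocol']} 0x{$sad['spi']};\n";
			}
			/* this used to compare against an unset $oldep, so SAs with our
			 * old endpoint as source were never flushed */
			if (($sad['src'] == $old_ep) && ($sad['dst'] == $old_gw)) {
				$spdconf .= "delete {$family} {$old_gw} {$old_ep} {$old_phase2['protocol']} 0x{$sad['spi']};\n";
			}
		}
	}

	$family = ($phase2['mode'] == "tunnel6") ? "-6" : "-4";

	/* Create new SPD entries for the new configuration */
	/* zap any existing SA entries beforehand */
	foreach ($sad_arr as $sad) {
		if (($sad['dst'] == $ep) && ($sad['src'] == $rgip)) {
			$spdconf .= "delete {$family} {$rgip} {$ep} {$phase2['protocol']} 0x{$sad['spi']};\n";
		}
		if (($sad['src'] == $ep) && ($sad['dst'] == $rgip)) {
			$spdconf .= "delete {$family} {$ep} {$rgip} {$phase2['protocol']} 0x{$sad['spi']};\n";
		}
	}
	/* add new SPD policies to replace them */
	if (!isset($phase1['disabled'])) {
		$spdconf .= "spdadd {$family} {$local_subnet} " .
			"{$remote_subnet} any -P out ipsec " .
			"{$phase2['protocol']}/tunnel/{$ep}-" .
			"{$rgip}/unique;\n";

		if (!empty($phase2['natlocalid']))
			$local_subnet = ipsec_idinfo_to_cidr($phase2['natlocalid']);
		$spdconf .= "spdadd {$family} {$remote_subnet} " .
			"{$local_subnet} any -P in ipsec " .
			"{$phase2['protocol']}/tunnel/{$rgip}-" .
			"{$ep}/unique;\n";
	}

	log_error(sprintf(gettext("Reloading IPsec tunnel '%1\$s'. Previous IP '%2\$s', current IP '%3\$s'. Reloading policy"), $phase1['descr'], $old_gw, $rgip));

	/* generate temporary spd.conf; the prefix is what
	 * vpn_ipsec_refresh_policies() looks for, and the timestamp keeps
	 * several pending files in generation order when they are sorted */
	$now = time();
	$spdfile = tempnam("{$g['tmp_path']}", "spd.conf.reload.{$now}.");
	if ($spdfile === false || file_put_contents($spdfile, $spdconf) === false) {
		log_error(sprintf(gettext("Could not write SPD reload file for IPsec tunnel '%s'"), $phase1['descr']));
		return false;
	}
	return true;
}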
/* Push the "prefer old SA" setting from $config['ipsec'] into the
 * net.key.preferred_oldsa sysctl: -30 when enabled, 0 otherwise. */
function vpn_ipsec_configure_preferoldsa() {
	global $config;

	$preferOld = isset($config['ipsec']['preferoldsa']);
	$cmd = $preferOld
		? "/sbin/sysctl -w net.key.preferred_oldsa=-30"
		: "/sbin/sysctl net.key.preferred_oldsa=0";
	mwexec($cmd);
}
?>