<?php
2
/*
3
	vpn_ipsec_phase1.php
4
	part of m0n0wall (http://m0n0.ch/wall)
5
6
	Copyright (C) 2008 Shrew Soft Inc
7
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
8
	All rights reserved.
9
10
	Redistribution and use in source and binary forms, with or without
11
	modification, are permitted provided that the following conditions are met:
12
13
	1. Redistributions of source code must retain the above copyright notice,
14
	   this list of conditions and the following disclaimer.
15
16
	2. Redistributions in binary form must reproduce the above copyright
17
	   notice, this list of conditions and the following disclaimer in the
18
	   documentation and/or other materials provided with the distribution.
19
20
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
22
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
24
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29
	POSSIBILITY OF SUCH DAMAGE.
30
*/
31
32 6b07c15a Matthew Grooms
##|+PRIV
33
##|*IDENT=page-vpn-ipsec-editphase1
34
##|*NAME=VPN: IPsec: Edit Phase 1 page
35
##|*DESCR=Allow access to the 'VPN: IPsec: Edit Phase 1' page.
36
##|*MATCH=vpn_ipsec_phase1.php*
37
##|-PRIV
38
39 0f84b741 Scott Ullrich
require("functions.inc");
40 a93e56c5 Matthew Grooms
require("guiconfig.inc");
41 483e6de8 Scott Ullrich
require_once("ipsec.inc");
42
require_once("vpn.inc");
43 a93e56c5 Matthew Grooms
44
/* Make sure both IPsec phase lists exist in the running config before
 * taking references to them, so the code below can append entries
 * without re-checking. */
foreach (array('phase1', 'phase2') as $phase) {
	if (!is_array($config['ipsec'][$phase]))
		$config['ipsec'][$phase] = array();
}

$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
52 a93e56c5 Matthew Grooms
53
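/* Resolve which phase1 entry (if any) this page is editing.
 * Precedence: ?dup= (copy an existing entry) > POSTed p1index > ?p1index=.
 * The value is a request-controlled array index into $config['ipsec']['phase1'],
 * so only a plain non-negative integer is accepted; anything else leaves
 * $p1index unset and the page falls back to the "new entry" defaults. */
$p1index = null;
if (isset($_GET['p1index']))
	$p1index = $_GET['p1index'];
if (isset($_POST['p1index']))
	$p1index = $_POST['p1index'];
if (isset($_GET['dup']))
	$p1index = $_GET['dup'];

/* is_scalar() rejects array-valued parameters (p1index[]=...); the /D
 * modifier keeps "3\n" from matching. */
if (!is_scalar($p1index) || !preg_match('/^\d+$/D', (string)$p1index))
	unset($p1index);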
60
61 fad728ab sullrich
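/* Populate the form state ($pconfig) either from the existing phase1 entry
 * selected by $p1index or, for a new entry, from built-in defaults. */
if (isset($p1index) && $a_phase1[$p1index]) {
	// don't copy the ikeid on dup
	if (!isset($_GET['dup']))
		$pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];

	/* Snapshot of the entry before this edit; the save path compares
	 * against it to decide whether routes and SPDs must be reloaded. */
	$old_ph1ent = $a_phase1[$p1index];

	$pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);

	if ($a_phase1[$p1index]['interface'])
		$pconfig['interface'] = $a_phase1[$p1index]['interface'];
	else
		$pconfig['interface'] = "wan";

	/* remote-subnet is never written back by this page; guard the explode()
	 * so an entry without the key does not raise a notice.
	 * NOTE(review): looks like a leftover from the pre-phase2 layout -- confirm
	 * whether anything still reads remotenet/remotebits. */
	if (isset($a_phase1[$p1index]['remote-subnet']))
		list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);

	/* Mobile entries have no fixed remote gateway. */
	if (isset($a_phase1[$p1index]['mobile']))
		$pconfig['mobile'] = 'true';
	else
		$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];

	$pconfig['mode'] = $a_phase1[$p1index]['mode'];
	$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
	$pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
	$pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
	$pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
	$pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
	$pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
	$pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
	$pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
	$pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];

	/* Only the credential matching the method is loaded into the form:
	 * PSK-based methods get the key, everything else the certificate ref. */
	if (($pconfig['authentication_method'] == "pre_shared_key") ||
		($pconfig['authentication_method'] == "xauth_psk_server")) {
		$pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
	} else {
		$pconfig['certref'] = $a_phase1[$p1index]['certref'];
	}

	$pconfig['descr'] = $a_phase1[$p1index]['descr'];
	$pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal'];

	/* DPD is considered enabled only when both parameters are stored. */
	if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) {
		$pconfig['dpd_enable'] = true;
		$pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
		$pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
	}
} else {
	/* defaults */
	$pconfig['interface'] = "wan";
	if($config['interfaces']['lan'])
		$pconfig['localnet'] = "lan";
	$pconfig['mode'] = "aggressive";
	$pconfig['myid_type'] = "myaddress";
	$pconfig['peerid_type'] = "peeraddress";
	$pconfig['authentication_method'] = "pre_shared_key";
	/* Quoted key: the bare `name` here was an undefined-constant lookup
	 * (a notice on older PHP, a fatal error on PHP 8). */
	$pconfig['ealgo'] = array('name' => "3des");
	$pconfig['halgo'] = "sha1";
	$pconfig['dhgroup'] = "2";
	$pconfig['lifetime'] = "28800";
	$pconfig['nat_traversal'] = "on";
	$pconfig['dpd_enable'] = true;

	/* mobile client */
	if (!empty($_GET['mobile']))
		$pconfig['mobile'] = true;
}

/* A duplicated entry is saved as a new one, so forget the source index. */
if (isset($_GET['dup']))
	unset($p1index);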
131
132
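/* Form submission: validate the posted phase1 settings, and when they are
 * clean store them (replacing $a_phase1[$p1index] or appending), refresh the
 * matching phase2 policies, write the config and redirect to the list. */
if ($_POST) {
	unset($input_errors);
	/* Every form field, including the hidden ikeid, is taken verbatim from
	 * the request here; nothing below should trust it without a check. */
	$pconfig = $_POST;

	/* input validation */

	$method = $pconfig['authentication_method'];
	// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
	if ((($method == "pre_shared_key") && (!$pconfig['mobile']))||($method == "xauth_psk_server")) {
		$reqdfields = explode(" ", "pskey");
		$reqdfieldsn = array(gettext("Pre-Shared Key"));
	} else {
		$reqdfields = explode(" ", "certref");
		$reqdfieldsn = array(gettext("My Certificate"));
	}
	if (!$pconfig['mobile']) {
		$reqdfields[] = "remotegw";
		$reqdfieldsn[] = gettext("Remote gateway");
	}

	/* do_input_validation() declares $input_errors by reference in its own
	 * signature; call-time pass-by-reference (&$var at the call site) is no
	 * longer valid PHP. */
	do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);

	/* The error text promises an integer, so require one: is_numeric() would
	 * also accept "1.5" or "1e3". */
	if ($pconfig['lifetime'] && !preg_match('/^\d+$/D', $pconfig['lifetime']))
		$input_errors[] = gettext("The P1 lifetime must be an integer.");

	if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])))
		$input_errors[] = gettext("A valid remote gateway address or host name must be specified.");

	/* A remote gateway may only be used by one enabled phase1 entry at a time;
	 * the entry being edited ($p1index) and disabled entries are skipped. */
	if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
		$t = 0;
		foreach ($a_phase1 as $ph1tmp) {
			if ($p1index <> $t) {
				$tremotegw = $pconfig['remotegw'];
				if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
					/* Both values are passed as sprintf() arguments: the other
					 * entry's description is user-supplied and must not be
					 * interpolated into the format string itself. */
					$input_errors[] = sprintf(gettext("The remote gateway \"%s\" is already used by phase1 \"%s\"."), $tremotegw, $ph1tmp['descr']);
				}
			}
			$t++;
		}
	}

	/* My identity */

	if ($pconfig['myid_type'] == "myaddress")
		$pconfig['myid_data'] = "";

	if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "")
		$input_errors[] = gettext("Please enter an address for 'My Identifier'");

	if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "")
		$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");

	if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "")
		$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");

	if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "")
		$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");

	if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "")
		$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");

	if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data'])))
		$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");

	if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data'])))
		$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");

	if ($pconfig['myid_type'] == "fqdn")
		if (is_domain($pconfig['myid_data']) == false)
			$input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");

	if ($pconfig['myid_type'] == "user_fqdn") {
		$user_fqdn = explode("@",$pconfig['myid_data']);
		if (is_domain($user_fqdn[1]) == false)
			$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
	}

	if ($pconfig['myid_type'] == "dyn_dns")
		if (is_domain($pconfig['myid_data']) == false)
			$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");

	/* Peer identity */

	/* Mirror of the "myaddress" case above: a peer identified by its address
	 * carries no identifier data. The check used to test myid_type, which
	 * never equals "peeraddress", so the field was never cleared. */
	if ($pconfig['peerid_type'] == "peeraddress")
		$pconfig['peerid_data'] = "";

	// Only enforce peer ID if we are not dealing with a pure-psk mobile config.
	if (!(($pconfig['authentication_method'] == "pre_shared_key") && ($pconfig['mobile']))) {
		if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "")
			$input_errors[] = gettext("Please enter an address for 'Peer Identifier'");

		if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "")
			$input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");

		if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "")
			$input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");

		if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "")
			$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");

		if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data'])))
			$input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");

		if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data'])))
			$input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");

		if ($pconfig['peerid_type'] == "fqdn")
			if (is_domain($pconfig['peerid_data']) == false)
				$input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified.");

		if ($pconfig['peerid_type'] == "user_fqdn") {
			$user_fqdn = explode("@",$pconfig['peerid_data']);
			if (is_domain($user_fqdn[1]) == false)
				$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
		}
	}

	if ($pconfig['dpd_enable']) {
		if (!is_numeric($pconfig['dpd_delay']))
			$input_errors[] = gettext("A numeric value must be specified for DPD delay.");

		if (!is_numeric($pconfig['dpd_maxfail']))
			$input_errors[] = gettext("A numeric value must be specified for DPD retries.");
	}

	/* build our encryption algorithms array */
	$pconfig['ealgo'] = array();
	$pconfig['ealgo']['name'] = $_POST['ealgo'];
	if($pconfig['ealgo_keylen'])
		$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];

	if (!$input_errors) {
		$ph1ent['ikeid'] = $pconfig['ikeid'];
		$ph1ent['disabled'] = $pconfig['disabled'] ? true : false;
		$ph1ent['interface'] = $pconfig['interface'];
		/* if the remote gateway changed and the interface is not WAN then remove route */
		/* the vpn_ipsec_configure() handles adding the route */
		if ($pconfig['interface'] <> "wan") {
			/* $old_ph1ent is only set when editing an existing entry. The old
			 * code read a misspelled $oldph1ent here, so the route was never
			 * removed; the host is shell-quoted as it is passed to a command. */
			if (!empty($old_ph1ent['remote-gateway']) && ($old_ph1ent['remote-gateway'] <> $pconfig['remotegw'])) {
				mwexec("/sbin/route delete -host " . escapeshellarg($old_ph1ent['remote-gateway']));
			}
		}

		if ($pconfig['mobile'])
			$ph1ent['mobile'] = true;
		else
			$ph1ent['remote-gateway'] = $pconfig['remotegw'];

		$ph1ent['mode'] = $pconfig['mode'];

		$ph1ent['myid_type'] = $pconfig['myid_type'];
		$ph1ent['myid_data'] = $pconfig['myid_data'];
		$ph1ent['peerid_type'] = $pconfig['peerid_type'];
		$ph1ent['peerid_data'] = $pconfig['peerid_data'];

		$ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
		$ph1ent['hash-algorithm'] = $pconfig['halgo'];
		$ph1ent['dhgroup'] = $pconfig['dhgroup'];
		$ph1ent['lifetime'] = $pconfig['lifetime'];
		$ph1ent['pre-shared-key'] = $pconfig['pskey'];
		/* NOTE(review): no 'privatekey' field exists on this form, so this
		 * stores an empty value -- confirm whether it is still consumed. */
		$ph1ent['private-key'] = base64_encode($pconfig['privatekey']);
		$ph1ent['certref'] = $pconfig['certref'];
		$ph1ent['authentication_method'] = $pconfig['authentication_method'];

		$ph1ent['descr'] = $pconfig['descr'];
		$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];

		if (isset($pconfig['dpd_enable'])) {
			$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
			$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
		}

		/* generate unique phase1 ikeid */
		/* empty() covers the "" a new or duplicated entry posts as well as 0;
		 * the loose `== 0` used before stops matching "" on PHP 8. */
		if (empty($ph1ent['ikeid']))
			$ph1ent['ikeid'] = ipsec_ikeid_next();

		if (isset($p1index) && $a_phase1[$p1index])
			$a_phase1[$p1index] = $ph1ent;
		else
			$a_phase1[] = $ph1ent;

		/* now we need to find all phase2 entries for this host */
		if (is_array($a_phase2) && (count($a_phase2))) {
			foreach ($a_phase2 as $phase2) {
				if($phase2['ikeid'] == $ph1ent['ikeid']) {
					log_error("Reload {$ph1ent['descr']} tunnel(s)");
					/* Resolve the previous gateway to an address so the old
					 * SPD entries can be matched; repeated iterations re-resolve
					 * the address already obtained. */
					$old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']);
					$old_phase2 = $phase2;
					reload_tunnel_spd_policy ($ph1ent, $phase2, $old_ph1ent, $old_phase2);
				}
			}
		}
		write_config();
		mark_subsystem_dirty('ipsec');

		header("Location: vpn_ipsec.php");
		exit;
	}
}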
331
332 3462a529 Matthew Grooms
/* Page title and the status/log links picked up by head.inc; the
 * mobile-client variant of the page gets an extra breadcrumb. */
$pgtitle = array(gettext("VPN"), gettext("IPsec"), gettext("Edit Phase 1"));
if ($pconfig['mobile'])
	$pgtitle[] = gettext("Mobile Client");
$statusurl = "diag_ipsec.php";
$logurl = "diag_logs_ipsec.php";

include("head.inc");
341
342
?>
343
344
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
345
<?php include("fbegin.inc"); ?>
346
<script language="JavaScript">
347
<!--
348 3462a529 Matthew Grooms
349
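/* Show the free-text "My identifier" field only when the selected type
 * needs one; 'myaddress' takes the identity from the interface address. */
function myidsel_change() {
	// 'var' keeps these local; they used to leak as implicit globals.
	var index = document.iform.myid_type.selectedIndex;
	var value = document.iform.myid_type.options[index].value;
	document.getElementById('myid_data').style.visibility =
		(value == 'myaddress') ? 'hidden' : 'visible';
}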
357
358
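/* Show the free-text "Peer identifier" field only when the selected type
 * needs one; 'peeraddress' identifies the peer by its address. */
function peeridsel_change() {
	// 'var' keeps these local; they used to leak as implicit globals.
	var index = document.iform.peerid_type.selectedIndex;
	var value = document.iform.peerid_type.options[index].value;
	document.getElementById('peerid_data').style.visibility =
		(value == 'peeraddress') ? 'hidden' : 'visible';
}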
366
367 a93e56c5 Matthew Grooms
/* Show or hide the PSK, peer-identifier and certificate rows to match the
 * selected authentication method. The 'pre_shared_key' case is emitted only
 * on the mobile-client variant of the page (see the PHP conditional below);
 * otherwise PSK methods fall through to the default branch. */
function methodsel_change() {
	/* index/value are assigned without 'var' and therefore become globals. */
	index = document.iform.authentication_method.selectedIndex;
	value = document.iform.authentication_method.options[index].value;

	switch (value) {
		case 'hybrid_rsa_server':
			document.getElementById('opt_psk').style.display = 'none';
			document.getElementById('opt_peerid').style.display = '';
			document.getElementById('opt_cert').style.display = '';
			break;
		case 'xauth_rsa_server':
		case 'rsasig':
			document.getElementById('opt_psk').style.display = 'none';
			document.getElementById('opt_peerid').style.display = '';
			document.getElementById('opt_cert').style.display = '';
			break;
<?php if ($pconfig['mobile']) { ?>
		/* Mobile PSK: group key only, no per-peer identifier or certificate. */
		case 'pre_shared_key':
			document.getElementById('opt_psk').style.display = 'none';
			document.getElementById('opt_peerid').style.display = 'none';
			document.getElementById('opt_cert').style.display = 'none';
			break;
<?php } ?>
		default: /* psk modes*/
			document.getElementById('opt_psk').style.display = '';
			document.getElementById('opt_peerid').style.display = '';
			document.getElementById('opt_cert').style.display = 'none';
			break;
	}
}
397
398
/* PHP generated java script for variable length keys */
/* Rebuild the key-length <select> for the chosen encryption algorithm.
 * One 'case' per entry of $p1_ealgos is emitted at page-render time, in
 * the same order as the algorithm <select> options, so the switch keys on
 * selectedIndex. 'bits' (optional) preselects a key length. */
function ealgosel_change(bits) {
	switch (document.iform.ealgo.selectedIndex) {
<?php
  $i = 0;
  foreach ($p1_ealgos as $algo => $algodata) {
    /* Algorithms with a 'keysel' range get a populated, visible key-length
     * list; fixed-length algorithms get an empty, hidden one. */
    if (is_array($algodata['keysel'])) {
      echo "		case {$i}:\n";
      echo "			document.iform.ealgo_keylen.style.visibility = 'visible';\n";
      echo "			document.iform.ealgo_keylen.options.length = 0;\n";
//      echo "			document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";

      $key_hi = $algodata['keysel']['hi'];
      $key_lo = $algodata['keysel']['lo'];
      $key_step = $algodata['keysel']['step'];

      /* Longest key first, stepping down to the shortest. */
      for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step)
        echo "			document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
      echo "			break;\n";
    } else {
      echo "		case {$i}:\n";
      echo "			document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
      echo "			document.iform.ealgo_keylen.options.length = 0;\n";
      echo "			break;\n";
    }
    $i++;
  }
?>
	}

	if( bits )
		document.iform.ealgo_keylen.value = bits;
}
431 3462a529 Matthew Grooms
432 a93e56c5 Matthew Grooms
/* Toggle the DPD option row with the checkbox and seed the delay/retry
 * fields with defaults when they are blank. */
function dpdchkbox_change() {
	var dpdRow = document.getElementById('opt_dpd');
	dpdRow.style.display = document.iform.dpd_enable.checked ? '' : 'none';

	if (!document.iform.dpd_delay.value)
		document.iform.dpd_delay.value = "10";

	if (!document.iform.dpd_maxfail.value)
		document.iform.dpd_maxfail.value = "5";
}
444 3462a529 Matthew Grooms
445 a93e56c5 Matthew Grooms
//-->
446
</script>
447 5a3b0d3b mgrooms
448
<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
449
450
<?php
451
	if ($input_errors)
452
		print_input_errors($input_errors);
453
?>
454
455
<table width="100%" border="0" cellpadding="0" cellspacing="0">
456
	<tr class="tabnavtbl">
457
		<td id="tabnav">
458
			<?php
459
				$tab_array = array();
460 2fbb33f1 Carlos Eduardo Ramos
				$tab_array[0] = array(gettext("Tunnels"), true, "vpn_ipsec.php");
461
				$tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php");
462
				$tab_array[2] = array(gettext("Pre-shared keys"), false, "vpn_ipsec_keys.php");
463 5a3b0d3b mgrooms
				display_top_tabs($tab_array);
464
			?>
465
		</td>
466
	</tr>
467
	<tr>
468
		<td id="mainarea">
469
			<div class="tabcont">
470
				<table width="100%" border="0" cellpadding="6" cellspacing="0">
471
					<tr>
472 2fbb33f1 Carlos Eduardo Ramos
						<td colspan="2" valign="top" class="listtopic"><?=gettext("General information"); ?></td>
473 5a3b0d3b mgrooms
					</tr>
474
					<tr>
475 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td>
476 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
477
							<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
478 2fbb33f1 Carlos Eduardo Ramos
							<strong><?=gettext("Disable this phase1 entry"); ?></strong><br>
479 5a3b0d3b mgrooms
							<span class="vexpl">
480 2fbb33f1 Carlos Eduardo Ramos
								<?=gettext("Set this option to disable this phase1 without " .
481
								"removing it from the list"); ?>.
482 5a3b0d3b mgrooms
							</span>
483
						</td>
484
					</tr>
485
					<tr>
486 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Interface"); ?></td>
487 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
488
							<select name="interface" class="formselect">
489
							<?php 
490
								$interfaces = get_configured_interface_with_descr();
491 abcb2bed Ermal Lu?i
								$carplist = get_configured_carp_interface_list();
492
								foreach ($carplist as $cif => $carpip)
493
									$interfaces[$cif] = strtoupper($cif) . " ({$carpip})";
494 5a3b0d3b mgrooms
								foreach ($interfaces as $iface => $ifacename):
495
							?>
496
								<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
497
									<?=htmlspecialchars($ifacename);?>
498
								</option>
499
							<?php endforeach; ?>
500
							</select>
501
							<br>
502 2fbb33f1 Carlos Eduardo Ramos
							<span class="vexpl"><?=gettext("Select the interface for the local endpoint of this phase1 entry"); ?>.</span>
503 5a3b0d3b mgrooms
						</td>
504
					</tr>
505
506
					<?php if (!$pconfig['mobile']): ?>
507
508
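					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Remote gateway"); ?></td>
						<td width="78%" class="vtable">
							<?php /* After a failed POST $pconfig is the raw request, so the value is
							         escaped before being reflected into the attribute (as descr and
							         pskey already are). */ ?>
							<?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=htmlspecialchars($pconfig['remotegw']);?>">
							<br>
							<?=gettext("Enter the public IP address or host name of the remote gateway"); ?>
						</td>
					</tr>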
516
517
					<?php endif; ?>
518
519
					<tr>
520 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td>
521 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
522
							<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
523
							<br>
524
							<span class="vexpl">
525 2fbb33f1 Carlos Eduardo Ramos
								<?=gettext("You may enter a description here " .
526
								"for your reference (not parsed)"); ?>.
527 5a3b0d3b mgrooms
							</span>
528
						</td>
529
					</tr>
530
					<tr>
531
						<td colspan="2" class="list" height="12"></td>
532
					</tr>
533
					<tr>
534
						<td colspan="2" valign="top" class="listtopic">
535 2fbb33f1 Carlos Eduardo Ramos
							<?=gettext("Phase 1 proposal (Authentication)"); ?>
536 5a3b0d3b mgrooms
						</td>
537
					</tr>
538 71d61aa5 jim-p
					<tr>
539 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Authentication method"); ?></td>
540 71d61aa5 jim-p
						<td width="78%" class="vtable">
541
							<select name="authentication_method" class="formselect" onChange="methodsel_change()">
542
							<?php
543
								foreach ($p1_authentication_methods as $method_type => $method_params):
544
									if (!$pconfig['mobile'] && $method_params['mobile'])
545
										continue;
546
							?>
547
								<option value="<?=$method_type;?>" <?php if ($method_type == $pconfig['authentication_method']) echo "selected"; ?>>
548
									<?=htmlspecialchars($method_params['name']);?>
549
								</option>
550
							<?php endforeach; ?>
551
							</select>
552
							<br>
553
							<span class="vexpl">
554 2fbb33f1 Carlos Eduardo Ramos
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
555 71d61aa5 jim-p
							</span>
556
						</td>
557
					</tr>
558 5a3b0d3b mgrooms
					<tr>
559 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Negotiation mode"); ?></td>
560 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
561
							<select name="mode" class="formselect">
562
							<?php
563
								$modes = explode(" ", "main aggressive");
564
								foreach ($modes as $mode):
565
							?>
566
								<option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected"; ?>>
567
									<?=htmlspecialchars($mode);?>
568
								</option>
569
							<?php endforeach; ?>
570 2fbb33f1 Carlos Eduardo Ramos
							</select> <br> <span class="vexpl"><?=gettext("Aggressive is more flexible, but less secure"); ?>.</span>
571 5a3b0d3b mgrooms
						</td>
572
					</tr>
573
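					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("My identifier"); ?></td>
						<td width="78%" class="vtable">
							<select name="myid_type" class="formselect" onChange="myidsel_change()">
							<?php foreach ($my_identifier_list as $id_type => $id_params): ?>
								<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) echo "selected"; ?>>
									<?=htmlspecialchars($id_params['desc']);?>
								</option>
							<?php endforeach; ?>
							</select>
							<?php /* myid_data is reflected from the request on a failed POST; escape it
							         like the other free-text fields on this form. */ ?>
							<input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=htmlspecialchars($pconfig['myid_data']);?>">
						</td>
					</tr>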
586 1f65618b jim-p
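					<tr id="opt_peerid">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer identifier"); ?></td>
						<td width="78%" class="vtable">
							<select name="peerid_type" class="formselect" onChange="peeridsel_change()">
							<?php
								/* Mobile configurations only offer the identifier types flagged for mobile use. */
								foreach ($peer_identifier_list as $id_type => $id_params):
									if ($pconfig['mobile'] && !$id_params['mobile'])
										continue;
							?>
							<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['peerid_type']) echo "selected"; ?>>
								<?=htmlspecialchars($id_params['desc']);?>
							</option>
							<?php endforeach; ?>
							</select>
							<?php /* peerid_data is reflected from the request on a failed POST; escape it
							         like the other free-text fields on this form. */ ?>
							<input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=htmlspecialchars($pconfig['peerid_data']);?>">
						<?php if ($pconfig['mobile']) { ?>
							<br/><br/><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>.
						<?php } ?>
						</td>
					</tr>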
606 71d61aa5 jim-p
					<tr id="opt_psk">
607 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
608 71d61aa5 jim-p
						<td width="78%" class="vtable">
609
							<?=$mandfldhtml;?>
610
							<input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>">
611
							<span class="vexpl">
612
							<br>
613 2fbb33f1 Carlos Eduardo Ramos
								<?=gettext("Input your pre-shared key string"); ?>.
614 71d61aa5 jim-p
							</span>
615
						</td>
616
					</tr>
617 5a3b0d3b mgrooms
					<tr>
618 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
619 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
620
							<select name="ealgo" class="formselect" onChange="ealgosel_change()">
621
							<?php
622
								foreach ($p1_ealgos as $algo => $algodata):
623
									$selected = '';
624
									if ($algo == $pconfig['ealgo']['name'])
625
										$selected = ' selected';
626
							?>
627
								<option value="<?=$algo;?>"<?=$selected?>>
628
									<?=htmlspecialchars($algodata['name']);?>
629
								</option>
630
							<?php endforeach; ?>
631
							</select>
632
							<select name="ealgo_keylen" width="30" class="formselect">
633
							</select>
634
						</td>
635
					</tr>
636
					<tr>
637 2fbb33f1 Carlos Eduardo Ramos
						<td width="22%" valign="top" class="vncellreq"><?=gettext("Hash algorithm"); ?></td>
638 5a3b0d3b mgrooms
						<td width="78%" class="vtable">
639
							<select name="halgo" class="formselect">
640
							<?php foreach ($p1_halgos as $algo => $algoname): ?>
641
								<option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) echo "selected"; ?>>
642
									<?=htmlspecialchars($algoname);?>
643
								</option>
644
							<?php endforeach; ?>
645
							</select>
646
							<br>
647
							<span class="vexpl">
648 2fbb33f1 Carlos Eduardo Ramos
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
649 5a3b0d3b mgrooms
							</span>
650
						</td>
651
					</tr>
652
					<tr>
						<td width="22%" valign="top" class="vncellreq"><?=gettext("DH key group"); ?></td>
						<td width="78%" class="vtable">
							<?php
								/* MODP groups this form offers. NOTE(review): 1 (768-bit) and 2 (1024-bit)
								   are far below current strength guidance; 5 is the strongest value offered
								   here, and adding larger groups depends on backend support not visible in
								   this file. */
								$dh_choices = array("1", "2", "5");
							?>
							<select name="dhgroup" class="formselect">
							<?php foreach ($dh_choices as $dh_id): ?>
								<option value="<?=$dh_id;?>" <?=($dh_id == $pconfig['dhgroup']) ? "selected" : "";?>>
									<?=htmlspecialchars($dh_id);?>
								</option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								<em><?=gettext("1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit"); ?></em>
								<br>
								<?=gettext("Must match the setting chosen on the remote side"); ?>.
							</span>
						</td>
					</tr>
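					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td>
						<td width="78%" class="vtable">
							<?php /* Escaped on output like the pskey field above: $pconfig presumably
							         carries the submitted value back after a validation error. */ ?>
							<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>">
							<?=gettext("seconds"); ?>
						</td>
					</tr>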
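					<tr id="opt_cert">
						<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
						<td width="78%" class="vtable">
							<select name='certref' class="formselect">
							<?php
								/* Certificate refids and display names come from the stored config
								   (entered through the Certificate Manager), so escape both for the
								   HTML context. Also tolerate a config with no certificates at all
								   instead of iterating over a missing array. */
								$p1_certlist = array();
								if (isset($config['system']['cert']) && is_array($config['system']['cert']))
									$p1_certlist = $config['system']['cert'];
								foreach ($p1_certlist as $cert):
									$selected = "";
									if ($pconfig['certref'] == $cert['refid'])
										$selected = "selected";
							?>
								<option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>
							<?php endforeach; ?>
							</select>
							<br>
							<span class="vexpl">
								<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
							</span>
						</td>
					</tr>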
					<tr>
						<td colspan="2" class="list" height="12"></td>
					</tr>
					<tr>
						<td colspan="2" valign="top" class="listtopic"><?=gettext("Advanced Options"); ?></td>
					</tr>
					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("NAT Traversal"); ?></td>
						<td width="78%" class="vtable">
							<?php
								/* NAT-T mode: stored value => label shown to the user. */
								$natt_modes = array(
									"off"   => gettext("Disable"),
									"on"    => gettext("Enable"),
									"force" => gettext("Force"),
								);
							?>
							<select name="nat_traversal" class="formselect">
							<?php foreach ($natt_modes as $natt_value => $natt_label): ?>
								<option value="<?=$natt_value;?>" <?php if ($pconfig['nat_traversal'] == $natt_value) echo "selected"; ?>><?=$natt_label;?></option>
							<?php endforeach; ?>
							</select>
							<br/>
							<span class="vexpl">
								<?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
								"which can help with clients that are behind restrictive firewalls"); ?>.
							</span>
						</td>
					</tr>
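					<tr>
						<td width="22%" valign="top" class="vncell"><?=gettext("Dead Peer Detection"); ?></td>
						<td width="78%" class="vtable">
							<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if (isset($pconfig['dpd_enable'])) echo "checked"; ?> onClick="dpdchkbox_change()">
							<?=gettext("Enable DPD"); ?><br>
							<?php /* The DPD controls below are shown/hidden by dpdchkbox_change() from the page script. */ ?>
							<div id="opt_dpd">
								<br>
								<?php /* Both DPD values are echoed into attributes; escape them like the
								         other text inputs on this form, since $pconfig presumably carries
								         submitted values back after a validation error. */ ?>
								<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=htmlspecialchars($pconfig['dpd_delay']);?>">
								<?=gettext("seconds"); ?><br>
								<span class="vexpl">
									<?=gettext("Delay between requesting peer acknowledgement"); ?>.
								</span><br>
								<br>
								<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=htmlspecialchars($pconfig['dpd_maxfail']);?>">
								<?=gettext("retries"); ?><br>
								<span class="vexpl">
									<?=gettext("Number of consecutive failures allowed before disconnect"); ?>.
								</span>
								<br>
							</div>
						</td>
					</tr>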
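					<tr>
						<td width="22%" valign="top">&nbsp;</td>
						<td width="78%">
							<?php
								/* Hidden state carried across the round trip. p1index and ikeid are
								   echoed into attributes, so they are escaped like every other reflected
								   value on this form; whatever validated them earlier is not visible here.
								   !empty() keeps the original truthiness test but avoids a notice when
								   p1index does not name an existing phase 1 entry. */
							?>
							<?php if (isset($p1index) && !empty($a_phase1[$p1index])): ?>
							<input name="p1index" type="hidden" value="<?=htmlspecialchars($p1index);?>">
							<?php endif; ?>
							<?php if ($pconfig['mobile']): ?>
							<input name="mobile" type="hidden" value="true">
							<?php endif; ?>
							<input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>">
							<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>">
						</td>
					</tr>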
				</table>
			</div>
		</td>
	</tr>
</table>
</form>
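<script type="text/javascript">
<!--
<?php
	/*
	 * Initial key length handed to ealgosel_change() for the ealgo_keylen select.
	 * Only a numeric stored keylen is emitted, and it is cast to int so that
	 * exactly one integer literal (or nothing) lands inside the JavaScript call;
	 * a non-numeric value leaves the argument list empty.
	 */
	$keyset = '';
	if (isset($pconfig['ealgo']['keylen']) && is_numeric($pconfig['ealgo']['keylen']))
		$keyset = (int) $pconfig['ealgo']['keylen'];
?>
/* Sync the dependent form sections with the current field values on load;
   these handlers are defined earlier in this page. */
myidsel_change();
peeridsel_change();
methodsel_change();
ealgosel_change(<?=$keyset;?>);
dpdchkbox_change();
//-->
</script>
<?php include("fend.inc"); ?>
</body>
</html>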