Project

General

Profile

Download (15.1 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
	diag_ipsec.php
4
*/
5
/* ====================================================================
6
 *  Copyright (c)  2004-2015  Electric Sheep Fencing, LLC. All rights reserved.
7
 *  portions Copyright (c) 2008 Shrew Soft Inc <mgrooms@shrew.net>.
8
 *
9
 *  Parts of this code originally based on vpn_ipsec_sad.php from m0n0wall,
10
 *  Copyright (c) 2003-2004 Manuel Kasper (BSD 2 clause)
11
 *
12
 *  Redistribution and use in source and binary forms, with or without modification,
13
 *  are permitted provided that the following conditions are met:
14
 *
15
 *  1. Redistributions of source code must retain the above copyright notice,
16
 *      this list of conditions and the following disclaimer.
17
 *
18
 *  2. Redistributions in binary form must reproduce the above copyright
19
 *      notice, this list of conditions and the following disclaimer in
20
 *      the documentation and/or other materials provided with the
21
 *      distribution.
22
 *
23
 *  3. All advertising materials mentioning features or use of this software
24
 *      must display the following acknowledgment:
25
 *      "This product includes software developed by the pfSense Project
26
 *       for use in the pfSense software distribution. (http://www.pfsense.org/).
27
 *
28
 *  4. The names "pfSense" and "pfSense Project" must not be used to
29
 *       endorse or promote products derived from this software without
30
 *       prior written permission. For written permission, please contact
31
 *       coreteam@pfsense.org.
32
 *
33
 *  5. Products derived from this software may not be called "pfSense"
34
 *      nor may "pfSense" appear in their names without prior written
35
 *      permission of the Electric Sheep Fencing, LLC.
36
 *
37
 *  6. Redistributions of any form whatsoever must retain the following
38
 *      acknowledgment:
39
 *
40
 *  "This product includes software developed by the pfSense Project
41
 *  for use in the pfSense software distribution (http://www.pfsense.org/).
42
 *
43
 *  THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
44
 *  EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45
 *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
46
 *  PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
47
 *  ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
48
 *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
49
 *  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
50
 *  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
51
 *  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
52
 *  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
53
 *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
54
 *  OF THE POSSIBILITY OF SUCH DAMAGE.
55
 *
56
 *  ====================================================================
57
 *
58
 */
59

    
60
/*
61
	pfSense_MODULE: ipsec
62
*/
63

    
64
##|+PRIV
65
##|*IDENT=page-status-ipsec
66
##|*NAME=Status: IPsec page
67
##|*DESCR=Allow access to the 'Status: IPsec' page.
68
##|*MATCH=diag_ipsec.php*
69
##|-PRIV
70

    
71

    
72
global $g;
73

    
74
$pgtitle = array(gettext("Status"), gettext("IPsec"));
75
$shortcut_section = "ipsec";
76

    
77
require("guiconfig.inc");
78
include("head.inc");
79
require_once("ipsec.inc");
80

    
81
if ($_GET['act'] == 'connect') {
82
	if (ctype_digit($_GET['ikeid'])) {
83
		$ph1ent = ipsec_get_phase1($_GET['ikeid']);
84
		if (!empty($ph1ent)) {
85
			if (empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') {
86
				$ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
87
				for ($i = 0; $i < $ph2entries; $i++) {
88
					$connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
89
					mwexec("/usr/local/sbin/ipsec down {$connid}");
90
					mwexec("/usr/local/sbin/ipsec up {$connid}");
91
				}
92
			} else {
93
				mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
94
				mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
95
			}
96
		}
97
	}
98
} else if ($_GET['act'] == 'ikedisconnect') {
99
	if (ctype_digit($_GET['ikeid'])) {
100
		if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
101
			mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "[" . escapeshellarg($_GET['ikesaid']) . "]");
102
		} else {
103
			mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
104
		}
105
	}
106
} else if ($_GET['act'] == 'childdisconnect') {
107
	if (ctype_digit($_GET['ikeid'])) {
108
		if (!empty($_GET['ikesaid']) && ctype_digit($_GET['ikesaid'])) {
109
			mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']) . "{" . escapeshellarg($_GET['ikesaid']) . "}");
110
		}
111
	}
112
}
113

    
114
if (!is_array($config['ipsec']['phase1'])) {
115
	$config['ipsec']['phase1'] = array();
116
}
117

    
118
$a_phase1 = &$config['ipsec']['phase1'];
119

    
120
$status = ipsec_list_sa();
121

    
122
$tab_array = array();
123
$tab_array[] = array(gettext("Overview"), true, "diag_ipsec.php");
124
$tab_array[] = array(gettext("Leases"), false, "diag_ipsec_leases.php");
125
$tab_array[] = array(gettext("SAD"), false, "diag_ipsec_sad.php");
126
$tab_array[] = array(gettext("SPD"), false, "diag_ipsec_spd.php");
127
$tab_array[] = array(gettext("Logs"), false, "diag_logs.php?logfile=ipsec");
128
display_top_tabs($tab_array);
129
?>
130

    
131
<div class="panel panel-default">
132
	<div class="panel-heading">IPSec status</div>
133
	<div class="panel-body table responsive">
134
		<table class="table table-striped table-condensed table-hover sortable-theme-bootstrap" data-sortable>
135
			<thead>
136
				<tr>
137
					<th><?=gettext("Description")?></th>
138
					<th><?=gettext("Local ID")?></th>
139
					<th><?=gettext("Local IP")?></th>
140
					<th><?=gettext("Remote ID")?></th>
141
					<th><?=gettext("Remote IP")?></th>
142
					<th><?=gettext("Role")?></th>
143
					<th><?=gettext("Reauth")?></th>
144
					<th><?=gettext("Algo")?></th>
145
					<th><?=gettext("Status")?></th>
146
					<th></th>
147
				</tr>
148
			</thead>
149
			<tbody>
150
<?php
151
$ipsecconnected = array();
152

    
153
if (is_array($status)) {
154
	foreach ($status as $ikeid => $ikesa) {
155
	$con_id = substr($ikeid, 3);
156

    
157
		if ($ikesa['version'] == 1) {
158
			$ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
159
			$ipsecconnected[$ph1idx] = $ph1idx;
160
		} else {
161
			$ipsecconnected[$con_id] = $ph1idx = $con_id;
162
		}
163
?>
164
				<tr>
165
					<td>
166
						<?=htmlspecialchars(ipsec_get_descr($ph1idx))?>
167
					</td>
168
					<td>
169
<?php
170
		if (!empty($ikesa['local-id'])) {
171
			if ($ikesa['local-id'] == '%any') {
172
				print(gettext('Any identifier'));
173
			} else {
174
				print(htmlspecialchars($ikesa['local-id']));
175
			}
176
		} else {
177
			print(gettext("Unknown"));
178
		}
179

    
180
?>
181
					</td>
182
					<td>
183
<?php
184
		if (!empty($ikesa['local-host'])) {
185
			print(htmlspecialchars($ikesa['local-host']));
186
		} else {
187
			print(gettext("Unknown"));
188
		}
189
		/*
190
		 * XXX: local-nat-t was defined by pfSense
191
		 * When strongswan team accepted the change, they changed it to
192
		 * nat-local. Keep both for a while and remove local-nat-t in
193
		 * the future
194
		 */
195
		if (isset($ikesa['local-nat-t']) || isset($ikesa['nat-local'])) {
196
			print(" NAT-T");
197
		}
198
?>
199
					</td>
200
					<td>
201
<?php
202
		$identity = "";
203
		if (!empty($ikesa['remote-id'])) {
204
			if ($ikesa['remote-id'] == '%any') {
205
				$identity = 'Any identifier';
206
			} else {
207
				$identity = htmlspecialchars($ikesa['remote']['identification']);
208
			}
209
		}
210
		if (!empty($ikesa['remote-xauth-id'])) {
211
			echo htmlspecialchars($ikesa['remote-xauth-id']);
212
			echo "<br/>{$identity}";
213
		} elseif (!empty($ikesa['remote-eap-id'])) {
214
			echo htmlspecialchars($ikesa['remote-eap-id']);
215
			echo "<br/>{$identity}";
216
		} else {
217
			if (empty($identity)) {
218
				print(gettext("Unknown"));
219
			} else {
220
				print($identity);
221
			}
222
		}
223
?>
224
					</td>
225
					<td>
226
<?php
227
		if (!empty($ikesa['remote-host'])) {
228
			print(htmlspecialchars($ikesa['remote-host']));
229
		} else {
230
			print(gettext("Unknown"));
231
		}
232
		/*
233
		 * XXX: remote-nat-t was defined by pfSense
234
		 * When strongswan team accepted the change, they changed it to
235
		 * nat-remote. Keep both for a while and remove remote-nat-t in
236
		 * the future
237
		 */
238
		if (isset($ikesa['remote-nat-t']) || isset($ikesa['nat-remote'])) {
239
			print(" NAT-T");
240
		}
241
?>
242
					</td>
243
					<td>
244
						IKEv<?=htmlspecialchars($ikesa['version'])?>
245
						<br/>
246
<?php
247
		if ($ikesa['initiator'] == 'yes') {
248
			print("initiator");
249
		} else {
250
			print("responder");
251
		}
252
?>
253
					</td>
254
					<td>
255
						<?=htmlspecialchars($ikesa['reauth-time']) . gettext(" seconds (") . convert_seconds_to_hms($ikesa['reauth-time']) . ")";?>
256
					</td>
257
					<td>
258
						<?=htmlspecialchars($ikesa['encr-alg'])?>
259
						<br/>
260
						<?=htmlspecialchars($ikesa['integ-alg'])?>
261
						<br/>
262
						<?=htmlspecialchars($ikesa['prf-alg'])?>
263
						<br/>
264
						<?=htmlspecialchars($ikesa['dh-group'])?>
265
					</td>
266
					<td>
267
<?php
268
		if ($ikesa['state'] == 'ESTABLISHED') {
269
			print('<span style="color:green">');
270
		} else {
271
			print('<span>');
272
		}
273
?>
274
						<?=ucfirst(htmlspecialchars($ikesa['state']))?>
275
						<br/><?=htmlspecialchars($ikesa['established']) . gettext(" seconds (" . convert_seconds_to_hms($ikesa['established']) . ") ago")?>
276
						</span>
277
					</td>
278
					<td >
279
<?php
280
		if ($ikesa['state'] != 'ESTABLISHED') {
281
?>
282
					<a href="diag_ipsec.php?act=connect&amp;ikeid=<?=$con_id; ?>" class="btn btn-xs btn-success" data-toggle="tooltip" title="Connect VPN" >
283
							<?=gettext("Connect VPN")?>
284
						</a>
285
<?php
286
		} else {
287
?>
288
						<a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?=$con_id; ?>" class="btn btn-xs btn-danger" data-toggle="tooltip" title="Disconnect VPN">
289
							<?=gettext("Disconnect")?>
290
						</a><br />
291
						<a href="diag_ipsec.php?act=ikedisconnect&amp;ikeid=<?=$con_id; ?>&amp;ikesaid=<?=$ikesa['uniqueid']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect VPN connection">
292
							<?=gettext("Disconnect")?>
293
						</a>
294
<?php
295
		}
296
?>
297
					</td>
298
				</tr>
299
				<tr>
300
					<td colspan = 10>
301
<?php
302
		if (is_array($ikesa['child-sas']) && (count($ikesa['child-sas']) > 0)) {
303
?>
304
						<div id="btnchildsa-<?=$ikeid?>">
305
							<a type="button" onclick="show_childsa('childsa-<?=$ikeid?>','btnchildsa-<?=$ikeid?>');" class="btn btn-sm btn-default" />
306
								<?=gettext('Show child SA entries')?>
307
							</a>
308
						</div>
309

    
310
						<table class="table table-hover table-condensed" id="childsa-<?=$ikeid?>" style="display:none">
311
							<thead>
312
								<tr class="info">
313
									<th><?=gettext("Local subnets")?></th>
314
									<th><?=gettext("Local SPI(s)")?></th>
315
									<th><?=gettext("Remote subnets")?></th>
316
									<th><?=gettext("Times")?></th>
317
									<th><?=gettext("Algo")?></th>
318
									<th><?=gettext("Stats")?></th>
319
									<th><!-- Buttons --></th>
320
								</tr>
321
							</thead>
322
							<tbody>
323
<?php
324
			foreach ($ikesa['child-sas'] as $childid => $childsa) {
325
?>
326
								<tr>
327
									<td>
328
<?php
329
				if (is_array($childsa['local-ts'])) {
330
					foreach ($childsa['local-ts'] as $lnets) {
331
						print(htmlspecialchars(ipsec_fixup_network($lnets)) . "<br />");
332
					}
333
				} else {
334
					print(gettext("Unknown"));
335
				}
336
?>
337
									</td>
338
									<td>
339
<?php
340
				if (isset($childsa['spi-in'])) {
341
					print(gettext("Local: ") . htmlspecialchars($childsa['spi-in']));
342
				}
343

    
344
				if (isset($childsa['spi-out'])) {
345
					print('<br/>' . gettext('Remote: ') . htmlspecialchars($childsa['spi-out']));
346
				}
347
?>
348
									</td>
349
									<td>
350
<?php
351
				if (is_array($childsa['remote-ts'])) {
352
					foreach ($childsa['remote-ts'] as $rnets) {
353
						print(htmlspecialchars(ipsec_fixup_network($rnets)) . '<br />');
354
					}
355
				} else {
356
					print(gettext("Unknown"));
357
				}
358
?>
359
									</td>
360
									<td>
361
<?php
362
				print(gettext("Rekey: ") . htmlspecialchars($childsa['rekey-time']) . gettext(" seconds (") . convert_seconds_to_hms($childsa['rekey-time']) . ")");
363
				print('<br/>' . gettext('Life: ') . htmlspecialchars($childsa['life-time']) . gettext(" seconds (") . convert_seconds_to_hms($childsa['life-time']) . ")" );
364
				print('<br/>' . gettext('Install: ') .htmlspecialchars($childsa['install-time']) . gettext(" seconds (") . convert_seconds_to_hms($childsa['install-time']) . ")" );
365

    
366
?>
367
									</td>
368
									<td>
369
<?php
370
				print(htmlspecialchars($childsa['encr-alg']) . '<br/>');
371
				print(htmlspecialchars($childsa['integ-alg']) . '<br/>');
372

    
373
				if (!empty($childsa['prf-alg'])) {
374
					print(htmlspecialchars($childsa['prf-alg']) . '<br/>');
375
				}
376
				if (!empty($childsa['dh-group'])) {
377
					print(htmlspecialchars($childsa['dh-group']) . '<br/>');
378
				}
379
				if (!empty($childsa['esn'])) {
380
					print(htmlspecialchars($childsa['esn']) . '<br/>');
381
				}
382

    
383
				print(gettext("IPComp: "));
384
				if (!empty($childsa['cpi-in']) || !empty($childsa['cpi-out'])) {
385
					print(htmlspecialchars($childsa['cpi-in']) . " " . htmlspecialchars($childsa['cpi-out']));
386
				} else {
387
					print(gettext('none'));
388
				}
389
?>
390
									</td>
391
									<td>
392
<?php
393
				print(gettext("Bytes-In: ") . htmlspecialchars(number_format($childsa['bytes-in'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-in'])) . ')<br/>');
394
				print(gettext("Packets-In: ") . htmlspecialchars(number_format($childsa['packets-in'])) . '<br/>');
395
				print(gettext("Bytes-Out: ") . htmlspecialchars(number_format($childsa['bytes-out'])) . ' (' . htmlspecialchars(format_bytes($childsa['bytes-out'])) . ')<br/>');
396
				print(gettext("Packets-Out: ") . htmlspecialchars(number_format($childsa['packets-out'])) . '<br/>');
397
?>
398
									</td>
399
									<td>
400
										<a href="diag_ipsec.php?act=childdisconnect&amp;ikeid=<?=$con_id; ?>&amp;ikesaid=<?=$childsa['uniqueid']; ?>" class="btn btn-xs btn-warning" data-toggle="tooltip" title="<?=gettext('Disconnect Child SA')?>">
401
											<?=gettext("Disconnect")?>
402
										</a>
403
									</td>
404
								</tr>
405
<?php
406
			}
407
?>
408

    
409
							</tbody>
410
						</table>
411
					</td>
412
				</tr>
413
<?php
414
		}
415

    
416
		unset($con_id);
417
	}
418

    
419
}
420

    
421
$rgmap = array();
422
foreach ($a_phase1 as $ph1ent) {
423
	if (isset($ph1ent['disabled'])) {
424
		continue;
425
	}
426

    
427
	$rgmap[$ph1ent['remote-gateway']] = $ph1ent['remote-gateway'];
428

    
429
	if ($ipsecconnected[$ph1ent['ikeid']]) {
430
		continue;
431
	}
432
?>
433
				<tr>
434
					<td>
435
<?php
436
	print(htmlspecialchars($ph1ent['descr']));
437
?>
438
					</td>
439
					<td>
440
<?php
441
	list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
442
	if (empty($myid_data))
443
		print(gettext("Unknown"));
444
	else
445
		print(htmlspecialchars($myid_data));
446
?>
447
					</td>
448
					<td>
449
<?php
450
	$ph1src = ipsec_get_phase1_src($ph1ent);
451

    
452
	if (empty($ph1src))
453
		print(gettext("Unknown"));
454
	else
455
		print(htmlspecialchars($ph1src));
456
?>
457
					</td>
458
					<td>
459
<?php
460
	list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
461
	if (empty($peerid_data))
462
		print(gettext("Unknown"));
463
	else
464
		print(htmlspecialchars($peerid_data));
465
?>
466
					</td>
467
					<td>
468
<?php
469
	$ph1src = ipsec_get_phase1_dst($ph1ent);
470
	if (empty($ph1src))
471
		print(gettext("Unknown"));
472
	else
473
		print(htmlspecialchars($ph1src));
474
?>
475
					</td>
476
					<td>
477
					</td>
478
					<td>
479
					</td>
480
					<td>
481
					</td>
482
<?php
483
	if (isset($ph1ent['mobile'])) {
484
?>
485
					<td>
486
						<?=gettext("Awaiting connections")?>
487
					</td>
488
					<td>
489
					</td>
490
<?php
491
	} else {
492
?>
493
					<td>
494
						<?=gettext("Disconnected")?>
495
					</td>
496
					<td >
497
						<a href="diag_ipsec.php?act=connect&amp;ikeid=<?=$ph1ent['ikeid']; ?>" class="btn btn-xs btn-success">
498
							<?=gettext("Connect VPN")?>
499
						</a>
500
					</td>
501
<?php
502
	}
503
?>
504
					<td>
505
					</td>
506
				</tr>
507
<?php
508
}
509
unset($ipsecconnected, $phase1, $rgmap);
510
?>
511
			</tbody>
512
		</table>
513
	</div>
514
</div>
515

    
516
<script type="text/javascript">
517
//<![CDATA[
518
function show_childsa(id, buttonid) {
519
	document.getElementById(buttonid).innerHTML='';
520
	aodiv = document.getElementById(id);
521
	aodiv.style.display = "block";
522
}
523
//]]>
524
</script>
525

    
526
<?php
527
unset($status);
528
print_info_box(gettext("You can configure IPsec ") . '<a href="vpn_ipsec.php">Here</a>');
529
include("foot.inc"); ?>
(15-15/234)