/etc/inc/vpn.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/vpn.inc @ edda5d0b

1	5b237745	Scott Ullrich	<?php
2	979cd6db	Scott Ullrich
3	5b237745	Scott Ullrich	/*
4			vpn.inc
5	979cd6db	Scott Ullrich	Copyright (C) 2004 Scott Ullrich
6	a93e56c5	Matthew Grooms	Copyright (C) 2008 Shrew Soft Inc
7	5debd85f	caseyr232	Copyright (C) 2008 Ermal Lu�i
8	cfc707f7	Scott Ullrich	All rights reserved.
9	17da6c79	Scott Ullrich
10			originally part of m0n0wall (http://m0n0.ch/wall)
11			Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
12			All rights reserved.
13
14	5b237745	Scott Ullrich	Redistribution and use in source and binary forms, with or without
15			modification, are permitted provided that the following conditions are met:
16	17da6c79	Scott Ullrich
17	5b237745	Scott Ullrich	1. Redistributions of source code must retain the above copyright notice,
18			this list of conditions and the following disclaimer.
19	17da6c79	Scott Ullrich
20	5b237745	Scott Ullrich	2. Redistributions in binary form must reproduce the above copyright
21			notice, this list of conditions and the following disclaimer in the
22			documentation and/or other materials provided with the distribution.
23	17da6c79	Scott Ullrich
24	5b237745	Scott Ullrich	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
25			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
26			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
27			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
28			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33			POSSIBILITY OF SUCH DAMAGE.
34			*/
35	8f67a8e1	Scott Ullrich
36	523855b0	Scott Ullrich	/*
37	971de1f9	Renato Botelho	pfSense_BUILDER_BINARIES: /sbin/ifconfig
38	6c576b27	Ermal	pfSense_BUILDER_BINARIES: /usr/local/sbin/ipsec /usr/local/libexec/ipsec/charon /usr/local/libexec/ipsec/starter
39	09628a07	Renato Botelho	pfSense_BUILDER_BINARIES: /usr/local/sbin/filterdns /usr/local/sbin/mpd4
40	523855b0	Scott Ullrich	pfSense_MODULE: vpn
41			*/
42
43	50813d24	jim-p	require_once("ipsec.inc");
44
45	9abaa8f7	Ermal	function vpn_ipsec_configure_loglevels($forconfig = false)
46	c6efc8fd	Ermal	{
47	b305f795	Ermal	global $config, $ipsec_loglevels;
48	c6efc8fd	Ermal
49	9abaa8f7	Ermal	$cfgtext = array();
50	c6efc8fd	Ermal	foreach ($ipsec_loglevels as $lkey => $ldescr) {
51	79262830	Phil Davis	if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) {
52	3d77ec5d	Ermal	mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
53	79262830	Phil Davis	} else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
54			intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
55	7e7f07ae	Ermal	$forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
56	9abaa8f7	Ermal	mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
57	79262830	Phil Davis	}
58	c6efc8fd	Ermal	}
59	79262830	Phil Davis	if ($forconfig) {
60	9abaa8f7	Ermal	return implode(',', $cfgtext);
61	79262830	Phil Davis	}
62	c6efc8fd	Ermal	}
63
64	5b237745	Scott Ullrich	/* include all configuration functions */
65	496acde1	Ermal	function vpn_ipsec_convert_to_modp($index)
66			{
67	8f67a8e1	Scott Ullrich
68	496acde1	Ermal	$convertion = "";
69			switch ($index) {
70	79262830	Phil Davis	case '1':
71			$convertion = "modp768";
72			break;
73			case '2':
74			$convertion = "modp1024";
75			break;
76			case '5':
77			$convertion = "modp1536";
78			break;
79			case '14':
80			$convertion = "modp2048";
81			break;
82			case '15':
83			$convertion = "modp3072";
84			break;
85			case '16':
86			$convertion = "modp4096";
87			break;
88			case '17':
89			$convertion = "modp6144";
90			break;
91			case '18':
92			$convertion = "modp8192";
93			break;
94	7a747654	Ermal LUÇI	case '19':
95			$convertion = "ecp256";
96			break;
97			case '20':
98			$convertion = "ecp384";
99			break;
100			case '21':
101			$convertion = "ecp512";
102			break;
103	920af30f	Ermal Lu?i	}
104	496acde1	Ermal
105			return $convertion;
106	600dd4e0	Scott Ullrich	}
107	8f67a8e1	Scott Ullrich
108	420fce04	Ermal LUÇI	function vpn_ipsec_configure($restart = false)
109	a93e56c5	Matthew Grooms	{
110	34ba4e5d	Chris Buechler	global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling;
111	17da6c79	Scott Ullrich
112	79262830	Phil Davis	if ($g['platform'] == 'jail') {
113	7734aea6	Andrew Thompson	return;
114	79262830	Phil Davis	}
115	52c9f9fa	Ermal
116	f41c9fd5	Ermal Lu?i	/* get the automatic ping_hosts.sh ready */
117	cdd5b2ce	Ermal Lu?i	unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
118			touch("{$g['vardb_path']}/ipsecpinghosts");
119	0545a75e	Chris Buechler
120			/* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */
121			filter_configure();
122	c1f5a46b	Scott Ullrich
123	8f67a8e1	Scott Ullrich	$syscfg = $config['system'];
124	5b237745	Scott Ullrich	$ipseccfg = $config['ipsec'];
125	2f1e0311	Seth Mos	if (!isset($ipseccfg['enable'])) {
126	6c576b27	Ermal	/* try to stop charon */
127			mwexec("/usr/local/sbin/ipsec stop");
128	52c9f9fa	Ermal	/* Stop dynamic monitoring */
129	f8c10a18	Ermal	killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
130	98c02cac	Ermal
131	6c576b27	Ermal	/* wait for process to die */
132	8f67a8e1	Scott Ullrich	sleep(2);
133
134	84fa0d60	Scott Ullrich	/* disallow IPSEC, it is off */
135	52c9f9fa	Ermal	mwexec("/sbin/ifconfig enc0 down");
136	971de1f9	Renato Botelho	set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
137	2f1e0311	Seth Mos
138	6a781df6	Ermal	return 0;
139	7a683b46	Ermal LUÇI	}
140	8f67a8e1	Scott Ullrich
141	d8cb5ff3	Ermal LUÇI	$a_phase1 = $config['ipsec']['phase1'];
142			$a_phase2 = $config['ipsec']['phase2'];
143			$a_client = $config['ipsec']['client'];
144
145	7a683b46	Ermal LUÇI	$certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
146			$capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
147			$keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
148
149			mwexec("/sbin/ifconfig enc0 up");
150			set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
151			/* needed for config files */
152	79262830	Phil Davis	if (!is_dir("{$g['varetc_path']}/ipsec")) {
153	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec");
154	79262830	Phil Davis	}
155			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) {
156	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
157	79262830	Phil Davis	}
158			if (!is_dir($capath)) {
159	7a683b46	Ermal LUÇI	mkdir($capath);
160	79262830	Phil Davis	}
161			if (!is_dir($keypath)) {
162	7a683b46	Ermal LUÇI	mkdir($keypath);
163	79262830	Phil Davis	}
164			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) {
165	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
166	79262830	Phil Davis	}
167			if (!is_dir($certpath)) {
168	7a683b46	Ermal LUÇI	mkdir($certpath);
169	79262830	Phil Davis	}
170			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) {
171	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
172	79262830	Phil Davis	}
173			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) {
174	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
175	79262830	Phil Davis	}
176			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) {
177	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
178	79262830	Phil Davis	}
179			if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) {
180	7a683b46	Ermal LUÇI	mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
181	79262830	Phil Davis	}
182
183	e3afacbb	Chris Buechler
184	79262830	Phil Davis	if (platform_booting()) {
185	7a683b46	Ermal LUÇI	echo gettext("Configuring IPsec VPN... ");
186	79262830	Phil Davis	}
187	496acde1	Ermal
188	7a683b46	Ermal LUÇI	/* fastforwarding is not compatible with ipsec tunnels */
189			set_single_sysctl("net.inet.ip.fastforwarding", "0");
190	8f67a8e1	Scott Ullrich
191	7a683b46	Ermal LUÇI	/* resolve all local, peer addresses and setup pings */
192			$ipmap = array();
193			$rgmap = array();
194			$filterdns_list = array();
195			$listeniflist = array();
196			$aggressive_mode_psk = false;
197			unset($iflist);
198	778d2ea9	Ermal LUÇI	$ifacesuse = array();
199	7a683b46	Ermal LUÇI	if (is_array($a_phase1) && count($a_phase1)) {
200	8f67a8e1	Scott Ullrich
201	7a683b46	Ermal LUÇI	$ipsecpinghosts = "";
202			/* step through each phase1 entry */
203			foreach ($a_phase1 as $ph1ent) {
204	79262830	Phil Davis	if (isset($ph1ent['disabled'])) {
205	7a683b46	Ermal LUÇI	continue;
206	79262830	Phil Davis	}
207	8f67a8e1	Scott Ullrich
208	312a5188	Ermal LUÇI	if (strpos($ph1ent['interface'], '_vip')) {
209	121cde47	Ermal LUÇI	$vpninterface = explode('_vip', $ph1ent['interface']);
210			$ifacesuse[] = get_real_interface($vpninterface[0]);
211	79262830	Phil Davis	} else {
212			$vpninterface = get_failover_interface($ph1ent['interface']);
213	29de629e	Chris Buechler	if (strpos($vpninterface, '_vip')) {
214			$vpninterface = explode('_vip', $vpninterface);
215			$ifacesuse[] = get_real_interface($vpninterface[0]);
216	79262830	Phil Davis	} elseif (!empty($vpninterface)) {
217	121cde47	Ermal LUÇI	$ifacesuse[] = $vpninterface;
218	79262830	Phil Davis	}
219	121cde47	Ermal LUÇI	}
220	79262830	Phil Davis
221			if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" \|\| $ph1ent['authentication_method'] == "xauth_psk_server")) {
222	7a683b46	Ermal LUÇI	$aggressive_mode_psk = true;
223	79262830	Phil Davis	}
224	3462a529	Matthew Grooms
225	7a683b46	Ermal LUÇI	$ikeid = $ph1ent['ikeid'];
226			$listeniflist = get_real_interface($a_phase1['interface']);
227	979cd6db	Scott Ullrich
228	7a683b46	Ermal LUÇI	$ep = ipsec_get_phase1_src($ph1ent);
229	79262830	Phil Davis	if (!is_ipaddr($ep)) {
230	6a2eb517	Chris Buechler	log_error("IPsec ERROR: Could not find phase 1 source for connection {$ph1ent['descr']}. Omitting from configuration file.");
231	7a683b46	Ermal LUÇI	continue;
232	79262830	Phil Davis	}
233	7a683b46	Ermal LUÇI
234	79262830	Phil Davis	if (!in_array($ep,$ipmap)) {
235	7a683b46	Ermal LUÇI	$ipmap[] = $ep;
236	79262830	Phil Davis	}
237	7a683b46	Ermal LUÇI
238			/* see if this tunnel has a hostname for the remote-gateway. If so,
239			try to resolve it now and add it to the list for filterdns */
240
241	79262830	Phil Davis	if (isset ($ph1ent['mobile'])) {
242	7a683b46	Ermal LUÇI	continue;
243	79262830	Phil Davis	}
244	7a683b46	Ermal LUÇI
245			$rg = $ph1ent['remote-gateway'];
246
247			if (!is_ipaddr($rg)) {
248			$filterdns_list[] = "{$rg}";
249			add_hostname_to_watch($rg);
250	79262830	Phil Davis	if (!platform_booting()) {
251	7a683b46	Ermal LUÇI	$rg = resolve_retry($rg);
252	79262830	Phil Davis	}
253			if (!is_ipaddr($rg)) {
254	829fa12e	smos	continue;
255	79262830	Phil Davis	}
256	7a683b46	Ermal LUÇI	}
257	79262830	Phil Davis	if (array_search($rg, $rgmap)) {
258	7a683b46	Ermal LUÇI	log_error("The remote gateway {$rg} already exists on another phase 1 entry");
259			continue;
260			}
261			$rgmap[$ph1ent['remote-gateway']] = $rg;
262	8f67a8e1	Scott Ullrich
263	7a683b46	Ermal LUÇI	if (is_array($a_phase2)) {
264			/* step through each phase2 entry */
265			foreach ($a_phase2 as $ph2ent) {
266	79262830	Phil Davis	if (isset($ph2ent['disabled'])) {
267	7a683b46	Ermal LUÇI	continue;
268	79262830	Phil Davis	}
269	a11df336	jim-p
270	79262830	Phil Davis	if ($ikeid != $ph2ent['ikeid']) {
271	7a683b46	Ermal LUÇI	continue;
272	79262830	Phil Davis	}
273	a11df336	jim-p
274	7a683b46	Ermal LUÇI	/* add an ipsec pinghosts entry */
275			if ($ph2ent['pinghost']) {
276	79262830	Phil Davis	if (!is_array($iflist)) {
277	7a683b46	Ermal LUÇI	$iflist = get_configured_interface_list();
278	79262830	Phil Davis	}
279	7a683b46	Ermal LUÇI	$srcip = null;
280			$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
281	79262830	Phil Davis	if (is_ipaddrv6($ph2ent['pinghost'])) {
282	7a683b46	Ermal LUÇI	foreach ($iflist as $ifent => $ifname) {
283			$interface_ip = get_interface_ipv6($ifent);
284	79262830	Phil Davis	if (!is_ipaddrv6($interface_ip)) {
285	7a683b46	Ermal LUÇI	continue;
286	79262830	Phil Davis	}
287	7a683b46	Ermal LUÇI	if (ip_in_subnet($interface_ip, $local_subnet)) {
288			$srcip = $interface_ip;
289			break;
290	fb17f629	Seth Mos	}
291	a11df336	jim-p	}
292	7a683b46	Ermal LUÇI	} else {
293			foreach ($iflist as $ifent => $ifname) {
294			$interface_ip = get_interface_ip($ifent);
295	79262830	Phil Davis	if (!is_ipaddrv4($interface_ip)) {
296	7a683b46	Ermal LUÇI	continue;
297	79262830	Phil Davis	}
298	7a683b46	Ermal LUÇI	if ($local_subnet == "0.0.0.0/0" \|\| ip_in_subnet($interface_ip, $local_subnet)) {
299			$srcip = $interface_ip;
300			break;
301	dc63467f	Matt Smith	}
302			}
303	7a683b46	Ermal LUÇI	}
304			/* if no valid src IP was found in configured interfaces, try the vips */
305			if (is_null($srcip)) {
306	89f171b0	Ermal LUÇI	$viplist = get_configured_vips_list();
307	7a683b46	Ermal LUÇI	foreach ($viplist as $vip) {
308			if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
309			$srcip = $vip['ipaddr'];
310			break;
311			}
312	741077bc	Ermal Lu?i	}
313	87e07f52	mgrooms	}
314	7a683b46	Ermal LUÇI	$dstip = $ph2ent['pinghost'];
315	79262830	Phil Davis	if (is_ipaddrv6($dstip)) {
316	7a683b46	Ermal LUÇI	$family = "inet6";
317			} else {
318			$family = "inet";
319			}
320	79262830	Phil Davis	if (is_ipaddr($srcip)) {
321	7a683b46	Ermal LUÇI	$ipsecpinghosts[] = "{$srcip}\|{$dstip}\|3\|\|\|\|\|{$family}\|\n";
322	79262830	Phil Davis	}
323	17da6c79	Scott Ullrich	}
324	a93e56c5	Matthew Grooms	}
325			}
326			}
327	7a683b46	Ermal LUÇI	@file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
328			unset($ipsecpinghosts);
329			}
330			unset($iflist);
331	496acde1	Ermal
332	7a683b46	Ermal LUÇI	$accept_unencrypted = "";
333	79262830	Phil Davis	if (isset($config['ipsec']['acceptunencryptedmainmode'])) {
334	7a683b46	Ermal LUÇI	$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
335	79262830	Phil Davis	}
336	737b18f2	Ermal
337	420fce04	Ermal LUÇI	$stronconf = '';
338	79262830	Phil Davis	if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) {
339	420fce04	Ermal LUÇI	$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf");
340	79262830	Phil Davis	}
341	420fce04	Ermal LUÇI
342	7a683b46	Ermal LUÇI	$i_dont_care_about_security_and_use_aggressive_mode_psk = "";
343			if ($aggressive_mode_psk) {
344			log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
345	79262830	Phil Davis	if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) {
346	420fce04	Ermal LUÇI	$restart = true;
347	79262830	Phil Davis	}
348	7a683b46	Ermal LUÇI	$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
349	79262830	Phil Davis	}
350	4a076e36	Ermal LUÇI
351	0759fdd8	Ermal LUÇI	$unity_enabled = 'yes';
352	79262830	Phil Davis	if (isset($config['ipsec']['unityplugin'])) {
353	0759fdd8	Ermal LUÇI	$unity_enabled = 'no';
354	c014babd	Chris Buechler	if (file_exists("/usr/local/lib/ipsec/plugins/libstrongswan-unity.so")) {
355			conf_mount_rw();
356			mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.so /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED");
357			conf_mount_ro();
358			}
359			} else if (file_exists("/usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED")) {
360			conf_mount_rw();
361			mwexec("mv /usr/local/lib/ipsec/plugins/libstrongswan-unity.MOVED /usr/local/lib/ipsec/plugins/libstrongswan-unity.so");
362			conf_mount_ro();
363	79262830	Phil Davis	}
364	4a076e36	Ermal LUÇI
365	0608bd3c	Ermal LUÇI	$makebeforebreak = '';
366			if (isset($config['ipsec']['makebeforebreak'])) {
367			$makebeforebreak = 'make_before_break = yes';
368			}
369
370	24acc8f4	Chris Buechler	if (isset($config['ipsec']['enableinterfacesuse'])) {
371			if (!empty($ifacesuse)) {
372			$ifacesuse = 'interfaces_use = ' . implode(',', array_unique($ifacesuse));
373			} else {
374			$ifacesuse = '';
375			}
376	79262830	Phil Davis	} else {
377	778d2ea9	Ermal LUÇI	$ifacesuse = '';
378	79262830	Phil Davis	}
379	778d2ea9	Ermal LUÇI
380	1c4540dc	Ermal LUÇI	unset($stronconf);
381	420fce04	Ermal LUÇI
382	7a683b46	Ermal LUÇI	$strongswan = <<<EOD
383	496acde1	Ermal
384	79262830	Phil Davis	# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
385	496acde1	Ermal	starter {
386	7a683b46	Ermal LUÇI	load_warning = no
387	496acde1	Ermal	}
388
389			charon {
390	7a683b46	Ermal LUÇI	# number of worker threads in charon
391			threads = 16
392			ikesa_table_size = 32
393			ikesa_table_segments = 4
394			init_limit_half_open = 1000
395			install_routes = no
396			{$i_dont_care_about_security_and_use_aggressive_mode_psk}
397			{$accept_unencrypted}
398	4a076e36	Ermal LUÇI	cisco_unity = {$unity_enabled}
399	778d2ea9	Ermal LUÇI	{$ifacesuse}
400	0608bd3c	Ermal LUÇI	{$makebeforebreak}
401	7a683b46	Ermal LUÇI
402			# And two loggers using syslog. The subsections define the facility to log
403			# to, currently one of: daemon, auth.
404			syslog {
405			identifier = charon
406			# default level to the LOG_DAEMON facility
407			daemon {
408	db9e5154	Chris Buechler	ike_name = yes
409	7a683b46	Ermal LUÇI	}
410			# very minimalistic IKE auditing logs to LOG_AUTHPRIV
411			auth {
412			default = -1
413			ike = 1
414			ike_name = yes
415	7335fa53	Ermal	}
416	7a683b46	Ermal LUÇI	}
417	c6efc8fd	Ermal
418	496acde1	Ermal	EOD;
419
420	7a683b46	Ermal LUÇI	$strongswan .= "\tplugins {\n";
421
422	cb377516	Ingo Bauersachs	$a_servers = auth_get_authserver_list();
423			foreach ($a_servers as $id => $pconfig) {
424			if ($id == $config['ipsec']['client']['user_source'] && $pconfig['type'] == "radius") {
425			$strongswan .= <<<EOD
426			eap-radius {
427			class_group = yes
428			eap_start = no
429			servers {
430			primary {
431			address = {$pconfig['host']}
432			secret = {$pconfig['radius_secret']}
433			auth_port = {$pconfig['radius_auth_port']}
434			acct_port = {$pconfig['radius_acct_port']}
435			}
436			}
437			}
438
439			EOD;
440			break;
441			}
442			}
443
444	7a683b46	Ermal LUÇI	if (is_array($a_client) && isset($a_client['enable'])) {
445			$strongswan .= "\t\tattr {\n";
446	79262830	Phil Davis	if ($a_client['pool_address'] && $a_client['pool_netbits']) {
447	7a683b46	Ermal LUÇI	$strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
448	79262830	Phil Davis	}
449	7a683b46	Ermal LUÇI
450			$cfgservers = array();
451	79262830	Phil Davis	if (!empty($a_client['dns_server1'])) {
452	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['dns_server1'];
453	79262830	Phil Davis	}
454			if (!empty($a_client['dns_server2'])) {
455	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['dns_server2'];
456	79262830	Phil Davis	}
457			if (!empty($a_client['dns_server3'])) {
458	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['dns_server3'];
459	79262830	Phil Davis	}
460			if (!empty($a_client['dns_server4'])) {
461	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['dns_server4'];
462	79262830	Phil Davis	}
463	7a683b46	Ermal LUÇI
464	79262830	Phil Davis	if (!empty($cfgservers)) {
465	7a683b46	Ermal LUÇI	$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
466	79262830	Phil Davis	}
467	7a683b46	Ermal LUÇI	unset($cfgservers);
468			$cfgservers = array();
469	79262830	Phil Davis	if (!empty($a_client['wins_server1'])) {
470	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['wins_server1'];
471	79262830	Phil Davis	}
472			if (!empty($a_client['wins_server2'])) {
473	7a683b46	Ermal LUÇI	$cfgservers[] = $a_client['wins_server2'];
474	79262830	Phil Davis	}
475			if (!empty($cfgservers)) {
476	7a683b46	Ermal LUÇI	$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
477	79262830	Phil Davis	}
478	7a683b46	Ermal LUÇI	unset($cfgservers);
479
480	588d3cf6	Renato Botelho	if (isset($a_client['net_list']) && is_array($a_phase2)) {
481	7a683b46	Ermal LUÇI	$net_list = '';
482			foreach ($a_phase2 as $ph2ent) {
483	79262830	Phil Davis	if (isset($ph2ent['disabled'])) {
484	7a683b46	Ermal LUÇI	continue;
485	79262830	Phil Davis	}
486	496acde1	Ermal
487	79262830	Phil Davis	if (!isset($ph2ent['mobile'])) {
488	7a683b46	Ermal LUÇI	continue;
489	79262830	Phil Davis	}
490	496acde1	Ermal
491	7a683b46	Ermal LUÇI	$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
492	496acde1	Ermal
493	79262830	Phil Davis	if (!empty($net_list)) {
494	7a683b46	Ermal LUÇI	$net_list .= ",";
495	79262830	Phil Davis	}
496	7a683b46	Ermal LUÇI	$net_list .= $localid;
497	496acde1	Ermal	}
498
499	7a683b46	Ermal LUÇI	if (!empty($net_list)) {
500			$strongswan .= "\t\t\tsplit-include = {$net_list}\n";
501			unset($net_list);
502	496acde1	Ermal	}
503	7a683b46	Ermal LUÇI	}
504	496acde1	Ermal
505	7a683b46	Ermal LUÇI	if (!empty($a_client['dns_domain'])) {
506			$strongswan .= "\t\t\t# Search domain and default domain\n";
507	d17ad7f5	Ermal LUÇI	$strongswan .= "\t\t\t28674 = \"{$a_client['dns_domain']}\"\n";
508	e1c4a5ff	Ermal LUÇI	if (empty($a_client['dns_split'])) {
509	d17ad7f5	Ermal LUÇI	$strongswan .= "\t\t\t28675 = \"{$a_client['dns_domain']}\"";
510	e1c4a5ff	Ermal LUÇI	}
511	7a683b46	Ermal LUÇI	$strongswan .= "\n";
512			}
513	496acde1	Ermal
514	7a683b46	Ermal LUÇI	if (!empty($a_client['dns_split'])) {
515	883096d8	Ermal LUÇI	$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
516	7a683b46	Ermal LUÇI	}
517	496acde1	Ermal
518	79262830	Phil Davis	if (!empty($a_client['login_banner'])) {
519	d17ad7f5	Ermal LUÇI	$strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n";
520	79262830	Phil Davis	}
521	7a683b46	Ermal LUÇI
522	79262830	Phil Davis	if (isset($a_client['save_passwd'])) {
523	7a683b46	Ermal LUÇI	$strongswan .= "\t\t\t28673 = 1\n";
524	79262830	Phil Davis	}
525	7a683b46	Ermal LUÇI
526	79262830	Phil Davis	if ($a_client['pfs_group']) {
527	d17ad7f5	Ermal LUÇI	$strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n";
528	79262830	Phil Davis	}
529	7a683b46	Ermal LUÇI	$strongswan .= "\t\t}\n";
530
531			if ($a_client['user_source'] != "none") {
532			$strongswan .= "\t\txauth-generic {\n";
533			$strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
534			$strongswan .= "\t\t\tauthcfg = ";
535			$firstsed = 0;
536			$authcfgs = explode(",", $a_client['user_source']);
537			foreach ($authcfgs as $authcfg) {
538	79262830	Phil Davis	if ($firstsed > 0) {
539	7a683b46	Ermal LUÇI	$strongswan .= ",";
540	79262830	Phil Davis	}
541			if ($authcfg == "system") {
542	7a683b46	Ermal LUÇI	$authcfg = "Local Database";
543	79262830	Phil Davis	}
544	7a683b46	Ermal LUÇI	$strongswan .= $authcfg;
545			$firstsed = 1;
546	91287d1f	Ermal	}
547	7a683b46	Ermal LUÇI	$strongswan .= "\n";
548			$strongswan .= "\t\t}\n";
549	496acde1	Ermal	}
550	7a683b46	Ermal LUÇI	}
551	496acde1	Ermal
552	7a683b46	Ermal LUÇI	$strongswan .= "\t}\n}\n";
553			@file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
554			unset($strongswan);
555	8f67a8e1	Scott Ullrich
556	7a683b46	Ermal LUÇI	/* generate CA certificates files */
557			if (is_array($config['ca']) && count($config['ca'])) {
558			foreach ($config['ca'] as $ca) {
559			if (!isset($ca['crt'])) {
560			log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
561			continue;
562			}
563			$cert = base64_decode($ca['crt']);
564			$x509cert = openssl_x509_parse(openssl_x509_read($cert));
565			if (!is_array($x509cert) \|\| !isset($x509cert['hash'])) {
566			log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
567			continue;
568	a93e56c5	Matthew Grooms	}
569	7a683b46	Ermal LUÇI	$fname = "{$capath}/{$x509cert['hash']}.0.crt";
570			if (!@file_put_contents($fname, $cert)) {
571			log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
572			continue;
573			}
574			unset($cert);
575	a93e56c5	Matthew Grooms	}
576	7a683b46	Ermal LUÇI	}
577	09628a07	Renato Botelho
578	7a683b46	Ermal LUÇI	$pskconf = "";
579	037b51b3	Seth Mos
580	7a683b46	Ermal LUÇI	if (is_array($a_phase1) && count($a_phase1)) {
581			foreach ($a_phase1 as $ph1ent) {
582	a93e56c5	Matthew Grooms
583	79262830	Phil Davis	if (isset($ph1ent['disabled'])) {
584	7a683b46	Ermal LUÇI	continue;
585	79262830	Phil Davis	}
586	a93e56c5	Matthew Grooms
587	07d0d1b2	Ermal LUÇI	if (strstr($ph1ent['authentication_method'], 'rsa') \|\|
588	cb377516	Ingo Bauersachs	in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) {
589	7a683b46	Ermal LUÇI	$certline = '';
590	a93e56c5	Matthew Grooms
591	7a683b46	Ermal LUÇI	$ikeid = $ph1ent['ikeid'];
592			$cert = lookup_cert($ph1ent['certref']);
593	496acde1	Ermal
594	7a683b46	Ermal LUÇI	if (!$cert) {
595			log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
596			continue;
597			}
598	496acde1	Ermal
599	7a683b46	Ermal LUÇI	@chmod($certpath, 0600);
600	496acde1	Ermal
601	7a683b46	Ermal LUÇI	$ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
602			if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
603			log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
604			continue;
605			}
606			@chmod($ph1keyfile, 0600);
607	496acde1	Ermal
608	7a683b46	Ermal LUÇI	$ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
609			if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
610			log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
611			@unlink($ph1keyfile);
612			continue;
613			}
614			@chmod($ph1certfile, 0600);
615	fa4e059e	Ermal
616	7a683b46	Ermal LUÇI	/* XXX" Traffic selectors? */
617			$pskconf .= " : RSA {$ph1keyfile}\n";
618			} else {
619	5324ea38	Ermal LUÇI	list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
620			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
621	496acde1	Ermal
622	79262830	Phil Davis	if (empty($peerid_data)) {
623	7a683b46	Ermal LUÇI	continue;
624	79262830	Phil Davis	}
625	496acde1	Ermal
626	13403bd1	Ermal LUÇI	$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";
627	5324ea38	Ermal LUÇI	$peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : '';
628	13403bd1	Ermal LUÇI	if (!empty($ph1ent['pre-shared-key'])) {
629	79262830	Phil Davis	if ($myid_type == 'fqdn' && !empty($myid_data)) {
630	69f7d82f	Ermal	$pskconf .= "@{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
631	79262830	Phil Davis	} else {
632	69f7d82f	Ermal	$pskconf .= "{$myid} {$peerid} : PSK 0s" . base64_encode(trim($ph1ent['pre-shared-key'])) . "\n";
633	79262830	Phil Davis	}
634	13403bd1	Ermal LUÇI	}
635	5b237745	Scott Ullrich	}
636	a93e56c5	Matthew Grooms	}
637	7a683b46	Ermal LUÇI	}
638	a93e56c5	Matthew Grooms
639	7a683b46	Ermal LUÇI	/* Add user PSKs */
640			if (is_array($config['system']) && is_array($config['system']['user'])) {
641			foreach ($config['system']['user'] as $user) {
642			if (!empty($user['ipsecpsk'])) {
643	69f7d82f	Ermal	$pskconf .= "%any {$user['name']} : PSK 0s" . base64_encode($user['ipsecpsk']) . "\n";
644	4ed2dde7	jim-p	}
645			}
646	7a683b46	Ermal LUÇI	unset($user);
647			}
648	4ed2dde7	jim-p
649	7a683b46	Ermal LUÇI	/* add PSKs for mobile clients */
650			if (is_array($ipseccfg['mobilekey'])) {
651			foreach ($ipseccfg['mobilekey'] as $key) {
652	79262830	Phil Davis	if ($key['ident'] == "allusers") {
653	7f69cbe7	Ermal LUÇI	$key['ident'] = '%any';
654	79262830	Phil Davis	}
655			if (empty($key['type'])) {
656	10e2acb5	Ermal LUÇI	$key['type'] = 'PSK';
657	79262830	Phil Davis	}
658	10e2acb5	Ermal LUÇI	$pskconf .= "%any {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
659	2ef1b601	jim-p	}
660	7a683b46	Ermal LUÇI	unset($key);
661			}
662	2ef1b601	jim-p
663	7a683b46	Ermal LUÇI	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
664			chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
665			unset($pskconf);
666	09628a07	Renato Botelho
667	86e1846f	Ermal LUÇI	$uniqueids = 'yes';
668			if (!empty($config['ipsec']['uniqueids'])) {
669	0ca36ca3	benny	if (array_key_exists($config['ipsec']['uniqueids'], $ipsec_idhandling))
670	86e1846f	Ermal LUÇI	$uniqueids = $config['ipsec']['uniqueids'];
671			}
672	7a683b46	Ermal LUÇI	$natfilterrules = false;
673			/* begin ipsec.conf */
674			$ipsecconf = "";
675	40cc36d1	Ermal LUÇI	$enablecompression = false;
676	7a683b46	Ermal LUÇI	if (is_array($a_phase1) && count($a_phase1)) {
677	17da6c79	Scott Ullrich
678	7a683b46	Ermal LUÇI	$ipsecconf .= "# This file is automatically generated. Do not edit\n";
679	86e1846f	Ermal LUÇI	$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
680	7a683b46	Ermal LUÇI	$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
681	4178a1dd	jim-p
682	0a9e6c85	Chris Buechler	if (!isset($config['ipsec']['noshuntlaninterfaces'])) {
683	0887e836	Ermal LUÇI	if ($config['interfaces']['lan']) {
684			$lanip = get_interface_ip("lan");
685			if (!empty($lanip) && is_ipaddrv4($lanip)) {
686			$lansn = get_interface_subnet("lan");
687			$lansa = gen_subnet($lanip, $lansn);
688			$ipsecconf .= <<<EOD
689	755b75c7	Ermal LUÇI
690	0887e836	Ermal LUÇI	conn bypasslan
691	0a9e6c85	Chris Buechler	leftsubnet = {$lanip}/32
692			rightsubnet = {$lansa}/{$lansn}
693			authby = never
694			type = passthrough
695			auto = route
696	0887e836	Ermal LUÇI
697			EOD;
698			}
699			}
700			}
701
702	7a683b46	Ermal LUÇI	foreach ($a_phase1 as $ph1ent) {
703	79262830	Phil Davis	if (isset($ph1ent['disabled'])) {
704	7a683b46	Ermal LUÇI	continue;
705	79262830	Phil Davis	}
706	96267107	Ermal
707	79262830	Phil Davis	if ($ph1ent['mode'] == "aggressive") {
708	7a683b46	Ermal LUÇI	$aggressive = "yes";
709	79262830	Phil Davis	} else {
710	7a683b46	Ermal LUÇI	$aggressive = "no";
711	79262830	Phil Davis	}
712	7a683b46	Ermal LUÇI
713			$ep = ipsec_get_phase1_src($ph1ent);
714	79262830	Phil Davis	if (!$ep) {
715	7a683b46	Ermal LUÇI	continue;
716	79262830	Phil Davis	}
717	7a683b46	Ermal LUÇI
718			$ikeid = $ph1ent['ikeid'];
719			$keyexchange = "ikev1";
720			$passive = "route";
721			if (!empty($ph1ent['iketype'])) {
722			if ($ph1ent['iketype'] == "ikev2") {
723			$keyexchange = "ikev2";
724			//$passive = "start";
725	79262830	Phil Davis	} else if ($ph1ent['iketype'] == "auto") {
726	7a683b46	Ermal LUÇI	$keyexchange = "ike";
727	79262830	Phil Davis	}
728	7a683b46	Ermal LUÇI	}
729	0b5fc1d1	Ermal
730	7a683b46	Ermal LUÇI	if (isset($ph1ent['mobile'])) {
731			$right_spec = "%any";
732			$passive = 'add';
733	95783403	Ermal LUÇI	} else {
734	79262830	Phil Davis	if (isset($ph1ent['responderonly'])) {
735	87808568	Ermal LUÇI	$passive = 'add';
736	79262830	Phil Davis	}
737	87808568	Ermal LUÇI
738	7a683b46	Ermal LUÇI	$right_spec = $ph1ent['remote-gateway'];
739	79262830	Phil Davis	if (is_ipaddr($right_spec)) {
740	7f9844c2	Ermal LUÇI	$sourcehost = $right_spec;
741	79262830	Phil Davis	} else {
742	7f9844c2	Ermal LUÇI	$sourcehost = $rgmap['remote-gateway'];
743	79262830	Phil Davis	}
744	7f9844c2	Ermal LUÇI
745	c7d44786	Ermal LUÇI	if ($ph1ent['protocol'] == 'inet') {
746	95783403	Ermal LUÇI	if (strpos($ph1ent['interface'], '_vip')) {
747			$vpninterface = explode('_vip', $ph1ent['interface']);
748			$ifacesuse = get_real_interface($vpninterface[0]);
749	52b25e81	Ermal LUÇI	$vpninterface = $vpninterface[0];
750	95783403	Ermal LUÇI	} else {
751			$ifacesuse = get_failover_interface($ph1ent['interface']);
752	29de629e	Chris Buechler	if (strpos($ifacesuse, '_vip')) {
753			$vpninterface = explode('_vip', $ifacesuse);
754			$ifacesuse = get_real_interface($vpninterface[0]);
755			$vpninterface = $vpninterface[0];
756			} else {
757			$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
758			}
759	95783403	Ermal LUÇI	}
760	79262830	Phil Davis
761	52b25e81	Ermal LUÇI	if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
762	b61930dc	Ermal LUÇI	$gatewayip = get_interface_gateway($vpninterface);
763			$interfaceip = get_interface_ip($vpninterface);
764			$subnet_bits = get_interface_subnet($vpninterface);
765	95783403	Ermal LUÇI	$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
766			/* if the remote gateway is in the local subnet, then don't add a route */
767	b61930dc	Ermal LUÇI	if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
768	95783403	Ermal LUÇI	if (is_ipaddrv4($gatewayip)) {
769	1e453232	Ermal LUÇI	// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
770	b61930dc	Ermal LUÇI	mwexec("/sbin/route change -host {$sourcehost} {$gatewayip}", true);
771	95783403	Ermal LUÇI	}
772			}
773			}
774	c7d44786	Ermal LUÇI	} else if ($ph1ent['protocol'] == 'inet6') {
775	95783403	Ermal LUÇI	if (strpos($ph1ent['interface'], '_vip')) {
776			$vpninterface = explode('_vip', $ph1ent['interface']);
777			$ifacesuse = get_real_interface($vpninterface[0]);
778	52b25e81	Ermal LUÇI	$vpninterface = $vpninterface[0];
779	95783403	Ermal LUÇI	} else {
780			$ifacesuse = get_failover_interface($ph1ent['interface']);
781	c406924f	Chris Buechler	if (strpos($ifacesuse, '_vip')) {
782			$vpninterface = explode('_vip', $ifacesuse);
783			$ifacesuse = get_real_interface($vpninterface[0]);
784			$vpninterface = $vpninterface[0];
785			} else {
786			$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse);
787			}
788	95783403	Ermal LUÇI	}
789	79262830	Phil Davis
790	b61930dc	Ermal LUÇI	if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) {
791			$gatewayip = get_interface_gateway_v6($vpninterface);
792			$interfaceip = get_interface_ipv6($vpninterface);
793			$subnet_bits = get_interface_subnetv6($vpninterface);
794	95783403	Ermal LUÇI	$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
795			/* if the remote gateway is in the local subnet, then don't add a route */
796	b61930dc	Ermal LUÇI	if (!ip_in_subnet($sourcehost, "{$subnet_ip}/{$subnet_bits}")) {
797	95783403	Ermal LUÇI	if (is_ipaddrv6($gatewayip)) {
798	1e453232	Ermal LUÇI	// log_error("IPSEC interface is not WAN but {$ifacesuse}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
799	b61930dc	Ermal LUÇI	mwexec("/sbin/route change -inet6 -host {$sourcehost} {$gatewayip}", true);
800	95783403	Ermal LUÇI	}
801			}
802			}
803			}
804			}
805	7a683b46	Ermal LUÇI
806	5324ea38	Ermal LUÇI	list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local');
807	79262830	Phil Davis	if ($myid_type != 'address') {
808	5324ea38	Ermal LUÇI	$myid_data = "{$myid_type}:{$myid_data}";
809	79262830	Phil Davis	}
810	7a683b46	Ermal LUÇI
811			/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
812			$peerid_spec = '';
813	5324ea38	Ermal LUÇI	if (!isset($ph1ent['mobile'])) {
814			list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
815	79262830	Phil Davis	if ($peerid_type != 'address') {
816	5324ea38	Ermal LUÇI	$peerid_spec = "{$peerid_type}:{$peerid_data}";
817	79262830	Phil Davis	} else {
818	5324ea38	Ermal LUÇI	$peerid_spec = $peerid_data;
819	79262830	Phil Davis	}
820	5324ea38	Ermal LUÇI	}
821	7a683b46	Ermal LUÇI
822			if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
823			$ealgosp1 = '';
824			$ealg_id = $ph1ent['encryption-algorithm']['name'];
825			$ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
826	79262830	Phil Davis	if ($ealg_kl) {
827	7a683b46	Ermal LUÇI	$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
828	79262830	Phil Davis	} else {
829	7a683b46	Ermal LUÇI	$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
830	79262830	Phil Davis	}
831	0b5fc1d1	Ermal
832	7a683b46	Ermal LUÇI	$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
833	79262830	Phil Davis	if (!empty($modp)) {
834	7a683b46	Ermal LUÇI	$ealgosp1 .= "-{$modp}";
835	79262830	Phil Davis	}
836	0b5fc1d1	Ermal
837	7a683b46	Ermal LUÇI	$ealgosp1 .= "!";
838			}
839	c52719a8	Scott Ullrich
840	7a683b46	Ermal LUÇI	if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
841	79262830	Phil Davis	if ($passive == "route") {
842	7a683b46	Ermal LUÇI	$dpdline = "dpdaction = restart";
843	79262830	Phil Davis	} else {
844	7a683b46	Ermal LUÇI	$dpdline = "dpdaction = clear";
845	79262830	Phil Davis	}
846	7a683b46	Ermal LUÇI	$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
847			$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
848			$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
849	79262830	Phil Davis	} else {
850	7a683b46	Ermal LUÇI	$dpdline = "dpdaction = none";
851	79262830	Phil Davis	}
852	7a683b46	Ermal LUÇI
853			$ikelifeline = '';
854	79262830	Phil Davis	if ($ph1ent['lifetime']) {
855	7a683b46	Ermal LUÇI	$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
856	79262830	Phil Davis	}
857	7a683b46	Ermal LUÇI
858			$rightsourceip = NULL;
859	79262830	Phil Davis	if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) {
860	7a683b46	Ermal LUÇI	$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
861	79262830	Phil Davis	}
862	7a683b46	Ermal LUÇI
863			$authentication = "";
864			switch ($ph1ent['authentication_method']) {
865	79262830	Phil Davis	case 'eap-mschapv2':
866			if (isset($ph1ent['mobile'])) {
867			$authentication = "eap_identity=%any\n\t";
868			$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2";
869			if (!empty($ph1ent['certref'])) {
870			$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
871			}
872			}
873			break;
874			case 'eap-tls':
875			if (isset($ph1ent['mobile'])) {
876			$authentication = "eap_identity=%identity\n\t";
877			$authentication .= "leftauth=pubkey\n\trightauth=eap-tls";
878			if (!empty($ph1ent['certref'])) {
879			$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
880			}
881			} else {
882			$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
883			if (!empty($ph1ent['certref'])) {
884			$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
885			}
886	cb377516	Ingo Bauersachs	}
887			break;
888			case 'eap-radius':
889			if (isset($ph1ent['mobile'])) {
890			$authentication = "eap_identity=%identity\n\t";
891			$authentication .= "leftauth=pubkey\n\trightauth=eap-radius";
892			if (!empty($ph1ent['certref']))
893			$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
894			} else {
895			$authentication = "leftauth=eap-radius\n\trightauth=eap-radius";
896			if (!empty($ph1ent['certref'])) {
897			$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
898			}
899	79262830	Phil Davis	}
900			break;
901			case 'xauth_rsa_server':
902			$authentication = "leftauth = pubkey\n\trightauth = pubkey";
903			$authentication .= "\n\trightauth2 = xauth-generic";
904			if (!empty($ph1ent['certref'])) {
905	10e2acb5	Ermal LUÇI	$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
906	79262830	Phil Davis	}
907			break;
908			case 'xauth_psk_server':
909			$authentication = "leftauth = psk\n\trightauth = psk";
910			$authentication .= "\n\trightauth2 = xauth-generic";
911			break;
912			case 'pre_shared_key':
913			$authentication = "leftauth = psk\n\trightauth = psk";
914			break;
915			case 'rsasig':
916			$authentication = "leftauth = pubkey\n\trightauth = pubkey";
917			if (!empty($ph1ent['certref'])) {
918	54ab1bdc	Ermal LUÇI	$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
919	79262830	Phil Davis	}
920			break;
921			case 'hybrid_rsa_server':
922			$authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
923			$authentication .= "\n\trightauth2 = xauth";
924			if (!empty($ph1ent['certref'])) {
925	54ab1bdc	Ermal LUÇI	$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
926	79262830	Phil Davis	}
927			break;
928	7a683b46	Ermal LUÇI	}
929	b4ad5b1c	Ermal
930	7a683b46	Ermal LUÇI	$left_spec = $ep;
931	c52719a8	Scott Ullrich
932	79262830	Phil Davis	if (isset($ph1ent['reauth_enable'])) {
933	7a683b46	Ermal LUÇI	$reauth = "reauth = no";
934	79262830	Phil Davis	} else {
935	7a683b46	Ermal LUÇI	$reauth = "reauth = yes";
936	79262830	Phil Davis	}
937			if (isset($ph1ent['rekey_enable'])) {
938	7a683b46	Ermal LUÇI	$rekey = "rekey = no";
939	79262830	Phil Davis	} else {
940	7a683b46	Ermal LUÇI	$rekey = "rekey = yes";
941	79262830	Phil Davis	}
942	16c02722	Ermal
943	79262830	Phil Davis	if ($ph1ent['nat_traversal'] == 'off') {
944	7a683b46	Ermal LUÇI	$forceencaps = 'forceencaps = no';
945	79262830	Phil Davis	} else if ($ph1ent['nat_traversal'] == 'force') {
946	7a683b46	Ermal LUÇI	$forceencaps = 'forceencaps = yes';
947	79262830	Phil Davis	} else {
948	7a683b46	Ermal LUÇI	$forceencaps = 'forceencaps = no';
949	79262830	Phil Davis	}
950
951			if ($ph1ent['mobike'] == 'on') {
952	065e78b3	Chris Buechler	$mobike = 'mobike = yes';
953	79262830	Phil Davis	} else {
954	065e78b3	Chris Buechler	$mobike = 'mobike = no';
955	79262830	Phil Davis	}
956	7a683b46	Ermal LUÇI
957			$ipseclifetime = 0;
958			$rightsubnet_spec = array();
959			$leftsubnet_spec = array();
960	1fe208ec	Ermal LUÇI	$reqids = array();
961	7a683b46	Ermal LUÇI	$ealgoAHsp2arr = array();
962			$ealgoESPsp2arr = array();
963			if (is_array($a_phase2) && count($a_phase2)) {
964			foreach ($a_phase2 as $ph2ent) {
965	79262830	Phil Davis	if ($ikeid != $ph2ent['ikeid']) {
966	7a683b46	Ermal LUÇI	continue;
967	79262830	Phil Davis	}
968	c52719a8	Scott Ullrich
969	79262830	Phil Davis	if (isset($ph2ent['disabled'])) {
970	7a683b46	Ermal LUÇI	continue;
971	79262830	Phil Davis	}
972	6586b30f	Ermal
973	79262830	Phil Davis	if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) {
974	7a683b46	Ermal LUÇI	continue;
975	79262830	Phil Davis	}
976	96ef83a7	jim-p
977	7a683b46	Ermal LUÇI	if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
978			$tunneltype = "type = tunnel";
979	c52719a8	Scott Ullrich
980	7a683b46	Ermal LUÇI	$localid_type = $ph2ent['localid']['type'];
981			$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
982	d8cb5ff3	Ermal LUÇI
983	7a683b46	Ermal LUÇI	/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
984	79262830	Phil Davis	if (($localid_type == "none" \|\| $localid_type == "mobile") &&
985			isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
986	7a683b46	Ermal LUÇI	$left_spec = '%any';
987			} else {
988			if ($localid_type != "address") {
989			$localid_type = "subnet";
990			}
991			// Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
992			if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
993			log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
994			continue;
995			}
996			if (!empty($ph2ent['natlocalid'])) {
997			$natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
998			if ($ph2ent['natlocalid']['type'] != "address") {
999	79262830	Phil Davis	if (is_subnet($natleftsubnet_data)) {
1000	7a683b46	Ermal LUÇI	$leftsubnet_data = "{$natleftsubnet_data}\|{$leftsubnet_data}";
1001	79262830	Phil Davis	}
1002	7a683b46	Ermal LUÇI	} else {
1003	79262830	Phil Davis	if (is_ipaddr($natleftsubnet_data)) {
1004	7a683b46	Ermal LUÇI	$leftsubnet_data = "{$natleftsubnet_data}\|{$leftsubnet_data}";
1005	79262830	Phil Davis	}
1006	3c107b76	Ermal	}
1007	7a683b46	Ermal LUÇI	$natfilterrules = true;
1008	20699f3f	jim-p	}
1009	7a683b46	Ermal LUÇI	}
1010	3462a529	Matthew Grooms
1011	d8cb5ff3	Ermal LUÇI	$leftsubnet_spec[] = $leftsubnet_data;
1012	0b5fc1d1	Ermal
1013	7a683b46	Ermal LUÇI	if (!isset($ph2ent['mobile'])) {
1014			$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
1015	d8cb5ff3	Ermal LUÇI	$rightsubnet_spec[] = $tmpsubnet;
1016	7a683b46	Ermal LUÇI	} else if (!empty($a_client['pool_address'])) {
1017	d8cb5ff3	Ermal LUÇI	$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
1018	7a683b46	Ermal LUÇI	}
1019			} else {
1020			$tunneltype = "type = transport";
1021	5b237745	Scott Ullrich
1022	7a683b46	Ermal LUÇI	if ((($ph1ent['authentication_method'] == "xauth_psk_server") \|\|
1023			($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
1024			$left_spec = "%any";
1025			} else {
1026			$tmpsubnet = ipsec_get_phase1_src($ph1ent);
1027	d8cb5ff3	Ermal LUÇI	$leftsubnet_spec[] = $tmpsubnet;
1028	7a683b46	Ermal LUÇI	}
1029	0b5fc1d1	Ermal
1030	7a683b46	Ermal LUÇI	if (!isset($ph2ent['mobile'])) {
1031	d8cb5ff3	Ermal LUÇI	$rightsubnet_spec[] = $right_spec;
1032	3462a529	Matthew Grooms	}
1033	7a683b46	Ermal LUÇI	}
1034	c52719a8	Scott Ullrich
1035	8b760d4b	Chris Buechler	if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) {
1036	7a683b46	Ermal LUÇI	$ph2ent['pfsgroup'] = $a_client['pfs_group'];
1037	79262830	Phil Davis	}
1038	7a683b46	Ermal LUÇI
1039			if ($ph2ent['protocol'] == 'esp') {
1040			if (is_array($ph2ent['encryption-algorithm-option'])) {
1041			foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
1042			$ealg_id = $ealg['name'];
1043			$ealg_kl = $ealg['keylen'];
1044
1045			if (!empty($ealg_kl) && $ealg_kl == "auto") {
1046	79262830	Phil Davis	if (empty($p2_ealgos) \|\| !is_array($p2_ealgos)) {
1047	7a683b46	Ermal LUÇI	require("ipsec.inc");
1048	79262830	Phil Davis	}
1049	7a683b46	Ermal LUÇI	$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
1050			$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
1051			$key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
1052			/* XXX: in some cases where include ordering is suspect these variables
1053			* are somehow 0 and we enter this loop forever and timeout after 900
1054			* seconds wrecking bootup */
1055			if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
1056			for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
1057			if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1058			foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
1059			$halgo = str_replace('hmac_', '', $halgo);
1060			$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
1061	496acde1	Ermal	$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1062	79262830	Phil Davis	if (!empty($modp)) {
1063	496acde1	Ermal	$tmpealgo .= "-{$modp}";
1064	79262830	Phil Davis	}
1065	0b5fc1d1	Ermal	$ealgoESPsp2arr[] = $tmpealgo;
1066	496acde1	Ermal	}
1067	7a683b46	Ermal LUÇI	} else {
1068			$tmpealgo = "{$ealg_id}{$keylen}";
1069	c650b2f7	Ermal	$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1070	79262830	Phil Davis	if (!empty($modp)) {
1071	c650b2f7	Ermal	$tmpealgo .= "-{$modp}";
1072	79262830	Phil Davis	}
1073	c650b2f7	Ermal	$ealgoESPsp2arr[] = $tmpealgo;
1074			}
1075	7a683b46	Ermal LUÇI	}
1076			}
1077			} else {
1078			if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1079			foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
1080			$halgo = str_replace('hmac_', '', $halgo);
1081			$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
1082	496acde1	Ermal	$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1083	79262830	Phil Davis	if (!empty($modp)) {
1084	496acde1	Ermal	$tmpealgo .= "-{$modp}";
1085	79262830	Phil Davis	}
1086	0b5fc1d1	Ermal	$ealgoESPsp2arr[] = $tmpealgo;
1087	496acde1	Ermal	}
1088	7a683b46	Ermal LUÇI	} else {
1089			$tmpealgo = "{$ealg_id}{$ealg_kl}";
1090			$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1091	79262830	Phil Davis	if (!empty($modp)) {
1092	7a683b46	Ermal LUÇI	$tmpealgo .= "-{$modp}";
1093	79262830	Phil Davis	}
1094	7a683b46	Ermal LUÇI	$ealgoESPsp2arr[] = $tmpealgo;
1095	a93e56c5	Matthew Grooms	}
1096	979cd6db	Scott Ullrich	}
1097	496acde1	Ermal	}
1098	7a683b46	Ermal LUÇI	}
1099			} else if ($ph2ent['protocol'] == 'ah') {
1100			if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
1101			$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
1102			foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
1103			$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
1104	79262830	Phil Davis	if (!empty($modp)) {
1105	7a683b46	Ermal LUÇI	$tmpAHalgo = "-{$modp}";
1106	79262830	Phil Davis	}
1107	7a683b46	Ermal LUÇI	$ealgoAHsp2arr[] = $tmpAHalgo;
1108	a93e56c5	Matthew Grooms	}
1109	a63f7d55	Scott Ullrich	}
1110	7a683b46	Ermal LUÇI	}
1111	c52719a8	Scott Ullrich
1112	1fe208ec	Ermal LUÇI	$reqids[] = $ph2ent['reqid'];
1113	4b96b367	mgrooms
1114	7a683b46	Ermal LUÇI	if (!empty($ph2ent['lifetime'])) {
1115	79262830	Phil Davis	if ($ipseclifetime == 0 \|\| intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
1116	7a683b46	Ermal LUÇI	$ipseclifetime = intval($ph2ent['lifetime']);
1117	79262830	Phil Davis	}
1118	0b5fc1d1	Ermal	}
1119	7a683b46	Ermal LUÇI
1120	0b5fc1d1	Ermal	}
1121	7a683b46	Ermal LUÇI	}
1122	496acde1	Ermal
1123	d8cb5ff3	Ermal LUÇI	$ipsecconnect =<<<EOD
1124	0b7f174c	Ermal LUÇI	fragmentation = yes
1125			keyexchange = {$keyexchange}
1126			{$reauth}
1127			{$forceencaps}
1128	065e78b3	Chris Buechler	{$mobike}
1129	0b7f174c	Ermal LUÇI	{$rekey}
1130			installpolicy = yes
1131			{$tunneltype}
1132			{$dpdline}
1133			auto = {$passive}
1134			left = {$left_spec}
1135			right = {$right_spec}
1136			leftid = {$myid_data}
1137	5b237745	Scott Ullrich
1138			EOD;
1139	4b96b367	mgrooms
1140	e57a3e40	Chris Buechler	if (isset($config['ipsec']['compression'])) {
1141	2a691e34	Chris Buechler	$ipsecconnect .= "\tcompress = yes\n";
1142	40cc36d1	Ermal LUÇI	$enablecompression = true;
1143			}
1144	79262830	Phil Davis	if (!empty($ikelifeline)) {
1145	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\t{$ikelifeline}\n";
1146	79262830	Phil Davis	}
1147			if ($ipseclifetime > 0) {
1148	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
1149	79262830	Phil Davis	}
1150			if (!empty($rightsourceip)) {
1151	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "{$rightsourceip}";
1152	79262830	Phil Davis	}
1153			if (!empty($ealgosp1)) {
1154	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\t{$ealgosp1}\n";
1155	79262830	Phil Davis	}
1156			if (!empty($ealgoAHsp2arr)) {
1157	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
1158	79262830	Phil Davis	}
1159			if (!empty($ealgoESPsp2arr)) {
1160	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
1161	79262830	Phil Davis	}
1162			if (!empty($authentication)) {
1163	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\t{$authentication}\n";
1164	79262830	Phil Davis	}
1165			if (!empty($peerid_spec)) {
1166	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\trightid = {$peerid_spec}\n";
1167	79262830	Phil Davis	}
1168			if ($keyexchange == 'ikev1') {
1169	d8cb5ff3	Ermal LUÇI	$ipsecconnect .= "\taggressive = {$aggressive}\n";
1170	79262830	Phil Davis	}
1171	d8cb5ff3	Ermal LUÇI
1172			if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
1173			if (!empty($rightsubnet_spec)) {
1174			$ipsecfin = '';
1175			foreach ($rightsubnet_spec as $idx => $rsubnet) {
1176			$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
1177	79262830	Phil Davis	if (!empty($reqids[$idx])) {
1178	1ec35c4d	Ermal LUÇI	$ipsecfin .= "\treqid = " . $reqids[$idx] . "\n";
1179	79262830	Phil Davis	}
1180	d8cb5ff3	Ermal LUÇI	$ipsecfin .= $ipsecconnect;
1181			$ipsecfin .= "\trightsubnet = {$rsubnet}\n";
1182			$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
1183			}
1184	79262830	Phil Davis	} else {
1185	d8cb5ff3	Ermal LUÇI	log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
1186	79262830	Phil Davis	}
1187	d8cb5ff3	Ermal LUÇI	} else {
1188			$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
1189	79262830	Phil Davis	if (!empty($reqids[$idx])) {
1190	1ec35c4d	Ermal LUÇI	$ipsecfin .= "\treqid = " . $reqids[0] . "\n";
1191	79262830	Phil Davis	}
1192	d8cb5ff3	Ermal LUÇI	$ipsecfin .= $ipsecconnect;
1193	bfcb1e4a	Ermal LUÇI	if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
1194	d8cb5ff3	Ermal LUÇI	$tempsubnets = array();
1195	79262830	Phil Davis	foreach ($rightsubnet_spec as $rightsubnet) {
1196	d8cb5ff3	Ermal LUÇI	$tempsubnets[$rightsubnet] = $rightsubnet;
1197	79262830	Phil Davis	}
1198	d8cb5ff3	Ermal LUÇI	$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
1199			unset($tempsubnets, $rightsubnet);
1200			}
1201			if (!empty($leftsubnet_spec)) {
1202			$tempsubnets = array();
1203	79262830	Phil Davis	foreach ($leftsubnet_spec as $leftsubnet) {
1204	d8cb5ff3	Ermal LUÇI	$tempsubnets[$leftsubnet] = $leftsubnet;
1205	79262830	Phil Davis	}
1206	edda5d0b	Ermal LUÇI	$ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
1207	d8cb5ff3	Ermal LUÇI	unset($tempsubnets, $leftsubnet);
1208			}
1209			}
1210			$ipsecconf .= $ipsecfin;
1211			unset($ipsecfin);
1212	a93e56c5	Matthew Grooms	}
1213	496acde1	Ermal	}
1214	7a683b46	Ermal LUÇI
1215	496acde1	Ermal	@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
1216			unset($ipsecconf);
1217	6c576b27	Ermal	/* end ipsec.conf */
1218	496acde1	Ermal
1219	79262830	Phil Davis	if ($enablecompression === true) {
1220	40cc36d1	Ermal LUÇI	set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1);
1221	79262830	Phil Davis	} else {
1222	40cc36d1	Ermal LUÇI	set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0);
1223	79262830	Phil Davis	}
1224	40cc36d1	Ermal LUÇI
1225	79262830	Phil Davis	/* manage process */
1226	420fce04	Ermal LUÇI	if ($restart === true) {
1227	79262830	Phil Davis	mwexec("/usr/local/sbin/ipsec restart", false);
1228	496acde1	Ermal	} else {
1229	420fce04	Ermal LUÇI	if (isvalidpid("{$g['varrun_path']}/charon.pid")) {
1230			/* Read secrets */
1231			mwexec("/usr/local/sbin/ipsec rereadall", false);
1232			/* Update configuration changes */
1233			mwexec("/usr/local/sbin/ipsec update", false);
1234			} else {
1235	79262830	Phil Davis	mwexec("/usr/local/sbin/ipsec start", false);
1236	420fce04	Ermal LUÇI	}
1237	496acde1	Ermal	}
1238	9abaa8f7	Ermal
1239	79262830	Phil Davis	if ($natfilterrules == true) {
1240	496acde1	Ermal	filter_configure();
1241	79262830	Phil Davis	}
1242	496acde1	Ermal	/* start filterdns, if necessary */
1243			if (count($filterdns_list) > 0) {
1244			$interval = 60;
1245	79262830	Phil Davis	if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
1246	496acde1	Ermal	$interval = $ipseccfg['dns-interval'];
1247	79262830	Phil Davis	}
1248	496acde1	Ermal
1249			$hostnames = "";
1250			array_unique($filterdns_list);
1251	79262830	Phil Davis	foreach ($filterdns_list as $hostname) {
1252	496acde1	Ermal	$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n";
1253	79262830	Phil Davis	}
1254	496acde1	Ermal	file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames);
1255			unset($hostnames);
1256
1257	79262830	Phil Davis	if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) {
1258	496acde1	Ermal	sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP");
1259	79262830	Phil Davis	} else {
1260	496acde1	Ermal	mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1");
1261	5b237745	Scott Ullrich	}
1262	496acde1	Ermal	} else {
1263			killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
1264			@unlink("{$g['varrun_path']}/filterdns-ipsec.pid");
1265			}
1266	09628a07	Renato Botelho
1267	79262830	Phil Davis	if (platform_booting()) {
1268	496acde1	Ermal	echo "done\n";
1269	79262830	Phil Davis	}
1270	8f67a8e1	Scott Ullrich
1271	496acde1	Ermal	return count($filterdns_list);
1272	5b237745	Scott Ullrich	}
1273
1274	09628a07	Renato Botelho	/*
1275	52c9f9fa	Ermal	* Forcefully restart IPsec
1276	67ee1ec5	Ermal Luçi	* This is required for when dynamic interfaces reload
1277			* For all other occasions the normal vpn_ipsec_configure()
1278			* will gracefully reload the settings without restarting
1279			*/
1280	aa752473	Renato Botelho	function vpn_ipsec_force_reload($interface = "") {
1281			global $g, $config;
1282	67ee1ec5	Ermal Luçi
1283			$ipseccfg = $config['ipsec'];
1284
1285	aa752473	Renato Botelho	if (!empty($interface) && is_array($ipseccfg['phase1'])) {
1286			$found = false;
1287			foreach ($ipseccfg['phase1'] as $ipsec) {
1288			if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) {
1289			$found = true;
1290			break;
1291			}
1292			}
1293			if (!$found) {
1294	8b4abd59	Ermal	log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface));
1295	aa752473	Renato Botelho	return;
1296			}
1297			}
1298
1299	67ee1ec5	Ermal Luçi	/* if ipsec is enabled, start up again */
1300			if (isset($ipseccfg['enable'])) {
1301	8b4abd59	Ermal	log_error(gettext("Forcefully reloading IPsec"));
1302	67ee1ec5	Ermal Luçi	vpn_ipsec_configure();
1303			}
1304			}
1305
1306			/* master setup for vpn (mpd) */
1307			function vpn_setup() {
1308	7734aea6	Andrew Thompson	global $g;
1309
1310	79262830	Phil Davis	if ($g['platform'] == 'jail') {
1311	7734aea6	Andrew Thompson	return;
1312	79262830	Phil Davis	}
1313	7734aea6	Andrew Thompson
1314	67ee1ec5	Ermal Luçi	/* start pptpd */
1315			vpn_pptpd_configure();
1316
1317			/* start pppoe server */
1318	0e642c78	Ermal	vpn_pppoes_configure();
1319	67ee1ec5	Ermal Luçi
1320			/* setup l2tp */
1321			vpn_l2tp_configure();
1322			}
1323
1324	67b057a9	Ermal	function vpn_netgraph_support() {
1325			$iflist = get_configured_interface_list();
1326			foreach ($iflist as $iface) {
1327			$realif = get_real_interface($iface);
1328			/* Get support for netgraph(4) from the nic */
1329	c513c309	Ermal	$ifinfo = pfSense_get_interface_addresses($realif);
1330	79262830	Phil Davis	if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) {
1331	09628a07	Renato Botelho	pfSense_ngctl_attach(".", $realif);
1332	79262830	Phil Davis	}
1333	67b057a9	Ermal	}
1334			}
1335
1336	5b237745	Scott Ullrich	function vpn_pptpd_configure() {
1337			global $config, $g;
1338	c52719a8	Scott Ullrich
1339	5b237745	Scott Ullrich	$syscfg = $config['system'];
1340			$pptpdcfg = $config['pptpd'];
1341	c52719a8	Scott Ullrich
1342	285ef132	Ermal LUÇI	if (platform_booting()) {
1343	79262830	Phil Davis	if (!$pptpdcfg['mode'] \|\| ($pptpdcfg['mode'] == "off")) {
1344	5b237745	Scott Ullrich	return 0;
1345	79262830	Phil Davis	}
1346	c52719a8	Scott Ullrich
1347	79262830	Phil Davis	if (platform_booting(true)) {
1348	b8dd129d	Renato Botelho	echo gettext("Configuring PPTP VPN service... ");
1349	79262830	Phil Davis	}
1350	c52719a8	Scott Ullrich	} else {
1351	5b237745	Scott Ullrich	/* kill mpd */
1352	67ee1ec5	Ermal Luçi	killbypid("{$g['varrun_path']}/pptp-vpn.pid");
1353	c52719a8	Scott Ullrich
1354	5b237745	Scott Ullrich	/* wait for process to die */
1355	48bff85c	Scott Ullrich	sleep(3);
1356	c52719a8	Scott Ullrich
1357	979cd6db	Scott Ullrich	if (is_process_running("mpd -b")) {
1358	67ee1ec5	Ermal Luçi	killbypid("{$g['varrun_path']}/pptp-vpn.pid");
1359	89ceb4ba	Renato Botelho	log_error(gettext("Could not kill mpd within 3 seconds. Trying again."));
1360	48bff85c	Scott Ullrich	}
1361	c52719a8	Scott Ullrich
1362	5b237745	Scott Ullrich	/* remove mpd.conf, if it exists */
1363	67ee1ec5	Ermal Luçi	unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.conf");
1364			unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.links");
1365			unlink_if_exists("{$g['varetc_path']}/pptp-vpn/mpd.secret");
1366	5b237745	Scott Ullrich	}
1367	c52719a8	Scott Ullrich
1368	1fb8d314	Ermal	if (empty($pptpdcfg['n_pptp_units'])) {
1369			log_error("Something wrong in the PPTPd configuration. Preventing starting the daemon because issues would arise.");
1370	09628a07	Renato Botelho	return;
1371	1fb8d314	Ermal	}
1372
1373	67ee1ec5	Ermal Luçi	/* make sure pptp-vpn directory exists */
1374	79262830	Phil Davis	if (!file_exists("{$g['varetc_path']}/pptp-vpn")) {
1375	67ee1ec5	Ermal Luçi	mkdir("{$g['varetc_path']}/pptp-vpn");
1376	79262830	Phil Davis	}
1377	c52719a8	Scott Ullrich
1378	5b237745	Scott Ullrich	switch ($pptpdcfg['mode']) {
1379	79262830	Phil Davis	case 'server':
1380	5b237745	Scott Ullrich	/* write mpd.conf */
1381	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w");
1382	5b237745	Scott Ullrich	if (!$fd) {
1383	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.conf in vpn_pptpd_configure().") . "\n");
1384	5b237745	Scott Ullrich	return 1;
1385			}
1386	c52719a8	Scott Ullrich
1387	045c9cc9	sullrich	$mpdconf = <<<EOD
1388	a6607b5f	jim-p	pptps:
1389	5b237745	Scott Ullrich
1390			EOD;
1391
1392	f2b4ff2b	sullrich	for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
1393	5b237745	Scott Ullrich	$mpdconf .= " load pt{$i}\n";
1394			}
1395	c52719a8	Scott Ullrich
1396	f2b4ff2b	sullrich	for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
1397	c52719a8	Scott Ullrich
1398	96033063	Erik Fonnesbeck	$clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);
1399	c52719a8	Scott Ullrich
1400	045c9cc9	sullrich	$mpdconf .= <<<EOD
1401	5b237745	Scott Ullrich
1402			pt{$i}:
1403	bfa6d878	Ermal Lu?i	new -i pptpd{$i} pt{$i} pt{$i}
1404	045c9cc9	sullrich	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
1405	979cd6db	Scott Ullrich	load pts
1406	5b237745	Scott Ullrich
1407			EOD;
1408			}
1409	c52719a8	Scott Ullrich
1410	979cd6db	Scott Ullrich	$mpdconf .=<<<EOD
1411	5b237745	Scott Ullrich
1412	979cd6db	Scott Ullrich	pts:
1413	5b237745	Scott Ullrich	set iface disable on-demand
1414			set iface enable proxy-arp
1415	07cae4b2	Scott Ullrich	set iface enable tcpmssfix
1416	979cd6db	Scott Ullrich	set iface idle 1800
1417	e9a95ac8	jim-p	set iface up-script /usr/local/sbin/vpn-linkup
1418			set iface down-script /usr/local/sbin/vpn-linkdown
1419	5b237745	Scott Ullrich	set bundle enable multilink
1420	979cd6db	Scott Ullrich	set bundle enable crypt-reqd
1421	5b237745	Scott Ullrich	set link yes acfcomp protocomp
1422			set link no pap chap
1423	979cd6db	Scott Ullrich	set link enable chap-msv2
1424	ee953edc	Scott Ullrich	set link mtu 1460
1425	5b237745	Scott Ullrich	set link keep-alive 10 60
1426			set ipcp yes vjcomp
1427			set bundle enable compression
1428			set ccp yes mppc
1429			set ccp yes mpp-e128
1430			set ccp yes mpp-stateless
1431
1432			EOD;
1433	c52719a8	Scott Ullrich
1434	979cd6db	Scott Ullrich	if (!isset ($pptpdcfg['req128'])) {
1435			$mpdconf .=<<<EOD
1436	5b237745	Scott Ullrich	set ccp yes mpp-e40
1437	979cd6db	Scott Ullrich	set ccp yes mpp-e56
1438	5b237745	Scott Ullrich
1439			EOD;
1440			}
1441	c8c416db	Scott Ullrich
1442	79262830	Phil Davis	if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") {
1443	979cd6db	Scott Ullrich	$mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n";
1444	79262830	Phil Davis	}
1445	09f2bf85	jim-p
1446			if (!empty($pptpdcfg['dns1'])) {
1447			$mpdconf .= " set ipcp dns " . $pptpdcfg['dns1'];
1448	79262830	Phil Davis	if (!empty($pptpdcfg['dns2'])) {
1449	09f2bf85	jim-p	$mpdconf .= " " . $pptpdcfg['dns2'];
1450	79262830	Phil Davis	}
1451	09f2bf85	jim-p	$mpdconf .= "\n";
1452			} elseif (isset ($config['dnsmasq']['enable'])) {
1453			$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1454	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1455	09f2bf85	jim-p	$mpdconf .= " " . $syscfg['dnsserver'][0];
1456	79262830	Phil Davis	}
1457	09f2bf85	jim-p	$mpdconf .= "\n";
1458	ad750d3b	Warren Baker	} elseif (isset($config['unbound']['enable'])) {
1459			$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1460	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1461	ad750d3b	Warren Baker	$mpdconf .= " " . $syscfg['dnsserver'][0];
1462	79262830	Phil Davis	}
1463	ad750d3b	Warren Baker	$mpdconf .= "\n";
1464	09f2bf85	jim-p	} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
1465			$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
1466			}
1467	07cae4b2	Scott Ullrich
1468	71569a7e	jim-p	if (isset ($pptpdcfg['radius']['server']['enable'])) {
1469			$authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
1470	979cd6db	Scott Ullrich	$acctport = $authport + 1;
1471			$mpdconf .=<<<EOD
1472	71569a7e	jim-p	set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}
1473	35b91f77	sullrich
1474	71569a7e	jim-p	EOD;
1475	79262830	Phil Davis	if (isset ($pptpdcfg['radius']['server2']['enable'])) {
1476			$authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
1477			$acctport = $authport + 1;
1478			$mpdconf .=<<<EOD
1479	846a6dc2	jim-p	set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}
1480	35b91f77	sullrich
1481	71569a7e	jim-p	EOD;
1482	79262830	Phil Davis	}
1483			$mpdconf .=<<<EOD
1484	5b237745	Scott Ullrich	set radius retries 3
1485	979cd6db	Scott Ullrich	set radius timeout 10
1486	0af9dba4	Ermal Lu?i	set auth enable radius-auth
1487	5b237745	Scott Ullrich
1488			EOD;
1489
1490	979cd6db	Scott Ullrich	if (isset ($pptpdcfg['radius']['accounting'])) {
1491			$mpdconf .=<<<EOD
1492	0af9dba4	Ermal Lu?i	set auth enable radius-acct
1493	979cd6db	Scott Ullrich	set radius acct-update 300
1494	5b237745	Scott Ullrich
1495			EOD;
1496			}
1497			}
1498
1499			fwrite($fd, $mpdconf);
1500			fclose($fd);
1501	a49784a2	Ermal	unset($mpdconf);
1502	c52719a8	Scott Ullrich
1503	5b237745	Scott Ullrich	/* write mpd.links */
1504	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.links", "w");
1505	5b237745	Scott Ullrich	if (!$fd) {
1506	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.links in vpn_pptpd_configure().") . "\n");
1507	5b237745	Scott Ullrich	return 1;
1508			}
1509	c52719a8	Scott Ullrich
1510	5b237745	Scott Ullrich	$mpdlinks = "";
1511	c52719a8	Scott Ullrich
1512	a56120f2	Ermal Lu?i	for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
1513	979cd6db	Scott Ullrich	$mpdlinks .=<<<EOD
1514	5b237745	Scott Ullrich
1515			pt{$i}:
1516			set link type pptp
1517			set pptp enable incoming
1518			set pptp disable originate
1519	979cd6db	Scott Ullrich	set pptp disable windowing
1520	5b237745	Scott Ullrich
1521			EOD;
1522			}
1523
1524			fwrite($fd, $mpdlinks);
1525			fclose($fd);
1526	a49784a2	Ermal	unset($mpdlinks);
1527	c52719a8	Scott Ullrich
1528	5b237745	Scott Ullrich	/* write mpd.secret */
1529	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.secret", "w");
1530	5b237745	Scott Ullrich	if (!$fd) {
1531	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.secret in vpn_pptpd_configure().") . "\n");
1532	5b237745	Scott Ullrich	return 1;
1533			}
1534	c52719a8	Scott Ullrich
1535	5b237745	Scott Ullrich	$mpdsecret = "";
1536	c52719a8	Scott Ullrich
1537	5b237745	Scott Ullrich	if (is_array($pptpdcfg['user'])) {
1538	4cf82d52	jim-p	foreach ($pptpdcfg['user'] as $user) {
1539	4222087e	jim-p	$pass = str_replace('\\', '\\\\', $user['password']);
1540			$pass = str_replace('"', '\"', $pass);
1541	4cf82d52	jim-p	$mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
1542			}
1543	5b237745	Scott Ullrich	}
1544
1545			fwrite($fd, $mpdsecret);
1546			fclose($fd);
1547	a49784a2	Ermal	unset($mpdsecret);
1548	67ee1ec5	Ermal Luçi	chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600);
1549	c52719a8	Scott Ullrich
1550	67b057a9	Ermal	vpn_netgraph_support();
1551
1552	5b237745	Scott Ullrich	/* fire up mpd */
1553	a6607b5f	jim-p	mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps");
1554	c52719a8	Scott Ullrich
1555	5b237745	Scott Ullrich	break;
1556	c52719a8	Scott Ullrich
1557	79262830	Phil Davis	case 'redir':
1558	5b237745	Scott Ullrich	break;
1559			}
1560	c52719a8	Scott Ullrich
1561	79262830	Phil Davis	if (platform_booting()) {
1562	a63f7d55	Scott Ullrich	echo "done\n";
1563	79262830	Phil Davis	}
1564	c52719a8	Scott Ullrich
1565	5b237745	Scott Ullrich	return 0;
1566			}
1567
1568	0e642c78	Ermal	function vpn_pppoes_configure() {
1569			global $config;
1570
1571			if (is_array($config['pppoes']['pppoe'])) {
1572	79262830	Phil Davis	foreach ($config['pppoes']['pppoe'] as $pppoe) {
1573	0e642c78	Ermal	vpn_pppoe_configure($pppoe);
1574	79262830	Phil Davis	}
1575	0e642c78	Ermal	}
1576			}
1577
1578			function vpn_pppoe_configure(&$pppoecfg) {
1579	06e69b03	Scott Ullrich	global $config, $g;
1580
1581			$syscfg = $config['system'];
1582
1583	48918ed5	Scott Ullrich	/* create directory if it does not exist */
1584	79262830	Phil Davis	if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) {
1585	0e642c78	Ermal	mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn");
1586	79262830	Phil Davis	}
1587	c52719a8	Scott Ullrich
1588	285ef132	Ermal LUÇI	if (platform_booting()) {
1589	79262830	Phil Davis	if (!$pppoecfg['mode'] \|\| ($pppoecfg['mode'] == "off")) {
1590	06e69b03	Scott Ullrich	return 0;
1591	79262830	Phil Davis	}
1592	06e69b03	Scott Ullrich
1593	d3d23754	Chris Buechler	echo gettext("Configuring PPPoE Server service... ");
1594	979cd6db	Scott Ullrich	} else {
1595			/* kill mpd */
1596	0e642c78	Ermal	killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
1597	979cd6db	Scott Ullrich
1598			/* wait for process to die */
1599			sleep(2);
1600
1601	06e69b03	Scott Ullrich	}
1602
1603			switch ($pppoecfg['mode']) {
1604
1605	79262830	Phil Davis	case 'server':
1606	06e69b03	Scott Ullrich
1607	0e642c78	Ermal	$pppoe_interface = get_real_interface($pppoecfg['interface']);
1608	0301deff	Scott Ullrich
1609	79262830	Phil Davis	if ($pppoecfg['paporchap'] == "chap") {
1610	979cd6db	Scott Ullrich	$paporchap = "set link enable chap";
1611	79262830	Phil Davis	} else {
1612	979cd6db	Scott Ullrich	$paporchap = "set link enable pap";
1613	79262830	Phil Davis	}
1614	979cd6db	Scott Ullrich
1615	06e69b03	Scott Ullrich	/* write mpd.conf */
1616	0e642c78	Ermal	$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
1617	06e69b03	Scott Ullrich	if (!$fd) {
1618	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.conf in vpn_pppoe_configure().") . "\n");
1619	06e69b03	Scott Ullrich	return 1;
1620			}
1621			$mpdconf = "\n\n";
1622	a6607b5f	jim-p	$mpdconf .= "poes:\n";
1623	06e69b03	Scott Ullrich
1624	a429d105	Scott Ullrich	for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
1625	0e642c78	Ermal	$mpdconf .= " load poes{$pppoecfg['pppoeid']}{$i}\n";
1626	06e69b03	Scott Ullrich	}
1627
1628	a429d105	Scott Ullrich	for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
1629	06e69b03	Scott Ullrich
1630	96033063	Erik Fonnesbeck	$clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);
1631	c52719a8	Scott Ullrich
1632	b0943409	Ermal	if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) {
1633	5dfdc1fb	Scott Ullrich	$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
1634	5264023a	Scott Ullrich	} else {
1635			$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
1636	5dfdc1fb	Scott Ullrich	}
1637	c52719a8	Scott Ullrich
1638	979cd6db	Scott Ullrich	$mpdconf .=<<<EOD
1639	06e69b03	Scott Ullrich
1640	0e642c78	Ermal	poes{$pppoecfg['pppoeid']}{$i}:
1641			new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i}
1642	5dfdc1fb	Scott Ullrich	{$isssue_ip_type}
1643	f856e762	jim-p	load pppoe_standard
1644	06e69b03	Scott Ullrich
1645			EOD;
1646			}
1647
1648	979cd6db	Scott Ullrich	$mpdconf .=<<<EOD
1649	06e69b03	Scott Ullrich
1650	f856e762	jim-p	pppoe_standard:
1651	979cd6db	Scott Ullrich	set bundle no multilink
1652			set bundle enable compression
1653	78155ff9	Scott Ullrich	set auth max-logins 1
1654	e9a95ac8	jim-p	set iface up-script /usr/local/sbin/vpn-linkup
1655			set iface down-script /usr/local/sbin/vpn-linkdown
1656	979cd6db	Scott Ullrich	set iface idle 0
1657	06e69b03	Scott Ullrich	set iface disable on-demand
1658			set iface disable proxy-arp
1659			set iface enable tcpmssfix
1660	979cd6db	Scott Ullrich	set iface mtu 1500
1661	06e69b03	Scott Ullrich	set link no pap chap
1662	979cd6db	Scott Ullrich	{$paporchap}
1663			set link keep-alive 60 180
1664			set ipcp yes vjcomp
1665			set ipcp no vjcomp
1666			set link max-redial -1
1667			set link mtu 1492
1668			set link mru 1492
1669	06e69b03	Scott Ullrich	set ccp yes mpp-e40
1670			set ccp yes mpp-e128
1671			set ccp yes mpp-stateless
1672	979cd6db	Scott Ullrich	set link latency 1
1673			#set ipcp dns 10.10.1.3
1674			#set bundle accept encryption
1675	06e69b03	Scott Ullrich
1676	c8c416db	Scott Ullrich	EOD;
1677
1678	09f2bf85	jim-p	if (!empty($pppoecfg['dns1'])) {
1679			$mpdconf .= " set ipcp dns " . $pppoecfg['dns1'];
1680	79262830	Phil Davis	if (!empty($pppoecfg['dns2'])) {
1681	09f2bf85	jim-p	$mpdconf .= " " . $pppoecfg['dns2'];
1682	79262830	Phil Davis	}
1683	09f2bf85	jim-p	$mpdconf .= "\n";
1684			} elseif (isset ($config['dnsmasq']['enable'])) {
1685	a55e9c70	Ermal Lu?i	$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1686	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1687	06e69b03	Scott Ullrich	$mpdconf .= " " . $syscfg['dnsserver'][0];
1688	79262830	Phil Davis	}
1689	06e69b03	Scott Ullrich	$mpdconf .= "\n";
1690	ad750d3b	Warren Baker	} elseif (isset ($config['unbound']['enable'])) {
1691			$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1692	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1693	ad750d3b	Warren Baker	$mpdconf .= " " . $syscfg['dnsserver'][0];
1694	79262830	Phil Davis	}
1695	ad750d3b	Warren Baker	$mpdconf .= "\n";
1696	09f2bf85	jim-p	} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
1697	979cd6db	Scott Ullrich	$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
1698	09f2bf85	jim-p	}
1699	07cae4b2	Scott Ullrich
1700	37d7de2d	jim-p	if (isset ($pppoecfg['radius']['server']['enable'])) {
1701	c3583058	Ermal	$radiusport = "";
1702			$radiusacctport = "";
1703	79262830	Phil Davis	if (isset($pppoecfg['radius']['server']['port'])) {
1704	c3583058	Ermal	$radiusport = $pppoecfg['radius']['server']['port'];
1705	79262830	Phil Davis	}
1706			if (isset($pppoecfg['radius']['server']['acctport'])) {
1707	c3583058	Ermal	$radiusacctport = $pppoecfg['radius']['server']['acctport'];
1708	79262830	Phil Davis	}
1709	979cd6db	Scott Ullrich	$mpdconf .=<<<EOD
1710	b0943409	Ermal	set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
1711	06e69b03	Scott Ullrich	set radius retries 3
1712	979cd6db	Scott Ullrich	set radius timeout 10
1713	0af9dba4	Ermal Lu?i	set auth enable radius-auth
1714	06e69b03	Scott Ullrich
1715			EOD;
1716
1717	979cd6db	Scott Ullrich	if (isset ($pppoecfg['radius']['accounting'])) {
1718			$mpdconf .=<<<EOD
1719	0af9dba4	Ermal Lu?i	set auth enable radius-acct
1720	07cae4b2	Scott Ullrich
1721	06e69b03	Scott Ullrich	EOD;
1722			}
1723			}
1724
1725			fwrite($fd, $mpdconf);
1726			fclose($fd);
1727	a49784a2	Ermal	unset($mpdconf);
1728	06e69b03	Scott Ullrich
1729			/* write mpd.links */
1730	0e642c78	Ermal	$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.links", "w");
1731	06e69b03	Scott Ullrich	if (!$fd) {
1732	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.links in vpn_pppoe_configure().") . "\n");
1733	06e69b03	Scott Ullrich	return 1;
1734			}
1735
1736			$mpdlinks = "";
1737
1738	a429d105	Scott Ullrich	for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
1739	979cd6db	Scott Ullrich	$mpdlinks .=<<<EOD
1740	09628a07	Renato Botelho
1741	0e642c78	Ermal	poes{$pppoecfg['pppoeid']}{$i}:
1742	67ee1ec5	Ermal Luçi	set phys type pppoe
1743	09628a07	Renato Botelho	set pppoe iface {$pppoe_interface}
1744			set pppoe service "*"
1745			set pppoe disable originate
1746			set pppoe enable incoming
1747	06e69b03	Scott Ullrich
1748			EOD;
1749			}
1750
1751			fwrite($fd, $mpdlinks);
1752			fclose($fd);
1753	a49784a2	Ermal	unset($mpdlinks);
1754	06e69b03	Scott Ullrich
1755	0e642c78	Ermal	if ($pppoecfg['username']) {
1756			/* write mpd.secret */
1757			$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
1758			if (!$fd) {
1759	8c04b1ae	Renato Botelho	printf(gettext("Error: cannot open mpd.secret in vpn_pppoe_configure().") . "\n");
1760	0e642c78	Ermal	return 1;
1761			}
1762	06e69b03	Scott Ullrich
1763	0e642c78	Ermal	$mpdsecret = "\n\n";
1764	06e69b03	Scott Ullrich
1765	0e642c78	Ermal	if (!empty($pppoecfg['username'])) {
1766			$item = explode(" ", $pppoecfg['username']);
1767	79262830	Phil Davis	foreach ($item as $userdata) {
1768	0e642c78	Ermal	$data = explode(":", $userdata);
1769	90388e48	Ermal	$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
1770	0e642c78	Ermal	}
1771			}
1772	06e69b03	Scott Ullrich
1773	0e642c78	Ermal	fwrite($fd, $mpdsecret);
1774			fclose($fd);
1775	a49784a2	Ermal	unset($mpdsecret);
1776	0e642c78	Ermal	chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);
1777			}
1778	979cd6db	Scott Ullrich
1779	062676f8	Ermal	/* Check if previous instance is still up */
1780	79262830	Phil Davis	while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) {
1781	062676f8	Ermal	killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid");
1782	79262830	Phil Davis	}
1783	062676f8	Ermal
1784	67b057a9	Ermal	/* Get support for netgraph(4) from the nic */
1785			pfSense_ngctl_attach(".", $pppoe_interface);
1786	979cd6db	Scott Ullrich	/* fire up mpd */
1787	a6607b5f	jim-p	mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");
1788	979cd6db	Scott Ullrich
1789			break;
1790			}
1791
1792	79262830	Phil Davis	if (platform_booting()) {
1793	561130e4	Carlos Eduardo Ramos	echo gettext("done") . "\n";
1794	79262830	Phil Davis	}
1795	979cd6db	Scott Ullrich
1796			return 0;
1797			}
1798
1799			function vpn_l2tp_configure() {
1800			global $config, $g;
1801
1802			$syscfg = $config['system'];
1803			$l2tpcfg = $config['l2tp'];
1804
1805			/* create directory if it does not exist */
1806	79262830	Phil Davis	if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) {
1807	67ee1ec5	Ermal Luçi	mkdir("{$g['varetc_path']}/l2tp-vpn");
1808	79262830	Phil Davis	}
1809	979cd6db	Scott Ullrich
1810	285ef132	Ermal LUÇI	if (platform_booting()) {
1811	79262830	Phil Davis	if (!$l2tpcfg['mode'] \|\| ($l2tpcfg['mode'] == "off")) {
1812	979cd6db	Scott Ullrich	return 0;
1813	79262830	Phil Davis	}
1814	979cd6db	Scott Ullrich
1815	89ceb4ba	Renato Botelho	echo gettext("Configuring l2tp VPN service... ");
1816	979cd6db	Scott Ullrich	} else {
1817			/* kill mpd */
1818	67ee1ec5	Ermal Luçi	killbypid("{$g['varrun_path']}/l2tp-vpn.pid");
1819	979cd6db	Scott Ullrich
1820			/* wait for process to die */
1821	01c41d40	Ermal Lu?i	sleep(8);
1822	979cd6db	Scott Ullrich
1823			}
1824
1825	67ee1ec5	Ermal Luçi	/* make sure l2tp-vpn directory exists */
1826	79262830	Phil Davis	if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) {
1827	67ee1ec5	Ermal Luçi	mkdir("{$g['varetc_path']}/l2tp-vpn");
1828	79262830	Phil Davis	}
1829	979cd6db	Scott Ullrich
1830			switch ($l2tpcfg['mode']) {
1831
1832	79262830	Phil Davis	case 'server':
1833			if ($l2tpcfg['paporchap'] == "chap") {
1834	979cd6db	Scott Ullrich	$paporchap = "set link enable chap";
1835	79262830	Phil Davis	} else {
1836	979cd6db	Scott Ullrich	$paporchap = "set link enable pap";
1837	79262830	Phil Davis	}
1838	979cd6db	Scott Ullrich
1839			/* write mpd.conf */
1840	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w");
1841	979cd6db	Scott Ullrich	if (!$fd) {
1842	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.conf in vpn_l2tp_configure().") . "\n");
1843	979cd6db	Scott Ullrich	return 1;
1844			}
1845			$mpdconf = "\n\n";
1846			$mpdconf .=<<<EOD
1847	a6607b5f	jim-p	l2tps:
1848	979cd6db	Scott Ullrich
1849			EOD;
1850
1851			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
1852			$mpdconf .= " load l2tp{$i}\n";
1853			}
1854
1855			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
1856
1857	96033063	Erik Fonnesbeck	$clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);
1858	979cd6db	Scott Ullrich
1859			if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
1860			$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";
1861			} else {
1862			$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32";
1863			}
1864
1865			$mpdconf .=<<<EOD
1866
1867			l2tp{$i}:
1868	2c7feef7	jim-p	new -i l2tp{$i} l2tp{$i} l2tp{$i}
1869	979cd6db	Scott Ullrich	{$isssue_ip_type}
1870			load l2tp_standard
1871
1872			EOD;
1873			}
1874
1875			$mpdconf .=<<<EOD
1876
1877			l2tp_standard:
1878	09628a07	Renato Botelho	set bundle disable multilink
1879			set bundle enable compression
1880			set bundle yes crypt-reqd
1881			set ipcp yes vjcomp
1882			# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
1883			set ccp yes mppc
1884			set iface disable on-demand
1885			set iface enable proxy-arp
1886	e9a95ac8	jim-p	set iface up-script /usr/local/sbin/vpn-linkup
1887			set iface down-script /usr/local/sbin/vpn-linkdown
1888	09628a07	Renato Botelho	set link yes acfcomp protocomp
1889			set link no pap chap
1890	d06f9ebe	Sebastian Öhman	{$paporchap}
1891	09628a07	Renato Botelho	set link keep-alive 10 180
1892	979cd6db	Scott Ullrich
1893			EOD;
1894
1895	c8cc0c1c	smos	if (is_ipaddr($l2tpcfg['wins'])) {
1896			$mpdconf .= " set ipcp nbns {$l2tpcfg['wins']}\n";
1897			}
1898			if (is_ipaddr($l2tpcfg['dns1'])) {
1899	09f2bf85	jim-p	$mpdconf .= " set ipcp dns " . $l2tpcfg['dns1'];
1900	79262830	Phil Davis	if (is_ipaddr($l2tpcfg['dns2'])) {
1901	09f2bf85	jim-p	$mpdconf .= " " . $l2tpcfg['dns2'];
1902	79262830	Phil Davis	}
1903	09f2bf85	jim-p	$mpdconf .= "\n";
1904			} elseif (isset ($config['dnsmasq']['enable'])) {
1905	a55e9c70	Ermal Lu?i	$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1906	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1907	979cd6db	Scott Ullrich	$mpdconf .= " " . $syscfg['dnsserver'][0];
1908	79262830	Phil Davis	}
1909	979cd6db	Scott Ullrich	$mpdconf .= "\n";
1910	ad750d3b	Warren Baker	} elseif (isset ($config['unbound']['enable'])) {
1911			$mpdconf .= " set ipcp dns " . get_interface_ip("lan");
1912	79262830	Phil Davis	if ($syscfg['dnsserver'][0]) {
1913	ad750d3b	Warren Baker	$mpdconf .= " " . $syscfg['dnsserver'][0];
1914	79262830	Phil Davis	}
1915	ad750d3b	Warren Baker	$mpdconf .= "\n";
1916	09f2bf85	jim-p	} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
1917	79262830	Phil Davis	$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
1918	09f2bf85	jim-p	}
1919	979cd6db	Scott Ullrich
1920			if (isset ($l2tpcfg['radius']['enable'])) {
1921			$mpdconf .=<<<EOD
1922			set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
1923			set radius retries 3
1924			set radius timeout 10
1925	0af9dba4	Ermal Lu?i	set auth enable radius-auth
1926	979cd6db	Scott Ullrich
1927			EOD;
1928
1929			if (isset ($l2tpcfg['radius']['accounting'])) {
1930			$mpdconf .=<<<EOD
1931	0af9dba4	Ermal Lu?i	set auth enable radius-acct
1932	979cd6db	Scott Ullrich
1933			EOD;
1934			}
1935			}
1936
1937			fwrite($fd, $mpdconf);
1938			fclose($fd);
1939	a49784a2	Ermal	unset($mpdconf);
1940	979cd6db	Scott Ullrich
1941			/* write mpd.links */
1942	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.links", "w");
1943	979cd6db	Scott Ullrich	if (!$fd) {
1944	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.links in vpn_l2tp_configure().") . "\n");
1945	979cd6db	Scott Ullrich	return 1;
1946			}
1947
1948			$mpdlinks = "";
1949
1950			for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
1951			$mpdlinks .=<<<EOD
1952
1953	daa20efd	Ermal Lu?i	l2tp{$i}:
1954	979cd6db	Scott Ullrich	set link type l2tp
1955	09628a07	Renato Botelho	set l2tp enable incoming
1956			set l2tp disable originate
1957	979cd6db	Scott Ullrich
1958			EOD;
1959	79262830	Phil Davis	if (!empty($l2tpcfg['secret'])) {
1960	00f9e567	Ermal Lu?i	$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n";
1961	79262830	Phil Davis	}
1962	979cd6db	Scott Ullrich	}
1963
1964			fwrite($fd, $mpdlinks);
1965			fclose($fd);
1966	a49784a2	Ermal	unset($mpdlinks);
1967	979cd6db	Scott Ullrich
1968			/* write mpd.secret */
1969	67ee1ec5	Ermal Luçi	$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.secret", "w");
1970	979cd6db	Scott Ullrich	if (!$fd) {
1971	89ceb4ba	Renato Botelho	printf(gettext("Error: cannot open mpd.secret in vpn_l2tp_configure().") . "\n");
1972	979cd6db	Scott Ullrich	return 1;
1973			}
1974
1975			$mpdsecret = "\n\n";
1976
1977			if (is_array($l2tpcfg['user'])) {
1978	79262830	Phil Davis	foreach ($l2tpcfg['user'] as $user) {
1979	979cd6db	Scott Ullrich	$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
1980	79262830	Phil Davis	}
1981	979cd6db	Scott Ullrich	}
1982
1983			fwrite($fd, $mpdsecret);
1984			fclose($fd);
1985	a49784a2	Ermal	unset($mpdsecret);
1986	67ee1ec5	Ermal Luçi	chmod("{$g['varetc_path']}/l2tp-vpn/mpd.secret", 0600);
1987	06e69b03	Scott Ullrich
1988	67b057a9	Ermal	vpn_netgraph_support();
1989
1990	06e69b03	Scott Ullrich	/* fire up mpd */
1991	a6607b5f	jim-p	mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/l2tp-vpn -p {$g['varrun_path']}/l2tp-vpn.pid -s l2tps l2tps");
1992	06e69b03	Scott Ullrich
1993			break;
1994
1995	79262830	Phil Davis	case 'redir':
1996	06e69b03	Scott Ullrich	break;
1997			}
1998
1999	79262830	Phil Davis	if (platform_booting()) {
2000	06e69b03	Scott Ullrich	echo "done\n";
2001	79262830	Phil Davis	}
2002	06e69b03	Scott Ullrich
2003			return 0;
2004			}
2005	630cfa6c	Scott Ullrich
2006	79262830	Phil Davis	?>

Project

General

Profile

pfSense