<?php
/*
	vpn_ipsec.php
	part of m0n0wall (http://m0n0.ch/wall)
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
	Copyright (C) 2008 Shrew Soft Inc
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
##|+PRIV
##|*IDENT=page-vpn-ipsec
##|*NAME=VPN: IPsec page
##|*DESCR=Allow access to the 'VPN: IPsec' page.
##|*MATCH=vpn_ipsec.php*
##|-PRIV
require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
/* Make sure both IPsec phase lists exist in the running config before
 * anything below reads from or writes into them. */
if (!is_array($config['ipsec']['phase1'])) {
	$config['ipsec']['phase1'] = array();
}
if (!is_array($config['ipsec']['phase2'])) {
	$config['ipsec']['phase2'] = array();
}

/* Work on the config sections by reference so that edits made on this
 * page land in $config and are picked up by write_config(). */
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
$wancfg = &$config['interfaces']['wan'];

/* Form state: the "Enable IPsec" checkbox mirrors the saved flag. */
$pconfig['enable'] = isset($config['ipsec']['enable']);
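/* Form handling. "apply" pushes pending changes to the running system;
 * "submit" stores the Enable IPsec checkbox and starts or stops the
 * daemon accordingly. Missing buttons are tested with !empty() so an
 * absent key is not read. */
if ($_POST) {

	if (!empty($_POST['apply'])) {
		/* the return value of vpn_ipsec_refresh_policies() was overwritten
		 * by the next assignment before, so it is called for effect only
		 * and the status message reflects vpn_ipsec_configure() alone */
		vpn_ipsec_refresh_policies();
		$retval = vpn_ipsec_configure();
		/* reload the filter in the background */
		filter_configure();
		$savemsg = get_std_save_message($retval);
		if ($retval == 0) {
			/* changes are live now; drop the "apply changes" banner */
			if (is_subsystem_dirty('ipsec'))
				clear_subsystem_dirty('ipsec');
		}
	} else if (!empty($_POST['submit'])) {
		$pconfig = $_POST;

		/* the checkbox key is only present in the POST when it is ticked */
		$config['ipsec']['enable'] = !empty($_POST['enable']);

		if (!$config['ipsec']['enable']) {
			/* disabling: stop the IKE daemon if it is still running */
			if (is_process_running("racoon"))
				mwexec("killall racoon");
		} else {
			$retval = vpn_ipsec_configure();
		}

		write_config();
	}
}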
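/* Delete one phase1 entry together with every phase2 entry bound to it.
 * Reached through the delete icon in the list below, which passes the
 * entry's position in $a_phase1 as p1index.
 * NOTE(review): this state change runs on a plain GET with no anti-CSRF
 * token checked on this page; confirm whether guiconfig.inc covers it. */
if (isset($_GET['act']) && $_GET['act'] == "delph1")
{
	/* p1index must be a bare non-negative integer position; anything else
	 * (missing, array, text) is ignored rather than used as an array key */
	$p1index = isset($_GET['p1index']) ? $_GET['p1index'] : '';
	if (is_string($p1index) && ctype_digit($p1index) && !empty($a_phase1[$p1index])) {
		$ph1ent = $a_phase1[$p1index];

		/* remove static route if interface is not WAN */
		if ($ph1ent['interface'] != "wan") {
			/* the gateway comes from the saved config, not the request, but
			 * it still ends up inside a shell command line, so quote it */
			mwexec("/sbin/route delete -host " . escapeshellarg($ph1ent['remote-gateway']));
		}

		/* remove all phase2 entries that match the ikeid */
		$ikeid = $ph1ent['ikeid'];
		foreach ($a_phase2 as $p2index => $ph2tmp) {
			if ($ph2tmp['ikeid'] == $ikeid)
				unset($a_phase2[$p2index]);
		}

		/* remove the phase1 entry, then push the new config to the daemon,
		 * to disk and to the filter before redirecting back to the list */
		unset($a_phase1[$p1index]);
		vpn_ipsec_refresh_policies();
		vpn_ipsec_configure();
		write_config();
		filter_configure();
		header("Location: vpn_ipsec.php");
		exit;
	}
}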
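/* Delete a single phase2 entry; p2index is its position in $a_phase2 as
 * emitted by the list below.
 * NOTE(review): like the phase1 delete above, this runs on a plain GET
 * with no anti-CSRF token checked on this page. */
if (isset($_GET['act']) && $_GET['act'] == "delph2")
{
	/* only a bare non-negative integer is accepted as the array position */
	$p2index = isset($_GET['p2index']) ? $_GET['p2index'] : '';
	if (is_string($p2index) && ctype_digit($p2index) && !empty($a_phase2[$p2index])) {
		/* remove the phase2 entry */
		unset($a_phase2[$p2index]);
		vpn_ipsec_refresh_policies();
		vpn_ipsec_configure();
		/* order kept as before: filter first, then the config write */
		filter_configure();
		write_config();
		header("Location: vpn_ipsec.php");
		exit;
	}
}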
/* Breadcrumb-style title consumed by head.inc: section, then page. */
$pgtitle = array("VPN", "IPsec");
include("head.inc");

?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="vpn_ipsec.php" method="post">
<?php
	/* save/apply feedback first, then the "pending changes" banner for as
	 * long as the ipsec subsystem is flagged dirty */
	if ($savemsg)
		print_info_box($savemsg);
	if ($pconfig['enable'] && is_subsystem_dirty('ipsec'))
		print_info_box_np("The IPsec tunnel configuration has been changed.<br>You must apply the changes in order for them to take effect.");
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
	<tr>
		<td class="tabnavtbl">
			<?php
				/* tab strip entries: (label, is-active, target page) */
				$tab_array = array();
				$tab_array[0] = array("Tunnels", true, "vpn_ipsec.php");
				$tab_array[1] = array("Mobile clients", false, "vpn_ipsec_mobile.php");
				$tab_array[2] = array("Logs", false, "diag_logs_ipsec.php");
				display_top_tabs($tab_array);
			?>
		</td>
	</tr>
	<tr>
		<td>
			<div id="mainarea">
				<table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
					<tr>
						<td class="vtable">
							<table border="0" cellspacing="2" cellpadding="0">
								<tr>
									<td>
										<input name="enable" type="checkbox" id="enable" value="yes" <?php if ($pconfig['enable']) echo "checked";?>>
									</td>
									<td>
										<strong>Enable IPsec</strong>
									</td>
								</tr>
							</table>
						</td>
					</tr>
					<tr>
						<td>
							<input name="submit" type="submit" class="formbtn" value="Save">
						</td>
					</tr>
				</table>
				<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
					<?php
						/* One header row plus one data row per phase1 entry. $i is
						 * the entry's position in $a_phase1 and becomes p1index in
						 * the edit/delete/copy links and in the delete handler. */
						$i = 0;
						foreach ($a_phase1 as $ph1ent) {
							/* disabled entries are wrapped in a gray span */
							if (isset( $ph1ent['disabled'])) {
								$spans = "<span class=\"gray\">";
								$spane = "</span>";
							}
							else
								$spans = $spane = "";
						
						show_ipsec_header($ph1ent);
						$counter++; // used to determine if we need to output header manually (no records exist)
						// NOTE(review): $counter is not initialised anywhere on this page before the loop
					?>					
					<tr valign="top" ondblclick="document.location='vpn_ipsec_phase1.php?p1index=<?=$i;?>'">
						<td class="listlr">
							<?=$spans;?>
							<?php
								/* interface label: configured interfaces plus CARP VIPs,
								 * keyed by interface name */
								if ($ph1ent['interface']) {
									$iflabels = get_configured_interface_with_descr();
									$carplist = get_configured_carp_interface_list();
									foreach ($carplist as $cif => $carpip)
										$iflabels[$cif] = strtoupper($cif) . " ({$carpip})"; 
									$if = htmlspecialchars($iflabels[$ph1ent['interface']]);
								}
								else
									$if = "WAN";

								/* NOTE(review): remote-gateway is echoed unescaped here while
								 * descr further down goes through htmlspecialchars(); the value
								 * comes from the saved config, so confirm the phase1 edit page
								 * validates it before relying on that */
								if (!isset($ph1ent['mobile']))
									echo $if."<br>".$ph1ent['remote-gateway'];
								else
									echo $if."<br><strong>Mobile Client</strong>";
							?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=$ph1ent['mode'];?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=$p1_ealgos[$ph1ent['encryption-algorithm']['name']]['name'];?>
							<?php
								/* key length is only shown when set; "auto" is a literal choice */
								if ($ph1ent['encryption-algorithm']['keylen']) {
									if ($ph1ent['encryption-algorithm']['keylen']=="auto")
										echo " (auto)";
									else
										echo " ({$ph1ent['encryption-algorithm']['keylen']} bits)";
								}
							?>
							<?=$spane;?>
						</td>
						<td class="listr">
							<?=$spans;?>
							<?=$p1_halgos[$ph1ent['hash-algorithm']];?>
							<?=$spane;?>
						</td>
						<td class="listbg">
							<?=$spans;?>
							<?=htmlspecialchars($ph1ent['descr']);?>&nbsp;
							<?=$spane;?>
						</td>
						<td valign="middle" nowrap class="list">
							<table border="0" cellspacing="0" cellpadding="1">
								<tr>
									<td>
										<a href="vpn_ipsec_phase1.php?p1index=<?=$i;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
									<td>
										<a href="vpn_ipsec.php?act=delph1&p1index=<?=$i;?>" onclick="return confirm('Do you really want to delete this phase1 and all associated phase2 entries?')">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php if (!isset($ph1ent['mobile'])): ?>
								<tr>
									<td>
									</td>
									<td>
										<a href="vpn_ipsec_phase1.php?dup=<?=$i;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="copy phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php endif; ?>
							</table>
						</td>
					</tr>
					<tr>
						<td class="listrborder" colspan="5">
							<div id="shph2but-<?=$i?>">
								<?php
									/* count the enabled phase2 entries bound to this phase1 (same ikeid) */
									$phase2count=0;
									foreach ($a_phase2 as $ph2ent) {
										if ($ph2ent['ikeid'] != $ph1ent['ikeid']) 
											continue;
										if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) 
											continue;
										$phase2count++;
									}
									/* NOTE(review): $ph2ent is left holding the last entry visited by
									 * this counting loop and is reused below to decide whether the
									 * Local/Remote Subnet header cells are printed */
								?>								
								<input  type="button" onClick="show_phase2('tdph2-<?=$i?>','shph2but-<?=$i?>')" value="+"></input> - Show <?=$phase2count?> Phase-2 entries</a>
							</div>
							<table class="tabcont" width="100%" height="100%" border="0" cellspacing="0" cellpadding="0" id="tdph2-<?=$i?>" style="display:none">
								<tr>
									<td class="listhdrr">Mode</td>
									<?php if($ph2ent['mode'] == "tunnel"): ?>
									<td class="listhdrr">Local Subnet</td>
									<td class="listhdrr">Remote Subnet</td>
									<?php endif; ?>
									<td class="listhdrr">P2 Protocol</td>
									<td class="listhdrr">P2 Transforms</td>
									<td class="listhdrr">P2 Auth Methods</td>
									<td class ="list">
										<a href="vpn_ipsec_phase2.php?ikeid=<?=$ph1ent['ikeid'];?><?php if (isset($ph1ent['mobile'])) echo "&mobile=true";?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase2 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
								<?php
									/* $j is the entry's position in $a_phase2 (skipped entries are
									 * counted too) and becomes p2index in the links below */
									$j = 0;
									foreach ($a_phase2 as $ph2ent) {
										if ($ph2ent['ikeid'] != $ph1ent['ikeid']) {
											$j++;
											continue;
										}

										if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) {
											$spans = "<span class=\"gray\">";
											$spane = "</span>";
										}
										else
											$spans = $spane = "";
								?>
								<tr valign="top" ondblclick="document.location='vpn_ipsec_phase2.php?p2index=<?=$j;?>'">

									<td nowrap class="listlr">
										<?=$spans;?>
											<?=$ph2ent['mode'];?>
										<?=$spane;?>
									</td>
									<?php 
										if($ph2ent['mode'] <> "tunnel") {
											echo "<td nowrap class=\"listr\">&nbsp;</td><td nowrap class=\"listr\">&nbsp;</td>";
										} 
									?>
									<?php if($ph2ent['mode'] == "tunnel"): ?>
									<td nowrap class="listr">
										<?=$spans;?>
											<?=ipsec_idinfo_to_text($ph2ent['localid']); ?>
										<?=$spane;?>
									</td>
									<td nowrap class="listr">
										<?=$spans;?>
											<?=ipsec_idinfo_to_text($ph2ent['remoteid']); ?>
										<?=$spane;?>
									</td>
									<?php endif; ?>
									<td nowrap class="listr">
										<?=$spans;?>
											<?php echo $p2_protos[$ph2ent['protocol']];	?>
										<?=$spane;?>
									</td>
									<td class="listr">
										<?=$spans;?>
										<?php
											/* comma-separated list of the selected phase2 ciphers */
											$k = 0;
											foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) {
												if ($k++)
													echo ", ";
												echo $p2_ealgos[$ph2ea['name']]['name'];
												if ($ph2ea['keylen']) {
													if ($ph2ea['keylen']=="auto")
														echo " (auto)";
													else
														echo " ({$ph2ea['keylen']} bits)";
												}
											}
										?>
										<?=$spane;?>
									</td>
									<td nowrap class="listr">
										<?=$spans;?>
										<?php
											/* comma-separated list of the selected phase2 hash algorithms */
											$k = 0;
											foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) {
												if ($k++)
													echo ", ";
												echo $p2_halgos[$ph2ha];
											}
										?>
										<?=$spane;?>
									</td>
									<td nowrap class="list">
										<a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit phase2 entry" width="17" height="17" border="0">
										</a>
										<a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('Do you really want to delete this phase2 entry?')">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete phase2 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>

								<?php
										$j++;
									}
								?>
							</table>
						</td>
					</tr>
					<tr>
						<td>
							&nbsp;
						</td>
					</tr>
					<?php
							$i++;
						}
					/* no phase1 entries: the loop above printed no header, so emit
					 * one here ($ph1ent is not assigned by the loop in that case) */
					if(!$counter)
						show_ipsec_header($ph1ent);
					?>
					<tr>
						<td class="list" colspan="5"></td>
						<td class="list">
							<table border="0" cellspacing="0" cellpadding="1">
								<tr>
									<td width="17"></td>
									<td>
										<a href="vpn_ipsec_phase1.php">
											<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add phase1 entry" width="17" height="17" border="0">
										</a>
									</td>
								</tr>
							</table>
						<td>
					</tr>
					<tr>
						<td colspan="4">
							<p>
								<span class="vexpl">
									<span class="red">
										<strong>Note:<br></strong>
									</span>
									You can check your IPsec status at <a href="diag_ipsec.php">Status:IPsec</a>.
								</span>
							</p>
						</td>
					</tr>
				</table>
			</div>
		</td>
	</tr>
</table>
</form>
<?php include("fend.inc"); ?>
<script type="text/javascript">
/* reveal the hidden phase2 table of one phase1 entry and blank its "+" button */
function show_phase2(id, buttonid) {
	document.getElementById(buttonid).innerHTML='';
	aodiv = document.getElementById(id);
	aodiv.style.display = "block";
}
</script>
</body>
</html>
<?php
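/**
 * Print the column header row of the phase1 table.
 *
 * Called from the list loop for each phase1 entry, and once more after
 * the loop when there were no entries, so a header is always shown.
 *
 * The previous body declared `global $g` and built a `$mobile` query
 * fragment that nothing read; both are dropped here.
 *
 * @param array $ph1ent  phase1 entry being listed; kept for the callers'
 *                       benefit but not used, the row is static markup
 */
function show_ipsec_header($ph1ent) {
	echo <<<EOF
	<tr>
		<td class="listhdrr">Remote Gateway</td>
		<td class="listhdrr">Mode</td>
		<td class="listhdrr">P1 Protocol</td>
		<td class="listhdrr">P1 Transforms</td>
		<td class="listhdrr">P1 Description</td>
		<td class ="list">
		</td>
	</tr>

EOF;
}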
?>