Revision f579c0fb
Added by Ermal Luçi over 10 years ago
| etc/inc/ipsec.inc | ||
|---|---|---|
| 112 | 112 |
'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), |
| 113 | 113 |
'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), |
| 114 | 114 |
'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), |
| 115 |
'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true), |
|
| 115 | 116 |
'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), |
| 116 | 117 |
'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); |
| 117 | 118 |
|
| 119 |
$ipsec_preshared_key_type = array( |
|
| 120 |
'PSK' => 'PSK', |
|
| 121 |
'EAP' => 'EAP' |
|
| 122 |
); |
|
| 123 |
|
|
| 118 | 124 |
$p2_modes = array( |
| 119 | 125 |
'tunnel' => 'Tunnel IPv4', |
| 120 | 126 |
'tunnel6' => 'Tunnel IPv6', |
| etc/inc/vpn.inc | ||
|---|---|---|
| 516 | 516 |
foreach ($ipseccfg['mobilekey'] as $key) {
|
| 517 | 517 |
if ($key['ident'] == "allusers") |
| 518 | 518 |
$key['ident'] = '%any'; |
| 519 |
$pskconf .= "%any {$key['ident']} : PSK 0s" . base64_encode($key['pre-shared-key']) . "\n";
|
|
| 519 |
if (empty($key['type'])) |
|
| 520 |
$key['type'] = 'PSK'; |
|
| 521 |
$pskconf .= "%any {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n";
|
|
| 520 | 522 |
} |
| 521 | 523 |
unset($key); |
| 522 | 524 |
} |
| ... | ... | |
| 616 | 618 |
|
| 617 | 619 |
$authentication = ""; |
| 618 | 620 |
switch ($ph1ent['authentication_method']) {
|
| 621 |
case 'eap-mschapv2': |
|
| 622 |
if (isset($ph1ent['mobile'])) {
|
|
| 623 |
$authentication = "eap_identity=%any\n\t"; |
|
| 624 |
$authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; |
|
| 625 |
if (!empty($ph1ent['certref'])) |
|
| 626 |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
|
|
| 627 |
} |
|
| 628 |
break; |
|
| 619 | 629 |
case 'eap-tls': |
| 620 | 630 |
if (isset($ph1ent['mobile'])) {
|
| 621 | 631 |
$authentication = "eap_identity=%identity\n\t"; |
| usr/local/www/vpn_ipsec_keys.php | ||
|---|---|---|
| 52 | 52 |
$userkeys = array(); |
| 53 | 53 |
foreach ($config['system']['user'] as $id => $user) {
|
| 54 | 54 |
if (!empty($user['ipsecpsk'])) {
|
| 55 |
$userkeys[] = array('ident' => $user['name'], 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id);;
|
|
| 55 |
$userkeys[] = array('ident' => $user['name'], 'type' => 'PSK', 'pre-shared-key' => $user['ipsecpsk'], 'id' => $id);;
|
|
| 56 | 56 |
} |
| 57 | 57 |
} |
| 58 | 58 |
|
| ... | ... | |
| 110 | 110 |
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0" summary="main area"> |
| 111 | 111 |
<tr> |
| 112 | 112 |
<td class="listhdrr"><?=gettext("Identifier"); ?></td>
|
| 113 |
<td class="listhdrr"><?=gettext("Type"); ?></td>
|
|
| 113 | 114 |
<td class="listhdr"><?=gettext("Pre-Shared Key"); ?></td>
|
| 114 | 115 |
<td class="list"> |
| 115 | 116 |
<table border="0" cellspacing="0" cellpadding="1" summary="add key"> |
| ... | ... | |
| 130 | 131 |
echo htmlspecialchars($secretent['ident']); |
| 131 | 132 |
?> |
| 132 | 133 |
</td> |
| 134 |
<td class="listlr gray"> |
|
| 135 |
<?php |
|
| 136 |
if (empty($secretent['type'])) |
|
| 137 |
echo 'PSK'; |
|
| 138 |
else |
|
| 139 |
echo htmlspecialchars($secretent['type']); |
|
| 140 |
?> |
|
| 141 |
</td> |
|
| 133 | 142 |
<td class="listr gray"> |
| 134 | 143 |
<?=htmlspecialchars($secretent['pre-shared-key']);?> |
| 135 | 144 |
</td> |
| ... | ... | |
| 150 | 159 |
<td class="listlr"> |
| 151 | 160 |
<?=htmlspecialchars($secretent['ident']);?> |
| 152 | 161 |
</td> |
| 162 |
<td class="listlr"> |
|
| 163 |
<?php |
|
| 164 |
if (empty($secretent['type'])) |
|
| 165 |
echo 'PSK'; |
|
| 166 |
else |
|
| 167 |
echo htmlspecialchars($secretent['type']); |
|
| 168 |
?> |
|
| 169 |
</td> |
|
| 153 | 170 |
<td class="listr"> |
| 154 | 171 |
<?=htmlspecialchars($secretent['pre-shared-key']);?> |
| 155 | 172 |
</td> |
| ... | ... | |
| 158 | 175 |
</tr> |
| 159 | 176 |
<?php $i++; endforeach; ?> |
| 160 | 177 |
<tr> |
| 161 |
<td class="list" colspan="2"></td>
|
|
| 178 |
<td class="list" colspan="3"></td>
|
|
| 162 | 179 |
<td class="list"> |
| 163 | 180 |
<table border="0" cellspacing="0" cellpadding="1" summary="add key"> |
| 164 | 181 |
<tr> |
| usr/local/www/vpn_ipsec_keys_edit.php | ||
|---|---|---|
| 55 | 55 |
|
| 56 | 56 |
if (isset($id) && $a_secret[$id]) {
|
| 57 | 57 |
$pconfig['ident'] = $a_secret[$id]['ident']; |
| 58 |
$pconfig['type'] = $a_secret[$id]['type']; |
|
| 58 | 59 |
$pconfig['psk'] = $a_secret[$id]['pre-shared-key']; |
| 59 | 60 |
} |
| 60 | 61 |
|
| ... | ... | |
| 99 | 100 |
$secretent = $a_secret[$id]; |
| 100 | 101 |
|
| 101 | 102 |
$secretent['ident'] = $_POST['ident']; |
| 103 |
$secretent['type'] = $_POST['type']; |
|
| 102 | 104 |
$secretent['pre-shared-key'] = $_POST['psk']; |
| 103 | 105 |
$text = ""; |
| 104 | 106 |
|
| ... | ... | |
| 130 | 132 |
<?php if ($input_errors) print_input_errors($input_errors); ?> |
| 131 | 133 |
<form action="vpn_ipsec_keys_edit.php" method="post" name="iform" id="iform"> |
| 132 | 134 |
<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="vpn ipsec keys edit"> |
| 135 |
<tr> |
|
| 136 |
<td colspan="2" valign="top" class="listtopic">Edit pre-shared secret</td> |
|
| 137 |
</tr> |
|
| 133 | 138 |
<tr> |
| 134 | 139 |
<td valign="top" class="vncellreq"><?=gettext("Identifier"); ?></td>
|
| 135 | 140 |
<td class="vtable"> |
| ... | ... | |
| 138 | 143 |
<?=gettext("This can be either an IP address, fully qualified domain name or an e-mail address"); ?>.
|
| 139 | 144 |
</td> |
| 140 | 145 |
</tr> |
| 146 |
<tr> |
|
| 147 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("Secret type"); ?></td>
|
|
| 148 |
<td width="78%" class="vtable"> |
|
| 149 |
<select name="type" class="formselect"> |
|
| 150 |
<?php |
|
| 151 |
foreach ($ipsec_preshared_key_type as $value => $descr) {
|
|
| 152 |
echo "<option value='{$value}' ";
|
|
| 153 |
if ($pconfig['type'] == $value) |
|
| 154 |
echo "selected=\"selected\""; |
|
| 155 |
echo ">{$descr}</option>";
|
|
| 156 |
} |
|
| 157 |
?> |
|
| 158 |
</select> |
|
| 159 |
</td> |
|
| 160 |
</tr> |
|
| 141 | 161 |
<tr> |
| 142 | 162 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
|
| 143 | 163 |
<td width="78%" class="vtable"> |
| usr/local/www/vpn_ipsec_phase1.php | ||
|---|---|---|
| 162 | 162 |
// Only require PSK here for normal PSK tunnels (not mobile) or xauth. |
| 163 | 163 |
// For RSA methods, require the CA/Cert. |
| 164 | 164 |
switch ($method) {
|
| 165 |
case 'eap-mschapv2': |
|
| 166 |
if ($pconfig['iketype'] != 'ikev2') |
|
| 167 |
$input_errors[] = gettext("EAP-MSChapv2 can only be used with IKEv2 type VPNs.");
|
|
| 168 |
break; |
|
| 165 | 169 |
case "eap-tls": |
| 166 | 170 |
if ($pconfig['iketype'] != 'ikev2') |
| 167 | 171 |
$input_errors[] = gettext("EAP-TLS can only be used with IKEv2 type VPNs.");
|
| ... | ... | |
| 448 | 452 |
value = document.iform.authentication_method.options[index].value; |
| 449 | 453 |
|
| 450 | 454 |
switch (value) {
|
| 455 |
case 'eap-mschapv2': |
|
| 451 | 456 |
case 'eap-tls': |
| 452 | 457 |
document.getElementById('opt_psk').style.display = 'none';
|
| 453 | 458 |
document.getElementById('opt_peerid').style.display = '';
|
Also available in: Unified diff
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15