/usr/local/www/vpn_ipsec_phase1.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/www/vpn_ipsec_phase1.php @ fbd5fc52

1	a93e56c5	Matthew Grooms	<?php
2			/*
3			vpn_ipsec_phase1.php
4			part of m0n0wall (http://m0n0.ch/wall)
5
6			Copyright (C) 2008 Shrew Soft Inc
7			Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
8			All rights reserved.
9
10			Redistribution and use in source and binary forms, with or without
11			modification, are permitted provided that the following conditions are met:
12
13			1. Redistributions of source code must retain the above copyright notice,
14			this list of conditions and the following disclaimer.
15
16			2. Redistributions in binary form must reproduce the above copyright
17			notice, this list of conditions and the following disclaimer in the
18			documentation and/or other materials provided with the distribution.
19
20			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
22			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
24			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29			POSSIBILITY OF SUCH DAMAGE.
30			*/
31
32	6b07c15a	Matthew Grooms	##\|+PRIV
33			##\|*IDENT=page-vpn-ipsec-editphase1
34			##\|*NAME=VPN: IPsec: Edit Phase 1 page
35			##\|*DESCR=Allow access to the 'VPN: IPsec: Edit Phase 1' page.
36			##\|MATCH=vpn_ipsec_phase1.php
37			##\|-PRIV
38
39	0f84b741	Scott Ullrich	require("functions.inc");
40	a93e56c5	Matthew Grooms	require("guiconfig.inc");
41	483e6de8	Scott Ullrich	require_once("ipsec.inc");
42			require_once("vpn.inc");
43	a93e56c5	Matthew Grooms
44			if (!is_array($config['ipsec']['phase1']))
45			$config['ipsec']['phase1'] = array();
46
47	647c7c48	Seth Mos	if (!is_array($config['ipsec']['phase2']))
48			$config['ipsec']['phase2'] = array();
49
50	a93e56c5	Matthew Grooms	$a_phase1 = &$config['ipsec']['phase1'];
51	647c7c48	Seth Mos	$a_phase2 = &$config['ipsec']['phase2'];
52	a93e56c5	Matthew Grooms
53			$p1index = $_GET['p1index'];
54			if (isset($_POST['p1index']))
55			$p1index = $_POST['p1index'];
56
57			if (isset($_GET['dup'])) {
58			$p1index = $_GET['dup'];
59			}
60
61	fad728ab	sullrich	if (isset($p1index) && $a_phase1[$p1index]) {
62	99bbd213	Matthew Grooms	// don't copy the ikeid on dup
63			if (!isset($_GET['dup']))
64			$pconfig['ikeid'] = $a_phase1[$p1index]['ikeid'];
65	7fc26246	Seth Mos
66	647c7c48	Seth Mos	$old_ph1ent = $a_phase1[$p1index];
67	99bbd213	Matthew Grooms
68	a93e56c5	Matthew Grooms	$pconfig['disabled'] = isset($a_phase1[$p1index]['disabled']);
69
70			if ($a_phase1[$p1index]['interface'])
71			$pconfig['interface'] = $a_phase1[$p1index]['interface'];
72			else
73			$pconfig['interface'] = "wan";
74
75			list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $a_phase1[$p1index]['remote-subnet']);
76	3462a529	Matthew Grooms
77			if (isset($a_phase1[$p1index]['mobile']))
78			$pconfig['mobile'] = 'true';
79			else
80			$pconfig['remotegw'] = $a_phase1[$p1index]['remote-gateway'];
81
82	a93e56c5	Matthew Grooms	$pconfig['mode'] = $a_phase1[$p1index]['mode'];
83			$pconfig['myid_type'] = $a_phase1[$p1index]['myid_type'];
84			$pconfig['myid_data'] = $a_phase1[$p1index]['myid_data'];
85			$pconfig['peerid_type'] = $a_phase1[$p1index]['peerid_type'];
86			$pconfig['peerid_data'] = $a_phase1[$p1index]['peerid_data'];
87			$pconfig['ealgo'] = $a_phase1[$p1index]['encryption-algorithm'];
88			$pconfig['halgo'] = $a_phase1[$p1index]['hash-algorithm'];
89			$pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
90			$pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
91			$pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];
92	812dd35d	jim-p	$pconfig['proposal_check'] = $a_phase1[$p1index]['proposal_check'];
93	4e2af464	Matthew Grooms
94	fad728ab	sullrich	if (($pconfig['authentication_method'] == "pre_shared_key") \|\|
95	4e2af464	Matthew Grooms	($pconfig['authentication_method'] == "xauth_psk_server")) {
96			$pconfig['pskey'] = $a_phase1[$p1index]['pre-shared-key'];
97			} else {
98	73fbece8	mgrooms	$pconfig['certref'] = $a_phase1[$p1index]['certref'];
99	a22d475f	jim-p	$pconfig['caref'] = $a_phase1[$p1index]['caref'];
100	4e2af464	Matthew Grooms	}
101	a93e56c5	Matthew Grooms
102			$pconfig['descr'] = $a_phase1[$p1index]['descr'];
103			$pconfig['nat_traversal'] = $a_phase1[$p1index]['nat_traversal'];
104	3462a529	Matthew Grooms
105			if ($a_phase1[$p1index]['dpd_delay'] && $a_phase1[$p1index]['dpd_maxfail']) {
106			$pconfig['dpd_enable'] = true;
107			$pconfig['dpd_delay'] = $a_phase1[$p1index]['dpd_delay'];
108			$pconfig['dpd_maxfail'] = $a_phase1[$p1index]['dpd_maxfail'];
109			}
110	fad728ab	sullrich	} else {
111	a93e56c5	Matthew Grooms	/* defaults */
112			$pconfig['interface'] = "wan";
113			if($config['interfaces']['lan'])
114			$pconfig['localnet'] = "lan";
115			$pconfig['mode'] = "aggressive";
116			$pconfig['myid_type'] = "myaddress";
117			$pconfig['peerid_type'] = "peeraddress";
118			$pconfig['authentication_method'] = "pre_shared_key";
119			$pconfig['ealgo'] = array( name => "3des" );
120			$pconfig['halgo'] = "sha1";
121			$pconfig['dhgroup'] = "2";
122			$pconfig['lifetime'] = "28800";
123			$pconfig['nat_traversal'] = "on";
124	3462a529	Matthew Grooms	$pconfig['dpd_enable'] = true;
125
126			/* mobile client */
127			if($_GET['mobile'])
128			$pconfig['mobile']=true;
129	a93e56c5	Matthew Grooms	}
130
131			if (isset($_GET['dup']))
132			unset($p1index);
133
134			if ($_POST) {
135			unset($input_errors);
136			$pconfig = $_POST;
137
138			/* input validation */
139	3462a529	Matthew Grooms
140			$method = $pconfig['authentication_method'];
141	1f65618b	jim-p	// Only require PSK here for normal PSK tunnels (not mobile) or xauth.
142			if ((($method == "pre_shared_key") && (!$pconfig['mobile']))\|\|($method == "xauth_psk_server")) {
143	3462a529	Matthew Grooms	$reqdfields = explode(" ", "pskey");
144	2fbb33f1	Carlos Eduardo Ramos	$reqdfieldsn = array(gettext("Pre-Shared Key"));
145	73fbece8	mgrooms	} else {
146	a22d475f	jim-p	$reqdfields = explode(" ", "caref certref");
147			$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
148	a93e56c5	Matthew Grooms	}
149	3462a529	Matthew Grooms	if (!$pconfig['mobile']) {
150			$reqdfields[] = "remotegw";
151	2fbb33f1	Carlos Eduardo Ramos	$reqdfieldsn[] = gettext("Remote gateway");
152	3462a529	Matthew Grooms	}
153	a93e56c5	Matthew Grooms
154	3462a529	Matthew Grooms	do_input_validation($pconfig, $reqdfields, $reqdfieldsn, &$input_errors);
155	a93e56c5	Matthew Grooms
156	3462a529	Matthew Grooms	if (($pconfig['lifetime'] && !is_numeric($pconfig['lifetime'])))
157	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("The P1 lifetime must be an integer.");
158	a93e56c5	Matthew Grooms
159	3462a529	Matthew Grooms	if (($pconfig['remotegw'] && !is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])))
160	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
161	a93e56c5	Matthew Grooms
162	3462a529	Matthew Grooms	if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
163	a93e56c5	Matthew Grooms	$t = 0;
164			foreach ($a_phase1 as $ph1tmp) {
165			if ($p1index <> $t) {
166			$tremotegw = $pconfig['remotegw'];
167			if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
168	ddc55e12	Erik Fonnesbeck	$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
169	a93e56c5	Matthew Grooms	}
170			}
171			$t++;
172			}
173			}
174
175			/* My identity */
176
177	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "myaddress")
178			$pconfig['myid_data'] = "";
179	a93e56c5	Matthew Grooms
180	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "address" and $pconfig['myid_data'] == "")
181	a93e56c5	Matthew Grooms	$input_errors[] = gettext("Please enter an address for 'My Identifier'");
182
183	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "keyid tag" and $pconfig['myid_data'] == "")
184	a93e56c5	Matthew Grooms	$input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
185
186	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "fqdn" and $pconfig['myid_data'] == "")
187	a93e56c5	Matthew Grooms	$input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
188
189	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "user_fqdn" and $pconfig['myid_data'] == "")
190	a93e56c5	Matthew Grooms	$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
191
192	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "dyn_dns" and $pconfig['myid_data'] == "")
193	a93e56c5	Matthew Grooms	$input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
194
195	3462a529	Matthew Grooms	if ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data'])))
196	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
197	a93e56c5	Matthew Grooms
198	3462a529	Matthew Grooms	if ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data'])))
199	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
200	a93e56c5	Matthew Grooms
201	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "fqdn")
202			if (is_domain($pconfig['myid_data']) == false)
203	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");
204	a93e56c5	Matthew Grooms
205	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "user_fqdn") {
206			$user_fqdn = explode("@",$pconfig['myid_data']);
207	a93e56c5	Matthew Grooms	if (is_domain($user_fqdn[1]) == false)
208	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
209	a93e56c5	Matthew Grooms	}
210
211	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "dyn_dns")
212			if (is_domain($pconfig['myid_data']) == false)
213	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
214	a93e56c5	Matthew Grooms
215			/* Peer identity */
216
217	3462a529	Matthew Grooms	if ($pconfig['myid_type'] == "peeraddress")
218			$pconfig['peerid_data'] = "";
219
220	1f65618b	jim-p	// Only enforce peer ID if we are not dealing with a pure-psk mobile config.
221			if (!(($pconfig['authentication_method'] == "pre_shared_key") && ($pconfig['mobile']))) {
222			if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "")
223			$input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
224	a93e56c5	Matthew Grooms
225	1f65618b	jim-p	if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "")
226			$input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
227	a93e56c5	Matthew Grooms
228	1f65618b	jim-p	if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "")
229			$input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
230	a93e56c5	Matthew Grooms
231	1f65618b	jim-p	if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "")
232			$input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
233	a93e56c5	Matthew Grooms
234	1f65618b	jim-p	if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data'])))
235	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");
236	a93e56c5	Matthew Grooms
237	1f65618b	jim-p	if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data'])))
238	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");
239	a93e56c5	Matthew Grooms
240	1f65618b	jim-p	if ($pconfig['peerid_type'] == "fqdn")
241			if (is_domain($pconfig['peerid_data']) == false)
242	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified.");
243	a93e56c5	Matthew Grooms
244	1f65618b	jim-p	if ($pconfig['peerid_type'] == "user_fqdn") {
245			$user_fqdn = explode("@",$pconfig['peerid_data']);
246			if (is_domain($user_fqdn[1]) == false)
247	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
248	1f65618b	jim-p	}
249	a93e56c5	Matthew Grooms	}
250
251	3462a529	Matthew Grooms	if ($pconfig['dpd_enable']) {
252			if (!is_numeric($pconfig['dpd_delay']))
253	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A numeric value must be specified for DPD delay.");
254	a93e56c5	Matthew Grooms
255	3462a529	Matthew Grooms	if (!is_numeric($pconfig['dpd_maxfail']))
256	2fbb33f1	Carlos Eduardo Ramos	$input_errors[] = gettext("A numeric value must be specified for DPD retries.");
257	a93e56c5	Matthew Grooms	}
258
259			/* build our encryption algorithms array */
260			$pconfig['ealgo'] = array();
261			$pconfig['ealgo']['name'] = $_POST['ealgo'];
262	3462a529	Matthew Grooms	if($pconfig['ealgo_keylen'])
263	a93e56c5	Matthew Grooms	$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
264
265			if (!$input_errors) {
266	3462a529	Matthew Grooms	$ph1ent['ikeid'] = $pconfig['ikeid'];
267			$ph1ent['disabled'] = $pconfig['disabled'] ? true : false;
268	a93e56c5	Matthew Grooms	$ph1ent['interface'] = $pconfig['interface'];
269			/* if the remote gateway changed and the interface is not WAN then remove route */
270			/* the vpn_ipsec_configure() handles adding the route */
271	3462a529	Matthew Grooms	if ($pconfig['interface'] <> "wan") {
272	7fc26246	Seth Mos	if($old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
273			mwexec("/sbin/route delete -host {$oldph1ent['remote-gateway']}");
274	a93e56c5	Matthew Grooms	}
275			}
276
277	3462a529	Matthew Grooms	if ($pconfig['mobile'])
278			$ph1ent['mobile'] = true;
279			else
280			$ph1ent['remote-gateway'] = $pconfig['remotegw'];
281
282			$ph1ent['mode'] = $pconfig['mode'];
283
284			$ph1ent['myid_type'] = $pconfig['myid_type'];
285			$ph1ent['myid_data'] = $pconfig['myid_data'];
286			$ph1ent['peerid_type'] = $pconfig['peerid_type'];
287			$ph1ent['peerid_data'] = $pconfig['peerid_data'];
288	a93e56c5	Matthew Grooms
289			$ph1ent['encryption-algorithm'] = $pconfig['ealgo'];
290	3462a529	Matthew Grooms	$ph1ent['hash-algorithm'] = $pconfig['halgo'];
291			$ph1ent['dhgroup'] = $pconfig['dhgroup'];
292			$ph1ent['lifetime'] = $pconfig['lifetime'];
293			$ph1ent['pre-shared-key'] = $pconfig['pskey'];
294			$ph1ent['private-key'] = base64_encode($pconfig['privatekey']);
295	73fbece8	mgrooms	$ph1ent['certref'] = $pconfig['certref'];
296	a22d475f	jim-p	$ph1ent['caref'] = $pconfig['caref'];
297	3462a529	Matthew Grooms	$ph1ent['authentication_method'] = $pconfig['authentication_method'];
298	812dd35d	jim-p	$ph1ent['proposal_check'] = $pconfig['proposal_check'];
299	3462a529	Matthew Grooms	$ph1ent['descr'] = $pconfig['descr'];
300			$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];
301
302			if (isset($pconfig['dpd_enable'])) {
303			$ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
304			$ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
305			}
306
307	a93e56c5	Matthew Grooms	/* generate unique phase1 ikeid */
308	d799787e	Matthew Grooms	if ($ph1ent['ikeid'] == 0)
309			$ph1ent['ikeid'] = ipsec_ikeid_next();
310	a93e56c5	Matthew Grooms
311			if (isset($p1index) && $a_phase1[$p1index])
312			$a_phase1[$p1index] = $ph1ent;
313			else
314			$a_phase1[] = $ph1ent;
315
316	647c7c48	Seth Mos	/* now we need to find all phase2 entries for this host */
317			if (is_array($a_phase2) && (count($a_phase2))) {
318			foreach ($a_phase2 as $phase2) {
319			if($phase2['ikeid'] == $ph1ent['ikeid']) {
320	7fc26246	Seth Mos	log_error("Reload {$ph1ent['descr']} tunnel(s)");
321	647c7c48	Seth Mos	$old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']);
322			$old_phase2 = $phase2;
323			reload_tunnel_spd_policy ($ph1ent, $phase2, $old_ph1ent, $old_phase2);
324			}
325			}
326			}
327	a93e56c5	Matthew Grooms	write_config();
328	a368a026	Ermal Lu?i	mark_subsystem_dirty('ipsec');
329	a93e56c5	Matthew Grooms
330			header("Location: vpn_ipsec.php");
331			exit;
332			}
333			}
334
335	3462a529	Matthew Grooms	if ($pconfig['mobile'])
336	2fbb33f1	Carlos Eduardo Ramos	$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1"), gettext("Mobile Client"));
337	3462a529	Matthew Grooms	else
338	2fbb33f1	Carlos Eduardo Ramos	$pgtitle = array(gettext("VPN"),gettext("IPsec"),gettext("Edit Phase 1"));
339	6deedfde	jim-p	$statusurl = "diag_ipsec.php";
340			$logurl = "diag_logs_ipsec.php";
341
342	3462a529	Matthew Grooms
343	a93e56c5	Matthew Grooms	include("head.inc");
344
345			?>
346
347			<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
348			<?php include("fbegin.inc"); ?>
349			<script language="JavaScript">
350			<!--
351	3462a529	Matthew Grooms
352			function myidsel_change() {
353			index = document.iform.myid_type.selectedIndex;
354			value = document.iform.myid_type.options[index].value;
355			if (value == 'myaddress')
356	5a3b0d3b	mgrooms	document.getElementById('myid_data').style.visibility = 'hidden';
357	3462a529	Matthew Grooms	else
358	5a3b0d3b	mgrooms	document.getElementById('myid_data').style.visibility = 'visible';
359	3462a529	Matthew Grooms	}
360
361			function peeridsel_change() {
362			index = document.iform.peerid_type.selectedIndex;
363			value = document.iform.peerid_type.options[index].value;
364			if (value == 'peeraddress')
365	5a3b0d3b	mgrooms	document.getElementById('peerid_data').style.visibility = 'hidden';
366	3462a529	Matthew Grooms	else
367	5a3b0d3b	mgrooms	document.getElementById('peerid_data').style.visibility = 'visible';
368	3462a529	Matthew Grooms	}
369
370	a93e56c5	Matthew Grooms	function methodsel_change() {
371	3462a529	Matthew Grooms	index = document.iform.authentication_method.selectedIndex;
372			value = document.iform.authentication_method.options[index].value;
373
374			switch (value) {
375			case 'hybrid_rsa_server':
376	5a3b0d3b	mgrooms	document.getElementById('opt_psk').style.display = 'none';
377	1f65618b	jim-p	document.getElementById('opt_peerid').style.display = '';
378	73fbece8	mgrooms	document.getElementById('opt_cert').style.display = '';
379	a22d475f	jim-p	document.getElementById('opt_ca').style.display = '';
380	3462a529	Matthew Grooms	break;
381			case 'xauth_rsa_server':
382			case 'rsasig':
383	5a3b0d3b	mgrooms	document.getElementById('opt_psk').style.display = 'none';
384	1f65618b	jim-p	document.getElementById('opt_peerid').style.display = '';
385	73fbece8	mgrooms	document.getElementById('opt_cert').style.display = '';
386	a22d475f	jim-p	document.getElementById('opt_ca').style.display = '';
387	a93e56c5	Matthew Grooms	break;
388	1f65618b	jim-p	<?php if ($pconfig['mobile']) { ?>
389			case 'pre_shared_key':
390			document.getElementById('opt_psk').style.display = 'none';
391			document.getElementById('opt_peerid').style.display = 'none';
392			document.getElementById('opt_cert').style.display = 'none';
393	a22d475f	jim-p	document.getElementById('opt_ca').style.display = 'none';
394	1f65618b	jim-p	break;
395			<?php } ?>
396	3462a529	Matthew Grooms	default: /* psk modes*/
397	5a3b0d3b	mgrooms	document.getElementById('opt_psk').style.display = '';
398	1f65618b	jim-p	document.getElementById('opt_peerid').style.display = '';
399	73fbece8	mgrooms	document.getElementById('opt_cert').style.display = 'none';
400	a22d475f	jim-p	document.getElementById('opt_ca').style.display = 'none';
401	a93e56c5	Matthew Grooms	break;
402			}
403			}
404
405			/* PHP generated java script for variable length keys */
406			function ealgosel_change(bits) {
407			switch (document.iform.ealgo.selectedIndex) {
408			<?php
409			$i = 0;
410			foreach ($p1_ealgos as $algo => $algodata) {
411			if (is_array($algodata['keysel'])) {
412			echo " case {$i}:\n";
413			echo " document.iform.ealgo_keylen.style.visibility = 'visible';\n";
414			echo " document.iform.ealgo_keylen.options.length = 0;\n";
415			// echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( 'auto', 'auto' );\n";
416
417			$key_hi = $algodata['keysel']['hi'];
418			$key_lo = $algodata['keysel']['lo'];
419			$key_step = $algodata['keysel']['step'];
420
421			for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step)
422			echo " document.iform.ealgo_keylen.options[document.iform.ealgo_keylen.options.length] = new Option( '{$keylen} bits', '{$keylen}' );\n";
423			echo " break;\n";
424			} else {
425			echo " case {$i}:\n";
426			echo " document.iform.ealgo_keylen.style.visibility = 'hidden';\n";
427			echo " document.iform.ealgo_keylen.options.length = 0;\n";
428			echo " break;\n";
429			}
430			$i++;
431			}
432			?>
433			}
434
435			if( bits )
436			document.iform.ealgo_keylen.value = bits;
437			}
438	3462a529	Matthew Grooms
439	a93e56c5	Matthew Grooms	function dpdchkbox_change() {
440	5a3b0d3b	mgrooms	if( document.iform.dpd_enable.checked )
441			document.getElementById('opt_dpd').style.display = '';
442			else
443			document.getElementById('opt_dpd').style.display = 'none';
444	3462a529	Matthew Grooms
445			if (!document.iform.dpd_delay.value)
446			document.iform.dpd_delay.value = "10";
447
448			if (!document.iform.dpd_maxfail.value)
449			document.iform.dpd_maxfail.value = "5";
450	a93e56c5	Matthew Grooms	}
451	3462a529	Matthew Grooms
452	a93e56c5	Matthew Grooms	//-->
453			</script>
454	5a3b0d3b	mgrooms
455			<form action="vpn_ipsec_phase1.php" method="post" name="iform" id="iform">
456
457			<?php
458			if ($input_errors)
459			print_input_errors($input_errors);
460			?>
461
462			<table width="100%" border="0" cellpadding="0" cellspacing="0">
463			<tr class="tabnavtbl">
464			<td id="tabnav">
465			<?php
466			$tab_array = array();
467	2fbb33f1	Carlos Eduardo Ramos	$tab_array[0] = array(gettext("Tunnels"), true, "vpn_ipsec.php");
468			$tab_array[1] = array(gettext("Mobile clients"), false, "vpn_ipsec_mobile.php");
469			$tab_array[2] = array(gettext("Pre-shared keys"), false, "vpn_ipsec_keys.php");
470	5a3b0d3b	mgrooms	display_top_tabs($tab_array);
471			?>
472			</td>
473			</tr>
474			<tr>
475			<td id="mainarea">
476			<div class="tabcont">
477			<table width="100%" border="0" cellpadding="6" cellspacing="0">
478			<tr>
479	2fbb33f1	Carlos Eduardo Ramos	<td colspan="2" valign="top" class="listtopic"><?=gettext("General information"); ?></td>
480	5a3b0d3b	mgrooms	</tr>
481			<tr>
482	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td>
483	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
484			<input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
485	2fbb33f1	Carlos Eduardo Ramos	<strong><?=gettext("Disable this phase1 entry"); ?></strong><br>
486	5a3b0d3b	mgrooms	<span class="vexpl">
487	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Set this option to disable this phase1 without " .
488			"removing it from the list"); ?>.
489	5a3b0d3b	mgrooms	</span>
490			</td>
491			</tr>
492			<tr>
493	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Interface"); ?></td>
494	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
495			<select name="interface" class="formselect">
496			<?php
497			$interfaces = get_configured_interface_with_descr();
498	abcb2bed	Ermal Lu?i	$carplist = get_configured_carp_interface_list();
499			foreach ($carplist as $cif => $carpip)
500			$interfaces[$cif] = strtoupper($cif) . " ({$carpip})";
501	5a3b0d3b	mgrooms	foreach ($interfaces as $iface => $ifacename):
502			?>
503			<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
504			<?=htmlspecialchars($ifacename);?>
505			</option>
506			<?php endforeach; ?>
507			</select>
508			<br>
509	2fbb33f1	Carlos Eduardo Ramos	<span class="vexpl"><?=gettext("Select the interface for the local endpoint of this phase1 entry"); ?>.</span>
510	5a3b0d3b	mgrooms	</td>
511			</tr>
512
513			<?php if (!$pconfig['mobile']): ?>
514
515			<tr>
516	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Remote gateway"); ?></td>
517	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
518			<?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>">
519			<br>
520	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Enter the public IP address or host name of the remote gateway"); ?>
521	5a3b0d3b	mgrooms	</td>
522			</tr>
523
524			<?php endif; ?>
525
526			<tr>
527	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td>
528	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
529			<input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
530			<br>
531			<span class="vexpl">
532	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("You may enter a description here " .
533			"for your reference (not parsed)"); ?>.
534	5a3b0d3b	mgrooms	</span>
535			</td>
536			</tr>
537			<tr>
538			<td colspan="2" class="list" height="12"></td>
539			</tr>
540			<tr>
541			<td colspan="2" valign="top" class="listtopic">
542	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Phase 1 proposal (Authentication)"); ?>
543	5a3b0d3b	mgrooms	</td>
544			</tr>
545	71d61aa5	jim-p	<tr>
546	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Authentication method"); ?></td>
547	71d61aa5	jim-p	<td width="78%" class="vtable">
548			<select name="authentication_method" class="formselect" onChange="methodsel_change()">
549			<?php
550			foreach ($p1_authentication_methods as $method_type => $method_params):
551			if (!$pconfig['mobile'] && $method_params['mobile'])
552			continue;
553			?>
554			<option value="<?=$method_type;?>" <?php if ($method_type == $pconfig['authentication_method']) echo "selected"; ?>>
555			<?=htmlspecialchars($method_params['name']);?>
556			</option>
557			<?php endforeach; ?>
558			</select>
559			<br>
560			<span class="vexpl">
561	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Must match the setting chosen on the remote side"); ?>.
562	71d61aa5	jim-p	</span>
563			</td>
564			</tr>
565	5a3b0d3b	mgrooms	<tr>
566	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Negotiation mode"); ?></td>
567	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
568			<select name="mode" class="formselect">
569			<?php
570	cd82ab61	Carlos Eduardo Ramos	$modes = array(gettext("main"),gettext("aggressive"));
571	5a3b0d3b	mgrooms	foreach ($modes as $mode):
572			?>
573			<option value="<?=$mode;?>" <?php if ($mode == $pconfig['mode']) echo "selected"; ?>>
574			<?=htmlspecialchars($mode);?>
575			</option>
576			<?php endforeach; ?>
577	2fbb33f1	Carlos Eduardo Ramos	</select> <br> <span class="vexpl"><?=gettext("Aggressive is more flexible, but less secure"); ?>.</span>
578	5a3b0d3b	mgrooms	</td>
579			</tr>
580			<tr>
581	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("My identifier"); ?></td>
582	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
583			<select name="myid_type" class="formselect" onChange="myidsel_change()">
584			<?php foreach ($my_identifier_list as $id_type => $id_params): ?>
585			<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) echo "selected"; ?>>
586			<?=htmlspecialchars($id_params['desc']);?>
587			</option>
588			<?php endforeach; ?>
589			</select>
590			<input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=$pconfig['myid_data'];?>">
591			</td>
592			</tr>
593	1f65618b	jim-p	<tr id="opt_peerid">
594	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer identifier"); ?></td>
595	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
596			<select name="peerid_type" class="formselect" onChange="peeridsel_change()">
597			<?php
598			foreach ($peer_identifier_list as $id_type => $id_params):
599			if ($pconfig['mobile'] && !$id_params['mobile'])
600			continue;
601			?>
602			<option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['peerid_type']) echo "selected"; ?>>
603			<?=htmlspecialchars($id_params['desc']);?>
604			</option>
605			<?php endforeach; ?>
606			</select>
607			<input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>">
608	1f65618b	jim-p	<?php if ($pconfig['mobile']) { ?>
609	2fbb33f1	Carlos Eduardo Ramos	<br/><br/><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>.
610	1f65618b	jim-p	<?php } ?>
611	5a3b0d3b	mgrooms	</td>
612			</tr>
613	71d61aa5	jim-p	<tr id="opt_psk">
614	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Pre-Shared Key"); ?></td>
615	71d61aa5	jim-p	<td width="78%" class="vtable">
616			<?=$mandfldhtml;?>
617			<input name="pskey" type="text" class="formfld unknown" id="pskey" size="40" value="<?=htmlspecialchars($pconfig['pskey']);?>">
618			<span class="vexpl">
619			<br>
620	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Input your pre-shared key string"); ?>.
621	71d61aa5	jim-p	</span>
622			</td>
623			</tr>
624	812dd35d	jim-p	<tr id="proposal_check">
625			<td width="22%" valign="top" class="vncellreq"><?=gettext("Proposal Checking"); ?></td>
626			<td width="78%" class="vtable">
627			<select name="proposal_check" class="formselect">
628			<option value="" <?php if (empty($pconfig['proposal_check'])) echo "selected"; ?>>Default</option>
629			<option value="obey" <?php if ($pconfig['proposal_check'] == "obey") echo "selected"; ?>>Obey</option>
630			<option value="strict" <?php if ($pconfig['proposal_check'] == "strict") echo "selected"; ?>>Strict</option>
631			<option value="claim" <?php if ($pconfig['proposal_check'] == "claim") echo "selected"; ?>>Claim</option>
632			<option value="exact" <?php if ($pconfig['proposal_check'] == "exact") echo "selected"; ?>>Exact</option>
633			</select>
634			<br>
635			<span class="vexpl">
636			<?=gettext("Specifies the action of lifetime length, key length, and PFS of the phase 2 selection on the responder side, and the action of lifetime check in phase 1."); ?>
637			</span>
638			</td>
639			</tr>
640	5a3b0d3b	mgrooms	<tr>
641	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td>
642	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
643			<select name="ealgo" class="formselect" onChange="ealgosel_change()">
644			<?php
645			foreach ($p1_ealgos as $algo => $algodata):
646			$selected = '';
647			if ($algo == $pconfig['ealgo']['name'])
648			$selected = ' selected';
649			?>
650			<option value="<?=$algo;?>"<?=$selected?>>
651			<?=htmlspecialchars($algodata['name']);?>
652			</option>
653			<?php endforeach; ?>
654			</select>
655			<select name="ealgo_keylen" width="30" class="formselect">
656			</select>
657			</td>
658			</tr>
659			<tr>
660	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("Hash algorithm"); ?></td>
661	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
662			<select name="halgo" class="formselect">
663			<?php foreach ($p1_halgos as $algo => $algoname): ?>
664			<option value="<?=$algo;?>" <?php if ($algo == $pconfig['halgo']) echo "selected"; ?>>
665			<?=htmlspecialchars($algoname);?>
666			</option>
667			<?php endforeach; ?>
668			</select>
669			<br>
670			<span class="vexpl">
671	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Must match the setting chosen on the remote side"); ?>.
672	5a3b0d3b	mgrooms	</span>
673			</td>
674			</tr>
675			<tr>
676	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("DH key group"); ?></td>
677	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
678			<select name="dhgroup" class="formselect">
679			<?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?>
680			<option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) echo "selected"; ?>>
681			<?=htmlspecialchars($keygroup);?>
682			</option>
683			<?php endforeach; ?>
684			</select>
685			<br>
686			<span class="vexpl">
687	2fbb33f1	Carlos Eduardo Ramos	<em><?=gettext("1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit"); ?></em>
688	5a3b0d3b	mgrooms	<br>
689	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Must match the setting chosen on the remote side"); ?>.
690	5a3b0d3b	mgrooms	</span>
691			</td>
692			</tr>
693			<tr>
694	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td>
695	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
696			<input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>">
697	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("seconds"); ?>
698	5a3b0d3b	mgrooms	</td>
699			</tr>
700	73fbece8	mgrooms	<tr id="opt_cert">
701	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate"); ?></td>
702	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
703	73fbece8	mgrooms	<select name='certref' class="formselect">
704			<?php
705	b4e6524c	jim-p	foreach ($config['cert'] as $cert):
706	73fbece8	mgrooms	$selected = "";
707			if ($pconfig['certref'] == $cert['refid'])
708			$selected = "selected";
709			?>
710			<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['name'];?></option>
711			<?php endforeach; ?>
712			</select>
713	5a3b0d3b	mgrooms	<br>
714	73fbece8	mgrooms	<span class="vexpl">
715	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Select a certificate previously configured in the Certificate Manager"); ?>.
716	73fbece8	mgrooms	</span>
717	5a3b0d3b	mgrooms	</td>
718			</tr>
719	a22d475f	jim-p	<tr id="opt_ca">
720			<td width="22%" valign="top" class="vncellreq"><?=gettext("My Certificate Authority"); ?></td>
721			<td width="78%" class="vtable">
722			<select name='caref' class="formselect">
723			<?php
724	b4e6524c	jim-p	foreach ($config['ca'] as $ca):
725	a22d475f	jim-p	$selected = "";
726			if ($pconfig['caref'] == $ca['refid'])
727			$selected = "selected";
728			?>
729			<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['name'];?></option>
730			<?php endforeach; ?>
731			</select>
732			<br>
733			<span class="vexpl">
734			<?=gettext("Select a certificate authority previously configured in the Certificate Manager"); ?>.
735			</span>
736			</td>
737			</tr>
738	5a3b0d3b	mgrooms	<tr>
739			<td colspan="2" class="list" height="12"></td>
740			</tr>
741			<tr>
742	2fbb33f1	Carlos Eduardo Ramos	<td colspan="2" valign="top" class="listtopic"><?=gettext("Advanced Options"); ?></td>
743	5a3b0d3b	mgrooms	</tr>
744			<tr>
745	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncell"><?=gettext("NAT Traversal"); ?></td>
746	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
747			<select name="nat_traversal" class="formselect">
748	2fbb33f1	Carlos Eduardo Ramos	<option value="off" <?php if ($pconfig['nat_traversal'] == "off") echo "selected"; ?>><?=gettext("Disable"); ?></option>
749			<option value="on" <?php if ($pconfig['nat_traversal'] == "on") echo "selected"; ?>><?=gettext("Enable"); ?></option>
750			<option value="force" <?php if ($pconfig['nat_traversal'] == "force") echo "selected"; ?>><?=gettext("Force"); ?></option>
751	5a3b0d3b	mgrooms	</select>
752			<br/>
753			<span class="vexpl">
754	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
755			"which can help with clients that are behind restrictive firewalls"); ?>.
756	5a3b0d3b	mgrooms	</span>
757			</td>
758			</tr>
759			<tr>
760	2fbb33f1	Carlos Eduardo Ramos	<td width="22%" valign="top" class="vncell"><?=gettext("Dead Peer Detection"); ?></td>
761	5a3b0d3b	mgrooms	<td width="78%" class="vtable">
762			<input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?php if (isset($pconfig['dpd_enable'])) echo "checked"; ?> onClick="dpdchkbox_change()">
763	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Enable DPD"); ?><br>
764	5a3b0d3b	mgrooms	<div id="opt_dpd">
765			<br>
766			<input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>">
767	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("seconds"); ?><br>
768	5a3b0d3b	mgrooms	<span class="vexpl">
769	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Delay between requesting peer acknowledgement"); ?>.
770	5a3b0d3b	mgrooms	</span><br>
771			<br>
772			<input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>">
773	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("retries"); ?><br>
774	5a3b0d3b	mgrooms	<span class="vexpl">
775	2fbb33f1	Carlos Eduardo Ramos	<?=gettext("Number of consecutive failures allowed before disconnect"); ?>.
776	5a3b0d3b	mgrooms	</span>
777			<br>
778			</div>
779			</td>
780			</tr>
781			<tr>
782			<td width="22%" valign="top"> </td>
783			<td width="78%">
784			<?php if (isset($p1index) && $a_phase1[$p1index]): ?>
785			<input name="p1index" type="hidden" value="<?=$p1index;?>">
786			<?php endif; ?>
787			<?php if ($pconfig['mobile']): ?>
788			<input name="mobile" type="hidden" value="true">
789			<?php endif; ?>
790			<input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>">
791	2fbb33f1	Carlos Eduardo Ramos	<input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>">
792	5a3b0d3b	mgrooms	</td>
793			</tr>
794			</table>
795			</div>
796			</td>
797			</tr>
798			</table>
799	a93e56c5	Matthew Grooms	</form>
800	5a3b0d3b	mgrooms
801	a93e56c5	Matthew Grooms	<script lannguage="JavaScript">
802			<!--
803			<?php
804			/* determine if we should init the key length */
805			$keyset = '';
806			if (isset($pconfig['ealgo']['keylen']))
807			if (is_numeric($pconfig['ealgo']['keylen']))
808			$keyset = $pconfig['ealgo']['keylen'];
809			?>
810	3462a529	Matthew Grooms	myidsel_change();
811			peeridsel_change();
812	a93e56c5	Matthew Grooms	methodsel_change();
813			ealgosel_change(<?=$keyset;?>);
814			dpdchkbox_change();
815			//-->
816			</script>
817			<?php include("fend.inc"); ?>
818	3462a529	Matthew Grooms	</body>
819			</html>

Project

General

Profile

pfSense