diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 0fb7c930a..e8aab43b0 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -73,17 +73,9 @@ $cgiparams{'ENABLED'} = 'off';
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
-$cgiparams{'DBG_CRYPT'} = '';
-$cgiparams{'DBG_PARSING'} = '';
-$cgiparams{'DBG_EMITTING'} = '';
-$cgiparams{'DBG_CONTROL'} = '';
-$cgiparams{'DBG_KLIPS'} = '';
-$cgiparams{'DBG_DNS'} = '';
-$cgiparams{'DBG_NAT_T'} = '';
$cgiparams{'KEY'} = '';
$cgiparams{'TYPE'} = '';
$cgiparams{'ADVANCED'} = '';
-$cgiparams{'INTERFACE'} = '';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
@@ -253,50 +245,8 @@ sub writeipsecfiles {
flock CONF, 2;
flock SECRETS, 2;
print CONF "version 2\n\n";
- print CONF "config setup\n";
- #create an ipsec Interface for each 'enabled' ones
- #loop trought configuration and add physical interfaces to the list
- my $interfaces = "\tinterfaces=\"";
- foreach my $key (keys %lconfighash) {
- next if ($lconfighash{$key}[0] ne 'on');
- $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
- }
- print CONF $interfaces . "\"\n";
-
- my $plutodebug = ''; # build debug list
- map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
- ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
- $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- #print CONF "\tklipsdebug=\"none\"\n";
- print CONF "\tplutodebug=\"$plutodebug\"\n";
- # deprecated in ipsec.conf version 2
- #print CONF "\tplutoload=%search\n";
- #print CONF "\tplutostart=%search\n";
- print CONF "\tuniqueids=yes\n";
- print CONF "\tnat_traversal=yes\n";
- print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
- print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$green_cidr";
- if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$orange_cidr";
- }
- if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$blue_cidr";
- }
- foreach my $key (keys %lconfighash) {
- if ($lconfighash{$key}[3] eq 'net') {
- print CONF ",%v4:!$lconfighash{$key}[11]";
- }
- }
- print CONF "\n\n";
print CONF "conn %default\n";
print CONF "\tkeyingtries=0\n";
- #strongswan doesn't know this
- #print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n";
# Add user includes to config file
@@ -329,7 +279,6 @@ sub writeipsecfiles {
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
@@ -339,7 +288,6 @@ sub writeipsecfiles {
if ($lconfighash{$key}[3] eq 'net') {
my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
print CONF "\trightsubnet=$cidr_net\n";
- print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
}
@@ -354,6 +302,9 @@ sub writeipsecfiles {
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Is PFS enabled?
+ my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
+
# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
print CONF "\tike=";
@@ -379,11 +330,20 @@ sub writeipsecfiles {
print CONF "\tesp=";
my @encs = split('\|', $lconfighash{$key}[21]);
my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
my $comma = 0;
foreach my $i (@encs) {
foreach my $j (@ints) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
+ my $modp = "";
+ foreach my $k (@groups) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ if ($pfs eq "on") {
+ $modp = "-modp$k";
+ } else {
+ $modp = "";
+ }
+ print CONF "$i-$j$modp";
+ }
}
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
@@ -392,9 +352,6 @@ sub writeipsecfiles {
print CONF "\n";
}
}
- if ($lconfighash{$key}[23]) {
- print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
- }
# IKE V1 or V2
if (! $lconfighash{$key}[29]) {
@@ -414,9 +371,6 @@ sub writeipsecfiles {
print CONF "\tdpdtimeout=120\n";
print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
- # Disable pfs ?
- print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
-
# Build Authentication details: LEFTid RIGHTid : PSK psk
my $psk_line;
if ($lconfighash{$key}[4] eq 'psk') {
@@ -450,6 +404,12 @@ sub writeipsecfiles {
close(SECRETS);
}
+# Hook to regenerate the configuration files.
+if ($ENV{"REMOTE_ADDR"} eq "") {
+ writeipsecfiles;
+ exit(0);
+}
+
###
### Save main settings
###
@@ -466,11 +426,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SAVE_ERROR;
}
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
- $errormessage = $Lang::tr{'vpn mtu invalid'};
- goto SAVE_ERROR;
- }
-
unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
$errormessage = $Lang::tr{'invalid input'};
goto SAVE_ERROR;
@@ -481,13 +436,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SAVE_ERROR;
}
- map ($vpnsettings{$_} = $cgiparams{$_},
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
- $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
$vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
@@ -1298,7 +1248,6 @@ END
$cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
$cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
$cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
$cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
$cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
@@ -1801,7 +1750,7 @@ END
$confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
$confighash{$key}[10] = $cgiparams{'REMOTE'};
$confighash{$key}[25] = $cgiparams{'REMARK'};
- $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+ $confighash{$key}[26] = ""; # Formerly INTERFACE
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
$confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
@@ -1859,28 +1808,25 @@ END
$cgiparams{'DPD_ACTION'} = 'restart';
}
- # Default IKE Version to V1
- if (! $cgiparams{'IKE_VERSION'}) {
- $cgiparams{'IKE_VERSION'} = 'ikev1';
+ # Default IKE Version to v2
+ if (!$cgiparams{'IKE_VERSION'}) {
+ $cgiparams{'IKE_VERSION'} = 'ikev2';
}
- # Default is yes for 'pfs'
- $cgiparams{'PFS'} = 'on';
-
# ID are empty
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
+ $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '1'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'VHOST'} = 'on'; #[14];
@@ -1903,12 +1849,6 @@ END
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = '';
- $selected{'INTERFACE'}{'ORANGE'} = '';
- $selected{'INTERFACE'}{'GREEN'} = '';
- $selected{'INTERFACE'}{'BLUE'} = '';
- $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
-
$selected{'DPD_ACTION'}{'clear'} = '';
$selected{'DPD_ACTION'}{'hold'} = '';
$selected{'DPD_ACTION'}{'restart'} = '';
@@ -1975,22 +1915,24 @@ END
$blob = "
";
};
- print "| $Lang::tr{'host ip'}: | ";
- print " | ";
print <
$Lang::tr{'remote host/ip'}: $blob |
- |
-
- | $Lang::tr{'local subnet'} |
- |
+
+
+ |
$Lang::tr{'remote subnet'} |
- |
-
+ |
+
+ |
+
+
+ | $Lang::tr{'local subnet'} |
+
+
+ |
+
+
$Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com) |
|
$Lang::tr{'vpn remote id'}: |
@@ -1999,22 +1941,18 @@ END
|
| $Lang::tr{'vpn keyexchange'}: |
+
+
|
$Lang::tr{'dpd action'}: |
?
+
|
-
| $Lang::tr{'remark title'} |
|
@@ -2448,10 +2386,7 @@ EOF
$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
$checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
- map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
+ $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
@@ -2473,13 +2408,6 @@ EOF
|
$Lang::tr{'enabled'} |
-END
- ;
- print <
- $Lang::tr{'override mtu'}: |
- |
-
END
;
print <
$Lang::tr{'vpn watch'}:
-PLUTO DEBUG =
-crypt:,
-parsing:,
-emitting:,
-control:,
-dns: