From 4e156911cc45c2788bfa7e04561e2a7e550c68b8 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 7 Jan 2014 00:38:36 +0100 Subject: [PATCH 1/7] IPsec: Add DPD configuration options to advanced settings. --- html/cgi-bin/vpnmain.cgi | 45 +++++++++++++++++++++++++++++++++------- langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 64bf17e93..b9a73e5f2 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -104,7 +104,8 @@ $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; $cgiparams{'RW_NET'} = ''; - +$cgiparams{'DPD_DELAY'} = '30'; +$cgiparams{'DPD_TIMEOUT'} = '120'; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); ### @@ -384,8 +385,8 @@ sub writeipsecfiles { print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); # Dead Peer Detection - print CONF "\tdpddelay=30\n"; - print CONF "\tdpdtimeout=120\n"; + print CONF "\tdpddelay=$lconfighash{$key}[30]\n"; + print CONF "\tdpdtimeout=$lconfighash{$key}[31]\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; # Build Authentication details: LEFTid RIGHTid : PSK psk @@ -1274,6 +1275,8 @@ END $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -1748,7 +1751,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -1788,6 +1791,8 @@ END $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$key}[28] = $cgiparams{'PFS'}; $confighash{$key}[14] = $cgiparams{'VHOST'}; + $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; #free unused fields! $confighash{$key}[6] = 'off'; @@ -2197,6 +2202,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { @@ -2217,6 +2224,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { $cgiparams{'VHOST'} = 'off'; @@ -2404,7 +2413,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - @@ -2412,7 +2421,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - + + + + + + + + EOF ; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { @@ -2441,7 +2470,7 @@ EOF print < - diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 01cd3f683..90128884b 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -749,6 +749,8 @@ 'download pkcs12 file' => 'PKCS12-Datei herunterladen', 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', +'dpd timeout' => 'DPD Zeitüberschreitung', +'dpd delay' => 'DPD Verzögerung', 'driver' => 'Treiber', 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index dc38129f3..ec03edc67 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -773,6 +773,8 @@ 'download pkcs12 file' => 'Download PKCS12 file', 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', +'dpd timeout' => 'DPD timeout', +'dpd delay' => 'DPD delay', 'driver' => 'Driver', 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', From cbb3a8f91e2e7aa220b5bc9e9773fa4547f0ce85 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2014 01:37:00 +0100 Subject: [PATCH 2/7] IPsec: Fix and enhance DPD configuration. Also the action option has now moved to the advanced settings page and the design has been improved. --- doc/language_issues.de | 2 +- doc/language_issues.en | 1 - doc/language_issues.es | 6 ++ doc/language_issues.fr | 6 ++ doc/language_issues.nl | 6 ++ doc/language_issues.pl | 6 ++ doc/language_issues.ru | 6 ++ doc/language_issues.tr | 6 ++ doc/language_missings | 16 +++++ html/cgi-bin/vpnmain.cgi | 133 ++++++++++++++++++++++++++------------- langs/de/cgi-bin/de.pl | 6 +- langs/en/cgi-bin/en.pl | 9 ++- 12 files changed, 154 insertions(+), 49 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index bcc021423..548acf2a7 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -198,7 +198,6 @@ WARNING: translation string unused: from warn email bad WARNING: translation string unused: fwdfw MODE1 WARNING: translation string unused: fwdfw MODE2 WARNING: translation string unused: fwdfw err prot_port1 -WARNING: translation string unused: fwdfw err tgt_port WARNING: translation string unused: fwdfw final_rule WARNING: translation string unused: fwdfw from WARNING: translation string unused: fwdfw ipsec network @@ -572,6 +571,7 @@ WARNING: untranslated string: Scan for Songs WARNING: untranslated string: advproxy cache-digest WARNING: untranslated string: bytes WARNING: untranslated string: community rules +WARNING: untranslated string: dead peer detection WARNING: untranslated string: emerging rules WARNING: untranslated string: fwhost err hostip WARNING: untranslated string: new diff --git a/doc/language_issues.en b/doc/language_issues.en index 1eccc80a2..5266bc2d6 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -221,7 +221,6 @@ WARNING: translation string unused: from warn email bad WARNING: translation string unused: fwdfw MODE1 WARNING: translation string unused: fwdfw MODE2 WARNING: translation string unused: fwdfw err prot_port1 -WARNING: translation string unused: fwdfw err tgt_port WARNING: translation string unused: fwdfw final_rule WARNING: translation string unused: fwdfw from WARNING: translation string unused: fwdfw ipsec network diff --git a/doc/language_issues.es b/doc/language_issues.es index 6b6424a33..553772e30 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -595,6 +595,7 @@ WARNING: untranslated string: ccd none WARNING: untranslated string: ccd routes WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: dnat address @@ -605,6 +606,8 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -664,6 +667,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -774,6 +778,8 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: minute diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 2f7f60d00..3d06db7a9 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -597,6 +597,7 @@ WARNING: untranslated string: ccd none WARNING: untranslated string: ccd routes WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: dnat address @@ -608,6 +609,8 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -667,6 +670,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -777,6 +781,8 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: minute diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d543069f3..fdec3dd22 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -563,6 +563,7 @@ WARNING: untranslated string: advproxy errmsg proxy ports equal WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: bytes WARNING: untranslated string: ccd iroute2 +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: dnat address WARNING: untranslated string: dnsforward @@ -572,6 +573,8 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -613,6 +616,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -723,6 +727,8 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: most preferred diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 6b6424a33..553772e30 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -595,6 +595,7 @@ WARNING: untranslated string: ccd none WARNING: untranslated string: ccd routes WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: dnat address @@ -605,6 +606,8 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -664,6 +667,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -774,6 +778,8 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: minute diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 5a1296b54..5127491f5 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -590,6 +590,7 @@ WARNING: untranslated string: ccd routes WARNING: untranslated string: ccd subnet WARNING: untranslated string: ccd used WARNING: untranslated string: community rules +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: disk access per @@ -601,6 +602,8 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -650,6 +653,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -761,6 +765,8 @@ WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: incoming traffic in bytes per second WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: minute diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 299c74d64..e8e130602 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -576,8 +576,11 @@ WARNING: untranslated string: Scan for Songs WARNING: untranslated string: advproxy errmsg proxy ports equal WARNING: untranslated string: advproxy proxy port transparent WARNING: untranslated string: bytes +WARNING: untranslated string: dead peer detection WARNING: untranslated string: default ip WARNING: untranslated string: dnat address +WARNING: untranslated string: dpd delay +WARNING: untranslated string: dpd timeout WARNING: untranslated string: drop action WARNING: untranslated string: drop action1 WARNING: untranslated string: drop action2 @@ -619,6 +622,7 @@ WARNING: untranslated string: fwdfw err src_addr WARNING: untranslated string: fwdfw err tgt_addr WARNING: untranslated string: fwdfw err tgt_grp WARNING: untranslated string: fwdfw err tgt_mac +WARNING: untranslated string: fwdfw err tgt_port WARNING: untranslated string: fwdfw err time WARNING: untranslated string: fwdfw external port nat WARNING: untranslated string: fwdfw hint ip1 @@ -729,6 +733,8 @@ WARNING: untranslated string: fwhost used WARNING: untranslated string: fwhost welcome WARNING: untranslated string: grouptype WARNING: untranslated string: integrity +WARNING: untranslated string: invalid input for dpd delay +WARNING: untranslated string: invalid input for dpd timeout WARNING: untranslated string: least preferred WARNING: untranslated string: lifetime WARNING: untranslated string: most preferred diff --git a/doc/language_missings b/doc/language_missings index 86f45b004..952e1e5f2 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -70,6 +70,8 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dpd delay +< dpd timeout < drop action < drop action1 < drop action2 @@ -268,6 +270,8 @@ < fw settings ruletable < grouptype < integrity +< invalid input for dpd delay +< invalid input for dpd timeout < least preferred < lifetime < minute @@ -488,6 +492,8 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dpd delay +< dpd timeout < drop action < drop action1 < drop action2 @@ -686,6 +692,8 @@ < fw settings ruletable < grouptype < integrity +< invalid input for dpd delay +< invalid input for dpd timeout < least preferred < lifetime < minute @@ -898,6 +906,8 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dpd delay +< dpd timeout < drop action < drop action1 < drop action2 @@ -1088,6 +1098,8 @@ < fw settings ruletable < grouptype < integrity +< invalid input for dpd delay +< invalid input for dpd timeout < least preferred < lifetime < minute @@ -1287,6 +1299,8 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dpd delay +< dpd timeout < drop action < drop action1 < drop action2 @@ -1481,6 +1495,8 @@ < hour-graph < incoming traffic in bytes per second < integrity +< invalid input for dpd delay +< invalid input for dpd timeout < least preferred < lifetime < minute diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index b9a73e5f2..43d574ce5 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -385,10 +385,19 @@ sub writeipsecfiles { print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); # Dead Peer Detection - print CONF "\tdpddelay=$lconfighash{$key}[30]\n"; - print CONF "\tdpdtimeout=$lconfighash{$key}[31]\n"; print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; + my $dpddelay = $lconfighash{$key}[30]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[31]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; + # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; if ($lconfighash{$key}[4] eq 'psk') { @@ -1278,6 +1287,14 @@ END $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { @@ -1833,6 +1850,14 @@ END $cgiparams{'DPD_ACTION'} = 'restart'; } + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } + # Default IKE Version to v2 if (!$cgiparams{'IKE_VERSION'}) { $cgiparams{'IKE_VERSION'} = 'ikev2'; @@ -1874,11 +1899,6 @@ END $checked{'AUTH'}{'auth-dn'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - $selected{'DPD_ACTION'}{'clear'} = ''; - $selected{'DPD_ACTION'}{'hold'} = ''; - $selected{'DPD_ACTION'}{'restart'} = ''; - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; - $selected{'IKE_VERSION'}{'ikev1'} = ''; $selected{'IKE_VERSION'}{'ikev2'} = ''; $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; @@ -1915,6 +1935,9 @@ END + + + END ; if ($cgiparams{'KEY'}) { @@ -1970,13 +1993,7 @@ END - - + @@ -2189,6 +2206,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd delay'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd timeout'}; + goto ADVANCED_ERROR; + } + $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -2227,6 +2254,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { $cgiparams{'VHOST'} = 'off'; } @@ -2288,6 +2323,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; + $selected{'DPD_ACTION'}{'clear'} = ''; + $selected{'DPD_ACTION'}{'hold'} = ''; + $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -2315,14 +2355,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
+
+
+
+ + + +
+ + + +
+ $Lang::tr{'dpd action'}: -
$Lang::tr{'remark title'} *
- + - + - + - + @@ -2380,7 +2420,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - +
IKE ESP
$Lang::tr{'encryption'}$Lang::tr{'encryption'}
$Lang::tr{'integrity'}$Lang::tr{'integrity'}
$Lang::tr{'lifetime'}$Lang::tr{'lifetime'} $Lang::tr{'hours'}
$Lang::tr{'grouptype'}$Lang::tr{'grouptype'}
+

+ +

$Lang::tr{'dead peer detection'}

+ + + + + + + + + + + + + + +
$Lang::tr{'dpd action'}: + +
$Lang::tr{'dpd timeout'}: + +
$Lang::tr{'dpd delay'}: + +
+
- @@ -2421,7 +2490,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - - - - - - - - - EOF ; if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 90128884b..568f057cb 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -749,8 +749,8 @@ 'download pkcs12 file' => 'PKCS12-Datei herunterladen', 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', -'dpd timeout' => 'DPD Zeitüberschreitung', -'dpd delay' => 'DPD Verzögerung', +'dpd delay' => 'Verzögerung', +'dpd timeout' => 'Zeitüberschreitung', 'driver' => 'Treiber', 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', @@ -1211,6 +1211,8 @@ 'invalid input for dhcp dns' => 'Ungültige Eingabe für DHCP DNS', 'invalid input for dhcp domain' => 'Ungültige Eingabe für DHCP Domain', 'invalid input for dhcp wins' => 'Ungültige Eingabe für DHCP WINS', +'invalid input for dpd delay' => 'Ungültige Eingabe für DPD-Verzögerung', +'invalid input for dpd timeout' => 'Ungültige Eingabe für DPD-Zeitüberschreitung', 'invalid input for e-mail address' => 'Ungültige Eingabe für die E-mail Adresse', 'invalid input for esp keylife' => 'Ungültige Eingabe für ESP Schlüssel-Lebensdauer', 'invalid input for hostname' => 'Ungültige Eingabe für Hostname', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ec03edc67..451ea7945 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -634,6 +634,7 @@ 'ddns noip prefix' => 'To use no-ip in group mode, prefix hostname with %', 'deactivate' => 'deactivate', 'deactivate user' => 'deactivate user', +'dead peer detection' => 'Dead Peer Detection', 'debugme' => 'Not yet implemented', 'december' => 'December', 'deep scan directories' => 'Scan recursive', @@ -772,9 +773,9 @@ 'download new ruleset' => 'Download new ruleset', 'download pkcs12 file' => 'Download PKCS12 file', 'download root certificate' => 'Download root certificate', -'dpd action' => 'Dead Peer Detection action', -'dpd timeout' => 'DPD timeout', -'dpd delay' => 'DPD delay', +'dpd action' => 'Action', +'dpd delay' => 'Delay', +'dpd timeout' => 'Timeout', 'driver' => 'Driver', 'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', @@ -1239,6 +1240,8 @@ 'invalid input for dhcp dns' => 'Invalid input for DHCP DNS', 'invalid input for dhcp domain' => 'Invalid input for DHCP domain', 'invalid input for dhcp wins' => 'Invalid input for DHCP WINS', +'invalid input for dpd delay' => 'Invalid input for DPD delay', +'invalid input for dpd timeout' => 'Invalid input for DPD timeout', 'invalid input for e-mail address' => 'Invalid input for e-mail address.', 'invalid input for esp keylife' => 'Invalid input for ESP Keylife', 'invalid input for hostname' => 'Invalid input for hostname.', From 277060a472c826541885b40392e0d5a96ba1cf97 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2014 16:14:30 +0100 Subject: [PATCH 3/7] mysql: Fix compiling with -fno-strict-aliasing. --- lfs/mysql | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lfs/mysql b/lfs/mysql index 5fcd7b3ac..aa5c3579f 100644 --- a/lfs/mysql +++ b/lfs/mysql @@ -32,7 +32,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = mysql -PAK_VER = 2 +PAK_VER = 3 + +CFLAGS += -fno-strict-aliasing ############################################################################### # Top-level Rules @@ -75,7 +77,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && C_EXTRA_FLAGS=-fno-strict-aliasing cd $(DIR_APP) && ./configure --prefix=/usr \ --sysconfdir=/etc \ --libexecdir=/usr/sbin \ From afd5d8f76e725ac910c238e94f2282f78bce5da7 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2014 17:00:30 +0100 Subject: [PATCH 4/7] IPsec: Allow to disable DPD. --- html/cgi-bin/vpnmain.cgi | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 43d574ce5..83d2414b4 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -385,18 +385,27 @@ sub writeipsecfiles { print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); # Dead Peer Detection - print CONF "\tdpdaction=$lconfighash{$key}[27]\n"; + my $dpdaction = $lconfighash{$key}[27]; + print CONF "\tdpdaction=$dpdaction\n"; - my $dpddelay = $lconfighash{$key}[30]; - if (!$dpddelay) { - $dpddelay = 30; + # If the dead peer detection is disabled and IKEv2 is used, + # dpddelay must be set to zero, too. + if ($dpdaction eq "none") { + if ($lconfighash{$key}[29] eq "ikev2") { + print CONF "\tdpddelay=0\n"; + } + } else { + my $dpddelay = $lconfighash{$key}[30]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[31]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; } - print CONF "\tdpddelay=$dpddelay\n"; - my $dpdtimeout = $lconfighash{$key}[31]; - if (!$dpdtimeout) { - $dpdtimeout = 120; - } - print CONF "\tdpdtimeout=$dpdtimeout\n"; # Build Authentication details: LEFTid RIGHTid : PSK psk my $psk_line; @@ -1845,9 +1854,9 @@ END # choose appropriate dpd action if ($cgiparams{'TYPE'} eq 'host') { - $cgiparams{'DPD_ACTION'} = 'clear'; + $cgiparams{'DPD_ACTION'} = 'clear'; } else { - $cgiparams{'DPD_ACTION'} = 'restart'; + $cgiparams{'DPD_ACTION'} = 'restart'; } if (!$cgiparams{'DPD_DELAY'}) { @@ -2229,6 +2238,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; + $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); @@ -2251,6 +2261,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; @@ -2326,6 +2337,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{'none'} = ''; $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; &Header::showhttpheaders(); @@ -2458,6 +2470,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - - - - - @@ -2225,6 +2213,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -2249,6 +2238,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || } goto ADVANCED_END; } else { + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; @@ -2334,6 +2324,10 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; + $selected{'DPD_ACTION'}{'clear'} = ''; $selected{'DPD_ACTION'}{'hold'} = ''; $selected{'DPD_ACTION'}{'restart'} = ''; @@ -2373,6 +2367,16 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + + + + +
+
+
+
- - - -
- - - -
$Lang::tr{'dpd action'}: @@ -1994,15 +1991,6 @@ END $Lang::tr{'vpn remote id'}:

$Lang::tr{'vpn keyexchange'}: -
$Lang::tr{'remark title'} *
$Lang::tr{'vpn keyexchange'}: + +
$Lang::tr{'encryption'} From d2d87f2ca06349f63d025e12dafda1b910956e40 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2014 17:50:44 +0100 Subject: [PATCH 6/7] IPsec: Make connection configuration more pleasant for the eye. --- html/cgi-bin/vpnmain.cgi | 68 +++++++++++++++++++++++++--------------- 1 file changed, 42 insertions(+), 26 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index b3e24ba0c..af68d50a2 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1948,19 +1948,23 @@ END ; if ($cgiparams{'KEY'}) { print ""; + print ""; print ""; } - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}:"); + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); print ""; - print ""; - if ($cgiparams{'KEY'}) { - print ""; - } else { - print ""; + if (!$cgiparams{'KEY'}) { + print < + + + + +EOF } - print ""; - print ''; my $disabled; my $blob; @@ -1971,30 +1975,42 @@ END print < - - - - + + + - + + + + + + + + + + + + + + - - - - - - - - - END ; if (!$cgiparams{'KEY'}) { From af8750fdc2c974899c35114a7340f51a09516bd9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2014 17:54:10 +0100 Subject: [PATCH 7/7] Update translations. --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + 8 files changed, 8 insertions(+) diff --git a/doc/language_issues.de b/doc/language_issues.de index 548acf2a7..02c999070 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -150,6 +150,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.en b/doc/language_issues.en index 5266bc2d6..b6b506f6d 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -173,6 +173,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.es b/doc/language_issues.es index 553772e30..d32c90a58 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -167,6 +167,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 3d06db7a9..344c234d4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -167,6 +167,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.nl b/doc/language_issues.nl index fdec3dd22..44d92e585 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -169,6 +169,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 553772e30..d32c90a58 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -167,6 +167,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 5127491f5..09c6930b5 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -166,6 +166,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on diff --git a/doc/language_issues.tr b/doc/language_issues.tr index e8e130602..07ee128b3 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -174,6 +174,7 @@ WARNING: translation string unused: eciadsl upload WARNING: translation string unused: edit network WARNING: translation string unused: edit service WARNING: translation string unused: editor +WARNING: translation string unused: eg WARNING: translation string unused: email server can not be empty WARNING: translation string unused: enable javascript WARNING: translation string unused: enabled on
$Lang::tr{'name'}:$cgiparams{'NAME'}$Lang::tr{'name'}: + +
$Lang::tr{'enabled'}

$Lang::tr{'remote host/ip'}: $blob - - $Lang::tr{'remote subnet'} - + $Lang::tr{'enabled'} + + $Lang::tr{'local subnet'} +
$Lang::tr{'local subnet'}$Lang::tr{'remote host/ip'}: $blob + + $Lang::tr{'remote subnet'} + +
$Lang::tr{'vpn local id'}: + + $Lang::tr{'vpn remote id'}: + +

$Lang::tr{'remark title'} * - +
$Lang::tr{'vpn local id'}:
($Lang::tr{'eg'} @xy.example.com)		$Lang::tr{'vpn remote id'}:
$Lang::tr{'remark title'} *