From f6529a04a398643edeea679f79b15912f8a6fc94 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 10 Sep 2015 13:35:24 +0100
Subject: [PATCH] IPsec: Add option to force using MOBIKE

Some peers that are behind a NAT router that fails to properly forward IKE packets on UDP port 500 cannot establish an IPsec connection. MOBIKE tries to solve that by sending these packets to UDP port 4500 instead.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/94/filelists/files | 1 +
 doc/language_issues.de | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 html/cgi-bin/vpnmain.cgi | 27 +++++++++++++++++++++++-
 langs/en/cgi-bin/en.pl | 1 +
 11 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files
index 625b01782..9b0811406 100644
--- a/config/rootfiles/core/94/filelists/files
+++ b/config/rootfiles/core/94/filelists/files
@@ -3,6 +3,7 @@ etc/issue
 etc/rc.d/init.d/sshd
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/mail.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
 var/ipfire/menu.d/40-services.menu
 var/ipfire/network-functions.pl
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 0d8698756..dd1a4c155 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -651,4 +651,5 @@ WARNING: untranslated string: routing config added
 WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: show tls-auth key
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 2a502006b..866c556be 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index aa4951d80..2dbe26b57 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1062,6 +1062,7 @@ WARNING: untranslated string: urlfilter mode block
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 1669e79f6..88f816f00 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -720,6 +720,7 @@ WARNING: untranslated string: samba join a domain
 WARNING: untranslated string: samba join domain
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 11d76577b..7f857f1f5 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -769,6 +769,7 @@ WARNING: untranslated string: ta key
 WARNING: untranslated string: uncheck all
 WARNING: untranslated string: upload dh key
 WARNING: untranslated string: vendor
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 2a502006b..866c556be 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1047,6 +1047,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index d2215b6df..74dca5477 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1040,6 +1040,7 @@ WARNING: untranslated string: uptime load average
 WARNING: untranslated string: urlfilter redirect template
 WARNING: untranslated string: vendor
 WARNING: untranslated string: visit us at
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn keyexchange
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index a9d633273..1dcc1db40 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -697,6 +697,7 @@ WARNING: untranslated string: routing config changed
 WARNING: untranslated string: routing table
 WARNING: untranslated string: search
 WARNING: untranslated string: uncheck all
+WARNING: untranslated string: vpn force mobike
 WARNING: untranslated string: vpn statistic n2n
 WARNING: untranslated string: vpn statistic rw
 WARNING: untranslated string: vpn statistics n2n
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 8c44b7e93..9f3c645e1 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -108,6 +108,7 @@ $cgiparams{'ROOTCERT_STATE'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
+$cgiparams{'FORCE_MOBIKE'} = 'off';
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 ###
@@ -360,6 +361,11 @@ sub writeipsecfiles {
 # Compression
 print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
+ # Force MOBIKE?
+ if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
+ print CONF "\tmobike=yes\n";
+ }
+
 # Dead Peer Detection
 my $dpdaction = $lconfighash{$key}[27];
 print CONF "\tdpdaction=$dpdaction\n";
@@ -1286,6 +1292,7 @@ END
 $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+ $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
@@ -1768,7 +1775,7 @@ END
 my $key = $cgiparams{'KEY'};
 if (! $key) {
 $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
+ foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
 }
 $confighash{$key}[0] = $cgiparams{'ENABLED'};
 $confighash{$key}[1] = $cgiparams{'NAME'};
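Review bot: The new condition in writeipsecfiles compares `$lconfighash{$key}[32] eq 'on'` unguarded, but connections saved before this change never had a field 32 (the initialiser loop in the hunk at -1768 only ran to 31), so for every pre-existing entry the comparison runs on undef and, if the script runs under `use warnings`, an uninitialized-value warning is logged each time the files are regenerated. Guarding the read gives the same result for old and new records: `if (($lconfighash{$key}[29] eq "ikev2") && (($lconfighash{$key}[32] // '') eq 'on')) {` (defined-or needs Perl 5.10+; a `defined` test works on older interpreters). Separately, nothing is written when the option is off, so the generated conn inherits whatever `mobike` default the daemon or a `conn %default` block elsewhere in the file applies; if unchecked is meant to mean "MOBIKE off", an explicit `print CONF "\tmobike=no\n";` in an else branch would make the generated config self-describing rather than default-dependent. writeipsecfiles starts before and continues past this hunk.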
@@ -1810,6 +1817,7 @@ END
 $confighash{$key}[14] = $cgiparams{'VHOST'};
 $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
+ $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
 #free unused fields!
 $confighash{$key}[6] = 'off';
@@ -1858,6 +1866,10 @@ END
 $cgiparams{'DPD_TIMEOUT'} = 120;
 }
+ if (!$cgiparams{'FORCE_MOBIKE'}) {
+ $cgiparams{'FORCE_MOBIKE'} = 'no';
+ }
+
 # Default IKE Version to v2
 if (!$cgiparams{'IKE_VERSION'}) {
 $cgiparams{'IKE_VERSION'} = 'ikev2';
@@ -1935,6 +1947,7 @@ END
+
 END
 ;
 if ($cgiparams{'KEY'}) {
@@ -2206,6 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 if (
 ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
+ ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
 ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
 ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
 ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
@@ -2241,6 +2255,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
 $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
 $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
+ $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
 if (&vpnenabled) {
@@ -2268,6 +2283,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+ $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
 if (!$cgiparams{'DPD_DELAY'}) {
 $cgiparams{'DPD_DELAY'} = 30;
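Review bot: In the hunk at -1810 the submitted `FORCE_MOBIKE` value is copied straight into field 32 of the connection record, while the only validation this commit adds for it (`!~ /^(|on|off)$/`) lives in the advanced-settings handler at -2206. Unless the add/edit save path checks the parameter before this point (that code is outside the hunk), any string the client sends is presumably persisted with the rest of the record; it is only ever compared with `eq 'on'`, so it cannot reach ipsec.conf, but the on/off check applied to `COMPRESSION` and `VHOST` in the advanced path should apply to the main path as well. The cheapest form is to normalise at the store, `$confighash{$key}[32] = ($cgiparams{'FORCE_MOBIKE'} eq 'on') ? 'on' : 'off';`, or to reject the request the way the advanced handler does. The enclosing block starts and ends outside the hunk.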
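Review bot: The fallback in the hunk at -1858 sets `FORCE_MOBIKE` to `'no'`, which disagrees with the rest of the change: the initial default at -108 is `'off'`, the validator at -2206 accepts only the empty string, `on` or `off`, and every consumer tests `eq 'on'`. It is probably harmless in practice, since a checkbox submits `on` or nothing and the `eq 'on'` tests treat `no` as off, but a third spelling of "off" in the same file invites a future mismatch. Because an empty or missing value already behaves as off, either use `$cgiparams{'FORCE_MOBIKE'} = 'off';` or drop the block. The surrounding form-setup code starts and ends outside the hunk.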
@@ -2362,6 +2378,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
 $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
+ $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
 $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
@@ -2605,6 +2622,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
+ + + + +
 EOF
 ;
 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index ef5f50b3e..c77040250 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2648,6 +2648,7 @@
 'vpn configuration main' => 'VPN Configuration',
 'vpn delayed start' => 'Delay before launching VPN (seconds)',
 'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.',
+'vpn force mobike' => 'Force using MOBIKE (only IKEv2)',
 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute not allowed',
 'vpn keyexchange' => 'Keyexchange',
 'vpn local id' => 'Local ID',