webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-13 12:32:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
10,642 Commits 2 Branches 1 Tag
91c35e4838b4e059c67240bb54cd32eefd105da3
Commit Graph

110 Commits

Author SHA1 Message Date
Michael Tremer
9bc2e596d0 IPsec: Include Curve 25519 in default proposal 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-04-05 12:16:52 +01:00
Michael Tremer
64056cae46 IPsec: Allow selecting Curve 25519 as group type 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-04-05 12:16:20 +01:00
Michael Tremer
570d54fd84 IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers 
IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak although
many off-the-shelf hardware is still using this as defaults.

This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.

This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-04-05 11:42:55 +01:00
Michael Tremer
8057ab15b9 Show better connection information for on-demand IPsec connections 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-02-15 12:15:42 +00:00
Michael Tremer
1ee1666ee4 IPsec: Close on-demand tunnels after 15 min of inactivity 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2017-02-15 11:22:27 +00:00
Michael Tremer
dcb406cc67 IPsec: Allow to create on-demand connections 
This will create IPsec VPN connections with auto=route set
instead of auto=start which will cause the connection being
created, but not brought up yet.

As soon as the first packet is received, the connection will
be established and data will be passed through it.

This allows IPFire to handle more VPN connections on weaker
systems and avoids negotiating many connections which are
rarely used.

Suggested-by: Tom Rymes <tomvend@rymes.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #10733
 2017-02-15 10:11:58 +00:00
Larsen
2158e11ba9 IPSec VPN: Add "required" marker for "organization name" 
IPSec VPN: Add "required" marker for "organization name"

Fixes https://bugzilla.ipfire.org/show_bug.cgi?id=10846

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-10-15 15:44:56 +01:00
Michael Tremer
b1881251d6 Merge remote-tracking branch 'ms/ipsec-subnets' into next 2015-09-28 14:21:18 +01:00
Lars Schuhmacher
624615ee07 vpnmain.cgi - Replace spaces with tab characters and fix indentation 
Replaced spaces with tab characters. Fixed indentation.

This is based on http://patchwork.ipfire.org/patch/88/ so that patch must be applied before.

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-09-28 14:05:06 +01:00
Lars Schuhmacher
ed1d0fbdbe IPsec: Remove GUI option for "Roadwarrior virtual IP" 
This setting stems from IPCop (and probably Openswan) and causes a problem.

Fixes bug #10496.

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-09-28 14:04:40 +01:00
Lars Schuhmacher
e3edceeb7a Mark required input fields with a star 
Mark required input fields with a star as nowadays this is
the de-facto default. Before, it was the other way around and
optional fields were marked.

Signed-off-by: Lars Schumacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-09-21 16:40:41 +01:00
Michael Tremer
f6529a04a3 IPsec: Add option to force using MOBIKE 
Some peers that are behind a NAT router that fails
to properly forward IKE packets on UDP port 500 cannot
establish an IPsec connection. MOBIKE tries to solve that
by sending these packets to UDP port 4500 instead.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-09-10 13:35:24 +01:00
Michael Tremer
8792caad90 ipsec: Support using multiple subnets per tunnel 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-08-25 21:52:11 +01:00
Michael Tremer
4b02b4045b ipsec: Allow selection of ESP group type 
If a connection is edited, the IKE group types will be used instead.

Fixes #10860

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Wolfgang Apolinarski <wolfgang.apolinarski@web.de>
 2015-06-15 22:33:28 +02:00
Lars Schuhmacher
bd767b27c8 ipsec.conf: Include ipsec.user.conf and ipsec.user-post.conf 
Fix bug 10869 as the code has been removed by mistake by the
previous commit dfea4f86c2.
It also includes ipsec.user.conf only when it exists.

Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2015-06-04 17:50:51 +02:00
Michael Tremer
5f0a2ba104 vpnmain.cgi: Do not use an other DH key exchange in ESP 2015-05-11 12:57:29 +02:00
Michael Tremer
2c531c2132 vpnmain.cgi: Fix ECP regex again for Brainpool curves 
The regular expression did not take into account that
there could be characters like "bp" in case of the Brainpool
curves (ecp512bp).
 2015-05-01 16:57:13 +02:00
Michael Tremer
3bcb59ab21 vpnmain.cgi: Fix prefix for elliptic curve algorithms 2015-04-28 13:22:00 +02:00
Jochen Kauz
a24062d12b vpnmain.cgi: dpd_delay/dpd_timeout wrong entry in ipsec.conf 
Fixes #10636
 2015-04-28 11:30:05 +02:00
Michael Tremer
a4d24f9052 vpnmain.cgi: Order ciphers by strength 
strongSwan uses them in the defined order. Hence it makes
much more sense to present them to the user as well in that
order.
 2015-04-22 14:45:10 +02:00
Michael Tremer
78039c1585 vpnmain.cgi: Use integrity functions as PRF for AEAD 2015-04-22 14:44:16 +02:00
Michael Tremer
e8b3bb0edc vpnmain.cgi: Rewrite algorithm generation code 2015-04-22 14:08:41 +02:00
Michael Tremer
a47376207f ipsec: Always enable support for IKE fragmentation 2015-04-21 19:36:40 +02:00
Wolfgang Apolinarski
ab2d15486b Added clientAuth to EKU of client certificate. Fixed the comment. 2015-04-18 23:32:14 +02:00
Wolfgang Apolinarski
3847730c17 Applied patches for not using md5. Additionally, the root CA is no 4096 bits, host/clients are 2048 bits (both RSA). Openssl is now choosing the random seed automatically, removed the '-rand' parameter. 2015-03-17 20:42:41 +01:00
Michael Tremer
dfea4f86c2 strongswan: Allow using AES-GCM in various configurations 2015-03-11 18:13:25 +01:00
Michael Tremer
274ebe1d9d Merge remote-tracking branch 'origin/master' into next 
Conflicts:
	config/rootfiles/packages/clamav
	lfs/clamav
 2015-03-04 23:58:47 +01:00
Christoph Anderegg
165b25b2dc vpnmain.cgi: Added inclusion of ipsec.user-post.conf to the end of ipsec.conf in order to allow connection parameters to be overwritten in ipsec.user.conf. 2015-03-03 11:16:47 +01:00
Michael Tremer
f57a228c4b ipsec: Allow IKE lifetime of up to 24 hours 
Requested in #10722

The recommended time has not been changed, but it is often
stated that 24 hours is a common lifetime for IKE.
 2015-01-19 17:04:37 +01:00
Michael Tremer
7e7788ea0b Merge remote-tracking branch 'amarx/BETA3' into next 2014-03-13 15:32:00 +01:00
Alexander Marx
03b08c08f0 VPN Checksubnets: Buttons are now Language Strings 2014-03-13 15:27:01 +01:00
Alexander Marx
4d81e0f381 VPN Checksubnets: Now the remote subnets (OpenVPN/IPSec) are checked. If they are defined elsewhere, there's a warningmessage displayed 2014-03-13 15:09:01 +01:00
Alexander Marx
c6df357fd4 Firewall: When delting an OpenVPN or IPSec connection, the rules are only colored yellow and the firewallrules are reloaded automatically 2014-03-13 14:51:28 +01:00
Alexander Marx
b3c53248d9 Firewall: When delting an OpenVPN or IPSec connection, the rules are only colored yellow and the firewallrules are reloaded automatically 2014-03-13 13:53:39 +01:00
Michael Tremer
cbb88df154 vpnmain.cgi: Remove left-over </td> tag. 2014-03-10 16:11:50 +01:00
Alexander Marx
7d44bfeef1 changes pagetitle in vpnmain.cgi 2014-01-11 12:15:11 +01:00
Alexander Marx
0afd84931e Layout changes vpnmain.cgi 2014-01-09 14:59:10 +01:00
Alexander Marx
e9850821d4 fifteen-theme: made vpnmain.cgi tables themeable 2014-01-08 15:05:42 +01:00
Stefan Schantl
e602416f94 Fix inpossible download of hostcert on french language. 
The french tranlsation string for download host certificate contains a single quote
character which breaks the used HTML code. As a result of this it wasn't possibe to
download the host certificate via the WUI with selected french language.

Fixes #10405.
 2014-01-07 21:13:56 +01:00
Michael Tremer
d2d87f2ca0 IPsec: Make connection configuration more pleasant for the eye. 2014-01-07 17:50:44 +01:00
Michael Tremer
4ad0b5b680 IPsec: Move IKE protocol option to advanced settings page. 2014-01-07 17:08:35 +01:00
Michael Tremer
afd5d8f76e IPsec: Allow to disable DPD. 2014-01-07 17:00:30 +01:00
Michael Tremer
cbb3a8f91e IPsec: Fix and enhance DPD configuration. 
Also the action option has now moved to the advanced settings
page and the design has been improved.
 2014-01-07 01:37:00 +01:00
Alexander Marx
4e156911cc IPsec: Add DPD configuration options to advanced settings. 2014-01-07 00:38:36 +01:00
Michael Tremer
63e3da5935 vpnmain.cgi: Re-design algorithm selection. 2014-01-05 02:19:06 +01:00
Michael Tremer
22fc183e08 IPsec: Add MODP-2048 subgroups. 2014-01-05 01:34:40 +01:00
Michael Tremer
651d442ecf IPsec: Add Brainpool elliptic curves. 2014-01-05 01:27:53 +01:00
Michael Tremer
d72a820484 IPsec: Add Camellia cipher for IKE and ESP. 2014-01-05 01:11:10 +01:00
Michael Tremer
095cbf430f Multiple CGI files: Check if BLUE or ORANGE are actually configured. 2013-09-07 16:40:59 +02:00
Alexander Marx
eff2dbf833 Forward Firewall: changed sort-order to Sort::Naturally. This Perl Module will be available since core 68. 2013-08-09 14:13:11 +02:00