bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 19:15:54 +02:00

Author	SHA1	Message	Date
Michael Tremer	2ad1b18bdb	vpnmain.cgi+ovpnmain.cgi: Fix file upload with new versions of Perl File uploads did not work since Perl was upgraded. This patch fixes that problem by only checking if an object was returned instead of performing a string comparison. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:10:20 +00:00
Michael Tremer	d47b2cc28b	IPsec: Add support for Curve448 This is supported since strongswan 5.7.2 and is a good alternative to Curve25519 because Curve448 is almost equally secure but performs faster. https://en.wikipedia.org/wiki/Curve448 This is enabled by default although we do not expect many other implementations to be able to support this. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:53:23 +00:00
Peter Müller	0dd16f4047	vpnmain.cgi: Fix writing ESP settings for PFS ciphers The changes introduced due to #12091 caused IPsec ESP to be invalid if PFS ciphers were selected. Code has to read "!$pfs" instead of just "$pfs", as it should trigger for ciphers _without_ Perfect Forward Secrecy. Fixes #12099 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-06-17 16:14:27 +01:00
Arne Fitzenreiter	faec909e1a	vpnmain.cgi: remove wrongh "shift-space" Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-06-15 17:38:47 +02:00
Michael Tremer	745915d82c	vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled Fixes: #12091 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-06-05 05:07:27 +01:00
Michael Tremer	ab79dc43bf	vpnmain.cgi: Set MTU to a default when editing an old connection This field is required and therefore we need to initialize it for old connections. Right now, the CGI throws an error message when editing an existing connection without the MTU being filled in. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-04-04 11:53:11 +01:00
Michael Tremer	71a355c3a2	Merge branch 'ipsec-on-demand' into next	2019-03-05 15:25:36 +00:00
Michael Tremer	b15b70bc6b	vpnmain.cgi: Make on-demand mode default for IPsec VPNs Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-05 15:24:19 +00:00
Michael Tremer	eb09c90ef4	vpnmain.cgi: Carry over START_ACTION attribute correctly This setting was not carried correctly and therefore the default was ignored. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-05 15:23:33 +00:00
Michael Tremer	38f6bdb740	ipsec: Drop delayed restart setting This is a very bad race-condition situation and is not solved by an unintuitive setting. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	517683eeb1	ipsec: Drop VPN_IP setting This is now a per-connection setting Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	ae0d069827	ipsec: Allow to select local IP address used for peer on UI Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	455fdcb17a	ipsec: Re-arrange inputs for peer addresses, subnets, etc. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	7e25093d42	ipsec: Don't allow to select VTI in transport mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	605c391aaf	vpnmain.cgi: Don't populate GREEN subnet when green doesn't exist Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	216bd9b389	vpnmain.cgi: Move advanced IPsec settings to connection page This is required to make the initial setup easier for GRE/VTI connections Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	f2d45a45ab	IPsec: Do not allow 0.0.0.0/0 as remote subnet This renders the whole machine inaccessible Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	90aa4f1083	IPsec: Use left/rightprotoport in GRE mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	b01c17e9d0	IPsec: Update ipsec.conf for GRE/VTI changes Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	55842dda69	IPsec: Add UI for set interface MTU Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	7464131706	IPsec: Add option to configure IP address for tunnel interface Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	8ebe725416	IPsec: Set default inactivity timeout to half an hour Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	1e9457ac6f	IPsec: New connections should defatul to on-demand mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	cae1f4a7a8	IPsec: Add dropdown to select tunnel interface mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	5e6fa03e1e	vpnmain.cgi: Correctly carry over INACTIVITY_TIMEOUT Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	326728d53d	IPsec: Write tunnel/transport mode to strongSwan configuration Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Michael Tremer	29f5e0e2b9	IPsec: Add selection for transport/tunnel mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-02-04 18:20:36 +00:00
Erik Kapfer	e6f7f8e7ba	database_attribute: Deliver/create index.txt.attr Fixes #11904 Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation. OpenVPN delivered an error message but IPSec did crashed within the first attempt. This problem persists also after X509 deletion and new generation. index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-03 14:52:53 +00:00
Michael Tremer	aec1925bea	IPsec: Show connected status for waiting connections that are active Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-08-23 17:34:50 +01:00
Peter Müller	05375f1275	add ChaCha20/Poly1305 to IPsec WebUI The algorithm is selected by default since it is considered to be both secure and state-of-the-art. This required Linux kernel > 4.2, which is satisfied by Core Update 2.12 122. Fixes #11549 Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-01 13:34:34 +01:00
Michael Tremer	46a5bac6ed	vpnmain.cgi: Remove unused code that prevented the page from loading without GREEN Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-01 12:24:25 +01:00
Michael Tremer	237f3ab7d3	IPsec: Allow to configure a connection in waiting state This allows to create an IPsec connection that will never actively try to reach the other peer. It helps in environments where this is not desired or impossible because of NAT. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-13 15:47:57 +01:00
Michael Tremer	4cd51e20ae	Revert "IPsec: Try to restart always-on tunnels immediately" This reverts commit `a261cb06c6`. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-04-19 15:36:37 +01:00
Michael Tremer	568a227bd3	vpnmain.cgi: Fix reading common names from certificates OpenSSL has changed the output of the subject lines of certificates. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-03-01 19:59:14 +00:00
Michael Tremer	a261cb06c6	IPsec: Try to restart always-on tunnels immediately When a tunnel that is in always-on configuration closes unexpectedly, we can instruct strongSwan to restart it immediately which is precisely what we do now. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-02-19 23:46:17 +00:00
Peter Müller	6fc0f5eb92	mark 3DES and 1024 bit DH params as weak These are not considered secure anymore but are unfortunately still needed in some cases (legacy hardware, ...). Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-12-14 17:46:13 +00:00
Michael Tremer	af183eeb78	IPsec: Allow configuring inactivity timeout when in on-demand mode Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-12-04 17:31:53 +00:00
Michael Tremer	8c6b02e7f6	IPsec: Drop support for MODP with subgroup These come from questionable sources and are not considered to be secure any more: https://eprint.iacr.org/2016/961 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-12-04 13:12:38 +00:00
Michael Tremer	120d77b33c	vpnmain.cgi: Disable compression by default The compression is causing some interoperatibility issues and does not really compress data very much - even when the data is quite compressible. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-11-28 17:17:46 +00:00
Peter Müller	e34e72b6e1	add missing check for Curve25519 in vpnmain.cgi This fixes bug #11501 which causes IPsec connections to crash if Curve25519 has been enabled. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-10-09 14:54:37 +01:00
Michael Tremer	86282bdc7d	vpnmain.cgi: Fix typo Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-05-05 12:02:21 +01:00
Michael Tremer	1fab4edfa6	IPsec: Show status in WUI when VPN is connecting This is helpful when debugging on-demand connections when you can see if strongswan tries to connect or is still idle. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-20 13:00:42 +01:00
Michael Tremer	c94d1976d3	IPsec: Mark MODP<=1024 and MD5 as broken and SHA1 as weak Since we somehow have to support these algorithms this patch adds some information for the user that it is very strongly discouraged to use them in production. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-20 12:53:53 +01:00
Michael Tremer	2c2cf3918b	IPsec: Allow using MODP-768 in proposal MODP-768 is broken but some systems out there (for example old Cisco ASAs) do not support anything better. Hence it is better to allow this instead of using no VPN at all. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-20 12:44:27 +01:00
Michael Tremer	9bc2e596d0	IPsec: Include Curve 25519 in default proposal Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-05 12:16:52 +01:00
Michael Tremer	64056cae46	IPsec: Allow selecting Curve 25519 as group type Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-05 12:16:20 +01:00
Michael Tremer	570d54fd84	IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024 when initiating a connection. These are considered weak although many off-the-shelf hardware is still using this as defaults. This patch disables those algorithms and additionally changes default behaviour to only accept the configured cipher suites. This might create some interoperability issues, but increases security of IPFire-to-IPFire IPsec connections. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-05 11:42:55 +01:00
Michael Tremer	8057ab15b9	Show better connection information for on-demand IPsec connections Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-02-15 12:15:42 +00:00
Michael Tremer	1ee1666ee4	IPsec: Close on-demand tunnels after 15 min of inactivity Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-02-15 11:22:27 +00:00
Michael Tremer	dcb406cc67	IPsec: Allow to create on-demand connections This will create IPsec VPN connections with auto=route set instead of auto=start which will cause the connection being created, but not brought up yet. As soon as the first packet is received, the connection will be established and data will be passed through it. This allows IPFire to handle more VPN connections on weaker systems and avoids negotiating many connections which are rarely used. Suggested-by: Tom Rymes <tomvend@rymes.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Fixes: #10733	2017-02-15 10:11:58 +00:00

1 2 3 4

154 Commits