Created
July 7, 2015 12:57
ipsec_stuff.diff
$ git diff RELENG_2_2_3 RELENG_2_2 -- etc/inc/ipsec.inc > ../ipsec_stuff.diff | |
$ git diff RELENG_2_2_3 RELENG_2_2 -- etc/inc/vpn.inc >> ../ipsec_stuff.diff | |
$ cat ../ipsec_stuff.diff | |
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc | |
index 8bfed07..5c7d15d 100644 | |
--- a/etc/inc/ipsec.inc | |
+++ b/etc/inc/ipsec.inc | |
@@ -44,22 +44,22 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE | |
global $my_identifier_list; | |
$my_identifier_list = array( | |
- 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ), | |
- 'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ), | |
- 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), | |
- 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), | |
- 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), | |
- 'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ), | |
- 'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true )); | |
+ 'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true), | |
+ 'address' => array('desc' => gettext('IP address'), 'mobile' => true), | |
+ 'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true), | |
+ 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), | |
+ 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), | |
+ 'keyid tag' => array('desc' => gettext('KeyID tag'), 'mobile' => true), | |
+ 'dyn_dns' => array('desc' => gettext('Dynamic DNS'), 'mobile' => true)); | |
global $peer_identifier_list; | |
$peer_identifier_list = array( | |
- 'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ), | |
- 'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ), | |
- 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), | |
- 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), | |
- 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), | |
- 'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true )); | |
+ 'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false), | |
+ 'address' => array('desc' => gettext('IP address'), 'mobile' => false), | |
+ 'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true), | |
+ 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), | |
+ 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), | |
+ 'keyid tag' => array('desc' =>gettext('KeyID tag'), 'mobile' => true)); | |
global $ipsec_idhandling; | |
$ipsec_idhandling = array( | |
@@ -68,22 +68,25 @@ $ipsec_idhandling = array( | |
global $p1_ealgos; | |
$p1_ealgos = array( | |
- 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
- 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
- '3des' => array( 'name' => '3DES' ), | |
- 'cast128' => array( 'name' => 'CAST128' ), | |
- 'des' => array( 'name' => 'DES' )); | |
+ 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
+ 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
+ '3des' => array('name' => '3DES'), | |
+ 'cast128' => array('name' => 'CAST128'), | |
+ 'des' => array('name' => 'DES')); | |
global $p2_ealgos; | |
$p2_ealgos = array( | |
- 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
- 'aes128gcm' => array( 'name' => 'AES128-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
- 'aes192gcm' => array( 'name' => 'AES192-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
- 'aes256gcm' => array( 'name' => 'AES256-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
- 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
- '3des' => array( 'name' => '3DES' ), | |
- 'cast128' => array( 'name' => 'CAST128' ), | |
- 'des' => array( 'name' => 'DES' )); | |
+ 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
+ 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
+ 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
+ '3des' => array('name' => '3DES'), | |
+ 'cast128' => array('name' => 'CAST128'), | |
+ 'des' => array('name' => 'DES')); | |
global $p1_halgos; | |
$p1_halgos = array( | |
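Review bot: The three new AES-GCM entries in `$p1_ealgos` carry a `keysel` range of 64–128 in steps of 32, which are not key lengths like the `aes` entry's 128–256 range but, going by strongSwan's `aes128gcm64`/`aes128gcm96`/`aes128gcm128` naming, the ICV (tag) length; nothing in the hunk records that the field changes meaning per entry. Add a comment above the GCM lines, `/* for the GCM entries 'keysel' selects the ICV length in bits (64/96/128); the key length is fixed by the algorithm name */`, and confirm it against the code that turns these arrays into a proposal string, which is not in this diff. A 64-bit ICV is the weakest of the three, so if the UI preselects `lo` that default is worth checking too. The same entries already exist in `$p2_ealgos` below, which this hunk only reformats.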
@@ -110,7 +113,10 @@ $p1_dhgroups = array( | |
21 => '21 (nist ecp521)', | |
22 => '22 (1024(sub 160) bit)', | |
23 => '23 (2048(sub 224) bit)', | |
- 24 => '24 (2048(sub 256) bit)' | |
+ 24 => '24 (2048(sub 256) bit)', | |
+ 28 => '28 (brainpool ecp256)', | |
+ 29 => '29 (brainpool ecp384)', | |
+ 30 => '30 (brainpool ecp512)' | |
); | |
global $p2_halgos; | |
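Review bot: Groups 28–30 added to `$p1_dhgroups` only work if `vpn_ipsec_convert_to_modp()` in vpn.inc knows them; that function is extended in the vpn.inc hunk of this same diff, but nothing in either file records the dependency. A comment above the array, `/* group numbers listed here must also be mapped in vpn_ipsec_convert_to_modp() (vpn.inc) */`, would keep the two lists from drifting apart. The same note applies to the `$p2_pfskeygroups` hunk below, which adds 19–21 and 28–30.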
@@ -125,14 +131,14 @@ $p2_halgos = array( | |
global $p1_authentication_methods; | |
$p1_authentication_methods = array( | |
- 'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ), | |
- 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), | |
- 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), | |
- 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), | |
- 'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true), | |
- 'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true), | |
- 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), | |
- 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); | |
+ 'hybrid_rsa_server' => array('name' => 'Hybrid RSA + Xauth', 'mobile' => true), | |
+ 'xauth_rsa_server' => array('name' => 'Mutual RSA + Xauth', 'mobile' => true), | |
+ 'xauth_psk_server' => array('name' => 'Mutual PSK + Xauth', 'mobile' => true), | |
+ 'eap-tls' => array('name' => 'EAP-TLS', 'mobile' => true), | |
+ 'eap-radius' => array('name' => 'EAP-RADIUS', 'mobile' => true), | |
+ 'eap-mschapv2' => array('name' => 'EAP-MSChapv2', 'mobile' => true), | |
+ 'rsasig' => array('name' => 'Mutual RSA', 'mobile' => false), | |
+ 'pre_shared_key' => array('name' => 'Mutual PSK', 'mobile' => false)); | |
global $ipsec_preshared_key_type; | |
$ipsec_preshared_key_type = array( | |
@@ -161,7 +167,13 @@ $p2_pfskeygroups = array( | |
15 => '15 (3072 bit)', | |
16 => '16 (4096 bit)', | |
17 => '17 (6144 bit)', | |
- 18 => '18 (8192 bit)' | |
+ 18 => '18 (8192 bit)', | |
+ 19 => '19 (nist ecp256)', | |
+ 20 => '20 (nist ecp384)', | |
+ 21 => '21 (nist ecp521)', | |
+ 28 => '28 (brainpool ecp256)', | |
+ 29 => '29 (brainpool ecp384)', | |
+ 30 => '30 (brainpool ecp512)' | |
); | |
/* | |
@@ -171,9 +183,11 @@ $p2_pfskeygroups = array( | |
function ipsec_ikeid_used($ikeid) { | |
global $config; | |
- foreach ($config['ipsec']['phase1'] as $ph1ent) | |
- if( $ikeid == $ph1ent['ikeid'] ) | |
+ foreach ($config['ipsec']['phase1'] as $ph1ent) { | |
+ if ($ikeid == $ph1ent['ikeid']) { | |
return true; | |
+ } | |
+ } | |
return false; | |
} | |
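Review bot: The loop in `ipsec_ikeid_used` iterates `$config['ipsec']['phase1']` without checking that it exists, so on a configuration with no phase 1 entries `foreach` raises a warning and the function returns false only because the loop body never runs. A guard before the loop, `if (!is_array($config['ipsec']['phase1'])) { return false; }`, would match what `ipsec_lookup_phase1` does later in this diff. The brace reformatting does not change this; it is pre-existing.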
@@ -181,8 +195,9 @@ function ipsec_ikeid_used($ikeid) { | |
function ipsec_ikeid_next() { | |
$ikeid = 1; | |
- while(ipsec_ikeid_used($ikeid)) | |
+ while (ipsec_ikeid_used($ikeid)) { | |
$ikeid++; | |
+ } | |
return $ikeid; | |
} | |
@@ -205,14 +220,15 @@ function ipsec_get_phase1_src(& $ph1ent) { | |
$interfaceip = get_interface_ip($if); | |
} | |
} else { | |
- $interfaceip=$ph1ent['interface']; | |
+ $interfaceip = $ph1ent['interface']; | |
} | |
} else { | |
$if = "wan"; | |
- if ($ph1ent['protocol'] == "inet6") | |
+ if ($ph1ent['protocol'] == "inet6") { | |
$interfaceip = get_interface_ipv6($if); | |
- else | |
+ } else { | |
$interfaceip = get_interface_ip($if); | |
+ } | |
} | |
return $interfaceip; | |
@@ -224,15 +240,18 @@ function ipsec_get_phase1_src(& $ph1ent) { | |
function ipsec_get_phase1_dst(& $ph1ent) { | |
global $g; | |
- if (empty($ph1ent['remote-gateway'])) | |
+ if (empty($ph1ent['remote-gateway'])) { | |
return false; | |
+ } | |
$rg = $ph1ent['remote-gateway']; | |
if (!is_ipaddr($rg)) { | |
- if(! platform_booting()) | |
+ if (!platform_booting()) { | |
return resolve_retry($rg); | |
+ } | |
} | |
- if(!is_ipaddr($rg)) | |
+ if (!is_ipaddr($rg)) { | |
return false; | |
+ } | |
return $rg; | |
} | |
@@ -246,12 +265,14 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
switch ($idinfo['type']) { | |
case "address": | |
if ($addrbits) { | |
- if ($mode == "tunnel6") | |
+ if ($mode == "tunnel6") { | |
return $idinfo['address']."/128"; | |
- else | |
+ } else { | |
return $idinfo['address']."/32"; | |
- } else | |
+ } | |
+ } else { | |
return $idinfo['address']; | |
+ } | |
break; /* NOTREACHED */ | |
case "network": | |
return "{$idinfo['address']}/{$idinfo['netbits']}"; | |
@@ -261,18 +282,19 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
return '0.0.0.0/0'; | |
break; /* NOTREACHED */ | |
default: | |
- if (empty($mode) && !empty($idinfo['mode'])) | |
+ if (empty($mode) && !empty($idinfo['mode'])) { | |
$mode = $idinfo['mode']; | |
+ } | |
if ($mode == "tunnel6") { | |
$address = get_interface_ipv6($idinfo['type']); | |
$netbits = get_interface_subnetv6($idinfo['type']); | |
- $address = gen_subnetv6($address,$netbits); | |
+ $address = gen_subnetv6($address, $netbits); | |
return "{$address}/{$netbits}"; | |
} else { | |
$address = get_interface_ip($idinfo['type']); | |
$netbits = get_interface_subnet($idinfo['type']); | |
- $address = gen_subnet($address,$netbits); | |
+ $address = gen_subnet($address, $netbits); | |
return "{$address}/{$netbits}"; | |
} | |
break; /* NOTREACHED */ | |
@@ -282,18 +304,20 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
/* | |
* Return phase2 idinfo in address/netmask format | |
*/ | |
-function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { | |
+function ipsec_idinfo_to_subnet(& $idinfo, $addrbits = false) { | |
global $config; | |
switch ($idinfo['type']) { | |
case "address": | |
if ($addrbits) { | |
- if ($idinfo['mode'] == "tunnel6") | |
+ if ($idinfo['mode'] == "tunnel6") { | |
return $idinfo['address']."/128"; | |
- else | |
+ } else { | |
return $idinfo['address']."/255.255.255.255"; | |
- } else | |
+ } | |
+ } else { | |
return $idinfo['address']; | |
+ } | |
break; /* NOTREACHED */ | |
case "none": | |
case "network": | |
@@ -306,12 +330,12 @@ function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { | |
if ($idinfo['mode'] == "tunnel6") { | |
$address = get_interface_ipv6($idinfo['type']); | |
$netbits = get_interface_subnetv6($idinfo['type']); | |
- $address = gen_subnetv6($address,$netbits); | |
+ $address = gen_subnetv6($address, $netbits); | |
return $address."/".$netbits; | |
} else { | |
$address = get_interface_ip($idinfo['type']); | |
$netbits = get_interface_subnet($idinfo['type']); | |
- $address = gen_subnet($address,$netbits); | |
+ $address = gen_subnet($address, $netbits); | |
return $address."/".$netbits; | |
} | |
break; /* NOTREACHED */ | |
@@ -325,45 +349,49 @@ function ipsec_idinfo_to_text(& $idinfo) { | |
global $config; | |
switch ($idinfo['type']) { | |
- case "address": | |
- return $idinfo['address']; | |
- break; /* NOTREACHED */ | |
- case "network": | |
- return $idinfo['address']."/".$idinfo['netbits']; | |
- break; /* NOTREACHED */ | |
- case "mobile": | |
- return gettext("Mobile Client"); | |
- break; /* NOTREACHED */ | |
- case "none": | |
- return gettext("None"); | |
- break; /* NOTREACHED */ | |
- default: | |
- if (!empty($config['interfaces'][$idinfo['type']])) | |
- return convert_friendly_interface_to_friendly_descr($idinfo['type']); | |
- else | |
- return strtoupper($idinfo['type']); | |
- break; /* NOTREACHED */ | |
+ case "address": | |
+ return $idinfo['address']; | |
+ break; /* NOTREACHED */ | |
+ case "network": | |
+ return $idinfo['address']."/".$idinfo['netbits']; | |
+ break; /* NOTREACHED */ | |
+ case "mobile": | |
+ return gettext("Mobile Client"); | |
+ break; /* NOTREACHED */ | |
+ case "none": | |
+ return gettext("None"); | |
+ break; /* NOTREACHED */ | |
+ default: | |
+ if (!empty($config['interfaces'][$idinfo['type']])) { | |
+ return convert_friendly_interface_to_friendly_descr($idinfo['type']); | |
+ } else { | |
+ return strtoupper($idinfo['type']); | |
+ } | |
+ break; /* NOTREACHED */ | |
} | |
} | |
/* | |
* Return phase1 association for phase2 | |
*/ | |
-function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { | |
+function ipsec_lookup_phase1(& $ph2ent, & $ph1ent) { | |
global $config; | |
- if (!is_array($config['ipsec'])) | |
+ if (!is_array($config['ipsec'])) { | |
return false; | |
- if (!is_array($config['ipsec']['phase1'])) | |
+ } | |
+ if (!is_array($config['ipsec']['phase1'])) { | |
return false; | |
- if (empty($config['ipsec']['phase1'])) | |
+ } | |
+ if (empty($config['ipsec']['phase1'])) { | |
return false; | |
+ } | |
foreach ($config['ipsec']['phase1'] as $ph1tmp) { | |
- if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { | |
- $ph1ent = $ph1tmp; | |
- return $ph1ent; | |
- } | |
+ if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { | |
+ $ph1ent = $ph1tmp; | |
+ return $ph1ent; | |
+ } | |
} | |
return false; | |
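Review bot: The three guards at the top of `ipsec_lookup_phase1` (`is_array($config['ipsec'])`, `is_array(...['phase1'])`, `empty(...['phase1'])`) each return false and can be written as one precondition, `if (empty($config['ipsec']['phase1']) || !is_array($config['ipsec']['phase1'])) { return false; }`, which reads as a single check rather than three. This is a point of style only; the result is the same for a missing, null, empty or non-array value. `ipsec_lookup_phase1` closes outside the hunk.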
@@ -376,8 +404,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { | |
foreach ($ipsec_status as $ike) { | |
if ($ike['id'] == $ikeid) { | |
- if ($ike['status'] == 'established') | |
+ if ($ike['status'] == 'established') { | |
return true; | |
+ } | |
} | |
} | |
@@ -389,8 +418,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { | |
*/ | |
function ipsec_phase2_status(&$ipsec_status, &$phase2) { | |
- if (ipsec_lookup_phase1($ph2ent,$ph1ent)) | |
+ if (ipsec_lookup_phase1($ph2ent, $ph1ent)) { | |
return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']); | |
+ } | |
return false; | |
} | |
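Review bot: `ipsec_phase2_status` declares its second parameter as `&$phase2` but the reformatted call passes `$ph2ent`, a variable that is never assigned in this function, so `ipsec_lookup_phase1` always receives null and the phase 1 lookup cannot succeed. The line should read `if (ipsec_lookup_phase1($phase2, $ph1ent)) {`. This is pre-existing and only the braces were touched, but the defect is in the reviewed code.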
@@ -419,8 +449,9 @@ function ipsec_smp_dump_status() { | |
$response = ""; | |
while (!strstr($sread, "</message>")) { | |
$sread = fgets($fd); | |
- if ($sread === false) | |
+ if ($sread === false) { | |
break; | |
+ } | |
$response .= $sread; | |
} | |
fclose($fd); | |
@@ -444,20 +475,22 @@ function ipsec_smp_dump_status() { | |
/* | |
* Return dump of SPD table | |
*/ | |
-function ipsec_dump_spd() | |
-{ | |
+function ipsec_dump_spd() { | |
$fd = @popen("/sbin/setkey -DP", "r"); | |
$spd = array(); | |
if ($fd) { | |
while (!feof($fd)) { | |
$line = chop(fgets($fd)); | |
- if (!$line) | |
+ if (!$line) { | |
continue; | |
- if ($line == "No SPD entries.") | |
+ } | |
+ if ($line == "No SPD entries.") { | |
break; | |
+ } | |
if ($line[0] != "\t") { | |
- if (is_array($cursp)) | |
+ if (is_array($cursp)) { | |
$spd[] = $cursp; | |
+ } | |
$cursp = array(); | |
$linea = explode(" ", $line); | |
$cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "[")); | |
@@ -466,26 +499,27 @@ function ipsec_dump_spd() | |
} else if (is_array($cursp)) { | |
$line = trim($line, "\t\r\n "); | |
$linea = explode(" ", $line); | |
- switch($i) | |
- { | |
+ switch ($i) { | |
case 1: | |
- if ($linea[1] == "none") /* don't show default anti-lockout rule */ | |
+ if ($linea[1] == "none") /* don't show default anti-lockout rule */ { | |
unset($cursp); | |
- else | |
+ } else { | |
$cursp['dir'] = $linea[0]; | |
+ } | |
break; | |
case 2: | |
$upperspec = explode("/", $linea[0]); | |
$cursp['proto'] = $upperspec[0]; | |
list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]); | |
- $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); | |
+ $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); | |
break; | |
} | |
} | |
$i++; | |
} | |
- if (is_array($cursp) && count($cursp)) | |
+ if (is_array($cursp) && count($cursp)) { | |
$spd[] = $cursp; | |
+ } | |
pclose($fd); | |
} | |
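Review bot: In the `case 1:` branch the comment `/* don't show default anti-lockout rule */` now sits between the condition and the opening brace, which reads as if the brace belonged to the comment and is an easy place for a later edit to go wrong. Move it to its own line above the test: `/* don't show default anti-lockout rule */` followed by `if ($linea[1] == "none") {`. `ipsec_dump_spd` starts and ends outside this hunk.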
@@ -495,36 +529,35 @@ function ipsec_dump_spd() | |
/* | |
* Return dump of SAD table | |
*/ | |
-function ipsec_dump_sad() | |
-{ | |
+function ipsec_dump_sad() { | |
$fd = @popen("/sbin/setkey -D", "r"); | |
$sad = array(); | |
if ($fd) { | |
while (!feof($fd)) { | |
$line = chop(fgets($fd)); | |
- if (!$line || $line[0] == " ") | |
+ if (!$line || $line[0] == " ") { | |
continue; | |
- if ($line == "No SAD entries.") | |
+ } | |
+ if ($line == "No SAD entries.") { | |
break; | |
- if ($line[0] != "\t") | |
- { | |
- if (is_array($cursa)) | |
+ } | |
+ if ($line[0] != "\t") { | |
+ if (is_array($cursa)) { | |
$sad[] = $cursa; | |
+ } | |
$cursa = array(); | |
- list($cursa['src'],$cursa['dst']) = explode(" ", $line); | |
- } | |
- else | |
- { | |
+ list($cursa['src'], $cursa['dst']) = explode(" ", $line); | |
+ } else { | |
$line = trim($line, "\t\n\r "); | |
$linea = explode(" ", $line); | |
foreach ($linea as $idx => $linee) { | |
- if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') | |
+ if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') { | |
$cursa['proto'] = $linee; | |
- else if (substr($linee, 0, 3) == 'spi') | |
+ } else if (substr($linee, 0, 3) == 'spi') { | |
$cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1); | |
- else if (substr($linee, 0, 5) == 'reqid') | |
+ } else if (substr($linee, 0, 5) == 'reqid') { | |
$cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1); | |
- else if (substr($linee, 0, 2) == 'E:') { | |
+ } else if (substr($linee, 0, 2) == 'E:') { | |
$cursa['ealgo'] = $linea[$idx + 1]; | |
break; | |
} else if (substr($linee, 0, 2) == 'A:') { | |
@@ -534,12 +567,12 @@ function ipsec_dump_sad() | |
$cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B'; | |
break; | |
} | |
- | |
} | |
} | |
} | |
- if (is_array($cursa) && count($cursa)) | |
+ if (is_array($cursa) && count($cursa)) { | |
$sad[] = $cursa; | |
+ } | |
pclose($fd); | |
} | |
@@ -560,8 +593,9 @@ function ipsec_dump_mobile() { | |
} | |
/* This is needed for fixing #4130 */ | |
- if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) | |
+ if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) { | |
return array(); | |
+ } | |
$custom_listtags = array('lease', 'pool'); | |
$response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases"); | |
@@ -583,13 +617,13 @@ function ipsec_mobilekey_sort() { | |
function ipsec_get_number_of_phase2($ikeid) { | |
global $config; | |
- $a_phase2 = $config['ipsec']['phase2']; | |
+ $a_phase2 = $config['ipsec']['phase2']; | |
- $nbph2=0; | |
+ $nbph2 = 0; | |
- if (is_array($a_phase2) && count($a_phase2)) { | |
- foreach ($a_phase2 as $ph2tmp) { | |
- if ($ph2tmp['ikeid'] == $ikeid) { | |
+ if (is_array($a_phase2) && count($a_phase2)) { | |
+ foreach ($a_phase2 as $ph2tmp) { | |
+ if ($ph2tmp['ikeid'] == $ikeid) { | |
$nbph2++; | |
} | |
} | |
@@ -602,8 +636,9 @@ function ipsec_get_descr($ikeid) { | |
global $config; | |
if (!isset($config['ipsec']['phase1']) || | |
- !is_array($config['ipsec']['phase1'])) | |
+ !is_array($config['ipsec']['phase1'])) { | |
return ''; | |
+ } | |
foreach ($config['ipsec']['phase1'] as $p1) { | |
if ($p1['ikeid'] == $ikeid) { | |
@@ -615,26 +650,28 @@ function ipsec_get_descr($ikeid) { | |
} | |
function ipsec_get_phase1($ikeid) { | |
- global $config; | |
+ global $config; | |
- if (!isset($config['ipsec']['phase1']) || | |
- !is_array($config['ipsec']['phase1'])) | |
- return ''; | |
+ if (!isset($config['ipsec']['phase1']) || | |
+ !is_array($config['ipsec']['phase1'])) { | |
+ return ''; | |
+ } | |
- $a_phase1 = $config['ipsec']['phase1']; | |
- foreach ($a_phase1 as $p1) { | |
- if ($p1['ikeid'] == $ikeid) { | |
- return $p1; | |
- } | |
- } | |
- unset($a_phase1); | |
+ $a_phase1 = $config['ipsec']['phase1']; | |
+ foreach ($a_phase1 as $p1) { | |
+ if ($p1['ikeid'] == $ikeid) { | |
+ return $p1; | |
+ } | |
+ } | |
+ unset($a_phase1); | |
} | |
function ipsec_fixup_ip($ipaddr) { | |
- if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) | |
+ if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) { | |
return Net_IPv6::compress(Net_IPv6::uncompress($ipaddr)); | |
- else | |
+ } else { | |
return $ipaddr; | |
+ } | |
} | |
function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { | |
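Review bot: `ipsec_get_phase1` returns `''` when the phase 1 list is missing but falls off the end (returning null) when no entry matches `$ikeid`, so callers — not visible here — see two different "not found" values; the trailing `unset($a_phase1)` is also dead, since the function returns immediately afterwards. Replacing that `unset` with `return '';` makes both paths agree, and a one-line header comment stating that a missing or unknown ikeid yields `''` would document the contract. `ipsec_fixup_ip` in the same hunk is fine as reformatted.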
@@ -643,65 +680,71 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { | |
$id_data = $ph1ent['myid_data']; | |
$addr = ipsec_get_phase1_src($ph1ent); | |
- if (!$addr) | |
+ if (!$addr) { | |
return array(); | |
+ } | |
} elseif ($side == "peer") { | |
$id_type = $ph1ent['peerid_type']; | |
$id_data = $ph1ent['peerid_data']; | |
- if (isset($ph1ent['mobile'])) | |
+ if (isset($ph1ent['mobile'])) { | |
$addr = "%any"; | |
- else | |
+ } else { | |
$addr = $ph1ent['remote-gateway']; | |
- } else | |
+ } | |
+ } else { | |
return array(); | |
+ } | |
$thisid_type = $id_type; | |
switch ($thisid_type) { | |
- case 'myaddress': | |
- $thisid_type = 'address'; | |
- $thisid_data = $addr; | |
- break; | |
- case 'dyn_dns': | |
- $thisid_type = 'dns'; | |
- $thisid_data = $id_data; | |
- break; | |
- case 'peeraddress': | |
- $thisid_type = 'address'; | |
- $thisid_data = $rgmap[$ph1ent['remote-gateway']]; | |
- break; | |
- case 'address': | |
- $thisid_data = $id_data; | |
- break; | |
- case 'fqdn': | |
- $thisid_data = "{$id_data}"; | |
- break; | |
- case 'keyid tag': | |
- $thisid_type = 'keyid'; | |
- $thisid_data = "{$thisid_data}"; | |
- break; | |
- case 'user_fqdn': | |
- $thisid_type = 'userfqdn'; | |
- $thisid_data = "{$id_data}"; | |
- break; | |
- case 'asn1dn': | |
- $thisid_data = $id_data; | |
- $thisid_data = "{$id_data}"; | |
- break; | |
+ case 'myaddress': | |
+ $thisid_type = 'address'; | |
+ $thisid_data = $addr; | |
+ break; | |
+ case 'dyn_dns': | |
+ $thisid_type = 'dns'; | |
+ $thisid_data = $id_data; | |
+ break; | |
+ case 'peeraddress': | |
+ $thisid_type = 'address'; | |
+ $thisid_data = $rgmap[$ph1ent['remote-gateway']]; | |
+ break; | |
+ case 'address': | |
+ $thisid_data = $id_data; | |
+ break; | |
+ case 'fqdn': | |
+ $thisid_data = "{$id_data}"; | |
+ break; | |
+ case 'keyid tag': | |
+ $thisid_type = 'keyid'; | |
+ $thisid_data = "{$id_data}"; | |
+ break; | |
+ case 'user_fqdn': | |
+ $thisid_type = 'userfqdn'; | |
+ $thisid_data = "{$id_data}"; | |
+ break; | |
+ case 'asn1dn': | |
+ $thisid_data = $id_data; | |
+ if ($thisid_data && $thisid_data[0] != '"') { | |
+ $thisid_data = "\"{$id_data}\""; | |
+ } | |
+ break; | |
} | |
return array($thisid_type, $thisid_data); | |
} | |
function ipsec_fixup_network($network) { | |
- if (substr($network, -3) == '|/0') | |
+ if (substr($network, -3) == '|/0') { | |
$result = substr($network, 0, -3); | |
- else { | |
+ } else { | |
$tmp = explode('|', $network); | |
- if (isset($tmp[1])) | |
+ if (isset($tmp[1])) { | |
$result = $tmp[1]; | |
- else | |
+ } else { | |
$result = $tmp[0]; | |
+ } | |
unset($tmp); | |
} | |
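Review bot: The new `asn1dn` branch decides whether to wrap the DN in quotes by looking only at its first character, so a value that starts with `"` but is not fully quoted, or one with an embedded `"`, is passed through unchanged into whatever configuration consumes the result. Keeping the empty-value guard but normalizing instead of testing, `if ($thisid_data) { $thisid_data = '"' . trim($id_data, '"') . '"'; }`, covers the partial-quote case; embedded quotes are better rejected where the DN is entered than patched here. `ipsec_find_id` starts before this hunk and `ipsec_fixup_network` continues past it.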
@@ -711,14 +754,16 @@ function ipsec_fixup_network($network) { | |
function ipsec_new_reqid() { | |
global $config; | |
- if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) | |
+ if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) { | |
return; | |
+ } | |
$ipsecreqid = lock('ipsecreqids', LOCK_EX); | |
$keyids = array(); | |
$keyid = 1; | |
- foreach ($config['ipsec']['phase2'] as $ph2) | |
+ foreach ($config['ipsec']['phase2'] as $ph2) { | |
$keyids[$ph2['reqid']] = $ph2['reqid']; | |
+ } | |
for ($i = 1; $i < 16000; $i++) { | |
if (!isset($keyids[$i])) { | |
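Review bot: The early `return;` in `ipsec_new_reqid` yields null where the name suggests callers expect a request id, and nothing documents that; a header comment such as `/* Allocate an unused reqid for a new phase 2 entry; returns null when the IPsec config has no phase 2 list */` would make it explicit. `$keyid = 1;` is not used by the visible lines — the loop uses `$i` — though the function continues past the hunk, so it may be read later.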
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc | |
index 6e4d71d..9ca4df2 100644 | |
--- a/etc/inc/vpn.inc | |
+++ b/etc/inc/vpn.inc | |
@@ -4,7 +4,7 @@ | |
vpn.inc | |
Copyright (C) 2004 Scott Ullrich | |
Copyright (C) 2008 Shrew Soft Inc | |
- Copyright (C) 2008 Ermal Lu�i | |
+ Copyright (C) 2008 Ermal Luçi | |
All rights reserved. | |
originally part of m0n0wall (http://m0n0.ch/wall) | |
@@ -42,78 +42,87 @@ | |
require_once("ipsec.inc"); | |
-function vpn_ipsec_configure_loglevels($forconfig = false) | |
-{ | |
+function vpn_ipsec_configure_loglevels($forconfig = false) { | |
global $config, $ipsec_loglevels; | |
$cfgtext = array(); | |
foreach ($ipsec_loglevels as $lkey => $ldescr) { | |
- if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) | |
+ if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) { | |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false); | |
- else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && | |
- intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) | |
+ } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && | |
+ intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { | |
$forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : | |
mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false); | |
+ } | |
} | |
- if ($forconfig) | |
+ if ($forconfig) { | |
return implode(',', $cfgtext); | |
+ } | |
} | |
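Review bot: The `is_numeric` branch of `vpn_ipsec_configure_loglevels` uses a ternary as a statement, `$forconfig ? $cfgtext[] = ... : mwexec(...)`, with an assignment in one arm and a command execution in the other, which is hard to read and easy to mis-edit; an `if`/`else` with the level computed once says the same thing. Values outside 0–5 silently match neither branch, which may be intended but deserves a comment. The rewritten branch is below; the rest of the function is unchanged.
```php
/* … unchanged: the !isset() branch … */
} else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
    intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
    /* config stores 0..5; the value handed to the daemon is one less */
    $level = intval($config['ipsec']["ipsec_{$lkey}"]) - 1;
    if ($forconfig) {
        $cfgtext[] = "{$lkey} {$level}";
    } else {
        mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} {$level}", false);
    }
}
```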
/* include all configuration functions */ | |
-function vpn_ipsec_convert_to_modp($index) | |
-{ | |
+function vpn_ipsec_convert_to_modp($index) { | |
$convertion = ""; | |
switch ($index) { | |
- case '1': | |
- $convertion = "modp768"; | |
- break; | |
- case '2': | |
- $convertion = "modp1024"; | |
- break; | |
- case '5': | |
- $convertion = "modp1536"; | |
- break; | |
- case '14': | |
- $convertion = "modp2048"; | |
- break; | |
- case '15': | |
- $convertion = "modp3072"; | |
- break; | |
- case '16': | |
- $convertion = "modp4096"; | |
- break; | |
- case '17': | |
- $convertion = "modp6144"; | |
- break; | |
- case '18': | |
- $convertion = "modp8192"; | |
- break; | |
- case '19': | |
- $convertion = "ecp256"; | |
- break; | |
- case '20': | |
- $convertion = "ecp384"; | |
- break; | |
- case '21': | |
- $convertion = "ecp512"; | |
- break; | |
+ case '1': | |
+ $convertion = "modp768"; | |
+ break; | |
+ case '2': | |
+ $convertion = "modp1024"; | |
+ break; | |
+ case '5': | |
+ $convertion = "modp1536"; | |
+ break; | |
+ case '14': | |
+ $convertion = "modp2048"; | |
+ break; | |
+ case '15': | |
+ $convertion = "modp3072"; | |
+ break; | |
+ case '16': | |
+ $convertion = "modp4096"; | |
+ break; | |
+ case '17': | |
+ $convertion = "modp6144"; | |
+ break; | |
+ case '18': | |
+ $convertion = "modp8192"; | |
+ break; | |
+ case '19': | |
+ $convertion = "ecp256"; | |
+ break; | |
+ case '20': | |
+ $convertion = "ecp384"; | |
+ break; | |
+ case '21': | |
+ $convertion = "ecp521"; | |
+ break; | |
+ case '28': | |
+ $convertion = "ecp256bp"; | |
+ break; | |
+ case '29': | |
+ $convertion = "ecp384bp"; | |
+ break; | |
+ case '30': | |
+ $convertion = "ecp512bp"; | |
+ break; | |
} | |
return $convertion; | |
} | |
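Review bot: `vpn_ipsec_convert_to_modp` has no header comment, and its empty-string result for an unlisted group is not obvious from the switch; add `/* Map a DH/PFS group number (as stored in the config) to its strongSwan keyword; returns "" for group numbers not listed here */` above the function. The brainpool keywords `ecp256bp`/`ecp384bp`/`ecp512bp` added here match the group numbers added to the ipsec.inc arrays in this diff, which is worth stating in that comment so the two stay in sync.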
-function vpn_ipsec_configure($restart = false) | |
-{ | |
+function vpn_ipsec_configure($restart = false) { | |
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling; | |
- if ($g['platform'] == 'jail') | |
+ if ($g['platform'] == 'jail') { | |
return; | |
+ } | |
/* get the automatic ping_hosts.sh ready */ | |
unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts"); | |
touch("{$g['vardb_path']}/ipsecpinghosts"); | |
- | |
+ | |
/* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */ | |
filter_configure(); | |
@@ -145,34 +154,46 @@ function vpn_ipsec_configure($restart = false) | |
mwexec("/sbin/ifconfig enc0 up"); | |
set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); | |
- if (php_uname('m') != "amd64") | |
+ if (php_uname('m') != "amd64") { | |
set_single_sysctl("net.inet.ipsec.directdispatch", "0"); | |
+ } | |
/* needed for config files */ | |
- if (!is_dir("{$g['varetc_path']}/ipsec")) | |
+ if (!is_dir("{$g['varetc_path']}/ipsec")) { | |
mkdir("{$g['varetc_path']}/ipsec"); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); | |
- if (!is_dir($capath)) | |
+ } | |
+ if (!is_dir($capath)) { | |
mkdir($capath); | |
- if (!is_dir($keypath)) | |
+ } | |
+ if (!is_dir($keypath)) { | |
mkdir($keypath); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); | |
- if (!is_dir($certpath)) | |
+ } | |
+ if (!is_dir($certpath)) { | |
mkdir($certpath); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"); | |
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) | |
+ } | |
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) { | |
mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"); | |
- | |
+ } | |
- if (platform_booting()) | |
+ | |
+ if (platform_booting()) { | |
echo gettext("Configuring IPsec VPN... "); | |
+ } | |
/* fastforwarding is not compatible with ipsec tunnels */ | |
set_single_sysctl("net.inet.ip.fastforwarding", "0"); | |
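Review bot: Every `mkdir()` in this hunk uses PHP's default mode, so the permissions of the directory actually created depend on the process umask; for `$keypath`, which by its name holds private keys, an explicit mode is the safer default: `mkdir($keypath, 0700);`. If the key files written into it later are chmod'ed individually that may already suffice, but that code is not in this diff; `$capath`, `$keypath` and `$certpath` are defined before the hunk. As a matter of style the ten `is_dir`/`mkdir` pairs could be one loop over an array of paths, which also gives a single place to set the mode.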
@@ -190,23 +211,26 @@ function vpn_ipsec_configure($restart = false) | |
$ipsecpinghosts = ""; | |
/* step through each phase1 entry */ | |
foreach ($a_phase1 as $ph1ent) { | |
- if (isset($ph1ent['disabled'])) | |
+ if (isset($ph1ent['disabled'])) { | |
continue; | |
+ } | |
if (strpos($ph1ent['interface'], '_vip')) { | |
$vpninterface = explode('_vip', $ph1ent['interface']); | |
$ifacesuse[] = get_real_interface($vpninterface[0]); | |
- } else { | |
- $vpninterface = get_failover_interface($ph1ent['interface']); | |
+ } else { | |
+ $vpninterface = get_failover_interface($ph1ent['interface']); | |
if (strpos($vpninterface, '_vip')) { | |
$vpninterface = explode('_vip', $vpninterface); | |
$ifacesuse[] = get_real_interface($vpninterface[0]); | |
- } elseif (!empty($vpninterface)) | |
+ } elseif (!empty($vpninterface)) { | |
$ifacesuse[] = $vpninterface; | |
+ } | |
} | |
- | |
- if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) | |
+ | |
+ if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) { | |
$aggressive_mode_psk = true; | |
+ } | |
$ikeid = $ph1ent['ikeid']; | |
$listeniflist = get_real_interface($a_phase1['interface']); | |
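Review bot: The last line of the hunk, `$listeniflist = get_real_interface($a_phase1['interface']);`, indexes `$a_phase1`, which is the list being iterated by the `foreach` at the top of the hunk, not the current entry; it looks like it should be `$ph1ent['interface']`, as the interface handling a few lines above uses. If `$listeniflist` is consumed later in the function, outside this hunk, it is currently computed from an undefined index. This is pre-existing and the reformatting does not touch it.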
@@ -217,26 +241,30 @@ function vpn_ipsec_configure($restart = false) | |
continue; | |
} | |
- if(!in_array($ep,$ipmap)) | |
+ if (!in_array($ep, $ipmap)) { | |
$ipmap[] = $ep; | |
+ } | |
/* see if this tunnel has a hostname for the remote-gateway. If so, | |
try to resolve it now and add it to the list for filterdns */ | |
- if (isset ($ph1ent['mobile'])) | |
+ if (isset ($ph1ent['mobile'])) { | |
continue; | |
+ } | |
$rg = $ph1ent['remote-gateway']; | |
if (!is_ipaddr($rg)) { | |
$filterdns_list[] = "{$rg}"; | |
add_hostname_to_watch($rg); | |
- if (!platform_booting()) | |
+ if (!platform_booting()) { | |
$rg = resolve_retry($rg); | |
- if (!is_ipaddr($rg)) | |
+ } | |
+ if (!is_ipaddr($rg)) { | |
continue; | |
+ } | |
} | |
- if(array_search($rg, $rgmap)) { | |
+ if (array_search($rg, $rgmap)) { | |
log_error("The remote gateway {$rg} already exists on another phase 1 entry"); | |
continue; | |
} | |
@@ -245,24 +273,27 @@ function vpn_ipsec_configure($restart = false) | |
if (is_array($a_phase2)) { | |
/* step through each phase2 entry */ | |
foreach ($a_phase2 as $ph2ent) { | |
- if (isset($ph2ent['disabled'])) | |
+ if (isset($ph2ent['disabled'])) { | |
continue; | |
+ } | |
- if ($ikeid != $ph2ent['ikeid']) | |
+ if ($ikeid != $ph2ent['ikeid']) { | |
continue; | |
+ } | |
/* add an ipsec pinghosts entry */ | |
if ($ph2ent['pinghost']) { | |
- if (!is_array($iflist)) | |
+ if (!is_array($iflist)) { | |
$iflist = get_configured_interface_list(); | |
- $viplist = get_configured_vips_list(); | |
+ } | |
$srcip = null; | |
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); | |
- if(is_ipaddrv6($ph2ent['pinghost'])) { | |
+ if (is_ipaddrv6($ph2ent['pinghost'])) { | |
foreach ($iflist as $ifent => $ifname) { | |
$interface_ip = get_interface_ipv6($ifent); | |
- if(!is_ipaddrv6($interface_ip)) | |
+ if (!is_ipaddrv6($interface_ip)) { | |
continue; | |
+ } | |
if (ip_in_subnet($interface_ip, $local_subnet)) { | |
$srcip = $interface_ip; | |
break; | |
@@ -271,8 +302,9 @@ function vpn_ipsec_configure($restart = false) | |
} else { | |
foreach ($iflist as $ifent => $ifname) { | |
$interface_ip = get_interface_ip($ifent); | |
- if(!is_ipaddrv4($interface_ip)) | |
+ if (!is_ipaddrv4($interface_ip)) { | |
continue; | |
+ } | |
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) { | |
$srcip = $interface_ip; | |
break; | |
@@ -281,6 +313,7 @@ function vpn_ipsec_configure($restart = false) | |
} | |
/* if no valid src IP was found in configured interfaces, try the vips */ | |
if (is_null($srcip)) { | |
+ $viplist = get_configured_vips_list(); | |
foreach ($viplist as $vip) { | |
if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { | |
$srcip = $vip['ipaddr']; | |
@@ -289,13 +322,14 @@ function vpn_ipsec_configure($restart = false) | |
} | |
} | |
$dstip = $ph2ent['pinghost']; | |
- if(is_ipaddrv6($dstip)) { | |
+ if (is_ipaddrv6($dstip)) { | |
$family = "inet6"; | |
} else { | |
$family = "inet"; | |
} | |
- if (is_ipaddr($srcip)) | |
+ if (is_ipaddr($srcip)) { | |
$ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"; | |
+ } | |
} | |
} | |
} | |
@@ -306,20 +340,23 @@ function vpn_ipsec_configure($restart = false) | |
unset($iflist); | |
$accept_unencrypted = ""; | |
- if (isset($config['ipsec']['acceptunencryptedmainmode'])) | |
+ if (isset($config['ipsec']['acceptunencryptedmainmode'])) { | |
$accept_unencrypted = "accept_unencrypted_mainmode_messages = yes"; | |
+ } | |
$stronconf = ''; | |
- if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) | |
+ if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) { | |
$stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf"); | |
+ } | |
$i_dont_care_about_security_and_use_aggressive_mode_psk = ""; | |
if ($aggressive_mode_psk) { | |
log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration."); | |
- if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) | |
+ if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) { | |
$restart = true; | |
+ } | |
$i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes"; | |
- } | |
+ } | |
$unity_enabled = 'yes'; | |
if (isset($config['ipsec']['unityplugin'])) { | |
@@ -354,7 +391,7 @@ function vpn_ipsec_configure($restart = false) | |
$strongswan = <<<EOD | |
-# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. | |
+# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. | |
starter { | |
load_warning = no | |
} | |
@@ -416,44 +453,56 @@ EOD; | |
if (is_array($a_client) && isset($a_client['enable'])) { | |
$strongswan .= "\t\tattr {\n"; | |
- if ($a_client['pool_address'] && $a_client['pool_netbits']) | |
+ if ($a_client['pool_address'] && $a_client['pool_netbits']) { | |
$strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; | |
+ } | |
$cfgservers = array(); | |
- if (!empty($a_client['dns_server1'])) | |
+ if (!empty($a_client['dns_server1'])) { | |
$cfgservers[] = $a_client['dns_server1']; | |
- if (!empty($a_client['dns_server2'])) | |
+ } | |
+ if (!empty($a_client['dns_server2'])) { | |
$cfgservers[] = $a_client['dns_server2']; | |
- if (!empty($a_client['dns_server3'])) | |
+ } | |
+ if (!empty($a_client['dns_server3'])) { | |
$cfgservers[] = $a_client['dns_server3']; | |
- if (!empty($a_client['dns_server4'])) | |
+ } | |
+ if (!empty($a_client['dns_server4'])) { | |
$cfgservers[] = $a_client['dns_server4']; | |
+ } | |
- if (!empty($cfgservers)) | |
+ if (!empty($cfgservers)) { | |
$strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n"; | |
+ } | |
unset($cfgservers); | |
$cfgservers = array(); | |
- if (!empty($a_client['wins_server1'])) | |
+ if (!empty($a_client['wins_server1'])) { | |
$cfgservers[] = $a_client['wins_server1']; | |
- if (!empty($a_client['wins_server2'])) | |
+ } | |
+ if (!empty($a_client['wins_server2'])) { | |
$cfgservers[] = $a_client['wins_server2']; | |
- if (!empty($cfgservers)) | |
+ } | |
+ if (!empty($cfgservers)) { | |
$strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n"; | |
+ } | |
unset($cfgservers); | |
if (isset($a_client['net_list']) && is_array($a_phase2)) { | |
$net_list = ''; | |
foreach ($a_phase2 as $ph2ent) { | |
- if (isset($ph2ent['disabled'])) | |
+ if (isset($ph2ent['disabled'])) { | |
continue; | |
+ } | |
- if (!isset($ph2ent['mobile'])) | |
+ if (!isset($ph2ent['mobile'])) { | |
continue; | |
+ } | |
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); | |
- if (!empty($net_list)) | |
+ if (!empty($net_list)) { | |
$net_list .= ","; | |
+ } | |
$net_list .= $localid; | |
} | |
@@ -476,14 +525,17 @@ EOD; | |
$strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n"; | |
} | |
- if (!empty($a_client['login_banner'])) | |
+ if (!empty($a_client['login_banner'])) { | |
$strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n"; | |
+ } | |
- if (isset($a_client['save_passwd'])) | |
+ if (isset($a_client['save_passwd'])) { | |
$strongswan .= "\t\t\t28673 = 1\n"; | |
+ } | |
- if ($a_client['pfs_group']) | |
+ if ($a_client['pfs_group']) { | |
$strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n"; | |
+ } | |
$strongswan .= "\t\t}\n"; | |
if ($a_client['user_source'] != "none") { | |
@@ -493,10 +545,12 @@ EOD; | |
$firstsed = 0; | |
$authcfgs = explode(",", $a_client['user_source']); | |
foreach ($authcfgs as $authcfg) { | |
- if ($firstsed > 0) | |
+ if ($firstsed > 0) { | |
$strongswan .= ","; | |
- if ($authcfg == "system") | |
+ } | |
+ if ($authcfg == "system") { | |
$authcfg = "Local Database"; | |
+ } | |
$strongswan .= $authcfg; | |
$firstsed = 1; | |
} | |
@@ -536,8 +590,9 @@ EOD; | |
if (is_array($a_phase1) && count($a_phase1)) { | |
foreach ($a_phase1 as $ph1ent) { | |
- if (isset($ph1ent['disabled'])) | |
+ if (isset($ph1ent['disabled'])) { | |
continue; | |
+ } | |
if (strstr($ph1ent['authentication_method'], 'rsa') || | |
in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) { | |
@@ -576,12 +631,15 @@ EOD; | |
$myid = trim($myid_data); | |
- if (empty($peerid_data)) | |
+ if (empty($peerid_data)) { | |
continue; | |
+ } | |
if ($myid_type == 'fqdn' && !empty($myid)) { | |
$myid = "@{$myid}"; | |
} | |
+ | |
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any"; | |
$peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : ''; | |
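Review bot: The new line `$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";` overwrites the value that the `fqdn` block just above prefixed with `@`, so on the new side that block is dead code and a mobile entry with an FQDN local identifier now writes a bare FQDN into the PSK line; if I read the ipsec.secrets syntax correctly, strongSwan treats an unprefixed FQDN there as a hostname to resolve rather than a literal identifier. Non-mobile entries now get `%any` as the local selector, which loosens which PSK line can match — presumably intended for site-to-site, but it deserves a comment. If the override is the intended behaviour, delete the fqdn block; otherwise reorder so the prefix is applied to the final value: `$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";` followed by `if (isset($ph1ent['mobile']) && $myid_type == 'fqdn' && !empty($myid)) { $myid = "@{$myid}"; }`. The enclosing loop over phase 1 entries starts and ends outside the hunk.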
@@ -609,10 +667,12 @@ EOD; | |
/* add PSKs for mobile clients */ | |
if (is_array($ipseccfg['mobilekey'])) { | |
foreach ($ipseccfg['mobilekey'] as $key) { | |
- if ($key['ident'] == "allusers") | |
+ if ($key['ident'] == "allusers") { | |
$key['ident'] = '%any'; | |
- if (empty($key['type'])) | |
+ } | |
+ if (empty($key['type'])) { | |
$key['type'] = 'PSK'; | |
+ } | |
$pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; | |
} | |
unset($key); | |
@@ -632,7 +692,7 @@ EOD; | |
/* begin ipsec.conf */ | |
$ipsecconf = ""; | |
$enablecompression = false; | |
- if (is_array($a_phase1) && count($a_phase1)) { | |
+ if (is_array($a_phase1) && count($a_phase1)) { | |
$ipsecconf .= "# This file is automatically generated. Do not edit\n"; | |
$ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n"; | |
@@ -659,17 +719,20 @@ EOD; | |
} | |
foreach ($a_phase1 as $ph1ent) { | |
- if (isset($ph1ent['disabled'])) | |
+ if (isset($ph1ent['disabled'])) { | |
continue; | |
+ } | |
- if ($ph1ent['mode'] == "aggressive") | |
+ if ($ph1ent['mode'] == "aggressive") { | |
$aggressive = "yes"; | |
- else | |
+ } else { | |
$aggressive = "no"; | |
+ } | |
$ep = ipsec_get_phase1_src($ph1ent); | |
- if (!$ep) | |
+ if (!$ep) { | |
continue; | |
+ } | |
$ikeid = $ph1ent['ikeid']; | |
$keyexchange = "ikev1"; | |
@@ -678,22 +741,25 @@ EOD; | |
if ($ph1ent['iketype'] == "ikev2") { | |
$keyexchange = "ikev2"; | |
//$passive = "start"; | |
- } else if ($ph1ent['iketype'] == "auto") | |
+ } else if ($ph1ent['iketype'] == "auto") { | |
$keyexchange = "ike"; | |
+ } | |
} | |
if (isset($ph1ent['mobile'])) { | |
$right_spec = "%any"; | |
$passive = 'add'; | |
} else { | |
- if (isset($ph1ent['responderonly'])) | |
+ if (isset($ph1ent['responderonly'])) { | |
$passive = 'add'; | |
+ } | |
$right_spec = $ph1ent['remote-gateway']; | |
- if (is_ipaddr($right_spec)) | |
+ if (is_ipaddr($right_spec)) { | |
$sourcehost = $right_spec; | |
- else | |
+ } else { | |
$sourcehost = $rgmap['remote-gateway']; | |
+ } | |
if ($ph1ent['protocol'] == 'inet') { | |
if (strpos($ph1ent['interface'], '_vip')) { | |
@@ -710,7 +776,7 @@ EOD; | |
$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); | |
} | |
} | |
- | |
+ | |
if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { | |
$gatewayip = get_interface_gateway($vpninterface); | |
$interfaceip = get_interface_ip($vpninterface); | |
@@ -739,7 +805,7 @@ EOD; | |
$vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); | |
} | |
} | |
- | |
+ | |
if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { | |
$gatewayip = get_interface_gateway_v6($vpninterface); | |
$interfaceip = get_interface_ipv6($vpninterface); | |
@@ -757,136 +823,156 @@ EOD; | |
} | |
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local'); | |
- if ($myid_type != 'address') | |
+ if ($myid_type != 'address' && $myid_type != 'keyid') { | |
$myid_data = "{$myid_type}:{$myid_data}"; | |
+ } | |
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ | |
$peerid_spec = ''; | |
if (!isset($ph1ent['mobile'])) { | |
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap); | |
- if ($peerid_type != 'address') | |
+ if ($peerid_type != 'address' && $peerid_type != 'keyid') { | |
$peerid_spec = "{$peerid_type}:{$peerid_data}"; | |
- else | |
+ } else { | |
$peerid_spec = $peerid_data; | |
+ } | |
} | |
if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { | |
$ealgosp1 = ''; | |
$ealg_id = $ph1ent['encryption-algorithm']['name']; | |
$ealg_kl = $ph1ent['encryption-algorithm']['keylen']; | |
- if ($ealg_kl) | |
+ if ($ealg_kl) { | |
$ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}"; | |
- else | |
+ } else { | |
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; | |
+ } | |
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$ealgosp1 .= "-{$modp}"; | |
+ } | |
$ealgosp1 .= "!"; | |
} | |
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { | |
- if ($passive == "route") | |
+ if ($passive == "route") { | |
$dpdline = "dpdaction = restart"; | |
- else | |
+ } else { | |
$dpdline = "dpdaction = clear"; | |
+ } | |
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; | |
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); | |
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; | |
- } else | |
+ } else { | |
$dpdline = "dpdaction = none"; | |
+ } | |
$ikelifeline = ''; | |
- if ($ph1ent['lifetime']) | |
+ if ($ph1ent['lifetime']) { | |
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; | |
+ } | |
$rightsourceip = NULL; | |
- if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) | |
+ if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) { | |
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; | |
+ } | |
$authentication = ""; | |
switch ($ph1ent['authentication_method']) { | |
- case 'eap-mschapv2': | |
- if (isset($ph1ent['mobile'])) { | |
- $authentication = "eap_identity=%any\n\t"; | |
- $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; | |
- if (!empty($ph1ent['certref'])) | |
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- } | |
- break; | |
- case 'eap-tls': | |
- if (isset($ph1ent['mobile'])) { | |
- $authentication = "eap_identity=%identity\n\t"; | |
- $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; | |
- if (!empty($ph1ent['certref'])) | |
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- } else { | |
- $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; | |
- if (!empty($ph1ent['certref'])) | |
+ case 'eap-mschapv2': | |
+ if (isset($ph1ent['mobile'])) { | |
+ $authentication = "eap_identity=%any\n\t"; | |
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; | |
+ if (!empty($ph1ent['certref'])) { | |
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
+ } | |
+ } | |
+ break; | |
+ case 'eap-tls': | |
+ if (isset($ph1ent['mobile'])) { | |
+ $authentication = "eap_identity=%identity\n\t"; | |
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; | |
+ if (!empty($ph1ent['certref'])) { | |
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
+ } | |
+ } else { | |
+ $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; | |
+ if (!empty($ph1ent['certref'])) { | |
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
+ } | |
+ } | |
+ break; | |
+ case 'eap-radius': | |
+ if (isset($ph1ent['mobile'])) { | |
+ $authentication = "eap_identity=%identity\n\t"; | |
+ $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; | |
+ if (!empty($ph1ent['certref'])) { | |
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
+ } | |
+ } else { | |
+ $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; | |
+ if (!empty($ph1ent['certref'])) { | |
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
+ } | |
+ } | |
+ break; | |
+ case 'xauth_rsa_server': | |
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
+ $authentication .= "\n\trightauth2 = xauth-generic"; | |
+ if (!empty($ph1ent['certref'])) { | |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- } | |
- break; | |
- case 'eap-radius': | |
- if (isset($ph1ent['mobile'])) { | |
- $authentication = "eap_identity=%identity\n\t"; | |
- $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; | |
- if (!empty($ph1ent['certref'])) | |
+ } | |
+ break; | |
+ case 'xauth_psk_server': | |
+ $authentication = "leftauth = psk\n\trightauth = psk"; | |
+ $authentication .= "\n\trightauth2 = xauth-generic"; | |
+ break; | |
+ case 'pre_shared_key': | |
+ $authentication = "leftauth = psk\n\trightauth = psk"; | |
+ break; | |
+ case 'rsasig': | |
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
+ if (!empty($ph1ent['certref'])) { | |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- } else { | |
- $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; | |
- if (!empty($ph1ent['certref'])) | |
+ } | |
+ break; | |
+ case 'hybrid_rsa_server': | |
+ $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; | |
+ $authentication .= "\n\trightauth2 = xauth"; | |
+ if (!empty($ph1ent['certref'])) { | |
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- } | |
- break; | |
- case 'xauth_rsa_server': | |
- $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
- $authentication .= "\n\trightauth2 = xauth-generic"; | |
- if (!empty($ph1ent['certref'])) | |
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- break; | |
- case 'xauth_psk_server': | |
- $authentication = "leftauth = psk\n\trightauth = psk"; | |
- $authentication .= "\n\trightauth2 = xauth-generic"; | |
- break; | |
- case 'pre_shared_key': | |
- $authentication = "leftauth = psk\n\trightauth = psk"; | |
- break; | |
- case 'rsasig': | |
- $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
- if (!empty($ph1ent['certref'])) | |
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- break; | |
- case 'hybrid_rsa_server': | |
- $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; | |
- $authentication .= "\n\trightauth2 = xauth"; | |
- if (!empty($ph1ent['certref'])) | |
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
- break; | |
+ } | |
+ break; | |
} | |
$left_spec = $ep; | |
- if (isset($ph1ent['reauth_enable'])) | |
+ if (isset($ph1ent['reauth_enable'])) { | |
$reauth = "reauth = no"; | |
- else | |
+ } else { | |
$reauth = "reauth = yes"; | |
- if (isset($ph1ent['rekey_enable'])) | |
+ } | |
+ if (isset($ph1ent['rekey_enable'])) { | |
$rekey = "rekey = no"; | |
- else | |
+ } else { | |
$rekey = "rekey = yes"; | |
+ } | |
- if ($ph1ent['nat_traversal'] == 'off') | |
+ if ($ph1ent['nat_traversal'] == 'off') { | |
$forceencaps = 'forceencaps = no'; | |
- else if ($ph1ent['nat_traversal'] == 'force') | |
+ } else if ($ph1ent['nat_traversal'] == 'force') { | |
$forceencaps = 'forceencaps = yes'; | |
- else | |
+ } else { | |
$forceencaps = 'forceencaps = no'; | |
- | |
- if ($ph1ent['mobike'] == 'on') | |
+ } | |
+ | |
+ if ($ph1ent['mobike'] == 'on') { | |
$mobike = 'mobike = yes'; | |
- else | |
+ } else { | |
$mobike = 'mobike = no'; | |
+ } | |
$ipseclifetime = 0; | |
$rightsubnet_spec = array(); | |
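Review bot: The `keyid` exemption added to both the `$myid_data` and `$peerid_spec` checks has no comment explaining why a KeyID tag is written bare while every other non-address type keeps its `type:` prefix; since strongSwan infers the ID type of an unprefixed leftid/rightid from the string's shape, a text tag will presumably go on the wire as an FQDN identifier rather than ID_KEY_ID, which a peer configured for a KeyID may reject — confirm against the peers this is meant to interoperate with. If the reasoning is that strongSwan's `keyid:` prefix expects hex-encoded binary data rather than a text tag, say so next to both checks, e.g. `/* keyid: in strongSwan means hex-encoded binary; pfSense KeyID tags are text, so pass them bare */`. The enclosing foreach over phase 1 entries starts and ends outside the hunk.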
@@ -896,14 +982,17 @@ EOD; | |
$ealgoESPsp2arr = array(); | |
if (is_array($a_phase2) && count($a_phase2)) { | |
foreach ($a_phase2 as $ph2ent) { | |
- if ($ikeid != $ph2ent['ikeid']) | |
+ if ($ikeid != $ph2ent['ikeid']) { | |
continue; | |
+ } | |
- if (isset($ph2ent['disabled'])) | |
+ if (isset($ph2ent['disabled'])) { | |
continue; | |
+ } | |
- if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) | |
+ if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) { | |
continue; | |
+ } | |
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { | |
$tunneltype = "type = tunnel"; | |
@@ -912,8 +1001,8 @@ EOD; | |
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); | |
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ | |
- if (($localid_type == "none" || $localid_type == "mobile") | |
- && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { | |
+ if (($localid_type == "none" || $localid_type == "mobile") && | |
+ isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) { | |
$left_spec = '%any'; | |
} else { | |
if ($localid_type != "address") { | |
@@ -925,13 +1014,15 @@ EOD; | |
continue; | |
} | |
if (!empty($ph2ent['natlocalid'])) { | |
- $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); | |
+ $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); | |
if ($ph2ent['natlocalid']['type'] != "address") { | |
- if (is_subnet($natleftsubnet_data)) | |
+ if (is_subnet($natleftsubnet_data)) { | |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; | |
+ } | |
} else { | |
- if (is_ipaddr($natleftsubnet_data)) | |
+ if (is_ipaddr($natleftsubnet_data)) { | |
$leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; | |
+ } | |
} | |
$natfilterrules = true; | |
} | |
@@ -961,8 +1052,9 @@ EOD; | |
} | |
} | |
- if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) | |
+ if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) { | |
$ph2ent['pfsgroup'] = $a_client['pfs_group']; | |
+ } | |
if ($ph2ent['protocol'] == 'esp') { | |
if (is_array($ph2ent['encryption-algorithm-option'])) { | |
@@ -971,30 +1063,33 @@ EOD; | |
$ealg_kl = $ealg['keylen']; | |
if (!empty($ealg_kl) && $ealg_kl == "auto") { | |
- if (empty($p2_ealgos) || !is_array($p2_ealgos)) | |
+ if (empty($p2_ealgos) || !is_array($p2_ealgos)) { | |
require("ipsec.inc"); | |
+ } | |
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; | |
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; | |
$key_step = $p2_ealgos[$ealg_id]['keysel']['step']; | |
/* XXX: in some cases where include ordering is suspect these variables | |
* are somehow 0 and we enter this loop forever and timeout after 900 | |
* seconds wrecking bootup */ | |
- if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { | |
+ if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) { | |
for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { | |
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { | |
foreach ($ph2ent['hash-algorithm-option'] as $halgo) { | |
$halgo = str_replace('hmac_', '', $halgo); | |
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; | |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$tmpealgo .= "-{$modp}"; | |
+ } | |
$ealgoESPsp2arr[] = $tmpealgo; | |
} | |
} else { | |
$tmpealgo = "{$ealg_id}{$keylen}"; | |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$tmpealgo .= "-{$modp}"; | |
+ } | |
$ealgoESPsp2arr[] = $tmpealgo; | |
} | |
} | |
@@ -1005,15 +1100,17 @@ EOD; | |
$halgo = str_replace('hmac_', '', $halgo); | |
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; | |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$tmpealgo .= "-{$modp}"; | |
+ } | |
$ealgoESPsp2arr[] = $tmpealgo; | |
} | |
} else { | |
$tmpealgo = "{$ealg_id}{$ealg_kl}"; | |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$tmpealgo .= "-{$modp}"; | |
+ } | |
$ealgoESPsp2arr[] = $tmpealgo; | |
} | |
} | |
@@ -1024,8 +1121,9 @@ EOD; | |
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { | |
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); | |
- if (!empty($modp)) | |
+ if (!empty($modp)) { | |
$tmpAHalgo = "-{$modp}"; | |
+ } | |
$ealgoAHsp2arr[] = $tmpAHalgo; | |
} | |
} | |
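Review bot: `$tmpAHalgo = "-{$modp}";` on the new side replaces the hash name with just the PFS group, so an AH phase 2 with PFS enabled emits a proposal of the form `ah = -modp1024!` with no integrity algorithm instead of `sha1-modp1024`; the ESP branches of this function use `.=` for the same step. Change it to `$tmpAHalgo .= "-{$modp}";`. The enclosing loop starts and ends outside the hunk.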
@@ -1034,8 +1132,9 @@ EOD; | |
$reqids[] = $ph2ent['reqid']; | |
if (!empty($ph2ent['lifetime'])) { | |
- if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) | |
+ if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) { | |
$ipseclifetime = intval($ph2ent['lifetime']); | |
+ } | |
} | |
} | |
@@ -1062,61 +1161,74 @@ EOD; | |
$ipsecconnect .= "\tcompress = yes\n"; | |
$enablecompression = true; | |
} | |
- if (!empty($ikelifeline)) | |
+ if (!empty($ikelifeline)) { | |
$ipsecconnect .= "\t{$ikelifeline}\n"; | |
- if ($ipseclifetime > 0) | |
+ } | |
+ if ($ipseclifetime > 0) { | |
$ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n"; | |
- if (!empty($rightsourceip)) | |
+ } | |
+ if (!empty($rightsourceip)) { | |
$ipsecconnect .= "{$rightsourceip}"; | |
- if (!empty($ealgosp1)) | |
+ } | |
+ if (!empty($ealgosp1)) { | |
$ipsecconnect .= "\t{$ealgosp1}\n"; | |
- if (!empty($ealgoAHsp2arr)) | |
+ } | |
+ if (!empty($ealgoAHsp2arr)) { | |
$ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n"; | |
- if (!empty($ealgoESPsp2arr)) | |
+ } | |
+ if (!empty($ealgoESPsp2arr)) { | |
$ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; | |
- if (!empty($authentication)) | |
+ } | |
+ if (!empty($authentication)) { | |
$ipsecconnect .= "\t{$authentication}\n"; | |
- if (!empty($peerid_spec)) | |
+ } | |
+ if (!empty($peerid_spec)) { | |
$ipsecconnect .= "\trightid = {$peerid_spec}\n"; | |
- if ($keyexchange == 'ikev1') | |
+ } | |
+ if ($keyexchange == 'ikev1') { | |
$ipsecconnect .= "\taggressive = {$aggressive}\n"; | |
+ } | |
if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') { | |
if (!empty($rightsubnet_spec)) { | |
$ipsecfin = ''; | |
foreach ($rightsubnet_spec as $idx => $rsubnet) { | |
$ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n"; | |
- //if (!empty($reqids[$idx])) | |
+ //if (!empty($reqids[$idx])) { | |
// $ipsecfin .= "\treqid = " . $reqids[$idx] . "\n"; | |
+ //} | |
$ipsecfin .= $ipsecconnect; | |
$ipsecfin .= "\trightsubnet = {$rsubnet}\n"; | |
$ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n"; | |
} | |
- } else | |
+ } else { | |
log_error("No phase2 specifications for tunnel with REQID = {$ikeid}"); | |
+ } | |
} else { | |
$ipsecfin = "\nconn con{$ph1ent['ikeid']}\n"; | |
- //if (!empty($reqids[$idx])) | |
+ //if (!empty($reqids[$idx])) { | |
// $ipsecfin .= "\treqid = " . $reqids[0] . "\n"; | |
+ //} | |
$ipsecfin .= $ipsecconnect; | |
if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) { | |
$tempsubnets = array(); | |
- foreach ($rightsubnet_spec as $rightsubnet) | |
+ foreach ($rightsubnet_spec as $rightsubnet) { | |
$tempsubnets[$rightsubnet] = $rightsubnet; | |
+ } | |
$ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n"; | |
unset($tempsubnets, $rightsubnet); | |
} | |
if (!empty($leftsubnet_spec)) { | |
$tempsubnets = array(); | |
- foreach ($leftsubnet_spec as $leftsubnet) | |
+ foreach ($leftsubnet_spec as $leftsubnet) { | |
$tempsubnets[$leftsubnet] = $leftsubnet; | |
+ } | |
$ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n"; | |
unset($tempsubnets, $leftsubnet); | |
} | |
} | |
$ipsecconf .= $ipsecfin; | |
unset($ipsecfin); | |
- | |
} | |
} | |
@@ -1124,14 +1236,15 @@ EOD; | |
unset($ipsecconf); | |
/* end ipsec.conf */ | |
- if ($enablecompression === true) | |
+ if ($enablecompression === true) { | |
set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1); | |
- else | |
+ } else { | |
set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0); | |
+ } | |
- /* mange process */ | |
+ /* manage process */ | |
if ($restart === true) { | |
- mwexec("/usr/local/sbin/ipsec restart", false); | |
+ mwexec("/usr/local/sbin/ipsec restart", false); | |
} else { | |
if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) { | |
/* Update configuration changes */ | |
@@ -1139,28 +1252,31 @@ EOD; | |
mwexec("/usr/local/sbin/ipsec rereadall", false); | |
mwexec("/usr/local/sbin/ipsec reload", false); | |
} else { | |
- mwexec("/usr/local/sbin/ipsec start", false); | |
+ mwexec("/usr/local/sbin/ipsec start", false); | |
} | |
} | |
- if ($natfilterrules == true) | |
+ if ($natfilterrules == true) { | |
filter_configure(); | |
+ } | |
/* start filterdns, if necessary */ | |
if (count($filterdns_list) > 0) { | |
$interval = 60; | |
- if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) | |
+ if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) { | |
$interval = $ipseccfg['dns-interval']; | |
+ } | |
$hostnames = ""; | |
array_unique($filterdns_list); | |
- foreach ($filterdns_list as $hostname) | |
+ foreach ($filterdns_list as $hostname) { | |
$hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; | |
+ } | |
file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames); | |
unset($hostnames); | |
- if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) | |
+ if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) { | |
sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP"); | |
- else { | |
+ } else { | |
mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1"); | |
} | |
} else { | |
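Review bot: `array_unique($filterdns_list);` is a no-op because array_unique returns the deduplicated array rather than modifying its argument, so a hostname shared by several phase 1 entries is written to filterdns-ipsec.hosts once per entry and the `count($filterdns_list)` returned further down still includes the duplicates. Assign the result back: `$filterdns_list = array_unique($filterdns_list);`. Separately, `$hostname` is interpolated into the `cmd` line unquoted; it comes from the admin-entered remote-gateway field, so it is trusted input, but a value containing whitespace would split the filterdns directive. The enclosing function continues outside the hunk.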
@@ -1168,8 +1284,9 @@ EOD; | |
@unlink("{$g['varrun_path']}/filterdns-ipsec.pid"); | |
} | |
- if (platform_booting()) | |
+ if (platform_booting()) { | |
echo "done\n"; | |
+ } | |
return count($filterdns_list); | |
} | |
@@ -1210,8 +1327,9 @@ function vpn_ipsec_force_reload($interface = "") { | |
function vpn_setup() { | |
global $g; | |
- if ($g['platform'] == 'jail') | |
+ if ($g['platform'] == 'jail') { | |
return; | |
+ } | |
/* start pptpd */ | |
vpn_pptpd_configure(); | |
@@ -1229,8 +1347,9 @@ function vpn_netgraph_support() { | |
$realif = get_real_interface($iface); | |
/* Get support for netgraph(4) from the nic */ | |
$ifinfo = pfSense_get_interface_addresses($realif); | |
- if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) | |
+ if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) { | |
pfSense_ngctl_attach(".", $realif); | |
+ } | |
} | |
} | |
@@ -1241,11 +1360,13 @@ function vpn_pptpd_configure() { | |
$pptpdcfg = $config['pptpd']; | |
if (platform_booting()) { | |
- if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) | |
+ if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) { | |
return 0; | |
+ } | |
- if (platform_booting(true)) | |
+ if (platform_booting(true)) { | |
echo gettext("Configuring PPTP VPN service... "); | |
+ } | |
} else { | |
/* kill mpd */ | |
killbypid("{$g['varrun_path']}/pptp-vpn.pid"); | |
@@ -1270,11 +1391,12 @@ function vpn_pptpd_configure() { | |
} | |
/* make sure pptp-vpn directory exists */ | |
- if (!file_exists("{$g['varetc_path']}/pptp-vpn")) | |
+ if (!file_exists("{$g['varetc_path']}/pptp-vpn")) { | |
mkdir("{$g['varetc_path']}/pptp-vpn"); | |
+ } | |
switch ($pptpdcfg['mode']) { | |
- case 'server' : | |
+ case 'server': | |
/* write mpd.conf */ | |
$fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w"); | |
if (!$fd) { | |
@@ -1337,23 +1459,27 @@ EOD; | |
EOD; | |
} | |
- if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") | |
- $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; | |
+ if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") { | |
+ $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; | |
+ } | |
if (!empty($pptpdcfg['dns1'])) { | |
$mpdconf .= " set ipcp dns " . $pptpdcfg['dns1']; | |
- if (!empty($pptpdcfg['dns2'])) | |
+ if (!empty($pptpdcfg['dns2'])) { | |
$mpdconf .= " " . $pptpdcfg['dns2']; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset ($config['dnsmasq']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset($config['unbound']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
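Review bot: The DNS addresses written into mpd.conf here are only checked with `!empty($pptpdcfg['dns1'])` / `!empty($pptpdcfg['dns2'])`, whereas the equivalent block in vpn_l2tp_configure validates with `is_ipaddr()` before emitting `set ipcp dns`; since the value goes verbatim into the config file, the pptpd copy (and the identical `!empty` checks in vpn_pppoe_configure) should use `is_ipaddr($pptpdcfg['dns1'])` and `is_ipaddr($pptpdcfg['dns2'])` as well. The dnsmasq and unbound branches also index `$syscfg['dnsserver'][0]` without the `is_array($syscfg['dnsserver'])` guard that the final `elseif` applies. vpn_pptpd_configure's body starts and ends outside this hunk.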
@@ -1366,15 +1492,15 @@ EOD; | |
set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport} | |
EOD; | |
- if (isset ($pptpdcfg['radius']['server2']['enable'])) { | |
- $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; | |
- $acctport = $authport + 1; | |
- $mpdconf .=<<<EOD | |
+ if (isset ($pptpdcfg['radius']['server2']['enable'])) { | |
+ $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; | |
+ $acctport = $authport + 1; | |
+ $mpdconf .=<<<EOD | |
set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport} | |
EOD; | |
- } | |
- $mpdconf .=<<<EOD | |
+ } | |
+ $mpdconf .=<<<EOD | |
set radius retries 3 | |
set radius timeout 10 | |
set auth enable radius-auth | |
@@ -1448,12 +1574,13 @@ EOD; | |
break; | |
- case 'redir' : | |
+ case 'redir': | |
break; | |
} | |
- if (platform_booting()) | |
+ if (platform_booting()) { | |
echo "done\n"; | |
+ } | |
return 0; | |
} | |
@@ -1462,8 +1589,9 @@ function vpn_pppoes_configure() { | |
global $config; | |
if (is_array($config['pppoes']['pppoe'])) { | |
- foreach ($config['pppoes']['pppoe'] as $pppoe) | |
+ foreach ($config['pppoes']['pppoe'] as $pppoe) { | |
vpn_pppoe_configure($pppoe); | |
+ } | |
} | |
} | |
@@ -1473,12 +1601,14 @@ function vpn_pppoe_configure(&$pppoecfg) { | |
$syscfg = $config['system']; | |
/* create directory if it does not exist */ | |
- if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) | |
+ if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) { | |
mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn"); | |
+ } | |
if (platform_booting()) { | |
- if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) | |
+ if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) { | |
return 0; | |
+ } | |
echo gettext("Configuring PPPoE Server service... "); | |
} else { | |
@@ -1492,14 +1622,15 @@ function vpn_pppoe_configure(&$pppoecfg) { | |
switch ($pppoecfg['mode']) { | |
- case 'server' : | |
+ case 'server': | |
$pppoe_interface = get_real_interface($pppoecfg['interface']); | |
- if ($pppoecfg['paporchap'] == "chap") | |
+ if ($pppoecfg['paporchap'] == "chap") { | |
$paporchap = "set link enable chap"; | |
- else | |
+ } else { | |
$paporchap = "set link enable pap"; | |
+ } | |
/* write mpd.conf */ | |
$fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w"); | |
@@ -1566,18 +1697,21 @@ EOD; | |
if (!empty($pppoecfg['dns1'])) { | |
$mpdconf .= " set ipcp dns " . $pppoecfg['dns1']; | |
- if (!empty($pppoecfg['dns2'])) | |
+ if (!empty($pppoecfg['dns2'])) { | |
$mpdconf .= " " . $pppoecfg['dns2']; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset ($config['dnsmasq']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset ($config['unbound']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
$mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
@@ -1586,10 +1720,12 @@ EOD; | |
if (isset ($pppoecfg['radius']['server']['enable'])) { | |
$radiusport = ""; | |
$radiusacctport = ""; | |
- if (isset($pppoecfg['radius']['server']['port'])) | |
+ if (isset($pppoecfg['radius']['server']['port'])) { | |
$radiusport = $pppoecfg['radius']['server']['port']; | |
- if (isset($pppoecfg['radius']['server']['acctport'])) | |
+ } | |
+ if (isset($pppoecfg['radius']['server']['acctport'])) { | |
$radiusacctport = $pppoecfg['radius']['server']['acctport']; | |
+ } | |
$mpdconf .=<<<EOD | |
set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport} | |
set radius retries 3 | |
@@ -1648,7 +1784,7 @@ EOD; | |
if (!empty($pppoecfg['username'])) { | |
$item = explode(" ", $pppoecfg['username']); | |
- foreach($item as $userdata) { | |
+ foreach ($item as $userdata) { | |
$data = explode(":", $userdata); | |
$mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n"; | |
} | |
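Review bot: Each user entry is split on `:` and `$data[1]` / `$data[2]` are written straight into mpd.secret, so an entry missing a separator produces undefined-index notices and an empty field, and a password that decodes to a `"` or a newline breaks the one-line `name "password" ip` format of the secrets file. A guard such as `if (count($data) < 3 || !is_ipaddr($data[2])) { continue; }` plus rejecting or escaping `"` and control characters in the decoded password would keep the file well-formed; the l2tp user loop in vpn_l2tp_configure writes `$user['password']` with the same unescaped interpolation and needs the same check. Note that `explode(" ", ...)` yields empty elements for repeated spaces, which the loop currently does not skip. vpn_pppoe_configure's body starts and ends outside this hunk.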
@@ -1661,8 +1797,9 @@ EOD; | |
} | |
/* Check if previous instance is still up */ | |
- while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) | |
+ while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) { | |
killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid"); | |
+ } | |
/* Get support for netgraph(4) from the nic */ | |
pfSense_ngctl_attach(".", $pppoe_interface); | |
@@ -1672,8 +1809,9 @@ EOD; | |
break; | |
} | |
- if (platform_booting()) | |
+ if (platform_booting()) { | |
echo gettext("done") . "\n"; | |
+ } | |
return 0; | |
} | |
@@ -1685,12 +1823,14 @@ function vpn_l2tp_configure() { | |
$l2tpcfg = $config['l2tp']; | |
/* create directory if it does not exist */ | |
- if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) | |
+ if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) { | |
mkdir("{$g['varetc_path']}/l2tp-vpn"); | |
+ } | |
if (platform_booting()) { | |
- if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) | |
+ if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) { | |
return 0; | |
+ } | |
echo gettext("Configuring l2tp VPN service... "); | |
} else { | |
@@ -1703,16 +1843,18 @@ function vpn_l2tp_configure() { | |
} | |
/* make sure l2tp-vpn directory exists */ | |
- if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) | |
+ if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) { | |
mkdir("{$g['varetc_path']}/l2tp-vpn"); | |
+ } | |
switch ($l2tpcfg['mode']) { | |
- case 'server' : | |
- if ($l2tpcfg['paporchap'] == "chap") | |
+ case 'server': | |
+ if ($l2tpcfg['paporchap'] == "chap") { | |
$paporchap = "set link enable chap"; | |
- else | |
+ } else { | |
$paporchap = "set link enable pap"; | |
+ } | |
/* write mpd.conf */ | |
$fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w"); | |
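Review bot: The `/* make sure l2tp-vpn directory exists */` block duplicates the `is_dir` check and `mkdir` already done a few lines above under `/* create directory if it does not exist */`; both create the same `{$g['varetc_path']}/l2tp-vpn` path, so one of the two should be dropped (the later `file_exists` test is the weaker one, since it is also satisfied by a regular file of that name). If the directory is kept as the place for secret-bearing mpd files, passing an explicit mode to the remaining `mkdir` would be the natural spot for it. vpn_l2tp_configure's body starts and ends outside this hunk.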
@@ -1775,21 +1917,24 @@ EOD; | |
} | |
if (is_ipaddr($l2tpcfg['dns1'])) { | |
$mpdconf .= " set ipcp dns " . $l2tpcfg['dns1']; | |
- if (is_ipaddr($l2tpcfg['dns2'])) | |
+ if (is_ipaddr($l2tpcfg['dns2'])) { | |
$mpdconf .= " " . $l2tpcfg['dns2']; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset ($config['dnsmasq']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (isset ($config['unbound']['enable'])) { | |
$mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
- if ($syscfg['dnsserver'][0]) | |
+ if ($syscfg['dnsserver'][0]) { | |
$mpdconf .= " " . $syscfg['dnsserver'][0]; | |
+ } | |
$mpdconf .= "\n"; | |
} elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
- $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
+ $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
} | |
if (isset ($l2tpcfg['radius']['enable'])) { | |
@@ -1831,8 +1976,9 @@ l2tp{$i}: | |
set l2tp disable originate | |
EOD; | |
- if (!empty($l2tpcfg['secret'])) | |
+ if (!empty($l2tpcfg['secret'])) { | |
$mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n"; | |
+ } | |
} | |
fwrite($fd, $mpdlinks); | |
@@ -1849,8 +1995,9 @@ EOD; | |
$mpdsecret = "\n\n"; | |
if (is_array($l2tpcfg['user'])) { | |
- foreach ($l2tpcfg['user'] as $user) | |
+ foreach ($l2tpcfg['user'] as $user) { | |
$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; | |
+ } | |
} | |
fwrite($fd, $mpdsecret); | |
@@ -1865,12 +2012,13 @@ EOD; | |
break; | |
- case 'redir' : | |
+ case 'redir': | |
break; | |
} | |
- if (platform_booting()) | |
+ if (platform_booting()) { | |
echo "done\n"; | |
+ } | |
return 0; | |
} |