Created
July 7, 2015 12:57
-
-
Save jim-p/fe05b1b6c6e865d12929 to your computer and use it in GitHub Desktop.
ipsec_stuff.diff
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ git diff RELENG_2_2_3 RELENG_2_2 -- etc/inc/ipsec.inc > ../ipsec_stuff.diff | |
| $ git diff RELENG_2_2_3 RELENG_2_2 -- etc/inc/vpn.inc >> ../ipsec_stuff.diff | |
| $ cat ../ipsec_stuff.diff | |
| diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc | |
| index 8bfed07..5c7d15d 100644 | |
| --- a/etc/inc/ipsec.inc | |
| +++ b/etc/inc/ipsec.inc | |
| @@ -44,22 +44,22 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE | |
| global $my_identifier_list; | |
| $my_identifier_list = array( | |
| - 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ), | |
| - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ), | |
| - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), | |
| - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), | |
| - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), | |
| - 'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ), | |
| - 'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true )); | |
| + 'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true), | |
| + 'address' => array('desc' => gettext('IP address'), 'mobile' => true), | |
| + 'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true), | |
| + 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), | |
| + 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), | |
| + 'keyid tag' => array('desc' => gettext('KeyID tag'), 'mobile' => true), | |
| + 'dyn_dns' => array('desc' => gettext('Dynamic DNS'), 'mobile' => true)); | |
| global $peer_identifier_list; | |
| $peer_identifier_list = array( | |
| - 'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ), | |
| - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ), | |
| - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), | |
| - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), | |
| - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), | |
| - 'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true )); | |
| + 'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false), | |
| + 'address' => array('desc' => gettext('IP address'), 'mobile' => false), | |
| + 'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true), | |
| + 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), | |
| + 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), | |
| + 'keyid tag' => array('desc' =>gettext('KeyID tag'), 'mobile' => true)); | |
| global $ipsec_idhandling; | |
| $ipsec_idhandling = array( | |
| @@ -68,22 +68,25 @@ $ipsec_idhandling = array( | |
| global $p1_ealgos; | |
| $p1_ealgos = array( | |
| - 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
| - 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
| - '3des' => array( 'name' => '3DES' ), | |
| - 'cast128' => array( 'name' => 'CAST128' ), | |
| - 'des' => array( 'name' => 'DES' )); | |
| + 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
| + 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
| + '3des' => array('name' => '3DES'), | |
| + 'cast128' => array('name' => 'CAST128'), | |
| + 'des' => array('name' => 'DES')); | |
| global $p2_ealgos; | |
| $p2_ealgos = array( | |
| - 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
| - 'aes128gcm' => array( 'name' => 'AES128-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
| - 'aes192gcm' => array( 'name' => 'AES192-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
| - 'aes256gcm' => array( 'name' => 'AES256-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), | |
| - 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), | |
| - '3des' => array( 'name' => '3DES' ), | |
| - 'cast128' => array( 'name' => 'CAST128' ), | |
| - 'des' => array( 'name' => 'DES' )); | |
| + 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
| + 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), | |
| + 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), | |
| + '3des' => array('name' => '3DES'), | |
| + 'cast128' => array('name' => 'CAST128'), | |
| + 'des' => array('name' => 'DES')); | |
| global $p1_halgos; | |
| $p1_halgos = array( | |
| @@ -110,7 +113,10 @@ $p1_dhgroups = array( | |
| 21 => '21 (nist ecp521)', | |
| 22 => '22 (1024(sub 160) bit)', | |
| 23 => '23 (2048(sub 224) bit)', | |
| - 24 => '24 (2048(sub 256) bit)' | |
| + 24 => '24 (2048(sub 256) bit)', | |
| + 28 => '28 (brainpool ecp256)', | |
| + 29 => '29 (brainpool ecp384)', | |
| + 30 => '30 (brainpool ecp512)' | |
| ); | |
| global $p2_halgos; | |
| @@ -125,14 +131,14 @@ $p2_halgos = array( | |
| global $p1_authentication_methods; | |
| $p1_authentication_methods = array( | |
| - 'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ), | |
| - 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), | |
| - 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), | |
| - 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), | |
| - 'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true), | |
| - 'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true), | |
| - 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), | |
| - 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); | |
| + 'hybrid_rsa_server' => array('name' => 'Hybrid RSA + Xauth', 'mobile' => true), | |
| + 'xauth_rsa_server' => array('name' => 'Mutual RSA + Xauth', 'mobile' => true), | |
| + 'xauth_psk_server' => array('name' => 'Mutual PSK + Xauth', 'mobile' => true), | |
| + 'eap-tls' => array('name' => 'EAP-TLS', 'mobile' => true), | |
| + 'eap-radius' => array('name' => 'EAP-RADIUS', 'mobile' => true), | |
| + 'eap-mschapv2' => array('name' => 'EAP-MSChapv2', 'mobile' => true), | |
| + 'rsasig' => array('name' => 'Mutual RSA', 'mobile' => false), | |
| + 'pre_shared_key' => array('name' => 'Mutual PSK', 'mobile' => false)); | |
| global $ipsec_preshared_key_type; | |
| $ipsec_preshared_key_type = array( | |
| @@ -161,7 +167,13 @@ $p2_pfskeygroups = array( | |
| 15 => '15 (3072 bit)', | |
| 16 => '16 (4096 bit)', | |
| 17 => '17 (6144 bit)', | |
| - 18 => '18 (8192 bit)' | |
| + 18 => '18 (8192 bit)', | |
| + 19 => '19 (nist ecp256)', | |
| + 20 => '20 (nist ecp384)', | |
| + 21 => '21 (nist ecp521)', | |
| + 28 => '28 (brainpool ecp256)', | |
| + 29 => '29 (brainpool ecp384)', | |
| + 30 => '30 (brainpool ecp512)' | |
| ); | |
| /* | |
| @@ -171,9 +183,11 @@ $p2_pfskeygroups = array( | |
| function ipsec_ikeid_used($ikeid) { | |
| global $config; | |
| - foreach ($config['ipsec']['phase1'] as $ph1ent) | |
| - if( $ikeid == $ph1ent['ikeid'] ) | |
| + foreach ($config['ipsec']['phase1'] as $ph1ent) { | |
| + if ($ikeid == $ph1ent['ikeid']) { | |
| return true; | |
| + } | |
| + } | |
| return false; | |
| } | |
| @@ -181,8 +195,9 @@ function ipsec_ikeid_used($ikeid) { | |
| function ipsec_ikeid_next() { | |
| $ikeid = 1; | |
| - while(ipsec_ikeid_used($ikeid)) | |
| + while (ipsec_ikeid_used($ikeid)) { | |
| $ikeid++; | |
| + } | |
| return $ikeid; | |
| } | |
| @@ -205,14 +220,15 @@ function ipsec_get_phase1_src(& $ph1ent) { | |
| $interfaceip = get_interface_ip($if); | |
| } | |
| } else { | |
| - $interfaceip=$ph1ent['interface']; | |
| + $interfaceip = $ph1ent['interface']; | |
| } | |
| } else { | |
| $if = "wan"; | |
| - if ($ph1ent['protocol'] == "inet6") | |
| + if ($ph1ent['protocol'] == "inet6") { | |
| $interfaceip = get_interface_ipv6($if); | |
| - else | |
| + } else { | |
| $interfaceip = get_interface_ip($if); | |
| + } | |
| } | |
| return $interfaceip; | |
| @@ -224,15 +240,18 @@ function ipsec_get_phase1_src(& $ph1ent) { | |
| function ipsec_get_phase1_dst(& $ph1ent) { | |
| global $g; | |
| - if (empty($ph1ent['remote-gateway'])) | |
| + if (empty($ph1ent['remote-gateway'])) { | |
| return false; | |
| + } | |
| $rg = $ph1ent['remote-gateway']; | |
| if (!is_ipaddr($rg)) { | |
| - if(! platform_booting()) | |
| + if (!platform_booting()) { | |
| return resolve_retry($rg); | |
| + } | |
| } | |
| - if(!is_ipaddr($rg)) | |
| + if (!is_ipaddr($rg)) { | |
| return false; | |
| + } | |
| return $rg; | |
| } | |
| @@ -246,12 +265,14 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
| switch ($idinfo['type']) { | |
| case "address": | |
| if ($addrbits) { | |
| - if ($mode == "tunnel6") | |
| + if ($mode == "tunnel6") { | |
| return $idinfo['address']."/128"; | |
| - else | |
| + } else { | |
| return $idinfo['address']."/32"; | |
| - } else | |
| + } | |
| + } else { | |
| return $idinfo['address']; | |
| + } | |
| break; /* NOTREACHED */ | |
| case "network": | |
| return "{$idinfo['address']}/{$idinfo['netbits']}"; | |
| @@ -261,18 +282,19 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
| return '0.0.0.0/0'; | |
| break; /* NOTREACHED */ | |
| default: | |
| - if (empty($mode) && !empty($idinfo['mode'])) | |
| + if (empty($mode) && !empty($idinfo['mode'])) { | |
| $mode = $idinfo['mode']; | |
| + } | |
| if ($mode == "tunnel6") { | |
| $address = get_interface_ipv6($idinfo['type']); | |
| $netbits = get_interface_subnetv6($idinfo['type']); | |
| - $address = gen_subnetv6($address,$netbits); | |
| + $address = gen_subnetv6($address, $netbits); | |
| return "{$address}/{$netbits}"; | |
| } else { | |
| $address = get_interface_ip($idinfo['type']); | |
| $netbits = get_interface_subnet($idinfo['type']); | |
| - $address = gen_subnet($address,$netbits); | |
| + $address = gen_subnet($address, $netbits); | |
| return "{$address}/{$netbits}"; | |
| } | |
| break; /* NOTREACHED */ | |
| @@ -282,18 +304,20 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { | |
| /* | |
| * Return phase2 idinfo in address/netmask format | |
| */ | |
| -function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { | |
| +function ipsec_idinfo_to_subnet(& $idinfo, $addrbits = false) { | |
| global $config; | |
| switch ($idinfo['type']) { | |
| case "address": | |
| if ($addrbits) { | |
| - if ($idinfo['mode'] == "tunnel6") | |
| + if ($idinfo['mode'] == "tunnel6") { | |
| return $idinfo['address']."/128"; | |
| - else | |
| + } else { | |
| return $idinfo['address']."/255.255.255.255"; | |
| - } else | |
| + } | |
| + } else { | |
| return $idinfo['address']; | |
| + } | |
| break; /* NOTREACHED */ | |
| case "none": | |
| case "network": | |
| @@ -306,12 +330,12 @@ function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { | |
| if ($idinfo['mode'] == "tunnel6") { | |
| $address = get_interface_ipv6($idinfo['type']); | |
| $netbits = get_interface_subnetv6($idinfo['type']); | |
| - $address = gen_subnetv6($address,$netbits); | |
| + $address = gen_subnetv6($address, $netbits); | |
| return $address."/".$netbits; | |
| } else { | |
| $address = get_interface_ip($idinfo['type']); | |
| $netbits = get_interface_subnet($idinfo['type']); | |
| - $address = gen_subnet($address,$netbits); | |
| + $address = gen_subnet($address, $netbits); | |
| return $address."/".$netbits; | |
| } | |
| break; /* NOTREACHED */ | |
| @@ -325,45 +349,49 @@ function ipsec_idinfo_to_text(& $idinfo) { | |
| global $config; | |
| switch ($idinfo['type']) { | |
| - case "address": | |
| - return $idinfo['address']; | |
| - break; /* NOTREACHED */ | |
| - case "network": | |
| - return $idinfo['address']."/".$idinfo['netbits']; | |
| - break; /* NOTREACHED */ | |
| - case "mobile": | |
| - return gettext("Mobile Client"); | |
| - break; /* NOTREACHED */ | |
| - case "none": | |
| - return gettext("None"); | |
| - break; /* NOTREACHED */ | |
| - default: | |
| - if (!empty($config['interfaces'][$idinfo['type']])) | |
| - return convert_friendly_interface_to_friendly_descr($idinfo['type']); | |
| - else | |
| - return strtoupper($idinfo['type']); | |
| - break; /* NOTREACHED */ | |
| + case "address": | |
| + return $idinfo['address']; | |
| + break; /* NOTREACHED */ | |
| + case "network": | |
| + return $idinfo['address']."/".$idinfo['netbits']; | |
| + break; /* NOTREACHED */ | |
| + case "mobile": | |
| + return gettext("Mobile Client"); | |
| + break; /* NOTREACHED */ | |
| + case "none": | |
| + return gettext("None"); | |
| + break; /* NOTREACHED */ | |
| + default: | |
| + if (!empty($config['interfaces'][$idinfo['type']])) { | |
| + return convert_friendly_interface_to_friendly_descr($idinfo['type']); | |
| + } else { | |
| + return strtoupper($idinfo['type']); | |
| + } | |
| + break; /* NOTREACHED */ | |
| } | |
| } | |
| /* | |
| * Return phase1 association for phase2 | |
| */ | |
| -function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { | |
| +function ipsec_lookup_phase1(& $ph2ent, & $ph1ent) { | |
| global $config; | |
| - if (!is_array($config['ipsec'])) | |
| + if (!is_array($config['ipsec'])) { | |
| return false; | |
| - if (!is_array($config['ipsec']['phase1'])) | |
| + } | |
| + if (!is_array($config['ipsec']['phase1'])) { | |
| return false; | |
| - if (empty($config['ipsec']['phase1'])) | |
| + } | |
| + if (empty($config['ipsec']['phase1'])) { | |
| return false; | |
| + } | |
| foreach ($config['ipsec']['phase1'] as $ph1tmp) { | |
| - if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { | |
| - $ph1ent = $ph1tmp; | |
| - return $ph1ent; | |
| - } | |
| + if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { | |
| + $ph1ent = $ph1tmp; | |
| + return $ph1ent; | |
| + } | |
| } | |
| return false; | |
| @@ -376,8 +404,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { | |
| foreach ($ipsec_status as $ike) { | |
| if ($ike['id'] == $ikeid) { | |
| - if ($ike['status'] == 'established') | |
| + if ($ike['status'] == 'established') { | |
| return true; | |
| + } | |
| } | |
| } | |
| @@ -389,8 +418,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { | |
| */ | |
| function ipsec_phase2_status(&$ipsec_status, &$phase2) { | |
| - if (ipsec_lookup_phase1($ph2ent,$ph1ent)) | |
| + if (ipsec_lookup_phase1($ph2ent, $ph1ent)) { | |
| return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']); | |
| + } | |
| return false; | |
| } | |
| @@ -419,8 +449,9 @@ function ipsec_smp_dump_status() { | |
| $response = ""; | |
| while (!strstr($sread, "</message>")) { | |
| $sread = fgets($fd); | |
| - if ($sread === false) | |
| + if ($sread === false) { | |
| break; | |
| + } | |
| $response .= $sread; | |
| } | |
| fclose($fd); | |
| @@ -444,20 +475,22 @@ function ipsec_smp_dump_status() { | |
| /* | |
| * Return dump of SPD table | |
| */ | |
| -function ipsec_dump_spd() | |
| -{ | |
| +function ipsec_dump_spd() { | |
| $fd = @popen("/sbin/setkey -DP", "r"); | |
| $spd = array(); | |
| if ($fd) { | |
| while (!feof($fd)) { | |
| $line = chop(fgets($fd)); | |
| - if (!$line) | |
| + if (!$line) { | |
| continue; | |
| - if ($line == "No SPD entries.") | |
| + } | |
| + if ($line == "No SPD entries.") { | |
| break; | |
| + } | |
| if ($line[0] != "\t") { | |
| - if (is_array($cursp)) | |
| + if (is_array($cursp)) { | |
| $spd[] = $cursp; | |
| + } | |
| $cursp = array(); | |
| $linea = explode(" ", $line); | |
| $cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "[")); | |
| @@ -466,26 +499,27 @@ function ipsec_dump_spd() | |
| } else if (is_array($cursp)) { | |
| $line = trim($line, "\t\r\n "); | |
| $linea = explode(" ", $line); | |
| - switch($i) | |
| - { | |
| + switch ($i) { | |
| case 1: | |
| - if ($linea[1] == "none") /* don't show default anti-lockout rule */ | |
| + if ($linea[1] == "none") /* don't show default anti-lockout rule */ { | |
| unset($cursp); | |
| - else | |
| + } else { | |
| $cursp['dir'] = $linea[0]; | |
| + } | |
| break; | |
| case 2: | |
| $upperspec = explode("/", $linea[0]); | |
| $cursp['proto'] = $upperspec[0]; | |
| list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]); | |
| - $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); | |
| + $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); | |
| break; | |
| } | |
| } | |
| $i++; | |
| } | |
| - if (is_array($cursp) && count($cursp)) | |
| + if (is_array($cursp) && count($cursp)) { | |
| $spd[] = $cursp; | |
| + } | |
| pclose($fd); | |
| } | |
| @@ -495,36 +529,35 @@ function ipsec_dump_spd() | |
| /* | |
| * Return dump of SAD table | |
| */ | |
| -function ipsec_dump_sad() | |
| -{ | |
| +function ipsec_dump_sad() { | |
| $fd = @popen("/sbin/setkey -D", "r"); | |
| $sad = array(); | |
| if ($fd) { | |
| while (!feof($fd)) { | |
| $line = chop(fgets($fd)); | |
| - if (!$line || $line[0] == " ") | |
| + if (!$line || $line[0] == " ") { | |
| continue; | |
| - if ($line == "No SAD entries.") | |
| + } | |
| + if ($line == "No SAD entries.") { | |
| break; | |
| - if ($line[0] != "\t") | |
| - { | |
| - if (is_array($cursa)) | |
| + } | |
| + if ($line[0] != "\t") { | |
| + if (is_array($cursa)) { | |
| $sad[] = $cursa; | |
| + } | |
| $cursa = array(); | |
| - list($cursa['src'],$cursa['dst']) = explode(" ", $line); | |
| - } | |
| - else | |
| - { | |
| + list($cursa['src'], $cursa['dst']) = explode(" ", $line); | |
| + } else { | |
| $line = trim($line, "\t\n\r "); | |
| $linea = explode(" ", $line); | |
| foreach ($linea as $idx => $linee) { | |
| - if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') | |
| + if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') { | |
| $cursa['proto'] = $linee; | |
| - else if (substr($linee, 0, 3) == 'spi') | |
| + } else if (substr($linee, 0, 3) == 'spi') { | |
| $cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1); | |
| - else if (substr($linee, 0, 5) == 'reqid') | |
| + } else if (substr($linee, 0, 5) == 'reqid') { | |
| $cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1); | |
| - else if (substr($linee, 0, 2) == 'E:') { | |
| + } else if (substr($linee, 0, 2) == 'E:') { | |
| $cursa['ealgo'] = $linea[$idx + 1]; | |
| break; | |
| } else if (substr($linee, 0, 2) == 'A:') { | |
| @@ -534,12 +567,12 @@ function ipsec_dump_sad() | |
| $cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B'; | |
| break; | |
| } | |
| - | |
| } | |
| } | |
| } | |
| - if (is_array($cursa) && count($cursa)) | |
| + if (is_array($cursa) && count($cursa)) { | |
| $sad[] = $cursa; | |
| + } | |
| pclose($fd); | |
| } | |
| @@ -560,8 +593,9 @@ function ipsec_dump_mobile() { | |
| } | |
| /* This is needed for fixing #4130 */ | |
| - if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) | |
| + if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) { | |
| return array(); | |
| + } | |
| $custom_listtags = array('lease', 'pool'); | |
| $response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases"); | |
| @@ -583,13 +617,13 @@ function ipsec_mobilekey_sort() { | |
| function ipsec_get_number_of_phase2($ikeid) { | |
| global $config; | |
| - $a_phase2 = $config['ipsec']['phase2']; | |
| + $a_phase2 = $config['ipsec']['phase2']; | |
| - $nbph2=0; | |
| + $nbph2 = 0; | |
| - if (is_array($a_phase2) && count($a_phase2)) { | |
| - foreach ($a_phase2 as $ph2tmp) { | |
| - if ($ph2tmp['ikeid'] == $ikeid) { | |
| + if (is_array($a_phase2) && count($a_phase2)) { | |
| + foreach ($a_phase2 as $ph2tmp) { | |
| + if ($ph2tmp['ikeid'] == $ikeid) { | |
| $nbph2++; | |
| } | |
| } | |
| @@ -602,8 +636,9 @@ function ipsec_get_descr($ikeid) { | |
| global $config; | |
| if (!isset($config['ipsec']['phase1']) || | |
| - !is_array($config['ipsec']['phase1'])) | |
| + !is_array($config['ipsec']['phase1'])) { | |
| return ''; | |
| + } | |
| foreach ($config['ipsec']['phase1'] as $p1) { | |
| if ($p1['ikeid'] == $ikeid) { | |
| @@ -615,26 +650,28 @@ function ipsec_get_descr($ikeid) { | |
| } | |
| function ipsec_get_phase1($ikeid) { | |
| - global $config; | |
| + global $config; | |
| - if (!isset($config['ipsec']['phase1']) || | |
| - !is_array($config['ipsec']['phase1'])) | |
| - return ''; | |
| + if (!isset($config['ipsec']['phase1']) || | |
| + !is_array($config['ipsec']['phase1'])) { | |
| + return ''; | |
| + } | |
| - $a_phase1 = $config['ipsec']['phase1']; | |
| - foreach ($a_phase1 as $p1) { | |
| - if ($p1['ikeid'] == $ikeid) { | |
| - return $p1; | |
| - } | |
| - } | |
| - unset($a_phase1); | |
| + $a_phase1 = $config['ipsec']['phase1']; | |
| + foreach ($a_phase1 as $p1) { | |
| + if ($p1['ikeid'] == $ikeid) { | |
| + return $p1; | |
| + } | |
| + } | |
| + unset($a_phase1); | |
| } | |
| function ipsec_fixup_ip($ipaddr) { | |
| - if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) | |
| + if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) { | |
| return Net_IPv6::compress(Net_IPv6::uncompress($ipaddr)); | |
| - else | |
| + } else { | |
| return $ipaddr; | |
| + } | |
| } | |
| function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { | |
| @@ -643,65 +680,71 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { | |
| $id_data = $ph1ent['myid_data']; | |
| $addr = ipsec_get_phase1_src($ph1ent); | |
| - if (!$addr) | |
| + if (!$addr) { | |
| return array(); | |
| + } | |
| } elseif ($side == "peer") { | |
| $id_type = $ph1ent['peerid_type']; | |
| $id_data = $ph1ent['peerid_data']; | |
| - if (isset($ph1ent['mobile'])) | |
| + if (isset($ph1ent['mobile'])) { | |
| $addr = "%any"; | |
| - else | |
| + } else { | |
| $addr = $ph1ent['remote-gateway']; | |
| - } else | |
| + } | |
| + } else { | |
| return array(); | |
| + } | |
| $thisid_type = $id_type; | |
| switch ($thisid_type) { | |
| - case 'myaddress': | |
| - $thisid_type = 'address'; | |
| - $thisid_data = $addr; | |
| - break; | |
| - case 'dyn_dns': | |
| - $thisid_type = 'dns'; | |
| - $thisid_data = $id_data; | |
| - break; | |
| - case 'peeraddress': | |
| - $thisid_type = 'address'; | |
| - $thisid_data = $rgmap[$ph1ent['remote-gateway']]; | |
| - break; | |
| - case 'address': | |
| - $thisid_data = $id_data; | |
| - break; | |
| - case 'fqdn': | |
| - $thisid_data = "{$id_data}"; | |
| - break; | |
| - case 'keyid tag': | |
| - $thisid_type = 'keyid'; | |
| - $thisid_data = "{$thisid_data}"; | |
| - break; | |
| - case 'user_fqdn': | |
| - $thisid_type = 'userfqdn'; | |
| - $thisid_data = "{$id_data}"; | |
| - break; | |
| - case 'asn1dn': | |
| - $thisid_data = $id_data; | |
| - $thisid_data = "{$id_data}"; | |
| - break; | |
| + case 'myaddress': | |
| + $thisid_type = 'address'; | |
| + $thisid_data = $addr; | |
| + break; | |
| + case 'dyn_dns': | |
| + $thisid_type = 'dns'; | |
| + $thisid_data = $id_data; | |
| + break; | |
| + case 'peeraddress': | |
| + $thisid_type = 'address'; | |
| + $thisid_data = $rgmap[$ph1ent['remote-gateway']]; | |
| + break; | |
| + case 'address': | |
| + $thisid_data = $id_data; | |
| + break; | |
| + case 'fqdn': | |
| + $thisid_data = "{$id_data}"; | |
| + break; | |
| + case 'keyid tag': | |
| + $thisid_type = 'keyid'; | |
| + $thisid_data = "{$id_data}"; | |
| + break; | |
| + case 'user_fqdn': | |
| + $thisid_type = 'userfqdn'; | |
| + $thisid_data = "{$id_data}"; | |
| + break; | |
| + case 'asn1dn': | |
| + $thisid_data = $id_data; | |
| + if ($thisid_data && $thisid_data[0] != '"') { | |
| + $thisid_data = "\"{$id_data}\""; | |
| + } | |
| + break; | |
| } | |
| return array($thisid_type, $thisid_data); | |
| } | |
| function ipsec_fixup_network($network) { | |
| - if (substr($network, -3) == '|/0') | |
| + if (substr($network, -3) == '|/0') { | |
| $result = substr($network, 0, -3); | |
| - else { | |
| + } else { | |
| $tmp = explode('|', $network); | |
| - if (isset($tmp[1])) | |
| + if (isset($tmp[1])) { | |
| $result = $tmp[1]; | |
| - else | |
| + } else { | |
| $result = $tmp[0]; | |
| + } | |
| unset($tmp); | |
| } | |
| @@ -711,14 +754,16 @@ function ipsec_fixup_network($network) { | |
| function ipsec_new_reqid() { | |
| global $config; | |
| - if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) | |
| + if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) { | |
| return; | |
| + } | |
| $ipsecreqid = lock('ipsecreqids', LOCK_EX); | |
| $keyids = array(); | |
| $keyid = 1; | |
| - foreach ($config['ipsec']['phase2'] as $ph2) | |
| + foreach ($config['ipsec']['phase2'] as $ph2) { | |
| $keyids[$ph2['reqid']] = $ph2['reqid']; | |
| + } | |
| for ($i = 1; $i < 16000; $i++) { | |
| if (!isset($keyids[$i])) { | |
| diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc | |
| index 6e4d71d..9ca4df2 100644 | |
| --- a/etc/inc/vpn.inc | |
| +++ b/etc/inc/vpn.inc | |
| @@ -4,7 +4,7 @@ | |
| vpn.inc | |
| Copyright (C) 2004 Scott Ullrich | |
| Copyright (C) 2008 Shrew Soft Inc | |
| - Copyright (C) 2008 Ermal Lu�i | |
| + Copyright (C) 2008 Ermal Luçi | |
| All rights reserved. | |
| originally part of m0n0wall (http://m0n0.ch/wall) | |
| @@ -42,78 +42,87 @@ | |
| require_once("ipsec.inc"); | |
| -function vpn_ipsec_configure_loglevels($forconfig = false) | |
| -{ | |
| +function vpn_ipsec_configure_loglevels($forconfig = false) { | |
| global $config, $ipsec_loglevels; | |
| $cfgtext = array(); | |
| foreach ($ipsec_loglevels as $lkey => $ldescr) { | |
| - if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) | |
| + if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) { | |
| mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false); | |
| - else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && | |
| - intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) | |
| + } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && | |
| + intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { | |
| $forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : | |
| mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false); | |
| + } | |
| } | |
| - if ($forconfig) | |
| + if ($forconfig) { | |
| return implode(',', $cfgtext); | |
| + } | |
| } | |
| /* include all configuration functions */ | |
| -function vpn_ipsec_convert_to_modp($index) | |
| -{ | |
| +function vpn_ipsec_convert_to_modp($index) { | |
| $convertion = ""; | |
| switch ($index) { | |
| - case '1': | |
| - $convertion = "modp768"; | |
| - break; | |
| - case '2': | |
| - $convertion = "modp1024"; | |
| - break; | |
| - case '5': | |
| - $convertion = "modp1536"; | |
| - break; | |
| - case '14': | |
| - $convertion = "modp2048"; | |
| - break; | |
| - case '15': | |
| - $convertion = "modp3072"; | |
| - break; | |
| - case '16': | |
| - $convertion = "modp4096"; | |
| - break; | |
| - case '17': | |
| - $convertion = "modp6144"; | |
| - break; | |
| - case '18': | |
| - $convertion = "modp8192"; | |
| - break; | |
| - case '19': | |
| - $convertion = "ecp256"; | |
| - break; | |
| - case '20': | |
| - $convertion = "ecp384"; | |
| - break; | |
| - case '21': | |
| - $convertion = "ecp512"; | |
| - break; | |
| + case '1': | |
| + $convertion = "modp768"; | |
| + break; | |
| + case '2': | |
| + $convertion = "modp1024"; | |
| + break; | |
| + case '5': | |
| + $convertion = "modp1536"; | |
| + break; | |
| + case '14': | |
| + $convertion = "modp2048"; | |
| + break; | |
| + case '15': | |
| + $convertion = "modp3072"; | |
| + break; | |
| + case '16': | |
| + $convertion = "modp4096"; | |
| + break; | |
| + case '17': | |
| + $convertion = "modp6144"; | |
| + break; | |
| + case '18': | |
| + $convertion = "modp8192"; | |
| + break; | |
| + case '19': | |
| + $convertion = "ecp256"; | |
| + break; | |
| + case '20': | |
| + $convertion = "ecp384"; | |
| + break; | |
| + case '21': | |
| + $convertion = "ecp521"; | |
| + break; | |
| + case '28': | |
| + $convertion = "ecp256bp"; | |
| + break; | |
| + case '29': | |
| + $convertion = "ecp384bp"; | |
| + break; | |
| + case '30': | |
| + $convertion = "ecp512bp"; | |
| + break; | |
| } | |
| return $convertion; | |
| } | |
| -function vpn_ipsec_configure($restart = false) | |
| -{ | |
| +function vpn_ipsec_configure($restart = false) { | |
| global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling; | |
| - if ($g['platform'] == 'jail') | |
| + if ($g['platform'] == 'jail') { | |
| return; | |
| + } | |
| /* get the automatic ping_hosts.sh ready */ | |
| unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts"); | |
| touch("{$g['vardb_path']}/ipsecpinghosts"); | |
| - | |
| + | |
| /* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */ | |
| filter_configure(); | |
| @@ -145,34 +154,46 @@ function vpn_ipsec_configure($restart = false) | |
| mwexec("/sbin/ifconfig enc0 up"); | |
| set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); | |
| - if (php_uname('m') != "amd64") | |
| + if (php_uname('m') != "amd64") { | |
| set_single_sysctl("net.inet.ipsec.directdispatch", "0"); | |
| + } | |
| /* needed for config files */ | |
| - if (!is_dir("{$g['varetc_path']}/ipsec")) | |
| + if (!is_dir("{$g['varetc_path']}/ipsec")) { | |
| mkdir("{$g['varetc_path']}/ipsec"); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); | |
| - if (!is_dir($capath)) | |
| + } | |
| + if (!is_dir($capath)) { | |
| mkdir($capath); | |
| - if (!is_dir($keypath)) | |
| + } | |
| + if (!is_dir($keypath)) { | |
| mkdir($keypath); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); | |
| - if (!is_dir($certpath)) | |
| + } | |
| + if (!is_dir($certpath)) { | |
| mkdir($certpath); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"); | |
| - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) | |
| + } | |
| + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) { | |
| mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"); | |
| - | |
| + } | |
| - if (platform_booting()) | |
| + | |
| + if (platform_booting()) { | |
| echo gettext("Configuring IPsec VPN... "); | |
| + } | |
| /* fastforwarding is not compatible with ipsec tunnels */ | |
| set_single_sysctl("net.inet.ip.fastforwarding", "0"); | |
| @@ -190,23 +211,26 @@ function vpn_ipsec_configure($restart = false) | |
| $ipsecpinghosts = ""; | |
| /* step through each phase1 entry */ | |
| foreach ($a_phase1 as $ph1ent) { | |
| - if (isset($ph1ent['disabled'])) | |
| + if (isset($ph1ent['disabled'])) { | |
| continue; | |
| + } | |
| if (strpos($ph1ent['interface'], '_vip')) { | |
| $vpninterface = explode('_vip', $ph1ent['interface']); | |
| $ifacesuse[] = get_real_interface($vpninterface[0]); | |
| - } else { | |
| - $vpninterface = get_failover_interface($ph1ent['interface']); | |
| + } else { | |
| + $vpninterface = get_failover_interface($ph1ent['interface']); | |
| if (strpos($vpninterface, '_vip')) { | |
| $vpninterface = explode('_vip', $vpninterface); | |
| $ifacesuse[] = get_real_interface($vpninterface[0]); | |
| - } elseif (!empty($vpninterface)) | |
| + } elseif (!empty($vpninterface)) { | |
| $ifacesuse[] = $vpninterface; | |
| + } | |
| } | |
| - | |
| - if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) | |
| + | |
| + if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) { | |
| $aggressive_mode_psk = true; | |
| + } | |
| $ikeid = $ph1ent['ikeid']; | |
| $listeniflist = get_real_interface($a_phase1['interface']); | |
| @@ -217,26 +241,30 @@ function vpn_ipsec_configure($restart = false) | |
| continue; | |
| } | |
| - if(!in_array($ep,$ipmap)) | |
| + if (!in_array($ep, $ipmap)) { | |
| $ipmap[] = $ep; | |
| + } | |
| /* see if this tunnel has a hostname for the remote-gateway. If so, | |
| try to resolve it now and add it to the list for filterdns */ | |
| - if (isset ($ph1ent['mobile'])) | |
| + if (isset ($ph1ent['mobile'])) { | |
| continue; | |
| + } | |
| $rg = $ph1ent['remote-gateway']; | |
| if (!is_ipaddr($rg)) { | |
| $filterdns_list[] = "{$rg}"; | |
| add_hostname_to_watch($rg); | |
| - if (!platform_booting()) | |
| + if (!platform_booting()) { | |
| $rg = resolve_retry($rg); | |
| - if (!is_ipaddr($rg)) | |
| + } | |
| + if (!is_ipaddr($rg)) { | |
| continue; | |
| + } | |
| } | |
| - if(array_search($rg, $rgmap)) { | |
| + if (array_search($rg, $rgmap)) { | |
| log_error("The remote gateway {$rg} already exists on another phase 1 entry"); | |
| continue; | |
| } | |
| @@ -245,24 +273,27 @@ function vpn_ipsec_configure($restart = false) | |
| if (is_array($a_phase2)) { | |
| /* step through each phase2 entry */ | |
| foreach ($a_phase2 as $ph2ent) { | |
| - if (isset($ph2ent['disabled'])) | |
| + if (isset($ph2ent['disabled'])) { | |
| continue; | |
| + } | |
| - if ($ikeid != $ph2ent['ikeid']) | |
| + if ($ikeid != $ph2ent['ikeid']) { | |
| continue; | |
| + } | |
| /* add an ipsec pinghosts entry */ | |
| if ($ph2ent['pinghost']) { | |
| - if (!is_array($iflist)) | |
| + if (!is_array($iflist)) { | |
| $iflist = get_configured_interface_list(); | |
| - $viplist = get_configured_vips_list(); | |
| + } | |
| $srcip = null; | |
| $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); | |
| - if(is_ipaddrv6($ph2ent['pinghost'])) { | |
| + if (is_ipaddrv6($ph2ent['pinghost'])) { | |
| foreach ($iflist as $ifent => $ifname) { | |
| $interface_ip = get_interface_ipv6($ifent); | |
| - if(!is_ipaddrv6($interface_ip)) | |
| + if (!is_ipaddrv6($interface_ip)) { | |
| continue; | |
| + } | |
| if (ip_in_subnet($interface_ip, $local_subnet)) { | |
| $srcip = $interface_ip; | |
| break; | |
| @@ -271,8 +302,9 @@ function vpn_ipsec_configure($restart = false) | |
| } else { | |
| foreach ($iflist as $ifent => $ifname) { | |
| $interface_ip = get_interface_ip($ifent); | |
| - if(!is_ipaddrv4($interface_ip)) | |
| + if (!is_ipaddrv4($interface_ip)) { | |
| continue; | |
| + } | |
| if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) { | |
| $srcip = $interface_ip; | |
| break; | |
| @@ -281,6 +313,7 @@ function vpn_ipsec_configure($restart = false) | |
| } | |
| /* if no valid src IP was found in configured interfaces, try the vips */ | |
| if (is_null($srcip)) { | |
| + $viplist = get_configured_vips_list(); | |
| foreach ($viplist as $vip) { | |
| if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { | |
| $srcip = $vip['ipaddr']; | |
| @@ -289,13 +322,14 @@ function vpn_ipsec_configure($restart = false) | |
| } | |
| } | |
| $dstip = $ph2ent['pinghost']; | |
| - if(is_ipaddrv6($dstip)) { | |
| + if (is_ipaddrv6($dstip)) { | |
| $family = "inet6"; | |
| } else { | |
| $family = "inet"; | |
| } | |
| - if (is_ipaddr($srcip)) | |
| + if (is_ipaddr($srcip)) { | |
| $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"; | |
| + } | |
| } | |
| } | |
| } | |
| @@ -306,20 +340,23 @@ function vpn_ipsec_configure($restart = false) | |
| unset($iflist); | |
| $accept_unencrypted = ""; | |
| - if (isset($config['ipsec']['acceptunencryptedmainmode'])) | |
| + if (isset($config['ipsec']['acceptunencryptedmainmode'])) { | |
| $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes"; | |
| + } | |
| $stronconf = ''; | |
| - if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) | |
| + if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) { | |
| $stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf"); | |
| + } | |
| $i_dont_care_about_security_and_use_aggressive_mode_psk = ""; | |
| if ($aggressive_mode_psk) { | |
| log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration."); | |
| - if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) | |
| + if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) { | |
| $restart = true; | |
| + } | |
| $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes"; | |
| - } | |
| + } | |
| $unity_enabled = 'yes'; | |
| if (isset($config['ipsec']['unityplugin'])) { | |
| @@ -354,7 +391,7 @@ function vpn_ipsec_configure($restart = false) | |
| $strongswan = <<<EOD | |
| -# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. | |
| +# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. | |
| starter { | |
| load_warning = no | |
| } | |
| @@ -416,44 +453,56 @@ EOD; | |
| if (is_array($a_client) && isset($a_client['enable'])) { | |
| $strongswan .= "\t\tattr {\n"; | |
| - if ($a_client['pool_address'] && $a_client['pool_netbits']) | |
| + if ($a_client['pool_address'] && $a_client['pool_netbits']) { | |
| $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; | |
| + } | |
| $cfgservers = array(); | |
| - if (!empty($a_client['dns_server1'])) | |
| + if (!empty($a_client['dns_server1'])) { | |
| $cfgservers[] = $a_client['dns_server1']; | |
| - if (!empty($a_client['dns_server2'])) | |
| + } | |
| + if (!empty($a_client['dns_server2'])) { | |
| $cfgservers[] = $a_client['dns_server2']; | |
| - if (!empty($a_client['dns_server3'])) | |
| + } | |
| + if (!empty($a_client['dns_server3'])) { | |
| $cfgservers[] = $a_client['dns_server3']; | |
| - if (!empty($a_client['dns_server4'])) | |
| + } | |
| + if (!empty($a_client['dns_server4'])) { | |
| $cfgservers[] = $a_client['dns_server4']; | |
| + } | |
| - if (!empty($cfgservers)) | |
| + if (!empty($cfgservers)) { | |
| $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n"; | |
| + } | |
| unset($cfgservers); | |
| $cfgservers = array(); | |
| - if (!empty($a_client['wins_server1'])) | |
| + if (!empty($a_client['wins_server1'])) { | |
| $cfgservers[] = $a_client['wins_server1']; | |
| - if (!empty($a_client['wins_server2'])) | |
| + } | |
| + if (!empty($a_client['wins_server2'])) { | |
| $cfgservers[] = $a_client['wins_server2']; | |
| - if (!empty($cfgservers)) | |
| + } | |
| + if (!empty($cfgservers)) { | |
| $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n"; | |
| + } | |
| unset($cfgservers); | |
| if (isset($a_client['net_list']) && is_array($a_phase2)) { | |
| $net_list = ''; | |
| foreach ($a_phase2 as $ph2ent) { | |
| - if (isset($ph2ent['disabled'])) | |
| + if (isset($ph2ent['disabled'])) { | |
| continue; | |
| + } | |
| - if (!isset($ph2ent['mobile'])) | |
| + if (!isset($ph2ent['mobile'])) { | |
| continue; | |
| + } | |
| $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); | |
| - if (!empty($net_list)) | |
| + if (!empty($net_list)) { | |
| $net_list .= ","; | |
| + } | |
| $net_list .= $localid; | |
| } | |
| @@ -476,14 +525,17 @@ EOD; | |
| $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n"; | |
| } | |
| - if (!empty($a_client['login_banner'])) | |
| + if (!empty($a_client['login_banner'])) { | |
| $strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n"; | |
| + } | |
| - if (isset($a_client['save_passwd'])) | |
| + if (isset($a_client['save_passwd'])) { | |
| $strongswan .= "\t\t\t28673 = 1\n"; | |
| + } | |
| - if ($a_client['pfs_group']) | |
| + if ($a_client['pfs_group']) { | |
| $strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n"; | |
| + } | |
| $strongswan .= "\t\t}\n"; | |
| if ($a_client['user_source'] != "none") { | |
| @@ -493,10 +545,12 @@ EOD; | |
| $firstsed = 0; | |
| $authcfgs = explode(",", $a_client['user_source']); | |
| foreach ($authcfgs as $authcfg) { | |
| - if ($firstsed > 0) | |
| + if ($firstsed > 0) { | |
| $strongswan .= ","; | |
| - if ($authcfg == "system") | |
| + } | |
| + if ($authcfg == "system") { | |
| $authcfg = "Local Database"; | |
| + } | |
| $strongswan .= $authcfg; | |
| $firstsed = 1; | |
| } | |
| @@ -536,8 +590,9 @@ EOD; | |
| if (is_array($a_phase1) && count($a_phase1)) { | |
| foreach ($a_phase1 as $ph1ent) { | |
| - if (isset($ph1ent['disabled'])) | |
| + if (isset($ph1ent['disabled'])) { | |
| continue; | |
| + } | |
| if (strstr($ph1ent['authentication_method'], 'rsa') || | |
| in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) { | |
| @@ -576,12 +631,15 @@ EOD; | |
| $myid = trim($myid_data); | |
| - if (empty($peerid_data)) | |
| + if (empty($peerid_data)) { | |
| continue; | |
| + } | |
| if ($myid_type == 'fqdn' && !empty($myid)) { | |
| $myid = "@{$myid}"; | |
| } | |
| + | |
| + $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any"; | |
| $peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : ''; | |
| @@ -609,10 +667,12 @@ EOD; | |
| /* add PSKs for mobile clients */ | |
| if (is_array($ipseccfg['mobilekey'])) { | |
| foreach ($ipseccfg['mobilekey'] as $key) { | |
| - if ($key['ident'] == "allusers") | |
| + if ($key['ident'] == "allusers") { | |
| $key['ident'] = '%any'; | |
| - if (empty($key['type'])) | |
| + } | |
| + if (empty($key['type'])) { | |
| $key['type'] = 'PSK'; | |
| + } | |
| $pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; | |
| } | |
| unset($key); | |
| @@ -632,7 +692,7 @@ EOD; | |
| /* begin ipsec.conf */ | |
| $ipsecconf = ""; | |
| $enablecompression = false; | |
| - if (is_array($a_phase1) && count($a_phase1)) { | |
| + if (is_array($a_phase1) && count($a_phase1)) { | |
| $ipsecconf .= "# This file is automatically generated. Do not edit\n"; | |
| $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n"; | |
| @@ -659,17 +719,20 @@ EOD; | |
| } | |
| foreach ($a_phase1 as $ph1ent) { | |
| - if (isset($ph1ent['disabled'])) | |
| + if (isset($ph1ent['disabled'])) { | |
| continue; | |
| + } | |
| - if ($ph1ent['mode'] == "aggressive") | |
| + if ($ph1ent['mode'] == "aggressive") { | |
| $aggressive = "yes"; | |
| - else | |
| + } else { | |
| $aggressive = "no"; | |
| + } | |
| $ep = ipsec_get_phase1_src($ph1ent); | |
| - if (!$ep) | |
| + if (!$ep) { | |
| continue; | |
| + } | |
| $ikeid = $ph1ent['ikeid']; | |
| $keyexchange = "ikev1"; | |
| @@ -678,22 +741,25 @@ EOD; | |
| if ($ph1ent['iketype'] == "ikev2") { | |
| $keyexchange = "ikev2"; | |
| //$passive = "start"; | |
| - } else if ($ph1ent['iketype'] == "auto") | |
| + } else if ($ph1ent['iketype'] == "auto") { | |
| $keyexchange = "ike"; | |
| + } | |
| } | |
| if (isset($ph1ent['mobile'])) { | |
| $right_spec = "%any"; | |
| $passive = 'add'; | |
| } else { | |
| - if (isset($ph1ent['responderonly'])) | |
| + if (isset($ph1ent['responderonly'])) { | |
| $passive = 'add'; | |
| + } | |
| $right_spec = $ph1ent['remote-gateway']; | |
| - if (is_ipaddr($right_spec)) | |
| + if (is_ipaddr($right_spec)) { | |
| $sourcehost = $right_spec; | |
| - else | |
| + } else { | |
| $sourcehost = $rgmap['remote-gateway']; | |
| + } | |
| if ($ph1ent['protocol'] == 'inet') { | |
| if (strpos($ph1ent['interface'], '_vip')) { | |
| @@ -710,7 +776,7 @@ EOD; | |
| $vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); | |
| } | |
| } | |
| - | |
| + | |
| if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { | |
| $gatewayip = get_interface_gateway($vpninterface); | |
| $interfaceip = get_interface_ip($vpninterface); | |
| @@ -739,7 +805,7 @@ EOD; | |
| $vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); | |
| } | |
| } | |
| - | |
| + | |
| if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { | |
| $gatewayip = get_interface_gateway_v6($vpninterface); | |
| $interfaceip = get_interface_ipv6($vpninterface); | |
| @@ -757,136 +823,156 @@ EOD; | |
| } | |
| list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local'); | |
| - if ($myid_type != 'address') | |
| + if ($myid_type != 'address' && $myid_type != 'keyid') { | |
| $myid_data = "{$myid_type}:{$myid_data}"; | |
| + } | |
| /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ | |
| $peerid_spec = ''; | |
| if (!isset($ph1ent['mobile'])) { | |
| list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap); | |
| - if ($peerid_type != 'address') | |
| + if ($peerid_type != 'address' && $peerid_type != 'keyid') { | |
| $peerid_spec = "{$peerid_type}:{$peerid_data}"; | |
| - else | |
| + } else { | |
| $peerid_spec = $peerid_data; | |
| + } | |
| } | |
| if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { | |
| $ealgosp1 = ''; | |
| $ealg_id = $ph1ent['encryption-algorithm']['name']; | |
| $ealg_kl = $ph1ent['encryption-algorithm']['keylen']; | |
| - if ($ealg_kl) | |
| + if ($ealg_kl) { | |
| $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}"; | |
| - else | |
| + } else { | |
| $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; | |
| + } | |
| $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $ealgosp1 .= "-{$modp}"; | |
| + } | |
| $ealgosp1 .= "!"; | |
| } | |
| if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { | |
| - if ($passive == "route") | |
| + if ($passive == "route") { | |
| $dpdline = "dpdaction = restart"; | |
| - else | |
| + } else { | |
| $dpdline = "dpdaction = clear"; | |
| + } | |
| $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; | |
| $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); | |
| $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; | |
| - } else | |
| + } else { | |
| $dpdline = "dpdaction = none"; | |
| + } | |
| $ikelifeline = ''; | |
| - if ($ph1ent['lifetime']) | |
| + if ($ph1ent['lifetime']) { | |
| $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; | |
| + } | |
| $rightsourceip = NULL; | |
| - if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) | |
| + if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) { | |
| $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; | |
| + } | |
| $authentication = ""; | |
| switch ($ph1ent['authentication_method']) { | |
| - case 'eap-mschapv2': | |
| - if (isset($ph1ent['mobile'])) { | |
| - $authentication = "eap_identity=%any\n\t"; | |
| - $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; | |
| - if (!empty($ph1ent['certref'])) | |
| - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - } | |
| - break; | |
| - case 'eap-tls': | |
| - if (isset($ph1ent['mobile'])) { | |
| - $authentication = "eap_identity=%identity\n\t"; | |
| - $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; | |
| - if (!empty($ph1ent['certref'])) | |
| - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - } else { | |
| - $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; | |
| - if (!empty($ph1ent['certref'])) | |
| + case 'eap-mschapv2': | |
| + if (isset($ph1ent['mobile'])) { | |
| + $authentication = "eap_identity=%any\n\t"; | |
| + $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; | |
| + if (!empty($ph1ent['certref'])) { | |
| + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| + } | |
| + } | |
| + break; | |
| + case 'eap-tls': | |
| + if (isset($ph1ent['mobile'])) { | |
| + $authentication = "eap_identity=%identity\n\t"; | |
| + $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; | |
| + if (!empty($ph1ent['certref'])) { | |
| + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| + } | |
| + } else { | |
| + $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; | |
| + if (!empty($ph1ent['certref'])) { | |
| + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| + } | |
| + } | |
| + break; | |
| + case 'eap-radius': | |
| + if (isset($ph1ent['mobile'])) { | |
| + $authentication = "eap_identity=%identity\n\t"; | |
| + $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; | |
| + if (!empty($ph1ent['certref'])) { | |
| + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| + } | |
| + } else { | |
| + $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; | |
| + if (!empty($ph1ent['certref'])) { | |
| + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| + } | |
| + } | |
| + break; | |
| + case 'xauth_rsa_server': | |
| + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
| + $authentication .= "\n\trightauth2 = xauth-generic"; | |
| + if (!empty($ph1ent['certref'])) { | |
| $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - } | |
| - break; | |
| - case 'eap-radius': | |
| - if (isset($ph1ent['mobile'])) { | |
| - $authentication = "eap_identity=%identity\n\t"; | |
| - $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; | |
| - if (!empty($ph1ent['certref'])) | |
| + } | |
| + break; | |
| + case 'xauth_psk_server': | |
| + $authentication = "leftauth = psk\n\trightauth = psk"; | |
| + $authentication .= "\n\trightauth2 = xauth-generic"; | |
| + break; | |
| + case 'pre_shared_key': | |
| + $authentication = "leftauth = psk\n\trightauth = psk"; | |
| + break; | |
| + case 'rsasig': | |
| + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
| + if (!empty($ph1ent['certref'])) { | |
| $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - } else { | |
| - $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; | |
| - if (!empty($ph1ent['certref'])) | |
| + } | |
| + break; | |
| + case 'hybrid_rsa_server': | |
| + $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; | |
| + $authentication .= "\n\trightauth2 = xauth"; | |
| + if (!empty($ph1ent['certref'])) { | |
| $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - } | |
| - break; | |
| - case 'xauth_rsa_server': | |
| - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
| - $authentication .= "\n\trightauth2 = xauth-generic"; | |
| - if (!empty($ph1ent['certref'])) | |
| - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - break; | |
| - case 'xauth_psk_server': | |
| - $authentication = "leftauth = psk\n\trightauth = psk"; | |
| - $authentication .= "\n\trightauth2 = xauth-generic"; | |
| - break; | |
| - case 'pre_shared_key': | |
| - $authentication = "leftauth = psk\n\trightauth = psk"; | |
| - break; | |
| - case 'rsasig': | |
| - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; | |
| - if (!empty($ph1ent['certref'])) | |
| - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - break; | |
| - case 'hybrid_rsa_server': | |
| - $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; | |
| - $authentication .= "\n\trightauth2 = xauth"; | |
| - if (!empty($ph1ent['certref'])) | |
| - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; | |
| - break; | |
| + } | |
| + break; | |
| } | |
| $left_spec = $ep; | |
| - if (isset($ph1ent['reauth_enable'])) | |
| + if (isset($ph1ent['reauth_enable'])) { | |
| $reauth = "reauth = no"; | |
| - else | |
| + } else { | |
| $reauth = "reauth = yes"; | |
| - if (isset($ph1ent['rekey_enable'])) | |
| + } | |
| + if (isset($ph1ent['rekey_enable'])) { | |
| $rekey = "rekey = no"; | |
| - else | |
| + } else { | |
| $rekey = "rekey = yes"; | |
| + } | |
| - if ($ph1ent['nat_traversal'] == 'off') | |
| + if ($ph1ent['nat_traversal'] == 'off') { | |
| $forceencaps = 'forceencaps = no'; | |
| - else if ($ph1ent['nat_traversal'] == 'force') | |
| + } else if ($ph1ent['nat_traversal'] == 'force') { | |
| $forceencaps = 'forceencaps = yes'; | |
| - else | |
| + } else { | |
| $forceencaps = 'forceencaps = no'; | |
| - | |
| - if ($ph1ent['mobike'] == 'on') | |
| + } | |
| + | |
| + if ($ph1ent['mobike'] == 'on') { | |
| $mobike = 'mobike = yes'; | |
| - else | |
| + } else { | |
| $mobike = 'mobike = no'; | |
| + } | |
| $ipseclifetime = 0; | |
| $rightsubnet_spec = array(); | |
| @@ -896,14 +982,17 @@ EOD; | |
| $ealgoESPsp2arr = array(); | |
| if (is_array($a_phase2) && count($a_phase2)) { | |
| foreach ($a_phase2 as $ph2ent) { | |
| - if ($ikeid != $ph2ent['ikeid']) | |
| + if ($ikeid != $ph2ent['ikeid']) { | |
| continue; | |
| + } | |
| - if (isset($ph2ent['disabled'])) | |
| + if (isset($ph2ent['disabled'])) { | |
| continue; | |
| + } | |
| - if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) | |
| + if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) { | |
| continue; | |
| + } | |
| if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { | |
| $tunneltype = "type = tunnel"; | |
| @@ -912,8 +1001,8 @@ EOD; | |
| $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); | |
| /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ | |
| - if (($localid_type == "none" || $localid_type == "mobile") | |
| - && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { | |
| + if (($localid_type == "none" || $localid_type == "mobile") && | |
| + isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) { | |
| $left_spec = '%any'; | |
| } else { | |
| if ($localid_type != "address") { | |
| @@ -925,13 +1014,15 @@ EOD; | |
| continue; | |
| } | |
| if (!empty($ph2ent['natlocalid'])) { | |
| - $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); | |
| + $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); | |
| if ($ph2ent['natlocalid']['type'] != "address") { | |
| - if (is_subnet($natleftsubnet_data)) | |
| + if (is_subnet($natleftsubnet_data)) { | |
| $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; | |
| + } | |
| } else { | |
| - if (is_ipaddr($natleftsubnet_data)) | |
| + if (is_ipaddr($natleftsubnet_data)) { | |
| $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; | |
| + } | |
| } | |
| $natfilterrules = true; | |
| } | |
| @@ -961,8 +1052,9 @@ EOD; | |
| } | |
| } | |
| - if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) | |
| + if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) { | |
| $ph2ent['pfsgroup'] = $a_client['pfs_group']; | |
| + } | |
| if ($ph2ent['protocol'] == 'esp') { | |
| if (is_array($ph2ent['encryption-algorithm-option'])) { | |
| @@ -971,30 +1063,33 @@ EOD; | |
| $ealg_kl = $ealg['keylen']; | |
| if (!empty($ealg_kl) && $ealg_kl == "auto") { | |
| - if (empty($p2_ealgos) || !is_array($p2_ealgos)) | |
| + if (empty($p2_ealgos) || !is_array($p2_ealgos)) { | |
| require("ipsec.inc"); | |
| + } | |
| $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; | |
| $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; | |
| $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; | |
| /* XXX: in some cases where include ordering is suspect these variables | |
| * are somehow 0 and we enter this loop forever and timeout after 900 | |
| * seconds wrecking bootup */ | |
| - if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { | |
| + if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) { | |
| for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { | |
| if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { | |
| foreach ($ph2ent['hash-algorithm-option'] as $halgo) { | |
| $halgo = str_replace('hmac_', '', $halgo); | |
| $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; | |
| $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $tmpealgo .= "-{$modp}"; | |
| + } | |
| $ealgoESPsp2arr[] = $tmpealgo; | |
| } | |
| } else { | |
| $tmpealgo = "{$ealg_id}{$keylen}"; | |
| $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $tmpealgo .= "-{$modp}"; | |
| + } | |
| $ealgoESPsp2arr[] = $tmpealgo; | |
| } | |
| } | |
| @@ -1005,15 +1100,17 @@ EOD; | |
| $halgo = str_replace('hmac_', '', $halgo); | |
| $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; | |
| $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $tmpealgo .= "-{$modp}"; | |
| + } | |
| $ealgoESPsp2arr[] = $tmpealgo; | |
| } | |
| } else { | |
| $tmpealgo = "{$ealg_id}{$ealg_kl}"; | |
| $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $tmpealgo .= "-{$modp}"; | |
| + } | |
| $ealgoESPsp2arr[] = $tmpealgo; | |
| } | |
| } | |
| @@ -1024,8 +1121,9 @@ EOD; | |
| $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); | |
| foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { | |
| $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); | |
| - if (!empty($modp)) | |
| + if (!empty($modp)) { | |
| $tmpAHalgo = "-{$modp}"; | |
| + } | |
| $ealgoAHsp2arr[] = $tmpAHalgo; | |
| } | |
| } | |
| @@ -1034,8 +1132,9 @@ EOD; | |
| $reqids[] = $ph2ent['reqid']; | |
| if (!empty($ph2ent['lifetime'])) { | |
| - if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) | |
| + if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) { | |
| $ipseclifetime = intval($ph2ent['lifetime']); | |
| + } | |
| } | |
| } | |
| @@ -1062,61 +1161,74 @@ EOD; | |
| $ipsecconnect .= "\tcompress = yes\n"; | |
| $enablecompression = true; | |
| } | |
| - if (!empty($ikelifeline)) | |
| + if (!empty($ikelifeline)) { | |
| $ipsecconnect .= "\t{$ikelifeline}\n"; | |
| - if ($ipseclifetime > 0) | |
| + } | |
| + if ($ipseclifetime > 0) { | |
| $ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n"; | |
| - if (!empty($rightsourceip)) | |
| + } | |
| + if (!empty($rightsourceip)) { | |
| $ipsecconnect .= "{$rightsourceip}"; | |
| - if (!empty($ealgosp1)) | |
| + } | |
| + if (!empty($ealgosp1)) { | |
| $ipsecconnect .= "\t{$ealgosp1}\n"; | |
| - if (!empty($ealgoAHsp2arr)) | |
| + } | |
| + if (!empty($ealgoAHsp2arr)) { | |
| $ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n"; | |
| - if (!empty($ealgoESPsp2arr)) | |
| + } | |
| + if (!empty($ealgoESPsp2arr)) { | |
| $ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; | |
| - if (!empty($authentication)) | |
| + } | |
| + if (!empty($authentication)) { | |
| $ipsecconnect .= "\t{$authentication}\n"; | |
| - if (!empty($peerid_spec)) | |
| + } | |
| + if (!empty($peerid_spec)) { | |
| $ipsecconnect .= "\trightid = {$peerid_spec}\n"; | |
| - if ($keyexchange == 'ikev1') | |
| + } | |
| + if ($keyexchange == 'ikev1') { | |
| $ipsecconnect .= "\taggressive = {$aggressive}\n"; | |
| + } | |
| if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') { | |
| if (!empty($rightsubnet_spec)) { | |
| $ipsecfin = ''; | |
| foreach ($rightsubnet_spec as $idx => $rsubnet) { | |
| $ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n"; | |
| - //if (!empty($reqids[$idx])) | |
| + //if (!empty($reqids[$idx])) { | |
| // $ipsecfin .= "\treqid = " . $reqids[$idx] . "\n"; | |
| + //} | |
| $ipsecfin .= $ipsecconnect; | |
| $ipsecfin .= "\trightsubnet = {$rsubnet}\n"; | |
| $ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n"; | |
| } | |
| - } else | |
| + } else { | |
| log_error("No phase2 specifications for tunnel with REQID = {$ikeid}"); | |
| + } | |
| } else { | |
| $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n"; | |
| - //if (!empty($reqids[$idx])) | |
| + //if (!empty($reqids[$idx])) { | |
| // $ipsecfin .= "\treqid = " . $reqids[0] . "\n"; | |
| + //} | |
| $ipsecfin .= $ipsecconnect; | |
| if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) { | |
| $tempsubnets = array(); | |
| - foreach ($rightsubnet_spec as $rightsubnet) | |
| + foreach ($rightsubnet_spec as $rightsubnet) { | |
| $tempsubnets[$rightsubnet] = $rightsubnet; | |
| + } | |
| $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n"; | |
| unset($tempsubnets, $rightsubnet); | |
| } | |
| if (!empty($leftsubnet_spec)) { | |
| $tempsubnets = array(); | |
| - foreach ($leftsubnet_spec as $leftsubnet) | |
| + foreach ($leftsubnet_spec as $leftsubnet) { | |
| $tempsubnets[$leftsubnet] = $leftsubnet; | |
| + } | |
| $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n"; | |
| unset($tempsubnets, $leftsubnet); | |
| } | |
| } | |
| $ipsecconf .= $ipsecfin; | |
| unset($ipsecfin); | |
| - | |
| } | |
| } | |
| @@ -1124,14 +1236,15 @@ EOD; | |
| unset($ipsecconf); | |
| /* end ipsec.conf */ | |
| - if ($enablecompression === true) | |
| + if ($enablecompression === true) { | |
| set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1); | |
| - else | |
| + } else { | |
| set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0); | |
| + } | |
| - /* mange process */ | |
| + /* manage process */ | |
| if ($restart === true) { | |
| - mwexec("/usr/local/sbin/ipsec restart", false); | |
| + mwexec("/usr/local/sbin/ipsec restart", false); | |
| } else { | |
| if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) { | |
| /* Update configuration changes */ | |
| @@ -1139,28 +1252,31 @@ EOD; | |
| mwexec("/usr/local/sbin/ipsec rereadall", false); | |
| mwexec("/usr/local/sbin/ipsec reload", false); | |
| } else { | |
| - mwexec("/usr/local/sbin/ipsec start", false); | |
| + mwexec("/usr/local/sbin/ipsec start", false); | |
| } | |
| } | |
| - if ($natfilterrules == true) | |
| + if ($natfilterrules == true) { | |
| filter_configure(); | |
| + } | |
| /* start filterdns, if necessary */ | |
| if (count($filterdns_list) > 0) { | |
| $interval = 60; | |
| - if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) | |
| + if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) { | |
| $interval = $ipseccfg['dns-interval']; | |
| + } | |
| $hostnames = ""; | |
| array_unique($filterdns_list); | |
| - foreach ($filterdns_list as $hostname) | |
| + foreach ($filterdns_list as $hostname) { | |
| $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; | |
| + } | |
| file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames); | |
| unset($hostnames); | |
| - if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) | |
| + if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) { | |
| sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP"); | |
| - else { | |
| + } else { | |
| mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1"); | |
| } | |
| } else { | |
| @@ -1168,8 +1284,9 @@ EOD; | |
| @unlink("{$g['varrun_path']}/filterdns-ipsec.pid"); | |
| } | |
| - if (platform_booting()) | |
| + if (platform_booting()) { | |
| echo "done\n"; | |
| + } | |
| return count($filterdns_list); | |
| } | |
| @@ -1210,8 +1327,9 @@ function vpn_ipsec_force_reload($interface = "") { | |
| function vpn_setup() { | |
| global $g; | |
| - if ($g['platform'] == 'jail') | |
| + if ($g['platform'] == 'jail') { | |
| return; | |
| + } | |
| /* start pptpd */ | |
| vpn_pptpd_configure(); | |
| @@ -1229,8 +1347,9 @@ function vpn_netgraph_support() { | |
| $realif = get_real_interface($iface); | |
| /* Get support for netgraph(4) from the nic */ | |
| $ifinfo = pfSense_get_interface_addresses($realif); | |
| - if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) | |
| + if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) { | |
| pfSense_ngctl_attach(".", $realif); | |
| + } | |
| } | |
| } | |
| @@ -1241,11 +1360,13 @@ function vpn_pptpd_configure() { | |
| $pptpdcfg = $config['pptpd']; | |
| if (platform_booting()) { | |
| - if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) | |
| + if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) { | |
| return 0; | |
| + } | |
| - if (platform_booting(true)) | |
| + if (platform_booting(true)) { | |
| echo gettext("Configuring PPTP VPN service... "); | |
| + } | |
| } else { | |
| /* kill mpd */ | |
| killbypid("{$g['varrun_path']}/pptp-vpn.pid"); | |
| @@ -1270,11 +1391,12 @@ function vpn_pptpd_configure() { | |
| } | |
| /* make sure pptp-vpn directory exists */ | |
| - if (!file_exists("{$g['varetc_path']}/pptp-vpn")) | |
| + if (!file_exists("{$g['varetc_path']}/pptp-vpn")) { | |
| mkdir("{$g['varetc_path']}/pptp-vpn"); | |
| + } | |
| switch ($pptpdcfg['mode']) { | |
| - case 'server' : | |
| + case 'server': | |
| /* write mpd.conf */ | |
| $fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w"); | |
| if (!$fd) { | |
| @@ -1337,23 +1459,27 @@ EOD; | |
| EOD; | |
| } | |
| - if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") | |
| - $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; | |
| + if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") { | |
| + $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; | |
| + } | |
| if (!empty($pptpdcfg['dns1'])) { | |
| $mpdconf .= " set ipcp dns " . $pptpdcfg['dns1']; | |
| - if (!empty($pptpdcfg['dns2'])) | |
| + if (!empty($pptpdcfg['dns2'])) { | |
| $mpdconf .= " " . $pptpdcfg['dns2']; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset ($config['dnsmasq']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset($config['unbound']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
| $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
| @@ -1366,15 +1492,15 @@ EOD; | |
| set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport} | |
| EOD; | |
| - if (isset ($pptpdcfg['radius']['server2']['enable'])) { | |
| - $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; | |
| - $acctport = $authport + 1; | |
| - $mpdconf .=<<<EOD | |
| + if (isset ($pptpdcfg['radius']['server2']['enable'])) { | |
| + $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; | |
| + $acctport = $authport + 1; | |
| + $mpdconf .=<<<EOD | |
| set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport} | |
| EOD; | |
| - } | |
| - $mpdconf .=<<<EOD | |
| + } | |
| + $mpdconf .=<<<EOD | |
| set radius retries 3 | |
| set radius timeout 10 | |
| set auth enable radius-auth | |
| @@ -1448,12 +1574,13 @@ EOD; | |
| break; | |
| - case 'redir' : | |
| + case 'redir': | |
| break; | |
| } | |
| - if (platform_booting()) | |
| + if (platform_booting()) { | |
| echo "done\n"; | |
| + } | |
| return 0; | |
| } | |
| @@ -1462,8 +1589,9 @@ function vpn_pppoes_configure() { | |
| global $config; | |
| if (is_array($config['pppoes']['pppoe'])) { | |
| - foreach ($config['pppoes']['pppoe'] as $pppoe) | |
| + foreach ($config['pppoes']['pppoe'] as $pppoe) { | |
| vpn_pppoe_configure($pppoe); | |
| + } | |
| } | |
| } | |
| @@ -1473,12 +1601,14 @@ function vpn_pppoe_configure(&$pppoecfg) { | |
| $syscfg = $config['system']; | |
| /* create directory if it does not exist */ | |
| - if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) | |
| + if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) { | |
| mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn"); | |
| + } | |
| if (platform_booting()) { | |
| - if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) | |
| + if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) { | |
| return 0; | |
| + } | |
| echo gettext("Configuring PPPoE Server service... "); | |
| } else { | |
| @@ -1492,14 +1622,15 @@ function vpn_pppoe_configure(&$pppoecfg) { | |
| switch ($pppoecfg['mode']) { | |
| - case 'server' : | |
| + case 'server': | |
| $pppoe_interface = get_real_interface($pppoecfg['interface']); | |
| - if ($pppoecfg['paporchap'] == "chap") | |
| + if ($pppoecfg['paporchap'] == "chap") { | |
| $paporchap = "set link enable chap"; | |
| - else | |
| + } else { | |
| $paporchap = "set link enable pap"; | |
| + } | |
| /* write mpd.conf */ | |
| $fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w"); | |
| @@ -1566,18 +1697,21 @@ EOD; | |
| if (!empty($pppoecfg['dns1'])) { | |
| $mpdconf .= " set ipcp dns " . $pppoecfg['dns1']; | |
| - if (!empty($pppoecfg['dns2'])) | |
| + if (!empty($pppoecfg['dns2'])) { | |
| $mpdconf .= " " . $pppoecfg['dns2']; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset ($config['dnsmasq']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset ($config['unbound']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
| $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
| @@ -1586,10 +1720,12 @@ EOD; | |
| if (isset ($pppoecfg['radius']['server']['enable'])) { | |
| $radiusport = ""; | |
| $radiusacctport = ""; | |
| - if (isset($pppoecfg['radius']['server']['port'])) | |
| + if (isset($pppoecfg['radius']['server']['port'])) { | |
| $radiusport = $pppoecfg['radius']['server']['port']; | |
| - if (isset($pppoecfg['radius']['server']['acctport'])) | |
| + } | |
| + if (isset($pppoecfg['radius']['server']['acctport'])) { | |
| $radiusacctport = $pppoecfg['radius']['server']['acctport']; | |
| + } | |
| $mpdconf .=<<<EOD | |
| set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport} | |
| set radius retries 3 | |
| @@ -1648,7 +1784,7 @@ EOD; | |
| if (!empty($pppoecfg['username'])) { | |
| $item = explode(" ", $pppoecfg['username']); | |
| - foreach($item as $userdata) { | |
| + foreach ($item as $userdata) { | |
| $data = explode(":", $userdata); | |
| $mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n"; | |
| } | |
| @@ -1661,8 +1797,9 @@ EOD; | |
| } | |
| /* Check if previous instance is still up */ | |
| - while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) | |
| + while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) { | |
| killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid"); | |
| + } | |
| /* Get support for netgraph(4) from the nic */ | |
| pfSense_ngctl_attach(".", $pppoe_interface); | |
| @@ -1672,8 +1809,9 @@ EOD; | |
| break; | |
| } | |
| - if (platform_booting()) | |
| + if (platform_booting()) { | |
| echo gettext("done") . "\n"; | |
| + } | |
| return 0; | |
| } | |
| @@ -1685,12 +1823,14 @@ function vpn_l2tp_configure() { | |
| $l2tpcfg = $config['l2tp']; | |
| /* create directory if it does not exist */ | |
| - if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) | |
| + if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) { | |
| mkdir("{$g['varetc_path']}/l2tp-vpn"); | |
| + } | |
| if (platform_booting()) { | |
| - if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) | |
| + if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) { | |
| return 0; | |
| + } | |
| echo gettext("Configuring l2tp VPN service... "); | |
| } else { | |
| @@ -1703,16 +1843,18 @@ function vpn_l2tp_configure() { | |
| } | |
| /* make sure l2tp-vpn directory exists */ | |
| - if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) | |
| + if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) { | |
| mkdir("{$g['varetc_path']}/l2tp-vpn"); | |
| + } | |
| switch ($l2tpcfg['mode']) { | |
| - case 'server' : | |
| - if ($l2tpcfg['paporchap'] == "chap") | |
| + case 'server': | |
| + if ($l2tpcfg['paporchap'] == "chap") { | |
| $paporchap = "set link enable chap"; | |
| - else | |
| + } else { | |
| $paporchap = "set link enable pap"; | |
| + } | |
| /* write mpd.conf */ | |
| $fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w"); | |
| @@ -1775,21 +1917,24 @@ EOD; | |
| } | |
| if (is_ipaddr($l2tpcfg['dns1'])) { | |
| $mpdconf .= " set ipcp dns " . $l2tpcfg['dns1']; | |
| - if (is_ipaddr($l2tpcfg['dns2'])) | |
| + if (is_ipaddr($l2tpcfg['dns2'])) { | |
| $mpdconf .= " " . $l2tpcfg['dns2']; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset ($config['dnsmasq']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (isset ($config['unbound']['enable'])) { | |
| $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); | |
| - if ($syscfg['dnsserver'][0]) | |
| + if ($syscfg['dnsserver'][0]) { | |
| $mpdconf .= " " . $syscfg['dnsserver'][0]; | |
| + } | |
| $mpdconf .= "\n"; | |
| } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { | |
| - $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
| + $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; | |
| } | |
| if (isset ($l2tpcfg['radius']['enable'])) { | |
| @@ -1831,8 +1976,9 @@ l2tp{$i}: | |
| set l2tp disable originate | |
| EOD; | |
| - if (!empty($l2tpcfg['secret'])) | |
| + if (!empty($l2tpcfg['secret'])) { | |
| $mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n"; | |
| + } | |
| } | |
| fwrite($fd, $mpdlinks); | |
| @@ -1849,8 +1995,9 @@ EOD; | |
| $mpdsecret = "\n\n"; | |
| if (is_array($l2tpcfg['user'])) { | |
| - foreach ($l2tpcfg['user'] as $user) | |
| + foreach ($l2tpcfg['user'] as $user) { | |
| $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; | |
| + } | |
| } | |
| fwrite($fd, $mpdsecret); | |
| @@ -1865,12 +2012,13 @@ EOD; | |
| break; | |
| - case 'redir' : | |
| + case 'redir': | |
| break; | |
| } | |
| - if (platform_booting()) | |
| + if (platform_booting()) { | |
| echo "done\n"; | |
| + } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment