public inbox for development@lists.ipfire.org
* Easy IPsec connections for macOS & iOS
@ 2020-05-28 17:58 Michael Tremer
  2020-05-28 17:58 ` [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes Michael Tremer
                   ` (16 more replies)
  0 siblings, 17 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Hello,

I have created a couple of patches for review. They introduce the creation
of IPsec roadwarrior connections for Apple devices.

IPsec connections can be easily exported as an XML structure which
can be imported into any iOS or macOS device.

Those connections allow all traffic from that device to be routed
through an IPFire instance in a data center, and split-horizon
VPNs are supported, too.

The configuration is as simple as usual, although Apple has some
(sane) requirements on certificate lifetimes and really makes sure
that they are talking to the correct peer.

I have added a wiki page that explains how the connection needs to
be set up:

  https://wiki.ipfire.org/configuration/services/ipsec/apple

I would like to encourage everyone to review my patches and test them
as well as the provided documentation.

As soon as I have some feedback, I would like to put this patchset
forward to be merged into the next Core Update.

Best,
-Michael
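Added example, not part of the patch series or of the IPFire code base: the payload tree the series exports (a Configuration profile wrapping one com.apple.vpn.managed IKEv2 payload and, for certificate authentication, one com.apple.security.pkcs12 payload), built and checked with Python's standard plistlib. `NAIVE_TEMPLATE` is constructed to mirror what a string-printing exporter produces, with placeholder UUIDs, a fixed inner PayloadIdentifier and values pasted into the XML unescaped; `build_profile` produces the same tree with proper escaping and base64 `<data>`; `lint_profile` reports what a device or MDM trips over. The hostname `vpn.example.org`, the `base_identifier` prefix and the DER bytes used as a stand-in PKCS#12 are assumptions of this example.

```python
"""Check an Apple configuration profile (.mobileconfig) of the shape the
vpnmain.cgi export prints: a Configuration payload wrapping one
com.apple.vpn.managed IKEv2 payload and, for certificate authentication,
one com.apple.security.pkcs12 payload.  Added example, not IPFire code."""
import plistlib
import uuid

# Constructed to mirror the prototype's output: placeholder UUIDs, a fixed
# inner PayloadIdentifier, and values interpolated into the XML unescaped.
NAIVE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadIdentifier</key><string>{name}</string>
<key>PayloadUUID</key><string>AAAABBBB</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadIdentifier</key><string>org.example.vpn1.conf1</string>
<key>PayloadUUID</key><string>CCCCDDDD</string>
<key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>VPNType</key><string>IKEv2</string>
<key>IKEv2</key><dict>
<key>RemoteAddress</key><string>vpn.example.org</string>
<key>AuthenticationMethod</key><string>SharedSecret</string>
<key>SharedSecret</key><string>{psk}</string>
</dict></dict></array></dict></plist>"""

def naive_profile(name, psk):
    """What plain string interpolation yields; breaks on '&' or '<' in the PSK."""
    return NAIVE_TEMPLATE.format(name=name, psk=psk).encode("utf-8")

def build_profile(name, remote_address, base_identifier, psk=None, pkcs12=None):
    """Same structure via plistlib, so values are XML-escaped and the PKCS#12
    bytes become <data>.  base_identifier: a stable reverse-DNS prefix chosen
    by the operator (an assumption of this example)."""
    ike = {"RemoteAddress": remote_address, "ExtendedAuthEnabled": 0}
    vpn = {"PayloadIdentifier": "%s.%s.vpn" % (base_identifier, name),
           "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
           "PayloadType": "com.apple.vpn.managed", "UserDefinedName": name,
           "VPNType": "IKEv2", "IKEv2": ike}
    content = [vpn]
    if pkcs12 is None:
        ike["AuthenticationMethod"], ike["SharedSecret"] = "SharedSecret", psk or ""
    else:
        cert_uuid = str(uuid.uuid4()).upper()
        ike["AuthenticationMethod"], ike["PayloadCertificateUUID"] = "Certificate", cert_uuid
        content.append({"PayloadIdentifier": "%s.%s.cert" % (base_identifier, name),
                        "PayloadUUID": cert_uuid, "PayloadVersion": 1,
                        "PayloadType": "com.apple.security.pkcs12",
                        "PayloadContent": pkcs12})  # bytes -> base64 <data>
    top = {"PayloadDisplayName": name, "PayloadVersion": 1,
           "PayloadIdentifier": "%s.%s" % (base_identifier, name),
           "PayloadUUID": str(uuid.uuid4()).upper(),
           "PayloadType": "Configuration", "PayloadContent": content}
    return plistlib.dumps(top)

def shared_secret(profile):
    """The PSK a device would import (None for certificate authentication)."""
    return plistlib.loads(profile)["PayloadContent"][0]["IKEv2"].get("SharedSecret")

def _valid_uuid(value):
    try:  # dashed RFC 4122 form, case-insensitive; placeholders like AAAABBBB fail
        return str(uuid.UUID(value)).upper() == value.upper()
    except (ValueError, AttributeError, TypeError):
        return False

def lint_profile(profile):
    """Return findings a device or MDM would trip over; [] means it passed."""
    try:
        top = plistlib.loads(profile)
    except Exception as exc:  # malformed XML, e.g. an unescaped '&' in a value
        return ["not a parseable plist: %s" % exc]
    findings, payloads = [], top.get("PayloadContent") or []
    ids = [top.get("PayloadIdentifier")] + [p.get("PayloadIdentifier") for p in payloads]
    if len(set(ids)) != len(ids):
        findings.append("PayloadIdentifier values are not unique")
    by_uuid = {}
    for p in [top] + payloads:
        u = p.get("PayloadUUID")
        if not _valid_uuid(u):
            findings.append("%s: PayloadUUID %r is not well-formed" % (p.get("PayloadType"), u))
        by_uuid[u] = p
    vpn = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if top.get("PayloadType") != "Configuration" or len(vpn) != 1:
        return findings + ["expected a Configuration with one com.apple.vpn.managed payload"]
    ike = vpn[0].get("IKEv2") or {}
    if vpn[0].get("VPNType") != "IKEv2" or not ike.get("RemoteAddress"):
        findings.append("VPN payload must be IKEv2 and carry a RemoteAddress")
    method = ike.get("AuthenticationMethod")
    if method == "SharedSecret":
        if not ike.get("SharedSecret"):
            findings.append("SharedSecret authentication with an empty secret")
    elif method == "Certificate":
        cert = by_uuid.get(ike.get("PayloadCertificateUUID"))
        if cert is None or cert.get("PayloadType") != "com.apple.security.pkcs12":
            findings.append("PayloadCertificateUUID does not reference a pkcs12 payload")
        elif not cert.get("PayloadContent"):
            findings.append("pkcs12 payload is empty (certificate file was not read)")
        elif cert["PayloadContent"][:1] != b"\x30":  # a PFX is a DER SEQUENCE
            findings.append("pkcs12 payload does not start with a DER SEQUENCE")
    else:
        findings.append("unknown AuthenticationMethod %r" % (method,))
    return findings
```

Run `lint_profile` on a downloaded .mobileconfig before handing it to a device: a secret such as `s<e&c>ret` survives `build_profile` unchanged, while the same secret in `naive_profile` makes the file unparseable, and the placeholder UUIDs are reported even when the XML is otherwise fine.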




* [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 02/16] IPsec: Add prototype to export Apple Configuration profiles Michael Tremer
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e0f2c7a5e..2d0f57f98 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1007,7 +1007,7 @@ END
 			&General::log("ipsec", "Creating cacert...");
 			if (open(STDIN, "-|")) {
 				my $opt = " req -x509 -sha256 -nodes";
-				$opt .= " -days 999999";
+				$opt .= " -days 3650";
 				$opt .= " -newkey rsa:4096";
 				$opt .= " -keyout ${General::swroot}/private/cakey.pem";
 				$opt .= " -out ${General::swroot}/ca/cacert.pem";
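Review bot: the new 3650-day CA lifetime only takes effect when the CA is (re)generated by this code path; an existing CA created with the old 999999-day value keeps its lifetime, so operators who already have a CA will not see any change here. Add a one-line comment on why ten years was chosen so the next reader does not tune it back up, and mention in the wiki page that a pre-existing CA has to be regenerated to pick the new value up.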
@@ -1065,7 +1065,7 @@ END
 			print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 			close ($fh);
 
-			my $opt = " ca -md sha256 -days 999999";
+			my $opt = " ca -md sha256 -days 825";
 			$opt .= " -batch -notext";
 			$opt .= " -in ${General::swroot}/certs/hostreq.pem";
 			$opt .= " -out ${General::swroot}/certs/hostcert.pem";
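Review bot: 825 is an unexplained magic number; add a comment that it matches the 825-day maximum validity Apple accepts for TLS server certificates, which is presumably the requirement the cover letter alludes to. More importantly, the host certificate now expires after roughly 27 months and nothing in this patch renews it or warns before expiry, so every roadwarrior profile exported from it stops connecting on that date; at minimum document the renewal step and show the expiry on the page (`openssl x509 -in ${General::swroot}/certs/hostcert.pem -noout -enddate` is what an operator has to run today to find out).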
@@ -1552,7 +1552,7 @@ END
 
 		# Sign the certificate request
 		&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
-		my $opt = " ca -md sha256 -days 999999";
+		my $opt = " ca -md sha256 -days 825";
 		$opt .= " -batch -notext";
 		$opt .= " -in $filename";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
@@ -1825,7 +1825,7 @@ END
 		print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
 		close ($fh);
 
-		my $opt = " ca -md sha256 -days 999999 -batch -notext";
+		my $opt = " ca -md sha256 -days 825 -batch -notext";
 		$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
 		$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
 		$opt .= " -extfile $v3extname";
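Review bot: this is the third copy of the `-days 825` literal in this file (host certificate, signing an uploaded request, and this path); define the lifetime once near the top of the script and reference it from all three `ca` invocations so they cannot drift apart when the value is revisited.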
-- 
2.20.1



* [PATCH 02/16] IPsec: Add prototype to export Apple Configuration profiles
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
  2020-05-28 17:58 ` [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 03/16] perl: Package Data::UUID Michael Tremer
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/web-user-interface |   1 +
 doc/language_issues.de                     |   1 +
 doc/language_issues.en                     |   1 +
 doc/language_issues.es                     |   1 +
 doc/language_issues.fr                     |   1 +
 doc/language_issues.it                     |   1 +
 doc/language_issues.nl                     |   1 +
 doc/language_issues.pl                     |   1 +
 doc/language_issues.ru                     |   1 +
 doc/language_issues.tr                     |   1 +
 doc/language_missings                      |   8 ++
 html/cgi-bin/vpnmain.cgi                   | 135 ++++++++++++++++++++-
 html/html/images/apple.png                 | Bin 0 -> 346 bytes
 langs/en/cgi-bin/en.pl                     |   1 +
 14 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 html/html/images/apple.png

diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index 9aaa05631..7d67c346c 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -117,6 +117,7 @@ srv/web/ipfire/html/images/add.gif
 srv/web/ipfire/html/images/addblue.gif
 srv/web/ipfire/html/images/addgreen.gif
 srv/web/ipfire/html/images/address-book-new.png
+srv/web/ipfire/html/images/apple.png
 srv/web/ipfire/html/images/application-certificate.png
 srv/web/ipfire/html/images/application-x-executable.png
 srv/web/ipfire/html/images/applications-accessories.png
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 2dc986d0a..d53bfa601 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -767,6 +767,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error
 WARNING: translation string unused: zoneconf val vlan amount assignment error
 WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val zoneslave amount error
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date!
 WARNING: untranslated string: fwhost cust geoipgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 88fa6ed79..dc40a08bb 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -656,6 +656,7 @@ WARNING: untranslated string: downlink = Downlink
 WARNING: untranslated string: downlink speed = Downlink speed (kbit/sec)
 WARNING: untranslated string: downlink std class = downlink standard class
 WARNING: untranslated string: download = download
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download ca certificate = Download CA certificate
 WARNING: untranslated string: download certificate = Download file
 WARNING: untranslated string: download host certificate = Download host certificate
diff --git a/doc/language_issues.es b/doc/language_issues.es
index ef78d6680..933e99eca 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
 WARNING: untranslated string: dpd delay = Delay
 WARNING: untranslated string: dpd timeout = Timeout
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index fd10b171e..fd9f8296c 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -807,6 +807,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error
 WARNING: translation string unused: zoneconf val vlan amount assignment error
 WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val zoneslave amount error
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: fwhost cust geoipgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 16ff776b5..e77b1ef3f 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -862,6 +862,7 @@ WARNING: untranslated string: dns use protocol for dns queries = Protocol for DN
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: duration = Duration
 WARNING: untranslated string: eight hours = 8 Hours
 WARNING: untranslated string: email config = Configuration
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 328a8e1f2..ca6dec27e 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -865,6 +865,7 @@ WARNING: untranslated string: dnssec aware = DNSSEC Aware
 WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
 WARNING: untranslated string: drop outgoing = Log dropped outgoing packets
 WARNING: untranslated string: duration = Duration
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index ef78d6680..933e99eca 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
 WARNING: untranslated string: dpd delay = Delay
 WARNING: untranslated string: dpd timeout = Timeout
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 0a579d406..1fed38304 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -853,6 +853,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been
 WARNING: untranslated string: dnssec not supported = DNSSEC Not supported
 WARNING: untranslated string: dnssec validating = DNSSEC Validating
 WARNING: untranslated string: downlink = Downlink
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: download tls-auth key = Download tls-auth key
 WARNING: untranslated string: dpd delay = Delay
 WARNING: untranslated string: dpd timeout = Timeout
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index d04c99305..c716af76d 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -838,6 +838,7 @@ WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigne
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
 WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled
 WARNING: untranslated string: dnsforward forward_servers = Nameservers
+WARNING: untranslated string: download apple profile = Download Apple Configuration Profile
 WARNING: untranslated string: duration = Duration
 WARNING: untranslated string: email tls explicit = explicit (STARTTLS)
 WARNING: untranslated string: email tls implicit = implicit (TLS)
diff --git a/doc/language_missings b/doc/language_missings
index bfc3ba41f..cff74f9b0 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -32,6 +32,7 @@
 < dh name is invalid
 < dns could not add server
 < done
+< download apple profile
 < error the to date has to be later than the from date
 < g.dtm
 < g.lite
@@ -248,6 +249,7 @@
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
 < downlink
+< download apple profile
 < download dh parameter
 < download tls-auth key
 < dpd delay
@@ -918,6 +920,7 @@
 < ansi t1.483
 < bewan adsl pci st
 < bewan adsl usb
+< download apple profile
 < g.dtm
 < g.lite
 < upload fcdsl.o
@@ -1031,6 +1034,7 @@
 < dns tls hostname
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
+< download apple profile
 < duration
 < eight hours
 < email config
@@ -1397,6 +1401,7 @@
 < dns tls hostname
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
+< download apple profile
 < download dh parameter
 < download tls-auth key
 < drop outgoing
@@ -1878,6 +1883,7 @@
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
 < downlink
+< download apple profile
 < download dh parameter
 < download tls-auth key
 < dpd delay
@@ -2729,6 +2735,7 @@
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
 < downlink
+< download apple profile
 < download dh parameter
 < download tls-auth key
 < dpd delay
@@ -3422,6 +3429,7 @@
 < dns tls hostname
 < dns use isp assigned nameservers
 < dns use protocol for dns queries
+< download apple profile
 < duration
 < email tls explicit
 < email tls implicit
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 2d0f57f98..9c0d72c88 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -19,6 +19,7 @@
 #                                                                             #
 ###############################################################################
 
+use MIME::Base64;
 use Net::DNS;
 use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
@@ -1178,6 +1179,122 @@ END
 	print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
 	exit (0);
 
+# Export Apple profile to browser
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
+	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+	my $key = $cgiparams{'KEY'};
+
+	my $uuid1 = "AAAABBBB";
+	my $uuid2 = "CCCCDDDD";
+
+	my $cert = "";
+	my $cert_uuid = "123456789";
+
+	# Read and encode certificate
+	if ($confighash{$key}[4] eq "cert") {
+		my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
+
+		# Read certificate and encode it into Base64
+		open(CERT, "<${cert_path}");
+		local($/) = undef; # slurp
+		$cert = MIME::Base64::encode_base64(<CERT>);
+		close(CERT);
+	}
+
+	print "Content-Type: application/octet-stream\n";
+	print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
+	print "\n"; # end headers
+
+	print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
+	print "<plist version=\"1.0\">\n";
+	print "	<dict>\n";
+        print "		<key>PayloadDisplayName</key>\n";
+	print "		<string>$confighash{$key}[1]</string>\n";
+	print "		<key>PayloadIdentifier</key>\n";
+	print "		<string>$confighash{$key}[1]</string>\n";
+	print "		<key>PayloadUUID</key>\n";
+	print "		<string>${uuid1}</string>\n";
+	print "		<key>PayloadType</key>\n";
+	print "		<string>Configuration</string>\n";
+	print "		<key>PayloadVersion</key>\n";
+	print "		<integer>1</integer>\n";
+	print "		<key>PayloadContent</key>\n";
+	print "		<array>\n";
+	print "			<dict>\n";
+	print "				<key>PayloadIdentifier</key>\n";
+	print "				<string>org.example.vpn1.conf1</string>\n";
+	print "				<key>PayloadUUID</key>\n";
+	print "				<string>${uuid2}</string>\n";
+	print "				<key>PayloadType</key>\n";
+	print "				<string>com.apple.vpn.managed</string>\n";
+	print "				<key>PayloadVersion</key>\n";
+	print "				<integer>1</integer>\n";
+	print "				<key>UserDefinedName</key>\n";
+	print "				<string>$confighash{$key}[1]</string>\n";
+	print "				<key>VPNType</key>\n";
+	print "				<string>IKEv2</string>\n";
+	print "				<key>IKEv2</key>\n";
+	print "				<dict>\n";
+	print "					<key>RemoteAddress</key>\n";
+	print "					<string>18.206.152.26</string>\n";
+
+	# Left ID
+	if ($confighash{$key}[9]) {
+		print "				<key>LocalIdentifier</key>\n";
+		print "				<string>$confighash{$key}[9]</string>\n";
+	}
+
+	# Right ID
+	if ($confighash{$key}[7]) {
+		print "				<key>RemoteIdentifier</key>\n";
+		print "				<string>$confighash{$key}[7]</string>\n";
+	}
+
+	if ($confighash{$key}[4] eq "cert") {
+		print "				<key>AuthenticationMethod</key>\n";
+		print "				<string>Certificate</string>\n";
+
+		print "				<key>PayloadCertificateUUID</key>\n";
+		print "				<string>${cert_uuid}</string>\n";
+	} else {
+		print "				<key>AuthenticationMethod</key>\n";
+		print "				<string>SharedSecret</string>\n";
+		print "				<key>SharedSecret</key>\n";
+		print "				<string>$confighash{$key}[5]</string>\n";
+	}
+
+	print "					<key>ExtendedAuthEnabled</key>\n";
+	print "					<integer>0</integer>\n";
+	print "				</dict>\n";
+	print "			</dict>\n";
+
+	if ($confighash{$key}[4] eq "cert") {
+		print "			<dict>\n";
+		print "				<key>PayloadIdentifier</key>\n";
+		print "				<string>org.example.vpn1.client</string>\n";
+		print "				<key>PayloadUUID</key>\n";
+		print "				<string>${cert_uuid}</string>\n";
+		print "				<key>PayloadType</key>\n";
+		print "				<string>com.apple.security.pkcs12</string>\n";
+		print "				<key>PayloadVersion</key>\n";
+		print "				<integer>1</integer>\n";
+		print "				<key>PayloadContent</key>\n";
+		print "				<data>\n";
+
+		foreach (split /\n/,${cert}) {
+			print "					$_\n";
+		}
+
+		print "				</data>\n";
+		print "			</dict>\n";
+	}
+
+	print "		</array>\n";
+	print "	</dict>\n";
+	print "</plist>\n";
+
+	# Done
+	exit(0);
 ###
 ### Display certificate
 ###
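Review bot: `$key` is taken from the request and never checked against `%confighash`, and `open(CERT, "<${cert_path}")` has no error handling, so an unknown KEY or an unreadable .p12 still returns a complete-looking profile whose pkcs12 `<data>` is empty; return an error when `!exists $confighash{$key}` or when the open fails, and only print the headers after that. Every value printed into the plist (`$confighash{$key}[1]`, `[7]`, `[9]` and the PSK in `[5]`) is interpolated without XML escaping, so an ID or secret containing `&`, `<` or `"` yields a profile no plist parser accepts; run them through a small helper that replaces `&`, `<`, `>` and `"` with entities before printing. `RemoteAddress` is the hard-coded literal 18.206.152.26 and both inner PayloadIdentifier values are fixed (`org.example.vpn1.conf1`, `org.example.vpn1.client`), so two exported connections collide on a device because Apple decides whether an install replaces an earlier profile by PayloadIdentifier; take the address from configuration and derive the identifiers from a per-host reverse-DNS prefix plus the connection name. Smaller points: the output starts with `<!DOCTYPE` and lacks the `<?xml version="1.0" encoding="UTF-8"?>` declaration that plist tools such as Python's plistlib sniff for; the Content-Disposition filename is unquoted; the `print` for PayloadDisplayName is indented with spaces instead of tabs; and the download embeds the PSK or the PKCS#12 in cleartext, so it deserves the same care as the existing .p12 export right above it.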
@@ -2982,7 +3099,7 @@ END
 	<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
 	<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 	<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
-	<th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
+	<th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th>
 	</tr>
 END
 ;
@@ -3082,6 +3199,22 @@ END
 	} else {
 		print "<td width='2%' $col>&nbsp;</td>";
 	}
+
+	# Apple Profile
+	if ($confighash{$key}[3] eq 'host') {
+		print <<END;
+		<td align='center' $col>
+			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+			<input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' />
+			<input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' />
+			<input type='hidden' name='KEY' value='$key' />
+			</form>
+		</td>
+END
+	} else {
+		print "<td width='2%' $col>&nbsp;</td>";
+	}
+
 	print <<END
 	<td align='center' $col>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
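Review bot: the button is offered for every host-to-net connection, but the exported profile always declares `VPNType` IKEv2 with `ExtendedAuthEnabled` 0; if a connection can be configured in a way the Apple client cannot use (an IKEv1-only peer, for instance), the profile is still exported and simply never connects, so either hide the button for such connections or say so on the wiki page. The ACTION value being the translated label follows the existing pattern in this file, but it ties the handler above to a string a translator may change.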
diff --git a/html/html/images/apple.png b/html/html/images/apple.png
new file mode 100644
index 0000000000000000000000000000000000000000..6571a749b693911b9c616b29a6b749b409935853
GIT binary patch
literal 346
zcmeAS(a)N?(olHy`uVBq!ia0vp^A|TAc1|)ksWqE-VOR<w(a)2nP_<aHMnq`J4qFk;M!Q
z+`=Ht$S`Y;1W(a)pgr;B5VMeo|n3%y+&1&)90SAU^usKGW{;e_aamc?fi3^}5X<b2Qn
zkkiz0@`3z=`3c6HQMzor<s4k$A(a)_{mSXXqsyZ!ZNb7ShvpXbh;)A_&Vr2UaKiE{qA
zlgkTRg{pHCFRV{c*4ffp`k{?K=eSIA{*IQ^Jqe38G4DxQx~gPKkT1WvQ*~<SP0PMk
z$Da50g>5e-as->B0w#;z=wb9XPEh5Wee3MXypEOc8~ondH1Ay2V|w?oEt`%}g2C)Z
zCR5BO#0eMt*&6iL??zAj*4dmoA2oFT_P=^$DO_>o$~Ql(a)9ECz-J>djav!H~Q|CLSb
nF$uD(ZyYzx+c=dgd#Qd-dzV1X{ntx?;lSYO>gTe~DWM4fVRMKG

literal 0
HcmV?d00001

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index ff08bce0c..aaf1d4978 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -906,6 +906,7 @@
 'downlink speed' => 'Downlink speed (kbit/sec)',
 'downlink std class' => 'downlink standard class',
 'download' => 'download',
+'download apple profile' => 'Download Apple Configuration Profile',
 'download ca certificate' => 'Download CA certificate',
 'download certificate' => 'Download file',
 'download dh parameter' => 'Download Diffie-Hellman parameters',
-- 
2.20.1



* [PATCH 03/16] perl: Package Data::UUID
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
  2020-05-28 17:58 ` [PATCH 01/16] IPsec: Use sane defaults for certificate lifetimes Michael Tremer
  2020-05-28 17:58 ` [PATCH 02/16] IPsec: Add prototype to export Apple Configuration profiles Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 04/16] vpnmain.cgi: Generate random UUIDs Michael Tremer
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


This module is required to generate UUIDs in Perl

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/perl-Data-UUID |  7 +++
 lfs/perl-Data-UUID                     | 77 ++++++++++++++++++++++++++
 make.sh                                |  1 +
 3 files changed, 85 insertions(+)
 create mode 100644 config/rootfiles/common/perl-Data-UUID
 create mode 100644 lfs/perl-Data-UUID

diff --git a/config/rootfiles/common/perl-Data-UUID b/config/rootfiles/common/perl-Data-UUID
new file mode 100644
index 000000000..69b7c3186
--- /dev/null
+++ b/config/rootfiles/common/perl-Data-UUID
@@ -0,0 +1,7 @@
+#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data
+usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data/UUID.pm
+#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data
+#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID
+#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/.packlist
+usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/UUID.so
+#usr/share/man/man3/Data::UUID.3
diff --git a/lfs/perl-Data-UUID b/lfs/perl-Data-UUID
new file mode 100644
index 000000000..e3eee182b
--- /dev/null
+++ b/lfs/perl-Data-UUID
@@ -0,0 +1,77 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 1.224
+
+THISAPP    = Data-UUID-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 71510bbcce760c394591fca83a9b5e6d
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+	@$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+	@$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+	@$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+	@$(PREBUILD)
+	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && perl Makefile.PL
+	cd $(DIR_APP) && make $(MAKETUNING)
+	cd $(DIR_APP) && make install
+	@rm -rf $(DIR_APP)
+	@$(POSTBUILD)
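Review bot: `perl Makefile.PL` for Data::UUID prompts for the directory that holds the UUID state file; run it with `PERL_MM_USE_DEFAULT=1` in this unattended build so it takes the default instead of reading whatever is on stdin. That state (node ID and clock sequence) lives in files under that directory, `/var/tmp` by default, created by whichever user first calls the generator, so check that vpnmain.cgi running as the web server user can create them and that they are not left world-writable. Two smaller points: the copyright header says 2007-2018 on a file created in 2020, and the tarball is pinned only by `$(DL_FILE)_MD5`, which matches the rest of the tree but is a weak integrity check for a supply-chain input fetched from the IPFire mirror rather than from CPAN.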
diff --git a/make.sh b/make.sh
index 4acce807f..9117dd3ec 100755
--- a/make.sh
+++ b/make.sh
@@ -1301,6 +1301,7 @@ buildipfire() {
   lfsmake2 perl-Device-SerialPort
   lfsmake2 perl-Device-Modem
   lfsmake2 perl-Apache-Htpasswd
+  lfsmake2 perl-Data-UUID
   lfsmake2 gnupg
   lfsmake2 hdparm
   lfsmake2 sdparm
-- 
2.20.1



* [PATCH 04/16] vpnmain.cgi: Generate random UUIDs
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (2 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 03/16] perl: Package Data::UUID Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 05/16] vpnmain.cgi: Add field for roadwarrior endpoint Michael Tremer
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 9c0d72c88..c004b6087 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -19,6 +19,7 @@
 #                                                                             #
 ###############################################################################
 
+use Data::UUID;
 use MIME::Base64;
 use Net::DNS;
 use File::Copy;
@@ -1184,11 +1185,14 @@ END
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 	my $key = $cgiparams{'KEY'};
 
-	my $uuid1 = "AAAABBBB";
-	my $uuid2 = "CCCCDDDD";
+	# Create a UUID generator
+	my $uuid = Data::UUID->new();
+
+	my $uuid1 = $uuid->create_str();
+	my $uuid2 = $uuid->create_str();
 
 	my $cert = "";
-	my $cert_uuid = "123456789";
+	my $cert_uuid = $uuid->create_str();
 
 	# Read and encode certificate
 	if ($confighash{$key}[4] eq "cert") {
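Review bot: Data::UUID's `create_str()` returns version 1 (time-based) UUIDs, not random ones as the subject says; uniqueness is all PayloadUUID needs, so the choice is fine, but reword the subject. Fresh UUIDs on every download are also fine as long as the PayloadIdentifier stays stable, since Apple keys profile replacement on PayloadIdentifier, and that identifier is still the fixed `org.example.vpn1.conf1` from the previous patch, so fix both together. `Data::UUID->new()` per request is cheap, but it reads and updates the generator's state file, so see the packaging patch for where that file lives and who may write it.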
-- 
2.20.1



* [PATCH 05/16] vpnmain.cgi: Add field for roadwarrior endpoint
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (3 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 04/16] vpnmain.cgi: Generate random UUIDs Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 06/16] vpnmain.cgi: Fix indentation on Apple profiles Michael Tremer
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


This is the IP address or FQDN which will be written into
Apple Configuration profiles as public peer address.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 doc/language_issues.de   |  2 ++
 doc/language_issues.en   |  2 ++
 doc/language_issues.es   |  2 ++
 doc/language_issues.fr   |  2 ++
 doc/language_issues.it   |  2 ++
 doc/language_issues.nl   |  2 ++
 doc/language_issues.pl   |  2 ++
 doc/language_issues.ru   |  2 ++
 doc/language_issues.tr   |  2 ++
 doc/language_missings    | 16 ++++++++++++++++
 html/cgi-bin/vpnmain.cgi | 21 ++++++++++++++++++++-
 langs/en/cgi-bin/en.pl   |  2 ++
 12 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index d53bfa601..4c4a37742 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -800,6 +800,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
 WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.en b/doc/language_issues.en
index dc40a08bb..9bef2930c 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1169,9 +1169,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: iptmangles = IPTable Mangles
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 933e99eca..57a20d214 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index fd9f8296c..3fe75fd07 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -839,6 +839,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index e77b1ef3f..53cd94b90 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -986,8 +986,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index ca6dec27e..85a9cd587 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -995,8 +995,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 933e99eca..57a20d214 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 1fed38304..6ed13933a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1152,9 +1152,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
 WARNING: untranslated string: ipsec network = IPsec network
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index c716af76d..8821371f7 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -912,8 +912,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
+WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec mode transport = Transport
 WARNING: untranslated string: ipsec mode tunnel = Tunnel
+WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
diff --git a/doc/language_missings b/doc/language_missings
index cff74f9b0..3034db5ba 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -37,6 +37,8 @@
 < g.dtm
 < g.lite
 < insert removable device
+< ipsec invalid ip address or fqdn for rw endpoint
+< ipsec roadwarrior endpoint
 < no entries
 < notes
 < okay
@@ -568,10 +570,12 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
 < ipsec network
 < ipsec no connections
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
@@ -923,6 +927,8 @@
 < download apple profile
 < g.dtm
 < g.lite
+< ipsec invalid ip address or fqdn for rw endpoint
+< ipsec roadwarrior endpoint
 < upload fcdsl.o
 ############################################################################
 # Checking cgi-bin translations for language: it                           #
@@ -1135,8 +1141,10 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
@@ -1509,8 +1517,10 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
@@ -2204,10 +2214,12 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
 < ipsec network
 < ipsec no connections
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
@@ -3060,10 +3072,12 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
 < ipsec network
 < ipsec no connections
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
@@ -3472,8 +3486,10 @@
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
+< ipsec invalid ip address or fqdn for rw endpoint
 < ipsec mode transport
 < ipsec mode tunnel
+< ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index c004b6087..61efcc72c 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -26,6 +26,7 @@ use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
 use strict;
 use Sort::Naturally;
+use Sys::Hostname;
 # enable only the following on debugging purpose
 #use warnings;
 #use CGI::Carp 'fatalsToBrowser';
@@ -112,6 +113,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = '';
 $cgiparams{'ROOTCERT_OU'} = '';
 $cgiparams{'ROOTCERT_CITY'} = '';
 $cgiparams{'ROOTCERT_STATE'} = '';
+$cgiparams{'RW_ENDPOINT'} = '';
 $cgiparams{'RW_NET'} = '';
 $cgiparams{'DPD_DELAY'} = '30';
 $cgiparams{'DPD_TIMEOUT'} = '120';
@@ -507,12 +509,18 @@ if ($ENV{"REMOTE_ADDR"} eq "") {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
 	&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
 
+	if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) {
+		$errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'};
+		goto SAVE_ERROR;
+	}
+
 	if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
 		$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
 		goto SAVE_ERROR;
 	}
 
 	$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
+	$vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'};
 	$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
 	&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
 	&writeipsecfiles();
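Review bot: the new RW_ENDPOINT check accepts an empty value and lets it fall through to the hostname fallback later in this patch, which is the intended default but is invisible to the user; the field label or a short help text should say that leaving it empty means "this firewall's own host name". For a non-empty value the pair `&General::validip` / `&General::validfqdn` is the only filter before the string is interpolated into the exported plist, so it is worth confirming that `validfqdn` rejects anything outside hostname characters (no `<`, `&`, quotes or whitespace) and does not merely check label structure.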
@@ -1182,6 +1190,10 @@ END
 
 # Export Apple profile to browser
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
+	# Read global configuration
+	&General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+	# Read connections
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 	my $key = $cgiparams{'KEY'};
 
@@ -1209,6 +1221,9 @@ END
 	print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
 	print "\n"; # end headers
 
+	# Use our own FQDN if nothing else is configured
+	my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname();
+
 	print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
 	print "<plist version=\"1.0\">\n";
 	print "	<dict>\n";
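Review bot: the comment says "Use our own FQDN", but `&hostname()` from Sys::Hostname returns whatever gethostname(2) reports, which on many systems is the short host name without a domain. A short name is unusable as RemoteAddress for a device connecting over the internet, and the Apple client also has to match it against the identity in the server certificate. Consider building the fallback from the configured host name plus domain so the result is guaranteed fully qualified, or at least make the comment state the assumption.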
@@ -1240,7 +1255,7 @@ END
 	print "				<key>IKEv2</key>\n";
 	print "				<dict>\n";
 	print "					<key>RemoteAddress</key>\n";
-	print "					<string>18.206.152.26</string>\n";
+	print "					<string>$endpoint</string>\n";
 
 	# Left ID
 	if ($confighash{$key}[9]) {
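Review bot: dropping the hard-coded test address 18.206.152.26 in favour of `$endpoint` is the right fix, but the value is interpolated straight into the XML `<string>` here. That is only safe as long as the earlier validip/validfqdn check keeps it to IP-address or hostname characters; a one-line comment at this print saying the value is pre-validated, or escaping `&`, `<` and `>` at the point of output, would keep the plist well-formed even if the validation is relaxed later.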
@@ -3081,6 +3096,10 @@ EOF
 				<input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
 			</td>
 		</tr>
+		<tr>
+			<td class='base' nowrap='nowrap' width="60%">$Lang::tr{'ipsec roadwarrior endpoint'}:</td>
+			<td width="40%"><input type='text' name='RW_ENDPOINT' value='$cgiparams{'RW_ENDPOINT'}' /></td>
+		</tr>
 		<tr>
 			<td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
 			<td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index aaf1d4978..54e8c404a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1550,10 +1550,12 @@
 'ipsec interface mode gre' => 'GRE',
 'ipsec interface mode none' => '- None (Default) -',
 'ipsec interface mode vti' => 'VTI',
+'ipsec invalid ip address or fqdn for rw endpoint' => 'Invalid IP address or FQDN for Host-to-Net Endpoint',
 'ipsec mode transport' => 'Transport',
 'ipsec mode tunnel' => 'Tunnel',
 'ipsec network' => 'IPsec network',
 'ipsec no connections' => 'No active IPsec connections',
+'ipsec roadwarrior endpoint' => 'Host-to-Net Endpoint',
 'ipsec routing table entries' => 'IPsec Routing Table Entries',
 'ipsec settings' => 'IPsec Settings',
 'iptable rules' => 'IPTable rules',
-- 
2.20.1



* [PATCH 06/16] vpnmain.cgi: Fix indentation on Apple profiles
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (4 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 05/16] vpnmain.cgi: Add field for roadwarrior endpoint Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 07/16] IPsec: Apple: Enable PFS on client when enabled Michael Tremer
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 61efcc72c..f5b1186a8 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1259,27 +1259,27 @@ END
 
 	# Left ID
 	if ($confighash{$key}[9]) {
-		print "				<key>LocalIdentifier</key>\n";
-		print "				<string>$confighash{$key}[9]</string>\n";
+		print "					<key>LocalIdentifier</key>\n";
+		print "					<string>$confighash{$key}[9]</string>\n";
 	}
 
 	# Right ID
 	if ($confighash{$key}[7]) {
-		print "				<key>RemoteIdentifier</key>\n";
-		print "				<string>$confighash{$key}[7]</string>\n";
+		print "					<key>RemoteIdentifier</key>\n";
+		print "					<string>$confighash{$key}[7]</string>\n";
 	}
 
 	if ($confighash{$key}[4] eq "cert") {
-		print "				<key>AuthenticationMethod</key>\n";
-		print "				<string>Certificate</string>\n";
+		print "					<key>AuthenticationMethod</key>\n";
+		print "					<string>Certificate</string>\n";
 
-		print "				<key>PayloadCertificateUUID</key>\n";
-		print "				<string>${cert_uuid}</string>\n";
+		print "					<key>PayloadCertificateUUID</key>\n";
+		print "					<string>${cert_uuid}</string>\n";
 	} else {
-		print "				<key>AuthenticationMethod</key>\n";
-		print "				<string>SharedSecret</string>\n";
-		print "				<key>SharedSecret</key>\n";
-		print "				<string>$confighash{$key}[5]</string>\n";
+		print "					<key>AuthenticationMethod</key>\n";
+		print "					<string>SharedSecret</string>\n";
+		print "					<key>SharedSecret</key>\n";
+		print "					<string>$confighash{$key}[5]</string>\n";
 	}
 
 	print "					<key>ExtendedAuthEnabled</key>\n";
-- 
2.20.1



* [PATCH 07/16] IPsec: Apple: Enable PFS on client when enabled
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (5 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 06/16] vpnmain.cgi: Fix indentation on Apple profiles Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 08/16] IPsec: Apple: Add desired cipher suites to profiles Michael Tremer
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index f5b1186a8..816136c92 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1257,6 +1257,13 @@ END
 	print "					<key>RemoteAddress</key>\n";
 	print "					<string>$endpoint</string>\n";
 
+	# PFS
+	my $pfs = $confighash{$key}[28];
+	if ($pfs eq "on") {
+		print "					<key>EnablePFS</key>\n";
+		print "					<true/>\n";
+	}
+
 	# Left ID
 	if ($confighash{$key}[9]) {
 		print "					<key>LocalIdentifier</key>\n";
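Review bot: when `$pfs` is anything other than "on" nothing is emitted and the client falls back to Apple's default for EnablePFS; either write `<false/>` explicitly or add a comment that the default is being relied upon, so the intent is visible when someone later changes the server-side default.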
-- 
2.20.1



* [PATCH 08/16] IPsec: Apple: Add desired cipher suites to profiles
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (6 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 07/16] IPsec: Apple: Enable PFS on client when enabled Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 09/16] IPsec: Apple: Stop prompting for credentials Michael Tremer
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 110 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 816136c92..7011454fa 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -126,6 +126,35 @@ $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
+my %APPLE_CIPHERS = (
+	"aes256gcm128" => "AES-256-GCM",
+	"aes128gcm128" => "AES-128-GCM",
+	"aes256"       => "AES-256",
+	"aes128"       => "AES-128",
+	"3des"         => "3DES",
+);
+
+my %APPLE_INTEGRITIES = (
+	"sha2_512" => "SHA2-512",
+	"sha2_384" => "SHA2-384",
+	"sha2_256" => "SHA2-256",
+	"sha1"     => "SHA1-160",
+);
+
+my %APPLE_DH_GROUPS = (
+	"768" => 1,
+	"1024" => 2,
+	"1536" => 5,
+	"2048" => 14,
+	"3072" => 15,
+	"4096" => 16,
+	"6144" => 17,
+	"8192" => 18,
+	"e256" => 19,
+	"e384" => 20,
+	"e521" => 21,
+);
+
 ###
 ### Useful functions
 ###
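Review bot: the three lookup tables carry legacy entries: 3DES, SHA1-160 and the MODP-768/1024/1536 groups (1, 2, 5). Because the export loops further down emit only the first configured algorithm that has an entry here, a connection whose proposal list happens to start with one of these pins the Apple client to a weak suite even when the server also offers AES-GCM, SHA2 and stronger groups. Consider dropping the weak entries (at minimum the 768 and 1024 groups) from the maps so the first acceptable strong entry wins, and document that the exported profile pins a single suite rather than the whole proposal list.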
@@ -1264,6 +1293,87 @@ END
 		print "					<true/>\n";
 	}
 
+	# IKE Cipher Suite
+	print "					<key>IKESecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[18])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[19])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[20])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[16] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+	# ESP Cipher Suite
+	print "					<key>ChildSecurityAssociationParameters</key>\n";
+	print "					<dict>\n";
+
+	# Encryption
+	foreach my $cipher (split(/\|/,$confighash{$key}[21])) {
+		# Skip all unsupported ciphers
+		next unless (exists $APPLE_CIPHERS{$cipher});
+
+		print "						<key>EncryptionAlgorithm</key>\n";
+		print "						<string>$APPLE_CIPHERS{$cipher}</string>\n";
+		last;
+	}
+
+	# Integrity
+	foreach my $integrity (split(/\|/,$confighash{$key}[22])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_INTEGRITIES{$integrity});
+
+		print "						<key>IntegrityAlgorithm</key>\n";
+		print "						<string>$APPLE_INTEGRITIES{$integrity}</string>\n";
+		last;
+	}
+
+	# Diffie Hellman Groups
+	foreach my $group (split(/\|/,$confighash{$key}[23])) {
+		# Skip all unsupported algorithms
+		next unless (exists $APPLE_DH_GROUPS{$group});
+
+		print "						<key>DiffieHellmanGroup</key>\n";
+		print "						<string>$APPLE_DH_GROUPS{$group}</string>\n";
+		last;
+	}
+
+	# Lifetime
+	my $lifetime = $confighash{$key}[17] * 60;
+	print "						<key>LifeTimeInMinutes</key>\n";
+	print "						<integer>$lifetime</integer>\n";
+	print "					</dict>\n";
+
+
 	# Left ID
 	if ($confighash{$key}[9]) {
 		print "					<key>LocalIdentifier</key>\n";
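Review bot: `my $lifetime` is declared twice in the same block (once for the IKE dict, once for the ESP dict); with warnings enabled Perl reports `"my" variable $lifetime masks earlier declaration in same scope`. Reuse the first variable or give each declaration its own block. Two further points on this hunk: every `foreach` falls through silently when none of the configured algorithms has an Apple mapping, leaving the dict without an EncryptionAlgorithm, IntegrityAlgorithm or DiffieHellmanGroup key, so the client silently uses its own defaults, which may not match what the server accepts; an error message in that case would be more transparent than a half-filled dict. And DiffieHellmanGroup is written as `<string>` while the neighbouring LifeTimeInMinutes is `<integer>`, although the values in %APPLE_DH_GROUPS are numeric; check the payload reference for which plist type this key expects. The six near-identical loops would also collapse into one helper taking the field index and key name.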
-- 
2.20.1



* [PATCH 09/16] IPsec: Apple: Stop prompting for credentials
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (7 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 08/16] IPsec: Apple: Add desired cipher suites to profiles Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 10/16] IPsec: Allow sending DNS server addresses to RW clients Michael Tremer
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 7011454fa..0d141cb88 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1401,6 +1401,12 @@ END
 
 	print "					<key>ExtendedAuthEnabled</key>\n";
 	print "					<integer>0</integer>\n";
+
+	# These are not needed, but we provide some default to stop iPhone asking for credentials
+	print "					<key>AuthName</key>\n";
+	print "					<string>$confighash{$key}[1]</string>\n";
+	print "					<key>AuthPassword</key>\n";
+	print "					<string></string>\n";
 	print "				</dict>\n";
 	print "			</dict>\n";
 
-- 
2.20.1



* [PATCH 10/16] IPsec: Allow sending DNS server addresses to RW clients
  2020-05-28 17:58 Easy IPsec connections for macOS & iOS Michael Tremer
                   ` (8 preceding siblings ...)
  2020-05-28 17:58 ` [PATCH 09/16] IPsec: Apple: Stop prompting for credentials Michael Tremer
@ 2020-05-28 17:58 ` Michael Tremer
  2020-05-28 17:58 ` [PATCH 11/16] IPsec: Always send our host certificate to all " Michael Tremer
                   ` (6 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 doc/language_issues.de   |  2 +-
 doc/language_issues.en   |  2 ++
 doc/language_issues.es   |  2 ++
 doc/language_issues.fr   |  2 +-
 doc/language_issues.it   |  2 +-
 doc/language_issues.nl   |  2 ++
 doc/language_issues.pl   |  2 ++
 doc/language_issues.ru   |  2 ++
 doc/language_issues.tr   |  2 +-
 doc/language_missings    |  8 ++++++
 html/cgi-bin/vpnmain.cgi | 54 ++++++++++++++++++++++++++++++++++------
 langs/en/cgi-bin/en.pl   |  1 +
 12 files changed, 69 insertions(+), 12 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4c4a37742..ab074d94d 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -219,7 +219,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -800,6 +799,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: no entries = No entries at the moment.
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 9bef2930c..c05fc0800 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -624,6 +624,7 @@ WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns proxy server = DNS Proxy Server
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns title = Domain Name System
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
@@ -1166,6 +1167,7 @@ WARNING: untranslated string: ipfires hostname = IPFire's Hostname
 WARNING: untranslated string: ipinfo = IP info
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 57a20d214..376af0dc4 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 3fe75fd07..c52ef3972 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -246,7 +246,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -839,6 +838,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: pakfire ago = ago.
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 53cd94b90..be1f9c351 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -220,7 +220,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnsforward forward_server
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
@@ -983,6 +982,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 85a9cd587..21e1e8daa 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -856,6 +856,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -992,6 +993,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 57a20d214..376af0dc4 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 6ed13933a..dc8d83beb 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -837,6 +837,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1149,6 +1150,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 8821371f7..dd4d24ae3 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -242,7 +242,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnsforward forward_server
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
@@ -909,6 +908,7 @@ WARNING: untranslated string: invalid input for local ip address = Invalid input
 WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_missings b/doc/language_missings
index 3034db5ba..fe0713fdf 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -37,6 +37,7 @@
 < g.dtm
 < g.lite
 < insert removable device
+< ipsec dns server address is invalid
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < no entries
@@ -567,6 +568,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -927,6 +929,7 @@
 < download apple profile
 < g.dtm
 < g.lite
+< ipsec dns server address is invalid
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < upload fcdsl.o
@@ -1138,6 +1141,7 @@
 < invalid ip or hostname
 < invalid logserver protocol
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -1514,6 +1518,7 @@
 < invalid ip or hostname
 < invalid logserver protocol
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -2211,6 +2216,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -3069,6 +3075,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -3483,6 +3490,7 @@
 < invalid input for mode
 < invalid ip or hostname
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 0d141cb88..93120ea44 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel";
 $cgiparams{'INTERFACE_MODE'} = "";
 $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 my %APPLE_CIPHERS = (
@@ -511,6 +512,13 @@ sub writeipsecfiles {
 		# Fragmentation
 		print CONF "\tfragmentation=yes\n";
 
+		# DNS Servers for RW
+		if ($lconfighash{$key}[3] eq 'host') {
+			my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+			print CONF "\trightdns=" . join(",", @servers) . "\n";
+		}
+
 		print CONF "\n";
 	} #foreach key
 
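Review bot: the `rightdns=` line is printed even when field 39 is empty, so every roadwarrior connection without configured DNS servers (including all connections saved before this field existed, where `$lconfighash{$key}[39]` is undefined and `split` warns about an uninitialized value) gets a bare `rightdns=` in the generated ipsec.conf; guard the print with `if (@servers)` and default the field to an empty string before splitting.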
@@ -1612,6 +1620,7 @@ END
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
@@ -1745,6 +1754,16 @@ END
 			}
 		}
 
+		if ($cgiparams{'TYPE'} eq 'host') {
+			my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+			foreach my $server (@servers) {
+				unless (&Network::check_ip_address($server)) {
+					$errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+					goto VPNCONF_ERROR;
+				}
+			}
+		}
+
 		if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
 			$errormessage = $Lang::tr{'invalid input'};
 			goto VPNCONF_ERROR;
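Review bot: the validation splits `DNS_SERVERS` on a bare comma, so input such as `10.0.0.1, 10.0.0.2` hands ` 10.0.0.2` (with a leading space) to `Network::check_ip_address` and is rejected with a message that does not tell the user why; trim whitespace around each entry (for example `split(/\s*,\s*/, ...)`) before checking, and use the same normalisation where the value is joined with `|` for storage so that what was validated is what gets written.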
@@ -2147,7 +2166,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -2198,6 +2217,7 @@ END
 	$confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
 	$confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
 	$confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+	$confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
 
 	# free unused fields!
 	$confighash{$key}[15] = 'off';
@@ -2280,6 +2300,7 @@ END
 	$cgiparams{'INTERFACE_MODE'}        	= "";
 	$cgiparams{'INTERFACE_ADDRESS'}        	= "";
 	$cgiparams{'INTERFACE_MTU'}        	= 1500;
+	$cgiparams{'DNS_SERVERS'}        	= "";
 }
 
 VPNCONF_ERROR:
@@ -2376,11 +2397,8 @@ END
 EOF
 	}
 
-	my $disabled;
-	my $blob;
-	if ($cgiparams{'TYPE'} eq 'host') {
-		$disabled = "disabled='disabled'";
-	} elsif ($cgiparams{'TYPE'} eq 'net') {
+	my $blob = "";
+	if ($cgiparams{'TYPE'} eq 'net') {
 		$blob = "<img src='/blob.gif' alt='*' />";
 	};
 
@@ -2390,6 +2408,9 @@ EOF
 	my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
 	my $remote_subnets = join(",", @remote_subnets);
 
+	my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+	my $dns_servers = join(",", @dns_servers);
+
 	print <<END;
 	<tr>
 		<td width='20%'>$Lang::tr{'enabled'}</td>
@@ -2425,10 +2446,26 @@ END
 		<td width='30%'>
 			<input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
 		</td>
-		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
+END
+
+	if ($cgiparams{'TYPE'} eq "net") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
+		<td width='30%'>
+			<input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+		</td>
+END
+
+	} elsif ($cgiparams{'TYPE'} eq "host") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
 		<td width='30%'>
-			<input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+			<input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
 		</td>
+END
+	}
+
+	print <<END;
 	</tr>
 	<tr>
 		<td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
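Review bot: `$dns_servers` (like the existing `$remote_subnets`) is interpolated into the `value='...'` attribute without HTML escaping, and on the `VPNCONF_ERROR` path it carries the unvalidated form input straight back to the browser; escape the value before printing it. Separately, the `$blob` marker computed a few lines earlier is no longer used for the remote subnet label, which now prints the `<img>` literally, so either reuse `$blob` here or drop the variable.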
@@ -2764,6 +2801,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 54e8c404a..adc04f6b3 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1547,6 +1547,7 @@
 'ipinfo' => 'IP info',
 'ipsec' => 'IPsec',
 'ipsec connection' => 'IPsec Connection',
+'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)',
 'ipsec interface mode gre' => 'GRE',
 'ipsec interface mode none' => '- None (Default) -',
 'ipsec interface mode vti' => 'VTI',
-- 
2.20.1



* [PATCH 11/16] IPsec: Always send our host certificate to all RW clients
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 93120ea44..85c4584e1 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -350,6 +350,12 @@ sub writeipsecfiles {
 
 		print CONF "\tleftfirewall=yes\n";
 		print CONF "\tlefthostaccess=yes\n";
+
+		# Always send the host certificate
+		if ($lconfighash{$key}[3] eq 'host') {
+			print CONF "\tleftsendcert=always\n";
+		}
+
 		print CONF "\tright=$lconfighash{$key}[10]\n";
 
 		if ($lconfighash{$key}[3] eq 'net') {
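Review bot: the commit message is empty and the hunk gives no rationale for restricting `leftsendcert=always` to `host` connections; state why roadwarrior clients need the certificate sent unconditionally (strongSwan's default is `ifasked`, which only sends it on request) and why net-to-net connections keep the default.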
-- 
2.20.1



* [PATCH 12/16] IPsec: Set display name for VPN connections
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 85c4584e1..9353a2f0d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1428,6 +1428,8 @@ END
 		print "			<dict>\n";
 		print "				<key>PayloadIdentifier</key>\n";
 		print "				<string>org.example.vpn1.client</string>\n";
+		print "				<key>PayloadDisplayName</key>\n";
+		print "				<string>$confighash{$key}[1]</string>\n";
 		print "				<key>PayloadUUID</key>\n";
 		print "				<string>${cert_uuid}</string>\n";
 		print "				<key>PayloadType</key>\n";
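Review bot: `$confighash{$key}[1]` is written into the `<string>` element without XML escaping; a connection name containing `&` or `<` would make the profile unparseable on the device, so escape the value here or confirm that name validation on save excludes those characters (the same applies to the existing `<string>$confighash{$key}[1]</string>` lines in this file).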
-- 
2.20.1



* [PATCH 13/16] IPsec: Ensure that iOS VPNs are always connected
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 9353a2f0d..1e4115e95 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1421,6 +1421,18 @@ END
 	print "					<string>$confighash{$key}[1]</string>\n";
 	print "					<key>AuthPassword</key>\n";
 	print "					<string></string>\n";
+
+	# Connect the VPN automatically
+	print "					<key>OnDemandEnabled</key>\n";
+	print "					<integer>1</integer>\n";
+	print "					<key>OnDemandRules</key>\n";
+	print "					<array>\n";
+	print "						<dict>\n";
+	print "							<key>Action</key>\n";
+	print "							<string>Connect</string>\n";
+	print "						</dict>\n";
+	print "					</array>\n";
+
 	print "				</dict>\n";
 	print "			</dict>\n";
 
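Review bot: the `OnDemandRules` array holds a single `Connect` action with no match criteria, so the device brings the tunnel up on every network, including the site's own LAN where the endpoint is reachable directly; if that is intended, the wiki page should say so and mention that users can switch "Connect on demand" off, otherwise add a `Disconnect` rule matching the local network ahead of the catch-all `Connect`.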
-- 
2.20.1



* [PATCH 14/16] IPsec: Strip @ from IDs in Apple profile
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1e4115e95..2e0dd797d 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1390,14 +1390,28 @@ END
 
 	# Left ID
 	if ($confighash{$key}[9]) {
+		my $leftid = $confighash{$key}[9];
+
+		# Strip leading @ from FQDNs
+		if ($leftid =~ m/^@(.*)$/) {
+			$leftid = $1;
+		}
+
 		print "					<key>LocalIdentifier</key>\n";
-		print "					<string>$confighash{$key}[9]</string>\n";
+		print "					<string>$leftid</string>\n";
 	}
 
 	# Right ID
 	if ($confighash{$key}[7]) {
+		my $rightid = $confighash{$key}[7];
+
+		# Strip leading @ from FQDNs
+		if ($rightid =~ m/^@(.*)$/) {
+			$rightid = $1;
+		}
+
 		print "					<key>RemoteIdentifier</key>\n";
-		print "					<string>$confighash{$key}[7]</string>\n";
+		print "					<string>$rightid</string>\n";
 	}
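Review bot: the two strip blocks are identical; move them into a small helper and call it for both IDs. Also `m/^@(.*)$/` only removes the first `@`, so a key ID written in strongSwan's `@#...` form would be exported as `#...`; restrict the strip to values that look like an FQDN or leave `@#` IDs untouched.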
 
 	if ($confighash{$key}[4] eq "cert") {
-- 
2.20.1



* [PATCH 15/16] Revert "IPsec: Apple: Stop prompting for credentials"
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


This reverts commit eef4cd4b101da0c7ceab0c3386ad755ed242f8d5.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 2e0dd797d..bcbe6227e 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1430,12 +1430,6 @@ END
 	print "					<key>ExtendedAuthEnabled</key>\n";
 	print "					<integer>0</integer>\n";
 
-	# These are not needed, but we provide some default to stop iPhone asking for credentials
-	print "					<key>AuthName</key>\n";
-	print "					<string>$confighash{$key}[1]</string>\n";
-	print "					<key>AuthPassword</key>\n";
-	print "					<string></string>\n";
-
 	# Connect the VPN automatically
 	print "					<key>OnDemandEnabled</key>\n";
 	print "					<integer>1</integer>\n";
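Review bot: this revert undoes PATCH 09/16 from the same series, so the two commits cancel out; drop both before merging instead of carrying an add-then-revert pair in the history, and if the credentials prompt that PATCH 09 was working around no longer appears, say in the commit message what changed.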
-- 
2.20.1



* [PATCH 16/16] IPsec: Add CA certificate in Apple profile
From: Michael Tremer @ 2020-05-28 17:58 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index bcbe6227e..fa97ed531 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1246,13 +1246,23 @@ END
 	my $uuid1 = $uuid->create_str();
 	my $uuid2 = $uuid->create_str();
 
+	my $ca = "";
+	my $ca_uuid = $uuid->create_str();
+
 	my $cert = "";
 	my $cert_uuid = $uuid->create_str();
 
-	# Read and encode certificate
+	# Read and encode the CA & certificate
 	if ($confighash{$key}[4] eq "cert") {
+		my $ca_path = "${General::swroot}/ca/cacert.pem";
 		my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
 
+		# Read the CA and encode it into Base64
+		open(CA, "<${ca_path}");
+		local($/) = undef; # slurp
+		$ca = MIME::Base64::encode_base64(<CA>);
+		close(CA);
+
 		# Read certificate and encode it into Base64
 		open(CERT, "<${cert_path}");
 		local($/) = undef; # slurp
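Review bot: `open(CA, "<${ca_path}")` has no error check, so a missing or unreadable `cacert.pem` silently produces an empty CA payload; use the three-argument form with a lexical filehandle, `open(my $ca_fh, '<', $ca_path) or die ...`, and handle the failure (the same applies to the existing `open(CERT, ...)`). The second `local($/) = undef` in the same block is redundant once the first is in place.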
@@ -1465,6 +1475,25 @@ END
 
 		print "				</data>\n";
 		print "			</dict>\n";
+
+		print "			<dict>\n";
+		print "				<key>PayloadIdentifier</key>\n";
+		print "				<string>org.example.ca</string>\n";
+		print "				<key>PayloadUUID</key>\n";
+		print "				<string>${ca_uuid}</string>\n";
+		print "				<key>PayloadType</key>\n";
+		print "				<string>com.apple.security.root</string>\n";
+		print "				<key>PayloadVersion</key>\n";
+		print "				<integer>1</integer>\n";
+		print "				<key>PayloadContent</key>\n";
+		print "				<data>\n";
+
+		foreach (split /\n/,${ca}) {
+			print "					$_\n";
+		}
+
+		print "				</data>\n";
+		print "			</dict>\n";
 	}
 
 	print "		</array>\n";
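Review bot: `org.example.ca` (like `org.example.vpn1.client` above) is a placeholder identifier in shipped output; Apple uses `PayloadIdentifier` to decide whether two payloads are the same, so derive it from the instance (for example a reverse-DNS string built from the IPFire hostname and the connection name) rather than a fixed example value.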
-- 
2.20.1



* Re: Easy IPsec connections for macOS & iOS
From: Tom Rymes @ 2020-05-28 18:30 UTC (permalink / raw)
  To: development


This is great news, Michael. I do believe that the host and root certs 
need certain requirements for this to work? SANs come to mind.

I believe that this is resolved for new installations, but folks with 
older installs and certificates might run into that old issue.

Tom

On 05/28/2020 1:58 PM, Michael Tremer wrote:
> Hello,
> 
> I have created a couple of patches for review. They introduce creating
> IPsec roadwarrior connections for Apple devices.
> 
> IPsec connections can be easily exported as an XML structure which
> can be imported into any iOS or macOS device.
> 
> Those connections allow that all traffic from that device can be
> routed through an IPFire instance in a data center and split-horizon
> VPNs are supported, too.
> 
> The configuration is as simple as usual although Apple has some
> (sane) requirements to certificate lifetimes and really makes sure
> that they are talking to the correct peer.
> 
> I have added a wiki page that explains how the connection needs to
> be set up:
> 
>    https://wiki.ipfire.org/configuration/services/ipsec/apple
> 
> I would like to encourage everyone to review my patches and test them
> as well as the provided documentation.
> 
> As soon as I have some feedback, I would like to put this patchset
> forward to be merged into the next Core Update.
> 
> Best,
> -Michael
> 
> 


* Re: Easy IPsec connections for macOS & iOS
From: Michael Tremer @ 2020-05-28 18:58 UTC (permalink / raw)
  To: development


Hi,

> On 28 May 2020, at 19:30, Tom Rymes <trymes(a)rymes.com> wrote:
> 
> This is great news, Michael. I do believe that the host and root certs need certain requirements for this to work? SANs come to mind.
> 
> I believe that this is resolved for new installations, but folks with older installs and certificates might run into that old issue.

Yes, that might indeed happen. You might have really really old certificates that use MD5 or SHA1. Those should be replaced anyways.

All new connections will be created with the correct configuration for the certificates.

I still find the whole process a little bit too complicated, but I have no idea how to make it any better with the UI that we have. But luckily no manual intervention is required any more.

-Michael

> 
> Tom
> 
> On 05/28/2020 1:58 PM, Michael Tremer wrote:
>> Hello,
>> I have created a couple of patches for review. They introduce creating
>> IPsec roadwarrior connections for Apple devices.
>> IPsec connections can be easily exported as an XML structure which
>> can be imported into any iOS or macOS device.
>> Those connections allow that all traffic from that device can be
>> routed through an IPFire instance in a data center and split-horizon
>> VPNs are supported, too.
>> The configuration is as simple as usual although Apple has some
>> (sane) requirements to certificate lifetimes and really makes sure
>> that they are talking to the correct peer.
>> I have added a wiki page that explains how the connection needs to
>> be set up:
>>   https://wiki.ipfire.org/configuration/services/ipsec/apple
>> I would like to encourage everyone to review my patches and test them
>> as well as the provided documentation.
>> As soon as I have some feedback, I would like to put this patchset
>> forward to be merged into the next Core Update.
>> Best,
>> -Michael


