Hello,
I have created a couple of patches for review. They introduce creating IPsec roadwarrior connections for Apple devices.
IPsec connections can be easily exported as an XML structure which can be imported into any iOS or macOS device.
Those connections allow all traffic from that device to be routed through an IPFire instance in a data center, and split-horizon VPNs are supported, too.
The configuration is as simple as usual, although Apple has some (sane) requirements on certificate lifetimes and really makes sure that they are talking to the correct peer.
I have added a wiki page that explains how the connection needs to be set up:
https://wiki.ipfire.org/configuration/services/ipsec/apple
I would like to encourage everyone to review my patches and test them as well as the provided documentation.
As soon as I have some feedback, I would like to put this patchset forward to be merged into the next Core Update.
Best, -Michael
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e0f2c7a5e..2d0f57f98 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1007,7 +1007,7 @@ END &General::log("ipsec", "Creating cacert..."); if (open(STDIN, "-|")) { my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; + $opt .= " -days 3650"; $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/private/cakey.pem"; $opt .= " -out ${General::swroot}/ca/cacert.pem"; @@ -1065,7 +1065,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh);
- my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in ${General::swroot}/certs/hostreq.pem"; $opt .= " -out ${General::swroot}/certs/hostcert.pem"; @@ -1552,7 +1552,7 @@ END
# Sign the certificate request &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + my $opt = " ca -md sha256 -days 825"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; @@ -1825,7 +1825,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh);
- my $opt = " ca -md sha256 -days 999999 -batch -notext"; + my $opt = " ca -md sha256 -days 825 -batch -notext"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -extfile $v3extname";
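Review bot: the three `ca` hunks (@@ -1065, @@ -1552, @@ -1825) cut host and client certificate lifetime to 825 days and the @@ -1007 hunk cuts the CA to 3650 days, but nothing here reissues certificates that were already generated with `-days 999999`, so existing installations will keep being rejected by iOS/macOS after this update; the wiki page or the Core Update notes should tell users to regenerate the CA and host certificate (and every client certificate) before trying the Apple export. Second point for the same hunks: vpnmain.cgi has no renewal path, so every certificate-based connection created after this change will stop working a little over two years later with no warning; showing the notAfter date in the connection table, or logging when a certificate is within a few weeks of expiry, would avoid a surprise outage. The 825-day figure itself is the maximum Apple enforces for server certificates issued since mid-2019, so it is a sensible value, and 3650 days for the CA keeps the CA longer-lived than anything it signs.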
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/web-user-interface | 1 + doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++ html/cgi-bin/vpnmain.cgi | 135 ++++++++++++++++++++- html/html/images/apple.png | Bin 0 -> 346 bytes langs/en/cgi-bin/en.pl | 1 + 14 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 html/html/images/apple.png
diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface index 9aaa05631..7d67c346c 100644 --- a/config/rootfiles/common/web-user-interface +++ b/config/rootfiles/common/web-user-interface @@ -117,6 +117,7 @@ srv/web/ipfire/html/images/add.gif srv/web/ipfire/html/images/addblue.gif srv/web/ipfire/html/images/addgreen.gif srv/web/ipfire/html/images/address-book-new.png +srv/web/ipfire/html/images/apple.png srv/web/ipfire/html/images/application-certificate.png srv/web/ipfire/html/images/application-x-executable.png srv/web/ipfire/html/images/applications-accessories.png diff --git a/doc/language_issues.de b/doc/language_issues.de index 2dc986d0a..d53bfa601 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -767,6 +767,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date! WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index 88fa6ed79..dc40a08bb 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -656,6 +656,7 @@ WARNING: untranslated string: downlink = Downlink WARNING: untranslated string: downlink speed = Downlink speed (kbit/sec) WARNING: untranslated string: downlink std class = downlink standard class WARNING: untranslated string: download = download +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download ca certificate = Download CA certificate WARNING: untranslated string: download certificate = Download file WARNING: untranslated string: download host certificate = Download host certificate diff --git a/doc/language_issues.es b/doc/language_issues.es index ef78d6680..933e99eca 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fd10b171e..fd9f8296c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -807,6 +807,7 @@ WARNING: translation string unused: zoneconf val ppp assignment error WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 16ff776b5..e77b1ef3f 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -862,6 +862,7 @@ WARNING: untranslated string: dns use protocol for dns queries = Protocol for DN WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: duration = Duration WARNING: untranslated string: eight hours = 8 Hours WARNING: untranslated string: email config = Configuration diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 328a8e1f2..ca6dec27e 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -865,6 +865,7 @@ WARNING: untranslated string: dnssec aware = DNSSEC Aware WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: drop outgoing = Log dropped outgoing packets WARNING: untranslated string: duration = Duration diff --git a/doc/language_issues.pl b/doc/language_issues.pl index ef78d6680..933e99eca 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -849,6 +849,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 0a579d406..1fed38304 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -853,6 +853,7 @@ WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been WARNING: untranslated string: dnssec not supported = DNSSEC Not supported WARNING: untranslated string: dnssec validating = DNSSEC Validating WARNING: untranslated string: downlink = Downlink +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: download tls-auth key = Download tls-auth key WARNING: untranslated string: dpd delay = Delay WARNING: untranslated string: dpd timeout = Timeout diff --git a/doc/language_issues.tr b/doc/language_issues.tr index d04c99305..c716af76d 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -838,6 +838,7 @@ WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigne WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers +WARNING: untranslated string: download apple profile = Download Apple Configuration Profile WARNING: untranslated string: duration = Duration WARNING: untranslated string: email tls explicit = explicit (STARTTLS) WARNING: untranslated string: email tls implicit = implicit (TLS) diff --git a/doc/language_missings b/doc/language_missings index bfc3ba41f..cff74f9b0 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -32,6 +32,7 @@ < dh name is invalid < dns could not add server < done +< download apple profile < error the to date has to be later than the from date < g.dtm < g.lite @@ -248,6 +249,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay @@ -918,6 +920,7 @@ < ansi t1.483 < bewan adsl pci st < bewan adsl usb +< download apple profile < g.dtm < g.lite < upload fcdsl.o 
@@ -1031,6 +1034,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < duration < eight hours < email config @@ -1397,6 +1401,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < download dh parameter < download tls-auth key < drop outgoing @@ -1878,6 +1883,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay @@ -2729,6 +2735,7 @@ < dns use isp assigned nameservers < dns use protocol for dns queries < downlink +< download apple profile < download dh parameter < download tls-auth key < dpd delay @@ -3422,6 +3429,7 @@ < dns tls hostname < dns use isp assigned nameservers < dns use protocol for dns queries +< download apple profile < duration < email tls explicit < email tls implicit diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2d0f57f98..9c0d72c88 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -19,6 +19,7 @@ # # ###############################################################################
+use MIME::Base64; use Net::DNS; use File::Copy; use File::Temp qw/ tempfile tempdir /; @@ -1178,6 +1179,122 @@ END print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; exit (0);
+# Export Apple profile to browser +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + my $key = $cgiparams{'KEY'}; + + my $uuid1 = "AAAABBBB"; + my $uuid2 = "CCCCDDDD"; + + my $cert = ""; + my $cert_uuid = "123456789"; + + # Read and encode certificate + if ($confighash{$key}[4] eq "cert") { + my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12"; + + # Read certificate and encode it into Base64 + open(CERT, "<${cert_path}"); + local($/) = undef; # slurp + $cert = MIME::Base64::encode_base64(<CERT>); + close(CERT); + } + + print "Content-Type: application/octet-stream\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; + print "\n"; # end headers + + print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"; + print "<plist version="1.0">\n"; + print " <dict>\n"; + print " <key>PayloadDisplayName</key>\n"; + print " <string>$confighash{$key}[1]</string>\n"; + print " <key>PayloadIdentifier</key>\n"; + print " <string>$confighash{$key}[1]</string>\n"; + print " <key>PayloadUUID</key>\n"; + print " <string>${uuid1}</string>\n"; + print " <key>PayloadType</key>\n"; + print " <string>Configuration</string>\n"; + print " <key>PayloadVersion</key>\n"; + print " <integer>1</integer>\n"; + print " <key>PayloadContent</key>\n"; + print " <array>\n"; + print " <dict>\n"; + print " <key>PayloadIdentifier</key>\n"; + print " <string>org.example.vpn1.conf1</string>\n"; + print " <key>PayloadUUID</key>\n"; + print " <string>${uuid2}</string>\n"; + print " <key>PayloadType</key>\n"; + print " <string>com.apple.vpn.managed</string>\n"; + print " <key>PayloadVersion</key>\n"; + print " <integer>1</integer>\n"; + print " <key>UserDefinedName</key>\n"; + print " <string>$confighash{$key}[1]</string>\n"; + print " <key>VPNType</key>\n"; + print " 
<string>IKEv2</string>\n"; + print " <key>IKEv2</key>\n"; + print " <dict>\n"; + print " <key>RemoteAddress</key>\n"; + print " <string>18.206.152.26</string>\n"; + + # Left ID + if ($confighash{$key}[9]) { + print " <key>LocalIdentifier</key>\n"; + print " <string>$confighash{$key}[9]</string>\n"; + } + + # Right ID + if ($confighash{$key}[7]) { + print " <key>RemoteIdentifier</key>\n"; + print " <string>$confighash{$key}[7]</string>\n"; + } + + if ($confighash{$key}[4] eq "cert") { + print " <key>AuthenticationMethod</key>\n"; + print " <string>Certificate</string>\n"; + + print " <key>PayloadCertificateUUID</key>\n"; + print " <string>${cert_uuid}</string>\n"; + } else { + print " <key>AuthenticationMethod</key>\n"; + print " <string>SharedSecret</string>\n"; + print " <key>SharedSecret</key>\n"; + print " <string>$confighash{$key}[5]</string>\n"; + } + + print " <key>ExtendedAuthEnabled</key>\n"; + print " <integer>0</integer>\n"; + print " </dict>\n"; + print " </dict>\n"; + + if ($confighash{$key}[4] eq "cert") { + print " <dict>\n"; + print " <key>PayloadIdentifier</key>\n"; + print " <string>org.example.vpn1.client</string>\n"; + print " <key>PayloadUUID</key>\n"; + print " <string>${cert_uuid}</string>\n"; + print " <key>PayloadType</key>\n"; + print " <string>com.apple.security.pkcs12</string>\n"; + print " <key>PayloadVersion</key>\n"; + print " <integer>1</integer>\n"; + print " <key>PayloadContent</key>\n"; + print " <data>\n"; + + foreach (split /\n/,${cert}) { + print " $_\n"; + } + + print " </data>\n"; + print " </dict>\n"; + } + + print " </array>\n"; + print " </dict>\n"; + print "</plist>\n"; + + # Done + exit(0); ### ### Display certificate ### 
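Review bot: `print "<plist version="1.0">\n";` in the export hunk has unescaped inner double quotes, which is a Perl syntax error, so this branch cannot have been executed as posted; it needs `\"1.0\"`, and the output should also start with an `<?xml version="1.0" encoding="UTF-8"?>` declaration before the DOCTYPE. The `RemoteAddress` value `18.206.152.26`, the identifiers `org.example.vpn1.conf1` / `org.example.vpn1.client` and the UUIDs `AAAABBBB` / `CCCCDDDD` / `123456789` are placeholders; fixed identifiers and UUIDs mean a second exported connection installed on the same device is treated as the same profile as the first, so they need to be derived from the connection (for example from the connection name and the endpoint). `$confighash{$key}[1]`, `[5]` (the PSK), `[7]` and `[9]` are interpolated into `<string>` elements without XML escaping, so a name or pre-shared key containing `<` or `&` produces a profile that will not import; escape them or build the plist with a serializer. `$cgiparams{'KEY'}` is used without checking that it exists in `%confighash` (the other export branches in this file do check), and the return value of `open(CERT, ...)` is ignored, so a missing .p12 silently yields an empty `<data>` element. The `Content-Disposition` filename is built from the connection name without quoting. Two questions on the certificate branch: the `com.apple.security.pkcs12` payload carries no `Password` key, so the user will be asked for the .p12 passphrase at import, which should be documented on the wiki page; and there is no `com.apple.security.root` payload for the IPFire CA and no `ServerCertificateIssuerCommonName` / `ServerCertificateCommonName` under `IKEv2`, which are what Apple uses to verify it is talking to the right peer, so please confirm against the wiki page that the client validates the server certificate without them. Note also that for PSK connections the downloaded file contains the shared secret in clear text, which is fine behind the admin login but should be stated next to the download button.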
@@ -2982,7 +3099,7 @@ END <th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th> <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th> + <th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th> </tr> END ; @@ -3082,6 +3199,22 @@ END } else { print "<td width='2%' $col> </td>"; } + + # Apple Profile + if ($confighash{$key}[3] eq 'host') { + print <<END; + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> +END + } else { + print "<td width='2%' $col> </td>"; + } + print <<END <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> diff --git a/html/html/images/apple.png b/html/html/images/apple.png new file mode 100644 index 0000000000000000000000000000000000000000..6571a749b693911b9c616b29a6b749b409935853 GIT binary patch literal 346 zcmeAS@N?(olHy`uVBq!ia0vp^A|TAc1|)ksWqE-VOR<w@2nP_<aHMnq`J4qFk;M!Q z+`=Ht$S`Y;1W@pgr;B5VMeo|n3%y+&1&)90SAU^usKGW{;e_aamc?fi3^}5X<b2Qn zkkiz0@`3z=`3c6HQMzor<s4k$A@_{mSXXqsyZ!ZNb7ShvpXbh;)A_&Vr2UaKiE{qA zlgkTRg{pHCFRV{c*4ffp`k{?K=eSIA{*IQ^Jqe38G4DxQx~gPKkT1WvQ*~<SP0PMk z$Da50g>5e-as->B0w#;z=wb9XPEh5Wee3MXypEOc8~ondH1Ay2V|w?oEt`%}g2C)Z zCR5BO#0eMt*&6iL??zAj*4dmoA2oFT_P=^$DO_>o$~Ql@9ECz-J>djav!H~Q|CLSb nF$uD(ZyYzx+c=dgd#Qd-dzV1X{ntx?;lSYO>gTe~DWM4fVRMKG
literal 0 HcmV?d00001
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ff08bce0c..aaf1d4978 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -906,6 +906,7 @@ 'downlink speed' => 'Downlink speed (kbit/sec)', 'downlink std class' => 'downlink standard class', 'download' => 'download', +'download apple profile' => 'Download Apple Configuration Profile', 'download ca certificate' => 'Download CA certificate', 'download certificate' => 'Download file', 'download dh parameter' => 'Download Diffie-Hellman parameters',
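The export handler in the vpnmain.cgi hunk above writes the plist as a sequence of print statements. As an added example, not IPFire code and not part of this series, here is the same IKEv2 profile built with Python's standard-library plist serializer, which escapes every value for XML, derives stable name-based UUIDs instead of placeholder strings, and takes the public endpoint as a parameter. The payload keys are the ones the patch uses; the connection record, the `org.ipfire.vpn` identifier prefix and the UUID namespace are constructed assumptions.

```python
"""Build an Apple IKEv2 .mobileconfig with a plist serializer.

Added example, not IPFire code. It mirrors the payload keys that vpnmain.cgi
prints (com.apple.vpn.managed, IKEv2, com.apple.security.pkcs12) but lets
plistlib do the XML escaping and base64 encoding, and derives every UUID from
the endpoint and connection name so a re-downloaded profile keeps its identity.
"""
import plistlib
import uuid

# Assumed fixed namespace for name-based UUIDs (the RFC 4122 DNS namespace is
# used here only because it is a well-known constant; any fixed UUID works).
NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")


def stable_uuid(*parts):
    """Deterministic version-5 UUID from the given name parts."""
    return str(uuid.uuid5(NAMESPACE, "/".join(parts))).upper()


def build_profile(endpoint, conn, p12_bytes=None):
    """Return the .mobileconfig bytes for one road-warrior connection.

    endpoint is the public IP or FQDN of the IPFire box. conn is a dict with
    name, auth ('psk' or 'cert'), optional local_id / remote_id and, for PSK
    connections, psk. For certificate connections p12_bytes is the PKCS#12 blob.
    """
    ident = "org.ipfire.vpn.%s" % conn["name"]  # assumed reverse-DNS prefix
    ike = {"RemoteAddress": endpoint, "ExtendedAuthEnabled": 0}
    if conn.get("local_id"):
        ike["LocalIdentifier"] = conn["local_id"]
    if conn.get("remote_id"):
        ike["RemoteIdentifier"] = conn["remote_id"]

    vpn_payload = {
        "PayloadIdentifier": ident + ".vpn",
        "PayloadUUID": stable_uuid(endpoint, conn["name"], "vpn"),
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "UserDefinedName": conn["name"],
        "VPNType": "IKEv2",
        "IKEv2": ike,
    }
    payloads = [vpn_payload]

    if conn["auth"] == "cert":
        if p12_bytes is None:
            raise ValueError("certificate auth needs the PKCS#12 blob")
        cert_uuid = stable_uuid(endpoint, conn["name"], "pkcs12")
        ike["AuthenticationMethod"] = "Certificate"
        ike["PayloadCertificateUUID"] = cert_uuid
        payloads.append({
            "PayloadIdentifier": ident + ".pkcs12",
            "PayloadUUID": cert_uuid,
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadContent": p12_bytes,  # bytes become a base64 <data> element
        })
    else:
        if not conn.get("psk"):
            raise ValueError("PSK auth needs a shared secret")
        ike["AuthenticationMethod"] = "SharedSecret"
        ike["SharedSecret"] = conn["psk"]

    top = {
        "PayloadDisplayName": conn["name"],
        "PayloadIdentifier": ident,
        "PayloadUUID": stable_uuid(endpoint, conn["name"]),
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(top, fmt=plistlib.FMT_XML)


def parse_profile(data):
    """Parse profile bytes back into a dict (what the device does on import)."""
    return plistlib.loads(data)


# Constructed sample record. The PSK deliberately contains XML metacharacters
# to show that hand-printed <string> tags would produce an invalid profile.
SAMPLE_CONN = {
    "name": "laptop1",
    "auth": "psk",
    "local_id": "@laptop1",
    "remote_id": "@vpn.example.org",
    "psk": 'a<b&c"d',
}

if __name__ == "__main__":
    print(build_profile("vpn.example.org", SAMPLE_CONN).decode())
```

Because the UUIDs are a function of endpoint and connection name, downloading the profile twice yields byte-identical output, and the device can replace the installed profile instead of adding a second copy; changing the endpoint changes every UUID, which is the desired behaviour since the old profile points at a different peer.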
This module is required to generate UUIDs in Perl
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/perl-Data-UUID | 7 +++ lfs/perl-Data-UUID | 77 ++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 85 insertions(+) create mode 100644 config/rootfiles/common/perl-Data-UUID create mode 100644 lfs/perl-Data-UUID
diff --git a/config/rootfiles/common/perl-Data-UUID b/config/rootfiles/common/perl-Data-UUID new file mode 100644 index 000000000..69b7c3186 --- /dev/null +++ b/config/rootfiles/common/perl-Data-UUID @@ -0,0 +1,7 @@ +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data +usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Data/UUID.pm +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID +#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/.packlist +usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Data/UUID/UUID.so +#usr/share/man/man3/Data::UUID.3 diff --git a/lfs/perl-Data-UUID b/lfs/perl-Data-UUID new file mode 100644 index 000000000..e3eee182b --- /dev/null +++ b/lfs/perl-Data-UUID 
@@ -0,0 +1,77 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.224 + +THISAPP = Data-UUID-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 71510bbcce760c394591fca83a9b5e6d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 4acce807f..9117dd3ec 100755 --- a/make.sh +++ b/make.sh @@ -1301,6 +1301,7 @@ buildipfire() { lfsmake2 perl-Device-SerialPort lfsmake2 perl-Device-Modem lfsmake2 perl-Apache-Htpasswd + lfsmake2 perl-Data-UUID lfsmake2 gnupg lfsmake2 hdparm lfsmake2 sdparm
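Review bot: `$(DL_FILE)_MD5` is the only integrity check on the tarball fetched from `$(URL_IPFIRE)`, which is the convention of the other lfs files, so the value should be taken from the upstream Data-UUID-1.224 release rather than from a locally re-packed archive. Two things to verify before this is used from vpnmain.cgi: Data::UUID generates time-based (version 1) UUIDs, so the node part is derived from a MAC address and the clock, which is harmless for payload identifiers but means every exported profile carries that value; and the module persists its generator state in files in the temp directory, so check that the CGI running as the web server user can create them and that a state file left behind by root (for example from a test on the console) does not make the CGI die. Minor: the copyright header reads 2007-2018 while the rootfile already targets perl 5.30.0.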
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 9c0d72c88..c004b6087 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -19,6 +19,7 @@ # # ###############################################################################
+use Data::UUID; use MIME::Base64; use Net::DNS; use File::Copy; @@ -1184,11 +1185,14 @@ END &General::readhasharray("${General::swroot}/vpn/config", %confighash); my $key = $cgiparams{'KEY'};
- my $uuid1 = "AAAABBBB"; - my $uuid2 = "CCCCDDDD"; + # Create a UUID generator + my $uuid = Data::UUID->new(); + + my $uuid1 = $uuid->create_str(); + my $uuid2 = $uuid->create_str();
my $cert = ""; - my $cert_uuid = "123456789"; + my $cert_uuid = $uuid->create_str();
# Read and encode certificate if ($confighash{$key}[4] eq "cert") {
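Review bot: `create_str()` returns a fresh UUID on every request, so each download of the profile for the same connection carries different `PayloadUUID` values, and the device treats the re-downloaded file as a new profile rather than an update of the installed one, leaving the old one in place. Data::UUID also provides name-based generation (`create_from_name_str` with a namespace UUID and a name), so deriving the three UUIDs from the connection name plus the endpoint would make the export reproducible and let re-imports replace the previous profile; the fixed `org.example.vpn1.*` PayloadIdentifier strings from the previous patch should be made connection-specific in the same way.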
This is the IP address or FQDN which will be written into Apple Configuration profiles as public peer address.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_issues.de | 2 ++ doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 ++ doc/language_issues.it | 2 ++ doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 ++ doc/language_missings | 16 ++++++++++++++++ html/cgi-bin/vpnmain.cgi | 21 ++++++++++++++++++++- langs/en/cgi-bin/en.pl | 2 ++ 12 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index d53bfa601..4c4a37742 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -800,6 +800,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index dc40a08bb..9bef2930c 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1169,9 +1169,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: iptmangles = IPTable Mangles 
diff --git a/doc/language_issues.es b/doc/language_issues.es index 933e99eca..57a20d214 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fd9f8296c..3fe75fd07 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -839,6 +839,8 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index e77b1ef3f..53cd94b90 100644 
--- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -986,8 +986,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.nl b/doc/language_issues.nl index ca6dec27e..85a9cd587 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -995,8 +995,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 933e99eca..57a20d214 100644 --- a/doc/language_issues.pl 
+++ b/doc/language_issues.pl @@ -1150,9 +1150,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 1fed38304..6ed13933a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1152,9 +1152,11 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel WARNING: untranslated string: ipsec network = IPsec network +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit 
diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c716af76d..8821371f7 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -912,8 +912,10 @@ WARNING: untranslated string: ipsec connection = IPsec Connection WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI +WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec mode transport = Transport WARNING: untranslated string: ipsec mode tunnel = Tunnel +WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit diff --git a/doc/language_missings b/doc/language_missings index cff74f9b0..3034db5ba 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -37,6 +37,8 @@ < g.dtm < g.lite < insert removable device +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < no entries < notes < okay @@ -568,10 +570,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -923,6 +927,8 @@ < download apple profile < g.dtm < g.lite +< ipsec invalid ip address or fqdn for rw endpoint +< ipsec roadwarrior endpoint < upload fcdsl.o ############################################################################ # Checking cgi-bin translations for language: it # 
@@ -1135,8 +1141,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -1509,8 +1517,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -2204,10 +2214,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -3060,10 +3072,12 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel < ipsec network < ipsec no connections +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit @@ -3472,8 +3486,10 @@ < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti +< ipsec invalid ip address or fqdn for rw endpoint < ipsec mode transport < ipsec mode tunnel +< ipsec roadwarrior endpoint < ipsec routing table entries < ipsec settings < itlb multihit diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index c004b6087..61efcc72c 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -26,6 +26,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Sort::Naturally; +use Sys::Hostname; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; 
@@ -112,6 +113,7 @@ $cgiparams{'ROOTCERT_EMAIL'} = ''; $cgiparams{'ROOTCERT_OU'} = ''; $cgiparams{'ROOTCERT_CITY'} = ''; $cgiparams{'ROOTCERT_STATE'} = ''; +$cgiparams{'RW_ENDPOINT'} = ''; $cgiparams{'RW_NET'} = ''; $cgiparams{'DPD_DELAY'} = '30'; $cgiparams{'DPD_TIMEOUT'} = '120'; @@ -507,12 +509,18 @@ if ($ENV{"REMOTE_ADDR"} eq "") { if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/vpn/settings", %vpnsettings);
+ if ($cgiparams{'RW_ENDPOINT'} ne '' && !&General::validip($cgiparams{'RW_ENDPOINT'}) && !&General::validfqdn($cgiparams{'RW_ENDPOINT'})) { + $errormessage = $Lang::tr{'ipsec invalid ip address or fqdn for rw endpoint'}; + goto SAVE_ERROR; + } + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; goto SAVE_ERROR; }
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'RW_ENDPOINT'} = $cgiparams{'RW_ENDPOINT'}; $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); &writeipsecfiles(); @@ -1182,6 +1190,10 @@ END
# Export Apple profile to browser } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) { + # Read global configuration + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + + # Read connections &General::readhasharray("${General::swroot}/vpn/config", %confighash); my $key = $cgiparams{'KEY'};
@@ -1209,6 +1221,9 @@ END print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n"; print "\n"; # end headers
+ # Use our own FQDN if nothing else is configured + my $endpoint = ($vpnsettings{'RW_ENDPOINT'} ne "") ? $vpnsettings{'RW_ENDPOINT'} : &hostname(); + print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"; print "<plist version="1.0">\n"; print " <dict>\n"; @@ -1240,7 +1255,7 @@ END print " <key>IKEv2</key>\n"; print " <dict>\n"; print " <key>RemoteAddress</key>\n"; - print " <string>18.206.152.26</string>\n"; + print " <string>$endpoint</string>\n";
# Left ID if ($confighash{$key}[9]) { @@ -3081,6 +3096,10 @@ EOF <input type='checkbox' name='ENABLED' $checked{'ENABLED'} /> </td> </tr> + <tr> + <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'ipsec roadwarrior endpoint'}:</td> + <td width="40%"><input type='text' name='RW_ENDPOINT' value='$cgiparams{'RW_ENDPOINT'}' /></td> + </tr> <tr> <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td> <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index aaf1d4978..54e8c404a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1550,10 +1550,12 @@ 'ipsec interface mode gre' => 'GRE', 'ipsec interface mode none' => '- None (Default) -', 'ipsec interface mode vti' => 'VTI', +'ipsec invalid ip address or fqdn for rw endpoint' => 'Invalid IP address or FQDN for Host-to-Net Endpoint', 'ipsec mode transport' => 'Transport', 'ipsec mode tunnel' => 'Tunnel', 'ipsec network' => 'IPsec network', 'ipsec no connections' => 'No active IPsec connections', +'ipsec roadwarrior endpoint' => 'Host-to-Net Endpoint', 'ipsec routing table entries' => 'IPsec Routing Table Entries', 'ipsec settings' => 'IPsec Settings', 'iptable rules' => 'IPTable rules',
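Review bot: the `&hostname()` fallback on the `RemoteAddress` line is a weak default. Sys::Hostname returns the kernel's hostname, which is commonly a short name without a domain and not resolvable from a client out on the internet, so a profile exported with `RW_ENDPOINT` left empty can point at an endpoint the device cannot reach. Either refuse the Apple export until `RW_ENDPOINT` is set (an error instead of the fallback) or build the fallback from the configured host and domain name. The save-path check is otherwise sound: `validip`/`validfqdn` restrict the value to characters that are also safe inside the plist, but the value is not trimmed before checking, so a stray trailing space is rejected; trim it first.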
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 61efcc72c..f5b1186a8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1259,27 +1259,27 @@ END
# Left ID if ($confighash{$key}[9]) { - print " <key>LocalIdentifier</key>\n"; - print " <string>$confighash{$key}[9]</string>\n"; + print " <key>LocalIdentifier</key>\n"; + print " <string>$confighash{$key}[9]</string>\n"; }
# Right ID if ($confighash{$key}[7]) { - print " <key>RemoteIdentifier</key>\n"; - print " <string>$confighash{$key}[7]</string>\n"; + print " <key>RemoteIdentifier</key>\n"; + print " <string>$confighash{$key}[7]</string>\n"; }
if ($confighash{$key}[4] eq "cert") { - print " <key>AuthenticationMethod</key>\n"; - print " <string>Certificate</string>\n"; + print " <key>AuthenticationMethod</key>\n"; + print " <string>Certificate</string>\n";
- print " <key>PayloadCertificateUUID</key>\n"; - print " <string>${cert_uuid}</string>\n"; + print " <key>PayloadCertificateUUID</key>\n"; + print " <string>${cert_uuid}</string>\n"; } else { - print " <key>AuthenticationMethod</key>\n"; - print " <string>SharedSecret</string>\n"; - print " <key>SharedSecret</key>\n"; - print " <string>$confighash{$key}[5]</string>\n"; + print " <key>AuthenticationMethod</key>\n"; + print " <string>SharedSecret</string>\n"; + print " <key>SharedSecret</key>\n"; + print " <string>$confighash{$key}[5]</string>\n"; }
print " <key>ExtendedAuthEnabled</key>\n";
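Review bot: indentation-only hunk, nothing functional changes here. While in this block: for PSK connections the profile embeds `$confighash{$key}[5]` in cleartext under `<key>SharedSecret</key>`, so the downloaded `.mobileconfig` is exactly as sensitive as the PSK itself. That deserves a warning next to the download link in the UI, and a `Cache-Control: no-store` header alongside the `Content-Disposition` header so the browser does not keep a copy.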
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index f5b1186a8..816136c92 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1257,6 +1257,13 @@ END print " <key>RemoteAddress</key>\n"; print " <string>$endpoint</string>\n";
+ # PFS + my $pfs = $confighash{$key}[28]; + if ($pfs eq "on") { + print " <key>EnablePFS</key>\n"; + print " <true/>\n"; + } + # Left ID if ($confighash{$key}[9]) { print " <key>LocalIdentifier</key>\n";
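Review bot: `EnablePFS` is emitted as `<true/>` while the other flag in this payload, `ExtendedAuthEnabled`, is written as `<integer>0</integer>`; Apple's profile reference types EnablePFS as an integer as well, so `<integer>1</integer>` keeps the payload consistent and avoids a type mismatch on import. Nothing is written when PFS is off, which relies on the client default; an explicit `<integer>0</integer>` in an else branch makes the exported profile self-describing.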
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 110 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 816136c92..7011454fa 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -126,6 +126,35 @@ $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; &Header::getcgihash(%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
+my %APPLE_CIPHERS = ( + "aes256gcm128" => "AES-256-GCM", + "aes128gcm128" => "AES-128-GCM", + "aes256" => "AES-256", + "aes128" => "AES-128", + "3des" => "3DES", +); + +my %APPLE_INTEGRITIES = ( + "sha2_512" => "SHA2-512", + "sha2_384" => "SHA2-384", + "sha2_256" => "SHA2-256", + "sha1" => "SHA1-160", +); + +my %APPLE_DH_GROUPS = ( + "768" => 1, + "1024" => 2, + "1536" => 5, + "2048" => 14, + "3072" => 15, + "4096" => 16, + "6144" => 17, + "8192" => 18, + "e256" => 19, + "e384" => 20, + "e521" => 21, +); + ### ### Useful functions ### @@ -1264,6 +1293,87 @@ END print " <true/>\n"; }
+ # IKE Cipher Suite + print " <key>IKESecurityAssociationParameters</key>\n"; + print " <dict>\n"; + + # Encryption + foreach my $cipher (split(/|/,$confighash{$key}[18])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " <key>EncryptionAlgorithm</key>\n"; + print " <string>$APPLE_CIPHERS{$cipher}</string>\n"; + last; + } + + # Integrity + foreach my $integrity (split(/|/,$confighash{$key}[19])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " <key>IntegrityAlgorithm</key>\n"; + print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/|/,$confighash{$key}[20])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " <key>DiffieHellmanGroup</key>\n"; + print " <string>$APPLE_DH_GROUPS{$group}</string>\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[16] * 60; + print " <key>LifeTimeInMinutes</key>\n"; + print " <integer>$lifetime</integer>\n"; + print " </dict>\n"; + + # ESP Cipher Suite + print " <key>ChildSecurityAssociationParameters</key>\n"; + print " <dict>\n"; + + # Encryption + foreach my $cipher (split(/|/,$confighash{$key}[21])) { + # Skip all unsupported ciphers + next unless (exists $APPLE_CIPHERS{$cipher}); + + print " <key>EncryptionAlgorithm</key>\n"; + print " <string>$APPLE_CIPHERS{$cipher}</string>\n"; + last; + } + + # Integrity + foreach my $integrity (split(/|/,$confighash{$key}[22])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_INTEGRITIES{$integrity}); + + print " <key>IntegrityAlgorithm</key>\n"; + print " <string>$APPLE_INTEGRITIES{$integrity}</string>\n"; + last; + } + + # Diffie Hellman Groups + foreach my $group (split(/|/,$confighash{$key}[23])) { + # Skip all unsupported algorithms + next unless (exists $APPLE_DH_GROUPS{$group}); + + print " <key>DiffieHellmanGroup</key>\n"; + print " 
<string>$APPLE_DH_GROUPS{$group}</string>\n"; + last; + } + + # Lifetime + my $lifetime = $confighash{$key}[17] * 60; + print " <key>LifeTimeInMinutes</key>\n"; + print " <integer>$lifetime</integer>\n"; + print " </dict>\n"; + + # Left ID if ($confighash{$key}[9]) { print " <key>LocalIdentifier</key>\n";
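Review bot: when none of the configured algorithms is present in `%APPLE_CIPHERS`, `%APPLE_INTEGRITIES` or `%APPLE_DH_GROUPS`, the `next unless (exists ...)` / `last` loops emit no key at all and the device silently falls back to its platform default, which may not be in the server's proposal; the export should fail with an error in that case rather than produce a profile that cannot connect. Related: the maps include `3des`, `sha1` and the 768/1024-bit groups (1 and 2), and because each loop takes the first match in the configured order, a legacy algorithm listed first is exported as-is. Dropping those entries from the maps makes the loop skip them and pick the next supported algorithm. Two smaller points: `DiffieHellmanGroup` is printed inside `<string>`, but the profile reference types it as an integer, so `<integer>$APPLE_DH_GROUPS{$group}</integer>` is the safer form; and `my $lifetime` is declared twice in the same scope (IKE block and ESP block), which becomes a "masks earlier declaration" warning as soon as `use warnings` is switched on, so reuse or rename the variable.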
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 7011454fa..0d141cb88 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1401,6 +1401,12 @@ END
print " <key>ExtendedAuthEnabled</key>\n"; print " <integer>0</integer>\n"; + + # These are not needed, but we provide some default to stop iPhone asking for credentials + print " <key>AuthName</key>\n"; + print " <string>$confighash{$key}[1]</string>\n"; + print " <key>AuthPassword</key>\n"; + print " <string></string>\n"; print " </dict>\n"; print " </dict>\n";
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_issues.de | 2 +- doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 +- doc/language_issues.it | 2 +- doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 +- doc/language_missings | 8 ++++++ html/cgi-bin/vpnmain.cgi | 54 ++++++++++++++++++++++++++++++++++------ langs/en/cgi-bin/en.pl | 1 + 12 files changed, 69 insertions(+), 12 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index 4c4a37742..ab074d94d 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -219,7 +219,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set @@ -800,6 +799,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: no entries = No entries at the moment. diff --git a/doc/language_issues.en b/doc/language_issues.en index 9bef2930c..c05fc0800 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -624,6 +624,7 @@ WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns proxy server = DNS Proxy Server WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns title = Domain Name System WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers 
@@ -1166,6 +1167,7 @@ WARNING: untranslated string: ipfires hostname = IPFire's Hostname WARNING: untranslated string: ipinfo = IP info WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.es b/doc/language_issues.es index 57a20d214..376af0dc4 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 3fe75fd07..c52ef3972 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -246,7 +246,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set @@ -839,6 +838,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.it b/doc/language_issues.it index 53cd94b90..be1f9c351 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -220,7 +220,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnsforward forward_server WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list 
@@ -983,6 +982,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 85a9cd587..21e1e8daa 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -856,6 +856,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries 
@@ -992,6 +993,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 57a20d214..376af0dc4 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries 
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 6ed13933a..dc8d83beb 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -837,6 +837,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati WARNING: untranslated string: dns no address given = No IP Address given. WARNING: untranslated string: dns no tls hostname given = No TLS hostname given. WARNING: untranslated string: dns recursor mode = Recursor Mode +WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dns tls hostname = TLS Hostname WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries @@ -1149,6 +1150,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol WARNING: untranslated string: ipsec = IPsec WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI 
diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 8821371f7..dd4d24ae3 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -242,7 +242,6 @@ WARNING: translation string unused: dns new 1 WARNING: translation string unused: dns saved WARNING: translation string unused: dns saved txt WARNING: translation string unused: dns server -WARNING: translation string unused: dns servers WARNING: translation string unused: dnsforward forward_server WARNING: translation string unused: dnssec information WARNING: translation string unused: do not log this port list @@ -909,6 +908,7 @@ WARNING: untranslated string: invalid input for local ip address = Invalid input WARNING: untranslated string: invalid input for mode = Invalid input for mode WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname WARNING: untranslated string: ipsec connection = IPsec Connection +WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec interface mode gre = GRE WARNING: untranslated string: ipsec interface mode none = - None (Default) - WARNING: untranslated string: ipsec interface mode vti = VTI diff --git a/doc/language_missings b/doc/language_missings index 3034db5ba..fe0713fdf 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -37,6 +37,7 @@ < g.dtm < g.lite < insert removable device +< ipsec dns server address is invalid < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < no entries @@ -567,6 +568,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -927,6 +929,7 @@ < download apple profile < g.dtm < g.lite +< ipsec dns server address is invalid < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < upload fcdsl.o 
@@ -1138,6 +1141,7 @@ < invalid ip or hostname < invalid logserver protocol < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -1514,6 +1518,7 @@ < invalid ip or hostname < invalid logserver protocol < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -2211,6 +2216,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -3069,6 +3075,7 @@ < invalid logserver protocol < ipsec < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti @@ -3483,6 +3490,7 @@ < invalid input for mode < invalid ip or hostname < ipsec connection +< ipsec dns server address is invalid < ipsec interface mode gre < ipsec interface mode none < ipsec interface mode vti diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 0d141cb88..93120ea44 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel"; $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; +$cgiparams{'DNS_SERVERS'} = ""; &Header::getcgihash(%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
my %APPLE_CIPHERS = ( @@ -511,6 +512,13 @@ sub writeipsecfiles { # Fragmentation print CONF "\tfragmentation=yes\n";
+ # DNS Servers for RW + if ($lconfighash{$key}[3] eq 'host') { + my @servers = split(/|/, $lconfighash{$key}[39]); + + print CONF "\trightdns=" . join(",", @servers) . "\n"; + } + print CONF "\n"; } #foreach key
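Review bot: `rightdns=` is written for every host-to-net connection even when field [39] is empty, which leaves a bare `rightdns=` line in the generated ipsec.conf; guard it with `if (@servers)` so the option is only emitted when servers are actually configured. Since this line is built from stored data rather than from the request, the CGI-side check (`Network::check_ip_address` on every entry before the field is stored) is the right place to make sure nothing but addresses can reach it, and it should stay mandatory.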
@@ -1612,6 +1620,7 @@ END $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1745,6 +1754,16 @@ END } }
+ if ($cgiparams{'TYPE'} eq 'host') { + my @servers = split(",", $cgiparams{'DNS_SERVERS'}); + foreach my $server (@servers) { + unless (&Network::check_ip_address($server)) { + $errormessage = $Lang::tr{'ipsec dns server address is invalid'}; + goto VPNCONF_ERROR; + } + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -2147,7 +2166,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2198,6 +2217,7 @@ END $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'}; + $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
# free unused fields! $confighash{$key}[15] = 'off'; @@ -2280,6 +2300,7 @@ END $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; + $cgiparams{'DNS_SERVERS'} = ""; }
VPNCONF_ERROR: @@ -2376,11 +2397,8 @@ END EOF }
- my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { - $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + my $blob = ""; + if ($cgiparams{'TYPE'} eq 'net') { $blob = "<img src='/blob.gif' alt='*' />"; };
@@ -2390,6 +2408,9 @@ EOF my @remote_subnets = split(/|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets);
+ my @dns_servers = split(/|/, $cgiparams{'DNS_SERVERS'}); + my $dns_servers = join(",", @dns_servers); + print <<END; <tr> <td width='20%'>$Lang::tr{'enabled'}</td> @@ -2425,10 +2446,26 @@ END <td width='30%'> <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" /> </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> +END + + if ($cgiparams{'TYPE'} eq "net") { + print <<END; + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" /> + </td> +END + + } elsif ($cgiparams{'TYPE'} eq "host") { + print <<END; + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td> <td width='30%'> - <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" /> + <input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" /> </td> +END + } + + print <<END; </tr> <tr> <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> @@ -2764,6 +2801,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39];
if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 54e8c404a..adc04f6b3 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1547,6 +1547,7 @@ 'ipinfo' => 'IP info', 'ipsec' => 'IPsec', 'ipsec connection' => 'IPsec Connection', +'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)', 'ipsec interface mode gre' => 'GRE', 'ipsec interface mode none' => '- None (Default) -', 'ipsec interface mode vti' => 'VTI',
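Review bot: the DNS_SERVERS validation splits on `,` and hands each element straight to `Network::check_ip_address`, so a value such as `1.1.1.1, 9.9.9.9` with a space after the comma is rejected; trim each element before checking, and use the same trimmed list for the `join("|", ...)` that stores the field. In the form hunk, `$blob` is still initialised and set for type `net`, but the only visible use was the removed `remote subnet` line, which now hardcodes the `<img src='/blob.gif' alt='*' />`; either drop `$blob` or use it there. The `REMOTE_SUBNET` input is no longer rendered at all for host connections (it used to be rendered disabled), so make sure the save path does not depend on that parameter being submitted for type `host`.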
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 93120ea44..85c4584e1 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -350,6 +350,12 @@ sub writeipsecfiles {
print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; + + # Always send the host certificate + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tleftsendcert=always\n"; + } + print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
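Review bot: `leftsendcert=always` is keyed only on `$lconfighash{$key}[3] eq 'host'`, so it is also written for PSK-authenticated roadwarrior connections, where there is no certificate to send; guard it with the auth type as well (`&& $lconfighash{$key}[4] eq 'cert'`, the same field the profile-export code later tests). The comment says what the line does but not why it is needed for the Apple clients this series targets (the strongSwan default only sends the certificate when the peer asks for it); record the reason so the line is not removed as redundant later.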
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 85c4584e1..9353a2f0d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1428,6 +1428,8 @@ END print " <dict>\n"; print " <key>PayloadIdentifier</key>\n"; print " <string>org.example.vpn1.client</string>\n"; + print " <key>PayloadDisplayName</key>\n"; + print " <string>$confighash{$key}[1]</string>\n"; print " <key>PayloadUUID</key>\n"; print " <string>${cert_uuid}</string>\n"; print " <key>PayloadType</key>\n";
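Review bot: `$confighash{$key}[1]` (the connection name) is interpolated straight into the plist `<string>` element in the added PayloadDisplayName lines, as the existing code already does for AuthName; unless the name is restricted to a safe character set when the connection is created (that validation is not in this patch), an `&`, `<` or `>` in the name produces a profile that is not well-formed XML and is rejected on import. Escape it once when `$key` is loaded (for example with HTML::Entities::encode_entities, or a `s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g` chain) and reuse the escaped value everywhere it is printed. The fixed `org.example.vpn1.client` PayloadIdentifier on the line above deserves the same attention: reverse-DNS payload identifiers are meant to be unique, and every exported connection currently shares this one.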
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 9353a2f0d..1e4115e95 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1421,6 +1421,18 @@ END print " <string>$confighash{$key}[1]</string>\n"; print " <key>AuthPassword</key>\n"; print " <string></string>\n"; + + # Connect the VPN automatically + print " <key>OnDemandEnabled</key>\n"; + print " <integer>1</integer>\n"; + print " <key>OnDemandRules</key>\n"; + print " <array>\n"; + print " <dict>\n"; + print " <key>Action</key>\n"; + print " <string>Connect</string>\n"; + print " </dict>\n"; + print " </array>\n"; + print " </dict>\n"; print " </dict>\n";
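Review bot: The added block ends with its own `print " </dict>\n";` immediately before the pre-existing `</dict>`, while the only dictionary it opens is the one inside the OnDemandRules array, which it also closes; with 12 insertions and no deletions the hunk adds one more closing tag than opening tag, so please check that the generated XML still nests. Placement is the related question: OnDemandEnabled and OnDemandRules are keys of the VPN payload itself, whereas the AuthName/AuthPassword keys they are printed after belong to the inner IKEv2 dictionary, so these lines should be emitted after that dictionary is closed rather than inside it. Functionally, a single `Connect` rule with no match criteria brings the tunnel up on every network, which matches the cover letter's goal of routing all traffic through IPFire; for the split-horizon case a UI switch to disable on-demand would be worth adding.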
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 1e4115e95..2e0dd797d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1390,14 +1390,28 @@ END
# Left ID if ($confighash{$key}[9]) { + my $leftid = $confighash{$key}[9]; + + # Strip leading @ from FQDNs + if ($leftid =~ m/^@(.*)$/) { + $leftid = $1; + } + print " <key>LocalIdentifier</key>\n"; - print " <string>$confighash{$key}[9]</string>\n"; + print " <string>$leftid</string>\n"; }
# Right ID if ($confighash{$key}[7]) { + my $rightid = $confighash{$key}[7]; + + # Strip leading @ from FQDNs + if ($rightid =~ m/^@(.*)$/) { + $rightid = $1; + } + print " <key>RemoteIdentifier</key>\n"; - print " <string>$confighash{$key}[7]</string>\n"; + print " <string>$rightid</string>\n"; }
if ($confighash{$key}[4] eq "cert") {
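Review bot: The `@`-stripping block is copied verbatim for `$leftid` and `$rightid`; fold it into a small sub, or simply `s/^@//` on each variable, so the two copies cannot drift apart. A comment on why the `@` goes would help the next reader: strongSwan uses a leading `@` to mark an FQDN identity that must not be DNS-resolved, whereas the profile's LocalIdentifier/RemoteIdentifier expect the bare name, and RemoteIdentifier is what the client compares against the gateway certificate (the SAN requirement Tom raises in the thread), so a stray `@` shows up as an identity-verification failure rather than an obvious error. Identities that are DNs or e-mail addresses pass through unchanged, which looks correct.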
This reverts commit eef4cd4b101da0c7ceab0c3386ad755ed242f8d5.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2e0dd797d..bcbe6227e 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1430,12 +1430,6 @@ END print " <key>ExtendedAuthEnabled</key>\n"; print " <integer>0</integer>\n";
- # These are not needed, but we provide some default to stop iPhone asking for credentials - print " <key>AuthName</key>\n"; - print " <string>$confighash{$key}[1]</string>\n"; - print " <key>AuthPassword</key>\n"; - print " <string></string>\n"; - # Connect the VPN automatically print " <key>OnDemandEnabled</key>\n"; print " <integer>1</integer>\n";
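Review bot: The commit message gives only the reverted hash and no reason; the comment being deleted says AuthName/AuthPassword were added to stop the iPhone prompting for credentials, so state what changed (for instance that `ExtendedAuthEnabled` set to 0 with certificate authentication already suppresses the prompt) so the next person does not reintroduce them. After the removal, `OnDemandEnabled` follows `ExtendedAuthEnabled` directly; the former is a VPN-payload key and the latter belongs to the IKEv2 dictionary, so the closing `</dict>` of the IKEv2 dictionary has to sit between them.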
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/vpnmain.cgi | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index bcbe6227e..fa97ed531 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1246,13 +1246,23 @@ END my $uuid1 = $uuid->create_str(); my $uuid2 = $uuid->create_str();
+ my $ca = ""; + my $ca_uuid = $uuid->create_str(); + my $cert = ""; my $cert_uuid = $uuid->create_str();
- # Read and encode certificate + # Read and encode the CA & certificate if ($confighash{$key}[4] eq "cert") { + my $ca_path = "${General::swroot}/ca/cacert.pem"; my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
+ # Read the CA and encode it into Base64 + open(CA, "<${ca_path}"); + local($/) = undef; # slurp + $ca = MIME::Base64::encode_base64(<CA>); + close(CA); + # Read certificate and encode it into Base64 open(CERT, "<${cert_path}"); local($/) = undef; # slurp @@ -1465,6 +1475,25 @@ END
print " </data>\n"; print " </dict>\n"; + + print " <dict>\n"; + print " <key>PayloadIdentifier</key>\n"; + print " <string>org.example.ca</string>\n"; + print " <key>PayloadUUID</key>\n"; + print " <string>${ca_uuid}</string>\n"; + print " <key>PayloadType</key>\n"; + print " <string>com.apple.security.root</string>\n"; + print " <key>PayloadVersion</key>\n"; + print " <integer>1</integer>\n"; + print " <key>PayloadContent</key>\n"; + print " <data>\n"; + + foreach (split /\n/,${ca}) { + print " $_\n"; + } + + print " </data>\n"; + print " </dict>\n"; }
print " </array>\n";
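Review bot: `open(CA, "<${ca_path}")` in the @@ -1246 hunk ignores the return value, so a missing or unreadable cacert.pem silently yields an empty `<data>` element inside a `com.apple.security.root` payload (and `encode_base64(undef)` warns); use a lexical handle and fail loudly, `open(my $ca_fh, '<', $ca_path) or die "Cannot read $ca_path: $!";`, and do the same for the CERT handle just below. The second `local($/) = undef;` in the same block is redundant once the first has run. In the @@ -1465 hunk the root payload carries the fixed identifier `org.example.ca`; profiles from two IPFire installations on one device would collide on it, so derive it from `$ca_uuid` or the hostname. Since this payload installs the IPFire CA as a root the device trusts, say so in the commit message or on the wiki page so administrators know what they are importing.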
This is great news, Michael. I do believe that the host and root certs need certain requirements for this to work? SANs come to mind.
I believe that this is resolved for new installations, but folks with older installs and certificates might run into that old issue.
Tom
On 05/28/2020 1:58 PM, Michael Tremer wrote:
Hello,
I have created a couple of patches for review. They introduce creating IPsec roadwarrior connections for Apple devices.
IPsec connections can be easily exported as an XML structure which can be imported into any iOS or macOS device.
Those connections allow that all traffic from that device can be routed through an IPFire instance in a data center and split-horizon VPNs are supported, too.
The configuration is as simple as usual although Apple has some (sane) requirements to certificate lifetimes and really makes sure that they are talking to the correct peer.
I have added a wiki page that explains how the connection needs to be set up:
https://wiki.ipfire.org/configuration/services/ipsec/apple
I would like to encourage everyone to review my patches and test them as well as the provided documentation.
As soon as I have some feedback, I would like to put this patchset forward to be merged into the next Core Update.
Best, -Michael
Hi,
On 28 May 2020, at 19:30, Tom Rymes trymes@rymes.com wrote:
This is great news, Michael. I do believe that the host and root certs need certain requirements for this to work? SANs come to mind.
I believe that this is resolved for new installations, but folks with older installs and certificates might run into that old issue.
Yes, that might indeed happen. You might have really really old certificates that use MD5 or SHA1. Those should be replaced anyways.
All new connections will be created with the correct configuration for the certificates.
I still find the whole process a little bit too complicated, but I have no idea how to make it any better with the UI that we have. But luckily no manual intervention is required any more.
-Michael