This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  1fab4edfa690b410a255b9dd1d896178512e03d5 (commit)
       via  c94d1976d3bf2fd760834a0093eeb286a90c8fdd (commit)
       via  2c2cf3918bee850ede133562ae1c42bf8c73ef68 (commit)
      from  1e645047b23939036c5aa4c86c0709c8b128a906 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 1fab4edfa690b410a255b9dd1d896178512e03d5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 20 13:00:42 2017 +0100
IPsec: Show status in WUI when VPN is connecting
This is helpful when debugging on-demand connections when you can see if strongswan tries to connect or is still idle.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit c94d1976d3bf2fd760834a0093eeb286a90c8fdd
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 20 12:53:53 2017 +0100
IPsec: Mark MODP<=1024 and MD5 as broken and SHA1 as weak
Since we somehow have to support these algorithms, this patch adds some information for the user that it is very strongly discouraged to use them in production.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2c2cf3918bee850ede133562ae1c42bf8c73ef68
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 20 12:44:27 2017 +0100
IPsec: Allow using MODP-768 in proposal
MODP-768 is broken but some systems out there (for example old Cisco ASAs) do not support anything better. Hence it is better to allow this instead of using no VPN at all.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 doc/language_issues.es   |  3 +++
 doc/language_issues.fr   |  3 +++
 doc/language_issues.it   |  3 +++
 doc/language_issues.nl   |  3 +++
 doc/language_issues.pl   |  3 +++
 doc/language_issues.ru   |  3 +++
 doc/language_issues.tr   |  3 +++
 doc/language_missings    | 12 ++++++++++++
 html/cgi-bin/index.cgi   |  3 +++
 html/cgi-bin/vpnmain.cgi | 24 +++++++++++++-----------
 langs/de/cgi-bin/de.pl   |  3 +++
 langs/en/cgi-bin/en.pl   |  3 +++
 12 files changed, 55 insertions(+), 11 deletions(-)
Difference in files: diff --git a/doc/language_issues.es b/doc/language_issues.es index 3dec2db..09dae68 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1143,6 +1143,8 @@ WARNING: untranslated string: uptime load average WARNING: untranslated string: urlfilter redirect template WARNING: untranslated string: vendor WARNING: untranslated string: visit us at +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn keyexchange WARNING: untranslated string: vpn on-demand @@ -1152,6 +1154,7 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak WARNING: untranslated string: wlan client WARNING: untranslated string: wlan client advanced settings WARNING: untranslated string: wlan client and diff --git a/doc/language_issues.fr b/doc/language_issues.fr index fa5387c..1f4f9c3 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -1160,6 +1160,8 @@ WARNING: untranslated string: urlfilter mode block WARNING: untranslated string: urlfilter redirect template WARNING: untranslated string: vendor WARNING: untranslated string: visit us at +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn keyexchange WARNING: untranslated string: vpn on-demand 
@@ -1169,6 +1171,7 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak WARNING: untranslated string: wlan client WARNING: untranslated string: wlan client advanced settings WARNING: untranslated string: wlan client and diff --git a/doc/language_issues.it b/doc/language_issues.it index 09338a2..6b5639c 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -819,6 +819,8 @@ WARNING: untranslated string: search WARNING: untranslated string: unblock WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn on-demand WARNING: untranslated string: vpn start action @@ -827,3 +829,4 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 3390ef3..3074482 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -867,6 +867,8 @@ WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: upload dh key WARNING: untranslated string: vendor +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn on-demand WARNING: untranslated string: vpn start action 
@@ -875,3 +877,4 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 3dec2db..09dae68 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1143,6 +1143,8 @@ WARNING: untranslated string: uptime load average WARNING: untranslated string: urlfilter redirect template WARNING: untranslated string: vendor WARNING: untranslated string: visit us at +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn keyexchange WARNING: untranslated string: vpn on-demand @@ -1152,6 +1154,7 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak WARNING: untranslated string: wlan client WARNING: untranslated string: wlan client advanced settings WARNING: untranslated string: wlan client and diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 303e19b..f4944db 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1138,6 +1138,8 @@ WARNING: untranslated string: uptime load average WARNING: untranslated string: urlfilter redirect template WARNING: untranslated string: vendor WARNING: untranslated string: visit us at +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn keyexchange WARNING: untranslated string: vpn on-demand 
@@ -1147,6 +1149,7 @@ WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistic n2n WARNING: untranslated string: vpn statistic rw WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak WARNING: untranslated string: wlan client WARNING: untranslated string: wlan client advanced settings WARNING: untranslated string: wlan client and diff --git a/doc/language_issues.tr b/doc/language_issues.tr index af17e37..ac7a82d 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -753,8 +753,11 @@ WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table +WARNING: untranslated string: vpn broken +WARNING: untranslated string: vpn connecting WARNING: untranslated string: vpn on-demand WARNING: untranslated string: vpn start action WARNING: untranslated string: vpn start action route WARNING: untranslated string: vpn start action start WARNING: untranslated string: vpn statistics n2n +WARNING: untranslated string: vpn weak diff --git a/doc/language_missings b/doc/language_missings index a6c7188..72fe075 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -561,6 +561,8 @@ < urlfilter redirect template < vendor < visit us at +< vpn broken +< vpn connecting < vpn keyexchange < vpn on-demand < vpn start action @@ -568,6 +570,7 @@ < vpn start action start < vpn statistic n2n < vpn statistic rw +< vpn weak < wlanap access point < wlanap channel < wlanap country @@ -1180,6 +1183,8 @@ < urlfilter redirect template < vendor < visit us at +< vpn broken +< vpn connecting < vpn keyexchange < vpn on-demand < vpn start action @@ -1187,6 +1192,7 @@ < vpn start action start < vpn statistic n2n < vpn statistic rw +< vpn weak < wlanap country < wlan client < wlan client advanced settings 
@@ -1764,6 +1770,8 @@ < urlfilter redirect template < vendor < visit us at +< vpn broken +< vpn connecting < vpn keyexchange < vpn on-demand < vpn start action @@ -1771,6 +1779,7 @@ < vpn start action start < vpn statistic n2n < vpn statistic rw +< vpn weak < wlanap country < wlan client < wlan client advanced settings @@ -2353,6 +2362,8 @@ < urlfilter redirect template < vendor < visit us at +< vpn broken +< vpn connecting < vpn keyexchange < vpn on-demand < vpn start action @@ -2360,6 +2371,7 @@ < vpn start action start < vpn statistic n2n < vpn statistic rw +< vpn weak < week-graph < wlanap country < wlan client diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 7c17462..80a86af 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -425,6 +425,9 @@ END if (($line =~ /"$vpnconfig{$key}[1]".*IPsec SA established/) || ($line =~/$vpnconfig{$key}[1]{.*INSTALLED/ )){ $activecolor = $Header::colourgreen; $activestatus = $Lang::tr{'capsopen'}; + } elsif ($line =~ /$vpnconfig{$key}[1][.*CONNECTING/) { + $activecolor = $Header::colourorange; + $activestatus = $Lang::tr{'vpn connecting'}; } elsif ($line =~ /$vpnconfig{$key}[1]{.*ROUTED/) { $activecolor = $Header::colourorange; $activestatus = $Lang::tr{'vpn on-demand'}; diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index cc891c9..d3e4fe8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2178,7 +2178,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } 
@@ -2219,7 +2219,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2350,9 +2350,6 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
- # 768 is not supported by strongswan - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; @@ -2506,8 +2503,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option> <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option> <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> - <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1</option> - <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option> + <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1 ($Lang::tr{'vpn weak'})</option> + <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5i ($Lang::tr{'vpn broken'})</option> </select> </td> <td class='boldbase'> @@ -2516,8 +2513,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option> <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option> <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option> - <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option> - <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option> + <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1 ($Lang::tr{'vpn weak'})</option> + <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option> </select> </td> </tr> 
@@ -2553,7 +2550,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='2048s160' $checked{'IKE_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option> <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option> <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option> - <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option> + <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option> + <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option> </select> </td> <td class='boldbase'> @@ -2577,7 +2575,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <option value='2048s160' $checked{'ESP_GROUPTYPE'}{'2048s160'}>MODP-2048/160</option> <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option> <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option> - <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024</option> + <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option> + <option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option> <option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option> </select> </td> @@ -2809,6 +2808,9 @@ END ($line =~ /$confighash{$key}[1]{.*INSTALLED/)) { $col1="bgcolor='${Header::colourgreen}'"; $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; + } elsif ($line =~ /$confighash{$key}[1][.*CONNECTING/) { + $col1="bgcolor='${Header::colourorange}'"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>"; } elsif ($line =~ /$confighash{$key}[1]{.*ROUTED/) { $col1="bgcolor='${Header::colourorange}'"; $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn on-demand'}</font></b>"; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index bda0e26..68d925d 100644 --- a/langs/de/cgi-bin/de.pl 
+++ b/langs/de/cgi-bin/de.pl @@ -2605,6 +2605,8 @@ 'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Wenn möglich, vermeiden (preshared Schlüssel wird im Klartext übertragen)!', 'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten. <br />Email: eine Email Adresse. Syntax Email: 'copy' benutzt die Email Adresse aus dem Zertifikatfeld. <br />DNS: ein gültiger Domain Name.<br />URI: eine gültige URI.<br />RID: Registriertes Objekt Identifikation.<br />IP: eine IP Adresse.<br />Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.<br />Beispiel:<br /><b>email:</b>info@ipfire.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/nach/irgendwo', 'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld', +'vpn broken' => 'Gebrochen', +'vpn connecting' => 'VERBINDUNGSAUFBAU', 'vpn delayed start' => 'Verzögerung bevor VPN gestartet wird (Sekunden)', 'vpn delayed start help' => 'Falls notwendig, kann diese Verzögerung dazu verwendet werden, um Dynamic-DNS-Updates ordnungsgemäß anzuwenden. 60 ist ein gängiger Wert, wenn ROT (RED) eine dynamische IP Adresse ist.', 'vpn incompatible use of defaultroute' => 'Hostname=%defaultroute nicht zulässig', @@ -2627,6 +2629,7 @@ 'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik', 'vpn subjectaltname' => 'Subjekt Alternativer Name', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', +'vpn weak' => 'Schwach', 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert', 'warn when traffic reaches' => 'Warnen wenn Traffic x % erreicht', 'warning messages' => 'Warnhinweise', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 6608ceb..4f30f56 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -2648,7 +2648,9 @@ 'vpn aggrmode' => 'IKE aggressive mode allowed. Avoid if possible (preshared key is transmitted in clear text)!', 'vpn altname syntax' => 'SubjectAltName is a comma separated list of e-mail, dns, uri, rid and ip objects.<br />email:an email address. Syntax email:copy takes the email field from the cert to be used.<br />DNS:a valid domain name.<br />URI:any valid uri.<br />RID:registered object identifier.<br />IP:an IP address.<br />Note:charset is limited and case is significant.<br />Example:<br /><b>e-mail:</b>ipfire@foo.org<b>,email:</b>copy<b>,DNS:</b>www.ipfire.org<b>,IP:</b>127.0.0.1<b>,URI:</b>http://url/to/something', 'vpn auth-dn' => 'Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field', +'vpn broken' => 'Broken', 'vpn configuration main' => 'VPN Configuration', +'vpn connecting' => 'CONNECTING', 'vpn delayed start' => 'Delay before launching VPN (seconds)', 'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.', 'vpn force mobike' => 'Force using MOBIKE (only IKEv2)', @@ -2672,6 +2674,7 @@ 'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics', 'vpn subjectaltname' => 'Subject Alt Name', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', +'vpn weak' => 'Weak', 'waiting to synchronize clock' => 'Waiting to synchronize clock', 'warn when traffic reaches' => 'Warn when traffic reaches x %', 'warning messages' => 'Warning messages',
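Review bot: the new condition in the html/cgi-bin/index.cgi hunk (@@ -425,6 +425,9 @@), `$line =~ /$vpnconfig{$key}[1][.*CONNECTING/`, uses an unescaped `[` after the interpolated connection name. In a Perl regex `[` opens a character class, so this does not match the literal bracket of a `name[1]: CONNECTING` status line the way the neighbouring `{.*INSTALLED` and `{.*ROUTED` branches match `name{1}:` lines (a bare `{` that is not a quantifier is taken literally, `[` never is), and with no closing `]` the pattern is malformed. Suggest `/$vpnconfig{$key}[1]\[.*CONNECTING/`. The identical construct appears in the html/cgi-bin/vpnmain.cgi hunk at @@ -2809,6 +2808,9 @@ (`$confighash{$key}[1][.*CONNECTING`) and needs the same escape, otherwise the orange CONNECTING state this series adds will never be displayed on either page.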
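Review bot: typo in the vpnmain.cgi hunk at @@ -2506,8 +2503,8 @@: the new IKE integrity option reads `MD5i ($Lang::tr{'vpn broken'})` and should be `MD5 ($Lang::tr{'vpn broken'})`, as in the ESP_INTEGRITY hunk directly below it. Since this is user-visible text on the advanced IPsec page, it is worth fixing before the label lands in the release.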
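Review bot: the vpnmain.cgi hunk at @@ -2350,9 +2350,6 @@ deletes the `# 768 is not supported by strongswan` override (`$checked{'IKE_GROUPTYPE'}{'768'} = '';`) while the two validation hunks (@@ -2178 and @@ -2219) add `768` to the accepted IKE and ESP group lists, so MODP-768 is now a fully selectable group in both proposals rather than one that is silently dropped. Given that the commit message for 2c2cf39 itself calls MODP-768 broken and justifies it only for legacy peers such as old Cisco ASAs, two things would help: the commit message should say why the removed comment was wrong (which strongswan plugin provides modp768 on IPFire), and the default IKE_GROUPTYPE/ESP_GROUPTYPE values set elsewhere in vpnmain.cgi should be checked so that neither 768 nor 1024 is pre-selected on a new connection and the `($Lang::tr{'vpn broken'})` label is the only route to those groups.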
hooks/post-receive -- IPFire 2.x development tree