This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  55eb745e65ade706d6ded851086a42f2a1b8803b (commit)
       via  dfe630f77c780c17238ae23392e52e68a41ab892 (commit)
       via  c400bc2d7dc1c4e1f784f5bbd8c2d898b1faf97a (commit)
       via  c6fba315ecd044bd53350641c2e6f27d9df785de (commit)
       via  b1881251d6cdd92c7e887813395386afe9692944 (commit)
       via  4b046d735d28012d215276ea08272f298e1e8ba1 (commit)
       via  d86694ad1f5c1553d57028af0bd8de58ca6d5f39 (commit)
       via  624615ee0731c45eff6bc964aa053d5e481aa30f (commit)
       via  ed1d0fbdbe0a2c7990ac984ebeed4e74c7bd3955 (commit)
       via  9dd14089ce95dfc9277e121f95d994005f860e60 (commit)
       via  7c8e022c4b3c7d184e4cee8f79b5e7d63f464759 (commit)
       via  8792caad90e968894fa55909b725055e7ac8f5c5 (commit)
       via  3db584817d41c055c462a77ac9fb50491766beaf (commit)
       via  36f7fe6a38c7923ac0e25a677484542f9388520a (commit)
      from  c9f0174979e9de685906e12a22e7625cd92dc90f (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 55eb745e65ade706d6ded851086a42f2a1b8803b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:35:54 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dfe630f77c780c17238ae23392e52e68a41ab892
Merge: c400bc2 3db5848
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:33:49 2015 +0100
Merge remote-tracking branch 'ms/experimental-vlan-hotplugging' into next
commit c400bc2d7dc1c4e1f784f5bbd8c2d898b1faf97a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:25:53 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c6fba315ecd044bd53350641c2e6f27d9df785de
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:24:44 2015 +0100
connections.cgi: Support multiple subnets for IPsec
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b1881251d6cdd92c7e887813395386afe9692944
Merge: 4b046d7 7c8e022
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:21:18 2015 +0100
Merge remote-tracking branch 'ms/ipsec-subnets' into next
commit 4b046d735d28012d215276ea08272f298e1e8ba1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:08:17 2015 +0100
Start Core Update 95
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d86694ad1f5c1553d57028af0bd8de58ca6d5f39
Merge: 624615e 9dd1408
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Sep 28 14:05:26 2015 +0100
Merge branch 'master' into next
commit 624615ee0731c45eff6bc964aa053d5e481aa30f
Author: Lars Schuhmacher <larsen007@web.de>
Date:   Fri Sep 25 23:01:17 2015 +0200
vpnmain.cgi - Replace spaces with tab characters and fix indentation
Replaced spaces with tab characters. Fixed indentation.
This is based on http://patchwork.ipfire.org/patch/88/ so that patch must be applied before.
Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ed1d0fbdbe0a2c7990ac984ebeed4e74c7bd3955 Author: Lars Schuhmacher larsen007@web.de Date: Fri Sep 25 00:04:08 2015 +0200
IPsec: Remove GUI option for "Roadwarrior virtual IP"
This setting stems from IPCop (and probably Openswan) and causes a problem.
Fixes bug #10496.
Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 7c8e022c4b3c7d184e4cee8f79b5e7d63f464759
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Sep 22 00:26:14 2015 +0100
firewall: Support multiple subnets per IPsec tunnel
Fixes #10929
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8792caad90e968894fa55909b725055e7ac8f5c5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Aug 25 21:52:11 2015 +0100
ipsec: Support using multiple subnets per tunnel
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3db584817d41c055c462a77ac9fb50491766beaf
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Aug 2 22:23:59 2015 +0100
Remove old VLAN initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 36f7fe6a38c7923ac0e25a677484542f9388520a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Aug 2 22:18:33 2015 +0100
udev: Add hotplugging for VLAN devices
The VLAN devices will now automatically be created after a parent device has been added.
Mainly this will resolve a race-condition between udev initialising the network adapters and sysvinit running scripts that will do the initialisation of the VLAN.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/firewall/firewall-lib.pl                    |    5 +-
 config/rootfiles/common/armv5tel/initscripts       |    2 -
 config/rootfiles/common/i586/initscripts           |    2 -
 config/rootfiles/common/udev                       |    1 +
 .../rootfiles/core/94/filelists/Email-Date-Format  |    1 -
 config/rootfiles/core/94/filelists/MIME-Lite       |    1 -
 config/rootfiles/core/{94 => 95}/exclude           |    0
 config/rootfiles/core/95/filelists/files           |    8 +
 config/rootfiles/core/{94 => 95}/meta              |    0
 config/rootfiles/{oldcore/93 => core/95}/update.sh |   14 +-
 config/rootfiles/{core => oldcore}/94/exclude      |    0
 .../{core => oldcore}/94/filelists/armv5tel/glibc  |    0
 .../rootfiles/{core => oldcore}/94/filelists/bind  |    0
 .../{core => oldcore}/94/filelists/chkconfig       |    0
 .../{core => oldcore}/94/filelists/coreutils       |    0
 .../rootfiles/{core => oldcore}/94/filelists/dma   |    0
 .../{core => oldcore}/94/filelists/dnsmasq         |    0
 .../rootfiles/{core => oldcore}/94/filelists/file  |    0
 .../rootfiles/{core => oldcore}/94/filelists/files |    0
 .../{core => oldcore}/94/filelists/fireinfo        |    0
 .../{core => oldcore}/94/filelists/hdparm          |    0
 .../{core => oldcore}/94/filelists/i586/glibc      |    0
 .../{core => oldcore}/94/filelists/iproute2        |    0
 .../{core => oldcore}/94/filelists/libgcrypt       |    0
 .../{core => oldcore}/94/filelists/libgpg-error    |    0
 .../{core => oldcore}/94/filelists/openssh         |    0
 .../rootfiles/{core => oldcore}/94/filelists/pcre  |    0
 .../oldcore/94/filelists/perl-Email-Date-Format    |    1 +
 .../rootfiles/oldcore/94/filelists/perl-MIME-Lite  |    1 +
 .../{core => oldcore}/94/filelists/rrdtool         |    0
 .../rootfiles/{core => oldcore}/94/filelists/setup |    0
 .../rootfiles/{core => oldcore}/94/filelists/squid |    0
 config/rootfiles/oldcore/{93 => 94}/meta           |    0
 config/rootfiles/{core => oldcore}/94/update.sh    |    0
 config/udev/60-net.rules                           |    4 +
 .../udev/network-hotplug-vlan                      |   82 +-
 html/cgi-bin/connections.cgi                       |   18 +-
 html/cgi-bin/vpnmain.cgi                           | 4385 ++++++++++----------
 langs/de/cgi-bin/de.pl                             |    1 -
 langs/en/cgi-bin/en.pl                             |    1 -
 langs/es/cgi-bin/es.pl                             |    1 -
 langs/fr/cgi-bin/fr.pl                             |    1 -
 langs/it/cgi-bin/it.pl                             |    1 -
 langs/nl/cgi-bin/nl.pl                             |    1 -
 langs/pl/cgi-bin/pl.pl                             |    1 -
 langs/ru/cgi-bin/ru.pl                             |    1 -
 langs/tr/cgi-bin/tr.pl                             |    1 -
 lfs/initscripts                                    |    1 -
 lfs/udev                                           |    2 +
 make.sh                                            |    2 +-
 50 files changed, 2257 insertions(+), 2282 deletions(-)
 delete mode 120000 config/rootfiles/core/94/filelists/Email-Date-Format
 delete mode 120000 config/rootfiles/core/94/filelists/MIME-Lite
 copy config/rootfiles/core/{94 => 95}/exclude (100%)
 create mode 100644 config/rootfiles/core/95/filelists/files
 rename config/rootfiles/core/{94 => 95}/meta (100%)
 copy config/rootfiles/{oldcore/93 => core/95}/update.sh (89%)
 rename config/rootfiles/{core => oldcore}/94/exclude (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/armv5tel/glibc (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/bind (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/chkconfig (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/coreutils (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/dma (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/dnsmasq (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/file (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/fireinfo (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/hdparm (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/i586/glibc (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/iproute2 (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/libgcrypt (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/libgpg-error (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/openssh (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/pcre (100%)
 create mode 120000 config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format
 create mode 120000 config/rootfiles/oldcore/94/filelists/perl-MIME-Lite
 rename config/rootfiles/{core => oldcore}/94/filelists/rrdtool (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/setup (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/squid (100%)
 copy config/rootfiles/oldcore/{93 => 94}/meta (100%)
 rename config/rootfiles/{core => oldcore}/94/update.sh (100%)
 rename src/initscripts/init.d/network-vlans => config/udev/network-hotplug-vlan (60%)
Difference in files: diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index b389fac..eabd9a4 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -391,8 +391,9 @@ sub get_address # IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { my $network_address = &get_ipsec_net_ip($value, 11); - if ($network_address) { - push(@ret, [$network_address, ""]); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); }
# The firewall's own IP addresses. diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index b4cd8f8..a174c5b 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -62,7 +62,6 @@ etc/rc.d/init.d/mounttmpfs #etc/rc.d/init.d/netsnmpd etc/rc.d/init.d/network etc/rc.d/init.d/network-trigger -etc/rc.d/init.d/network-vlans #etc/rc.d/init.d/networking etc/rc.d/init.d/networking/any etc/rc.d/init.d/networking/blue @@ -232,7 +231,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger -etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 878ba66..84c432a 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -64,7 +64,6 @@ etc/rc.d/init.d/mounttmpfs #etc/rc.d/init.d/netsnmpd etc/rc.d/init.d/network etc/rc.d/init.d/network-trigger -etc/rc.d/init.d/network-vlans #etc/rc.d/init.d/networking etc/rc.d/init.d/networking/any etc/rc.d/init.d/networking/blue @@ -237,7 +236,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger -etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig diff --git a/config/rootfiles/common/udev b/config/rootfiles/common/udev index d01c461..4d51954 100644 --- a/config/rootfiles/common/udev +++ b/config/rootfiles/common/udev @@ -29,6 +29,7 @@ lib/udev #lib/udev/init-net-rules.sh #lib/udev/mtd_probe #lib/udev/network-hotplug-rename +#lib/udev/network-hotplug-vlan #lib/udev/rule_generator.functions #lib/udev/rules.d #lib/udev/rules.d/25-alsa.rules 
diff --git a/config/rootfiles/core/94/exclude b/config/rootfiles/core/94/exclude deleted file mode 100644 index 4c7aa5a..0000000 --- a/config/rootfiles/core/94/exclude +++ /dev/null @@ -1,22 +0,0 @@ -boot/config.txt -etc/alternatives -etc/collectd.custom -etc/ipsec.conf -etc/ipsec.secrets -etc/ipsec.user.conf -etc/ipsec.user.secrets -etc/localtime -etc/shadow -etc/ssh/ssh_config -etc/ssh/sshd_config -etc/ssl/openssl.cnf -etc/sudoers -etc/sysconfig/firewall.local -etc/sysconfig/rc.local -etc/udev/rules.d/30-persistent-network.rules -srv/web/ipfire/html/proxy.pac -var/ipfire/ovpn -var/lib/alternatives -var/log/cache -var/state/dhcp/dhcpd.leases -var/updatecache diff --git a/config/rootfiles/core/94/filelists/Email-Date-Format b/config/rootfiles/core/94/filelists/Email-Date-Format deleted file mode 120000 index b98751e..0000000 --- a/config/rootfiles/core/94/filelists/Email-Date-Format +++ /dev/null @@ -1 +0,0 @@ -../../../common/Email-Date-Format \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/MIME-Lite b/config/rootfiles/core/94/filelists/MIME-Lite deleted file mode 120000 index c388805..0000000 --- a/config/rootfiles/core/94/filelists/MIME-Lite +++ /dev/null @@ -1 +0,0 @@ -../../../common/MIME-Lite \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/armv5tel/glibc b/config/rootfiles/core/94/filelists/armv5tel/glibc deleted file mode 120000 index 4c70d72..0000000 --- a/config/rootfiles/core/94/filelists/armv5tel/glibc +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/glibc \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/bind b/config/rootfiles/core/94/filelists/bind deleted file mode 120000 index 48a0eba..0000000 --- a/config/rootfiles/core/94/filelists/bind +++ /dev/null @@ -1 +0,0 @@ -../../../common/bind \ No newline at end of file 
diff --git a/config/rootfiles/core/94/filelists/chkconfig b/config/rootfiles/core/94/filelists/chkconfig deleted file mode 120000 index 00ef4cf..0000000 --- a/config/rootfiles/core/94/filelists/chkconfig +++ /dev/null @@ -1 +0,0 @@ -../../../common/chkconfig \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/coreutils b/config/rootfiles/core/94/filelists/coreutils deleted file mode 120000 index 7351ed2..0000000 --- a/config/rootfiles/core/94/filelists/coreutils +++ /dev/null @@ -1 +0,0 @@ -../../../common/coreutils \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/dma b/config/rootfiles/core/94/filelists/dma deleted file mode 120000 index 60f4682..0000000 --- a/config/rootfiles/core/94/filelists/dma +++ /dev/null @@ -1 +0,0 @@ -../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/dnsmasq b/config/rootfiles/core/94/filelists/dnsmasq deleted file mode 120000 index d469c74..0000000 --- a/config/rootfiles/core/94/filelists/dnsmasq +++ /dev/null @@ -1 +0,0 @@ -../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/file b/config/rootfiles/core/94/filelists/file deleted file mode 120000 index 0c60e43..0000000 --- a/config/rootfiles/core/94/filelists/file +++ /dev/null @@ -1 +0,0 @@ -../../../common/file \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files deleted file mode 100644 index e63a611..0000000 --- a/config/rootfiles/core/94/filelists/files +++ /dev/null 
@@ -1,26 +0,0 @@ -etc/system-release -etc/issue -etc/rc.d/init.d/networking/red -etc/rc.d/init.d/snort -etc/rc.d/init.d/sshd -srv/web/ipfire/cgi-bin/connscheduler.cgi -srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dnsforward.cgi -srv/web/ipfire/cgi-bin/hosts.cgi -srv/web/ipfire/cgi-bin/logs.cgi/log.dat -srv/web/ipfire/cgi-bin/mac.cgi -srv/web/ipfire/cgi-bin/mail.cgi -srv/web/ipfire/cgi-bin/modem.cgi -srv/web/ipfire/cgi-bin/ovpnmain.cgi -srv/web/ipfire/cgi-bin/pppsetup.cgi -srv/web/ipfire/cgi-bin/proxy.cgi -srv/web/ipfire/cgi-bin/qos.cgi -srv/web/ipfire/cgi-bin/time.cgi -srv/web/ipfire/cgi-bin/updatexlrator.cgi -srv/web/ipfire/cgi-bin/urlfilter.cgi -srv/web/ipfire/cgi-bin/vpnmain.cgi -srv/web/ipfire/cgi-bin/wakeonlan.cgi -srv/web/ipfire/cgi-bin/wireless.cgi -var/ipfire/langs -var/ipfire/menu.d/40-services.menu -var/ipfire/network-functions.pl diff --git a/config/rootfiles/core/94/filelists/fireinfo b/config/rootfiles/core/94/filelists/fireinfo deleted file mode 120000 index c461155..0000000 --- a/config/rootfiles/core/94/filelists/fireinfo +++ /dev/null @@ -1 +0,0 @@ -../../../common/fireinfo \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/hdparm b/config/rootfiles/core/94/filelists/hdparm deleted file mode 120000 index b644751..0000000 --- a/config/rootfiles/core/94/filelists/hdparm +++ /dev/null @@ -1 +0,0 @@ -../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/i586/glibc b/config/rootfiles/core/94/filelists/i586/glibc deleted file mode 120000 index 943021f..0000000 --- a/config/rootfiles/core/94/filelists/i586/glibc +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/glibc \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/iproute2 b/config/rootfiles/core/94/filelists/iproute2 deleted file mode 120000 index 05f0f71..0000000 --- a/config/rootfiles/core/94/filelists/iproute2 +++ /dev/null @@ -1 +0,0 @@ -../../../common/iproute2 \ No newline at end of file 
diff --git a/config/rootfiles/core/94/filelists/libgcrypt b/config/rootfiles/core/94/filelists/libgcrypt deleted file mode 120000 index 2df12a2..0000000 --- a/config/rootfiles/core/94/filelists/libgcrypt +++ /dev/null @@ -1 +0,0 @@ -../../../common/libgcrypt \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/libgpg-error b/config/rootfiles/core/94/filelists/libgpg-error deleted file mode 120000 index cad4313..0000000 --- a/config/rootfiles/core/94/filelists/libgpg-error +++ /dev/null @@ -1 +0,0 @@ -../../../common/libgpg-error \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/openssh b/config/rootfiles/core/94/filelists/openssh deleted file mode 120000 index d8c77fd..0000000 --- a/config/rootfiles/core/94/filelists/openssh +++ /dev/null @@ -1 +0,0 @@ -../../../common/openssh \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/pcre b/config/rootfiles/core/94/filelists/pcre deleted file mode 120000 index b390d9a..0000000 --- a/config/rootfiles/core/94/filelists/pcre +++ /dev/null @@ -1 +0,0 @@ -../../../common/pcre \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/rrdtool b/config/rootfiles/core/94/filelists/rrdtool deleted file mode 120000 index 7a82e41..0000000 --- a/config/rootfiles/core/94/filelists/rrdtool +++ /dev/null @@ -1 +0,0 @@ -../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/setup b/config/rootfiles/core/94/filelists/setup deleted file mode 120000 index 209374b..0000000 --- a/config/rootfiles/core/94/filelists/setup +++ /dev/null @@ -1 +0,0 @@ -../../../common/setup \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/squid b/config/rootfiles/core/94/filelists/squid deleted file mode 120000 index 2dc8372..0000000 --- a/config/rootfiles/core/94/filelists/squid +++ /dev/null @@ -1 +0,0 @@ -../../../common/squid \ No newline at end of file 
diff --git a/config/rootfiles/core/94/meta b/config/rootfiles/core/94/meta deleted file mode 100644 index d547fa8..0000000 --- a/config/rootfiles/core/94/meta +++ /dev/null @@ -1 +0,0 @@ -DEPS="" diff --git a/config/rootfiles/core/94/update.sh b/config/rootfiles/core/94/update.sh deleted file mode 100644 index ff9797c..0000000 --- a/config/rootfiles/core/94/update.sh +++ /dev/null 
@@ -1,88 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 3 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2015 IPFire-Team info@ipfire.org. # -# # -############################################################################ -# -. /opt/pakfire/lib/functions.sh -/usr/local/bin/backupctrl exclude >/dev/null 2>&1 - -# Remove old core updates from pakfire cache to save space... 
-core=94 -for (( i=1; i<=$core; i++ )) -do - rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire -done - -# Stop services -/etc/init.d/squid stop -/etc/init.d/sshd stop -/etc/init.d/dnsmasq stop - -# Extract files -extract_files - -# Update Language cache -/usr/local/bin/update-lang-cache - -# Update SSH configuration -sed -i /etc/ssh/sshd_config \ - -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/' - -# Move away old and unsupported keys -mv -f /etc/ssh/ssh_host_dsa_key{,.old} -# Regenerating weak RSA keys -mv -f /etc/ssh/ssh_host_key{,.old} -mv -f /etc/ssh/ssh_host_rsa_key{,.old} - -# Update crontab -sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d" -sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d" - -grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig - -# Retry sending spooled mails regularly -%hourly * /usr/sbin/dma -q - -# Cleanup the mail spool directory -%weekly * * /usr/sbin/dma-cleanup-spool -EOF - -fcrontab -z &>/dev/null - -# Start services -/etc/init.d/dnsmasq start -/etc/init.d/sshd start -/etc/init.d/squid start - -# This update need a reboot... -#touch /var/run/need_reboot - -# Finish -/etc/init.d/fireinfo start -sendprofile -# Update grub config to display new core version -if [ -e /boot/grub/grub.cfg ]; then - grub-mkconfig -o /boot/grub/grub.cfg -fi -sync - -# Don't report the exitcode last command -exit 0 diff --git a/config/rootfiles/core/95/exclude b/config/rootfiles/core/95/exclude new file mode 100644 index 0000000..4c7aa5a --- /dev/null +++ b/config/rootfiles/core/95/exclude 
@@ -0,0 +1,22 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files new file mode 100644 index 0000000..949c88b --- /dev/null +++ b/config/rootfiles/core/95/filelists/files @@ -0,0 +1,8 @@ +etc/system-release +etc/issue +lib/udev/network-hotplug-vlan +lib/udev/rules.d/60-net.rules +srv/web/ipfire/cgi-bin/connections.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/lib/firewall/firewall-lib.pl +var/ipfire/langs diff --git a/config/rootfiles/core/95/meta b/config/rootfiles/core/95/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/95/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/95/update.sh b/config/rootfiles/core/95/update.sh new file mode 100644 index 0000000..388e18d --- /dev/null +++ b/config/rootfiles/core/95/update.sh 
@@ -0,0 +1,61 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=95 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Remove files +rm -f /etc/rc.d/init.d/network-vlans +rm -f /etc/rc.d/rcsysinit.d/S91network-vlans + +# Stop services + +# Extract files +extract_files + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services + +# This update need a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/94/exclude b/config/rootfiles/oldcore/94/exclude new file mode 100644 index 0000000..4c7aa5a --- /dev/null 
+++ b/config/rootfiles/oldcore/94/exclude @@ -0,0 +1,22 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/oldcore/94/filelists/armv5tel/glibc b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc new file mode 120000 index 0000000..4c70d72 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc @@ -0,0 +1 @@ +../../../../common/armv5tel/glibc \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/bind b/config/rootfiles/oldcore/94/filelists/bind new file mode 120000 index 0000000..48a0eba --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/bind @@ -0,0 +1 @@ +../../../common/bind \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/chkconfig b/config/rootfiles/oldcore/94/filelists/chkconfig new file mode 120000 index 0000000..00ef4cf --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/chkconfig @@ -0,0 +1 @@ +../../../common/chkconfig \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/coreutils b/config/rootfiles/oldcore/94/filelists/coreutils new file mode 120000 index 0000000..7351ed2 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/coreutils @@ -0,0 +1 @@ +../../../common/coreutils \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/dma b/config/rootfiles/oldcore/94/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/94/filelists/dnsmasq b/config/rootfiles/oldcore/94/filelists/dnsmasq new file mode 120000 index 0000000..d469c74 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/dnsmasq @@ -0,0 +1 @@ +../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/file b/config/rootfiles/oldcore/94/filelists/file new file mode 120000 index 0000000..0c60e43 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/file @@ -0,0 +1 @@ +../../../common/file \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/files b/config/rootfiles/oldcore/94/filelists/files new file mode 100644 index 0000000..e63a611 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/files @@ -0,0 +1,26 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/networking/red +etc/rc.d/init.d/snort +etc/rc.d/init.d/sshd +srv/web/ipfire/cgi-bin/connscheduler.cgi +srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi +srv/web/ipfire/cgi-bin/hosts.cgi +srv/web/ipfire/cgi-bin/logs.cgi/log.dat +srv/web/ipfire/cgi-bin/mac.cgi +srv/web/ipfire/cgi-bin/mail.cgi +srv/web/ipfire/cgi-bin/modem.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/pppsetup.cgi +srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/qos.cgi +srv/web/ipfire/cgi-bin/time.cgi +srv/web/ipfire/cgi-bin/updatexlrator.cgi +srv/web/ipfire/cgi-bin/urlfilter.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +srv/web/ipfire/cgi-bin/wakeonlan.cgi +srv/web/ipfire/cgi-bin/wireless.cgi +var/ipfire/langs +var/ipfire/menu.d/40-services.menu +var/ipfire/network-functions.pl diff --git a/config/rootfiles/oldcore/94/filelists/fireinfo b/config/rootfiles/oldcore/94/filelists/fireinfo new file mode 120000 index 0000000..c461155 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/fireinfo @@ -0,0 +1 @@ +../../../common/fireinfo \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/94/filelists/hdparm b/config/rootfiles/oldcore/94/filelists/hdparm new file mode 120000 index 0000000..b644751 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/hdparm @@ -0,0 +1 @@ +../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/i586/glibc b/config/rootfiles/oldcore/94/filelists/i586/glibc new file mode 120000 index 0000000..943021f --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/i586/glibc @@ -0,0 +1 @@ +../../../../common/i586/glibc \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/iproute2 b/config/rootfiles/oldcore/94/filelists/iproute2 new file mode 120000 index 0000000..05f0f71 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/iproute2 @@ -0,0 +1 @@ +../../../common/iproute2 \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/libgcrypt b/config/rootfiles/oldcore/94/filelists/libgcrypt new file mode 120000 index 0000000..2df12a2 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/libgcrypt @@ -0,0 +1 @@ +../../../common/libgcrypt \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/libgpg-error b/config/rootfiles/oldcore/94/filelists/libgpg-error new file mode 120000 index 0000000..cad4313 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/libgpg-error @@ -0,0 +1 @@ +../../../common/libgpg-error \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/openssh b/config/rootfiles/oldcore/94/filelists/openssh new file mode 120000 index 0000000..d8c77fd --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/pcre b/config/rootfiles/oldcore/94/filelists/pcre new file mode 120000 index 0000000..b390d9a --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/pcre 
@@ -0,0 +1 @@ +../../../common/pcre \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format new file mode 120000 index 0000000..9980811 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format @@ -0,0 +1 @@ +../../../common/perl-Email-Date-Format \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite new file mode 120000 index 0000000..aa0aa6b --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite @@ -0,0 +1 @@ +../../../common/perl-MIME-Lite \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/rrdtool b/config/rootfiles/oldcore/94/filelists/rrdtool new file mode 120000 index 0000000..7a82e41 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/rrdtool @@ -0,0 +1 @@ +../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/setup b/config/rootfiles/oldcore/94/filelists/setup new file mode 120000 index 0000000..209374b --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/setup @@ -0,0 +1 @@ +../../../common/setup \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/squid b/config/rootfiles/oldcore/94/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/meta b/config/rootfiles/oldcore/94/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/oldcore/94/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/oldcore/94/update.sh b/config/rootfiles/oldcore/94/update.sh new file mode 100644 index 0000000..ff9797c --- /dev/null +++ b/config/rootfiles/oldcore/94/update.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... 
+core=94 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/squid stop +/etc/init.d/sshd stop +/etc/init.d/dnsmasq stop + +# Extract files +extract_files + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/' + +# Move away old and unsupported keys +mv -f /etc/ssh/ssh_host_dsa_key{,.old} +# Regenerating weak RSA keys +mv -f /etc/ssh/ssh_host_key{,.old} +mv -f /etc/ssh/ssh_host_rsa_key{,.old} + +# Update crontab +sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d" +sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d" + +grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig + +# Retry sending spooled mails regularly +%hourly * /usr/sbin/dma -q + +# Cleanup the mail spool directory +%weekly * * /usr/sbin/dma-cleanup-spool +EOF + +fcrontab -z &>/dev/null + +# Start services +/etc/init.d/dnsmasq start +/etc/init.d/sshd start +/etc/init.d/squid start + +# This update need a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/udev/60-net.rules b/config/udev/60-net.rules index 4f22a1e..dc39ff0 100644 --- a/config/udev/60-net.rules +++ b/config/udev/60-net.rules 
@@ -1,3 +1,7 @@ # Call a script that checks for the right name of the new device. # If it matches the configuration it will be renamed accordingly. ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-rename", RESULT=="?*", NAME="$result" + +# Call a script that will create all virtual devices for a parent device +# that has just come up. +ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-vlan" diff --git a/config/udev/network-hotplug-vlan b/config/udev/network-hotplug-vlan new file mode 100644 index 0000000..f7b6a9d --- /dev/null +++ b/config/udev/network-hotplug-vlan 
@@ -0,0 +1,87 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire Team info@ipfire.org # +# # +############################################################################ + +[ -n "${INTERFACE}" ] || exit 2 + +CONFIG_FILE="/var/ipfire/ethernet/vlans" + +# Skip immediately if no configuration file has been found. +[ -e "${CONFIG_FILE}" ] || exit 0 + +eval $(/usr/local/bin/readhash ${CONFIG_FILE}) + +for interface in green0 red0 blue0 orange0; do + case "${interface}" in + green*) + PARENT_DEV=${GREEN_PARENT_DEV} + VLAN_ID=${GREEN_VLAN_ID} + MAC_ADDRESS=${GREEN_MAC_ADDRESS} + ;; + red*) + PARENT_DEV=${RED_PARENT_DEV} + VLAN_ID=${RED_VLAN_ID} + MAC_ADDRESS=${RED_MAC_ADDRESS} + ;; + blue*) + PARENT_DEV=${BLUE_PARENT_DEV} + VLAN_ID=${BLUE_VLAN_ID} + MAC_ADDRESS=${BLUE_MAC_ADDRESS} + ;; + orange*) + PARENT_DEV=${ORANGE_PARENT_DEV} + VLAN_ID=${ORANGE_VLAN_ID} + MAC_ADDRESS=${ORANGE_MAC_ADDRESS} + ;; + esac + + # If the parent device does not match the interface that + # has just come up, we will go on for the next one. + [ "${PARENT_DEV}" = "${INTERFACE}" ] || continue + + # Check if the interface does already exists. 
+ # If so, we skip creating it. + if [ -d "/sys/class/net/${interface}" ]; then + echo "Interface ${interface} already exists." >&2 + continue + fi + + if [ -z "${VLAN_ID}" ]; then + echo "${interface}: You did not set the VLAN ID." >&2 + continue + fi + + # Build command line. + command="ip link add link ${PARENT_DEV} name ${interface}" + if [ -n "${MAC_ADDRESS}" ]; then + command="${command} address ${MAC_ADDRESS}" + fi + command="${command} type vlan id ${VLAN_ID}" + + echo "Creating VLAN interface ${interface}..." + ${command} + + # Bring up the parent device. + ip link set ${PARENT_DEV} up +done + +exit 0 diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi index 4eb9cd7..85a9cd7 100644 --- a/html/cgi-bin/connections.cgi +++ b/html/cgi-bin/connections.cgi @@ -261,15 +261,19 @@ close(IPSEC);
foreach my $line (@ipsec) { my @vpn = split(',', $line); - my ($network, $mask) = split("/", $vpn[12]);
- if (!&General::validip($mask)) { - $mask = ipv4_cidr2msk($mask); - } + my @subnets = split('|', $vpn[12]); + for my $subnet (@subnets) { + my ($network, $mask) = split("/", $subnet); + + if (!&General::validip($mask)) { + $mask = ipv4_cidr2msk($mask); + }
- push(@network, $network); - push(@masklen, $mask); - push(@colour, ${Header::colourvpn}); + push(@network, $network); + push(@masklen, $mask); + push(@colour, ${Header::colourvpn}); + } }
if (-e "${General::swroot}/ovpn/n2nconf") { diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 65fc80f..b697b0a 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -40,8 +40,7 @@ undef (@dummy); ### ### Initialize variables ### -my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status - # (let the ipsec do its job) +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status (let the ipsec do its job) my %netsettings=(); our %cgiparams=(); our %vpnsettings=(); 
@@ -132,306 +131,300 @@ sub valid_dns_host { ### Just return true is one interface is vpn enabled ### sub vpnenabled { - return ($vpnsettings{'ENABLED'} eq 'on'); + return ($vpnsettings{'ENABLED'} eq 'on'); } ### -### old version: maintain serial number to one, without explication. -### this : let the counter go, so that each cert is numbered. +### old version: maintain serial number to one, without explication. +### this: let the counter go, so that each cert is numbered. ### -sub cleanssldatabase -{ - if (open(FILE, ">${General::swroot}/certs/serial")) { - print FILE "01"; - close FILE; - } - if (open(FILE, ">${General::swroot}/certs/index.txt")) { - print FILE ""; - close FILE; - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); +sub cleanssldatabase { + if (open(FILE, ">${General::swroot}/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/certs/index.txt")) { + print FILE ""; + close FILE; + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); + unlink ("${General::swroot}/certs/01.pem"); } -sub newcleanssldatabase -{ - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - system ("touch ${General::swroot}/certs/index.txt"); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete +sub newcleanssldatabase { + if (! -s "${General::swroot}/certs/serial" ) { + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "01"; + close FILE; + } + if (! 
-s ">${General::swroot}/certs/index.txt") { + system ("touch ${General::swroot}/certs/index.txt"); + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); +# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete }
### ### Call openssl and return errormessage if any ### sub callssl ($) { - my $opt = shift; - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr - my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); - } - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; + my $opt = shift; + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr + my $ret = ''; + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); + } + if ($ret) { + $ret= &Header::cleanhtml($ret); + } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### ### Obtain a CN from given cert ### sub getCNfromcert ($) { - #&General::log("ipsec", "Extracting name from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $temp =~ s/,//g; - $temp =~ s/'//g; - return $temp; + #&General::log("ipsec", "Extracting name from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $temp =~ s/,//g; + $temp =~ s/'//g; + return $temp; } ### ### Obtain Subject from given cert ### sub getsubjectfromcert ($) { - #&General::log("ipsec", "Extracting subject from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject: (.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - return $temp; + #&General::log("ipsec", "Extracting subject from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject: (.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + return $temp; } ### -### 
Combine local subnet and connection name to make a unique name for each connection section +### Combine local subnet and connection name to make a unique name for each connection section ### (this sub is not used now) ### sub makeconnname ($) { - my $conn = shift; - my $subnet = shift; - - $subnet =~ /^(.*?)/(.*?)$/; # $1=IP $2=mask - my $ip = unpack('N', &Socket::inet_aton($1)); - if (length ($2) > 2) { - my $mm = unpack('N', &Socket::inet_aton($2)); - while ( ($mm & 1)==0 ) { - $ip >>= 1; - $mm >>= 1; - }; - } else { - $ip >>= (32 - $2); - } - return sprintf ("%s-%X", $conn, $ip); + my $conn = shift; + my $subnet = shift; + + $subnet =~ /^(.*?)/(.*?)$/; # $1=IP $2=mask + my $ip = unpack('N', &Socket::inet_aton($1)); + if (length ($2) > 2) { + my $mm = unpack('N', &Socket::inet_aton($2)); + while ( ($mm & 1)==0 ) { + $ip >>= 1; + $mm >>= 1; + }; + } else { + $ip >>= (32 - $2); + } + return sprintf ("%s-%X", $conn, $ip); } ### ### Write a config file. ### ###Type=Host : GUI can choose the interface used (RED,GREEN,BLUE) and ### the side is always defined as 'left'. -### configihash[14]: 'VHOST' is allowed ###
sub writeipsecfiles { - my %lconfighash = (); - my %lvpnsettings = (); - &General::readhasharray("${General::swroot}/vpn/config", %lconfighash); - &General::readhash("${General::swroot}/vpn/settings", %lvpnsettings); - - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; - flock CONF, 2; - flock SECRETS, 2; - print CONF "version 2\n\n"; - print CONF "conn %default\n"; - print CONF "\tkeyingtries=%forever\n"; - print CONF "\n"; - - # Add user includes to config file - if (-e "/etc/ipsec.user.conf") { - print CONF "include /etc/ipsec.user.conf\n"; - print CONF "\n"; - } - - print SECRETS "include /etc/ipsec.user.secrets\n"; - - if (-f "${General::swroot}/certs/hostkey.pem") { - print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" - } - my $last_secrets = ''; # old the less specifics connections - - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - - #remote peer is not set? 
=> use '%any' - $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); - - my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; - } - - print CONF "conn $lconfighash{$key}[1]\n"; - print CONF "\tleft=$localside\n"; - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); - print CONF "\tleftsubnet=$cidr_net\n"; - print CONF "\tleftfirewall=yes\n"; - print CONF "\tlefthostaccess=yes\n"; - - print CONF "\tright=$lconfighash{$key}[10]\n"; - if ($lconfighash{$key}[3] eq 'net') { - my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); - print CONF "\trightsubnet=$cidr_net\n"; - } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? - print CONF "\trightsubnet=vhost:%no,%priv\n"; - } - - # Local Cert and Remote Cert (unless auth is DN dn-auth) - if ($lconfighash{$key}[4] eq 'cert') { - print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; - print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); - } - - # Local and Remote IDs - print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); - print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]); - - # Is PFS enabled? - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; - - # Algorithms - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - my @encs = split('|', $lconfighash{$key}[18]); - my @ints = split('|', $lconfighash{$key}[19]); - my @groups = split('|', $lconfighash{$key}[20]); - - my @algos = &make_algos("ike", @encs, @ints, @groups, 1); - print CONF "\tike=" . 
join(",", @algos); - - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my %lconfighash = (); + my %lvpnsettings = (); + &General::readhasharray("${General::swroot}/vpn/config", %lconfighash); + &General::readhash("${General::swroot}/vpn/settings", %lvpnsettings); + + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; + flock CONF, 2; + flock SECRETS, 2; + print CONF "version 2\n\n"; + print CONF "conn %default\n"; + print CONF "\tkeyingtries=%forever\n"; + print CONF "\n"; + + # Add user includes to config file + if (-e "/etc/ipsec.user.conf") { + print CONF "include /etc/ipsec.user.conf\n"; + print CONF "\n"; }
- if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - my @encs = split('|', $lconfighash{$key}[21]); - my @ints = split('|', $lconfighash{$key}[22]); - my @groups = split('|', $lconfighash{$key}[23]); + print SECRETS "include /etc/ipsec.user.secrets\n"; + + if (-f "${General::swroot}/certs/hostkey.pem") { + print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" + } + my $last_secrets = ''; # old the less specifics connections
- # Use IKE grouptype if no ESP group type has been selected - # (for backwards compatibility) - if ($lconfighash{$key}[23] eq "") { - @groups = split('|', $lconfighash{$key}[20]); + foreach my $key (keys %lconfighash) { + next if ($lconfighash{$key}[0] ne 'on'); + + #remote peer is not set? => use '%any' + $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); + + my $localside; + if ($lconfighash{$key}[26] eq 'BLUE') { + $localside = $netsettings{'BLUE_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'GREEN') { + $localside = $netsettings{'GREEN_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { + $localside = $netsettings{'ORANGE_ADDRESS'}; + } else { # it is RED + $localside = $lvpnsettings{'VPN_IP'}; }
- my @algos = &make_algos("esp", @encs, @ints, @groups, ($pfs eq "on")); - print CONF "\tesp=" . join(",", @algos); + print CONF "conn $lconfighash{$key}[1]\n"; + print CONF "\tleft=$localside\n"; + print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n"; + print CONF "\tleftfirewall=yes\n"; + print CONF "\tlefthostaccess=yes\n"; + print CONF "\tright=$lconfighash{$key}[10]\n";
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; + if ($lconfighash{$key}[3] eq 'net') { + print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n"; } - }
- # IKE V1 or V2 - if (! $lconfighash{$key}[29]) { - $lconfighash{$key}[29] = "ikev1"; - } - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; + # Local Cert and Remote Cert (unless auth is DN dn-auth) + if ($lconfighash{$key}[4] eq 'cert') { + print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; + print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); + }
- # Lifetimes - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + # Local and Remote IDs + print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); + print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]);
- # Compression - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
- # Force MOBIKE? - if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { - print CONF "\tmobike=yes\n"; - } + # Algorithms + if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { + my @encs = split('|', $lconfighash{$key}[18]); + my @ints = split('|', $lconfighash{$key}[19]); + my @groups = split('|', $lconfighash{$key}[20]);
- # Dead Peer Detection - my $dpdaction = $lconfighash{$key}[27]; - print CONF "\tdpdaction=$dpdaction\n"; + my @algos = &make_algos("ike", @encs, @ints, @groups, 1); + print CONF "\tike=" . join(",", @algos);
- # If the dead peer detection is disabled and IKEv2 is used, - # dpddelay must be set to zero, too. - if ($dpdaction eq "none") { - if ($lconfighash{$key}[29] eq "ikev2") { - print CONF "\tdpddelay=0\n"; + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } - } else { - my $dpddelay = $lconfighash{$key}[31]; - if (!$dpddelay) { - $dpddelay = 30; - } - print CONF "\tdpddelay=$dpddelay\n"; - my $dpdtimeout = $lconfighash{$key}[30]; - if (!$dpdtimeout) { - $dpdtimeout = 120; - } - print CONF "\tdpdtimeout=$dpdtimeout\n"; - } - - # Build Authentication details: LEFTid RIGHTid : PSK psk - my $psk_line; - if ($lconfighash{$key}[4] eq 'psk') { - $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; - $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; - # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. - if ($psk_line =~ /%any/) { - $last_secrets .= $psk_line; - } else { - print SECRETS $psk_line; - } - print CONF "\tauthby=secret\n"; - } else { - print CONF "\tauthby=rsasig\n"; - print CONF "\tleftrsasigkey=%cert\n"; - print CONF "\trightrsasigkey=%cert\n"; - }
- # Automatically start only if a net-to-net connection - if ($lconfighash{$key}[3] eq 'host') { - print CONF "\tauto=add\n"; - print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; - } else { - print CONF "\tauto=start\n"; - } + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { + my @encs = split('|', $lconfighash{$key}[21]); + my @ints = split('|', $lconfighash{$key}[22]); + my @groups = split('|', $lconfighash{$key}[23]); + + # Use IKE grouptype if no ESP group type has been selected + # (for backwards compatibility) + if ($lconfighash{$key}[23] eq "") { + @groups = split('|', $lconfighash{$key}[20]); + }
- # Fragmentation - print CONF "\tfragmentation=yes\n"; + my @algos = &make_algos("esp", @encs, @ints, @groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos);
- print CONF "\n"; - }#foreach key - - # Add post user includes to config file - # After the GUI-connections allows to patch connections. - if (-e "/etc/ipsec.user-post.conf") { - print CONF "include /etc/ipsec.user-post.conf\n"; - print CONF "\n"; - } - - print SECRETS $last_secrets if ($last_secrets); - close(CONF); - close(SECRETS); + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } + } + + # IKE V1 or V2 + if (! $lconfighash{$key}[29]) { + $lconfighash{$key}[29] = "ikev1"; + } + + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; + + # Lifetimes + print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + + # Compression + print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + + # Force MOBIKE? + if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { + print CONF "\tmobike=yes\n"; + } + + # Dead Peer Detection + my $dpdaction = $lconfighash{$key}[27]; + print CONF "\tdpdaction=$dpdaction\n"; + + # If the dead peer detection is disabled and IKEv2 is used, + # dpddelay must be set to zero, too. + if ($dpdaction eq "none") { + if ($lconfighash{$key}[29] eq "ikev2") { + print CONF "\tdpddelay=0\n"; + } + } else { + my $dpddelay = $lconfighash{$key}[31]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[30]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; + } + + # Build Authentication details: LEFTid RIGHTid : PSK psk + my $psk_line; + if ($lconfighash{$key}[4] eq 'psk') { + $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; + $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? 
+ $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. + if ($psk_line =~ /%any/) { + $last_secrets .= $psk_line; + } else { + print SECRETS $psk_line; + } + print CONF "\tauthby=secret\n"; + } else { + print CONF "\tauthby=rsasig\n"; + print CONF "\tleftrsasigkey=%cert\n"; + print CONF "\trightrsasigkey=%cert\n"; + } + + # Automatically start only if a net-to-net connection + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tauto=add\n"; + print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; + } else { + print CONF "\tauto=start\n"; + } + + # Fragmentation + print CONF "\tfragmentation=yes\n"; + + print CONF "\n"; + } #foreach key + + # Add post user includes to config file + # After the GUI-connections allows to patch connections. + if (-e "/etc/ipsec.user-post.conf") { + print CONF "include /etc/ipsec.user-post.conf\n"; + print CONF "\n"; + } + + print SECRETS $last_secrets if ($last_secrets); + close(CONF); + close(SECRETS); }
# Hook to regenerate the configuration files. 
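Review bot: the two functional changes in this hunk are buried under roughly 300 lines of pure re-indentation, which makes them easy to miss in review: `leftsubnet`/`rightsubnet` now go through `&make_subnets($lconfighash{$key}[8])` instead of `&General::ipcidr(...)`, and the `rightsubnet=vhost:%no,%priv` branch for `%any` peers with field 14 (`VHOST`) set is removed together with its `### configihash[14]: 'VHOST' is allowed` comment. Please split the whitespace-only change from the functional one, state in the commit message that VHOST handling for roadwarriors is dropped (existing configs with field 14 set to `on` silently lose that behaviour), and confirm that `make_subnets` is defined elsewhere in this series, since it is called here but not added in this hunk. While these lines are being touched anyway, the pre-existing stray `>` in `if (! -s ">${General::swroot}/certs/index.txt")` should go: the test looks for a file literally named `>/var/ipfire/certs/index.txt`, which never exists, so the `touch` always runs; `-s "${General::swroot}/certs/index.txt"` is what was intended.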
@@ -444,779 +437,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { ### Save main settings ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; - goto SAVE_ERROR; - } - - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { - $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; - goto SAVE_ERROR; - } - - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; - &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - } else { - system('/usr/local/bin/ipsecctrl', 'D'); - } - sleep $sleepDelay; - SAVE_ERROR: + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto SAVE_ERROR; + } + + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! 
+ $errormessage = $Lang::tr{'invalid time period'}; + goto SAVE_ERROR; + } + + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { + $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; + goto SAVE_ERROR; + } + + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; + $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; + &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + } else { + system('/usr/local/bin/ipsecctrl', 'D'); + } + sleep $sleepDelay; + SAVE_ERROR: ### ### Reset all step 2 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - foreach my $key (keys %confighash) { - if ($confighash{$key}[4] eq 'cert') { - delete $confighash{$key}; - } - } - while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { - unlink $file - } - &cleanssldatabase(); - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { - print FILE ""; - close FILE; - } - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + foreach my $key (keys %confighash) { + if ($confighash{$key}[4] eq 'cert') { + delete $confighash{$key}; + } + } + while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { + unlink $file + } + &cleanssldatabase(); + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { + print FILE ""; + close FILE; + } + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay;
### ### Reset all step 1 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='AREUSURE' value='yes' /> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='AREUSURE' value='yes' /> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} + </td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> + </tr> + </table> </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0);
### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto UPLOADCA_ERROR; - } - - if (length($cgiparams{'CA_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - - if ($cgiparams{'CA_NAME'} eq 'ca') { - $errormessage = $Lang::tr{'name is invalid'}; - goto UPLOAD_CA_ERROR; - } - - # Check if there is no other entry with this name - foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } - } - - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded ca to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } - - my $key = &General::findhasharraykey (%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - - UPLOADCA_ERROR: + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto UPLOADCA_ERROR; + } + + if (length($cgiparams{'CA_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'CA_NAME'} eq 'ca') { + $errormessage = $Lang::tr{'name is invalid'}; + goto UPLOAD_CA_ERROR; + } + + # Check if there is no other entry with this name + foreach my $key (keys %cahash) { + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } + } + + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded ca to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl x509 -text -in $filename`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? 
ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + + my $key = &General::findhasharraykey (%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + + UPLOADCA_ERROR:
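Review bot: the goto targets in this block do not match the label it defines. The `name too long` check jumps to `VPNCONF_ERROR` and the `name is invalid` check jumps to `UPLOAD_CA_ERROR`, while the label at the end of the block is `UPLOADCA_ERROR:`; unless `UPLOAD_CA_ERROR` is defined elsewhere in the script, the goto dies at runtime with "Can't find label", so a user who names a CA `ca` gets a server error instead of the intended message. Both should read `goto UPLOADCA_ERROR;`. A second point in the same block: `move($filename, ...)` followed by `if ($? ne 0)` inspects the child-process status variable, which File::Copy::move does not set; test the return value instead, e.g. `unless (move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) {`. Neither defect is introduced by this whitespace change, but the re-indent carries both forward.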
### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + }
### ### Export ca certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + }
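Review bot: the download handler emits two Content-Type headers (`application/force-download`, terminated with a bare `\n`, then `application/octet-stream`); keep a single `Content-Type: application/octet-stream\r\n` so the header block is well formed. The `Content-Disposition` filename and the path passed to `openssl x509` both derive from `$cahash{$cgiparams{'KEY'}}[0]`, which the upload handler restricts to `[a-zA-Z0-9]+`, so no shell or header metacharacters can reach them; an explicit `exists $cahash{$cgiparams{'KEY'}}` test before the `-f` check would still make the 'invalid key' path clearer than relying on the path collapsing to `${General::swroot}/ca/cert.pem` for an unknown key.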
### ### Remove ca certificate (step 2) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - # Delete connection - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); - delete $confighash{$key}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - } + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + # Delete connection + system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); + delete $confighash{$key}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } + } + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } 
else { + $errormessage = $Lang::tr{'invalid key'}; } - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Remove ca certificate (step 1) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - my $assignedcerts = 0; - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - $assignedcerts++; - } - } - if ($assignedcerts) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <input type='hidden' name='AREUSURE' value='yes' /></td> - </tr><tr> - <td align='center'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> - $Lang::tr{'connections are associated with this ca. 
deleting the ca will delete these connections as well.'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> - </form> + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + my $assignedcerts = 0; + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + $assignedcerts++; + } + } + if ($assignedcerts) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + <input type='hidden' name='AREUSURE' value='yes' /></td> + </tr><tr> + <td align='center'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> $Lang::tr{'connections are associated with this ca. 
deleting the ca will delete these connections as well.'}</td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> + </tr> + </table> + </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); + } else { + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } } else { - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
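Review bot: in the step 2 branch, `&General::writehasharray(...)` and `&writeipsecfiles()` run inside the `foreach` for every connection that verifies against the CA; moving both calls after the loop (still after the `delete $confighash{$key}` calls) writes the config once and regenerates the ipsec files once instead of once per deleted connection. The association test, `openssl verify -CAfile ...` matched on `/: OK/`, silently skips any connection whose certificate file is missing or unreadable, so such a connection survives the CA deletion with its trust anchor gone; logging the verify output when it is not OK would make that visible to the administrator.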
### ### Display root certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { - &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; - } else { - &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; - } - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0);
### ### Export root certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) { - if ( -f "${General::swroot}/ca/cacert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; - exit(0); - } + if ( -f "${General::swroot}/ca/cacert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; + exit(0); + } ### ### Export host certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) { - if ( -f "${General::swroot}/certs/hostcert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; - exit(0); - } + if ( -f "${General::swroot}/certs/hostcert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; + exit(0); + } ### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - - if (-f "${General::swroot}/ca/cacert.pem") { - $errormessage = $Lang::tr{'valid root certificate already exists'}; - goto ROOTCERT_SKIP; - } - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - # fill in initial values - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - 
$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; - } - } - $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &General::log("ipsec", "Importing from p12..."); + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + + if (-f "${General::swroot}/ca/cacert.pem") { + $errormessage = $Lang::tr{'valid root certificate already exists'}; + goto ROOTCERT_SKIP; + } + + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + # fill in initial values + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + } + } + $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + &General::log("ipsec", "Importing from p12...");
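Review bot: `split(/./, $ipaddr)` in the hostname prefill uses an unescaped `.`, which matches every character, so the split yields no fields and `pack("C4", ...)` never receives the four octets of the RED address; the `gethostbyaddr` lookup therefore cannot resolve the interface's name and the code always falls back to `$cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr`. Use `split(/\./, $ipaddr)` or, simpler, `Socket::inet_aton($ipaddr)` as the packed address. Also in this region, the two download handlers terminate the `Content-Type: application/force-download` line with a bare `\n` while the `Content-Disposition` line uses `\r\n\r\n`; use one terminator for the whole header block.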
- if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; - } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; + }
- # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto ROOTCERT_ERROR; + }
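Review bot: the comment `# Move uploaded certificate request to a temporary file` describes a CSR, but this branch handles the uploaded PKCS#12 file (the following hunks run `openssl pkcs12` on it with `P12_PASS`); say `# Copy the uploaded p12 file to a temporary file` so the comment matches the code.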
- # Extract the CA certificate from the file - &General::log("ipsec", "Extracting caroot from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - # Extract the Host key from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting private key from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostkey"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving private key..."); - move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); - } - - #cleanup temp files - unlink ($filename); - unlink ('/tmp/newcacert'); - unlink ('/tmp/newhostcert'); - unlink ('/tmp/newhostkey'); - if ($errormessage) { - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - goto ROOTCERT_ERROR; - } + # Extract the CA certificate from the file + &General::log("ipsec", "Extracting caroot from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -cacerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newcacert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + }
- # Create empty CRL cannot be done because we don't have - # the private key for this CAROOT - # IPFire can only import certificates + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + }
- &General::log("ipsec", "p12 import completed!"); - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { - - # Validate input since the form was submitted - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ - $errormessage = $Lang::tr{'organization cant be empty'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ - $errormessage = $Lang::tr{'hostname cant be empty'}; - goto ROOTCERT_ERROR; - } - unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto ROOTCERT_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } - - # Copy the cgisettings to vpnsettings and save the configfile - $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; - $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; - $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; - $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; - $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; - $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; - $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; - 
&General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + # Extract the Host key from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting private key from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -nocerts -nodes"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostkey"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + }
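Review bot: the character classes `[a-zA-Z0-9 ,.-_]` in the ORGANIZATION, OU, CITY and STATE checks and `[a-zA-Z0-9 :/,.-_@]` in the SUBJECTALTNAME check (visible in the removed lines of this hunk and carried over unchanged by the re-indent) contain the range `.-_`, i.e. every byte from 0x2E to 0x5F, which admits `/`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^` in addition to the intended `.`, `-` and `_`. Escape the hyphen, `[a-zA-Z0-9 ,.\-_]`, so the subject fields that end up in the CA certificate and are echoed back into the web form are restricted to what the error messages promise. In the same block, the SUBJECTALTNAME failure does `goto VPNCONF_ERROR` while every other check here uses `ROOTCERT_ERROR`; a rejected altname should land on the root certificate form with its message.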
- # Replace empty strings with a . - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/./; - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/./; - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/./; - - # Create the CA certificate - if (!$errormessage) { - &General::log("ipsec", "Creating cacert..."); - if (open(STDIN, "-|")) { - my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; - $opt .= " -newkey rsa:4096"; - $opt .= " -keyout ${General::swroot}/private/cakey.pem"; - $opt .= " -out ${General::swroot}/ca/cacert.pem"; - - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - exit (0); - } - } - - # Create the Host certificate request - if (!$errormessage) { - &General::log("ipsec", "Creating host cert..."); - if (open(STDIN, "-|")) { - my $opt = " req -sha256 -nodes"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; - $opt .= " -out ${General::swroot}/certs/hostreq.pem"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - } + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } + + if (!$errormessage) { + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); + } + + if (!$errormessage) { + &General::log("ipsec", "Moving private key..."); + move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } + + #cleanup temp files + unlink ($filename); + unlink ('/tmp/newcacert'); + unlink ('/tmp/newhostcert'); + unlink ('/tmp/newhostkey'); + if ($errormessage) { + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + goto ROOTCERT_ERROR; + }
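Review bot: the p12 import writes its intermediate output to fixed, predictable names in a world-writable directory (`/tmp/newcacert`, `/tmp/newhostcert`, `/tmp/newhostkey`), the last of which holds the host private key extracted with `-nodes` in the previous hunk, i.e. unencrypted. The CA upload block and the host signing step later in this patch already use `File::Temp::tempfile()`; use it here too (`tempfile('/tmp/XXXXXXXX')`) and pass the generated names to `-out`, so a pre-existing file or symlink at those paths cannot be written through or read by another local user while the import runs. As in the CA upload block, the `$? ne 0` tests after each `move()` do not reflect the result of `move`; check its return value, e.g. `move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem") or $errormessage = "$Lang::tr{'certificate file move failed'}: $!";`.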
- # Sign the host certificate request - if (!$errormessage) { - &General::log("ipsec", "Self signing host cert..."); + # Create empty CRL cannot be done because we don't have + # the private key for this CAROOT + # IPFire can only import certificates
- #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer:always - extendedKeyUsage = serverAuth + &General::log("ipsec", "p12 import completed!"); + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { + + # Validate input since the form was submitted + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ + $errormessage = $Lang::tr{'organization cant be empty'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ + $errormessage = $Lang::tr{'hostname cant be empty'}; + goto ROOTCERT_ERROR; + } + unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto ROOTCERT_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + } + + # Copy the cgisettings to vpnsettings and save the configfile + $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; + $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; + $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; + $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; + $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; + $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; + $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; + 
&General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + + # Replace empty strings with a . + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/./; + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/./; + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/./; + + # Create the CA certificate + if (!$errormessage) { + &General::log("ipsec", "Creating cacert..."); + if (open(STDIN, "-|")) { + my $opt = " req -x509 -sha256 -nodes"; + $opt .= " -days 999999"; + $opt .= " -newkey rsa:4096"; + $opt .= " -keyout ${General::swroot}/private/cakey.pem"; + $opt .= " -out ${General::swroot}/ca/cacert.pem"; + + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + exit (0); + } + } + + # Create the Host certificate request + if (!$errormessage) { + &General::log("ipsec", "Creating host cert..."); + if (open(STDIN, "-|")) { + my $opt = " req -sha256 -nodes"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + } + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... 
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer:always + extendedKeyUsage = serverAuth END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999"; - $opt .= " -batch -notext"; - $opt .= " -in ${General::swroot}/certs/hostreq.pem"; - $opt .= " -out ${General::swroot}/certs/hostcert.pem"; - $opt .= " -extfile $v3extname"; - $errormessage = &callssl ($opt); - unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed - unlink ($v3extname); - } - - # Create an empty CRL - if (!$errormessage) { - &General::log("ipsec", "Creating emptycrl..."); - my $opt = " ca -gencrl"; - $opt .= " -out ${General::swroot}/crls/cacrl.pem"; - $errormessage = &callssl ($opt); - } - - # Successfully build CA / CERT! - if (!$errormessage) { - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - } - - #Cleanup - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/crls/cacrl.pem"); - &cleanssldatabase(); - } - - ROOTCERT_ERROR: - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } - &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); - print <<END - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> - <td width='60%' class='base' 
nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='ROOTCERT_COUNTRY'> + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + close ($fh); + + my $opt = " ca -md sha256 -days 999999"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $opt .= " -extfile $v3extname"; + $errormessage = &callssl ($opt); + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + unlink ($v3extname); + } + + # Create an empty CRL + if (!$errormessage) { + &General::log("ipsec", "Creating emptycrl..."); + my $opt = " ca -gencrl"; + $opt .= " -out ${General::swroot}/crls/cacrl.pem"; + $errormessage = &callssl ($opt); + } + + # Successfully build CA / CERT! 
+ if (!$errormessage) { + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + } + + #Cleanup + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/crls/cacrl.pem"); + &cleanssldatabase(); + } + + ROOTCERT_ERROR: + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print <<END + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> + <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'state or 
province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='ROOTCERT_COUNTRY'> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>"; - } - print <<END - </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> +; + foreach my $country (sort keys %{Countries::countries}) { + print "<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>"; + } + print <<END + </select></td></tr> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> - <tr><td> </td> - <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. 
please be patient'} - </td></tr> - <tr><td colspan='2'><hr></td></tr> - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> - <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> - <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> - <tr><td> </td> - <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> - </table></form> + <tr><td> </td> + <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: + $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. 
please be patient'} + </td></tr> + <tr><td colspan='2'><hr></td></tr> + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> + <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> + <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> + <tr><td> </td> + <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> + </table></form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); - - ROOTCERT_SUCCESS: - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - sleep $sleepDelay; - } - ROOTCERT_SKIP: +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + + ROOTCERT_SUCCESS: + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + sleep $sleepDelay; + } + ROOTCERT_SKIP: ### ### Export PKCS12 file to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; - exit (0); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + exit (0);
### ### Display certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + }
### ### Export Certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); - } + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + }
### ### Enable/Disable connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + } else { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + $confighash{$cgiparams{'KEY'}}[0] = 'off'; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } + sleep $sleepDelay; } else { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); + $errormessage = $Lang::tr{'invalid key'}; } - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Restart connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if ($confighash{$cgiparams{'KEY'}}) { - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; + if ($confighash{$cgiparams{'KEY'}}) { + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Remove connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection 
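Review bot: Every `-`/`+` pair in this hunk differs only in leading whitespace (tabs replacing spaces), so the reindentation of the root-certificate, download, show, toggle, restart and remove branches should be split into its own commit, separate from the behavioural changes to subnet handling in the following hunk; as submitted, a reviewer cannot distinguish the two. Two pre-existing details the reindented lines carry along are worth fixing while the code is being touched: the PKCS12 download branch prints `Content-Type: application/force-download\n` with a bare `\n` but terminates the next two header lines with `\r\n`, and the certificate download branch ends its headers with `\n\n`, so the header line terminators are inconsistent across the two responses; and both branches deliver the file via `print `/bin/cat ...``, where reading the `.p12` and `cert.pem` files with `open` would avoid a shell round-trip for a file whose name is taken from the connection config.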
@@ -1227,535 +1220,545 @@ END &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'connection type'}); print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <b>$Lang::tr{'connection type'}:</b><br /> - <table> - <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <b>$Lang::tr{'connection type'}:</b><br /> + <table> + <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td> - </tr><tr> + </tr><tr> <td><input type='radio' name='TYPE' value='net' /></td> <td class='base'>$Lang::tr{'net to net vpn'}</td> - </tr><tr> + </tr><tr> <td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td> - </tr> - </table></form> + </tr> + </table></form> END - ; +; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); exit (0); ### -### Adding/Editing/Saving a connection +### Adding/Editing/Saving a connection ### } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - if (! 
$confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = 
$confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
- if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { + if (! $confighash{$cgiparams{'KEY'}}[0]) { + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; + } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; + my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); + $cgiparams{'LOCAL_SUBNET'} = join(/|/, @local_subnets); + $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]); + $cgiparams{'REMOTE_SUBNET'} = join(/|/, @remote_subnets); + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = 
$confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + }
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - goto VPNCONF_ERROR; - } + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + }
- if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto VPNCONF_ERROR; - } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + goto VPNCONF_ERROR; + }
- if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto VPNCONF_ERROR; + }
- if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + goto VPNCONF_ERROR; + }
- # Check if there is no other entry with this name - if (! $cgiparams{'KEY'}) { #only for add - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; } - } - }
- if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } + # Check if there is no other entry with this name + if (! $cgiparams{'KEY'}) { #only for add + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + }
- if ($cgiparams{'REMOTE'}) { - if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; - } + if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; } - } - }
- unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'REMOTE'}) { + if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } else { + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; + } + } + } + }
- # Allow only one roadwarrior/psk without remote IP-address - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { - foreach my $key (keys %confighash) { - if ( ($cgiparams{'KEY'} ne $key) && - ($confighash{$key}[4] eq 'psk') && - ($confighash{$key}[10] eq '') ) { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; - goto VPNCONF_ERROR; + my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); + foreach my $subnet (@local_subnets) { + unless (&Network::check_subnet($subnet)) { + $errormessage = $Lang::tr{'local subnet is invalid'}; + goto VPNCONF_ERROR; + } } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; - }
- if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } + # Allow only one roadwarrior/psk without remote IP-address + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { + foreach my $key (keys %confighash) { + if ( ($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk') && + ($confighash{$key}[10] eq '') ) { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; + } + } + }
- # Allow nothing or a string (DN,FDQN,) beginning with @ - # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) - ) { - $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . - 'FQDN: @ipfire.org<br />' . - 'USER_FQDN: info@ipfire.org<br />' . - 'IPV4_ADDR: 123.123.123.123'; - goto VPNCONF_ERROR; - } - # If Auth is DN, verify existance of Remote ID. - if ( $cgiparams{'REMOTE_ID'} eq '' && ( - $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation - $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing - $errormessage = $Lang::tr{'vpn missing remote id'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'TYPE'} eq 'net') { + my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); + foreach my $subnet (@remote_subnets) { + unless (&Network::check_subnet($subnet)) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + goto VPNCONF_ERROR; + } + } + }
- if ($cgiparams{'TYPE'} eq 'net'){ - $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); - if ($warnmessage ne ''){ - $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; } - }
- if ($cgiparams{'AUTH'} eq 'psk') { - if (! length($cgiparams{'PSK'}) ) { - $errormessage = $Lang::tr{'pre-shared key is too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'PSK'} =~ /'/) { - $cgiparams{'PSK'} =~ tr/'/ /; - $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; - goto VPNCONF_ERROR; - } + # Allow nothing or a string (DN,FDQN,) beginning with @ + # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || + (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) + ) { + $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . + 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . + 'FQDN: @ipfire.org<br />' . + 'USER_FQDN: info@ipfire.org<br />' . + 'IPV4_ADDR: 123.123.123.123'; + goto VPNCONF_ERROR; + } + # If Auth is DN, verify existance of Remote ID. + if ( $cgiparams{'REMOTE_ID'} eq '' && ( + $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation + $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing + $errormessage = $Lang::tr{'vpn missing remote id'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'TYPE'} eq 'net'){ + $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); + if ($warnmessage ne ''){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + } + } + + if ($cgiparams{'AUTH'} eq 'psk') { + if (! 
length($cgiparams{'PSK'}) ) { + $errormessage = $Lang::tr{'pre-shared key is too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'PSK'} =~ /'/) { + $cgiparams{'PSK'} =~ tr/'/ /; + $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certreq') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + }
- # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + }
- # Sign the certificate request - &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + # Sign the certificate request + &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
- if ( $errormessage = &callssl ($opt) ) { - unlink ($filename); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &cleanssldatabase(); - } - - $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + if ( $errormessage = &callssl ($opt) ) { + unlink ($filename); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &cleanssldatabase(); + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { &General::log("ipsec", "Importing from p12...");
if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; }
# Move uploaded certificate request to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; + $errormessage = $!; + goto ROOTCERT_ERROR; }
# Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); - } else { #child + } else { #child print "$cgiparams{'P12_PASS'}\n"; exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - #If CA have new subject, add it to our list of CA - my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); - my @names; - foreach my $x (keys %cahash) { - $casubject='' if ($cahash{$x}[1] eq $casubject); - unshift (@names,$cahash{$x}[0]); - } - if ($casubject) { # a new one! - my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - } else { - #compute a name for it - my $idx=0; - while (grep(/Imported-$idx/, @names) ) {$idx++}; - $cgiparams{'CA_NAME'}="Imported-$idx"; - $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); - move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); - if (!$errormessage) { - my $key = &General::findhasharraykey (%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = $casubject; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - } - } - } + } + + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + } + + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + #If CA have new subject, add it to our list of CA + my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); + my @names; + foreach my $x (keys %cahash) { + $casubject='' if ($cahash{$x}[1] eq $casubject); + unshift (@names,$cahash{$x}[0]); + } + if ($casubject) { # a new one! + my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + } else { + #compute a name for it + my $idx=0; + while (grep(/Imported-$idx/, @names) ) {$idx++}; + $cgiparams{'CA_NAME'}="Imported-$idx"; + $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); + move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); + if (!$errormessage) { + my $key = &General::findhasharraykey (%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = $casubject; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + } + } + } } if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + }
#cleanup temp files unlink ($filename); unlink ('/tmp/newcacert'); unlink ('/tmp/newhostcert'); if ($errormessage) { - unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - goto VPNCONF_ERROR; + unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + goto VPNCONF_ERROR; } &General::log("ipsec", "p12 import completed!"); } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - # Move uploaded certificate to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - - # Verify the certificate has a valid CA and move it - &General::log("ipsec", "Validating imported cert against our known CA..."); - my $validca = 1; #assume ok - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; - if ($test !~ /: OK/) { - my $validca = 0; - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - last; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; } - }
- $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + # Verify the certificate has a valid CA and move it + &General::log("ipsec", "Validating imported cert against our known CA..."); + my $validca = 1; #assume ok + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; + if ($test !~ /: OK/) { + my $validca = 0; + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + last; + } + } + } + if (! $validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; + } + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certgen') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - # Validate input since the form was submitted - if (length($cgiparams{'CERT_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { - $errormessage = $Lang::tr{'invalid input for name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if 
($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + }
- if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + }
- # Replace empty strings with a . - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/./; - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/./; + # Replace empty strings with a . + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/./;
- # Create the Client certificate request - &General::log("ipsec", "Creating a cert..."); + # Create the Client certificate request + &General::log("ipsec", "Creating a cert...");
- if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + if (open(STDIN, "-|")) { + my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } else { #child + print "$cgiparams{'CERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'CERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'CERT_NAME'}\n"; + print "$cgiparams{'CERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + }
- if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { #child - print "$cgiparams{'CERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'CERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'CERT_NAME'}\n"; - print "$cgiparams{'CERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - - # Sign the client certificate request - &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); - - #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - extendedKeyUsage=clientAuth - authorityKeyIdentifier=keyid,issuer:always + # Sign the client certificate request + &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... 
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + extendedKeyUsage=clientAuth + authorityKeyIdentifier=keyid,issuer:always END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999 -batch -notext"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -extfile $v3extname"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); - } - - # Create the pkcs12 file - &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; - $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -name "$cgiparams{'NAME'}""; - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; - $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; - $opt .= " -caname "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA""; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - } + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + 
close ($fh); + + my $opt = " ca -md sha256 -days 999999 -batch -notext"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -extfile $v3extname"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + &cleanssldatabase(); + } + + # Create the pkcs12 file + &General::log("ipsec", "Packing a pkcs12 file..."); + $opt = " pkcs12 -export"; + $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -name "$cgiparams{'NAME'}""; + $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; + $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; + $opt .= " -caname "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA""; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + } } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing + ;# Nothing, just editing } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'invalid 
input for authentication method'}; + goto VPNCONF_ERROR; }
# 1)Error message here is not accurate. @@ -1763,37 +1766,39 @@ END # 3)Present since initial version (1.3.2.11), it isn't a bug correction # Check if there is no other entry with this certificate name #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) { - # foreach my $key (keys %confighash) { + # foreach my $key (keys %confighash) { # if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - # $errormessage = $Lang::tr{'a connection with this common name already exists'}; - # goto VPNCONF_ERROR; + # $errormessage = $Lang::tr{'a connection with this common name already exists'}; + # goto VPNCONF_ERROR; + # } # } - # } #} - # Save the config + # Save the config
my $key = $cgiparams{'KEY'}; if (! $key) { - $key = &General::findhasharraykey (%confighash); - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} + $key = &General::findhasharraykey (%confighash); + foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; } $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; } else { - $confighash{$key}[4] = 'cert'; + $confighash{$key}[4] = 'cert'; } if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); + $confighash{$key}[11] = join('|', @remote_subnets); } $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); + $confighash{$key}[8] = join('|', @local_subnets); $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; @@ -1801,7 +1806,7 @@ END $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
- #dont forget advanced value + # don't forget advanced value $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -1814,44 +1819,43 @@ END $confighash{$key}[13] = $cgiparams{'COMPRESSION'}; $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$key}[28] = $cgiparams{'PFS'}; - $confighash{$key}[14] = $cgiparams{'VHOST'}; $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
- #free unused fields! + # free unused fields! $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", %confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $key); - sleep $sleepDelay; + system('/usr/local/bin/ipsecctrl', 'S', $key); + sleep $sleepDelay; } if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; } goto VPNCONF_END; - } else { # add new connection - $cgiparams{'ENABLED'} = 'on'; +} else { # add new connection + $cgiparams{'ENABLED'} = 'on'; if ( ! -f "${General::swroot}/private/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; + $cgiparams{'AUTH'} = 'psk'; } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; + $cgiparams{'AUTH'} = 'certfile'; } else { - $cgiparams{'AUTH'} = 'certgen'; + $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; - $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; + $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
- # choose appropriate dpd action + # choose appropriate dpd action if ($cgiparams{'TYPE'} eq 'host') { $cgiparams{'DPD_ACTION'} = 'clear'; } else { @@ -1872,64 +1876,63 @@ END
# Default IKE Version to v2 if (!$cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev2'; + $cgiparams{'IKE_VERSION'} = 'ikev2'; }
# ID are empty - $cgiparams{'LOCAL_ID'} = ''; + $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = '';
#use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; - $cgiparams{'COMPRESSION'} = 'on'; #[13]; - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; - $cgiparams{'PFS'} = 'on'; #[28]; - $cgiparams{'VHOST'} = 'on'; #[14]; - } - - VPNCONF_ERROR: - $checked{'ENABLED'}{'off'} = ''; - $checked{'ENABLED'}{'on'} = ''; - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - - $checked{'EDIT_ADVANCED'}{'off'} = ''; - $checked{'EDIT_ADVANCED'}{'on'} = ''; - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; - - $checked{'AUTH'}{'psk'} = ''; - $checked{'AUTH'}{'certreq'} = ''; - $checked{'AUTH'}{'certgen'} = ''; - $checked{'AUTH'}{'certfile'} = ''; - $checked{'AUTH'}{'pkcs12'} = ''; - $checked{'AUTH'}{'auth-dn'} = ''; - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + 
$cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; + $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; + $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; + $cgiparams{'PFS'} = 'on'; #[28]; +}
- if ($warnmessage) { - &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } +VPNCONF_ERROR: + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; + + $checked{'EDIT_ADVANCED'}{'off'} = ''; + $checked{'EDIT_ADVANCED'}{'on'} = ''; + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; + + $checked{'AUTH'}{'psk'} = ''; + $checked{'AUTH'}{'certreq'} = ''; + $checked{'AUTH'}{'certgen'} = ''; + $checked{'AUTH'}{'certfile'} = ''; + $checked{'AUTH'}{'pkcs12'} = ''; + $checked{'AUTH'}{'auth-dn'} = ''; + $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + }
- print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; - print<<END + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + print<<END <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' /> <input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' /> <input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' /> 
@@ -1943,178 +1946,183 @@ END <input type='hidden' name='COMPRESSION' value='$cgiparams{'COMPRESSION'}' /> <input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' /> <input type='hidden' name='PFS' value='$cgiparams{'PFS'}' /> - <input type='hidden' name='VHOST' value='$cgiparams{'VHOST'}' /> <input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' /> <input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' /> <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' /> <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' /> END - ; - if ($cgiparams{'KEY'}) { - print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; - print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; - print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; - } - - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); - print "<table width='100%'>"; - if (!$cgiparams{'KEY'}) { - print <<EOF; - <tr> - <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> - </td> - <td colspan="2"></td> - </tr> +; + if ($cgiparams{'KEY'}) { + print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; + print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; + print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; + } + + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); + print "<table width='100%'>"; + if (!$cgiparams{'KEY'}) { + print <<EOF; + <tr> + <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> + </td> + <td colspan="2"></td> + </tr> EOF - } + }
- my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { + my $disabled; + my $blob; + if ($cgiparams{'TYPE'} eq 'host') { $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + } elsif ($cgiparams{'TYPE'} eq 'net') { $blob = "<img src='/blob.gif' alt='*' />"; - }; + };
- print <<END + my @local_subnets = split(/|/, $cgiparams{'LOCAL_SUBNET'}); + my $local_subnets = join(",", @local_subnets); + + my @remote_subnets = split(/|/, $cgiparams{'REMOTE_SUBNET'}); + my $remote_subnets = join(",", @remote_subnets); + + print <<END <tr> <td width='20%'>$Lang::tr{'enabled'}</td> <td width='30%'> - <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> + <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> + </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='LOCAL_SUBNET' value='$local_subnets' /> + </td> + </tr> + <tr> + <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> + <td width='30%'> + <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> + </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> + <td width='30%'> + <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' /> </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> - </td> - </tr> - <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> - <td width='30%'> - <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> - </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> - <td width='30%'> - <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> - </td> </tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> - <td width='30%'> - <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> - </td> - <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> - <td width='30%'> - <input type='text' 
name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> - </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> + <td width='30%'> + <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> + </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> + <td width='30%'> + <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> + </td> </tr> <tr><td colspan="4"><br /></td></tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> - <td colspan='3'> - <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> - </td> - </tr> -END - ; - if (!$cgiparams{'KEY'}) { - print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; - } - print "</table>"; - &Header::closebox(); - - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { - &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> + <td colspan='3'> + <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> + </td> </tr> - </table> END - ; +; + if (!$cgiparams{'KEY'}) { + print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; + } + print "</table>"; &Header::closebox(); - } elsif (! $cgiparams{'KEY'}) { - my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); - my $cacrtdisabled = ( ! 
-f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
- &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> - <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> - <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> - <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> - <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> - <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> - <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users email'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' 
value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'organization name'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + </tr> + </table> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "\t\t\t<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>\n"; +; + &Header::closebox(); + } elsif (! $cgiparams{'KEY'}) { + my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); + my $cacrtdisabled = ( ! 
-f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; + + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> + <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> + <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> + <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> + <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> + <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> + <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users email'}:</td> + <td class='base' 
nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'organization name'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'state or province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> +END +; + foreach my $country (sort keys %{Countries::countries}) { + print "\t\t\t<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>\n"; + } + print <<END + </select></td></tr> + + <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file 
password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> + </table> +END +; + &Header::closebox(); } - print <<END - </select></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> - <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> - </table> -END - ; - &Header::closebox(); - } - - print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; - if ($cgiparams{'KEY'}) { - print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; - } - print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - - VPNCONF_END: + print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; + if ($cgiparams{'KEY'}) { + print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; + } + print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + + VPNCONF_END: }
### 
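Review bot: the new `split(/|/, $cgiparams{'LOCAL_SUBNET'})` and `split(/|/, $cgiparams{'REMOTE_SUBNET'})` lines at the top of this hunk do not split on the pipe character. In a Perl regex a bare `|` is an empty alternation that matches the empty string at every position, so `split` returns one element per character and the following `join(",", ...)` turns a value such as `10.0.1.0/24` into `1,0,.,0,.,1,.,0,/,2,4` in the form field. The pipe has to be escaped: `my @local_subnets = split(/\|/, $cgiparams{'LOCAL_SUBNET'});` and `my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});`. Two smaller points on the same rows: the `size="25"` attribute was dropped from the LOCAL_SUBNET and REMOTE_SUBNET inputs while REMOTE, LOCAL_ID and REMOTE_ID keep it, and `$local_subnets` / `$remote_subnets` are interpolated straight into `value='...'` without HTML escaping, which matches the existing fields but is worth fixing while this code is being touched.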
@@ -2122,303 +2130,288 @@ END ### if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - if (! $confighash{$cgiparams{'KEY'}}) { - $errormessage = $Lang::tr{'invalid key'}; - goto ADVANCED_END; - } - - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - # I didn't read any incompatibilities here.... - #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') { - # $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'}; - # goto ADVANCED_ERROR; - #} - my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + if (! 
$confighash{$cgiparams{'KEY'}}) { + $errormessage = $Lang::tr{'invalid key'}; + goto ADVANCED_END; + } + + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for ike lifetime'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { + $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; + goto ADVANCED_ERROR; + } + @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val 
(@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for esp keylife'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { + $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; + goto ADVANCED_ERROR; + } + + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || + ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || + ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd delay'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd timeout'}; + goto ADVANCED_ERROR; + } + + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; + $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; + $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[17] = 
$cgiparams{'ESP_KEYLIFE'}; + $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; + $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; + $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; + $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; + $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; + $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + goto ADVANCED_END; + } else { + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + 
$cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } } + + ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; + my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); + foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; + $checked{'IKE_INTEGRITY'}{'sha'} = ''; + $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; + $checked{'IKE_GROUPTYPE'}{'6144'} 
= ''; + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for ike lifetime'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { - $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; - goto ADVANCED_ERROR; - } + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + + # 768 is not supported by strongswan + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; 
- goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; + $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'768'} = ''; + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; + $checked{'ESP_GROUPTYPE'}{'none'} = ''; @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for esp keylife'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { - $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; - goto ADVANCED_ERROR; - } - - if ( - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || - ($cgiparams{'ONLY_PROPOSED'} !~ 
/^(|on|off)$/) || - ($cgiparams{'PFS'} !~ /^(|on|off)$/) || - ($cgiparams{'VHOST'} !~ /^(|on|off)$/) - ){ - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd delay'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd timeout'}; - goto ADVANCED_ERROR; - } - - $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; - $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; - $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'}; - $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; - $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; - $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; - $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; - $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; - $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; - $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; - $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; - } - goto ADVANCED_END; - } else { - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = 
$confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
- if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ; + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
- if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { - $cgiparams{'VHOST'} = 'off'; - } - } - - ADVANCED_ERROR: - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; - my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; - $checked{'IKE_INTEGRITY'}{'sha'} = ''; - $checked{'IKE_INTEGRITY'}{'md5'} = ''; - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; - @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } - - # 768 is not supported by strongswan - 
$checked{'IKE_GROUPTYPE'}{'768'} = ''; - - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; - @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; - $checked{'ESP_INTEGRITY'}{'md5'} = ''; - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; - $checked{'ESP_GROUPTYPE'}{'none'} = ''; - @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; } - - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? 
"checked='checked'" : '' ; - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; - $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; - - $selected{'IKE_VERSION'}{'ikev1'} = ''; - $selected{'IKE_VERSION'}{'ikev2'} = ''; - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; - - $selected{'DPD_ACTION'}{'clear'} = ''; - $selected{'DPD_ACTION'}{'hold'} = ''; - $selected{'DPD_ACTION'}{'restart'} = ''; - $selected{'DPD_ACTION'}{'none'} = ''; - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $selected{'DPD_ACTION'}{'clear'} = ''; + $selected{'DPD_ACTION'}{'hold'} = ''; + $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{'none'} = ''; + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
- if ($warnmessage) { - &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + }
- &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); - print <<EOF - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ADVANCED' value='yes' /> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + }
- <table width='100%'> + &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); + print <<EOF + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ADVANCED' value='yes' /> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + + <table width='100%'> <thead> <tr> <th width="15%"></th> @@ -2564,14 +2557,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> </tbody> - </table> + </table>
<br><br>
<h2>$Lang::tr{'dead peer detection'}</h2>
- <table width="100%"> - <tr> + <table width="100%"> + <tr> <td width="15%">$Lang::tr{'dpd action'}:</td> <td> <select name='DPD_ACTION'> @@ -2594,11 +2587,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' /> </td> </tr> - </table> + </table>
- <hr> + <hr>
- <table width="100%"> + <table width="100%"> <tr> <td> <label> @@ -2632,18 +2625,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> EOF - ; - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>"; - } elsif ($confighash{$cgiparams{'KEY'}}[10]) { - print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} disabled='disabled' />"; - print " $Lang::tr{'vpn vhost'}</label></td></tr>"; - } else { - print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} />"; - print " $Lang::tr{'vpn vhost'}</label></td></tr>"; - } - - print <<EOF; +; + + print <<EOF; <tr> <td align='left' colspan='1'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td> <td align='right' colspan='2'> @@ -2651,58 +2635,58 @@ EOF <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /> </td> </tr> - </table></form> + </table></form> EOF
- &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0);
- ADVANCED_END: + ADVANCED_END: }
### ### Default status page ### - %cgiparams = (); - %cahash = (); - %confighash = (); - &General::readhash("${General::swroot}/vpn/settings", %cgiparams); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - $cgiparams{'CA_NAME'} = ''; - - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; - - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? 
"checked='checked'" : ''; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage\n"; - print " </class>\n"; - &Header::closebox(); - } + %cgiparams = (); + %cahash = (); + %confighash = (); + &General::readhash("${General::swroot}/vpn/settings", %cgiparams); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + $cgiparams{'CA_NAME'} = ''; + + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; + + # suggest a default name for this side + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + if ($cgiparams{'VPN_IP'} eq '') { + $cgiparams{'VPN_IP'} = $ipaddr; + } + } + } + # no IP found, use %defaultroute + $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); + + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage\n"; + print " </class>\n"; + &Header::closebox(); + }
if ($warnmessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); @@ -2714,61 +2698,61 @@ EOF exit 0; }
- &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td> <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td> <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> - </tr> + </tr> END - ; +; print <<END - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td> - </tr> - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> + </tr> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> - </tr> + </tr> </table> <br> <hr /> <table width='100%'> <tr> - <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> - <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> + <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> </tr> <tr> - <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> 
</td> - <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> - <td></td> + <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> + <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> + <td></td> </tr> </table> END -; - print "</form>"; - &Header::closebox(); - - &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); - print <<END - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> +; + print "</form>"; + &Header::closebox(); + + &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); + print <<END + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th> <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> END - ; - my $id = 0; - my $gif; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { +; + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) { 
@@ -2781,302 +2765,304 @@ END print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>"; print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; } elsif ($confighash{$key}[4] eq 'cert') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { - print "<td align='left' $col> </td>"; + print "<td align='left' $col> </td>"; } print "<td align='center' $col>$confighash{$key}[25]</td>"; my $col1="bgcolor='${Header::colourred}'"; # get real state my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; foreach my $line (@status) { - if (($line =~ /"$confighash{$key}[1]".*IPsec SA established/) || - ($line =~ /$confighash{$key}[1]{.*INSTALLED/)) - { - $col1="bgcolor='${Header::colourgreen}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; - } - } - # move to blueif really down + if (($line =~ /"$confighash{$key}[1]".*IPsec SA established/) || + ($line =~ /$confighash{$key}[1]{.*INSTALLED/)) { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; + } + } + # move to blue if really down if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) { $col1="bgcolor='${Header::colourblue}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; } print <<END <td align='center' $col1>$active</td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' 
alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> END - ; +; if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> - </td> + </form> + </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne 
'%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> +; + } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } print <<END <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td>
<td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> - <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> + <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> </tr> END - ; +; $id++; - } - print "</table>"; - - # If the config file contains entries, print Key to action icons - if ( $id ) { - print <<END - <table> - <tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> - <td class='base'>$Lang::tr{'edit'}</td> - <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> - <td class='base'>$Lang::tr{'remove'}</td> - 
</tr> - <tr> - <td> </td> - <td> <img src='/images/off.gif' alt='?OFF' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> - <td class='base'>$Lang::tr{'restart'}</td> - </tr> - </table> + } + print "</table>"; + + # If the config file contains entries, print Key to action icons + if ( $id ) { + print <<END + <table> + <tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> + <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> + <td class='base'>$Lang::tr{'edit'}</td> + <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> + <td class='base'>$Lang::tr{'remove'}</td> + </tr> + <tr> + <td> </td> + <td> <img src='/images/off.gif' alt='?OFF' /></td> + <td class='base'>$Lang::tr{'click to enable'}</td> + <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'restart'}</td> + </tr> + </table> END - ; - } +; + }
- print <<END - <table width='100%'> - <tr><td align='right' colspan='9'> + print <<END + <table width='100%'> + <tr><td align='right' colspan='9'> <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='submit' name='ACTION' value='$Lang::tr{'add'}' /> </form> - </td></tr> - </table> + </td></tr> + </table> END - ; - &Header::closebox(); +; + &Header::closebox();
- &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); - print <<EOF - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> + &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); + print <<EOF + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th> <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> EOF - ; - my $col1="bgcolor='$color{'color22'}'"; +; + my $col1="bgcolor='$color{'color22'}'"; my $col2="bgcolor='$color{'color20'}'"; - if (-f "${General::swroot}/ca/cacert.pem") { - my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}</td> - <td class='base' $col1>$casubject</td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> - </form> - </td> - <td width='4%' $col1> </td></tr> + if (-f "${General::swroot}/ca/cacert.pem") { + my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}</td> + <td 
class='base' $col1>$casubject</td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> + </form> + </td> + <td width='4%' $col1> </td></tr> END - ; - } else { - # display rootcert generation buttons - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}:</td> - <td class='base' $col1>$Lang::tr{'not present'}</td> - <td colspan='3' $col1> </td></tr> +; + } else { + # display rootcert generation buttons + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}:</td> + <td class='base' $col1>$Lang::tr{'not present'}</td> + <td colspan='3' $col1> </td></tr> END - ; - } +; + }
- if (-f "${General::swroot}/certs/hostcert.pem") { - my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem")); + if (-f "${General::swroot}/certs/hostcert.pem") { + my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
- print <<END - <tr> - <td class='base' $col2>$Lang::tr{'host certificate'}</td> - <td class='base' $col2>$hostsubject</td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> - <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> - <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> - </form> - </td> - <td width='4%' $col2> </td></tr> + print <<END + <tr> + <td class='base' $col2>$Lang::tr{'host certificate'}</td> + <td class='base' $col2>$hostsubject</td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> + <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> + <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> + </form> + </td> + <td width='4%' $col2> </td></tr> END - ; - } else { - # Nothing - print <<END - <tr> - <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> - <td class='base' $col2>$Lang::tr{'not present'}</td> - 
<td colspan='3' $col2> </td></tr> +; + } else { + # Nothing + print <<END + <tr> + <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> + <td class='base' $col2>$Lang::tr{'not present'}</td> + <td colspan='3' $col2> </td></tr> END - ; - } - +; + } + my $rowcolor = 0; if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if ($rowcolor++ % 2) { - print "<tr>"; - $col="bgcolor='$color{'color20'}'"; - } else { - print "<tr>"; - $col="bgcolor='$color{'color22'}'"; - } - print "<td class='base' $col>$cahash{$key}[0]</td>\n"; - print "<td class='base' $col>$cahash{$key}[1]</td>\n"; - print <<END - <td align='center' $col> - <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - </tr> + if ($rowcolor++ % 2) { + print "<tr>"; + $col="bgcolor='$color{'color20'}'"; + } else { + 
print "<tr>"; + $col="bgcolor='$color{'color22'}'"; + } + print "<td class='base' $col>$cahash{$key}[0]</td>\n"; + print "<td class='base' $col>$cahash{$key}[1]</td>\n"; + print <<END + <td align='center' $col> + <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + </tr> END - ; +; + } } - } - print "</table>"; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ca/cacert.pem") { - print <<END - <table><tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - </tr></table> + 
print "</table>"; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ca/cacert.pem") { + print <<END + <table><tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + </tr></table> END - ; - } - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; - print <<END - <br> - <hr /> - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - $createCA - <tr> +; + } + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; + print <<END + <br> + <hr /> + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + $createCA + <tr> <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}: <img src='/blob.gif' alt='*' /></td> <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td> <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td> <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td> - </tr> - <tr> + </tr> + <tr> <td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td> <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td> - </tr> - </table> - </form> + </tr> + </table> 
+ </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage();
sub array_unique($) { my $array = shift; @@ -3132,3 +3118,16 @@ sub make_algos($$$$$) {
return &array_unique(@algos); } + +sub make_subnets($) { + my $subnets = shift; + + my @nets = split(/|/, $subnets); + my @cidr_nets = (); + foreach my $net (@nets) { + my $cidr_net = &General::ipcidr($net); + push(@cidr_nets, $cidr_net); + } + + return join(",", @cidr_nets); +} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c21bac5..a3c8228 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2620,7 +2620,6 @@ 'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik', 'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik', 'vpn subjectaltname' => 'Subjekt Alternativer Name', -'vpn vhost' => 'Roadwarrior virtuelle IP (manchmal auch Inner-IP genannt)', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert', 'warn when traffic reaches' => 'Warnen wenn Traffic x % erreicht', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 783fd0f..55cf228 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2664,7 +2664,6 @@ 'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics', 'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'waiting to synchronize clock' => 'Waiting to synchronize clock', 'warn when traffic reaches' => 'Warn when traffic reaches x %', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index c0422b1..e24e75e 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl 
@@ -2107,7 +2107,6 @@ 'vpn red name' => 'Dirección IP pública o FQDN para la interfaz RED o<%defaultroute>', 'vpn remote id' => 'ID Remoto', 'vpn subjectaltname' => 'Nombre alternativo en Asunto', -'vpn vhost' => 'IP virtual Roadwarris (también referida como ip-interior)', 'vpn watch' => 'Reinciar vpn net-to-net cuando la ip remota cambie (dyndns)', 'waiting to synchronize clock' => 'Esperando sincronización con el reloj', 'warn when traffic reaches' => 'Advertir cuando el tráfico alcance x %', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 43e69a7..0d173ae 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -2111,7 +2111,6 @@ 'vpn red name' => 'IP publique ou nom de domaine complet pour l'interface ROUGE ou <%defaultroute>', 'vpn remote id' => 'ID Distant', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'IP Virtuelle Roadwarrior (parfois appelée Inner-IP)', 'vpn watch' => 'Redémarrer net-to-net VPN si IP hôte distant change (dyndns).', 'waiting to synchronize clock' => 'Attendre la synchronisation de l'horloge', 'warn when traffic reaches' => 'Avertir lorsque le trafic atteint x %', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 0623bd5..950f700 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -2586,7 +2586,6 @@ 'vpn red name' => 'IP pubblico o il nome di dominio completo per l'interfaccia RED o <%defaultroute>', 'vpn remote id' => 'Remote ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'waiting to synchronize clock' => 'Waiting to synchronize clock', 'warn when traffic reaches' => 'Warn when traffic reaches x %', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index f748b74..9d90a08 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -2529,7 +2529,6 @@ 'vpn red name' => 'Publiek IP of FQDN voor RODE interface of <%defaultroute>', 'vpn remote id' => 'Remote ID', 'vpn subjectaltname' => 'Onderwerp Alt Naam', -'vpn vhost' => 'Roadwarrior virtual IP (Ook wel Inner-IP genoemd)', 'vpn watch' => 'Herstart net-to-net vpn wanneer remote peer IP verandert (dyndns).', 'waiting to synchronize clock' => 'Wachten op synchronisatie van klok', 'warn when traffic reaches' => 'Waarschuw wanneer verkeer x % bereikt', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 30cc81e..47abf2c 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -2120,7 +2120,6 @@ 'vpn red name' => 'Publiczne IP lub FQDN interfejsu RED lub <%defaultroute>', 'vpn remote id' => 'Zdalne ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Uruchom ponownie vpn net-to-net kiedy zmieni się IP zdalnej końcówki (dyndns).', 'waiting to synchronize clock' => 'Oczekiwanie na synchronizację zegara', 'warn when traffic reaches' => 'Ostrzegaj kiedy ruch osiągnie x %', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 8cf985b..6840f81 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -2115,7 +2115,6 @@ 'vpn red name' => 'Внешний IP или FQDN для RED интерфейса или <%defaultroute>', 'vpn remote id' => 'Удалённый ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Перезапускать net-to-net vpn когда удалённый IP меняется (dyndns).', 'waiting to synchronize clock' => 'Ожидается синхронизация', 'warn when traffic reaches' => 'Предупреждать когда трафик возрастает до x %', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 5426a06..782bc00 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl 
@@ -2609,7 +2609,6 @@ 'vpn red name' => 'KIRMIZI arabirim veya <%defaultroute> için gerçek IP veya FQDN', 'vpn remote id' => 'Uzak kimlik (ID)', 'vpn subjectaltname' => 'Alternatif konu adı', -'vpn vhost' => 'Roadwarrior sanal IP (bazen iç IP olarakta adlandırılır)', 'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.', 'waiting to synchronize clock' => 'Saat eşleştirmesi bekleniyor', 'warn when traffic reaches' => 'Trafik x % değere ulaştığında uyar', diff --git a/lfs/initscripts b/lfs/initscripts index 4005941..141fd66 100755 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -177,7 +177,6 @@ $(TARGET) : ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall ln -sf ../init.d/network-trigger /etc/rc.d/rcsysinit.d/S90network-trigger - ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd ln -sf ../init.d/wlanclient /etc/rc.d/rc0.d/K82wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient diff --git a/lfs/udev b/lfs/udev index e58839c..7d5bdbc 100644 --- a/lfs/udev +++ b/lfs/udev @@ -107,6 +107,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install network rules. install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-rename \ /lib/udev/network-hotplug-rename + install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-vlan \ + /lib/udev/network-hotplug-vlan install -v -m 644 $(DIR_SRC)/config/udev/60-net.rules \ /lib/udev/rules.d
diff --git a/make.sh b/make.sh index c5cf466..95877a4 100755 --- a/make.sh +++ b/make.sh @@ -25,7 +25,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.17" # Version number -CORE="94" # Core Level (Filename) +CORE="95" # Core Level (Filename) PAKFIRE_CORE="94" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan diff --git a/src/initscripts/init.d/network-vlans b/src/initscripts/init.d/network-vlans deleted file mode 100644 index a6a75c3..0000000 --- a/src/initscripts/init.d/network-vlans +++ /dev/null 
@@ -1,113 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 2 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2012 IPFire Team info@ipfire.org # -# # -############################################################################ - -CONFIG_FILE="/var/ipfire/ethernet/vlans" - -# Skip immediately if no configuration file has been found. -[ -e "${CONFIG_FILE}" ] || exit 0 - -eval $(/usr/local/bin/readhash ${CONFIG_FILE}) - -# This is start or stop. -action=${1} - -for interface in green0 red0 blue0 orange0; do - case "${interface}" in - green*) - PARENT_DEV=${GREEN_PARENT_DEV} - VLAN_ID=${GREEN_VLAN_ID} - MAC_ADDRESS=${GREEN_MAC_ADDRESS} - ;; - red*) - PARENT_DEV=${RED_PARENT_DEV} - VLAN_ID=${RED_VLAN_ID} - MAC_ADDRESS=${RED_MAC_ADDRESS} - ;; - blue*) - PARENT_DEV=${BLUE_PARENT_DEV} - VLAN_ID=${BLUE_VLAN_ID} - MAC_ADDRESS=${BLUE_MAC_ADDRESS} - ;; - orange*) - PARENT_DEV=${ORANGE_PARENT_DEV} - VLAN_ID=${ORANGE_VLAN_ID} - MAC_ADDRESS=${ORANGE_MAC_ADDRESS} - ;; - esac - - case "${action}" in - start) - # If no parent device has been configured, we assume - # that this interface is not set up for VLANs and - # silently go on. 
- [ -z "${PARENT_DEV}" ] && continue - - # Check if the interface does already exists. - # If so, we skip creating it. - if [ -d "/sys/class/net/${interface}" ]; then - echo "Interface ${interface} already exists." >&2 - continue - fi - - # Check if the parent interface exists. - if [ ! -d "/sys/class/net/${PARENT_DEV}" ]; then - echo "${interface}: Parent device is not set or does not exist: ${PARENT_DEV}" >&2 - continue - fi - - if [ -z "${VLAN_ID}" ]; then - echo "${interface}: You did not set the VLAN ID." >&2 - continue - fi - - # Build command line. - command="ip link add link ${PARENT_DEV} name ${interface}" - if [ -n "${MAC_ADDRESS}" ]; then - command="${command} address ${MAC_ADDRESS}" - fi - command="${command} type vlan id ${VLAN_ID}" - - echo "Creating VLAN interface ${interface}..." - ${command} - - # Bring up the parent device. - ip link set ${PARENT_DEV} up - ;; - - stop) - if [ ! -e "/proc/net/vlan/${interface}" ]; then - echo "${interface} is not a VLAN interface. Skipping." - continue - fi - - echo "Removing VLAN interface ${interface}..." - ip link set ${interface} down - ip link delete ${interface} - ;; - - *) - echo "Invalid action: ${action}" - exit 1 - ;; - esac -done
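Review bot: The vpnmain.cgi hunk mixes a functional addition (the new legend table printed when cacert.pem exists) with a re-indentation of the whole heredoc and the following form block, which makes the real change hard to spot in review; the whitespace-only moves would be better as a separate commit. Also note that the retained context line `<input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />` interpolates the submitted CA name straight into an HTML attribute, so while this area is being touched it is worth confirming that CA_NAME is HTML-escaped before it is echoed back.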
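Review bot: In `make_subnets`, `split(/|/, $subnets)` is a bug: `/|/` is an empty alternation that matches the empty string, so Perl splits the input into single characters rather than on the pipe separator, and every character is then passed to `&General::ipcidr`. It should be `split(/\|/, $subnets)` (or `split('|', ...)` with the literal quoted). It would also be safer to skip entries for which `ipcidr` returns nothing, since `push(@cidr_nets, $cidr_net)` currently appends them unchecked and `join(",", ...)` will emit empty fields.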
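Review bot: The en.pl hunk (and the matching de, es, fr, it, nl, pl, ru and tr hunks) removes the `'vpn vhost'` key, but nothing in this patch shows the corresponding `$Lang::tr{'vpn vhost'}` uses being removed from the CGI; a lookup of a missing key renders as an empty label, so please confirm no remaining caller references it.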
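Review bot: Dropping the `S91network-vlans` symlink from the initscripts build only affects fresh installs; systems upgraded in place will still carry `/etc/rc.d/rcsysinit.d/S91network-vlans` pointing at the now-deleted `init.d/network-vlans`. The core update should remove both the dangling link and the old script so sysinit does not trip over it.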
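Review bot: The udev hunk installs `/lib/udev/network-hotplug-vlan`, but there is no change to the `60-net.rules` installed by the adjacent context lines; confirm that the rules file (or another rule shipped elsewhere) actually invokes the new helper, otherwise it is installed but never triggered.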
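Review bot: In make.sh, `CORE` is bumped to 95 while `PAKFIRE_CORE="94"` on the very next line is left unchanged. If that is intentional for the release process it deserves a comment; if not, the two will disagree about which core level this build reports.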
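Review bot: The deleted network-vlans script did more than create the interface: on `start` it refused to create a VLAN whose parent was missing or whose `VLAN_ID` was empty, applied the configured `MAC_ADDRESS`, and finished with `ip link set ${PARENT_DEV} up`; on `stop` it checked `/proc/net/vlan/${interface}` before tearing the device down. Please confirm the replacement udev hotplug helper preserves these checks, in particular bringing the parent device up, since a VLAN created on hotplug stays down until its parent is up.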
hooks/post-receive -- IPFire 2.x development tree