From abe991723dc66b97dec8de95f88cb4b2689128bf Mon Sep 17 00:00:00 2001 From: mkasper Date: Sun, 8 Jan 2006 10:33:19 +0000 Subject: [PATCH] Import m0n0wall 1.2b9 files. git-svn-id: https://svn.m0n0.ch/wall/trunk@21 e36fee2c-cc09-0410-a7cc-ebac5c6737de --- captiveportal/index.php | 8 +- captiveportal/radius_accounting.inc | 19 ++-- phpconf/inc/captiveportal.inc | 56 +++++++++- phpconf/inc/system.inc | 10 ++ phpconf/inc/vpn.inc | 133 +++++++++++++++++++++- phpconf/inc/xmlparse.inc | 2 +- phpconf/rc.bootup | 6 + webgui/diag_ipsec_sad.php | 2 +- webgui/diag_ipsec_spd.php | 2 +- webgui/diag_logs_filter.php | 142 +++++++++++++++++++----- webgui/diag_logs_settings.php | 9 ++ webgui/firewall_aliases.php | 6 +- webgui/firewall_nat.php | 6 +- webgui/firewall_nat_1to1.php | 6 +- webgui/firewall_nat_out.php | 6 +- webgui/firewall_nat_server.php | 6 +- webgui/firewall_shaper.php | 2 +- webgui/firewall_shaper_pipes.php | 6 +- webgui/firewall_shaper_queues.php | 6 +- webgui/guiconfig.inc | 11 ++ webgui/interfaces_vlan.php | 6 +- webgui/license.php | 6 +- webgui/services_captiveportal.php | 21 +++- webgui/services_captiveportal_ip.php | 6 +- webgui/services_captiveportal_mac.php | 6 +- webgui/services_captiveportal_users.php | 6 +- webgui/services_dhcp.php | 6 +- webgui/services_dnsmasq.php | 6 +- webgui/services_proxyarp.php | 6 +- webgui/services_wol.php | 6 +- webgui/status_captiveportal.php | 18 +-- webgui/system_advanced.php | 14 +++ webgui/system_routes.php | 6 +- webgui/vpn_ipsec.php | 7 +- webgui/vpn_ipsec_ca.php | 93 ++++++++++++++++ webgui/vpn_ipsec_ca_edit.php | 127 +++++++++++++++++++++ webgui/vpn_ipsec_edit.php | 76 ++++++++++++- webgui/vpn_ipsec_keys.php | 7 +- webgui/vpn_ipsec_mobile.php | 62 +++++++++++ webgui/vpn_openvpn_cli.php | 6 +- webgui/vpn_pptp_users.php | 6 +- 41 files changed, 821 insertions(+), 120 deletions(-) create mode 100644 webgui/vpn_ipsec_ca.php create mode 100644 webgui/vpn_ipsec_ca_edit.php diff --git a/captiveportal/index.php b/captiveportal/index.php index 28cecd3..7b08eb8 100644 --- a/captiveportal/index.php +++ b/captiveportal/index.php @@ -74,7 +74,7 @@ if ($clientmac && portal_mac_fixed($clientmac)) { $radiusservers[0]['key']); if ($auth_val == 2) { captiveportal_logportalauth($_POST['auth_user'],$clientmac,$clientip,"LOGIN"); - $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user']); + $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user'], $_POST['auth_pass']); if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { $auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'], $sessionid, @@ -173,7 +173,7 @@ function portal_mac_fixed($clientmac) { return FALSE ; } -function portal_allow($clientip,$clientmac,$clientuser) { +function portal_allow($clientip,$clientmac,$clientuser,$password = "") { global $orig_host, $orig_request, $g, $config; @@ -245,7 +245,9 @@ function portal_allow($clientip,$clientmac,$clientuser) { fwrite($fd, join(",", $cpent) . "\n"); } /* write in this new entry */ - fwrite($fd, time().",{$ruleno},{$clientip},{$clientmac},{$clientuser},{$sessionid}\n") ; + /* encode password in Base64 just in case it contains commas */ + $bpassword = base64_encode($password); + fwrite($fd, time().",{$ruleno},{$clientip},{$clientmac},{$clientuser},{$sessionid},{$bpassword}\n") ; fclose($fd); } diff --git a/captiveportal/radius_accounting.inc b/captiveportal/radius_accounting.inc index 4000fcc..14264f6 100644 --- a/captiveportal/radius_accounting.inc +++ b/captiveportal/radius_accounting.inc @@ -135,7 +135,7 @@ function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$rad // See RFC2866 for this. } -function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip) { +function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey,$clientip,$interimupdate=false) { $sharedsecret=$radiuskey ; # $debug = 1 ; @@ -147,13 +147,13 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius exec("/sbin/ipfw show {$ruleno}", $ipfw) ; preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[0], $matches) ; - $output_pkts = $matches[2] ; - $output_bytes = $matches[3] ; + $input_pkts = $matches[2] ; + $input_bytes = $matches[3] ; unset($matches) ; preg_match("/(\d+)\s+(\d+)\s+(\d+)\s+skipto/", $ipfw[1], $matches) ; - $input_pkts = $matches[2] ; - $input_bytes = $matches[3] ; + $output_pkts = $matches[2] ; + $output_bytes = $matches[3] ; $fd = @fsockopen("udp://$radiusip",$radiusport,$errno,$errstr,3) ; if(!$fd) @@ -196,6 +196,11 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 6; //Framed-IP-Address + if ($interimupdate) + $acctstatustype = 3; + else + $acctstatustype = 2; + // v v v v v v v v v 1 1 1 1 1 1 1 v // Line # 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 E $data=pack("CCCCNNNNCCCCCCCCa*CCa*CCCCCCCCCCCCCCCCCCCCCCCCCCa*CCNCCNCCNCCNCCNCCNCCa*CCa*CCCCCC", @@ -206,7 +211,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort 61,6,0,0,0,15, // nasPortType = Ethernet - 40,6,0,0,0,2, // Acct Status Type = Stop + 40,6,0,0,0,$acctstatustype, // Acct Status Type 45,6,0,0,0,1, // Acct RADIUS Authenticated 44,2+strlen($sessionid),$sessionid, // Acct Session ID 49,6,1, // Acct Terminate = User Request @@ -234,7 +239,7 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radius 32,2+strlen($nasHostname[0]),$nasHostname[0], // nasIdentifier 5,6,0,0,0,0, // nasPort 61,6,0,0,0,15, // nasPortType = Ethernet - 40,6,0,0,0,2, // Acct Status Type = Stop + 40,6,0,0,0,$acctstatustype, // Acct Status Type 45,6,0,0,0,1, // Acct RADIUS Authenticated 44,2+strlen($sessionid),$sessionid, // Acct Session ID 49,6,1, // Acct Terminate = User Request diff --git a/phpconf/inc/captiveportal.inc b/phpconf/inc/captiveportal.inc index d02363c..52e878d 100644 --- a/phpconf/inc/captiveportal.inc +++ b/phpconf/inc/captiveportal.inc @@ -36,6 +36,7 @@ /* include all configuration functions */ require_once("functions.inc"); +require_once("radius_authentication.inc"); require_once("radius_accounting.inc") ; function captiveportal_configure() { @@ -222,6 +223,7 @@ EOD; } else { killbypid("{$g['varrun_path']}/mini_httpd.cp.pid"); + killbypid("{$g['varrun_path']}/mini_httpd.cps.pid"); killbypid("{$g['varrun_path']}/minicron.pid"); captiveportal_radius_stop_all(); @@ -324,7 +326,8 @@ EOD; } /* remove clients that have been around for longer than the specified amount of time */ -/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid */ +/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid,password */ +/* (password is in Base64 and only saved when reauthentication is enabled) */ function captiveportal_prune_old() { global $g, $config; @@ -340,7 +343,7 @@ function captiveportal_prune_old() { else $idletimeout = 0; - if (!$timeout && !$idletimeout) + if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate'])) return; captiveportal_lock(); @@ -372,6 +375,55 @@ function captiveportal_prune_old() { captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT"); unset($cpdb[$i]); } + + /* do periodic RADIUS reauthentication? */ + if (!$timedout && isset($config['captiveportal']['reauthenticate']) && + ($radiusservers !== false)) { + + if (isset($config['captiveportal']['radacct_enable'])) { + if ($config['captiveportal']['reauthenticateacct'] == "stopstart") { + /* stop and restart accounting */ + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key'], + $cpdb[$i][2]); //clientip + exec("/sbin/ipfw zero {$cpdb[$i][1]}"); + RADIUS_ACCOUNTING_START($cpdb[$i][4], + $cpdb[$i][5], + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key'], + $cpdb[$i][2]); + } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key'], + $cpdb[$i][2], //clientip + true); + } + } + + /* check this user against RADIUS again */ + $auth_val = RADIUS_AUTHENTICATION($cpdb[$i][4], + base64_decode($cpdb[$i][6]), + $radiusservers[0]['ipaddr'], + $radiusservers[0]['port'], + $radiusservers[0]['key']); + + if ($auth_val == 3) { + captiveportal_disconnect($cpdb[$i], $radiusservers); + captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT"); + unset($cpdb[$i]); + } + } } /* write database */ diff --git a/phpconf/inc/system.inc b/phpconf/inc/system.inc index 700e039..28b5472 100644 --- a/phpconf/inc/system.inc +++ b/phpconf/inc/system.inc @@ -568,4 +568,14 @@ function system_set_harddisk_standby() { } } +function system_polling_configure() { + global $config, $g; + + if (isset($config['system']['polling'])) { + mwexec("/sbin/sysctl kern.polling.enable=1"); + } else { + mwexec("/sbin/sysctl kern.polling.enable=0"); + } +} + ?> diff --git a/phpconf/inc/vpn.inc b/phpconf/inc/vpn.inc index 8ce9373..b89f239 100644 --- a/phpconf/inc/vpn.inc +++ b/phpconf/inc/vpn.inc @@ -132,9 +132,34 @@ function vpn_ipsec_configure($ipchg = false) { } $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; - + $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; + + /* generate CA certificates files */ + $cacertnum = 0; + if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) + foreach ($ipseccfg['cacert'] as $cacert) { + ++$cacertnum; + if (isset($cacert['cert'])) { + $cert = base64_decode($cacert['cert']); + $x509cert = openssl_x509_parse(openssl_x509_read($cert)); + if(is_array($x509cert) && isset($x509cert['hash'])) { + $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); + if (!$fd1) { + printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); + return 1; + } + chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); + fwrite($fd1, $cert); + fclose($fd1); + } + } + } + + $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { + + ++$tunnelnumber; if (isset($tunnel['disabled'])) continue; @@ -158,11 +183,68 @@ function vpn_ipsec_configure($ipchg = false) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } - + + if (isset($tunnel['p1']['authentication_method'])) { + $authmethod = $tunnel['p1']['authentication_method']; + } else {$authmethod = 'pre_shared_key';} + + $certline = ''; + + if ($authmethod == 'rsasig') { + if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { + $cert = base64_decode($tunnel['p1']['cert']); + $private_key = base64_decode($tunnel['p1']['private-key']); + } else { + /* null certificate/key */ + $cert = ''; + $private_key = ''; + } + + if ($tunnel['p1']['peercert']) + $peercert = base64_decode($tunnel['p1']['peercert']); + else + $peercert = ''; + + $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); + if (!$fd1) { + printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); + return 1; + } + chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); + fwrite($fd1, $cert); + fclose($fd1); + + $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); + if (!$fd1) { + printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); + return 1; + } + chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600); + fwrite($fd1, $private_key); + fclose($fd1); + + $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; + + if ($peercert!=''){ + $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); + if (!$fd1) { + printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); + return 1; + } + chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); + fwrite($fd1, $peercert); + fclose($fd1); + $certline .= << diff --git a/webgui/diag_ipsec_sad.php b/webgui/diag_ipsec_sad.php index 2b2b649..45377be 100644 --- a/webgui/diag_ipsec_sad.php +++ b/webgui/diag_ipsec_sad.php @@ -116,7 +116,7 @@ foreach ($sad as $sa): ?> $args .= "&proto=" . rawurlencode($sa['proto']); $args .= "&spi=" . rawurlencode("0x" . $sa['spi']); ?> - + diff --git a/webgui/diag_ipsec_spd.php b/webgui/diag_ipsec_spd.php index 48b2f34..74db399 100644 --- a/webgui/diag_ipsec_spd.php +++ b/webgui/diag_ipsec_spd.php @@ -118,7 +118,7 @@ foreach ($spd as $sp): ?> $args .= "&dst=" . rawurlencode($sp['dst']); $args .= "&dir=" . rawurlencode($sp['dir']); ?> - + diff --git a/webgui/diag_logs_filter.php b/webgui/diag_logs_filter.php index 2e827ac..e8d37ed 100644 --- a/webgui/diag_logs_filter.php +++ b/webgui/diag_logs_filter.php @@ -32,7 +32,11 @@ $pgtitle = array("Diagnostics", "Logs"); require("guiconfig.inc"); +$protocols = explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IPv6 IGMP any"); + $nentries = $config['syslog']['nentries']; +$resolve = $config['syslog']['resolve']; + if (!$nentries) $nentries = 50; @@ -40,6 +44,48 @@ if ($_POST['clear']) { exec("/usr/sbin/clog -i -s 262144 /var/log/filter.log"); } + +if (isset($_GET['act']) && preg_match("/^[pb]+$/", $_GET['act'])) { + $action = $_GET['act']; + $ifstring .= "&act=$action"; + $srcstring .= "&act=$action"; + $dststring .= "&act=$action"; + $prstring .= "&act=$action"; +} + +if (isset($_GET['if']) && ($_GET['if'] != "")) { + $iface = $_GET['if']; + $actstring .= "&if=$iface"; + $srcstring .= "&if=$iface"; + $dststring .= "&if=$iface"; + $prstring .= "&if=$iface"; +} + +if (isset($_GET['pr']) && in_array($_GET['pr'], $protocols)) { + $proto = $_GET['pr']; + $actstring .= "&pr=$proto"; + $ifstring .= "&pr=$proto"; + $srcstring .= "&pr=$proto"; + $dststring .= "&pr=$proto"; +} + +if (isset($_GET['sp']) && (is_numeric($_GET['sp']))) { + $srcport = $_GET['sp']; + $actstring .= "&sp=$srcport"; + $ifstring .= "&sp=$srcport"; + $dststring .= "&sp=$srcport"; + $prstring .= "&sp=$srcport"; +} + +if (isset($_GET['dp']) && (is_numeric($_GET['dp']))) { + $dstport = $_GET['dp']; + $actstring .= "&dp=$dstport"; + $ifstring .= "&dp=$dstport"; + $srcstring .= "&dp=$dstport"; + $prstring .= "&dp=$dstport"; +} + + function dump_clog($logfile, $tail, $withorig = true) { global $g, $config; @@ -62,7 +108,7 @@ function dump_clog($logfile, $tail, $withorig = true) { } function conv_clog($logfile, $tail) { - global $g, $config; + global $g, $config, $iface, $action, $proto, $srcport, $dstport; /* make interface/port table */ $iftable = array(); @@ -76,7 +122,7 @@ function conv_clog($logfile, $tail) { exec("/usr/sbin/clog " . $logfile . " | tail {$sor} -n " . $tail, $logarr); $filterlog = array(); - + foreach ($logarr as $logent) { $logent = preg_split("/\s+/", $logent, 6); $ipfa = explode(" ", $logent[5]); @@ -89,40 +135,58 @@ function conv_clog($logfile, $tail) { $flent['count'] = substr($ipfa[$i], 0, -1); $i++; } - if ($iftable[$ipfa[$i]]) + if (!isset($iface) || ($iftable[$ipfa[$i]] && strstr($iface, $iftable[$ipfa[$i]]))) $flent['interface'] = $iftable[$ipfa[$i]]; - else + else if (!isset($iface) || strstr($iface, $ipfa[$i])) $flent['interface'] = $ipfa[$i]; + else continue; $i += 2; - $flent['act'] = $ipfa[$i]; + if (!isset($action) || strstr($action, $ipfa[$i])) + $flent['act'] = $ipfa[$i]; + else continue; $i++; - $flent['src'] = format_ipf_ip($ipfa[$i]); + list($flent['src'], $flent['srcport']) = format_ipf_ip($ipfa[$i],$srcport); + if (!isset($flent['src'])) continue; $i += 2; - $flent['dst'] = format_ipf_ip($ipfa[$i]); + list($flent['dst'], $flent['dstport']) = format_ipf_ip($ipfa[$i],$dstport); + if (!isset($flent['dst'])) continue; $i += 2; - $flent['proto'] = strtoupper($ipfa[$i]); - + $protocol = strtoupper($ipfa[$i]); + if (!isset($proto) || ($proto == $protocol)) + $flent['proto'] = $protocol; + else continue; + if (isset($resolve)) { + $flent['dst'] = gethostbyaddr($flent['dst']); + $flent['src'] = gethostbyaddr($flent['src']); + } + if ($protocol == "ICMP") { + $i += 5; + $flent['dst'] = $flent['dst'] . ", type " . $ipfa[$i]; + } $filterlog[] = $flent; } return $filterlog; } -function format_ipf_ip($ipfip) { +function format_ipf_ip($ipfip,$uport) { list($ip,$port) = explode(",", $ipfip); if (!$port) - return $ip; - - return $ip . ", port " . $port; -} + return array($ip, ""); + + if ($uport == "" || ($uport == $port)) + return array($ip . ", port " . $port, $port); + return; +} ?> + - + - - - - - + + + + + + '; + $ifstring .= '" style="color:black" title="click to select interface">'; + $srcstring .= '" style="color:black" title="click to select source port">'; + $dststring .= '" style="color:black" title="click to select destination port">'; + $prstring .= '" style="color:black" title="click to select protocol">'; + ?> + - - - - + + + +
ActAct TimeIfSourceDestinationProto
IfSourceDestinationProto
- + " width="11" height="11" align="absmiddle" border="0" title="click to select action"> + + + + +
Note:
+ There are many possibilities to filter this log. + Just click on the accept () or + deny symbol () to filter for + accepted or denied IP packets. Do the same for the desired + interface, source/destination port or protocol. To deselect + a selected filter entry, click on the column description above. + To reset all filter entries and reload the firewall logs page, + click on the "Firewall" tab below "Diagnostics: Logs". +
diff --git a/webgui/diag_logs_settings.php b/webgui/diag_logs_settings.php index 69b724f..c60f5d0 100644 --- a/webgui/diag_logs_settings.php +++ b/webgui/diag_logs_settings.php @@ -43,6 +43,7 @@ $pconfig['system'] = isset($config['syslog']['system']); $pconfig['enable'] = isset($config['syslog']['enable']); $pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); $pconfig['rawfilter'] = isset($config['syslog']['rawfilter']); +$pconfig['resolve'] = isset($config['syslog']['resolve']); if (!$pconfig['nentries']) $pconfig['nentries'] = 50; @@ -73,6 +74,7 @@ if ($_POST) { $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true; $config['syslog']['rawfilter'] = $_POST['rawfilter'] ? true : false; + $config['syslog']['resolve'] = $_POST['resolve'] ? true : false; write_config(); @@ -154,6 +156,13 @@ function enable_change(enable_over) { Show raw filter logs
Hint: If this is checked, filter logs are shown as generated by the packet filter, without any formatting. This will reveal more detailed information. + + + + - + - +
  > + Resolve IP addresses to hostnames
+ Hint: If this is checked, IP addresses in firewall logs are resolved to real hostnames where possible.
+ Warning: This can cause a huge delay in loading the firewall log page!
  onClick="enable_change(false)"> diff --git a/webgui/firewall_aliases.php b/webgui/firewall_aliases.php index 1cda7c1..2429421 100644 --- a/webgui/firewall_aliases.php +++ b/webgui/firewall_aliases.php @@ -94,13 +94,13 @@ if ($_GET['act'] == "del") {   -   +  
diff --git a/webgui/firewall_nat.php b/webgui/firewall_nat.php index cb5845e..9c084e2 100644 --- a/webgui/firewall_nat.php +++ b/webgui/firewall_nat.php @@ -141,13 +141,13 @@ if ($_GET['act'] == "del") {   - -   + +   - +
Note:
diff --git a/webgui/firewall_nat_1to1.php b/webgui/firewall_nat_1to1.php index a2dfde9..9aa91d7 100644 --- a/webgui/firewall_nat_1to1.php +++ b/webgui/firewall_nat_1to1.php @@ -120,13 +120,13 @@ if ($_GET['act'] == "del") {   - -   + +   - +
Note:
diff --git a/webgui/firewall_nat_out.php b/webgui/firewall_nat_out.php index ce38a59..c1fe4e5 100644 --- a/webgui/firewall_nat_out.php +++ b/webgui/firewall_nat_out.php @@ -156,13 +156,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + diff --git a/webgui/firewall_nat_server.php b/webgui/firewall_nat_server.php index e4d33c9..9c0998f 100644 --- a/webgui/firewall_nat_server.php +++ b/webgui/firewall_nat_server.php @@ -115,13 +115,13 @@ if ($_GET['act'] == "del") {   - -   + +   - +
Note:
diff --git a/webgui/firewall_shaper.php b/webgui/firewall_shaper.php index 765d60b..c5e48be 100644 --- a/webgui/firewall_shaper.php +++ b/webgui/firewall_shaper.php @@ -224,7 +224,7 @@ if ($_GET['act'] == "del") { - + diff --git a/webgui/firewall_shaper_pipes.php b/webgui/firewall_shaper_pipes.php index 322484e..75aea79 100644 --- a/webgui/firewall_shaper_pipes.php +++ b/webgui/firewall_shaper_pipes.php @@ -150,13 +150,13 @@ if ($_GET['act'] == "del") {   - -   + +   - +
Note: a pipe can diff --git a/webgui/firewall_shaper_queues.php b/webgui/firewall_shaper_queues.php index c1ded3b..11306d2 100644 --- a/webgui/firewall_shaper_queues.php +++ b/webgui/firewall_shaper_queues.php @@ -123,13 +123,13 @@ if ($_GET['act'] == "del") {   - -   + +   - +
Note: a queue can diff --git a/webgui/guiconfig.inc b/webgui/guiconfig.inc index c46fea0..9764f45 100644 --- a/webgui/guiconfig.inc +++ b/webgui/guiconfig.inc @@ -99,6 +99,7 @@ $p1_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', $p2_ealgos = array('des' => 'DES', '3des' => '3DES', 'blowfish' => 'Blowfish', 'cast128' => 'CAST128', 'rijndael' => 'Rijndael (AES)'); $p1_halgos = array('sha1' => 'SHA1', 'md5' => 'MD5'); +$p1_authentication_methods = array('pre_shared_key' => 'Pre-shared key', 'rsasig' => 'RSA signature'); $p2_halgos = array('hmac_sha1' => 'SHA1', 'hmac_md5' => 'MD5'); $p2_protos = array('esp' => 'ESP', 'ah' => 'AH'); $p2_pfskeygroups = array('0' => 'off', '1' => '1', '2' => '2', '5' => '5'); @@ -434,4 +435,14 @@ function wol_sort() { usort($config['wol']['wolentry'], "wolcmp"); } +function ipsec_ca_sort() { + global $g, $config; + + function ipseccacmp($a, $b) { + return strcmp($a['ident'], $b['ident']); + } + + usort($config['ipsec']['cacert'], "ipseccacmp"); +} + ?> diff --git a/webgui/interfaces_vlan.php b/webgui/interfaces_vlan.php index 0b6991c..a896fc9 100644 --- a/webgui/interfaces_vlan.php +++ b/webgui/interfaces_vlan.php @@ -115,13 +115,13 @@ if ($_GET['act'] == "del") {   - -   + +     - + diff --git a/webgui/license.php b/webgui/license.php index 762228d..616e01d 100644 --- a/webgui/license.php +++ b/webgui/license.php @@ -80,6 +80,7 @@ require("guiconfig.inc");
Peter Allgeyer (allgeyer@web.de)
    "reject" type filter rules; dial-on-demand; WAN connect/disconnect; auto-add proxy ARP
+     firewall log filtering

Thierry Lechat (dev@lechat.org)
    SVG-based traffic grapher
@@ -122,7 +123,10 @@ require("guiconfig.inc");     Captive portal local user database

Matt Juszczak (matt@atopia.net)
-     Captive portal logging

+     Captive portal logging
+
+ Enrique Maldonado (enrique@directemar.cl)
+     IPsec certificate support

m0n0wall is based upon/includes various free software packages, listed below.
diff --git a/webgui/services_captiveportal.php b/webgui/services_captiveportal.php index a25e997..7233293 100644 --- a/webgui/services_captiveportal.php +++ b/webgui/services_captiveportal.php @@ -52,6 +52,8 @@ $pconfig['idletimeout'] = $config['captiveportal']['idletimeout']; $pconfig['enable'] = isset($config['captiveportal']['enable']); $pconfig['auth_method'] = $config['captiveportal']['auth_method']; $pconfig['radacct_enable'] = isset($config['captiveportal']['radacct_enable']); +$pconfig['reauthenticate'] = isset($config['captiveportal']['reauthenticate']); +$pconfig['reauthenticateacct'] = $config['captiveportal']['reauthenticateacct']; $pconfig['httpslogin_enable'] = isset($config['captiveportal']['httpslogin']); $pconfig['httpsname'] = $config['captiveportal']['httpsname']; $pconfig['cert'] = base64_decode($config['captiveportal']['certificate']); @@ -124,6 +126,8 @@ if ($_POST) { $config['captiveportal']['enable'] = $_POST['enable'] ? true : false; $config['captiveportal']['auth_method'] = $_POST['auth_method']; $config['captiveportal']['radacct_enable'] = $_POST['radacct_enable'] ? true : false; + $config['captiveportal']['reauthenticate'] = $_POST['reauthenticate'] ? true : false; + $config['captiveportal']['reauthenticateacct'] = $_POST['reauthenticateacct']; $config['captiveportal']['httpslogin'] = $_POST['httpslogin_enable'] ? true : false; $config['captiveportal']['httpsname'] = $_POST['httpsname']; $config['captiveportal']['certificate'] = base64_encode($_POST['cert']); @@ -170,6 +174,8 @@ function enable_change(enable_change) { document.iform.radiuskey.disabled = endis; document.iform.radacct_enable.disabled = endis; document.iform.radiusacctport.disabled = endis; + document.iform.reauthenticate.disabled = endis; + document.iform.reauthenticateacct.disabled = endis; document.iform.auth_method[0].disabled = endis; document.iform.auth_method[1].disabled = endis; document.iform.auth_method[2].disabled = endis; @@ -289,14 +295,25 @@ to access after they've authenticated. Accounting:   - > + > + send RADIUS accounting packets Accounting port:   - + + + Reauthentication:   + > + reauthenticate connected users every minute

+ > no accounting updates
+ > stop/start accounting
+ > interim update + +
When using RADIUS authentication, enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret. RADIUS accounting packets will also be sent to the RADIUS server if accounting is enabled (default port is 1813). +

If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately. HTTPS login diff --git a/webgui/services_captiveportal_ip.php b/webgui/services_captiveportal_ip.php index 37da041..2266496 100644 --- a/webgui/services_captiveportal_ip.php +++ b/webgui/services_captiveportal_ip.php @@ -106,13 +106,13 @@ if ($_GET['act'] == "del") {   - -   + +     - +

diff --git a/webgui/services_captiveportal_mac.php b/webgui/services_captiveportal_mac.php index fec1262..056b90f 100644 --- a/webgui/services_captiveportal_mac.php +++ b/webgui/services_captiveportal_mac.php @@ -100,13 +100,13 @@ if ($_GET['act'] == "del") {   - -   + +     - + diff --git a/webgui/services_captiveportal_users.php b/webgui/services_captiveportal_users.php index e15c0dc..78fcab2 100644 --- a/webgui/services_captiveportal_users.php +++ b/webgui/services_captiveportal_users.php @@ -224,15 +224,15 @@ if($_GET['act']=="new" || $_GET['act']=="edit"){   - -   + +   - + diff --git a/webgui/services_dhcp.php b/webgui/services_dhcp.php index 9d60aeb..4f1b60d 100644 --- a/webgui/services_dhcp.php +++ b/webgui/services_dhcp.php @@ -298,13 +298,13 @@ function enable_change(enable_over) {   - -   + +   - + diff --git a/webgui/services_dnsmasq.php b/webgui/services_dnsmasq.php index 231310d..611342d 100644 --- a/webgui/services_dnsmasq.php +++ b/webgui/services_dnsmasq.php @@ -142,13 +142,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + diff --git a/webgui/services_proxyarp.php b/webgui/services_proxyarp.php index cbafef2..13a3dad 100644 --- a/webgui/services_proxyarp.php +++ b/webgui/services_proxyarp.php @@ -107,13 +107,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + diff --git a/webgui/services_wol.php b/webgui/services_wol.php index 6bd5bd9..abcb16a 100644 --- a/webgui/services_wol.php +++ b/webgui/services_wol.php @@ -140,13 +140,13 @@ Click the MAC address to wake up a computer.
  - -   + +   - + diff --git a/webgui/status_captiveportal.php b/webgui/status_captiveportal.php index 18b5ba4..21cb03a 100644 --- a/webgui/status_captiveportal.php +++ b/webgui/status_captiveportal.php @@ -56,7 +56,7 @@ if ($fp) { if ($line) { $cpent = explode(",", $line); if ($_GET['showact']) - $cpent[4] = captiveportal_get_last_activity($cpent[1]); + $cpent[7] = captiveportal_get_last_activity($cpent[1]); $cpdb[] = $cpent; } } @@ -68,8 +68,10 @@ if ($fp) { $order = 2; else if ($_GET['order'] == "mac") $order = 3; - else if ($_GET['order'] == "lastact") + else if ($_GET['order'] == "user") $order = 4; + else if ($_GET['order'] == "lastact") + $order = 7; else $order = 0; usort($cpdb, "clientcmp"); @@ -81,12 +83,11 @@ captiveportal_unlock(); IP address MAC address - Session start - Last activity - - Session start + + Last activity + Username @@ -95,10 +96,11 @@ captiveportal_unlock();   - + +   - + diff --git a/webgui/system_advanced.php b/webgui/system_advanced.php index 037a7dd..8b791dc 100644 --- a/webgui/system_advanced.php +++ b/webgui/system_advanced.php @@ -46,6 +46,7 @@ $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['tcpidletimeout'] = $config['filter']['tcpidletimeout']; $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']); +$pconfig['polling_enable'] = isset($config['system']['polling']); if ($_POST) { @@ -88,6 +89,7 @@ if ($_POST) { $config['filter']['tcpidletimeout'] = $_POST['tcpidletimeout']; $oldpreferoldsa = $config['ipsec']['preferoldsa']; $config['ipsec']['preferoldsa'] = $_POST['preferoldsa_enable'] ? true : false; + $config['system']['polling'] = $_POST['polling_enable'] ? true : false; write_config(); @@ -112,6 +114,7 @@ if ($_POST) { $retval |= interfaces_optional_configure(); if ($config['ipsec']['preferoldsa'] != $oldpreferoldsa) $retval |= vpn_ipsec_configure(); + $retval |= system_polling_configure(); config_unlock(); } $savemsg = get_std_save_message($retval); @@ -277,6 +280,17 @@ function enable_change(enable_over) { By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old. Select this option to always prefer old SAs over new ones. + + + Device polling + + > + Use device polling
+ Device polling is a technique that lets the system periodically poll network devices for new + data instead of relying on interrupts. This can reduce CPU load and therefore increase + throughput, at the expense of a slightly higher forwarding delay (the devices are polled 1000 times + per second). Not all NICs support polling; see the m0n0wall homepage for a list of supported cards. +   diff --git a/webgui/system_routes.php b/webgui/system_routes.php index d60a111..a6fb970 100644 --- a/webgui/system_routes.php +++ b/webgui/system_routes.php @@ -102,13 +102,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + diff --git a/webgui/vpn_ipsec.php b/webgui/vpn_ipsec.php index ee66c3a..9a52898 100644 --- a/webgui/vpn_ipsec.php +++ b/webgui/vpn_ipsec.php @@ -95,6 +95,7 @@ if ($_GET['act'] == "del") {

  • Tunnels
  • Mobile clients
  • Pre-shared keys
    • +
  • CAs
    • @@ -164,13 +165,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + diff --git a/webgui/vpn_ipsec_ca.php b/webgui/vpn_ipsec_ca.php new file mode 100644 index 0000000..bb54ac7 --- /dev/null +++ b/webgui/vpn_ipsec_ca.php @@ -0,0 +1,93 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$pgtitle = array("VPN", "IPsec"); +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['cacert'])) { + $config['ipsec']['cacert'] = array(); +} +ipsec_ca_sort(); +$a_secret = &$config['ipsec']['cacert']; + +if ($_GET['act'] == "del") { + if ($a_secret[$_GET['id']]) { + unset($a_secret[$_GET['id']]); + write_config(); + touch($d_ipsecconfdirty_path); + header("Location: vpn_ipsec_ca.php"); + exit; + } +} + +?> + +
    + +

    +You must apply the changes in order for them to take effect.");?>
    +

    + + + + + + +
    + +
    + + + + + + + + + + + + + + + +
    Identifier
    + + +  
    +
    +
    + diff --git a/webgui/vpn_ipsec_ca_edit.php b/webgui/vpn_ipsec_ca_edit.php new file mode 100644 index 0000000..687d340 --- /dev/null +++ b/webgui/vpn_ipsec_ca_edit.php @@ -0,0 +1,127 @@ +#!/usr/local/bin/php +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$pgtitle = array("VPN", "IPsec", "Edit CA certificate"); +require("guiconfig.inc"); + +if (!is_array($config['ipsec']['cacert'])) { + $config['ipsec']['cacert'] = array(); +} +ipsec_ca_sort(); +$a_secret = &$config['ipsec']['cacert']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_secret[$id]) { + $pconfig['ident'] = $a_secret[$id]['ident']; + $pconfig['cert'] = base64_decode($a_secret[$id]['cert']); +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "ident cert"); + $reqdfieldsn = explode(",", "Identifier,CA Certificate"); + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9@\.\-]/", $_POST['ident'])) + $input_errors[] = "The identifier contains invalid characters."; + + if (!$input_errors && !(isset($id) && $a_secret[$id])) { + /* make sure there are no dupes */ + foreach ($a_secret as $secretent) { + if ($secretent['ident'] == $_POST['ident']) { + $input_errors[] = "Another entry with the same identifier already exists."; + break; + } + } + } + + if (!$input_errors) { + + if (isset($id) && $a_secret[$id]) + $secretent = $a_secret[$id]; + + $secretent['ident'] = $_POST['ident']; + $secretent['cert'] = base64_encode($_POST['cert']); + + if (isset($id) && $a_secret[$id]) + $a_secret[$id] = $secretent; + else + $a_secret[] = $secretent; + + write_config(); + touch($d_ipsecconfdirty_path); + + header("Location: vpn_ipsec_ca.php"); + exit; + } +} +?> + + +
    + + + + + + + + + + + + + +
    Identifier + +
    +This can be any text to describe the certificate authority. +
    Certificate + +
    + Paste a CA certificate in X.509 PEM format here.
      + + + + +
    +
    + diff --git a/webgui/vpn_ipsec_edit.php b/webgui/vpn_ipsec_edit.php index 370c7f4..3bd98bd 100644 --- a/webgui/vpn_ipsec_edit.php +++ b/webgui/vpn_ipsec_edit.php @@ -111,7 +111,11 @@ if (isset($id) && $a_ipsec[$id]) { $pconfig['p1halgo'] = $a_ipsec[$id]['p1']['hash-algorithm']; $pconfig['p1dhgroup'] = $a_ipsec[$id]['p1']['dhgroup']; $pconfig['p1lifetime'] = $a_ipsec[$id]['p1']['lifetime']; + $pconfig['p1authentication_method'] = $a_ipsec[$id]['p1']['authentication_method']; $pconfig['p1pskey'] = $a_ipsec[$id]['p1']['pre-shared-key']; + $pconfig['p1cert'] = base64_decode($a_ipsec[$id]['p1']['cert']); + $pconfig['p1peercert'] = base64_decode($a_ipsec[$id]['p1']['peercert']); + $pconfig['p1privatekey'] = base64_decode($a_ipsec[$id]['p1']['private-key']); $pconfig['p2proto'] = $a_ipsec[$id]['p2']['protocol']; $pconfig['p2ealgos'] = $a_ipsec[$id]['p2']['encryption-algorithm-option']; $pconfig['p2halgos'] = $a_ipsec[$id]['p2']['hash-algorithm-option']; @@ -125,6 +129,7 @@ if (isset($id) && $a_ipsec[$id]) { $pconfig['localnet'] = "lan"; $pconfig['p1mode'] = "aggressive"; $pconfig['p1myidentt'] = "myaddress"; + $pconfig['p1authentication_method'] = "pre_shared_key"; $pconfig['p1ealgo'] = "3des"; $pconfig['p1halgo'] = "sha1"; $pconfig['p1dhgroup'] = "2"; @@ -147,8 +152,20 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); - $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); + if ($_POST['p1authentication_method'] == "pre_shared_key") { + $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p1pskey p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,Pre-Shared Key,P2 Encryption Algorithms,P2 Hash Algorithms"); + } + else { + $reqdfields = explode(" ", "localnet remotenet remotebits remotegw p2ealgos p2halgos"); + $reqdfieldsn = explode(",", "Local network,Remote network,Remote network bits,Remote gateway,P2 Encryption Algorithms,P2 Hash Algorithms"); + if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + if ($_POST['p1peercert']!="" && (!strstr($_POST['p1peercert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1peercert'], "END CERTIFICATE"))) + $input_errors[] = "This peer certificate does not appear to be valid."; + } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); @@ -220,6 +237,10 @@ if ($_POST) { $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; $ipsecent['p1']['pre-shared-key'] = $_POST['p1pskey']; + $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); + $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); + $ipsecent['p1']['peercert'] = base64_encode($_POST['p1peercert']); + $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; $ipsecent['p2']['protocol'] = $_POST['p2proto']; $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; @@ -262,6 +283,22 @@ function typesel_change() { break; } } +function methodsel_change() { + switch (document.iform.p1authentication_method.selectedIndex) { + case 1: /* rsa */ + document.iform.p1pskey.disabled = 1; + document.iform.p1privatekey.disabled = 0; + document.iform.p1cert.disabled = 0; + document.iform.p1peercert.disabled = 0; + break; + default: /* pre-shared */ + document.iform.p1pskey.disabled = 0; + document.iform.p1privatekey.disabled = 1; + document.iform.p1cert.disabled = 1; + document.iform.p1peercert.disabled = 1; + break; + } +} //--> @@ -434,12 +471,46 @@ function typesel_change() { seconds + + Authentication method + +
    Must match the setting + chosen on the remote side. + Pre-Shared Key + + Certificate + + +
    + Paste a certificate in X.509 PEM format here. + + + Key + + +
    + Paste an RSA private key in PEM format here. + + + Peer certificate + + +
    + Paste the peer X.509 certificate in PEM format here.
    + Leave this blank if you want to use a CA certificate for identity validation. + @@ -514,6 +585,7 @@ function typesel_change() { diff --git a/webgui/vpn_ipsec_keys.php b/webgui/vpn_ipsec_keys.php index 75a50fa..676e569 100644 --- a/webgui/vpn_ipsec_keys.php +++ b/webgui/vpn_ipsec_keys.php @@ -62,6 +62,7 @@ if ($_GET['act'] == "del") {
  • Tunnels
  • Mobile clients
  • Pre-shared keys
    • +
  • CAs
    • @@ -80,13 +81,13 @@ if ($_GET['act'] == "del") { - -   + +   - + diff --git a/webgui/vpn_ipsec_mobile.php b/webgui/vpn_ipsec_mobile.php index dfd116d..0a10977 100644 --- a/webgui/vpn_ipsec_mobile.php +++ b/webgui/vpn_ipsec_mobile.php @@ -44,6 +44,7 @@ if (count($a_ipsec) == 0) { $pconfig['p1ealgo'] = "3des"; $pconfig['p1halgo'] = "sha1"; $pconfig['p1dhgroup'] = "2"; + $pconfig['p1authentication_method'] = "pre_shared_key"; $pconfig['p2proto'] = "esp"; $pconfig['p2ealgos'] = explode(",", "3des,blowfish,cast128,rijndael"); $pconfig['p2halgos'] = explode(",", "hmac_sha1,hmac_md5"); @@ -69,6 +70,9 @@ if (count($a_ipsec) == 0) { $pconfig['p1halgo'] = $a_ipsec['p1']['hash-algorithm']; $pconfig['p1dhgroup'] = $a_ipsec['p1']['dhgroup']; $pconfig['p1lifetime'] = $a_ipsec['p1']['lifetime']; + $pconfig['p1authentication_method'] = $a_ipsec['p1']['authentication_method']; + $pconfig['p1cert'] = base64_decode($a_ipsec['p1']['cert']); + $pconfig['p1privatekey'] = base64_decode($a_ipsec['p1']['private-key']); $pconfig['p2proto'] = $a_ipsec['p2']['protocol']; $pconfig['p2ealgos'] = $a_ipsec['p2']['encryption-algorithm-option']; $pconfig['p2halgos'] = $a_ipsec['p2']['hash-algorithm-option']; @@ -86,6 +90,13 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + if ($_POST['p1authentication_method']== "rsasig") { + if (!strstr($_POST['p1cert'], "BEGIN CERTIFICATE") || !strstr($_POST['p1cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['p1privatekey'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['p1privatekey'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + if (($_POST['p1lifetime'] && !is_numeric($_POST['p1lifetime']))) { $input_errors[] = "The P1 lifetime must be an integer."; } @@ -132,6 +143,9 @@ if ($_POST) { $ipsecent['p1']['hash-algorithm'] = $_POST['p1halgo']; $ipsecent['p1']['dhgroup'] = $_POST['p1dhgroup']; $ipsecent['p1']['lifetime'] = $_POST['p1lifetime']; + $ipsecent['p1']['private-key'] = base64_encode($_POST['p1privatekey']); + $ipsecent['p1']['cert'] = base64_encode($_POST['p1cert']); + $ipsecent['p1']['authentication_method'] = $_POST['p1authentication_method']; $ipsecent['p2']['protocol'] = $_POST['p2proto']; $ipsecent['p2']['encryption-algorithm-option'] = $_POST['p2ealgos']; $ipsecent['p2']['hash-algorithm-option'] = $_POST['p2halgos']; @@ -149,6 +163,22 @@ if ($_POST) { } ?> +

    @@ -163,6 +193,7 @@ if ($_POST) {

  • Tunnels
  • Mobile clients
  • Pre-shared keys
    • +
  • CAs
    • @@ -245,6 +276,32 @@ if ($_POST) { seconds + + Authentication method + +
    Must match the setting + chosen on the remote side. + + + Certificate + + +
    + Paste a certificate in X.509 PEM format here. + + + Key + + +
    + Paste an RSA private key in PEM format here. + @@ -316,4 +373,9 @@ if ($_POST) {
    + diff --git a/webgui/vpn_openvpn_cli.php b/webgui/vpn_openvpn_cli.php index d022630..2290067 100644 --- a/webgui/vpn_openvpn_cli.php +++ b/webgui/vpn_openvpn_cli.php @@ -121,13 +121,13 @@ if ($_GET['act'] == "del") { - -   + +     - + diff --git a/webgui/vpn_pptp_users.php b/webgui/vpn_pptp_users.php index 5b6d9da..2e4c47a 100644 --- a/webgui/vpn_pptp_users.php +++ b/webgui/vpn_pptp_users.php @@ -99,13 +99,13 @@ if ($_GET['act'] == "del") {   - -   + +   - + -- 2.25.1