Skip to content

Commit

Permalink
VPN: IPsec: Mobile Clients - move charon attributes to "Advanced sett…
Browse files Browse the repository at this point in the history 
…ings" for #8349
  • Loading branch information
@AdSchellevis
AdSchellevis committed Feb 27, 2025
1 parent 81ec980 commit 9a16ca7
Show file tree
Hide file tree
Showing 6 changed files with 257 additions and 313 deletions.
69 changes: 6 additions & 63 deletions src/etc/inc/plugins.inc.d/ipsec.inc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -936,18 +936,12 @@ function ipsec_write_strongswan_conf()
}
}

$strongswanTree['charon']['install_routes'] = 'no';
if (isset($a_client['enable']) && isset($a_client['net_list'])) {
$strongswanTree['charon']['cisco_unity'] = 'yes';
}

$strongswanTree['charon']['plugins'] = [];

$radius_auth_servers = null;
$disable_xauth = false;
if (isset($a_client['enable'])) {
if (isset($a_client['enable']) && empty($strongswanTree['charon']['plugins']['attr']['subnet'])) {
/* legacy subnet collection, can only be used when not offered manually */
$net_list = [];
if (isset($a_client['net_list'])) {
if ($strongswanTree['charon']['cisco_unity'] == 'yes') {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']) || !isset($ph1ent['mobile'])) {
continue;
Expand All @@ -960,65 +954,14 @@ function ipsec_write_strongswan_conf()
}
}

$strongswanTree['charon']['plugins']['attr'] = [];
if (!isset($strongswanTree['charon']['plugins']['attr'])) {
$strongswanTree['charon']['plugins']['attr'] = [];
}
if (!empty($net_list)) {
$net_list_str = implode(",", $net_list);
$strongswanTree['charon']['plugins']['attr']['subnet'] = $net_list_str;
$strongswanTree['charon']['plugins']['attr']['split-include'] = $net_list_str;
}
$cfgservers = [];
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
if (!empty($a_client[$dns_server])) {
$cfgservers[] = $a_client[$dns_server];
}
}
if (!empty($cfgservers)) {
$strongswanTree['charon']['plugins']['attr']['dns'] = implode(",", $cfgservers);
}
$cfgservers = [];
if (!empty($a_client['wins_server1'])) {
$cfgservers[] = $a_client['wins_server1'];
}
if (!empty($a_client['wins_server2'])) {
$cfgservers[] = $a_client['wins_server2'];
}
if (!empty($cfgservers)) {
$strongswanTree['charon']['plugins']['attr']['nbns'] = implode(",", $cfgservers);
}

if (!empty($a_client['dns_domain'])) {
$strongswanTree['charon']['plugins']['attr']['# Search domain and default domain'] = '';
$strongswanTree['charon']['plugins']['attr']['28674'] = $a_client['dns_domain'];
}

/*
* 28675 --> UNITY_SPLITDNS_NAME
* 25 --> INTERNAL_DNS_DOMAIN
*/
foreach (array("28675", "25") as $attr) {
if (!empty($a_client['dns_split'])) {
$strongswanTree['charon']['plugins']['attr'][$attr] = $a_client['dns_split'];
} elseif (!empty($a_client['dns_domain'])) {
$strongswanTree['charon']['plugins']['attr'][$attr] = $a_client['dns_domain'];
}
}

if (!empty($a_client['dns_split'])) {
$strongswanTree['charon']['plugins']['attr']['28675'] = $a_client['dns_split'];
}

if (!empty($a_client['login_banner'])) {
/* defang login banner, it may be multiple lines and we should not let it escape */
$strongswanTree['charon']['plugins']['attr']['28672'] = '"' . str_replace(['\\', '"'], '', $a_client['login_banner']) . '"';
}

if (isset($a_client['save_passwd'])) {
$strongswanTree['charon']['plugins']['attr']['28673'] = 1;
}

if (!empty($a_client['pfs_group'])) {
$strongswanTree['charon']['plugins']['attr']['28679'] = $a_client['pfs_group'];
}

foreach ($a_phase1 as $ph1ent) {
if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) {
Expand Down
83 changes: 83 additions & 0 deletions src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,18 @@
<type>checkbox</type>
<help>Initiate IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD SA during reauthentication by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer.</help>
</field>
<field>
<id>ipsec.charon.install_routes</id>
<label>Install routes</label>
<type>checkbox</type>
<help>Install routes into a separate routing table for established IPsec tunnels. If disabled a more efficient lookup for source and next-hop addresses is used.</help>
</field>
<field>
<id>ipsec.charon.cisco_unity</id>
<label>Cisco Unity</label>
<type>checkbox</type>
<help>Send Cisco Unity vendor ID payload (IKEv1 only).</help>
</field>
<field>
<type>header</type>
<label>Retransmission</label>
Expand Down Expand Up @@ -230,6 +242,77 @@
<label>Trusted Network Connect</label>
<type>dropdown</type>
</field>
</tab>
<tab id="ipsec-attr" description="Attr">
<field>
<id>ipsec.charon.plugins.attr.subnet</id>
<label>Subnet</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>The protected sub-networks that this edge-device protects (in CIDR notation). Usually ignored in deference to local_ts, though macOS clients will use this for routes</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.dns</id>
<label>DNS</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>DNS server</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.nbns</id>
<label>NBNS</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>WINS server</help>
</field>
<field>
<type>header</type>
<label>Cisco Unity</label>
</field>
<field>
<id>ipsec.charon.plugins.attr.split-include</id>
<label>Split-include</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>Comma-separated list of subnets to tunnel. The unity plugin provides a connection specific approach to assign this attribute.</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.x_28674</id>
<label>Default search</label>
<type>text</type>
<help>Default search domain used when resolving host names via the assigned DNS servers</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.x_28675</id>
<label>Split DNS name</label>
<type>text</type>
<help>If split tunneling is used clients might not install the assigned DNS servers globally. This space-separated list of domain names allows clients, such as macOS, to selectively query the assigned DNS servers. Seems Mac OS X uses only the first item in the list</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.x_28672</id>
<label>Login banner</label>
<type>textbox</type>
<help>Message displayed on certain clients after login</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.x_28673</id>
<label>Save password</label>
<type>checkbox</type>
<help>Allow client to save Xauth password in local storage</help>
</field>
<field>
<id>ipsec.charon.plugins.attr.x_28679</id>
<label>PFS group</label>
<type>dropdown</type>
</field>




</tab>
<activetab>ipsec-general</activetab>
</form>
15 changes: 12 additions & 3 deletions src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,12 +188,21 @@ private function traverseItems($node)
{
$result = [];
foreach ($node->iterateItems() as $key => $item) {
$is_numeric = str_starts_with($key, 'x_');
/* numeric keys, need to rename for valid xml */
$target_key = $is_numeric ? substr($key, 2) : $key;

if ($item->isContainer()) {
$result[$key] = $this->traverseItems($item);
$result[$target_key] = $this->traverseItems($item);
} elseif (is_a($item, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
$result[$key] = !empty((string)$item) ? 'yes' : 'no';
$result[$target_key] = !empty((string)$item) ? 'yes' : 'no';
} elseif ((string)$item != '') {
$result[$key] = (string)$item;
if ($target_key == '28672') {
/* Unity login banner, needs to be wrapped? */
$result[$target_key] = '"' . str_replace(['\\', '"'], '', (string)$item) . '"';
} else {
$result[$target_key] = (string)$item;
}
}
}
return $result;
Expand Down
56 changes: 55 additions & 1 deletion src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
<model>
<mount>//OPNsense/IPsec</mount>
<version>1.0.3</version>
<version>1.0.4</version>
<description>OPNsense IPsec</description>
<items>
<general>
Expand Down Expand Up @@ -55,6 +55,8 @@
<Default>1</Default>
<Required>Y</Required>
</ignore_acquire_ts>
<install_routes type="BooleanField"/>
<cisco_unity type="BooleanField"/>
<make_before_break type="BooleanField"/>
<retransmit_tries type="IntegerField"/>
<retransmit_timeout type="NumericField"/>
Expand Down Expand Up @@ -92,6 +94,58 @@
<tnc type=".\CharonLogLevelField"/>
</daemon>
</syslog>
<plugins>
<attr>
<subnet type="NetworkField">
<NetMaskRequired>Y</NetMaskRequired>
<FieldSeparator>,</FieldSeparator>
<asList>Y</asList>
</subnet>
<split-include type="NetworkField">
<NetMaskRequired>Y</NetMaskRequired>
<FieldSeparator>,</FieldSeparator>
<asList>Y</asList>
</split-include>
<!-- UNITY_DEF_DOMAIN -->
<x_28674 type="TextField"/>
<x_28675 type="TextField"/>
<x_25 type="TextField"/>
<x_28672 type="TextField"/>
<x_28673 type="BooleanField"/>
<x_28679 type="OptionField">
<OptionValues>
<o1 value='1'>1 (768 bits)</o1 >
<o2 value='2'>2 (1024 bits)</o2 >
<o5 value='5'>5 (1536 bits)</o5 >
<o14 value='14'>14 (2048 bits)</o14 >
<o15 value='15'>15 (3072 bits)</o15 >
<o16 value='16'>16 (4096 bits)</o16 >
<o17 value='17'>17 (6144 bits)</o17 >
<o18 value='18'>18 (8192 bits)</o18 >
<o19 value='19'>19 (NIST EC 256 bits)</o19 >
<o20 value='20'>20 (NIST EC 384 bits)</o20 >
<o21 value='21'>21 (NIST EC 521 bits)</o21 >
<o22 value='22'>22 (1024(sub 160) bits)</o22 >
<o23 value='23'>23 (2048(sub 224) bits)</o23 >
<o24 value='24'>24 (2048(sub 256) bits)</o24 >
<o28 value='28'>28 (Brainpool EC 256 bits)</o28 >
<o29 value='29'>29 (Brainpool EC 384 bits)</o29 >
<o30 value='30'>30 (Brainpool EC 512 bits)</o30 >
<o31 value='31'>31 (Elliptic Curve 25519)</o31 >
</OptionValues>
</x_28679>
<dns type="NetworkField">
<NetmaskAllowed>N</NetmaskAllowed>
<FieldSeparator>,</FieldSeparator>
<asList>Y</asList>
</dns>
<nbns type="NetworkField">
<NetmaskAllowed>N</NetmaskAllowed>
<FieldSeparator>,</FieldSeparator>
<asList>Y</asList>
</nbns>
</attr>
</plugins>
</charon>
<keyPairs>
<keyPair type="ArrayField">
Expand Down
99 changes: 99 additions & 0 deletions src/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
<?php

/*
* Copyright (C) 2025 Deciso B.V.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

namespace OPNsense\IPsec\Migrations;

use OPNsense\Base\BaseModelMigration;
use OPNsense\Core\Config;
use OPNsense\IPsec\IPsec;

class M1_0_4 extends BaseModelMigration
{
public function run($model)
{
if (!$model instanceof IPsec) {
return;
}
$cnf = Config::getInstance()->object();
if (!isset($cnf->ipsec) || !isset($cnf->ipsec->client)) {
return;
}
if (isset($cnf->ipsec->client) && isset($cnf->ipsec->client->net_list)) {
$model->charon->cisco_unity = '1';
unset($cnf->ipsec->client->net_list);
}
$dns_servers = [];
foreach (['dns_server1', 'dns_server2', 'dns_server3', 'dns_server4'] as $tmp) {
if (!empty((string)$cnf->ipsec->client->$tmp)) {
$dns_servers[] = (string)$cnf->ipsec->client->$tmp;
unset($cnf->ipsec->client->$tmp);
}
}
if (!empty($dns_servers)) {
$model->charon->plugins->attr->dns = implode(',', $dns_servers);
}

$nbns_servers = [];
foreach (['wins_server1', 'wins_server2'] as $tmp) {
if (!empty((string)$cnf->ipsec->client->$tmp)) {
$nbns_servers[] = (string)$cnf->ipsec->client->$tmp;
unset($cnf->ipsec->client->$tmp);
}
}
if (!empty($nbns_servers)) {
$model->charon->plugins->attr->nbns = implode(',', $nbns_servers);
}

if (!empty((string)$cnf->ipsec->client->dns_domain)) {
$model->charon->plugins->attr->x_28674 = (string)$cnf->ipsec->client->dns_domain;
$model->charon->plugins->attr->x_28675 = (string)$cnf->ipsec->client->dns_domain;
unset($cnf->ipsec->client->dns_domain);
}

if (!empty((string)$cnf->ipsec->client->dns_split)) {
/* overwrites previous when both are set */
$model->charon->plugins->attr->x_28675 = (string)$cnf->ipsec->client->dns_split;
unset($cnf->ipsec->client->dns_split);
}

if (!empty((string)$cnf->ipsec->client->login_banner)) {
$model->charon->plugins->attr->x_28672 = (string)$cnf->ipsec->client->login_banner;
unset($cnf->ipsec->client->login_banner);
}

if (isset($cnf->ipsec->client->save_passwd)) {
$model->charon->plugins->attr->x_28673 = '1';
unset($cnf->ipsec->client->save_passwd);
}

if (!empty((string)$cnf->ipsec->client->pfs_group)) {
$model->charon->plugins->attr->x_28679 = (string)$cnf->ipsec->client->pfs_group;
unset($cnf->ipsec->client->pfs_group);
}
}
}
Loading

0 comments on commit 9a16ca7

Please sign in to comment.