From a893cdc7a559d651b315ff4ca1dc1d82dba34e23 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Fri, 28 Feb 2025 12:53:25 +0000 Subject: [PATCH] VPN: IPsec: Mobile Clients - move charon attributes to "Advanced settings" for https://github.com/opnsense/core/issues/8349 (#8380) Rename previous "advanced settings" to "mobile & advanced settings" to guide people into the right direction, strongswan.conf contains both sets of data. Keep legacy page for settings that are only relevant for the old components. Since our pam authenticator hooks into the configuration, refactor to use the model as well. Cleanup code in the model that was only used in the legacy glue. --- plist | 1 + src/etc/inc/plugins.inc.d/ipsec.inc | 136 +------- .../OPNsense/IPsec/forms/settings.xml | 132 +++++++ .../library/OPNsense/Auth/Services/IPsec.php | 16 +- .../mvc/app/models/OPNsense/IPsec/IPsec.php | 42 ++- .../mvc/app/models/OPNsense/IPsec/IPsec.xml | 84 ++++- .../app/models/OPNsense/IPsec/Menu/Menu.xml | 4 +- .../OPNsense/IPsec/Migrations/M1_0_4.php | 137 ++++++++ .../mvc/app/models/OPNsense/IPsec/Swanctl.php | 21 -- src/www/vpn_ipsec_mobile.php | 327 +----------------- 10 files changed, 418 insertions(+), 482 deletions(-) create mode 100644 src/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php diff --git a/plist b/plist index d84ebc777a5..771946c824d 100644 --- a/plist +++ b/plist @@ -786,6 +786,7 @@ /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_1.php /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_2.php /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_3.php +/usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php /usr/local/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml /usr/local/opnsense/mvc/app/models/OPNsense/Interfaces/ACL/ACL.xml 
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc index 16eb7055b15..3eeb245e724 100644 --- a/src/etc/inc/plugins.inc.d/ipsec.inc +++ b/src/etc/inc/plugins.inc.d/ipsec.inc @@ -1,7 +1,7 @@ * Copyright (C) 2008 Shrew Soft Inc. * Copyright (C) 2008 Ermal Luçi @@ -925,6 +925,8 @@ function ipsec_write_strongswan_conf() $strongswanTree = (new \OPNsense\IPsec\IPsec())->strongswanTree(); + /* legacy overwrites for strongswan.conf */ + foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) { continue; @@ -936,18 +938,10 @@ function ipsec_write_strongswan_conf() } } - $strongswanTree['charon']['install_routes'] = 'no'; - if (isset($a_client['enable']) && isset($a_client['net_list'])) { - $strongswanTree['charon']['cisco_unity'] = 'yes'; - } - - $strongswanTree['charon']['plugins'] = []; - - $radius_auth_servers = null; - $disable_xauth = false; - if (isset($a_client['enable'])) { + if (isset($a_client['enable']) && empty($strongswanTree['charon']['plugins']['attr']['subnet'])) { + /* legacy subnet collection, can only be used when not offered manually */ $net_list = []; - if (isset($a_client['net_list'])) { + if ($strongswanTree['charon']['cisco_unity'] == 'yes') { foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled']) || !isset($ph1ent['mobile'])) { continue; 
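Review bot: `if ($strongswanTree['charon']['cisco_unity'] == 'yes')` reads the key without a guard and with a loose comparison; the model's boolean handling presumably always emits `yes`/`no` for it, but if the tree ever lacks the key (a config that has not been migrated yet, or a future model change) PHP 8 raises an undefined-array-key warning and the branch is silently skipped. `if (($strongswanTree['charon']['cisco_unity'] ?? 'no') === 'yes') {` keeps the intent and is warning-free. A short comment above it would also help the next reader, since the legacy `net_list` flag that used to drive this branch now lives in the model: `/* cisco_unity (formerly client.net_list) decides whether legacy phase1 networks are pushed as split-include */`. The enclosing ipsec_write_strongswan_conf() starts before this hunk and continues after it.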
@@ -960,123 +954,21 @@ function ipsec_write_strongswan_conf() } } - $strongswanTree['charon']['plugins']['attr'] = []; + if (!isset($strongswanTree['charon']['plugins']['attr'])) { + $strongswanTree['charon']['plugins']['attr'] = []; + } if (!empty($net_list)) { $net_list_str = implode(",", $net_list); $strongswanTree['charon']['plugins']['attr']['subnet'] = $net_list_str; $strongswanTree['charon']['plugins']['attr']['split-include'] = $net_list_str; } - $cfgservers = []; - foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) { - if (!empty($a_client[$dns_server])) { - $cfgservers[] = $a_client[$dns_server]; - } - } - if (!empty($cfgservers)) { - $strongswanTree['charon']['plugins']['attr']['dns'] = implode(",", $cfgservers); - } - $cfgservers = []; - if (!empty($a_client['wins_server1'])) { - $cfgservers[] = $a_client['wins_server1']; - } - if (!empty($a_client['wins_server2'])) { - $cfgservers[] = $a_client['wins_server2']; - } - if (!empty($cfgservers)) { - $strongswanTree['charon']['plugins']['attr']['nbns'] = implode(",", $cfgservers); - } - - if (!empty($a_client['dns_domain'])) { - $strongswanTree['charon']['plugins']['attr']['# Search domain and default domain'] = ''; - $strongswanTree['charon']['plugins']['attr']['28674'] = $a_client['dns_domain']; - } - - /* - * 28675 --> UNITY_SPLITDNS_NAME - * 25 --> INTERNAL_DNS_DOMAIN - */ - foreach (array("28675", "25") as $attr) { - if (!empty($a_client['dns_split'])) { - $strongswanTree['charon']['plugins']['attr'][$attr] = $a_client['dns_split']; - } elseif (!empty($a_client['dns_domain'])) { - $strongswanTree['charon']['plugins']['attr'][$attr] = $a_client['dns_domain']; - } - } - - if (!empty($a_client['dns_split'])) { - $strongswanTree['charon']['plugins']['attr']['28675'] = $a_client['dns_split']; - } - - if (!empty($a_client['login_banner'])) { - /* defang login banner, it may be multiple lines and we should not let it escape */ - 
$strongswanTree['charon']['plugins']['attr']['28672'] = '"' . str_replace(['\\', '"'], '', $a_client['login_banner']) . '"'; - } - - if (isset($a_client['save_passwd'])) { - $strongswanTree['charon']['plugins']['attr']['28673'] = 1; - } - - if (!empty($a_client['pfs_group'])) { - $strongswanTree['charon']['plugins']['attr']['28679'] = $a_client['pfs_group']; - } - - foreach ($a_phase1 as $ph1ent) { - if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) { - if ($ph1ent['authentication_method'] == "eap-radius") { - $radius_auth_servers = $ph1ent['authservers']; - break; // there can only be one mobile phase1, exit loop - } - } - } - } - if (empty($radius_auth_servers) && !empty($a_client['radius_source'])) { - $radius_auth_servers = $a_client['radius_source']; } - $mdl = new \OPNsense\IPsec\Swanctl(); - if ((isset($a_client['enable']) || $mdl->isEnabled()) && !empty($radius_auth_servers)) { - $disable_xauth = true; // disable Xauth when radius is used. - $strongswanTree['charon']['plugins']['eap-radius'] = []; - $strongswanTree['charon']['plugins']['eap-radius']['servers'] = []; - $radius_server_num = 1; - $radius_accounting_enabled = false; - - foreach (auth_get_authserver_list() as $auth_server) { - if (in_array($auth_server['name'], explode(',', $radius_auth_servers))) { - $server = [ - 'address' => $auth_server['host'], - 'secret' => '"' . $auth_server['radius_secret'] . '"', - 'auth_port' => $auth_server['radius_auth_port'], - ]; - - if (!empty($auth_server['radius_acct_port'])) { - $server['acct_port'] = $auth_server['radius_acct_port']; - } - $strongswanTree['charon']['plugins']['eap-radius']['servers']['server' . 
$radius_server_num] = $server; - if (!empty($auth_server['radius_acct_port'])) { - $radius_accounting_enabled = true; - } - $radius_server_num += 1; - } - } - if ($radius_accounting_enabled) { - $strongswanTree['charon']['plugins']['eap-radius']['accounting'] = 'yes'; - } - if ($mdl->radiusUsesGroups()) { - $strongswanTree['charon']['plugins']['eap-radius']['class_group'] = 'yes'; - } - } - if ((isset($a_client['enable']) && !$disable_xauth) || (new \OPNsense\IPsec\Swanctl())->isEnabled()) { - $strongswanTree['charon']['plugins']['xauth-pam'] = [ - 'pam_service' => 'ipsec', - 'session' => 'no', - 'trim_email' => 'yes' - ]; - } - - $strongswan = generate_strongswan_conf($strongswanTree); - $strongswan .= "\ninclude strongswan.opnsense.d/*.conf\n"; - @file_put_contents("/usr/local/etc/strongswan.conf", $strongswan); + /* flush to disk */ + @file_put_contents( + "/usr/local/etc/strongswan.conf", + sprintf("%s\ninclude strongswan.opnsense.d/*.conf\n", generate_strongswan_conf($strongswanTree)) + ); } /** diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml index 400a003ae0b..08f4d94c500 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml 
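Review bot: The write at the end of the hunk still uses `@file_put_contents` and throws away its return value, so when /usr/local/etc/strongswan.conf cannot be written the old file stays in place and whatever reloads charon afterwards runs with stale attribute, RADIUS and xauth settings while the caller reports success. Capture the result and log it, e.g. `if (@file_put_contents('/usr/local/etc/strongswan.conf', $strongswan) === false) { log_msg('unable to write strongswan.conf', LOG_ERR); }` (or whichever logging helper this file already uses), building `$strongswan` on the line before. A comment at the top of the hunk would also be worth having, because the removed `$disable_xauth` coupling means `xauth-pam` is no longer suppressed when RADIUS is configured and, given its defaults, appears to be emitted unconditionally now: `/* plugin sections (attr, eap-radius, xauth-pam) come straight from the model; no implicit exclusions */`. The enclosing function starts before this hunk.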
@@ -28,6 +28,59 @@ When sending all traffic to the remote location, you probably want to add your lan network(s) here. + + ipsec.general.user_source + + select_multiple + + Select authentication methods to use, leave empty if no challenge response authentication is needed. + + + ipsec.general.local_group + + dropdown + + Restrict access to users in the selected local group. Please be aware that other authentication backends will refuse to authenticate when using this option. + + + + + ipsec.charon.plugins.eap-radius.servers + + select_multiple + RADIUS servers to configure + + + ipsec.charon.plugins.eap-radius.accounting + + checkbox + Enable RADIUS accounting + + + ipsec.charon.plugins.eap-radius.class_group + + checkbox + + + + + ipsec.charon.plugins.xauth-pam.pam_service + + text + PAM service to use for authentication. + + + ipsec.charon.plugins.xauth-pam.session + + checkbox + Open/close a PAM session for each active IKE_SA + + + ipsec.charon.plugins.xauth-pam.trim_email + + checkbox + If an email address is received as an XAuth username, trim it to just the username part + @@ -84,6 +137,18 @@ checkbox Initiate IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD SA during reauthentication by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer. + + ipsec.charon.install_routes + + checkbox + Install routes into a separate routing table for established IPsec tunnels. If disabled a more efficient lookup for source and next-hop addresses is used. + + + ipsec.charon.cisco_unity + + checkbox + Send Cisco Unity vendor ID payload (IKEv1 only). + header 
@@ -231,5 +296,72 @@ dropdown + + + ipsec.charon.plugins.attr.subnet + + select_multiple + + true + The protected sub-networks that this edge-device protects (in CIDR notation). Usually ignored in deference to local_ts, though macOS clients will use this for routes + + + ipsec.charon.plugins.attr.dns + + select_multiple + + true + DNS server + + + ipsec.charon.plugins.attr.nbns + + select_multiple + + true + WINS server + + + header + + + + ipsec.charon.plugins.attr.split-include + + select_multiple + + true + Comma-separated list of subnets to tunnel. The unity plugin provides a connection specific approach to assign this attribute. + + + ipsec.charon.plugins.attr.x_28674 + + text + Default search domain used when resolving host names via the assigned DNS servers + + + ipsec.charon.plugins.attr.x_28675 + + text + If split tunneling is used clients might not install the assigned DNS servers globally. This space-separated list of domain names allows clients, such as macOS, to selectively query the assigned DNS servers. Seems Mac OS X uses only the first item in the list + + + ipsec.charon.plugins.attr.x_28672 + + textbox + Message displayed on certain clients after login + + + ipsec.charon.plugins.attr.x_28673 + + checkbox + Allow client to save Xauth password in local storage + + + ipsec.charon.plugins.attr.x_28679 + + dropdown + + ipsec-general diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php index 292483b120d..71704a731ab 100644 --- a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php +++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php 
@@ -56,10 +56,10 @@ public static function aliases() */ public function supportedAuthenticators() { - $result = array(); - $configObj = Config::getInstance()->object(); - if (!empty((string)$configObj->ipsec->client->user_source)) { - $result = explode(',', (string)$configObj->ipsec->client->user_source); + $result = []; + $mdl = new \OPNsense\IPsec\IPsec(); + if (!empty((string)$mdl->general->user_source)) { + $result = explode(',', (string)$mdl->general->user_source); } else { $result[] = 'Local Database'; } @@ -87,11 +87,11 @@ public function getUserName() */ public function checkConstraints() { - $configObj = Config::getInstance()->object(); - if (!empty((string)$configObj->ipsec->client->local_group)) { + $mdl = new \OPNsense\IPsec\IPsec(); + if (!empty((string)$mdl->general->local_group)) { // Enforce group constraint when set - $local_group = (string)$configObj->ipsec->client->local_group; - return (new ACL())->inGroup($this->getUserName(), $local_group); + $local_group = (string)$mdl->general->local_group; + return (new ACL())->inGroup($this->getUserName(), $local_group, false); } else { // no constraints return true; diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.php index 7c42df6a025..848406e6e27 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.php +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.php @@ -1,7 +1,7 @@ * All rights reserved. * @@ -31,6 +31,8 @@ use OPNsense\Base\Messages\Message; use OPNsense\Base\BaseModel; +use OPNsense\Core\Config; + /** * Class IPsec 
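Review bot: `supportedAuthenticators()` still falls back to `'Local Database'` when `general->user_source` is empty, while the new settings form tells the administrator to "leave empty if no challenge response authentication is needed"; with this commit an empty selection therefore means local-database XAuth/EAP authentication rather than none, so either the help text or the fallback (return `[]` and let PAM refuse) should change. In `checkConstraints()` the new third argument `false` to `inGroup()` has no visible meaning in this hunk; since the migration now stores the option key rather than the group name in `local_group`, a one-line comment such as `// local_group holds the group id (model option key), not the group name` would prevent the next reader from "fixing" it. Please also confirm that `inGroup()` returns false when the referenced group no longer exists, so the restriction fails closed.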
@@ -187,13 +189,45 @@ public function parseCryptographicKey($keyString, $keyType) private function traverseItems($node) { $result = []; + $cnf = Config::getInstance()->object(); foreach ($node->iterateItems() as $key => $item) { + $is_numeric = str_starts_with($key, 'x_'); + /* numeric keys, need to rename for valid xml */ + $target_key = $is_numeric ? substr($key, 2) : $key; + if ($item->isContainer()) { - $result[$key] = $this->traverseItems($item); + $result[$target_key] = $this->traverseItems($item); } elseif (is_a($item, "OPNsense\\Base\\FieldTypes\\BooleanField")) { - $result[$key] = !empty((string)$item) ? 'yes' : 'no'; + $result[$target_key] = !empty((string)$item) ? 'yes' : 'no'; + } elseif (is_a($item, "OPNsense\\Base\\FieldTypes\\AuthenticationServerField")) { + $servers = []; + foreach(explode(',', (string)$item) as $item) { + $idx = 'server' . (string)(count($servers) + 1); + $mapping = []; + if (isset($cnf->authserver)) { + foreach ($cnf->authserver as $authserver) { + if ($authserver->name == $item) { + $servers[$idx] = [ + 'address' => (string)$authserver->host, + 'secret' => '"' . (string)$authserver->radius_secret . '"', + 'auth_port' => (string)$authserver->radius_auth_port, + ]; + if (!empty((string)$authserver->radius_acct_port)) { + $servers[$idx]['acct_port'] = (string)$authserver->radius_acct_port; + } + } + } + } + + } + $result[$target_key] = $servers; } elseif ((string)$item != '') { - $result[$key] = (string)$item; + if ($target_key == '28672') { + /* Unity login banner, needs to be wrapped? */ + $result[$target_key] = '"' . str_replace(['\\', '"'], '', (string)$item) . '"'; + } else { + $result[$target_key] = (string)$item; + } } } return $result; diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml index 603b6b56eda..b07a483f2fe 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml 
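Review bot: The RADIUS shared secret is wrapped in double quotes without any escaping (`'secret' => '"' . (string)$authserver->radius_secret . '"'`), whereas the Unity banner a few lines below strips `\` and `"` before quoting; a secret containing either character yields an unparsable strongswan.conf or a value charon reads differently from what was entered. Stripping would silently change the secret, so escape instead: `'secret' => '"' . addcslashes((string)$authserver->radius_secret, '"\\') . '"',` assuming the strongswan.conf quoted-string escapes apply (worth confirming against the settings parser). The inner `foreach (explode(',', (string)$item) as $item)` reuses the outer loop variable, which reads as a bug even if the outer foreach reassigns it on the next iteration; rename it (`as $server_name`) and drop the unused `$mapping = [];`. A name that matches no `authserver` entry is skipped silently and leaves an empty `servers` section, so a log line there would save debugging time.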
@@ -1,6 +1,6 @@ //OPNsense/IPsec - 1.0.3 + 1.0.4 OPNsense IPsec @@ -20,6 +20,10 @@ Y N + + Y + + @@ -55,6 +59,8 @@ 1 Y + + @@ -92,6 +98,82 @@ + + + + Y + , + Y + + + Y + , + Y + + + + + + + + + + 1 (768 bits) + 2 (1024 bits) + 5 (1536 bits) + 14 (2048 bits) + 15 (3072 bits) + 16 (4096 bits) + 17 (6144 bits) + 18 (8192 bits) + 19 (NIST EC 256 bits) + 20 (NIST EC 384 bits) + 21 (NIST EC 521 bits) + 22 (1024(sub 160) bits) + 23 (2048(sub 224) bits) + 24 (2048(sub 256) bits) + 28 (Brainpool EC 256 bits) + 29 (Brainpool EC 384 bits) + 30 (Brainpool EC 512 bits) + 31 (Elliptic Curve 25519) + + + + N + , + Y + + + N + , + Y + + + + + Y + + /^(radius)$/ + + + + + + + + Y + ipsec + + + Y + 0 + + + Y + 1 + + + diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/Menu/Menu.xml index 8e9a6232f05..de9101e3cfd 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Menu/Menu.xml +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Menu/Menu.xml @@ -6,12 +6,12 @@ - + - + diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php new file mode 100644 index 00000000000..a8e81fdfd8f --- /dev/null +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Migrations/M1_0_4.php 
@@ -0,0 +1,137 @@ +object(); + if (!isset($cnf->ipsec) || !isset($cnf->ipsec->client)) { + return; + } + if (isset($cnf->ipsec->client) && isset($cnf->ipsec->client->net_list)) { + $model->charon->cisco_unity = '1'; + unset($cnf->ipsec->client->net_list); + } + $dns_servers = []; + foreach (['dns_server1', 'dns_server2', 'dns_server3', 'dns_server4'] as $tmp) { + if (!empty((string)$cnf->ipsec->client->$tmp)) { + $dns_servers[] = (string)$cnf->ipsec->client->$tmp; + unset($cnf->ipsec->client->$tmp); + } + } + if (!empty($dns_servers)) { + $model->charon->plugins->attr->dns = implode(',', $dns_servers); + } + + $nbns_servers = []; + foreach (['wins_server1', 'wins_server2'] as $tmp) { + if (!empty((string)$cnf->ipsec->client->$tmp)) { + $nbns_servers[] = (string)$cnf->ipsec->client->$tmp; + unset($cnf->ipsec->client->$tmp); + } + } + if (!empty($nbns_servers)) { + $model->charon->plugins->attr->nbns = implode(',', $nbns_servers); + } + + if (!empty((string)$cnf->ipsec->client->dns_domain)) { + $model->charon->plugins->attr->x_28674 = (string)$cnf->ipsec->client->dns_domain; + $model->charon->plugins->attr->x_28675 = (string)$cnf->ipsec->client->dns_domain; + unset($cnf->ipsec->client->dns_domain); + } + + if (!empty((string)$cnf->ipsec->client->dns_split)) { + /* overwrites previous when both are set */ + $model->charon->plugins->attr->x_28675 = (string)$cnf->ipsec->client->dns_split; + unset($cnf->ipsec->client->dns_split); + } + + if (!empty((string)$cnf->ipsec->client->login_banner)) { + $model->charon->plugins->attr->x_28672 = (string)$cnf->ipsec->client->login_banner; + unset($cnf->ipsec->client->login_banner); + } + + if (isset($cnf->ipsec->client->save_passwd)) { + $model->charon->plugins->attr->x_28673 = '1'; + unset($cnf->ipsec->client->save_passwd); + } + + if (!empty((string)$cnf->ipsec->client->pfs_group)) { + $model->charon->plugins->attr->x_28679 = (string)$cnf->ipsec->client->pfs_group; + unset($cnf->ipsec->client->pfs_group); + } + + if 
(!empty((string)$cnf->ipsec->client->radius_source)) { + $model->charon->plugins->{'eap-radius'}->servers = (string)$cnf->ipsec->client->radius_source; + unset($cnf->ipsec->client->radius_source); + } else { + if (isset($cnf->ipsec->phase1)) { + foreach ($cnf->ipsec->phase1 as $phase1) { + if (!isset($phase1->disabled) && isset($phase1->mobile) && + $phase1->authentication_method == 'eap-radius' + ) { + $model->charon->plugins->{'eap-radius'}->servers = (string)$phase1->authservers; + } + } + } + } + + if (!empty((string)$cnf->ipsec->client->user_source)) { + $tmp = explode(',', (string)$cnf->ipsec->client->user_source); + $user_source = []; + foreach ($model->general->user_source->getNodeData() as $key => $data) { + if (in_array($key, $tmp)) { + $user_source[] = $key; + } + } + if (!empty($user_source)) { + $model->general->user_source = implode(',', $user_source); + } + unset($cnf->ipsec->client->user_source); + } + + if (!empty((string)$cnf->ipsec->client->local_group)) { + foreach ($model->general->local_group->getNodeData() as $key => $data) { + if ((string)$cnf->ipsec->client->local_group == $data['value']) { + $model->general->local_group = $key; + } + } + unset($cnf->ipsec->client->local_group); + } + } +} diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php index 12f437a0cd9..000dab20aa3 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php 
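Review bot: The migration never sets `charon->plugins->{'eap-radius'}->class_group`, although the same commit deletes `Swanctl::radiusUsesGroups()`, which until now switched `class_group = yes` on automatically whenever an enabled connection's eap-radius auth carried `groups`; after upgrading, those connections lose RADIUS Class-attribute group matching until someone finds the new checkbox. Port the removed loop into `run()` (walk the swanctl remotes as the deleted method did, presumably via `new Swanctl()`) and set `class_group = '1'` when it matches. Likewise, when the legacy `local_group` or `user_source` value matches nothing in `getNodeData()` it is dropped without a trace, which removes a group restriction (fail-open in `checkConstraints()`) or makes `supportedAuthenticators()` fall back to `Local Database`; at minimum `syslog(LOG_WARNING, 'ipsec migration: dropping unknown local_group ' . (string)$cnf->ipsec->client->local_group);` before the `unset`. The `dns_split` value copied into `x_28675` may be comma-separated (the removed legacy validation split on `/[ ,]+/`) while the new help text calls the field space-separated, so normalise with `preg_replace('/[ ,]+/', ' ', ...)` during the copy. The file header (open tag, namespace, class and `run()` signature) is not visible in the hunk as rendered here.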
@@ -337,25 +337,4 @@ public function getUsedCertrefs() } return $certrefs; } - - /** - * @return bool is there at least one connection using radius groups? - */ - public function radiusUsesGroups() - { - foreach ($this->remotes->iterateRecursiveItems() as $node) { - if ($node->getInternalXMLTagName() == 'auth' && (string)$node == 'eap-radius') { - $auth = $node->getParentNode(); - $connid = (string)$auth->connection; - if ( - !empty((string)$auth->groups) && - isset($this->Connections->Connection->$connid) && - !empty((string)$this->Connections->Connection->$connid->enabled) - ) { - return true; - } - } - } - return false; - } } diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php index 364baf4eaa3..23d00589aaa 100644 --- a/src/www/vpn_ipsec_mobile.php +++ b/src/www/vpn_ipsec_mobile.php @@ -1,7 +1,7 @@ * All rights reserved. * @@ -37,9 +37,7 @@ config_read_array('ipsec', 'phase1'); // define formfields -$form_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list -,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3 -,dns_server4,wins_server1,wins_server2,pfs_group,login_banner"; +$form_fields = "pool_address,pool_netbits,pool_address_v6,pool_netbits_v6"; if ($_SERVER['REQUEST_METHOD'] === 'GET') { // pass savemessage @@ -64,13 +62,7 @@ if (isset($config['ipsec']['client']['enable'])) { $pconfig['enable'] = true; } - if (isset($config['ipsec']['client']['net_list'])) { - $pconfig['net_list'] = true; - } - if (isset($config['ipsec']['client']['save_passwd'])) { - $pconfig['save_passwd'] = true; - } } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { $input_errors = array(); $pconfig = $_POST; 
@@ -87,20 +79,6 @@ exit; } elseif (isset($_POST['submit'])) { // save form changes - - // input preparations - if (!empty($pconfig['user_source'])) { - $pconfig['user_source'] = implode(",", $pconfig['user_source']); - } - if (!empty($pconfig['radius_source'])) { - $pconfig['radius_source'] = implode(",", $pconfig['radius_source']); - } - - /* input validation */ - $reqdfields = explode(" ", "user_source"); - $reqdfieldsn = array(gettext("User Authentication Source")); - do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - if (!empty($pconfig['pool_address']) && !is_ipaddr($pconfig['pool_address'])) { $input_errors[] = gettext("A valid IPv4 address for 'Virtual IPv4 Address Pool Network' must be specified."); } 
@@ -109,45 +87,10 @@ $input_errors[] = gettext("A valid IPv6 address for 'Virtual IPv6 Address Pool Network' must be specified."); } - if (!empty($pconfig['dns_domain']) && !is_domain($pconfig['dns_domain'])) { - $input_errors[] = gettext("A valid value for 'DNS Default Domain' must be specified."); - } - - if (!empty($pconfig['dns_split'])) { - $domain_array=preg_split("/[ ,]+/", $pconfig['dns_split']); - foreach ($domain_array as $curdomain) { - if (!is_domain($curdomain)) { - $input_errors[] = gettext("A valid split DNS domain list must be specified."); - break; - } - } - } - - if (!empty($pconfig['dns_server1']) && !is_ipaddr($pconfig['dns_server1'])) { - $input_errors[] = gettext("A valid IP address for 'DNS Server #1' must be specified."); - } - if (!empty($pconfig['dns_server2']) && !is_ipaddr($pconfig['dns_server2'])) { - $input_errors[] = gettext("A valid IP address for 'DNS Server #2' must be specified."); - } - if (!empty($pconfig['dns_server3']) && !is_ipaddr($pconfig['dns_server3'])) { - $input_errors[] = gettext("A valid IP address for 'DNS Server #3' must be specified."); - } - if (!empty($pconfig['dns_server4']) && !is_ipaddr($pconfig['dns_server4'])) { - $input_errors[] = gettext("A valid IP address for 'DNS Server #4' must be specified."); - } - - if (!empty($pconfig['wins_server1']) && !is_ipaddr($pconfig['wins_server1'])) { - $input_errors[] = gettext("A valid IP address for 'WINS Server #1' must be specified."); - } - if (!empty($pconfig['wins_server2']) && !is_ipaddr($pconfig['wins_server2'])) { - $input_errors[] = gettext("A valid IP address for 'WINS Server #2' must be specified."); - } if (count($input_errors) == 0) { $client = array(); - $copy_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6, - pool_netbits_v6,dns_domain,dns_server1,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2 - ,dns_split,pfs_group,login_banner"; + $copy_fields = 
"pool_address,pool_netbits,pool_address_v6,pool_netbits_v6"; foreach (explode(",", $copy_fields) as $fieldname) { $fieldname = trim($fieldname); if (!empty($pconfig[$fieldname])) { @@ -158,14 +101,6 @@ $client['enable'] = true; } - if (!empty($pconfig['net_list'])) { - $client['net_list'] = true; - } - - if (!empty($pconfig['save_passwd'])) { - $client['save_passwd'] = true; - } - $config['ipsec']['client'] = $client; write_config(); @@ -199,11 +134,6 @@ $( document ).ready(function() { pool_change(); pool_v6_change(); - dns_domain_change(); - dns_split_change(); - dns_server_change(); - wins_server_change(); - login_banner_change(); $("#ike_mobile_enable").change(function(){ if ($(this).is(':checked')) { 
@@ -238,80 +168,6 @@ function pool_v6_change() { } } -function dns_domain_change() { - - if (document.iform.dns_domain_enable.checked) { - document.iform.dns_domain.disabled = 0; - $("#dns_domain").addClass('show'); - $("#dns_domain").removeClass('hidden'); - } else { - document.iform.dns_domain.disabled = 1; - $("#dns_domain").addClass('hidden'); - $("#dns_domain").removeClass('show'); - } -} - -function dns_split_change() { - - if (document.iform.dns_split_enable.checked){ - document.iform.dns_split.disabled = 0; - $("#dns_split").addClass('show'); - $("#dns_split").removeClass('hidden'); - } else { - document.iform.dns_split.disabled = 1; - $("#dns_split").addClass('hidden'); - $("#dns_split").removeClass('show'); - } - -} - -function dns_server_change() { - - if (document.iform.dns_server_enable.checked) { - document.iform.dns_server1.disabled = 0; - document.iform.dns_server2.disabled = 0; - document.iform.dns_server3.disabled = 0; - document.iform.dns_server4.disabled = 0; - $("#dns_server_enable_inputs").addClass('show'); - $("#dns_server_enable_inputs").removeClass('hidden'); - } else { - document.iform.dns_server1.disabled = 1; - document.iform.dns_server2.disabled = 1; - document.iform.dns_server3.disabled = 1; - document.iform.dns_server4.disabled = 1; - $("#dns_server_enable_inputs").addClass('hidden'); - $("#dns_server_enable_inputs").removeClass('show'); - } -} - -function wins_server_change() { - - if (document.iform.wins_server_enable.checked) { - document.iform.wins_server1.disabled = 0; - document.iform.wins_server2.disabled = 0; - $("#wins_server_enable_inputs").addClass('show'); - $("#wins_server_enable_inputs").removeClass('hidden'); - } else { - document.iform.wins_server1.disabled = 1; - document.iform.wins_server2.disabled = 1; - $("#wins_server_enable_inputs").addClass('hidden'); - $("#wins_server_enable_inputs").removeClass('show'); - } -} - -function login_banner_change() { - - if (document.iform.login_banner_enable.checked) { - 
document.iform.login_banner.disabled = 0; - $("#login_banner").addClass('show'); - $("#login_banner").removeClass('hidden'); - } else { - document.iform.login_banner.disabled = 1; - $("#login_banner").addClass('hidden'); - $("#login_banner").removeClass('show'); - } -} - //]]> @@ -366,69 +222,6 @@ function print_legacy_box($msg, $name, $value) } ?>
-
-
-
- - - - - - - - - - - - - - - - - - - - -
- -
- - -
- - - - -
-
-
@@ -493,120 +286,6 @@ function print_legacy_box($msg, $name, $value) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- /> - -
- /> - - -
- onclick="dns_domain_change()" /> - - -
- onclick="dns_split_change()" /> - - - -
- onclick="dns_server_change()" /> - -
- #1: - - #2: - - #3: - - #4: - -
-
- onclick="wins_server_change()" /> - -
- #1: - - #2: - -
-
- - -
- onclick="login_banner_change()" /> - - -