Context Navigation

source: npl/syn3/webint/src/vpn/openswan.php @ c5c522c

gcc484ntopperl-5.22

Last change on this file since c5c522c was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago
initial commit, transferred from cleaned syn3 svn tree
Property mode set to `100755`
File size: 10.7 KB

Rev	Line
[c5c522c]	1	<?
	2	/*
	3	(C) 2004-2013 DatuX - info@datux.nl
	4
	5	This program is free software: you can redistribute it and/or modify
	6	it under the terms of the GNU General Public License as published by
	7	the Free Software Foundation, either version 3 of the License, or
	8	(at your option) any later version.
	9
	10	This program is distributed in the hope that it will be useful,
	11	but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	GNU General Public License for more details.
	14
	15	You should have received a copy of the GNU General Public License
	16	along with this program. If not, see <http://www.gnu.org/licenses/>.
	17	*/
	18
	19	require_once("../common.php");
	20	require_once("../network/network.php");
	21	require_once("../proc.php");
	22	IncludeLang(__FILE__);
	23
	24	$VPN_IPSEC_DIR="/etc/ipsec.d";
	25	$VPN_PUB="$VPN_IPSEC_DIR/ipsec.pub";
	26	$VPN_TUNNEL_DIR="$VPN_IPSEC_DIR/tunnels";
	27	$VPN_LOG="/var/log/secure";
	28	$VPN_STARTERRORS="$VPN_IPSEC_DIR/starterrors";
	29
	30	function vpn_Stop()
	31	{
	32	if (SvcIsUp("ipsec"))
	33	{
	34	SvcDown("ipsec");
	35	}
	36	}
	37
	38	//RET: false als het werk, anders error text.
	39	function vpn_Restart()
	40	{
	41	//only works on internet server
	42	if (!ModuleMatch("I"))
	43	return false; //return ok-code
	44
	45	// global $VPN_STARTERRORS;
	46	vpn_Stop();
	47	// LogInfo(_LogVPNStarting());
	48	SvcUp("ipsec");
	49	// FileWriteRaw("/etc/sysconfig/pluto_updown", "DEFAULTSOURCE=".GetFirstLanIp()."\n");
	50	// Cmd("pgrphack closefd /usr/sbin/ipsec setup start \|grep 'FATAL:' 1>&2",'',$out,$err);
	51
	52	// if ($err)
	53	// {
	54	// FileWrite($VPN_STARTERRORS,$err);
	55	// LogError(_LogVPNstartErrors(implode(" ",$err)));
	56	// return ($err);
	57	// }
	58	// else
	59	// {
	60	// FileWrite($VPN_STARTERRORS,'');
	61	// sleep(2); //wacht zodat VPN subsysteem up is
	62	// //kijk of er tunnels up moeten
	63	// $tunnels=vpn_ReadTunnels();
	64	// foreach ($tunnels as $name=>$conf)
	65	// {
	66	// //hij moet up zijn, EN hij is reeds getest
	67	// if ((!vpn_TunnelIsDownOnBoot($name)) && vpn_TunnelIsTested($name))
	68	// vpn_TunnelUp($name);
	69	// }
	70	// return false;
	71	// }
	72	}
	73
	74	function vpn_StartErrors()
	75	{
	76	global $VPN_STARTERRORS;
	77	if (is_file($VPN_STARTERRORS))
	78	{
	79	$raw=FileReadRaw($VPN_STARTERRORS);
	80	}
	81	return ($raw);
	82	}
	83
	84	/*function vpn_Failed()
	85	{
	86	global $VPN_IPSEC_DIR;
	87	return (is_file("$VPN_IPSEC_DIR/failed"));
	88	}
	89
	90	function vpn_Tested()
	91	{
	92	global $VPN_IPSEC_DIR;
	93	return (is_file("$VPN_IPSEC_DIR/tested"));
	94	}
	95	*/
	96
	97
	98	//force vpn monitoring check. ( this is also done every minute with a crontab)
	99	function vpn_MonUpdate($name)
	100	{
	101	Progress("Checking tunnel status $name...");
	102	SafeExec("syn3-ipseccheck '$name'");
	103	Progress("");
	104	}
	105
	106	function vpn_TunnelUp($name)
	107	{
	108
	109	$err=Cmd("
	110	(
	111	ipsec auto --down '$name' 2>/dev/null;
	112	ipsec auto --rereadsecrets;
	113	ipsec auto --replace '$name' &&
	114	ipsec auto --asynchronous --up '$name'
	115	) 2>&1
	116	",'',$out,$errout);
	117	if ($err!=0)
	118	{
	119	$out[]="Exit code $err";
	120	LogError(_LogTunnelUpError($name,implode(" ",$out)));
	121	return false;
	122	}
	123	else
	124	{
	125	LogInfo(_LogTunnelUp($name));
	126	return true;
	127	}
	128	}
	129
	130	function vpn_TunnelDown($name)
	131	{
	132	vpn_TunnelSetDownOnBoot($name,1);
	133
	134	$err=Cmd("ipsec auto --delete '$name' 2>&1",'',$out,$errout);
	135	vpn_MonUpdate($name);
	136	if ($err!=0)
	137	{
	138	LogError(_TunnelDownError($name,implode(" ",$out)));
	139	return false;
	140	}
	141	else
	142	{
	143	LogInfo(_LogTunnelDown($name));
	144	return true;
	145	}
	146	}
	147
	148	function vpn_TunnelIsTested($name)
	149	{
	150	global $VPN_TUNNEL_DIR;
	151	return (!is_file("$VPN_TUNNEL_DIR/$name.untested"));
	152	}
	153
	154	function vpn_TunnelSetTested($name,$tested)
	155	{
	156	global $VPN_TUNNEL_DIR;
	157
	158	if ($tested)
	159	FileDelete("$VPN_TUNNEL_DIR/$name.untested");
	160	else
	161	FileWriteRaw("$VPN_TUNNEL_DIR/$name.untested","");
	162	}
	163
	164	function vpn_TunnelIsDownOnBoot($name)
	165	{
	166	$tunnel=vpn_ReadTunnel($name);
	167	return ($tunnel["auto"]=="up");
	168	}
	169
	170	function vpn_TunnelSetDownOnBoot($name,$down)
	171	{
	172	$tunnel=vpn_ReadTunnel($name);
	173	if ($down)
	174	$tunnel["auto"]="ignore";
	175	else
	176	$tunnel["auto"]="up";
	177	vpn_WriteTunnel($name, $tunnel, false);
	178	}
	179
	180
	181	//gooi tunnel up, maar run backup script voor het geval er netwerk
	182	//conflict is. in dit geval gaat tunnel weer down
	183	function vpn_TunnelTestStart($name)
	184	{
	185	//test loopt nog?
	186	if ($_SESSION[testtunnel] && posix_kill($_SESSION[testtunnel][pid],0))
	187	Error(_TestAlreadyRunning());
	188
	189	//start het backup script en onthoudt PID
	190	$_SESSION[testtunnel][pid]=BgExec("exec testtunnel.sh '$name'");
	191	$_SESSION[testtunnel][name]=$name;
	192	vpn_TunnelSetTested($name,1); //het backup script zet hem weer op 0 als het misgaat
	193	vpn_TunnelUp($name); //niet controleren op errors
	194	return true;
	195	}
	196
	197	//Controleer of er nog een test loopt, en of deze geslaagd is.
	198	//Roep deze functie aan NA het refreshen van de pagina, zodat je weet
	199	//dat de netwerk settings niet verstoord zijn.
	200	function vpn_TunnelTestEnd()
	201	{
	202	//is there a test running?
	203	if ($_SESSION[testtunnel])
	204	{
	205	//kill het backup script BOEM
	206	posix_kill($_SESSION[testtunnel][pid],9);
	207
	208	$name=$_SESSION[testtunnel][name];
	209	//test is klaar nu
	210	unset($_SESSION[testtunnel]);
	211
	212	//kijk of test gelukt of mislukt is en wijzig config
	213	if (!vpn_TunnelIsTested($name))
	214	{
	215	LogError(_LogTunnelTestFailed($name));
	216	}
	217	else
	218	{
	219	vpn_TunnelSetDownOnBoot($name, 0);
	220	vpn_MonUpdate($name);
	221	}
	222	}
	223	}
	224
	225	function vpn_ReadSecret($name)
	226	{
	227	global $VPN_TUNNEL_DIR;
	228	$line=FileReadRaw("$VPN_TUNNEL_DIR/$name.key");
	229	preg_match('/"(.*)"/',$line,$matches);
	230	return ($matches[1]);
	231	}
	232
	233	function vpn_WriteSecret($name,$secret)
	234	{
	235	global $VPN_TUNNEL_DIR;
	236	$tunnel=vpn_ReadTunnel($name);
	237
	238	$line="$tunnel[leftid] $tunnel[right]: PSK \"$secret\"\n";
	239	FileWriteRaw("$VPN_TUNNEL_DIR/$name.key",$line);
	240	}
	241
	242	function vpn_ValidName($name)
	243	{
	244	return (
	245	(!preg_match("/[^a-z0-9-]/",$name)) &&
	246	(strlen($name)<25) &&
	247	(strlen($name)>=3)
	248	);
	249	}
	250
	251	function vpn_ValidSecret($secret)
	252	{
	253	return (
	254	(strlen($secret)>=8)
	255	);
	256	}
	257
	258
	259	function vpn_ValidPubKey($key)
	260	{
	261	$key=vpn_ReadableToPub($key);
	262	return (
	263	(strlen($key)==370) &&
	264	(substr($key,0,2)=='0s') &&
	265	(!preg_match("/[^A-Za-z0-9+\/]/",substr($key,2)))
	266	);
	267	}
	268
	269	function vpn_SameKey($key1,$key2)
	270	{
	271	$key1=vpn_ReadableToPub($key1);
	272	$key2=vpn_ReadableToPub($key2);
	273	return ($key1==$key2);
	274	}
	275
	276
	277	function vpn_ReadPubKey()
	278	{
	279	global $VPN_PUB;
	280	$raw=FileReadMatches($VPN_PUB,"/#pubkey=/");
	281	preg_match("/.pubkey=(.)/",$raw[0],$matches);
	282	return ($matches[1]);
	283	}
	284
	285	//make key readable (insert new-lines etc)
	286	function vpn_PubToReadable($pubkey)
	287	{
	288	return(preg_replace("/(.{50})/","\$0\n",$pubkey));
	289	}
	290
	291	//filter all the crap from a readable key
	292	function vpn_ReadableToPub($pubkey)
	293	{
	294	return(preg_replace("/[^A-Za-z0-9+\/=]/","",$pubkey));
	295	}
	296
	297	//returns corresponding tunnel filename
	298	function vpn_GetTunnelFile($name)
	299	{
	300	global $VPN_TUNNEL_DIR;
	301	return ("$VPN_TUNNEL_DIR/$name.conf");
	302	}
	303
	304	function vpn_ReadTunnel($name)
	305	{
	306	$raw=FileRead(vpn_GetTunnelFile($name));
	307	foreach ($raw as $line)
	308	{
	309	if (preg_match("/^[^a-z]([a-z])=(.*)$/",$line,$matches))
	310	$ret[$matches[1]]=$matches[2];
	311	}
	312	return ($ret);
	313	}
	314
	315	function vpn_ReadTunnels()
	316	{
	317	global $VPN_TUNNEL_DIR;
	318	$dh=opendir($VPN_TUNNEL_DIR);
	319	while ($file=readdir($dh))
	320	{
	321	if (preg_match("/^(.*).conf$/",$file,$matches))
	322	{
	323	if ($matches[1] != "dummy")
	324	$ret[$matches[1]]=vpn_ReadTunnel($matches[1]);
	325	}
	326	}
	327	return ($ret);
	328	}
	329
	330	function vpn_WriteTunnel($name,$data, $needs_testing=true)
	331	{
	332	global $VPN_IPSEC_DIR;
	333	global $VPN_TUNNEL_DIR;
	334	$raw[]="conn $name";
	335	foreach ($data as $varname=>$varvalue)
	336	{
	337	$raw[]="\t$varname=$varvalue";
	338	}
	339	//mark configuration as untested
	340	if ($needs_testing)
	341	FileWriteRaw("$VPN_TUNNEL_DIR/$name.untested");
	342
	343	FileWrite(vpn_GetTunnelFile($name),$raw);
	344	LogInfo(_LogVPNSettingsChanged($name));
	345	}
	346
	347	function vpn_DelTunnel($name)
	348	{
	349	global $VPN_TUNNEL_DIR;
	350	vpn_TunnelDown($name);
	351
	352	FileDelete("$VPN_TUNNEL_DIR/$name.conf");
	353	FileDelete("$VPN_TUNNEL_DIR/$name.mon");
	354	FileDelete("$VPN_TUNNEL_DIR/$name.key");
	355	FileDelete("$VPN_TUNNEL_DIR/$name.down");
	356	FileDelete("$VPN_TUNNEL_DIR/$name.untested");
	357	LogInfo(_LogVPNTunnelDeleted($name));
	358	}
	359
	360
	361	$VPN_STATES=array(
	362	'Main'=>"Connecting...",
	363	'STATE_MAIN_I1'=>"Connecting...",
	364	'STATE_MAIN_R1'=>"Connection accepted...",
	365	'STATE_MAIN_I2'=>"Connection complete...",
	366	'STATE_MAIN_I3'=>"Checking keys...",
	367	'STATE_MAIN_R2'=>"Checking keys...",
	368	'STATE_MAIN_I4'=>"Keys accepted...",
	369	'STATE_MAIN_R3'=>"Waiting for tunnel request...",
	370	'Quick'=>"Requesting tunnel...",
	371	'STATE_QUICK_I1'=>"Requesting tunnel...",
	372	'STATE_QUICK_R1'=>"Tunnel request received...",
	373	'STATE_QUICK_I2'=>"Tunnel established",
	374	'STATE_QUICK_R2'=>"Tunnel established",
	375	);
	376
	377
	378	$VPN_PRIO=array(
	379	'Main'=>0,
	380	'STATE_MAIN_I1'=>1,
	381	'STATE_MAIN_R1'=>2,
	382	'STATE_MAIN_I2'=>3,
	383	'STATE_MAIN_I3'=>4,
	384	'STATE_MAIN_R2'=>5,
	385	'STATE_MAIN_I4'=>6,
	386	'STATE_MAIN_R3'=>7,
	387	'Quick'=>8,
	388	'STATE_QUICK_I1'=>9,
	389	'STATE_QUICK_R1'=>10,
	390	'STATE_QUICK_I2'=>11,
	391	'STATE_QUICK_R2'=>12,
	392	);
	393
	394	//tries to determine state from a logline.
	395	//returns false on no state found
	396	function vpn_LogToState($logline)
	397	{
	398	global $VPN_STATES;
	399
	400	if (preg_match("/to state (.*)$/",$logline,$matches))
	401	{
	402	if (isset($VPN_STATES[$matches[1]]))
	403	return ($matches[1]);
	404	}
	405	elseif (preg_match("/initiating (.*) Mode/",$logline,$matches))
	406	{
	407	if (isset($VPN_STATES[$matches[1]]))
	408	return ($matches[1]);
	409	}
	410	else
	411	{
	412	return false;
	413	}
	414	}
	415	//read logging output of a tunnel
	416	//returns: $ret[]=array($state,$line);
	417	function vpn_GetLog($name)
	418	{
	419	global $VPN_LOG;
	420	$lines=SafeExec("grep '\]: \"$name\"' '$VPN_LOG'\|tail -1000");
	421	foreach ($lines as $line)
	422	{
	423	preg_match("/\]: \".?\".(.)/",$line,$matches);
	424	$ret[]=array(vpn_LogToState($matches[1]),$matches[1]);
	425	}
	426	return $ret;
	427	}
	428
	429	//gets state of all tunnels
	430	//ret[tunnelname][state]=$state
	431	//ret[tunnelname][info][]=infolines
	432	function vpn_GetStatus()
	433	{
	434	global $VPN_STATES;
	435	global $VPN_PRIO;
	436
	437	if (Cmd("ipsec whack --status",'',$output)!=0)
	438	{
	439	LogError("Error reading ipsec status. Please check if ipsec-service is running");
	440	return (false);
	441	}
	442	else {
	443	$ret=Array();
	444	foreach ($output as $line)
	445	{
	446	if (preg_match('/^.#([0-9]):."(.?)"[:0-9]* ([A-Z0-9_]+) /',$line,$matches))
	447	{
	448	$nr=$matches[1];
	449	$name=$matches[2];
	450	$state=$matches[3];
	451	if (
	452	$name &&
	453	$state &&
	454	$VPN_PRIO[$state]>=$VPN_PRIO[$ret[$name]['state']]
	455	)
	456	{
	457	$ret[$name]['state']=$state;
	458	$ret[$name]['info'][]=$line;
	459	}
	460	}
	461	elseif (preg_match('/^."(.?)": (.)$/',$line,$matches))
	462	{
	463	$name=$matches[1];
	464	$info=$matches[2];
	465	if ($name && $info)
	466	{
	467	$ret[$name]['info'][]=$info;
	468	}
	469	}
	470	}
	471
	472	return $ret;
	473	}
	474	}
	475
	476	/* zit nu in network.php
	477	if ($_SERVER['argv'][1]=="restart")
	478	{
	479	vpn_Restart();
	480	}
	481	*/
	482
	483
	484	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: