From 5045998aeebe938a903be37e50ddc2c4b45562e7 Mon Sep 17 00:00:00 2001 From: Olivier Blin Date: Mon, 4 Aug 2008 08:28:00 +0000 Subject: move drakvpn-old in an old subdir (so that it is not included in pot) --- bin/drakvpn-old | 847 -------------------------------------------------------- old/drakvpn-old | 847 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 847 insertions(+), 847 deletions(-) delete mode 100755 bin/drakvpn-old create mode 100755 old/drakvpn-old diff --git a/bin/drakvpn-old b/bin/drakvpn-old deleted file mode 100755 index 3f247a9..0000000 --- a/bin/drakvpn-old +++ /dev/null @@ -1,847 +0,0 @@ -#!/usr/bin/perl - -# -# author Florin Grad (florin@mandrakesoft.com) -# -# Copyright 2006 Mandriva -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2, as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# - - -# i18n: IMPORTANT: to get correct namespace (drakx-net instead of libDrakX) -BEGIN { unshift @::textdomains, 'drakx-net' } -use lib qw(/usr/lib/libDrakX); - -use standalone; #- warning, standalone must be loaded very first, for 'explanations' - -use common; -use detect_devices; -use interactive; -use network::network; -use log; -use c; -use network::netconnect; -use network::shorewall; -use network::ipsec; -use Data::Dumper; - -$::isInstall and die "Not supported during install.\n"; - - -local $_ = join '', @ARGV; - -$::Wizard_pix_up = "drakvpn"; -$ugtk2::wm_icon = "drakvpn"; - -my $direct = /-direct/; - -my $tunnels_file = "/etc/shorewall/tunnels"; -my $ipsec_conf = ""; -my $racoon_conf = "/etc/racoon/racoon.conf"; -my $ipsec_package = ""; - -my $in = interactive->vnew('su'); -my $shorewall = network::shorewall::read($in); -my @section_names; - - $ipsec_conf = "/etc/ipsec.conf"; -my $ipsec = network::ipsec::read_ipsec_conf($ipsec_conf); -my $racoon = network::ipsec::read_racoon_conf($racoon_conf); - -#print network::ipsec::display_ipsec_conf($ipsec_conf,$ipsec); - -$::Wizard_title = N("DrakVPN"); - -$in->isa('interactive::gtk') and $::isWizard = 1; - -my $wait_configuring; - -sub fatal_quit ($) { - log::l("[drakvpn] FATAL: $_[0]"); - undef $wait_configuring; - $in->ask_warn('', $_[0]); - quit_global($in, -1); -} - -begin: - -#- ********************************** -#- * 0th step: verify if we are already set up - -if ($shorewall && any { !/^\s*(?:#|\n)/ } cat_($tunnels_file)) { - $::Wizard_no_previous = 1; - - if (!$shorewall->{disabled}) { - my $r = $in->ask_from_list_(N("The VPN connection is enabled."), -N("The setup of a VPN connection has already been done. - -It's currently enabled. - -What would you like to do?"), - [ N_("disable"), N_("reconfigure"), N_("dismiss") ]) or quit_global($in, 0); - # FIXME: reconfigure is not handled - if ($r eq "disable") { - if (!$::testing) { - my $_wait_disabl = $in->wait_message(N("Please wait"), N("Disabling VPN...")); - network::ipsec::stop_daemons(); - } - foreach ($ipsec_conf, $tunnels_file) { - if (-f $_) { rename($_, "$_.drakvpndisable") or die "Could not rename $_ to $_.drakvpndisable" } - } - network::ipsec::sys("/etc/init.d/shorewall restart >/dev/null"); - log::l("[drakvpn] Disabled"); - $::Wizard_finished = 1; - $in->ask_okcancel('', N("The VPN connection is now disabled.")); - quit_global($in, 0); - } - if ($r eq "dismiss") { - quit_global($in, 0); - } - } else { - my $r = $in->ask_from_list_(N("VPN connection currently disabled"), -N("The setup of a VPN connection has already been done. - -It's currently disabled. - -What would you like to do?"), - [ N_("enable"), N_("reconfigure"), N_("dismiss") ]); - # FIXME: reconfigure is not handled - if ($r eq "enable") { - foreach ($ipsec_conf, $tunnels_file) { - rename($_, "$_.old") if -f $_; - rename("$_.drakvpndisable", $_) or die "Could not find configuration. Please reconfigure."; - } - { - my $_wait_enabl = $in->wait_message(N("Please wait"), N("Enabling VPN...")); - network::ipsec::start_daemons(); - } - log::l("[drakvpn] Enabled"); - } - $::Wizard_finished = 1; - $in->ask_okcancel('', N("The VPN connection is now enabled.")); - quit_global($in, 0); - if ($r eq "dismiss") { - quit_global($in, 0); - } - } - } - -#- ********************************** -#- * 1st step: detect/setup -step_ask_confirm: - -$::Wizard_no_previous = 1; - -$direct or $in->ask_okcancel(N("Simple VPN setup."), -N("You are about to configure your computer to use a VPN connection. - -With this feature, computers on your local private network and computers -on some other remote private networks, can share resources, through -their respective firewalls, over the Internet, in a secure manner. - -The communication over the Internet is encrypted. The local and remote -computers look as if they were on the same network. - -Make sure you have configured your Network/Internet access using -drakconnect before going any further."), 1) or goto begin; - -undef $::Wizard_no_previous; - - $ipsec_package = "ipsec-tools"; - -$direct or $in->ask_okcancel(N("Simple VPN setup."), -N("VPN connection. - -This program is based on the following projects: - - FreeSwan: \t\t\thttp://www.freeswan.org/ - - Super-FreeSwan: \t\thttp://www.freeswan.ca/ - - ipsec-tools: \t\t\thttp://ipsec-tools.sourceforge.net/ - - ipsec-howto: \t\thttp://www.ipsec-howto.org - - the docs and man pages coming with the %s package - -Please read AT LEAST the ipsec-howto docs -before going any further.",$ipsec_package)) or goto begin; - -step_detectsetup: - -#my @configured_devices = map { /ifcfg-(\S+)/ } glob('/etc/sysconfig/network-scripts/ifcfg*'); - -my %aliased_devices; -/^\s*alias\s+(eth[0-9])\s+(\S+)/ and $aliased_devices{$1} = $2 foreach cat_("/etc/modules.conf"); - -#- ********************************** -#- * 2nd step: configure - -#$wait_configuring = $in->wait_message(N("Configuring..."), -# N("Configuring scripts, installing software, starting servers...")); - - - -#- install and setup the RPM packages, if needed - -my %rpm2file; -log::l("[drakvpn] install the $ipsec_package and the shorewall rpm packages"); - %rpm2file = ($ipsec_package => '/sbin/setkey', - shorewall => '/sbin/shorewall'); - -#- first: try to install all in one step, if needed -if (!-e "/sbin/setkey") { - - my @needed_to_install = grep { !-e $rpm2file{$_} } keys %rpm2file; - @needed_to_install and $in->do_pkgs->install(@needed_to_install) if !$::testing; - #- second: try one by one if failure detected - if (!$::testing && any { !-e $rpm2file{$_} } keys %rpm2file) { - foreach (keys %rpm2file) { - -e $rpm2file{$_} or $in->do_pkgs->install($_); - -e $rpm2file{$_} or fatal_quit(N("Problems installing package %s", $_)); - } - } -} - -undef $wait_configuring; - -#- configure the $ipsec_conf file -#- Add, Remove config|conn entries - -step_configuration: - -my $c; - -my %messages = (ipsec => N("Security Policies"), racoon => N("IKE daemon racoon")); - - $in->ask_from(N("Configuration file"), -N("Configuration step! - -You need to define the Security Policies and then to -configure the automatic key exchange (IKE) daemon. -The KAME IKE daemon we're using is called 'racoon'. - -What would you like to configure?\n"), - [ { val => \$c, type => "list", list => [ keys %messages ], format => sub { $messages{$_[0]} } } ]) or goto step_detectsetup; - -#------------------------------------------------------------------- -#---------------------- configure ipsec_conf ----------------------- -#------------------------------------------------------------------- - -if ($c eq "ipsec" || $c eq "configure") { - -step_configure_ipsec_conf: - -@section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; - -my $choice = $section_names[0]; -my $d = $in->ask_from_list_(N("%s entries", $ipsec_conf), -N("The %s file contents -is divided into sections.\n -You can now:\n - - display, add, edit, or remove sections, then - - commit the changes - -What would you like to do?\n", $ipsec_conf), - [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; - -#my $existing_section = ""; - -#- display $ipsec_conf ------------------------- - -step_display_ipsec_conf: - -if ($d eq "display $ipsec_conf" || $d eq "_:display here is a verb\nDisplay") { - my $ipsec_exists = 0; - foreach my $key (keys %$ipsec) { - $ipsec_exists = 1 if $ipsec->{$key}; - } - if ($ipsec_exists) { - $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), - network::ipsec::display_ipsec_conf($ipsec)); - goto step_configure_ipsec_conf; - } else { -$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), -N("The %s file does not exist.\n -This must be a new configuration.\n -You'll have to go back and choose 'add'.\n", $ipsec_conf)); - goto step_configure_ipsec_conf; - } - -#- add --------------------- - -} elsif ($d eq "Add") { - -step_add_section: - -#- add ---- kernel 2.6 part ------------------------------- - - my $section = { command => 'spdadd', - src_range => 'src_network_address', - dst_range => 'dest_network_address', - upperspec => 'any', - flag => '-P', - direction => 'in or out', - ipsec => 'ipsec', - protocol => 'esp', - mode => 'tunnel', - src_dest => 'source-destination', - level => 'require' }; - -step_add_section_ipsec_conf_k26: - - ask_info3('', -N("Add a Security Policy.\n -You can now add a Security Policy.\n -Choose continue when you are done to write the data.\n"), $section) or goto step_configure_ipsec_conf; - -# $existing_section = network::ipsec::already_existing_section_ipsec_conf($section->{src_dest}, $ipsec); -# -# if ($existing_section eq "already existing") { -#$in->ask_okcancel(N("Exists!"), -#N("A section with this name already exists. -#The section names have to be unique.\n -#You'll have to go back and add another section -#or change the name of the section.\n")); -# goto step_add_section_ipsec_conf_k26; -#}; - - if (!$ipsec->{1}) { - put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "#!/sbin/setkey -f" }); - put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "flush;" }); - put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "spdflush;" }); - } - - network::ipsec::add_section_ipsec_conf($section, $ipsec); - - @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec); - - goto step_configure_ipsec_conf; - -#- edit --------------------- - -} elsif ($d eq "Edit") { - -step_edit_ipsec_conf: -$in->ask_from(N("Edit section"), -N("Your %s file has several sections or connections.\n -You can choose here below the one you want to edit -and then click on next.\n", $ipsec_conf), - [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) - or goto step_configure_ipsec_conf; - -my $number = network::ipsec::matched_section_key_number_ipsec_conf($choice,$ipsec); - - - ask_info3('', -N("Edit a Security Policy.\n -You can now edit a Security Policy.\n -Choose continue when you are done to write the data.\n"), $ipsec->{$number}) or goto step_configure_ipsec_conf; - -goto step_configure_ipsec_conf; - -#- remove --------------------- - -} elsif ($d eq "Remove") { -$in->ask_from(N("Remove section"), -N("Your %s file has several sections or connections.\n -You can choose here below the one you want to remove -and then click on next.\n", $ipsec_conf), - [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); - - network::ipsec::remove_section_ipsec_conf($choice,$ipsec); - - @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; - - goto step_configure_ipsec_conf; - -#- continue and write --------------------- - -} elsif ($d eq "Commit") { - log::l("[drakvpn] Modify the $ipsec_conf file"); - network::ipsec::write_ipsec_conf($ipsec_conf, $ipsec); - } -#------------------------------------------------------------------- -#---------------------- configure racoon_conf ----------------------- -#------------------------------------------------------------------- - -} elsif ($c eq "racoon") { - -step_configure_racoon_conf: - -@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; - -my $choice = $section_names[0]; -my $d = $in->ask_from_list_(N("%s entries", $racoon_conf), -N("The racoon.conf file configuration.\n -The contents of this file is divided into sections. -You can now: - - display \t\t (display the file contents) - - add \t\t (add one section) - - edit \t\t\t (modify parameters of an existing section) - - remove \t\t (remove an existing section) - - commit \t\t (writes the changes to the real file)"), - [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; - - -#- display $racoon_conf ------------------------- - -step_display_racoon_conf: - -if ($d eq "_:display here is a verb\nDisplay") { - - my $racoon_exists = 0; - foreach my $key (keys %$racoon) { - $racoon_exists = 1 if $racoon->{$key}; - } - - if ($racoon_exists) { - $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), - network::ipsec::display_racoon_conf($racoon)); - goto step_configure_racoon_conf; - } else { -$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), -N("The %s file does not exist\n -This must be a new configuration.\n -You'll have to go back and choose configure.\n", $racoon_conf)); - goto step_configure_racoon_conf; - } - -#- add $racoon_conf ------------------------------ - -} elsif ($d eq "Add") { - -step_add_section_racoon: - -#my $existing_section = ""; - -my $e = $in->ask_from_list_(N("racoon.conf entries"), -N("The 'add' sections step.\n -Here below is the racoon.conf file skeleton: -\t'path' -\t'remote' -\t'sainfo' \n -Choose the section you would like to add.\n"), - [ N_("path"), N_("remote"), N_("sainfo"), N_("dismiss") ]) or goto step_configure_racoon_conf; -if ($e eq "path") { - - my $path_section = { - 1 => [ 'path', 'path_type', '"/etc/racoon/certs"' ], - }; - - $in->ask_from('', -N("The 'add path' section step.\n -The path sections have to be on top of your racoon.conf file.\n -Put your mouse over the certificate entry to obtain online help."), - [ { label => N("path type"), - val => \$path_section->{1}[1], - list => [ 'certificate', 'pre_shared_key', 'include' ], - help => -N("path include path: specifies a path to include -a file. See File Inclusion. - Example: path include '/etc/racoon' - -path pre_shared_key file: specifies a file containing -pre-shared key(s) for various ID(s). See Pre-shared key File. - Example: path pre_shared_key '/etc/racoon/psk.txt' ; - -path certificate path: racoon(8) will search this directory -if a certificate or certificate request is received. - Example: path certificate '/etc/cert' ; - -File Inclusion: include file -other configuration files can be included. - Example: include \"remote.conf\" ; - -Pre-shared key File: Pre-shared key file defines a pair -of the identifier and the shared secret key which are used at -Pre-shared key authentication method in phase 1."), -}, - { label => N("real file"), val => \$path_section->{1}[2], type => 'entry' }, - ] -) or goto step_configure_racoon_conf; - -network::ipsec::add_section_racoon_conf($path_section, $racoon); -} elsif ($e eq "remote") { - my $main_remote_section = { 1 => [ 'remote', 'address' ], - 2 => [ 'exchange_mode', 'aggressive,main' ], - 3 => [ 'generate_policy', 'on' ], - 4 => [ 'passive', 'on' ], - 5 => [ 'certificate_type', 'x509', '"my_certificate.pem"', '"my_private_key.pem"' ], - 6 => [ 'peers_certfile', '"remote.public"' ], - 7 => [ 'verify_cert', 'on' ], - 8 => [ 'my_identifier', 'asn1dn' ], - 9 => [ 'peers_identifier', 'asn1dn' ] - }; - my $proposal_remote_section = { 1 => [ 'proposal' ], - 2 => [ 'encryption_algorithm', '3des' ], - 3 => [ 'hash_algorithm', 'md5' ], - 4 => [ 'authentication_method', 'rsasig' ], - 5 => [ 'dh_group', 'modp1024' ] - }; - ask_info2('', -N("Make sure you already have the path sections -on the top of your racoon.conf file. - -You can now choose the remote settings. -Choose continue or previous when you are done.\n"), $main_remote_section, $proposal_remote_section) or goto step_configure_racoon_conf; - -network::ipsec::add_section_racoon_conf($main_remote_section, $racoon); -network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon); -} elsif ($e eq "sainfo") { - my $sainfo_section = { 1 => [ 'sainfo', 'address', '192.168.100.2', 'any', 'address', '10.0.0.2', 'any' ], - 2 => [ 'pfs_group', '1' ], - 3 => [ 'lifetime', 'time', '30', 'sec' ], - 4 => [ 'encryption_algorithm', '3des' ], - 5 => [ 'authentication_algorithm', 'hmac_sha1' ], - 6 => [ 'compression_algorithm', 'deflate' ], - }; - ask_info('', -N("Make sure you already have the path sections -on the top of your %s file. - -You can now choose the sainfo settings. -Choose continue or previous when you are done.\n", $racoon_conf), $sainfo_section) or goto step_configure_racoon_conf; - -network::ipsec::add_section_racoon_conf($sainfo_section, $racoon); -} - -@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; - -goto step_configure_racoon_conf; - -#- edit $racoon_conf ----------------------------- - -} elsif ($d eq "Edit") { -$in->ask_from(N("Edit section"), -N("Your %s file has several sections or connections. - -You can choose here in the list below the one you want -to edit and then click on next.\n", $racoon_conf), - [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) - or goto step_configure_racoon_conf; - -my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); - -if ($choice =~ /^remote/) { - ask_info2('', -N("Your %s file has several sections.\n - -You can now edit the remote section entries. - -Choose continue when you are done to write the data.\n", $racoon_conf), $racoon->{$number}, $racoon->{$number+2}) - or goto step_configure_racoon_conf; - -} elsif ($choice =~ /^sainfo/) { - ask_info('', -N("Your %s file has several sections. - -You can now edit the sainfo section entries. - -Choose continue when you are done to write the data.", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf; - -} elsif ($choice =~ /^path/) { - $in->ask_from('', -N("This section has to be on top of your -%s file.\n -Make sure all other sections follow these path -sections.\n -You can now edit the path entries. - -Choose continue or previous when you are done.\n", $racoon_conf), - [ { label => N("path_type"), val => \$racoon->{$number}{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ] }, - { label => N("real file"), val => \$racoon->{$number}{1}[2], type => 'entry' }, - ] -) or goto step_configure_racoon_conf; -} - -goto step_configure_racoon_conf; - -#- remove $racoon_conf --------------------------- - -} elsif ($d eq "Remove") { -$in->ask_from(N("Remove section"), -N("Your %s file has several sections or connections.\n -You can choose here below the one you want to remove -and then click on next.\n", $racoon_conf), - [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); - -my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); -network::ipsec::remove_section_racoon_conf($choice,$racoon,$number); - @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; - - goto step_configure_racoon_conf; - -#- write $racoon_conf and continue --------------- -} elsif ($d eq "Commit") { - log::l("[drakvpn] Modify the $racoon_conf file"); - network::ipsec::write_racoon_conf($racoon_conf, $racoon); -} -} - -#- start the daemons -network::ipsec::start_daemons(); - -#- bye-bye message - -undef $wait_configuring; - -$::Wizard_no_previous = 1; -$::Wizard_finished = 1; - -$in->ask_okcancel(N("Congratulations!"), -N("Everything has been configured.\n -You may now share resources through the Internet, -in a secure way, using a VPN connection. - -You should make sure that the tunnels shorewall -section is configured.")); - -log::l("[drakvpn] Installation complete, exiting"); -quit_global($in, 0); - -sub quit_global { - my ($in, $exitcode) = @_; - $in->exit($exitcode); - goto begin; -} - - -sub ask_info { - my ($title, $text, $data) = @_; - $in->ask_from($title, $text, - [ { label => N("Sainfo source address"), val => \$data->{1}[2], type => 'entry', - help => N("sainfo (source_id destination_id | anonymous) { statements } -defines the parameters of the IKE phase 2 -(IPsec-SA establishment). - -source_id and destination_id are constructed like: - - address address [/ prefix] [[port]] ul_proto - -Examples: \n -sainfo anonymous (accepts connections from anywhere) - leave blank this entry if you want anonymous - -sainfo address 203.178.141.209 any address 203.178.141.218 any - 203.178.141.209 is the source address - -sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any - 172.16.1.0/24 is the source address") }, - { label => N("Sainfo source protocol"), val => \$data->{1}[3], type => 'entry', - help => N("sainfo (source_id destination_id | anonymous) { statements } -defines the parameters of the IKE phase 2 -(IPsec-SA establishment). - -source_id and destination_id are constructed like: - - address address [/ prefix] [[port]] ul_proto - -Examples: \n -sainfo anonymous (accepts connections from anywhere) - leave blank this entry if you want anonymous - -sainfo address 203.178.141.209 any address 203.178.141.218 any - the first 'any' allows any protocol for the source") }, - { label => N("Sainfo destination address"), val => \$data->{1}[5], type => 'entry', - help => N("sainfo (source_id destination_id | anonymous) { statements } -defines the parameters of the IKE phase 2 -(IPsec-SA establishment). - -source_id and destination_id are constructed like: - - address address [/ prefix] [[port]] ul_proto - -Examples: \n -sainfo anonymous (accepts connections from anywhere) - leave blank this entry if you want anonymous - -sainfo address 203.178.141.209 any address 203.178.141.218 any - 203.178.141.218 is the destination address - -sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any - 172.16.2.0/24 is the destination address") }, - { label => N("Sainfo destination protocol"), val => \$data->{1}[6], type => 'entry', - help => N("sainfo (source_id destination_id | anonymous) { statements } -defines the parameters of the IKE phase 2 -(IPsec-SA establishment). - -source_id and destination_id are constructed like: - - address address [/ prefix] [[port]] ul_proto - -Examples: \n -sainfo anonymous (accepts connections from anywhere) - leave blank this entry if you want anonymous - -sainfo address 203.178.141.209 any address 203.178.141.218 any - the last 'any' allows any protocol for the destination") }, - { label => N("PFS group"), val => \$data->{2}[1], - list => [ qw(modp768 modp1024 modp1536 1 2 5) ], - help => N("define the group of Diffie-Hellman exponentiations. -If you do not require PFS then you can omit this directive. -Any proposal will be accepted if you do not specify one. -group is one of the following: modp768, modp1024, modp1536. -Or you can define 1, 2, or 5 as the DH group number.") }, - { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry', - help => N("define a lifetime of a certain time which will be pro- -posed in the phase 1 negotiations. Any proposal will be -accepted, and the attribute(s) will not be proposed to -the peer if you do not specify it(them). They can be -individually specified in each proposal. - -Examples: \n - lifetime time 1 min; # sec,min,hour - lifetime time 1 min; # sec,min,hour - lifetime time 30 sec; - lifetime time 30 sec; - lifetime time 60 sec; - lifetime time 12 hour; - -So, here, the lifetime numbers are 1, 1, 30, 30, 60 and 12. -") }, - { label => N("Lifetime unit"), val => \$data->{3}[3], - list => [ qw(sec min hour) ], - help => N("define a lifetime of a certain time which will be pro- -posed in the phase 1 negotiations. Any proposal will be -accepted, and the attribute(s) will not be proposed to -the peer if you do not specify it(them). They can be -individually specified in each proposal. - -Examples: \n - lifetime time 1 min; # sec,min,hour - lifetime time 1 min; # sec,min,hour - lifetime time 30 sec; - lifetime time 30 sec; - lifetime time 60 sec; - lifetime time 12 hour; - -So, here, the lifetime units are 'min', 'min', 'sec', 'sec', 'sec' and 'hour'. -") }, - { label => N("Encryption algorithm"), val => \$data->{4}[1], - list => [ qw(des 3des des_iv64 des_iv32 rc5 rc4 idea 3idea cast128 blowfish null_enc twofish rijndae) ] }, - { label => N("Authentication algorithm"), val => \$data->{5}[1], - list => [ qw(des 3des des_iv64 des_iv32 hmac_md5 hmac_sha1 non_auth) ] }, - { label => N("Compression algorithm"), val => \$data->{6}[1], - list => [ N_("deflate") ], format => \&translate, allow_empty_list => 1 } - -]) } - -sub ask_info2 { - my ($title, $text, $main_remote_section, $proposal_remote_section) = @_; - $in->ask_from($title, $text,, - [ { label => N("Remote"), val => \$main_remote_section->{1}[1], type => 'entry', - help => N("remote (address | anonymous) [[port]] { statements } -specifies the parameters for IKE phase 1 for each remote node. -The default port is 500. If anonymous is specified, the state- -ments apply to all peers which do not match any other remote -directive.\n -Examples: \n -remote anonymous -remote ::1 [8000]") }, - { label => N("Exchange mode"), val => \$main_remote_section->{2}[1], - list => [ qw(main,agressive agressive,main) ], - help => N("defines the exchange mode for phase 1 when racoon is the -initiator. Also it means the acceptable exchange mode -when racoon is responder. More than one mode can be -specified by separating them with a comma. All of the -modes are acceptable. The first exchange mode is what -racoon uses when it is the initiator.\n") }, - { label => N("Generate policy"), val => \$main_remote_section->{3}[1], - list => [ N_("off"), N_("on") ], format => \&translate, - help => N("This directive is for the responder. Therefore you -should set passive on in order that racoon(8) only -becomes a responder. If the responder does not have any -policy in SPD during phase 2 negotiation, and the direc- -tive is set on, then racoon(8) will choose the first pro- -posal in the SA payload from the initiator, and generate -policy entries from the proposal. It is useful to nego- -tiate with the client which is allocated IP address -dynamically. Note that inappropriate policy might be -installed into the responder's SPD by the initiator. So -that other communication might fail if such policies -installed due to some policy mismatches between the ini- -tiator and the responder. This directive is ignored in -the initiator case. The default value is off.") }, - { label => N("Passive"), val => \$main_remote_section->{4}[1], - list => [ N_("off"), N_("on") ], format => \&translate, - help => N("If you do not want to initiate the negotiation, set this -to on. The default value is off. It is useful for a -server.") }, - { label => N("Certificate type"), val => \$main_remote_section->{5}[1], - list => [ 'x509' ], allow_empty_list => 1 }, - { label => N("My certfile"), val => \$main_remote_section->{5}[2], type => 'entry', - help => N("Name of the certificate") }, - { label => N("My private key"), val => \$main_remote_section->{5}[3], type => 'entry', - help => N("Name of the private key") }, - { label => N("Peers certfile"), val => \$main_remote_section->{6}[1], type => 'entry', - help => N("Name of the peers certificate") }, - { label => N("Verify cert"), val => \$main_remote_section->{7}[1], - list => [ N_("off"), N_("on") ], format => \&translate, - help => N("If you do not want to verify the peer's certificate for -some reason, set this to off. The default is on.") }, - { label => N("My identifier"), val => \$main_remote_section->{8}[1], type => 'entry', - help => N("specifies the identifier sent to the remote host and the -type to use in the phase 1 negotiation. address, FQDN, -user_fqdn, keyid and asn1dn can be used as an idtype. -they are used like: - my_identifier address [address]; - the type is the IP address. This is the default - type if you do not specify an identifier to use. - my_identifier user_fqdn string; - the type is a USER_FQDN (user fully-qualified - domain name). - my_identifier FQDN string; - the type is a FQDN (fully-qualified domain name). - my_identifier keyid file; - the type is a KEY_ID. - my_identifier asn1dn [string]; - the type is an ASN.1 distinguished name. If - string is omitted, racoon(8) will get DN from - Subject field in the certificate.\n -Examples: \n -my_identifier user_fqdn \"myemail\@mydomain.com\"") }, - { label => N("Peers identifier"), val => \$main_remote_section->{9}[1], type => 'entry' }, - { label => N("Proposal"), val => \$proposal_remote_section->{1}[0], list => [ 'proposal' ], allow_empty_list => 1 }, - { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], list => [ qw(des 3des blowfish cast128) ], - help => N("specify the encryption algorithm used for the -phase 1 negotiation. This directive must be defined. -algorithm is one of the following: - -DES, 3DES, blowfish, cast128 for oakley. - -For other transforms, this statement should not be used.") }, - { label => N("Hash algorithm"), val => \$proposal_remote_section->{3}[1], type => 'entry' }, - { label => N("Authentication method"), val => \$proposal_remote_section->{4}[1], type => 'entry' }, - { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], }, - ]); -} - -sub ask_info3 { - my ($title, $text, $section) = @_; - $in->ask_from($title, $text,, - [ { label => N("Command"), val => \$section->{command}, list => [ 'spdadd' ], allow_empty_list => 1 }, - { label => N("Source IP range"), val => \$section->{src_range}, type => 'entry' }, - { label => N("Destination IP range"), val => \$section->{dst_range}, type => 'entry' }, - { label => N("Upper-layer protocol"), val => \$section->{upperspec}, list => [ N_("any") ], - format => \&translate, allow_empty_list => 1 }, - { label => N("Flag"), val => \$section->{flag}, list => [ '-P' ], allow_empty_list => 1 }, - { label => N("Direction"), val => \$section->{direction}, list => [ 'in', 'out' ] }, - { label => N("IPsec policy"), val => \$section->{ipsec}, list => [ N_("ipsec"), N_("discard"), N_("none") ], - format => \&translate }, - { label => N("Protocol"), val => \$section->{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] }, - { label => N("Mode"), val => \$section->{mode}, list => [ N_("tunnel"), N_("transport"), N_("any") ], - format => \&translate }, - { label => N("Source/destination"), val => \$section->{src_dest}, type => 'entry' }, - { label => N("Level"), val => \$section->{level}, list => [ N_("require"), N_("default"), N_("use"), N_("unique") ], - format => \&translate }, - ]); -} - diff --git a/old/drakvpn-old b/old/drakvpn-old new file mode 100755 index 0000000..3f247a9 --- /dev/null +++ b/old/drakvpn-old @@ -0,0 +1,847 @@ +#!/usr/bin/perl + +# +# author Florin Grad (florin@mandrakesoft.com) +# +# Copyright 2006 Mandriva +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# + + +# i18n: IMPORTANT: to get correct namespace (drakx-net instead of libDrakX) +BEGIN { unshift @::textdomains, 'drakx-net' } +use lib qw(/usr/lib/libDrakX); + +use standalone; #- warning, standalone must be loaded very first, for 'explanations' + +use common; +use detect_devices; +use interactive; +use network::network; +use log; +use c; +use network::netconnect; +use network::shorewall; +use network::ipsec; +use Data::Dumper; + +$::isInstall and die "Not supported during install.\n"; + + +local $_ = join '', @ARGV; + +$::Wizard_pix_up = "drakvpn"; +$ugtk2::wm_icon = "drakvpn"; + +my $direct = /-direct/; + +my $tunnels_file = "/etc/shorewall/tunnels"; +my $ipsec_conf = ""; +my $racoon_conf = "/etc/racoon/racoon.conf"; +my $ipsec_package = ""; + +my $in = interactive->vnew('su'); +my $shorewall = network::shorewall::read($in); +my @section_names; + + $ipsec_conf = "/etc/ipsec.conf"; +my $ipsec = network::ipsec::read_ipsec_conf($ipsec_conf); +my $racoon = network::ipsec::read_racoon_conf($racoon_conf); + +#print network::ipsec::display_ipsec_conf($ipsec_conf,$ipsec); + +$::Wizard_title = N("DrakVPN"); + +$in->isa('interactive::gtk') and $::isWizard = 1; + +my $wait_configuring; + +sub fatal_quit ($) { + log::l("[drakvpn] FATAL: $_[0]"); + undef $wait_configuring; + $in->ask_warn('', $_[0]); + quit_global($in, -1); +} + +begin: + +#- ********************************** +#- * 0th step: verify if we are already set up + +if ($shorewall && any { !/^\s*(?:#|\n)/ } cat_($tunnels_file)) { + $::Wizard_no_previous = 1; + + if (!$shorewall->{disabled}) { + my $r = $in->ask_from_list_(N("The VPN connection is enabled."), +N("The setup of a VPN connection has already been done. + +It's currently enabled. + +What would you like to do?"), + [ N_("disable"), N_("reconfigure"), N_("dismiss") ]) or quit_global($in, 0); + # FIXME: reconfigure is not handled + if ($r eq "disable") { + if (!$::testing) { + my $_wait_disabl = $in->wait_message(N("Please wait"), N("Disabling VPN...")); + network::ipsec::stop_daemons(); + } + foreach ($ipsec_conf, $tunnels_file) { + if (-f $_) { rename($_, "$_.drakvpndisable") or die "Could not rename $_ to $_.drakvpndisable" } + } + network::ipsec::sys("/etc/init.d/shorewall restart >/dev/null"); + log::l("[drakvpn] Disabled"); + $::Wizard_finished = 1; + $in->ask_okcancel('', N("The VPN connection is now disabled.")); + quit_global($in, 0); + } + if ($r eq "dismiss") { + quit_global($in, 0); + } + } else { + my $r = $in->ask_from_list_(N("VPN connection currently disabled"), +N("The setup of a VPN connection has already been done. + +It's currently disabled. + +What would you like to do?"), + [ N_("enable"), N_("reconfigure"), N_("dismiss") ]); + # FIXME: reconfigure is not handled + if ($r eq "enable") { + foreach ($ipsec_conf, $tunnels_file) { + rename($_, "$_.old") if -f $_; + rename("$_.drakvpndisable", $_) or die "Could not find configuration. Please reconfigure."; + } + { + my $_wait_enabl = $in->wait_message(N("Please wait"), N("Enabling VPN...")); + network::ipsec::start_daemons(); + } + log::l("[drakvpn] Enabled"); + } + $::Wizard_finished = 1; + $in->ask_okcancel('', N("The VPN connection is now enabled.")); + quit_global($in, 0); + if ($r eq "dismiss") { + quit_global($in, 0); + } + } + } + +#- ********************************** +#- * 1st step: detect/setup +step_ask_confirm: + +$::Wizard_no_previous = 1; + +$direct or $in->ask_okcancel(N("Simple VPN setup."), +N("You are about to configure your computer to use a VPN connection. + +With this feature, computers on your local private network and computers +on some other remote private networks, can share resources, through +their respective firewalls, over the Internet, in a secure manner. + +The communication over the Internet is encrypted. The local and remote +computers look as if they were on the same network. + +Make sure you have configured your Network/Internet access using +drakconnect before going any further."), 1) or goto begin; + +undef $::Wizard_no_previous; + + $ipsec_package = "ipsec-tools"; + +$direct or $in->ask_okcancel(N("Simple VPN setup."), +N("VPN connection. + +This program is based on the following projects: + - FreeSwan: \t\t\thttp://www.freeswan.org/ + - Super-FreeSwan: \t\thttp://www.freeswan.ca/ + - ipsec-tools: \t\t\thttp://ipsec-tools.sourceforge.net/ + - ipsec-howto: \t\thttp://www.ipsec-howto.org + - the docs and man pages coming with the %s package + +Please read AT LEAST the ipsec-howto docs +before going any further.",$ipsec_package)) or goto begin; + +step_detectsetup: + +#my @configured_devices = map { /ifcfg-(\S+)/ } glob('/etc/sysconfig/network-scripts/ifcfg*'); + +my %aliased_devices; +/^\s*alias\s+(eth[0-9])\s+(\S+)/ and $aliased_devices{$1} = $2 foreach cat_("/etc/modules.conf"); + +#- ********************************** +#- * 2nd step: configure + +#$wait_configuring = $in->wait_message(N("Configuring..."), +# N("Configuring scripts, installing software, starting servers...")); + + + +#- install and setup the RPM packages, if needed + +my %rpm2file; +log::l("[drakvpn] install the $ipsec_package and the shorewall rpm packages"); + %rpm2file = ($ipsec_package => '/sbin/setkey', + shorewall => '/sbin/shorewall'); + +#- first: try to install all in one step, if needed +if (!-e "/sbin/setkey") { + + my @needed_to_install = grep { !-e $rpm2file{$_} } keys %rpm2file; + @needed_to_install and $in->do_pkgs->install(@needed_to_install) if !$::testing; + #- second: try one by one if failure detected + if (!$::testing && any { !-e $rpm2file{$_} } keys %rpm2file) { + foreach (keys %rpm2file) { + -e $rpm2file{$_} or $in->do_pkgs->install($_); + -e $rpm2file{$_} or fatal_quit(N("Problems installing package %s", $_)); + } + } +} + +undef $wait_configuring; + +#- configure the $ipsec_conf file +#- Add, Remove config|conn entries + +step_configuration: + +my $c; + +my %messages = (ipsec => N("Security Policies"), racoon => N("IKE daemon racoon")); + + $in->ask_from(N("Configuration file"), +N("Configuration step! + +You need to define the Security Policies and then to +configure the automatic key exchange (IKE) daemon. +The KAME IKE daemon we're using is called 'racoon'. + +What would you like to configure?\n"), + [ { val => \$c, type => "list", list => [ keys %messages ], format => sub { $messages{$_[0]} } } ]) or goto step_detectsetup; + +#------------------------------------------------------------------- +#---------------------- configure ipsec_conf ----------------------- +#------------------------------------------------------------------- + +if ($c eq "ipsec" || $c eq "configure") { + +step_configure_ipsec_conf: + +@section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; + +my $choice = $section_names[0]; +my $d = $in->ask_from_list_(N("%s entries", $ipsec_conf), +N("The %s file contents +is divided into sections.\n +You can now:\n + - display, add, edit, or remove sections, then + - commit the changes + +What would you like to do?\n", $ipsec_conf), + [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; + +#my $existing_section = ""; + +#- display $ipsec_conf ------------------------- + +step_display_ipsec_conf: + +if ($d eq "display $ipsec_conf" || $d eq "_:display here is a verb\nDisplay") { + my $ipsec_exists = 0; + foreach my $key (keys %$ipsec) { + $ipsec_exists = 1 if $ipsec->{$key}; + } + if ($ipsec_exists) { + $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), + network::ipsec::display_ipsec_conf($ipsec)); + goto step_configure_ipsec_conf; + } else { +$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), +N("The %s file does not exist.\n +This must be a new configuration.\n +You'll have to go back and choose 'add'.\n", $ipsec_conf)); + goto step_configure_ipsec_conf; + } + +#- add --------------------- + +} elsif ($d eq "Add") { + +step_add_section: + +#- add ---- kernel 2.6 part ------------------------------- + + my $section = { command => 'spdadd', + src_range => 'src_network_address', + dst_range => 'dest_network_address', + upperspec => 'any', + flag => '-P', + direction => 'in or out', + ipsec => 'ipsec', + protocol => 'esp', + mode => 'tunnel', + src_dest => 'source-destination', + level => 'require' }; + +step_add_section_ipsec_conf_k26: + + ask_info3('', +N("Add a Security Policy.\n +You can now add a Security Policy.\n +Choose continue when you are done to write the data.\n"), $section) or goto step_configure_ipsec_conf; + +# $existing_section = network::ipsec::already_existing_section_ipsec_conf($section->{src_dest}, $ipsec); +# +# if ($existing_section eq "already existing") { +#$in->ask_okcancel(N("Exists!"), +#N("A section with this name already exists. +#The section names have to be unique.\n +#You'll have to go back and add another section +#or change the name of the section.\n")); +# goto step_add_section_ipsec_conf_k26; +#}; + + if (!$ipsec->{1}) { + put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "#!/sbin/setkey -f" }); + put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "flush;" }); + put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "spdflush;" }); + } + + network::ipsec::add_section_ipsec_conf($section, $ipsec); + + @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec); + + goto step_configure_ipsec_conf; + +#- edit --------------------- + +} elsif ($d eq "Edit") { + +step_edit_ipsec_conf: +$in->ask_from(N("Edit section"), +N("Your %s file has several sections or connections.\n +You can choose here below the one you want to edit +and then click on next.\n", $ipsec_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) + or goto step_configure_ipsec_conf; + +my $number = network::ipsec::matched_section_key_number_ipsec_conf($choice,$ipsec); + + + ask_info3('', +N("Edit a Security Policy.\n +You can now edit a Security Policy.\n +Choose continue when you are done to write the data.\n"), $ipsec->{$number}) or goto step_configure_ipsec_conf; + +goto step_configure_ipsec_conf; + +#- remove --------------------- + +} elsif ($d eq "Remove") { +$in->ask_from(N("Remove section"), +N("Your %s file has several sections or connections.\n +You can choose here below the one you want to remove +and then click on next.\n", $ipsec_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); + + network::ipsec::remove_section_ipsec_conf($choice,$ipsec); + + @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; + + goto step_configure_ipsec_conf; + +#- continue and write --------------------- + +} elsif ($d eq "Commit") { + log::l("[drakvpn] Modify the $ipsec_conf file"); + network::ipsec::write_ipsec_conf($ipsec_conf, $ipsec); + } +#------------------------------------------------------------------- +#---------------------- configure racoon_conf ----------------------- +#------------------------------------------------------------------- + +} elsif ($c eq "racoon") { + +step_configure_racoon_conf: + +@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; + +my $choice = $section_names[0]; +my $d = $in->ask_from_list_(N("%s entries", $racoon_conf), +N("The racoon.conf file configuration.\n +The contents of this file is divided into sections. +You can now: + - display \t\t (display the file contents) + - add \t\t (add one section) + - edit \t\t\t (modify parameters of an existing section) + - remove \t\t (remove an existing section) + - commit \t\t (writes the changes to the real file)"), + [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; + + +#- display $racoon_conf ------------------------- + +step_display_racoon_conf: + +if ($d eq "_:display here is a verb\nDisplay") { + + my $racoon_exists = 0; + foreach my $key (keys %$racoon) { + $racoon_exists = 1 if $racoon->{$key}; + } + + if ($racoon_exists) { + $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), + network::ipsec::display_racoon_conf($racoon)); + goto step_configure_racoon_conf; + } else { +$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), +N("The %s file does not exist\n +This must be a new configuration.\n +You'll have to go back and choose configure.\n", $racoon_conf)); + goto step_configure_racoon_conf; + } + +#- add $racoon_conf ------------------------------ + +} elsif ($d eq "Add") { + +step_add_section_racoon: + +#my $existing_section = ""; + +my $e = $in->ask_from_list_(N("racoon.conf entries"), +N("The 'add' sections step.\n +Here below is the racoon.conf file skeleton: +\t'path' +\t'remote' +\t'sainfo' \n +Choose the section you would like to add.\n"), + [ N_("path"), N_("remote"), N_("sainfo"), N_("dismiss") ]) or goto step_configure_racoon_conf; +if ($e eq "path") { + + my $path_section = { + 1 => [ 'path', 'path_type', '"/etc/racoon/certs"' ], + }; + + $in->ask_from('', +N("The 'add path' section step.\n +The path sections have to be on top of your racoon.conf file.\n +Put your mouse over the certificate entry to obtain online help."), + [ { label => N("path type"), + val => \$path_section->{1}[1], + list => [ 'certificate', 'pre_shared_key', 'include' ], + help => +N("path include path: specifies a path to include +a file. See File Inclusion. + Example: path include '/etc/racoon' + +path pre_shared_key file: specifies a file containing +pre-shared key(s) for various ID(s). See Pre-shared key File. + Example: path pre_shared_key '/etc/racoon/psk.txt' ; + +path certificate path: racoon(8) will search this directory +if a certificate or certificate request is received. + Example: path certificate '/etc/cert' ; + +File Inclusion: include file +other configuration files can be included. + Example: include \"remote.conf\" ; + +Pre-shared key File: Pre-shared key file defines a pair +of the identifier and the shared secret key which are used at +Pre-shared key authentication method in phase 1."), +}, + { label => N("real file"), val => \$path_section->{1}[2], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($path_section, $racoon); +} elsif ($e eq "remote") { + my $main_remote_section = { 1 => [ 'remote', 'address' ], + 2 => [ 'exchange_mode', 'aggressive,main' ], + 3 => [ 'generate_policy', 'on' ], + 4 => [ 'passive', 'on' ], + 5 => [ 'certificate_type', 'x509', '"my_certificate.pem"', '"my_private_key.pem"' ], + 6 => [ 'peers_certfile', '"remote.public"' ], + 7 => [ 'verify_cert', 'on' ], + 8 => [ 'my_identifier', 'asn1dn' ], + 9 => [ 'peers_identifier', 'asn1dn' ] + }; + my $proposal_remote_section = { 1 => [ 'proposal' ], + 2 => [ 'encryption_algorithm', '3des' ], + 3 => [ 'hash_algorithm', 'md5' ], + 4 => [ 'authentication_method', 'rsasig' ], + 5 => [ 'dh_group', 'modp1024' ] + }; + ask_info2('', +N("Make sure you already have the path sections +on the top of your racoon.conf file. + +You can now choose the remote settings. +Choose continue or previous when you are done.\n"), $main_remote_section, $proposal_remote_section) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($main_remote_section, $racoon); +network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon); +} elsif ($e eq "sainfo") { + my $sainfo_section = { 1 => [ 'sainfo', 'address', '192.168.100.2', 'any', 'address', '10.0.0.2', 'any' ], + 2 => [ 'pfs_group', '1' ], + 3 => [ 'lifetime', 'time', '30', 'sec' ], + 4 => [ 'encryption_algorithm', '3des' ], + 5 => [ 'authentication_algorithm', 'hmac_sha1' ], + 6 => [ 'compression_algorithm', 'deflate' ], + }; + ask_info('', +N("Make sure you already have the path sections +on the top of your %s file. + +You can now choose the sainfo settings. +Choose continue or previous when you are done.\n", $racoon_conf), $sainfo_section) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($sainfo_section, $racoon); +} + +@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; + +goto step_configure_racoon_conf; + +#- edit $racoon_conf ----------------------------- + +} elsif ($d eq "Edit") { +$in->ask_from(N("Edit section"), +N("Your %s file has several sections or connections. + +You can choose here in the list below the one you want +to edit and then click on next.\n", $racoon_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) + or goto step_configure_racoon_conf; + +my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); + +if ($choice =~ /^remote/) { + ask_info2('', +N("Your %s file has several sections.\n + +You can now edit the remote section entries. + +Choose continue when you are done to write the data.\n", $racoon_conf), $racoon->{$number}, $racoon->{$number+2}) + or goto step_configure_racoon_conf; + +} elsif ($choice =~ /^sainfo/) { + ask_info('', +N("Your %s file has several sections. + +You can now edit the sainfo section entries. + +Choose continue when you are done to write the data.", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf; + +} elsif ($choice =~ /^path/) { + $in->ask_from('', +N("This section has to be on top of your +%s file.\n +Make sure all other sections follow these path +sections.\n +You can now edit the path entries. + +Choose continue or previous when you are done.\n", $racoon_conf), + [ { label => N("path_type"), val => \$racoon->{$number}{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ] }, + { label => N("real file"), val => \$racoon->{$number}{1}[2], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; +} + +goto step_configure_racoon_conf; + +#- remove $racoon_conf --------------------------- + +} elsif ($d eq "Remove") { +$in->ask_from(N("Remove section"), +N("Your %s file has several sections or connections.\n +You can choose here below the one you want to remove +and then click on next.\n", $racoon_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); + +my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); +network::ipsec::remove_section_racoon_conf($choice,$racoon,$number); + @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; + + goto step_configure_racoon_conf; + +#- write $racoon_conf and continue --------------- +} elsif ($d eq "Commit") { + log::l("[drakvpn] Modify the $racoon_conf file"); + network::ipsec::write_racoon_conf($racoon_conf, $racoon); +} +} + +#- start the daemons +network::ipsec::start_daemons(); + +#- bye-bye message + +undef $wait_configuring; + +$::Wizard_no_previous = 1; +$::Wizard_finished = 1; + +$in->ask_okcancel(N("Congratulations!"), +N("Everything has been configured.\n +You may now share resources through the Internet, +in a secure way, using a VPN connection. + +You should make sure that the tunnels shorewall +section is configured.")); + +log::l("[drakvpn] Installation complete, exiting"); +quit_global($in, 0); + +sub quit_global { + my ($in, $exitcode) = @_; + $in->exit($exitcode); + goto begin; +} + + +sub ask_info { + my ($title, $text, $data) = @_; + $in->ask_from($title, $text, + [ { label => N("Sainfo source address"), val => \$data->{1}[2], type => 'entry', + help => N("sainfo (source_id destination_id | anonymous) { statements } +defines the parameters of the IKE phase 2 +(IPsec-SA establishment). + +source_id and destination_id are constructed like: + + address address [/ prefix] [[port]] ul_proto + +Examples: \n +sainfo anonymous (accepts connections from anywhere) + leave blank this entry if you want anonymous + +sainfo address 203.178.141.209 any address 203.178.141.218 any + 203.178.141.209 is the source address + +sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any + 172.16.1.0/24 is the source address") }, + { label => N("Sainfo source protocol"), val => \$data->{1}[3], type => 'entry', + help => N("sainfo (source_id destination_id | anonymous) { statements } +defines the parameters of the IKE phase 2 +(IPsec-SA establishment). + +source_id and destination_id are constructed like: + + address address [/ prefix] [[port]] ul_proto + +Examples: \n +sainfo anonymous (accepts connections from anywhere) + leave blank this entry if you want anonymous + +sainfo address 203.178.141.209 any address 203.178.141.218 any + the first 'any' allows any protocol for the source") }, + { label => N("Sainfo destination address"), val => \$data->{1}[5], type => 'entry', + help => N("sainfo (source_id destination_id | anonymous) { statements } +defines the parameters of the IKE phase 2 +(IPsec-SA establishment). + +source_id and destination_id are constructed like: + + address address [/ prefix] [[port]] ul_proto + +Examples: \n +sainfo anonymous (accepts connections from anywhere) + leave blank this entry if you want anonymous + +sainfo address 203.178.141.209 any address 203.178.141.218 any + 203.178.141.218 is the destination address + +sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any + 172.16.2.0/24 is the destination address") }, + { label => N("Sainfo destination protocol"), val => \$data->{1}[6], type => 'entry', + help => N("sainfo (source_id destination_id | anonymous) { statements } +defines the parameters of the IKE phase 2 +(IPsec-SA establishment). + +source_id and destination_id are constructed like: + + address address [/ prefix] [[port]] ul_proto + +Examples: \n +sainfo anonymous (accepts connections from anywhere) + leave blank this entry if you want anonymous + +sainfo address 203.178.141.209 any address 203.178.141.218 any + the last 'any' allows any protocol for the destination") }, + { label => N("PFS group"), val => \$data->{2}[1], + list => [ qw(modp768 modp1024 modp1536 1 2 5) ], + help => N("define the group of Diffie-Hellman exponentiations. +If you do not require PFS then you can omit this directive. +Any proposal will be accepted if you do not specify one. +group is one of the following: modp768, modp1024, modp1536. +Or you can define 1, 2, or 5 as the DH group number.") }, + { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry', + help => N("define a lifetime of a certain time which will be pro- +posed in the phase 1 negotiations. Any proposal will be +accepted, and the attribute(s) will not be proposed to +the peer if you do not specify it(them). They can be +individually specified in each proposal. + +Examples: \n + lifetime time 1 min; # sec,min,hour + lifetime time 1 min; # sec,min,hour + lifetime time 30 sec; + lifetime time 30 sec; + lifetime time 60 sec; + lifetime time 12 hour; + +So, here, the lifetime numbers are 1, 1, 30, 30, 60 and 12. +") }, + { label => N("Lifetime unit"), val => \$data->{3}[3], + list => [ qw(sec min hour) ], + help => N("define a lifetime of a certain time which will be pro- +posed in the phase 1 negotiations. Any proposal will be +accepted, and the attribute(s) will not be proposed to +the peer if you do not specify it(them). They can be +individually specified in each proposal. + +Examples: \n + lifetime time 1 min; # sec,min,hour + lifetime time 1 min; # sec,min,hour + lifetime time 30 sec; + lifetime time 30 sec; + lifetime time 60 sec; + lifetime time 12 hour; + +So, here, the lifetime units are 'min', 'min', 'sec', 'sec', 'sec' and 'hour'. +") }, + { label => N("Encryption algorithm"), val => \$data->{4}[1], + list => [ qw(des 3des des_iv64 des_iv32 rc5 rc4 idea 3idea cast128 blowfish null_enc twofish rijndae) ] }, + { label => N("Authentication algorithm"), val => \$data->{5}[1], + list => [ qw(des 3des des_iv64 des_iv32 hmac_md5 hmac_sha1 non_auth) ] }, + { label => N("Compression algorithm"), val => \$data->{6}[1], + list => [ N_("deflate") ], format => \&translate, allow_empty_list => 1 } + +]) } + +sub ask_info2 { + my ($title, $text, $main_remote_section, $proposal_remote_section) = @_; + $in->ask_from($title, $text,, + [ { label => N("Remote"), val => \$main_remote_section->{1}[1], type => 'entry', + help => N("remote (address | anonymous) [[port]] { statements } +specifies the parameters for IKE phase 1 for each remote node. +The default port is 500. If anonymous is specified, the state- +ments apply to all peers which do not match any other remote +directive.\n +Examples: \n +remote anonymous +remote ::1 [8000]") }, + { label => N("Exchange mode"), val => \$main_remote_section->{2}[1], + list => [ qw(main,agressive agressive,main) ], + help => N("defines the exchange mode for phase 1 when racoon is the +initiator. Also it means the acceptable exchange mode +when racoon is responder. More than one mode can be +specified by separating them with a comma. All of the +modes are acceptable. The first exchange mode is what +racoon uses when it is the initiator.\n") }, + { label => N("Generate policy"), val => \$main_remote_section->{3}[1], + list => [ N_("off"), N_("on") ], format => \&translate, + help => N("This directive is for the responder. Therefore you +should set passive on in order that racoon(8) only +becomes a responder. If the responder does not have any +policy in SPD during phase 2 negotiation, and the direc- +tive is set on, then racoon(8) will choose the first pro- +posal in the SA payload from the initiator, and generate +policy entries from the proposal. It is useful to nego- +tiate with the client which is allocated IP address +dynamically. Note that inappropriate policy might be +installed into the responder's SPD by the initiator. So +that other communication might fail if such policies +installed due to some policy mismatches between the ini- +tiator and the responder. This directive is ignored in +the initiator case. The default value is off.") }, + { label => N("Passive"), val => \$main_remote_section->{4}[1], + list => [ N_("off"), N_("on") ], format => \&translate, + help => N("If you do not want to initiate the negotiation, set this +to on. The default value is off. It is useful for a +server.") }, + { label => N("Certificate type"), val => \$main_remote_section->{5}[1], + list => [ 'x509' ], allow_empty_list => 1 }, + { label => N("My certfile"), val => \$main_remote_section->{5}[2], type => 'entry', + help => N("Name of the certificate") }, + { label => N("My private key"), val => \$main_remote_section->{5}[3], type => 'entry', + help => N("Name of the private key") }, + { label => N("Peers certfile"), val => \$main_remote_section->{6}[1], type => 'entry', + help => N("Name of the peers certificate") }, + { label => N("Verify cert"), val => \$main_remote_section->{7}[1], + list => [ N_("off"), N_("on") ], format => \&translate, + help => N("If you do not want to verify the peer's certificate for +some reason, set this to off. The default is on.") }, + { label => N("My identifier"), val => \$main_remote_section->{8}[1], type => 'entry', + help => N("specifies the identifier sent to the remote host and the +type to use in the phase 1 negotiation. address, FQDN, +user_fqdn, keyid and asn1dn can be used as an idtype. +they are used like: + my_identifier address [address]; + the type is the IP address. This is the default + type if you do not specify an identifier to use. + my_identifier user_fqdn string; + the type is a USER_FQDN (user fully-qualified + domain name). + my_identifier FQDN string; + the type is a FQDN (fully-qualified domain name). + my_identifier keyid file; + the type is a KEY_ID. + my_identifier asn1dn [string]; + the type is an ASN.1 distinguished name. If + string is omitted, racoon(8) will get DN from + Subject field in the certificate.\n +Examples: \n +my_identifier user_fqdn \"myemail\@mydomain.com\"") }, + { label => N("Peers identifier"), val => \$main_remote_section->{9}[1], type => 'entry' }, + { label => N("Proposal"), val => \$proposal_remote_section->{1}[0], list => [ 'proposal' ], allow_empty_list => 1 }, + { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], list => [ qw(des 3des blowfish cast128) ], + help => N("specify the encryption algorithm used for the +phase 1 negotiation. This directive must be defined. +algorithm is one of the following: + +DES, 3DES, blowfish, cast128 for oakley. + +For other transforms, this statement should not be used.") }, + { label => N("Hash algorithm"), val => \$proposal_remote_section->{3}[1], type => 'entry' }, + { label => N("Authentication method"), val => \$proposal_remote_section->{4}[1], type => 'entry' }, + { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], }, + ]); +} + +sub ask_info3 { + my ($title, $text, $section) = @_; + $in->ask_from($title, $text,, + [ { label => N("Command"), val => \$section->{command}, list => [ 'spdadd' ], allow_empty_list => 1 }, + { label => N("Source IP range"), val => \$section->{src_range}, type => 'entry' }, + { label => N("Destination IP range"), val => \$section->{dst_range}, type => 'entry' }, + { label => N("Upper-layer protocol"), val => \$section->{upperspec}, list => [ N_("any") ], + format => \&translate, allow_empty_list => 1 }, + { label => N("Flag"), val => \$section->{flag}, list => [ '-P' ], allow_empty_list => 1 }, + { label => N("Direction"), val => \$section->{direction}, list => [ 'in', 'out' ] }, + { label => N("IPsec policy"), val => \$section->{ipsec}, list => [ N_("ipsec"), N_("discard"), N_("none") ], + format => \&translate }, + { label => N("Protocol"), val => \$section->{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] }, + { label => N("Mode"), val => \$section->{mode}, list => [ N_("tunnel"), N_("transport"), N_("any") ], + format => \&translate }, + { label => N("Source/destination"), val => \$section->{src_dest}, type => 'entry' }, + { label => N("Level"), val => \$section->{level}, list => [ N_("require"), N_("default"), N_("use"), N_("unique") ], + format => \&translate }, + ]); +} + -- cgit v1.2.1